1. Definitions and Interpretation
1.1 In this DPA, unless the context otherwise requires:
“Client Data” shall mean personal data relating to Talent that the Client and/or its users (i) directly input into Genie (including, for example, ratings and comments that Clients and/or their users make in respect of Talent) and/or (ii) provide to us for the purposes of us inviting Talent to become a user of Genie (“Invite Data”), excluding always (in each case) any Genie Data. For the avoidance of doubt, Invite Data may be the same as Registration Data that we have already obtained or that we obtain as a result of such invite;
“Data Privacy Laws” shall mean all applicable laws, rules and regulations relating to the processing of Client Data and/or Genie Data, including the following as amended, extended, re-enacted or replaced from time to time:
(i) UK Data Protection Act 2018 and any legislation relating to the processing of personal data effective in the UK that is intended to replicate or maintain some or all of the provisions, rights and obligations set out in the GDPR following the UK’s withdrawal from the European Union;
(ii) EC Directive 2002/58/EC on Privacy and Electronic Communications;
(iii) EC Regulation 2016/679 (the “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
(iv) all local laws or regulations implementing or supplementing the EU legislation mentioned in (ii)-(iii) above;
(v) all codes of practice and guidance issued by national supervisory authorities, regulators or EU or UK institutions relating to the laws, regulations and EU legislation mentioned in (i)–(iv) above.
“EU/UK Law” means any law in force in the European Union or any law in force in a member state of the European Union and/or UK including the Data Privacy Laws;
“Genie Data” means any Registration Data, Platform Data or Shared Data;
“International Transfer Requirements” means the requirements relating to Restricted Transfers that are set out in Chapter V of the GDPR (Transfers of personal data to third countries or international organizations);
“Invite Data” has the meaning given in the definition of Client Data;
“Platform Data” means any personal data that (i) we observe about, or otherwise collect from, Talent users in connection with their use of Genie (for example a Talent’s acceptance/completion of a Brief and/or feedback provided by Talent in respect of a Client); (ii) we observe from Client users in connection with their use of Genie (excluding any Client Data). For the avoidance of doubt, such personal data may be collected via cookies or similar types of tracking technologies where indicated in our Privacy Policy;
“Privacy Policy” means the Privacy Policy applicable to Genie that explains how and why we process Genie Data, a copy of which is available here: https://www.meetgenie.co/privacy-policy/
“Processing Annex” means details of our processing of the Client Data, as set out in Annex 1 to this DPA;
“Registration Data” means any personal data that we obtain (i) from users in connection with their registration with Genie, including email addresses, usernames and passwords; and/or (ii) from Talent in connection with the onboarding of the Talent onto Genie, including any data that is volunteered by the Talent in connection with their Genie registration or profile;
“Restricted Country” means a country, territory or jurisdiction which is not considered by the EU Commission (or in respect of personal data transfers caught by the requirements of UK and/or Swiss Data Privacy Laws, the relevant UK and/or Swiss governmental or regulatory body as applicable) to offer an adequate level of protection in respect of the processing of personal data pursuant to Article 45(1) of the GDPR;
“Restricted Transfer” means a transfer of personal data from an entity whose processing of personal data under the Terms is caught by the requirements of the GDPR and/or UK and/or Swiss Data Privacy Laws (as applicable), to an entity that processes the relevant personal data in a Restricted Country;
“Shared Data” means:
(1) any personal data that (i) the Client and/or their users share with us (via Genie or otherwise), including any feedback that Clients and/or their users provide to us in respect of Talent, Services or Genie; and (ii) expressly or by implication we are entitled to use for the benefit of us and/or other Clients (including to improve Genie and/or to ensure that Talent are appropriately matched to other Clients and/or Briefs). For the avoidance of doubt, personal data input into Genie by Clients and/or their users will be Client Data unless it is clear that such data will be used in accordance with our Privacy Policy; or
(2) any personal data relating to Talent that we share with you via Genie or otherwise; and
“UK” means United Kingdom.
1.2 In this DPA a reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Data Privacy Law(s) is that of the UK and/or Switzerland, be construed as a reference to the equivalent Data Privacy Law(s) of the UK and/or Switzerland (as applicable) and/or the corresponding provision of such Data Privacy Law(s).
1.3 Where the context so admits or requires words in this DPA denoting the singular include the plural and vice versa and words denoting any gender include all genders.
1.4 References to the word “including” and related expressions will mean “including, without limitation”.
1.5 References to “processor”, “controller”, “personal data”, “processing”, “personal data breach”, “data subject” or “supervisory authority” shall have the same meanings as defined under the Data Privacy Laws.
2. General obligations of the parties
You and we will each comply with obligations imposed on you and us, respectively, by the Data Privacy Laws. Neither you nor we shall do any act or thing that puts the other in breach of the Data Privacy Laws.
3. Genie as a processor of Client Data
Your and our relationship in respect of the Client Data
3.1 You and we acknowledge and agree that we process Client Data for and on your behalf and, accordingly, you are the controller and we are your processor in respect of the Client Data. In respect of our processing of the Client Data, details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in the Processing Annex.
3.2 For the avoidance of doubt, where you supply Invite Data to us, such Invite Data shall be processed by us solely for your benefit in accordance with the Processing Annex, unless we have already obtained, or subsequently obtain, the same personal data as Registration Data (in which event we will process such personal data in accordance with clause 4 of this DPA).
3.3 If at any time you or we consider that the relationship between you and us no longer corresponds with clauses 3.1 or 3.2, you or we (as applicable) shall promptly notify the other and you and we shall discuss and agree in good faith such steps that may be required to reflect your and our status.
Your and our obligations in respect of the Client Data
3.4 You shall be solely responsible for complying with the obligations applicable to controllers that are set out in the Data Privacy Laws and ensuring the lawfulness of your instructions referred to in clause 3.5.1. In particular, you shall ensure that you have a lawful basis, and have provided the relevant data subjects with a Privacy Policy that complies with the requirements of Articles 13 and/or 14 of the GDPR, in respect of the Client Data.
3.5 We shall, in respect of our processing of the Client Data:
3.5.1 only process the Client Data in accordance with your documented instructions (including those in the Processing Annex) unless required to do so by EU/UK Law to which we are subject, in which event we shall inform you of such legal requirement unless prohibited from doing so by EU/UK Law;
3.5.2 inform you if, in our opinion, an instruction given by you to us infringes the Data Privacy Laws;
3.5.3 ensure that any persons authorised by us to process the Client Data are subject to an obligation of confidentiality;
3.5.4 implement appropriate technical and organisational measures to ensure that Client Data is subject to a level of security appropriate to the risks arising from its processing, taking into account the factors and measures stated in Article 32 of the GDPR;
3.5.5 notify you without undue delay after becoming aware of a personal data breach;
3.5.6 taking into account the nature of the processing, assist you by implementing appropriate technical and organisational measures, insofar as this is possible, in respect of your obligation to respond to requests for exercising a data subject’s rights under Chapter III of the GDPR. For the avoidance of doubt we may provide such assistance by providing you with functionality within Genie that enables you to fulfil such requests on a self-service basis and, where we do so, we shall not be obliged to provide any further assistance unless and to the extent that such functionality cannot be used to fulfil the relevant request;
3.5.7 taking into account the nature of the processing and the information available to us, we shall assist you with regard to your compliance with Articles 32 to 36 (inclusive) of the GDPR;
3.5.8 upon termination of your use of Genie, deliver up or destroy such Client Data that is in our possession or under our control, unless and to the extent that EU/UK Law requires us to store such Client Data;
3.5.9 at your request, provide you with all information necessary to demonstrate our compliance with our obligations under this clause 3.5 and, if and to the extent that such provision of information does not demonstrate our compliance with such obligations, we shall allow for and contribute to audits and inspections conducted by or on your behalf subject to the following:
3.5.9.1 such audits may be performed no more than once per calendar year, save that further audits may be performed if an audit reveals any material non-compliance by us with our obligations in this clause 3.5 (the scope of such further audits being limited to auditing our compliance with those obligations that were not complied with);
3.5.9.2 prior to the conduct of such audit you shall, and shall procure that any third party auditor appointed by you will, enter into confidentiality undertakings in such form as is reasonably requested by us;
3.5.9.3 audits must be conducted during regular business hours (i.e. Monday to Friday, 9am to 5pm UK time, excluding UK bank and/or public holidays) and must not unreasonably interfere with our business;
3.5.9.4 you must provide us with any audit reports generated pursuant to any audit at no charge, unless prohibited by applicable law. You will ensure that the audit reports are kept confidential and may use the audit reports only for the purposes of meeting your audit requirements under Data Privacy Laws and/or confirming compliance with the requirements of this clause 3.5;
3.5.9.5 nothing in this clause shall require us to breach any duties of confidentiality owed to any of our clients, employees or other third parties;
3.5.9.6 notwithstanding anything else in this DPA or the Terms, all audits shall be conducted at your sole cost and expense;
3.5.10 notwithstanding any other provision of this DPA or the Terms, be entitled to appoint further processors to process the Client Data on our behalf (“Sub-processor”), subject to the following:
3.5.10.1 we shall be entitled to use those Sub-processors identified in the Processing Annex;
3.5.10.2 we shall notify you in writing of our intention to engage any additional Sub-processor. Such notice shall give details of the identity of such Sub-processor and the services to be supplied by it; and
3.5.10.3 you shall be entitled to object (acting reasonably) to our proposed engagement of the Sub-processor by providing written notice to us. You shall be deemed to have approved such engagement if you have not served such a notice in writing on us within seven days of the date of our notice referred to in clause 3.5.10.2;
3.5.10.4 where you object to our proposed engagement of a Sub-processor, if the objection cannot be resolved by the parties within fourteen days of receipt by us of your written objection, we may on immediate written notice terminate your use of Genie without liability to you;
3.5.10.5 we will enter into a legally binding contract between us and the Sub-processor that contains data protection obligations on the Sub-processor that comply with the requirements of the Data Privacy Laws and in particular that provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Client Data will meet the requirements of the Data Privacy Laws and ensure the protection of the rights of data subjects; and
3.5.10.6 we will remain fully liable for all acts or omissions of the Sub-processors as if they were our acts or omissions;
3.5.11 we shall be entitled to process or permit the processing of the Client Data in a Restricted Country, subject to us putting in place safeguards to ensure that the Restricted Transfer meets the International Transfer Requirements.
4. Genie and Clients as controllers
4.1 If and to the extent that you or we process the Genie Data, you and we acknowledge and agree that you and we are each separate independent controllers in respect of such processing and the following provisions shall apply.
4.2 You and we shall each comply with obligations applicable to controllers that are set out in the Data Privacy Laws.
4.3 You acknowledge and agree that, in respect of our processing of any Shared Data personal data that you provide to us, our compliance with the Data Privacy Laws may be dependent on your compliance with Data Privacy Laws and, accordingly, we will not be liable under this DPA for a failure to comply with the Data Privacy Laws where such failure results from your failure to comply with the Data Privacy Laws.
4.4 You shall ensure that you have a lawful basis, and have provided the relevant data subjects with a Privacy Policy that complies with the requirements of Articles 13 and/or 14 of the GDPR, in respect of your provision of any Shared Data personal data to us.
4.5 We will process the Genie Data for the purposes set out in, and in accordance with, our Privacy Policy.
4.6 You and we shall:
4.6.1 promptly notify the other party of any data subject request, personal data breach and/or data subject complaint that (as applicable) names the other or concerns the other’s processing of the Genie Data;
4.6.2 provide such necessary and reasonable assistance, information and co-operation to the other party and to any supervisory authority, in connection with:
4.6.2.1 the matters referred to in clause 4.6.1;
4.6.2.2 any investigations, audits or enquiries made by a supervisory authority;
4.6.2.3 making appropriate notifications to data subjects and/or supervisory authorities in the event of a personal data breach;
4.6.2.4 carrying out any data protection impact assessment in relation to the processing of the Genie Data; and/or
4.6.2.5 the other’s ability to comply with any other obligation imposed on it by the Data Privacy Laws.
4.7 In the event of a personal data breach affecting the Genie Data:
4.7.1 neither you nor we shall make any public announcements relating to the personal data breach that may adversely affect the other party; and
4.7.2 you and we shall cooperate with each other in good faith to try to mitigate the effects of such personal data breach.
5. Cost of compliance
5.1 You will pay us in respect of any costs that are (or are to be) reasonably incurred outside the ordinary course of our business by us in respect of the performance by us of our obligations in this DPA, except where such performance is required as a result of a breach by us of our obligations under this DPA. Where practicable to do so, we will seek your written approval prior to incurring such costs.