FUNNEL GDPR DATA PROCESSING AGREEMENT

1. Background

1.1 This Funnel GDPR Data Processing Agreement (“GDPR DPA”) supplements the Funnel General Terms and Conditions available at https://funnel.io/general-terms-and-conditions, as updated from time to time (the “General Terms”), or the other agreement between Customer and Funnel, and applies between Funnel and the Customer when the GDPR applies to the Customer’s use of the Service.

1.2 The purpose of this GDPR DPA is to fulfil the requirements of a written agreement pursuant to Article 28 of the GDPR.

2. Definitions

In this DPA the following terms shall have the following meanings:

“Agreement” has the meaning ascribed to it in the General Terms.

“Customer” has the meaning ascribed to it in the General Terms.

“Data Protection Laws” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) including supplementing legislation acts and decisions.

“GDPR DPA” refers to this Data Processing Agreement and all annexes hereto.

“Funnel” has the meaning ascribed to it in the General Terms.

“General Terms” refers to the Funnel General Terms and Conditions available at https://funnel.io/general-terms-and-conditions, as updated from time to time.

“Personal Data” refers to the personal data that Funnel processes on behalf of Customer pursuant to the Agreement.

“personal data breach”, “controller”, “data subject”, “personal data”, “processor” and “processing” all have the meaning given under the GDPR.

3. Processing instructions

3.1 In consideration of Customer making available the Personal Data to Funnel, Funnel agrees to process the Personal Data in accordance with the terms and conditions of this GDPR DPA.

3.2 Subject to clause 3.3 in this GDPR DPA, the Parties acknowledge and agree that:

i. for the purposes of this GDPR DPA and as between them, Customer is, or shall be regarded as, a controller of the Personal Data and Funnel is, or shall be regarded as, a processor of the Personal Data; and

ii. Customer will comply with its obligations as a controller under the Data Protection Laws and Funnel will comply with its obligations as a processor under this GDPR DPA, the Data Protection Laws and Customer’s written instructions.

3.3 Customer instructs Funnel, and Funnel agrees to, process the Personal Data in accordance with the instructions put forward in Annex 1.

4. Confidentiality of processing

4.1 Funnel shall ensure that all persons it authorizes to process the Personal Data are subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and only process the Personal Data as set out in this GDPR DPA.

4.2 Funnel shall ensure that only persons who need to process the Personal Data, in order for Funnel to supply the Service, have access to such Personal Data.

5. Data subject rights

5.1 Funnel shall provide reasonable assistance, taking into account the nature of processing and the information available to Funnel, to Customer to enable Customer to respond to:

i. any request relating to the Personal Data from a data subject to exercise any of its rights under Data Protection Laws;

ii. any other correspondence, enquiry or complaint received from a data subject or regulator in connection with the processing of the Personal Data by Funnel.


5.2 If any such request, correspondence, enquiry or complaint is made directly to Funnel, Funnel shall without undue delay inform Customer of such request, correspondence, enquiry or complaint.

5.3 Funnel shall not disclose any Personal Data in response to a request for access or disclosure from any third party without Customer’s prior written consent, unless where Funnel is compelled to do so in accordance with applicable law or as otherwise allowed under this GDPR DPA or the Agreement.

6. Data protection impact assessments

If requested by Customer, Funnel shall provide Customer with reasonable assistance in order for Customer to conduct a data protection impact assessment; and if necessary, consult with its relevant supervisory authority.

7. Security

7.1 Funnel shall implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

7.2 Funnel shall notify Customer of any personal data breach involving the Personal Data that it becomes aware of without undue delay, and in any case, never later than 48 hours after Funnel becomes aware of the personal data breach. All such notifications shall be made at Funnel’s discretion by a phone call or email to the Customer representative that Funnel regularly liaises with, or such privacy contact person notified to Funnel by Customer.

7.3 If the personal data breach may be attributed to Funnel’s processing of the Personal Data, Funnel shall cooperate with Customer and provide Customer with reasonable assistance and information in the investigation of a personal data breach.

7.4 Each Party shall bear its respective costs associated with managing a personal data breach and fulfilling its respective obligations under this GDPR DPA or the Data Protection Laws.

8. Sub-Processors

8.1 Customer gives Funnel a general written authorisation to subcontract any processing of the Personal Data to a third-party subcontractor.

8.2 Funnel shall, upon request from Customer, provide a list to Customer of the third-party subcontractors Funnel engages with in its processing of the Personal Data. Further, Customer may receive notifications on changes in subcontractors engaged for Funnel’s processing of Personal Data by signing up for such notifications at https://funnel.io/general-terms-and-conditions/privacy-notifications, and Funnel will notify Customer of such changes from Funnel having confirmed Customer’s signup.

8.3 Funnel shall impose data protection terms to an equivalent standard as provided for under this GDPR DPA for all its subcontractors.

8.4 Funnel shall remain fully liable for the processing of the Personal Data that its subcontractors process under this GDPR DPA.

9. Audit

9.1 Funnel shall permit Customer, or its appointed third-party independent auditors bound by customary confidentiality undertakings, to audit Funnel's compliance with this GDPR DPA, and shall make available to Customer information necessary for demonstrating compliance with the obligations under this GDPR DPA with regard to Funnel’s processing of its Personal Data. Funnel acknowledges that Customer’s third-party independent auditors may enter its premises for the purposes of conducting this audit, provided that Funnel is given reasonable prior notice of Customer’s intention to audit, the audit is conducted during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Funnel's operations. Customer will not exercise its audit rights more than once in any twenty-four (24) calendar month period, except if, and when, required by instruction of a competent supervisory authority.

10. International data transfers

Customer gives Funnel permission to transfer and process the Personal Data outside the European Economic Area, as long as Funnel transfers such Personal Data in accordance with one of the allowed mechanisms prescribed by the Data Protection Laws.

11. Terms and termination

11.1 This GDPR DPA shall be in effect for as long as Funnel processes Personal Data for Customer. Upon termination of the Agreement, Funnel shall destroy or return the Personal Data to Customer, depending on what Customer chooses. If Customer has not informed Funnel of its choice within one (1) month from the termination of the Agreement, Funnel shall destroy all Personal Data in accordance with Funnel’s retention plan (generally within another one-month period).

11.2 At the request of Customer, Funnel shall confirm the actions taken regarding the Personal Data after the completion of the process mentioned in clause 11.1 in this GDPR DPA.

11.3 If Customer chooses that Funnel should destroy the Personal Data, in accordance with clause 11.1 in this GDPR DPA, it shall not apply to the extent that Funnel is required by any European Union, or Member State, law or other applicable law to retain such data.

11.4 All clauses of this GDPR DPA which by their nature should survive termination will survive termination.

ANNEX 1

INSTRUCTION FOR PROCESSING OF THE PERSONAL DATA

Purposes

To provide the Service and support services pursuant to the Agreement and security and monitoring.

Categories of Personal Data

The Personal Data, if any, included in the Data Sources which the Customer imports to the Service; e.g. indirectly identifiable ID numbers, in rare cases names or contact details.

Categories of data subjects

Data subjects whose Personal Data is in the Data Sources, e.g. customers’ customers and employees.

Processing activities

  • Collection;
  • logging;
  • organization;
  • structuring;
  • storage;
  • adaptation or alteration;
  • use;
  • disclosure;
  • anonymization or aggregating;
  • copying; and
  • erasure.

Location for the processing of the Personal Data

  • EU;
  • UK;
  • Australia; and
  • USA.

Retention periods

Funnel will process the Personal Data during the term of the Agreement and for a reasonable period of time thereafter to allow for Customer’s choice of destruction or return of the Personal Data in accordance with Section 11.1 of this DPA. However, Funnel will strive to aggregate or in other ways de-identify the Personal Data so it is no longer considered as personal data.

Subcontractors per the Effective Date

Funnel uses data center services from Amazon Web Services (AWS) and Google based in the EU and the USA. Funnel group companies located in the EU, USA, UK and Australia may assist in providing support services.