Last Updated Date: 24th January 2022
1. INTRODUCTION
1.1 These terms, including their annexes, (the “Data Processing Terms”) govern the processing of personal data by Gelato as processor on behalf of the Customer as controller under the Terms or Agreement concerning the Services provided by Gelato through the Gelato Platform. These Data Processing Terms do not govern (i) personal data processed by Gelato as controller, or (ii) processing of personal data not subject to the GDPR.
1.2 These Data Processing Terms supersede any prior agreements and provisions between the parties concerning the processing of personal data under the Terms or Agreement.
1.3 In the event of inconsistency between the Agreement and these Data Processing Terms on matters specifically concerning data protection, the latter shall prevail.
2. DEFINITIONS
2.1 "Applicable Data Protection Law": Applicable data protection and privacy law of the country in which the Customer and Gelato are incorporated, including the GDPR.
2.2 "GDPR": The EU General Data Protection Regulation 2016/679.
2.3 "Standard Contractual Clauses": The standard contractual clauses for the transfer of personal data to third countries, laid down by the EU Commission decision of 4 June 2021 and/or laid down by the EU Commission or a relevant supervisory authority in accordance with Article 28(7) or 28(8) of the GDPR.
2.4 "User Content" means text, pictures, audio, video, files, templates, fonts, logos, metadata and other content uploaded to or created on the Gelato Platform (Customer Content).
2.5 Other terms shall have the meaning as defined in the Agreement or in Applicable Data Protection Law.
3. SCOPE
3.1 The Customer instructs Gelato to process personal data on behalf of the Customer as follows:
• Nature/purpose: Processing of personal data contained in the User Content uploaded by or on behalf of the Customer to the Gelato Platform for the business purpose of performing the Services which are performed on behalf of Customer.
• Data subjects: Persons mentioned, depicted or otherwise identifiable from the data contained in the User Content.
• Categories of personal data: Names, positions, phone numbers, email addresses, images and other information relating to the data subjects. The Customer will generally not include special categories of personal data (sensitive data) in the User Content.
3.2 For the avoidance of doubt, Gelato processes personal data, including name, email addresses, user names and passwords, concerning the Customer's personnel as controller. Such processing is not governed by this Data Processing Agreement, however Gelato shall process such personal data in accordance with Applicable Data Protection Law.
4. GENERAL OBLIGATIONS
4.1 The Customer shall comply with its obligations under Applicable Data Protection Law, including by ensuring lawfulness of the processing (such as by collecting consents if required) and by giving data subjects information about the processing (such as by means of a privacy notice).
4.2 Gelato shall process the personal data solely for the purpose and within the scope of clause 3, and shall refrain from processing the personal data for its own purposes. This shall however not prevent Gelato from extracting and processing anonymous data, such as aggregated knowledge and statistics, from such personal data, including for the purpose of product development.
4.3 Gelato shall without undue delay inform the Customer in writing if, in its reasonable opinion, (i) an instruction from the Customer will cause Gelato to infringe Applicable Data Protection Law, or (ii) a legal requirement laid down by EU law or law in an EEA/EU country requires Gelato to process personal data beyond the scope of the Customer's documented instructions, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform the Customer as soon as permitted by law). In the event of (i) or (ii), the parties shall in good faith discuss how to solve the issue without adversely affecting the data protection.
4.4 Gelato acknowledges and agrees that its execution of the Agreement constitutes its certification that it understands the restrictions set forth in these Data Processing Terms and will comply with them.
5. ASSISTANCE TO THE CUSTOMER
5.1 Gelato shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to and comply with requests for exercising the data subject's rights laid down in Applicable Data Protection Law.
5.2 Taking into account the nature of processing and the information available to Gelato, Gelato shall assist the Customer with the obligations pursuant to Articles 32 to 36 of the GDPR, including the obligations of data security (as further described in clause 6), personal data breach notification (as further described in clause 9), data protection impact assessments, and prior consultations.
5.3 Assistance under this clause 5, which is performed upon the Customer's request, shall be without additional charge up to a maximum of 15 hours per calendar year. Assistance exceeding such hours shall be payable based on the hourly rates which are agreed between the parties under the Agreement. If no rates have been agreed, Gelato's ordinary rates will apply.
6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
6.1 Gelato shall implement and maintain throughout the term appropriate technical and organisational data security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access as required pursuant to Article 32 of the GDPR.
6.2 Gelato's security measures are described in Appendix 1. The Customer acknowledges that Gelato may from time to time make amendments to these measures, provided that the amendments do not adversely affect the level of data security.
6.3 Gelato shall not disclose or make available the personal data to any third party except with the prior written approval of the Customer, and except to any sub-processors (subject to clause 7) on a need-to-know basis.
6.4 Gelato shall ensure that persons under its control who have access to the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. USE OF SUB-PROCESSORS
7.1 The Customer authorises Gelato to engage sub-processors. In general, print service providers act as sub-processors, whereas logistics service providers act as separate controllers.
7.2 The Customer is hereby informed that Gelato will continuously add and replace sub-processors for the purpose of maintaining and continuously improving the Services. Gelato shall on the Gelato Platform make available an up-to-date list of the sub-processors (identities may be kept confidential if required to comply with confidentiality undertakings). The current list of sub-processors is attached as Appendix 2. The Customer can at any time object to any of the sub-processors. If so, Gelato shall endeavour to deliver the Services without the sub-processor, however the Customer acknowledges that Gelato may then not be able to provide the Services.
7.3 Sub-processing shall only be done by way of a written agreement with the sub-processor which imposes appropriate data protection obligations on the sub-processor. Where a sub-processor is engaged for carrying out specific processing activities on behalf of the Customer, Gelato shall by way of a written agreement impose on the sub-processor the same data protection obligations as set out in these Data Processing Terms. At the Customer's request, Gelato shall provide the Customer with a copy of such written agreement, however commercial and other business sensitive information may be redacted.
7.4 Gelato remains fully liable to the Customer for the performance of the sub-processors' obligations.
8. INTERNATIONAL DATA TRANSFER
8.1 Gelato may transfer personal data to a non-EEA country (third country) or an international organisation only if it complies with the requirements laid down in the GDPR and only on documented instructions from the Customer.
8.2 If, subject to clause 7, the use of a sub-processor requires the transfer of personal data to a third country, Customer instructs Gelato to transfer personal data to such sub-processor. Gelato shall ensure that the Standard Contractual Clauses are concluded with the sub-processor.
8.3 Gelato may transfer personal data to a third country without instructions if so required by applicable law in the EEA. In such event, Gelato shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform the Customer as soon as permitted by law).
9. PERSONAL DATA BREACHES
9.1 In the event of a personal data breach, Gelato shall without undue delay notify the Customer in writing about the breach.
9.2 The notification shall, if relevant, and to the extent Gelato has or may reasonably obtain the information, contain:
a. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the identities of the affected data subjects, if possible;
c. the name and contact details of a contact point of Gelato where more information may be obtained;
d. a description of the likely consequences of the personal data breach;
e. a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
f. other information reasonably required for the Customer to comply with Applicable Data Protection Law.
9.3 The Customer is solely entitled to and, if required by Applicable Data Protection Law, obliged to notify the relevant supervisory authority and the data subjects about a personal data breach.
9.4 Gelato shall without undue delay take all those measures reasonably required for the purpose of avoiding the re-occurrence of similar personal data breaches.
10. AUDITS
10.1 Gelato shall maintain necessary records and make available to the Customer all information reasonably necessary to demonstrate compliance with these Data Processing Terms and Applicable Data Protection Law.
10.2 Gelato shall allow for and contribute to audits of Gelato's processing operations conducted by the Customer or another auditor engaged by the Customer. The audits shall generally be performed by review of audit reports prepared by a third party auditor engaged by Gelato, which will be made available to the Customer upon request.
10.3 If the Customer can substantiate reasons that justify an additional audit, the Customer is entitled to request further information and to perform an on-site audit of Gelato, and, if required, of the sub-processor. The personnel conducting the audit shall be subject to appropriate confidentiality undertakings. A request for audit shall, if possible, be made with at least 14 days' notice. To the extent reasonably possible, audits shall be conducted within ordinary working hours and without obstructing Gelato's activities.
10.4 Authorities who supervise the Customer have a right to request information from and to conduct audits of Gelato to the same extent as the Customer.
10.5 A party shall cover its own costs associated with an audit performed under this clause.
10.6 However, if an audit reveals material deviations from the obligations set out in these Data Processing Terms, the costs of the audit shall be borne by Gelato, including reasonable costs of the Customer and another auditor engaged by the Customer.
11. TERM AND TERMINATION
11.1 These Data Processing Terms will remain in force as long as Gelato processes personal data on behalf of the Customer under the Agreement.
11.2 Upon expiry, Gelato shall, at the choice of the Customer, return all personal data and copies thereof to the Customer or delete all personal data. Return, if chosen, shall take place by means of allowing the Customer to have access to the personal data within a period of 90 days following termination, so as to enable the extraction of the personal data.
11.3 The Customer acknowledges that, irrespective of deletion, Gelato may retain personal data in backup in accordance with Gelato's ordinary backup routines, however without using the personal data for any purpose.
APPENDIX 1 - SECURITY MEASURES
We are compliant with Applicable Data Protection Law, including article 32 of the GDPR. Gelato uses physical, technical, and organizational security measures to safeguard the confidentiality, integrity and availability of its data, from unauthorized or accidental disclosure.
Gelato maintains a security program aligned to ISO 27000 series and NIST standards. We develop security policies and procedures for the key areas of the organization. All Gelato employees are kept up-to-date on our security and privacy practices, and regular security awareness trainings are performed.
Access to the Gelato portal is encrypted and protected (encryption in transit) using strong protocols (TLS) and algorithms. All Gelato servers are hosted in the cloud. Security measures are one of the key criteria based on which we select our cloud providers (currently AWS, Google Inc. and Yandex). In addition to the cloud providers' security measures, we use encryption at rest for the data. The data is backed up regularly so that it can be restored if needed. When payments are processed via credit card, we use third party vendors that are PCI DSS compliant.
Despite these efforts, no information system can be 100% secure, so we cannot guarantee the absolute security of our systems. Customers also have a role to play in keeping their data safe. We encourage your users to use unique and hard-to-guess passwords for their accounts and not to share them with others. You should only grant access rights to people who you know and trust. You should monitor the accounts regularly. If you suspect that someone has gained unauthorized access to your account, please contact us immediately so that we can investigate.
APPENDIX 2 - LIST OF SUBPROCESSORS
Entity country | Entity name | Entity type
---|---|---
Denmark | Clerk.IO | Software Provider
Ireland | Google Inc. | Cloud Service Provider
Ireland | Hubspot | Client Relationship Management
Malta | Hotjar | Software Provider
Netherlands | Adyen B.V. | Payment Provider
Russia | Yandex | Cloud Service Provider
United Kingdom | Lexion | Contract Management System
United States of America | Amazon Web Services Inc. | Cloud Service Provider
United States of America | Blueshift Labs | Software Provider
United States of America | Customer.io | Analytics Provider
United States of America | Pendo | Analytics Provider
United States of America | Sentry | Software Provider
United States of America | Slack | Software Provider
United States of America | Zendesk | Software Provider
United States of America | Thankful AI, Inc. | Software Provider
Denmark | Name redacted | Distribution Partner
France | Name redacted | Distribution Partner
Ireland | Name redacted | Distribution Partner
Sweden | Name redacted | Distribution Partner
Sweden | Name redacted | Distribution Partner
Australia | Name redacted | Print Partner
Australia | Name redacted | Print Partner
Australia | Name redacted | Print Partner
Austria | Name redacted | Print Partner
Belgium | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Brazil | Name redacted | Print Partner
Canada | Name redacted | Print Partner
Canada | Name redacted | Print Partner
Canada | Name redacted | Print Partner
Chile | Name redacted | Print Partner
China | Name redacted | Print Partner
Czech Republic | Name redacted | Print Partner
Czech Republic | Name redacted | Print Partner
Czech Republic | Name redacted | Print Partner
Denmark | Name redacted | Print Partner
Denmark | Name redacted | Print Partner
France | Name redacted | Print Partner
France | Name redacted | Print Partner
France | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Germany | Name redacted | Print Partner
Greece | Name redacted | Print Partner
India | Name redacted | Print Partner
India | Name redacted | Print Partner
Ireland | Name redacted | Print Partner
Ireland | Name redacted | Print Partner
Italy | Name redacted | Print Partner
Japan | Name redacted | Print Partner
Mexico | Name redacted | Print Partner
Mexico | Name redacted | Print Partner
Netherlands | Name redacted | Print Partner
Netherlands | Name redacted | Print Partner
Netherlands | Name redacted | Print Partner
Netherlands | Name redacted | Print Partner
New Zealand | Name redacted | Print Partner
New Zealand | Name redacted | Print Partner
New Zealand | Name redacted | Print Partner
Norway | Name redacted | Print Partner
Norway | Name redacted | Print Partner
Portugal | Name redacted | Print Partner
Russia | Name redacted | Print Partner
Singapore | Name redacted | Print Partner
Singapore | Name redacted | Print Partner
South Africa | Name redacted | Print Partner
South Korea | Name redacted | Print Partner
Spain | Name redacted | Print Partner
Spain | Name redacted | Print Partner
Spain | Name redacted | Print Partner
Sweden | Name redacted | Print Partner
Sweden | Name redacted | Print Partner
Sweden | Name redacted | Print Partner
Switzerland | Name redacted | Print Partner
Switzerland | Name redacted | Print Partner
Switzerland | Name redacted | Print Partner
Turkey | Name redacted | Print Partner
United Arab Emirates | Name redacted | Print Partner
United Arab Emirates | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United Kingdom | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner
United States of America | Name redacted | Print Partner