Data Sharing Agreement
This Data Sharing Agreement (“Agreement“), forms an integral part of, and is subject to the TinyTap Terms of Service between TinyTap, Ltd. (“TinyTap“) and the person or entity accepting this Agreement (respectively “Co-Controller” and the “Terms“) and shall be effective as of the date of acceptance by Co-Controller. Capitalized terms not otherwise defined herein shall have the meanings given to them in the Terms.
Whereas, each party serves as a Controller (defined below) with respect to Personal Data (defined below) of C-Controller’s end users and;
Whereas, the parties wish to set forth the respective responsibilities and duties toward one another and toward Data Subjects (defined below) with respect to their position as co-controllers of Personal Data;
Now therefore, intending to be legally bound, the parties hereby agree as follows:
- Definitions. In addition to capitalized terms defined elsewhere in this Agreement, the following terms shall have the meanings set forth below:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Applicable Law” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“) and laws implementing or supplementing the GDPR.
- The terms “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processor“, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
- Relationship Between the Parties.
- TinyTap may provide Co-Controller with access to Personal Data of its end users, in accordance with the terms of the Terms and this Agreement and in accordance with and subject to Applicable Law, including, where required, consent from the end user.
- The parties agree that each will act as a Controller with respect to Personal Data. It is acknowledged that each is a separate, independent Controller of the Personal Data disclosed under the Terms. Personal Data disclosed under the Terms will not be processed by the parties as joint controllers as referred to in Article 26 of the GDPR. Each party shall be independently responsible for compliance with its obligations as a Controller under Applicable Law.
- In their capacity of co-controllers, the parties shall ensure that end users are provided with all information required under Applicable Law, including with regard to the source of the Personal Data and how to reach the relevant co-controller, as required under Applicable Law.
- Processing of Personal Data.
- Neither party will disclose any Personal Data to the other party other than as permitted under the Terms, this Agreement, and under Applicable Law.
- With respect to Personal Data shared in the context of the Terms, each party shall Process such Personal Data (i) in accordance with the terms of the Terms, this Agreement and Applicable Law and (ii) for the sole purpose of complying with its obligations under the Terms.
- Each party represents and warrants that it shall only share Personal Data with the other party in compliance with Applicable Law and its obligations under the Terms and this Agreement.
- Unless otherwise agreed in writing and in advance, neither party shall share any Personal Data with the other party that contains any special categories of personal data (in accordance with Article 9 of the GDPR), or (ii) contains Personal Data relating to children under age 16 or any other age requiring parental consent, as provided by Applicable Law, provided however, that in the event that parental consent has been provided, processing thereof shall be permitted hereunder, subject to Applicable Law.
- Security. Each party shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Personal Data, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR.
- Personal Data Breach.
- Each party shall notify the other party without undue delay upon becoming aware of a Personal Data Breach.
- In the event of such a Personal Data Breach, the parties shall cooperate in good faith in connection with the investigation, mitigation, and remediation of such Personal Data Breach and for the purpose of complying with each party’s obligations under Applicable Law.
- Third Party Processors. Each party may transfer personal data to and otherwise interact with third-party data Processors. Each party agrees that if it transfers Personal Data or otherwise interacts with a third-party data Processor, it will enter into a separate contractual arrangement with each such Processor to ensure compliance with its obligations under Applicable Law and hereunder.
- Data Subject Rights.
- Each party shall assist the other party, to the extent reasonably requested, to comply with any of such other party’s statutory obligations concerning requests to exercise Data Subject rights under Applicable Law (e.g., for access, rectification, deletion of Personal Data, etc.)
- When a Data Subject whose Personal Data is being Controlled by both parties submits a written request to either party to inspect his or her Personal Data, such party shall:
promptly, and in any event within two (2) days of receiving such request, inform the other party of such request; and
provide the data subject with other party’s name and address for further inquiries.
- Retention, Deletion or Return of Personal Data. Subject to Applicable Law, each party will retain Personal Data only for as long as necessary to satisfy the purposes for which it was provided to such party, or to the extent required by Applicable Law.
- Liability and Indemnity. Notwithstanding anything to the contrary in the Terms, Co-Controller shall indemnify and hold TinyTap harmless against all claims, actions, third party claims, losses, damages and expenses incurred by TinyTap and arising directly or indirectly out of or in connection with a data breach, breach of this Agreement and/or Applicable Law by Co-Controller.
- General Terms.
- This Agreement shall terminate automatically upon the termination of the Terms, provided however, that each party’s obligations under this Agreement will apply for so long as such party has access to the other party’s Personal Data.
- Governing Law and Jurisdiction.
The Parties to this Agreement hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.[
This Agreement and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.
- Order of Precedence.
- Nothing in this Agreement reduces the parties’ obligations under the Terms in relation to the protection of Personal Data or permits either party to Process (or permits the Processing of) Personal Data in a manner that is prohibited by the Terms.
- In the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including the Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
- Changes in Data Protection Laws.
- Either party may, by at least thirty (30) calendar days’ prior written notice to the other party, request in writing any variations to this Agreement if they are required as a result of any change in, or decision of a competent authority under Applicable Law in order to allow Personal Data to be Processed (or continue to be Processed) without breach of Applicable Law.
- If the proposed changes are not acceptable to the other party, either party may, with immediate effect, terminate the Terms to the extent that it relates to the services under the Terms that are affected by the proposed variations (or lack thereof).
- Severance. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Agreement is entered into and becomes a binding part of the Agreement with effect from the date set out above.