Data Processing Addendum
Effective date: January 2025
This Data Processing Addendum ("Addendum") applies to the Services provided pursuant to the SmartWiFi Platform License Agreement (the "Terms") to which this Addendum is attached (the "Agreement") between SmartWiFi ("SmartWiFi") and you ("Customer"). This Addendum is hereby incorporated into and made a part of the Agreement.
1. Purpose And Application
This Addendum is the parties' agreement with respect to the Processing by SmartWiFi of Personal Data under the Agreement. The terms of this Addendum apply where the GDPR applies to the Processing of Personal Data.
The terms of this Addendum shall be in force on the date of the registration for an account with SmartWiFi.
2. Definitions
Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:
"Authorized Personnel" has the meaning given to the term in Section 4.1.2.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"End User Data" has the meaning given to the term in the Agreement.
"Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
"Data Protection Laws" or "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"Personal Data" means End User Data that is information relating to an identified or identifiable natural person (‘data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
"Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller.
"Restricted Transfer" means the transfer of any Personal Data to which the GDPR applies to any country or organization, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.
"Services" means the Services set out in the Terms.
"Subprocessor" means a third-party who Processes End User Data on behalf of the Processor in order to provide portions of the Services.
3. Processing of Personal Data
3.1 Roles and Responsibilities
3.1.1 Where the GDPR applies to the Processing of Personal Data by SmartWiFi, Customer is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and SmartWiFi is the Processor of the Personal Data, except only when Customer acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case SmartWiFi shall be only a Subprocessor. Where SmartWiFi is a Subprocessor, Customer represents and warrants that it has all necessary authority of the relevant Controller to engage SmartWiFi as a Subprocessor. Notwithstanding anything to the contrary, in all cases, Customer acknowledges, agrees and represents that SmartWiFi shall not be the Controller of Personal Data.
3.1.2 SmartWiFi shall only comply with Data Protection Laws to the extent they apply to SmartWiFi's Processing of Personal Data on behalf of Customer. Customer shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Customer shall obtain all required consent from the data subjects of Personal Data for SmartWiFi to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.
3.2 Scope of Processing
3.2.2 Customer's instructions for SmartWiFi`s Processing of Personal Data shall comply with all Data Protection Laws. Customer shall not instruct SmartWiFi to undertake any Restricted Transfer.
3.2.3 Notwithstanding Section 3.2.1 above, SmartWiFi may Process Personal Data where required by any applicable law to which SmartWiFi is subject, in which case SmartWiFi shall (to the extent permitted by law) inform Customer of that legal requirement before carrying out the Processing.
3.2.4 The nature and purpose of SmartWiFi's Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligation and rights of Customer are set out in the Agreement, including in this Addendum.
4. Security
4.1 Security Measures
4.1.1 SmartWiFi has taken, and Customer shall take, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, the appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
4.1.2 SmartWiFi shall cause that access to Personal Data within the possession of SmartWiFi is limited to those individuals who need access in order to meet SmartWiFi's obligations under the Agreement (together the "Authorized Personnel").
4.1.3 All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Customer.
4.2 Data Incident
4.2.1 On becoming aware of a Data Incident, SmartWiFi will: (a) notify Customer of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Customer or any User, take those steps that SmartWiFi deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in SmartWiFi's reasonable control.
5. Subprocessors
5.1 General
5.1.1 SmartWiFi shall not engage Subprocessors (excluding independent contractors) without prior specific or general written authorization of Customer and will require such Subprocessors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of SmartWiFi's current Subprocessors are set out in Appendix A and Customer hereby authorizes SmartWiFi to use such Subprocessors.
5.1.2 SmartWiFi may, at its discretion, choose to engage additional third-parties as Subprocessors generally. If SmartWiFi chooses to engage Subprocessors generally, SmartWiFi will inform Customer of any new Subprocessors at least 30 days prior to authorizing the Subprocessor to Process Personal Data and Customer may object to the new Subprocessor by providing SmartWiFi written notice within 15 days of receipt of such notice. If Customer objects to the new Subprocessor under this Section 5.1.2: (i) SmartWiFi will, in its sole discretion, provide the Services without the new Subprocessor Processing any Personal Data; or, (ii) Customer may terminate the Services which require the new Subprocessor.
6. Audits
6.1 GDPR Audits
6.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer's sole expense, SmartWiFi shall make available to Customer such of SmartWiFi's information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
7. Deletion and Return of Personal Data
7.1.1 At the end of the Services and at the choice of Customer, SmartWiFi shall delete or return all the Personal Data to Customer, and delete all Personal Data unless prohibited by Data Protection Laws. Please go toData Processing
8. Rights of Data Subjects
8.1.1 SmartWiFi shall, at Customer's sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and SmartWiFi's role as a Processor.
9. Impact Assessment
9.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer's sole expense, SmartWiFi will provide reasonable assistance to Customer in its obligations to comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.
10. Indemnity
10.1.1 Customer shall fully indemnify and keep indemnified and defend at its own expense SmartWiFi against all liability, losses, claims, costs and reasonable expenses, including legal fees, which SmartWiFi may incur, or for which SmartWiFi may become liable to the extent arising from any Processing of Personal Data in accordance with the instructions of the Customer, any Customer breach of this Addendum or any Data Protection Laws, or any of Customer's acts or omissions in respect of its obligations as a Controller of Personal Data.