Data Processing Agreement

Background and Interpretation

Touchtech will process personal data on behalf of the Customer when providing the Service according to the Agreement. Touchtech will process the personal data for which Customer is the controller and for which Touchtech is the processor, as further specified in Appendix 1B.

When the Customer’s subsidiaries and other partners (“Associated Companies”) are controllers of personal data processed by Touchtech under the Agreement, the Customer shall inform Touchtech of such Associated Companies. The obligations that Touchtech has towards the Customer under the Agreement (and the rights conferred upon the Customer under the Agreement) shall also apply towards Associated Companies, insofar as is necessary in order to comply with the GDPR. The Customer shall ensure that the Associated Companies undertake the rights and obligations as controller under the Agreement in relation to Touchtech.

In some cases, personal data of which the Parties are separately controllers is shared between the Parties via the Platform. In such case, the other Party will become the controller of the shared data. This DPA does not regulate the processing of such personal data shared between the Parties.

One Party may be the controller for the same type of data as it is also the processor for on behalf of the other Party.

This DPA forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.

Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the GDPR and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances. The terms “processing” and “personal data” refer exclusively to such processing and such personal data that Touchtech processes on behalf of the Customer in accordance with this DPA.

Instructions and Responsibilities

The type of personal data and categories of data subjects processed by Touchtech under this DPA and the purpose, nature, duration and objects of this processing are described in the instructions on processing of personal data in Appendix 1A or the written instructions that the Customer provides from time to time. The Customer shall make sure not to use the Platform in a way which means that Touchtech processes additional categories of personal data, or personal data relating to other data subjects than those specified in the Customer’s written instructions.

Customer is responsible for complying with the GDPR. Customer shall in particular:

  • be the contact person towards data subjects, i.e. respond to their inquiries regarding the processing of personal data;

  • ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;

  • provide Touchtech with documented instructions for Touchtech’s processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;

  • immediately inform Touchtech of changes that affect Touchtech’s obligations under this DPA;

  • immediately inform Touchtech if a third-party takes action or lodges a claim against Customer as a result of Touchtech’s processing under this DPA; and

  • immediately inform Touchtech if anyone else is joint controller with Customer of the relevant personal data.

When processing personal data, Touchtech shall:

  • only process personal data in accordance with Customer’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix 1B;

  • ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  • maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in the section below called Security;

  • respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;

  • taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;

  • assist Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Touchtech;

  • at the choice of Customer, delete or return all the personal data to Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and

  • make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor agreed upon by the Parties.

Touchtech shall notify the Customer without undue delay, if, in Touchtech’s opinion, an instruction infringes the GDPR. In addition, Touchtech is to immediately inform the Customer of any changes affecting Touchtech’s obligations pursuant to this DPA.

Security

Touchtech shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Touchtech may amend its technical and organisational measures.

Touchtech shall notify the Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that Touchtech has committed any wrongful act or omission, or that Touchtech shall become liable for the personal data breach.

If the Customer during the term of this DPA requires that Touchtech takes additional security measures, Touchtech shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.

Sub-processors and Transfers to Third Countries

The Customer hereby grants Touchtech a general authorisation to engage sub-processors. Sub-processors used at the date of the Agreement are listed in the list of sub-contractors in Appendix 1B. Touchtech shall enter into a data processing agreement with each sub-processor, according to which the same data protection obligations as set out in this DPA are imposed upon the sub-processor.

Touchtech is liable towards the Customer for a sub-processor’s performance of its obligations in relation to the Customer.

Touchtech shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after Touchtech has informed Customer about the intended changes. If the Customer objects to Touchtech engaging a sub-processor and the Parties cannot agree, within reasonable time, on the new sub-processor’s engagement in the processing of personal data, Touchtech can terminate the Agreement.

If Touchtech and/or sub-processors transfer personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. Touchtech shall keep the Customer informed about the legal grounds for the transfer.

Compensation and Limitation of Liability

Each party shall be responsible for any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.

Each party’s liability under this DPA shall be governed by the limitation of liability as set out in the Terms.

Term and Termination

This DPA becomes effective when the Agreement has been entered into.

Upon termination of the Agreement, Touchtech shall at the choice of Customer, delete all the personal data or return it to Customer, and ensure that each sub-processor does the same.

This DPA remains in force as long as Touchtech processes personal data on behalf of Customer, including deletion or returning of personal data according to the section above. This DPA shall thereafter cease to apply. The section above and the section on Compensation and Limitation of Liability shall continue to apply even after this DPA has been terminated.

Changes

If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processing agreement, the Parties shall change this DPA to meet the requirements.

Any changes to this DPA other than those following from the section above, or changes in Customer’s documented instructions, shall be made in accordance with what is stated in the Terms in order to be binding.

Miscellaneous

In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.

This DPA supersedes and replaces all data processing agreements between the Parties potentially existing prior to this DPA.


APPENDIX 1A
INSTRUCTIONS ON PROCESSING OF PERSONAL DATA

Purposes
Touchtech processes personal data in order to fulfil the Agreement. This means that Touchtech processes personal data for the following purposes:

  • To store and display model photos to be used for product marketing purposes

  • To transfer for example orders, baskets or favorites to third-party systems that the Platform interacts with to complete the sales workflow.

  • To store customer relation and sales lists on behalf of the Customer

Categories of data subjects

The following categories of data subjects may occur in the processing of personal data that is regulated in this DPA:

Employees of the Customer
Contact information that could include, but is not limited to, first and last name, email, address, country

Partner of a Customer
Contact information that could include, but is not limited to, first and last name, email, address, country

Models
Media (images/videos) with model photos

Categories of personal data

The following categories of personal data may occur in the processing of personal data that is regulated in this DPA:

Regarding employees and partners of the Customer

  • Contact information that could include, but is not limited to, first and last name, email, address, country

Regarding models

  • Media (images/videos) featuring models that might be licensed by the Customer

Retention time

  • Personal data related to a user in the platform (employee of the customer or partner) will be retained for as long as the Customer uses the Platform, where the Customer can administrate such data.

  • Logs related to technical issues can be kept up to 60 days.

  • Emails in (external) email services are automatically removed after 60 days.

Processing operations

  • Storing data.

  • Transferring data to, and synchronizing data with, third-party services.

Information security measures

Access control

  • Only Touchtech’s employees and registered users (employees of the customer or partners) can access data related to other users.

  • Media featuring models can be accessed by anyone under certain circumstances (sendouts => guest).

Back-up

  • Daily backups of personal data are kept for disaster recovery purposes and are stored in data centres provided by our hosting providers in Frankfurt and Belgium.

Authorisation and permissions

  • Access to the platform is only possible through security protocols following state-of-the-art industry guidelines (OAuth 2.0).

  • Touchtech’s employees have access to this data for maintenance and debugging purposes in order to resolve technical issues. There are processes in place to remove an employee’s access privileges when that is needed.

  • Employees of the customer with certain roles (administrators) in the platform may have access to personal data of other employees or partners within the same brand. Revoking these access privileges is handled by the customer.

  • Changes in user roles and permissions within the platform are logged.

  • Access to media featuring models is possible for any registered user in the platform that is a member of that customer. Removal of said media is handled by the Employees of the customer.

Encryption of data communication

  • All communication over public networks is protected by TLS.

Place for storing of personal data; Service and repairs of units where personal data is stored

  • All data (and their respective backups) are stored in data centres provided by our hosting providers in Frankfurt and Belgium, and in some cases in the US.

Firewalls, separation of environments and antivirus protection

  • Firewalls: we rely on our hosting providers.

  • Separation of environments: Databases where the mentioned personal data are stored are siloed. Customer A (including its users) cannot access data from Customer B.

  • Antivirus protection: we rely on our hosting providers.

APPENDIX 1B – SUB-PROCESSORS

The following Sub-processors are contracted by Touchtech in order to perform parts of the processing operations as of the date of the Parties’ signature of this DPA.

Company name
Elastic

Geographical location
Belgium and Frankfurt

Task in the services
Logging

Mechanism for transfer to third country
No

Comments
Storing logs related to errors/technical issues

————
Company name
SendGrid

Geographical location
US

Task in the services
Email

Mechanism for transfer to third country
N/A

Comments
Recipient personal data are kept for about 37 days. Backups of that data are kept for up to a year.

Only if the user is located in a third country.

————
Company name
MongoDB Cloud

Geographical location
Belgium and Frankfurt

Task in the services
Storing data

Mechanism for transfer to third country
N/A

————
Company name
Google Cloud

Geographical location
Belgium and Frankfurt

Task in the services
Processing data

Mechanism for transfer to third country
N/A

Comments
Processing all the data

————
Company name
Google Cloud (bucket)

Geographical location
Belgium and Frankfurt

Task in the services
Storing media

Mechanism for transfer to third country
N/A

Comments
Storing media featuring models

————
Company name
Google Cloud (SQL)

Geographical location
Frankfurt

Task in the services
Storing user data

Mechanism for transfer to third country
N/A

Comments
Storing user data

————
Company name
Cloudflare

Geographical location
Global

Task in the services
Storing/Processing user data

Mechanism for transfer to third country
Standard Contractual Clauses

Comments
IP addresses, traffic routing data, system configuration information, and other information about traffic to and from Customers’ websites, devices, applications, and/or networks. For website functionality purposes.