Jimdo Data Processing Agreement for Affiliates (DPA)

Preamble

Jimdo GmbH, Stresemannstrasse 375, 22761 Hamburg, Germany (hereinafter referred to as "Jimdo") and the legal entity that accepts this agreement (hereinafter referred to as the "Affiliate" or the "Partner") have entered into an Affiliate Partner Program Agreement (vis a vis the Jimdo Affiliate Partner Program Terms and Conditions of Participation by the Partner and the subsequent acceptance of their request to join the Jimdo Affiliate Partner Program by Jimdo), via which the Partner has joined the Jimdo Affiliate Partner Program. Both Parties to this Data Processing Agreement may collectively be referred to as the "Parties" and individually as the "Party".

This Data Processing Agreement (“DPA” or otherwise referred to as the “Agreement”) is concluded between the aforementioned parties and applies in addition to the Jimdo Affiliate Partner Program Terms and Conditions of Participation.

The Affiliate is aware that Jimdo offers its affiliate services to a variety of affiliates. The possibility for the Partner to issue supplementary instructions in the form of an individualized Data Processing Agreement that affects or impairs Jimdo's affiliate services and service offering to other Partners or Users is therefore limited by this Agreement. It would not be possible for Jimdo to operate the Jimdo Affiliate Partner Program if it had to take into consideration a large number of individual instructions from each individual Partner.

1. Scope

1.1 In this DPA, the following terms have the meanings set out below:

  • GDPR is the General Data Protection Regulation 2016/679 of the European Union (GDPR).
  • Data Protection Regulations refers to all applicable data protection and other provisions and laws applicable to data processing for EU citizens within the framework of this Agreement, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”) (as applicable) and the Privacy and Electronic Communications Directive 2002/58/EC.
  • Subprocessor is any legal person (except the employees of the Parties to this Agreement) who has been commissioned by or on behalf of either party to process personal information on behalf of that party or otherwise in connection with the Jimdo Affiliate Partner Program.

1.2 Insofar as the term "Data Processing" or "Processing" (of data) is used in this Agreement, it is to be understood within the meaning of “Processing” as defined in Art. 4 (2) GDPR.

1.3 The terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Profiles" have the meaning as assigned to them in the GDPR.

1.4 The provisions of the Jimdo Affiliate Partner Program Terms and Conditions will remain in full force and effect unless otherwise specified.

1.5 In the case of deviations between the stipulations of this DPA and the Terms of the Jimdo Affiliate Partner Program (regarding the Processing of data), this DPA takes precedence.

1.6 This DPA only applies in relation to the Processing of Personal Data by the parties within the framework of the Jimdo Affiliate Partner Program.

2. Duties and Rights of the Parties

2.1 The Partner and Jimdo agree to fulfill their respective obligations in accordance with all applicable data protection regulations. Each party shall cooperate reasonably with the other party in order to enable it to comply in particular with Point 2 of this Agreement.

2.2 In accordance with the general regulations on data protection, the Partner is required to obtain from their site Visitors a prior, voluntary, specific, informed, unequivocal and revocable consent to the use of the cookies, which will be assigned by Jimdo to the site Visitor as a result of a click.

2.3 The Partner will not provide any personal information to Jimdo except as anticipated by Jimdo as part of its normal operation of the Jimdo Affiliate Partner Program.

2.4 As regards Processing within the framework of the Jimdo Affiliate Partner Program, for which the Partner and Jimdo are jointly responsible, the following obligations apply:

Transparency

2.4.1 The Partner shall take appropriate measures to provide information to Data Subjects as to how Personal Data is processed by or on behalf of the Partner (e.g. via their privacy or cookie policy). This includes at least all information required by Articles 13, 14, and 26 of the GDPR. The Partner will provide this information in a clear, transparent, understandable and easily accessible form, in clear and simple language (Partner note on Processing).

2.4.2 Jimdo takes appropriate measures to provide information to affected Data Subjects as to how personal information is processed by Jimdo in the Jimdo Privacy Policy. This includes at least all information required by Articles 13, 14, and 26 of the GDPR. Jimdo provides this information in a clear, simple, transparent, understandable and easily accessible form, as well as in clear and simple language.

2.4.3 The Partner must include in their Partner note on Processing a hyperlink to the current Jimdo Privacy Policy.

Personnel

2.4.4 Each party will take all reasonable steps to ensure the reliability of all employees, agents and contractors who may have access to Personal Data. In any case, they will ensure that the access:

  • is restricted to those persons who know and/or need to know the relevant Personal Data within the framework of their employment, and
  • is strictly necessary for the purposes of the main Agreement and the observance of the applicable law within the duties of those persons.

2.4.5 Each party shall ensure that all persons referred to in Section 2.4.4 are subject to confidentiality and/or professional or legal confidentiality obligations.

The Security and Confidentiality of Data

2.4.6 Each Party implements appropriate technical and organizational measures with regard to the Personal Data being processed in order to ensure an adequate level of protection. This includes, as applicable, the measures listed in Article 32(1) of the GDPR. The parties will thereby take into account the following points:

  • the latest technology, implementation costs and the nature, scope, circumstances and purposes of the Processing, and
  • the varying probability of occurrence and severity of the risk for the rights and freedoms of natural persons.

2.4.7 In assessing the appropriate level of protection, the parties shall take particular account of the risks associated with Processing. This includes, among other things, the destruction, loss or alteration, whether inadvertent or unlawful, or the unauthorized disclosure from unauthorized access to Personal Data that has been transmitted, saved or otherwise processed.

Sub-Processing

2.4.8 With regard to an intended Processing by a Subprocessor, the parties have the following obligations:

a.) Before the Subprocessor processes the Personal Data for the first time, the parties must take due care to ensure that the Subprocessor is able to ensure the protection of Personal Data required by the Data Protection Regulations.

b.) The Parties will ensure that Processing with any Subprocessor is regulated by a written agreement between the Party and the Subprocessor, incorporating the conditions set out in Article 28 (3) of the GDPR.

c.) Each Party must carefully select the Subprocessor and verify, prior to commissioning, that they can comply with the agreements reached between the Parties to this Agreement. In particular, the parties must check in advance and regularly during the term of the agreement that the Subprocessor has implemented the necessary technical and organizational measures for the protection of Personal Data required by Art. 32 GDPR. The result of the inspection is to be documented by the responsible Party and must be transmitted to the other Party without undue delay, upon request.

Rights of the Data Subjects

2.4.9 Each party fulfills their obligations to respond to requests and to the exercise of the rights of Data Subjects in accordance with the Data Protection Regulations. Each party shall reasonably cooperate with the other party to enable it to comply with this point.

Personal Data Breaches

2.4.10 Each Party:

a.) must notify (“Notification”) the other party without delay, in writing (fax / e-mail) at the latest within 48 hours after becoming aware of a Personal Data breach ("Data Breach") that involves data processed, collected, saved, transferred etc. within the framework of the Jimdo Affiliate Partner Program, and

b.) must provide the other party with sufficient information to fulfill its obligations to notify or inform the Data Subjects (and/or the supervisory authority) about the Data Breach in the context of, or in connection with the Data Protection Regulations, and

c.) must consult with the other party with regard to the external communication and PR strategy in connection with the Data Breach, and

d.) will not, subject to compliance with applicable laws, inform a Data Protection Authority of any Data Breach without prior written consent from the other Party, and

e.) will not issue a press release or speak to a press officer regarding the Data Breach without prior written permission from the other Party.

f.) will inform the other Party without delay if a supervisory authority acts pursuant to Art. 58 GDPR against a Party and this could also involve an investigation of the Personal Data being jointly processed by the parties within the framework of the Jimdo Affiliate Partner Program.

2.4.11 The notification referred to in point 2.4.10 (a) must meet at least the following conditions:

a.) It will specify the nature of the violation of the Data Breach (where possible indicating the categories of data affected), the type and the number of Data Subjects involved, and the types and number of Personal Data records affected.

b.) It must describe the potential consequences of the Data Breach.

c.) It shall describe the measures taken or proposed or planned to address the Data Breach and, where appropriate, measures to mitigate the possible adverse effects.

2.4.12 The Partner must cooperate with Jimdo and take the appropriate action required by Jimdo to assist in investigating, mitigating, and remedying any such Personal Data Breach.

The Transfer of Data

2.4.13 Neither party may transfer Personal Information to countries outside the EU in violation of the Data Protection Regulations.

2.5 The Partner warrants and undertakes, during the term of their participation in the Jimdo Affiliate Partner Program, to assure that:

  • the Processing within the framework of the Jimdo Affiliate Partner Program Terms and Conditions, that is conducted by Jimdo as a Controller, including the Processing of Personal Data relating to the Partner and all Authorized Users, complies with the Data Protection Regulations;
  • they have all the rights or consent necessary for the transfer of Personal Data outside the EU by Jimdo.

Supervision Rights and Duties

2.6 To the extent that Jimdo acts as the Controller and the Partner is the Processor (or, as applicable, Jimdo is the Processor and the Partner is the Processor), the Partner will:

a.) process the Personal Data only in accordance with documented instructions from Jimdo, including with regard to the deletion or return of Personal Data.

b.) To the extent that the Partner has received written notice at least 30 days in advance that Jimdo or its auditors or advisors will visit the Partner's business premises during normal business hours to inspect the Partner's systems and records, which (as Jimdo determines) are required to demonstrate that the Partner complies with Section 2 of this Agreement, the Partner shall grant Jimdo access to the relevant Personal Data and Systems. Each Party will ensure that such inspections are performed only to the extent necessary so as not to disproportionately disrupt the operations of the other Party. The cost of an inspection is always limited to one day per calendar year for the respective Party. Each Party shall be required to keep the internal confidential information of the other Party, in particular details of their technical and organizational measures, which it has learned in the context of or on occasion of such an inspection, in a strictly confidential manner, not to disclose it to third parties or to make it available to third parties, where such sharing does not fall within the purpose of the contractual relationship between the parties.

c.) will fulfill in particular Points 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, and 2.4.13 of this Agreement.

d.) In order for the Parties to exercise these rights and duties before and during the contractual relationship as appropriate, one Party may, upon request, send the report of its data protection officer on the technical and organizational measures taken in the data centers used by the Party, to the other Party. The report will be updated at least every 24 months.

2.7 The Partner will not use reports generated by the use of the external Affiliate Platform provided by Jimdo in order to create visitor Profiles.

3. Confidentiality Obligations

3.1 Both Parties undertake to keep all information obtained in connection with the execution of this Agreement confidential for an indefinite period of time and to use it only in order to implement the terms of the Agreement.

3.2 The above obligation does not apply to information that has been demonstrably obtained by one of the Parties from third parties, without being required to maintain secrecy, or information that is publicly known.

4. Limitation of Liability

4.1 Each Party is liable for any breach of the privacy practices for which it is responsible and, accordingly, the Parties are not jointly and severally liable.

4.2 The Parties shall promptly inform each other if any party identifies errors or irregularities in connection with the Processing of Personal Data by the other Party.

5. Applicable Law and Jurisdiction

5.1 The applicable law and jurisdiction of this DPA is that of the Jimdo Affiliate Partner Program Terms and Conditions of Participation.

6. Duration of the Contract

6.1 This Agreement begins with the acceptance of the Affiliate Application by Jimdo (Section 2.3 of the Jimdo Affiliate Partner Program Terms and Conditions of Participation) and will continue for the duration of the principal Agreement between the parties, i.e. for the duration of participation in the Jimdo Affiliate Partner Program. It can be terminated with five days' notice at the end of the respective term. Upon termination of participation in the Jimdo Affiliate Partner Program, this Data Processing Agreement terminates automatically on the same date.

7. Concluding Provisions

7.1 For all ancillary agreements the written form is required.

7.2 Should individual parts of this DPA be ineffective, this does not affect the validity of the remaining provisions of the agreement.

7.3 In the event of any deviations resulting from the translation, the formulation set forth in the German version shall prevail.

Valid as of: 16.01.2019