Data Processing Agreement - Users
Last Updated: April 20, 2020
In order to provide the Services to its Users, LeverIT processes data from clients or visitors to the User's site or services (in this document: "User Clients"). The processing of such data by Wix is hereinafter referred to as "Processing". The following Data Processing Agreement ("DPA") sets out the terms of such processing by LeverIT.
To the extent that the User's Customer Data is processed by LeverIT on behalf of the User, Users acknowledge and agree that LeverIT will process Personal Data as necessary to provide the Services under the DPA and that, by using the LeverIT Services, the User has instructed Wix to process such Personal Data on the User's behalf in accordance with this DPA.
For the purposes of this DPA, the following terms have the following meanings:
The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Processor", as used in this DPA, have the meanings given in the GDPR and as specified in the other regulations set out in Annex 2.
User Customer Data refers to the personal data of User Customers processed by Wix on behalf of Users.
Terms of processing of personal data by LeverIT:
1. LeverIT International shall:
1.1 Process the User's Customer Data for the provision of the Services to LeverIT Users and in accordance with the LeverIT Policies.
1.3 Implement adequate technical, organizational and security measures to protect the privacy and security of User Client Data.
2. Users must:
2.1 Collect, use and process personal data in accordance with the GDPR and each of the data protection laws and regulations that are set out in Annex 2.
2.2 Have sole responsibility for the accuracy, quality and legality of User Customer Data and the means by which it was obtained.
2.3 Ensure the appropriate level of security when using the LeverIT Services, taking into account any risks with respect to User Customer Data.
2.4 Any storage and / or transfer of the User's Customer Data by the User to any third party or platform other than LeverIT will be at the User's sole risk and responsibility.
3) Each User hereby grants LeverIT general authorization to involve sub-processors without obtaining any other specific written authorization from the User. If the User objects to any sub-processing by LeverIT, said User must immediately suspend their use of the Services. LeverIT will execute an agreement with each sub-processor to guarantee compliance by said sub-processor with the terms that guarantee at least the same level of protection and security as those established in this DPA.
4) By using any of the LeverIT Services, the User accepts the adequacy of the organizational, technical and security measures implemented by LeverIT to protect Personal Data. Some of those measures can be seen here.
5) If LeverIT learns of any breach of personal data, LeverIT, without undue delay, will notify the affected users, in accordance with applicable regulations. LeverIT will use reasonable efforts to include the following information in such notifications: details of the nature of such violation and the number of records affected, the category and estimated number of affected stakeholders, anticipated consequences, and any actual or proposed measures to be taken by LeverIT (or on its behalf) to mitigate the possible negative effects of such a breach.
Notification by LeverIT of a personal data breach shall not be considered an acknowledgment by LeverIT of any fault or liability with respect to such incident.
In case of breach of personal data, the user will be obliged to take the measures required by applicable laws in relation to their user customer data.
6) Upon reasonable written request, LeverIT shall:
6.1 Make available to the User certifications that demonstrate Wix's compliance with its obligations under this DPA and applicable law; and
6.2 Make available to the user the information necessary to demonstrate compliance with their obligations under this DPA and applicable law.
7) LeverIT will assist its Users, within reasonable hours, with appropriate measures and, as reasonably possible (considering the nature of the Processing), in complying with the rights of data subjects and all other relevant obligations under the data privacy regulations, including the GDPR and other applicable regulations set out in Annex 2 below.
8) The processing of the user's client data will be carried out within the territory of the European Union, Israel or a third country, territory or one or more specific sectors within that third country that the European Commission has decided guarantees an adequate level of protection, including but not limited to the US under the EU-US Privacy Shield (transfer based on an adequacy decision pursuant to Article 45.3 of EU Regulation 2016/679 and decisions taken on the basis of Article 25(6) of Directive 95/46/EC). Any transfer and processing in a third country outside the European Union that does not guarantee an adequate level of protection according to the European Commission.
9) This DPA will be in force in relation to each User, during the time that said User uses any of the LeverIT Services, provided that, in the event that LeverIT is obligated, in accordance with the terms of this DPA or the Policies of LeverIT, to maintain the Personal Data of a User Client after the termination of the Services, this DPA will continue in effect as long as Wix has such Personal Data.
10) Upon termination of the User's use of the Services, and unless LeverIT is required to retain such User Customer Data under LeverIT Policies, any applicable agreement or legislation, LeverIT, even upon written request of the User, will delete the User's Personal Data as soon as reasonably possible and in accordance with the LeverIT Policies and applicable laws.
11) LeverIT shall have the right to amend and / or adjust any of the terms of this DPA as necessary from time to time, to comply with applicable laws or regulations.
12) Any questions related to this DPA or requests from Users to exercise the Rights of Data Subjects as described in this document, in the GDPR or other applicable regulations, should be directed to the Data Protection Officer of LeverIT at solutionsti@leverit.com. LeverIT will attempt to resolve any complaints regarding the use of your User Customer Data in accordance with this DPA and the LeverIT Policies.
Annex 1 - Standard contractual clauses (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries that do not guarantee an adequate level of data protection.
The entity identified as "User" in the DPA (the "data exporter") and Wix.com Ltd 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel (the "data importer"), each a 'party'; together 'the parties'.
HAVE AGREED to the following contractual Clauses (the Clauses) in order to provide adequate guarantees with respect to the protection of privacy and the fundamental rights and freedoms of persons for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 - Definitions
A. 'personal data', 'special categories of data', 'process / processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council, of October 24, 1995, on the protection of individuals with regard to the processing of personal data and the free circulation of such data.
B. "data exporter": the controller who transfers the personal data.
C. "the data importer" means the processor who agrees to receive from the data exporter the personal data intended to be processed on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to the system of a third country that guarantees adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.
D. 'the sub-processor' means any processor hired by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or any other sub-processor of the data importer personal data intended exclusively for processing activities that will be carried out on behalf of the data exporter after the transfer in accordance with their instructions, the terms of the Clauses and the terms of the written subcontract.
E. 'the applicable data protection law' means the legislation that protects the fundamental rights and freedoms of individuals and, in particular, their right to privacy with regard to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established.
F. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or illegal destruction or accidental loss, alteration, disclosure or unauthorized access, in particular when the processing involves the transmission of data over a network, and against all other illegal forms of processing.
Clause 2 - Transfer details
The details of the transfer and, in particular, the special categories of personal data, where applicable, are specified in Appendix 1, which forms an integral part of the Clauses.
Clause 3: third party beneficiary clause
1) The interested party can enforce against the data exporter this Clause, Clause 4 (b) to (i), Clause 5 (a) to (e) and (g) to (j), Clause 6 (1) and (2), Clause 7, Clause 8 (2) and Clauses 9 to 12 as a third party beneficiary.
2) The interested party can enforce against the data importer this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12, in cases where the data exporter has in fact disappeared or no longer exists in law unless any successor entity has assumed all legal obligations of the data exporter by contract or by law, as a result of which it assumes the rights and obligations of the data exporter in which case the data subject may impose them against said entity.
3) The interested party may enforce against the sub-processor this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12, in cases where the data exporter and data importer has in fact disappeared or ceased to exist in law or has become insolvent, unless any successor entity has assumed all legal obligations of the data exporter by contract or for compliance with the law as a result of which it assumes the rights and obligations of the data exporter, in which case the interested party can enforce them against said entity. Such third party liability of the sub-processor will be limited to its own processing operations under the Clauses.
4) The parties do not object to an interested party being represented by an association or other body if the interested party expressly so wishes and if it is permitted by national legislation.
Clause 4 - Obligations of the data exporter
The data exporter accepts and guarantees:
A. that the processing, including the transfer itself, of personal data has been carried out and will continue in accordance with the relevant provisions of the applicable data protection law (and, where applicable, the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State.
B. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the transferred personal data only on behalf of the data exporter and in accordance with the applicable data protection law and the Clauses.
C. that the data importer will provide sufficient guarantees regarding the technical and organizational security measures specified in Appendix 2 of this contract.
D. that after evaluating the requirements of the applicable data protection law, security measures are appropriate to protect personal data against accidental or illegal destruction or accidental loss, alteration, disclosure or unauthorized access, in particular when the processing involves the transmission of data through a network, and against all other illegal forms of processing, and that these measures guarantee a level of security appropriate to the risks presented by the processing and the nature of the data to protect taking into account the state of the art and the cost of its implementation.
E. that it will guarantee compliance with security measures.
F. that, if the transfer involves special categories of data, the interested party has been informed or will be informed before, or as soon as possible after, the transfer that their data could be transmitted to a third country that does not provide adequate protection within the meaning of Directive 95/46/EC.
G. to forward any notification received from the data importer or any sub-processor in accordance with Clause 5 (b) and Clause 8 (3) to the data protection supervisory authority if the data exporter decides to continue the transfer or lift the suspension.
H. to make available to the interested parties, upon request, a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any sub-processing services contract that must be carried out in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it can delete such commercial information.
I. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor that provides at least the same level of protection for personal data and the rights of the data subject as the data importer under the Clauses.
J. that it will guarantee compliance with Clause 4 (a) to (i).
Clause 5 - Obligations of the data importer
The data importer accepts and guarantees:
A. to process personal data only on behalf of the data exporter and in accordance with its instructions and the Clauses; if it is unable to provide such compliance for any reason, it agrees to immediately inform the data exporter of its inability to comply, in which case the data exporter has the right to suspend the data transfer and / or terminate the contract.
B. that it has no reason to believe that the applicable law prevents it from complying with the instructions received from the data exporter and its obligations under the contract and that, in the event of a change in this law that is likely to have a material adverse effect on the guarantees and obligations provided by the Clauses, it will immediately notify the data exporter of the change as soon as it becomes aware of it, in which case the data exporter has the right to suspend the data transfer and / or terminate the contract;
C. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the transferred personal data.
D. that it will immediately notify the data exporter about:
i) any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
ii) any accidental or unauthorized access.
iii) any request received directly from data subjects without responding to that request, unless otherwise authorized to do so.
E. promptly and appropriately address all inquiries from the data exporter related to the processing of personal data subject to the transfer and comply with the advice of the supervisory authority regarding the processing of the transferred data.
F. at the request of the data exporter to submit its data processing facilities for the audit of the processing activities covered by the Clauses to be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications linked by a duty of confidentiality, selected by the data exporter, when appropriate, in agreement with the supervisory authority;
Mandatory requirements of the national legislation applicable to the data importer that do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, i.e., if they constitute a necessary measure to safeguard national security, defense, public security, prevention, investigation, detection and prosecution of crimes or violations of the ethics of regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements that do not go beyond what is necessary in a democratic society are, among others, internationally recognized sanctions.
G. make available to the interested party, upon request, a copy of the Clauses, or of any existing contract for sub-processing, unless the Clauses or the contract contain commercial information, in which case you can delete said commercial information, with the exception of Appendix 2, which will be replaced by a summary description of the security measures in those cases where the interested party cannot obtain a copy from the data exporter;
H. that, in the event of sub-processing, has previously informed the data exporter and obtained his prior written consent;
I. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
J. promptly send a copy of any sub-processor agreement concluded under the Clauses to the data exporter.
Clause 6 - Liability
1) The parties agree that any data subject who has suffered damage as a result of any breach of the obligations mentioned in Clause 3 or Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2) If a data subject is unable to make a claim for compensation in accordance with paragraph 1 against the data exporter, due to a breach by the data importer or its sub-processor of any of its obligations mentioned in Clause 3 or in Clause 11, because the data exporter has disappeared or has legally ceased to exist or has become insolvent, the data importer agrees that the data subject can file a claim against the data importer as if it were the data exporter, unless any successor entity has assumed all the legal obligations of the data exporter by contract or by compliance with the law, in which case the interested party can assert their rights against said entity. The data importer cannot rely on the failure of a sub-processor to fulfill its obligations to avoid its own liabilities.
3) If a data subject is unable to file a claim against the data exporter or data importer referred to in paragraphs 1 and 2, as a result of a violation by the sub-processor of any of its obligations mentioned in Clause 3 or in Clause 11 because both the data exporter and the data importer have disappeared or have legally ceased to exist or have become insolvent, the sub-processor agrees that the data subject can make a claim against the data sub-processor with respect to its own operations of processing under the Clauses as if they were the data exporter or data importer, unless any successor entity has assumed all legal obligations of the data exporter or data importer by contract or by law, in which case the data subject may assert its rights against such entity. The sub-processor's liability will be limited to its own processing operations under the Clauses.
Clause 7 - Mediation and jurisdiction
1) The data importer accepts that if the interested party invokes against him the rights of third party beneficiaries and / or claims compensation for damages under the Clauses, the data importer will accept the decision of the interested party to:
A. refer the dispute to mediation, by an independent person or, where appropriate, by the supervisory authority.
B. refer the dispute to the courts of the Member State in which the data exporter is established.
2) The parties agree that the choice made by the interested party will not prejudice their substantive or procedural rights to seek solutions in accordance with other provisions of national or international law.
Clause 8 - Cooperation with supervisory authorities
1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if requested or if such deposit is required by applicable data protection law.
2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer and any sub-processor, having the same scope and subject to the same conditions that would apply to an audit of the data exporter under the applicable data protection law.
3) The data importer shall promptly inform the data exporter of the existence of legislation applicable to him or to any sub-processor that prevents the performance of an audit of the data importer, or of any sub-processor, in accordance with paragraph 2. In such a case, the data exporter will have the right to take the measures provided for in Clause 5 (b).
Clause 9 - Applicable law
The clauses will be governed by the law of the Member State in which the data exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not prevent the parties from adding clauses on business-related matters when necessary, as long as they do not contradict the Clauses.
Clause 11 - Sub-processing
1) The data importer will not subcontract any of its processing operations carried out on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. When the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it will only do so by means of a written agreement with the sub-processor that imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. When the sub-processor does not comply with its data protection obligations under said written agreement, the data importer will remain fully responsible to the data exporter for the fulfillment of the sub-processor's obligations under said agreement.
2) The prior written contract between the data importer and the sub-processor will also stipulate a third party beneficiary clause, as established in Clause 3, for cases in which the interested party cannot present the compensation claim referred to in paragraph 1 of Clause 6 against the data exporter or data importer because they have in fact disappeared or ceased to exist in the law or have become insolvent and no successor entity has assumed all the legal obligations of the data exporter or importer by contract or by compliance with the law. Such third party liability of the sub-processor will be limited to its own processing operations under the Clauses.
3) The provisions relating to data protection aspects for the sub-processing of the contract referred to in paragraph 1 shall be governed by the legislation of the Member State in which the data exporter is established.
4) The data exporter shall maintain a list of the sub-processing agreements entered into pursuant to the Clauses and notified by the data importer in accordance with Clause 5 (j), which will be updated at least once a year. The list will be available to the data exporter's data protection supervisory authority.
Clause 12 - Obligation after termination of personal data processing services
1) The parties agree that upon completion of the provision of data processing services, the data importer and the sub-processor, at the choice of the data exporter, will return all transferred personal data and copies thereof to the data exporter or will destroy all personal data and certify to the data exporter that it has done so, unless the legislation imposed on the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer guarantees that it will ensure the confidentiality of the transferred personal data and will no longer actively process the transferred personal data.
2) The data importer and the sub-processor ensure that, at the request of the data exporter and / or the supervisory authority, they will present their data processing facilities for an audit of the measures mentioned in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This appendix is part of the clauses and must be completed and signed by the parties. Member States may complete or specify, in accordance with their national procedures, any additional information required to be included in this Appendix.
The data exporter is the entity identified as the "User" in the DPA.
The data importer is Wix.com Ltd., the provider of the services.
Data Subjects are defined as User Clients in the DPA.
Personal data are those defined in the DPA.
The personal data transferred will be subject to the following basic processing activities:
The purpose of the processing of personal data by the data importer is the performance of the Services in accordance with the Agreement.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4 (d) and 5 (c):
The technical and organizational security measures implemented by the data importer are described in: security-
Annex 2 - Applicable regulations
1.1 The definition of "Applicable Regulation" includes the California Consumer Privacy Act ("CCPA").
1.2 The definition of (i) "Personal Data" includes "Personal Information", (ii) "Data Subject" includes "Consumer", (iii) "Controller" includes "Company", (iv) "Processor" includes "Provider of services", as defined in CCPA.
1.3 Wix will process, retain, use and disclose personal data only as necessary to provide its Services, which constitutes a business purpose.
1.4 Wix agrees not to: (i) sell (as defined by the CCPA) User's Customer Data; (ii) retain, use or disclose the User's Customer Data for any business purpose (as defined by the CCPA) other than to provide the Services; or (iii) retain, use or disclose User Customer Data outside of the scope of Wix Policies.
1.5 Wix certifies that its sub-processors, as described in Section 3 of the Annex, are Service Providers under CCPA, with whom Wix has signed a written contract that includes terms that guarantee at least the same level of protection and security as those established in this DPA.