Data Processing Agreement


This Data Processing Agreement (the “DPA”) is issued pursuant to the services agreement (the “Agreement”) entered into between MPL Brands NV, Inc (the “Company”) and the applicable service provider, contractor or other third party (the “Service Provider”). Company is entering into this DPA in the capacity of a Controller, and Service Provider is entering into this DPA in the capacity of a Processor. 

    1. Definitions. The following definitions and rules of interpretation apply in this DPA:
      1. Collect means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes receiving information from Company or from the Consumer, either actively or passively, or by observing the Consumer’s behavior.
      2. Consumer means an individual who is a Colorado, Utah, or Virginia resident acting only in an individual or household context; or a Connecticut resident not acting in a commercial or employment context; or a California resident.
      3. Contracted Business Purpose means the services provided to Company described in the Agreement for which Service Provider Processes Personal Information.
      4. CPA means the Colorado Privacy Act (Colorado Revised Statutes §§ 6-1-1301 – 6-1-1313), as amended from time to time and all other Colorado data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
      5. CPOMA means the Connecticut Act Concerning Personal Information and Online Monitoring (Public Act 22-15), as amended from time to time, and all other Connecticut data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
      6. CPRA means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199), as amended from time to time, including the California Privacy Rights Act of 2020, and all other California data protection laws (including without limitation the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199.95) and the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102)), any regulations, and regulatory guidance, as may be amended or replaced from time to time.
      7. Cross-context Behavioral Advertising means the targeting of advertising to a Consumer based on the Consumer’s Personal Information obtained from the Consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the Consumer intentionally interacts.
      8. Data Protection Assessment means a data protection assessment as defined in Section 6-1-1309 of the Colorado Revised Statutes, Section 59.1-576 of the Code of Virginia, and Section 8 of the CPOMA, or a risk assessment as outlined in Cal. Civ. Code § 1798.185(a)(15)(B).
      9. Data Protection Law means all applicable privacy and data protection laws, including the CPOMA, CPRA, CPA, UCPA, and VCDPA, and all other data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time. 
      10. Data Subject means an individual to whom the Personal Information relates.
      11. Identified or identifiable natural person means a person who can be readily identified, directly or indirectly.
      12. Personal Information means information that is linked or reasonably linkable to an identified or identifiable individual Consumer. Personal Information includes, for example, name, contact information, identification number, location data, online identifier, IP address, social security number, as well as any other data or information, as defined in Data Protection Law, including those categories and examples listed on Appendix A attached hereto.
      13. Processing means any operation or set of operations performed, whether by manual or automated means, on Personal Information or on sets of Personal Information, such as the Collection, use, Sale, storage, retention, disclosure, analysis, deletion, or modification of Personal Information and includes the actions of a controller directing a Processor to process Personal Information.
      14. Processor means an individual who, or legal entity that, processes Personal Information on behalf of a controller.
      15. Sell means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information to a third party for monetary or other valuable consideration.
      16. Share means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, as defined in Data Protection Law.
      17. Supervisory Authority means (1) the attorney general and district attorneys of Colorado responsible for monitoring the application of the CPA and protecting and enforcing data privacy rights; (2) the California Privacy Protection Agency and the Attorney General of California, who implement and enforce the CPRA; (3) the Attorney General of the Commonwealth of Virginia, who is responsible for monitoring the application of the VCDPA and protecting and enforcing data privacy rights; (4) the Attorney General of Connecticut; and (5) the director of the Utah Department of Commerce’s Division of Consumer Protection and the Attorney General of the State of Utah, who are responsible for monitoring the application of the UCPA and protecting and enforcing data privacy rights.
      18. UCPA means the Utah Consumer Privacy Act (Utah Code §§ 13-61-101 – 13-61-404), as amended from time to time and all other Utah data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
      19. VCDPA means the Virginia Consumer Data Protection Act (Code of Virginia §§ 59.1-571 – 59.1-581), as amended from time to time and all other Virginia data protection laws, regulations, and regulatory guidance, as may be amended or replaced from time to time.
    2. Service Provider’s Data Protection Law Obligations
      1. Service Provider will not retain, use or disclose Personal Information Processed on Company’s behalf outside of the direct business relationship between Company and Service Provider, including without limitation for Service Provider’s own purposes (commercial or otherwise) or any other purpose other than the Contracted Business Purpose specified in the Agreement, and Service Provider will Process all Personal Information in compliance with Data Protection Law.
      2. Service Provider will not Sell or Share Personal Information except as instructed by Company.  
      3. If a law requires the Service Provider to disclose Personal Information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Company of the legal requirement and give the Company an opportunity to object or challenge the requirement, unless the law prohibits such notice.
      4. Service Provider will limit Personal Information Processing to activities reasonably necessary and proportionate to achieve the Contracted Business Purpose.
      5. Service Provider must promptly comply with any Company request or instruction requiring the Service Provider to provide, amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized Processing.
      6. Service Provider may not aggregate, deidentify, or anonymize Personal Information other than as required for the Contracted Business Purpose, and in any event, may not use such aggregated, deidentified, or anonymized data for its own research and development purposes or any other purpose. Service Provider will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data. Except as required to perform the Contracted Business Purpose, Service Provider may not combine Personal Information it Processes on Company’s behalf with Personal Information it receives from or on behalf of another person or persons or that it collects from its own interaction with the Consumer.
      7. If the Contracted Business Purpose requires the collection of Personal Information on the Company’s behalf, Service Provider will always provide a Data Protection Law-compliant notice at collection.
      8. Service Provider agrees to immediately notify Company in writing if it decides it can no longer meet its obligations herein and/or under Data Protection Law.
      9. Service Provider must regularly, and at least once per year, train its Employees on proper procedures for Processing Personal Information pursuant to the Agreement, this DPA, and Data Protection Law. For purposes of this section, Employees are Service Provider’s staff members, directors, officers, employees, temporary employees, interns, consultants, and contractors.
      10. Any Processing outside of the parameters contained herein will be deemed a material breach of this DPA and the Agreement.
    3. Assistance with Company’s Data Protection Law Obligations
      1. Service Provider will reasonably cooperate and assist Company with meeting the Company’s Data Protection Law compliance obligations, including assisting Company in performing any Data Protection Assessments necessary for Company to comply with Data Protection Law.
      2. Service Provider will assist Company with responding to Data Protection Law-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider. 
      3. Service Provider must notify Company immediately if it receives any complaint, notice, or communication from a Data Subject that directly or indirectly relates to either party’s compliance with the Data Protection Law. Specifically, the Service Provider must notify the Company within three (3) working days if it receives a Consumer request under Data Protection Law with regard to Personal Information that Service Provider Processes under the Agreement and this DPA, including a request to correct, delete or block Personal Information, and must comply with any such requests. Service Provider must also notify its own service providers or contractors to correct, delete or block the Personal Information.
    4. Subcontracting
      1. Service Provider may use a subcontractor to provide the Contracted Business Services or otherwise Process the Personal Information only with Company’s prior written consent. Any subcontractor used must qualify as a contractor or service provider under the Data Protection Law, and Service Provider must enter into a written agreement with all subcontractors containing all obligations, restrictions and requirements contained herein and as otherwise required by Data Protection Law. Additionally, Service Provider acknowledges and agrees that it cannot make any disclosures to the subcontractor that Data Protection Law would treat as a sale.
      2. For each subcontractor used, Service Provider will give Company an up-to-date list disclosing:
        1. The subcontractor’s name, address, and contact information.
        2. The type of services provided by the subcontractor.
        3. The personal information categories disclosed to the subcontractor in the preceding 12 months.
      3. Service Provider remains fully liable to the Company for the subcontractor’s performance of its obligations hereunder and under the Agreement.
      4. Upon the Company’s written request, Service Provider will audit a subcontractor’s compliance with its Personal Information obligations and provide the Company with the audit results.
    5. Confidentiality & Return of Company Information. Service Provider must keep Personal Information, and all information relating to its Processing, in strict confidence. Service Provider must ensure that all personnel authorized to Process Personal Information are subject to a contractual or statutory obligation of confidentiality. Service Provider must not disclose Personal Information to any third party, unless Service Provider obtains the prior written authorization of Company, or as otherwise provided in this DPA.
    6. Right to Monitor and Audit. 
      1. Company shall be permitted to audit and monitor the Service Provider’s compliance with the terms of this DPA and Data Protection Law through any reasonable measures, including but not limited to ongoing manual reviews and automated scans and regular assessments, audits or other technical and operational testing at least once every 12 months. Service Provider must allow Company to conduct supervision of the Personal Information Processing by Service Provider, and must make available to Company all information in its possession necessary to demonstrate Service Provider’s compliance with Data Protection Law and this DPA.
      2. Upon a written request from Company, at reasonable intervals, but no more than once per calendar year, Service Provider must make available to Company a copy of all third-party certifications and audits that relate to its compliance with this DPA or with Data Protection Law, redacting any commercially sensitive information.
        1. If such documentation provided by Service Provider clearly fails to demonstrate Service Provider’s compliance with this DPA or Data Protection Law, Company may make a written request for additional information from Partner relating to Service Provider’s compliance with the provisions that Company expressly identifies as the object of its concern.
        2. If the information described in subparagraph (i) above provided by Service Provider does not reasonably address Company’s concern(s), Company may request an audit of Service Provider’s procedures related to the protection of Personal Information. Company will give at least thirty days’ notice before conducting such an audit. The audit will be conducted during Service Provider’s business hours and will not be disruptive to Service Provider’s operations. 
        3. Service Provider agrees to permit and reasonably contribute to such an audit described in subparagraph (ii) above, while complying with its confidentiality obligations. 
      3. With Company’s consent, in lieu of an audit overseen by Company as described in subsection 8(b) above, Service Provider may arrange for a qualified and independent auditor to conduct, at least annually and at the Service Provider’s expense, an audit of the Service Provider’s policies and technical and organizational measures in support of Service Provider’s obligations under Data Protection Law using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. Service Provider must provide a report of the audit to the Company upon request.
      4. Service Provider must allow and contribute to any audits by the Supervisory Authority.
      5. Service Provider hereby grants Company the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information and to ensure that Service Provider uses Personal Information collected, transferred and/or processed in a manner consistent with Company’s obligations under this DPA and Data Protection Law. 
    7. Security
      1. Service Provider must take the necessary measures to safeguard the security of Personal Information as required by Data Protection Law and this DPA. At a minimum, Service Provider agrees to implement commercially appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by Processing, and secure its systems from unauthorized access, use, alteration or disclosure. Criteria to take into consideration include the methods, scope, and purposes of Processing, and the risk of harm to the rights and interests of Data Subjects. This includes implementing appropriate technical, physical and organizational security measures to protect any and all Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other forms of unlawful Processing, including, but not limited to, unnecessary collection or further Processing.
      2. Service Provider must, taking into account the nature of Processing and the information available to Service Provider, assist Company in meeting Company’s obligations in relation to the security of Processing the Personal Information pursuant to the Agreement and this DPA, and in meeting Company’s obligations regarding Personal Information breach notifications.
      3. Service Provider must notify Company without undue delay, and in any event no later than 48 hours, after becoming aware of a Personal Information breach involving Personal Information Processed by Service Provider on behalf of Company. Service Provider will take immediate action to adopt remedial measures once a Personal Information breach is discovered.
      4. Service Provider must refrain from making any communication to a third party, or to the public, regarding a potential or confirmed Personal Information breach involving Personal Information processed by Service Provider pursuant to the Agreement or this DPA without the prior written authorization of Company, unless otherwise required by applicable law, in which case Service Provider will notify Company of such communication before it is made.
    8. Data Retention
      1. Company may, at any time, request Service Provider to delete Personal Information and Service Provider must comply with such request immediately. 
      2. Service Provider will only keep Personal Information for the shortest period necessary to realize the Contracted Business Purpose, and in any event not beyond the term of this DPA, unless retention of the Personal Information is required by law, in which case Service Provider must notify Company of such retention and delete or return the Personal Information to Company, at the Company’s choice, as soon as permitted under applicable law. 
      3. Notwithstanding anything to the contrary in the Agreement or this DPA, upon termination or expiration of the Agreement or this DPA, or at any time specified by Company, Service Provider must return all Personal Information to Company, or delete it, at the Company’s choice and in accordance with Company’s instructions, including without limitation purging its database of all Personal Information. For the avoidance of doubt, all Personal Information will be deemed to be the Confidential Information of Company. Service Provider agrees to execute and deliver (and have executed and delivered by its employees and agents) at a future date, without any compensation, any and all documents that Company reasonably determines may be necessary or desirable to demonstrate Service Provider’s compliance with this Section.
    9. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
    10. Term. The term of this DPA is the same as that of the Agreement.
    11. Notices. Service Provider must make all notifications, including security-related notifications, required under this DPA at least to Company’s privacy team via email to privacy@patcobrands.com.
    12. Modification. This DPA may only be modified by a written amendment signed by all Parties.
    13. CPRA Warranties and Certification
      1. Service Provider will comply with all applicable requirements of Data Protection Law when Processing Personal Information.
      2. Service Provider certifies that it understands this DPA and Data Protection Law restrictions and prohibitions on Selling Personal Information and Processing Personal Information outside of the parties’ direct business relationship, and it will comply with them.
      3. Service Provider warrants that it has no reason to believe any Data Protection Law requirements or restrictions prevent it from providing any of the Contracted Business Purpose or otherwise performing under the Agreement or this DPA. Service Provider must promptly notify the Company of any changes to the Data Protection Law requirements that may adversely affect its performance under the Agreement or this DPA.
Appendix A

Personal Information Category: Examples

Identifiers: First and last name, address, email address, telephone number, date of birth, social security number, driver license number, passport number, IP address, and/or other government identification numbers, immigration and work authorization status, signature, and username and/or account name.

Personal information categories protected under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): First and last name, address, email address, telephone number, date of birth, social security number, driver license number, passport number, and/or other government identification numbers, immigration and work authorization status, signature, and username and/or account name. Financial information such as banking information for direct deposit, debit card number, credit card number, tax selections, pay rate, and payroll deduction information. Benefit selection and related information such as benefit selection, social security number or other government identification number, date of birth, health insurance information, policy number, and selections.

Protected classification characteristics under California or federal law: Age, race, color, national origin, citizenship, marital status, physical or mental disability, sex (including gender, gender identity, gender expression), and veteran or military status.

Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Biometric information: Fingerprint mapping, facial recognition, and retina scans.

Internet or other similar network activity: Browsing history, search history, information on a consumer’s interaction with a website, program, or advertisements.

Geolocation data: Information that can be used to identify an electronic device’s physical location or movements.

Sensory data: Audio, electronic, visual, thermal, olfactory, or similar information.

Professional or employment-related information: Current or past employment history, employee status and title, job evaluations, employment status, job assignments, hours worked, training and development information, performance evaluation information, disciplinary and counseling information, background check information, drug test results, driving records, and termination information.

Non-public education information: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

Inferences drawn from other personal information: Inferences based on information about an individual to create a summary about, for example, an individual’s preferences and characteristics.

Other Personal Information Description:
  • Profile reflecting a person’s preferences, characteristics, predispositions, attitudes, and abilities such as health conditions, if relevant to employment, job restrictions, workplace accident and illness information, and health insurance policy information.
  • Beneficiary information of your beneficiaries, such as name and contact information, relationship to you, birth date, social security or other government identification number, and any other information necessary to process any benefits claims.
  • Emergency contact information of person(s)

Sensitive Personal Information Category: Examples

Government identifiers: Social security, driver’s license, state identification card, or passport number.

Complete account access credentials: User names, account numbers, or card numbers combined with required access/security code or password.

Precise geolocation: Any data that is derived from a device, and that is used or intended to be used to locate an individual within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.

Racial or ethnic origin: American Indian or Alaska Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, and White; Hispanic or Latino.

Religious or philosophical beliefs: Catholic, Jewish, Buddhist.

Mail, email, or text message contents not directed to Company: E-mail inbox processing.

Unique identifying biometric information: Processing of biometric information for the purpose of uniquely identifying a consumer.

Health, sex life, or sexual orientation information: Health conditions, information regarding marital status or domestic partner.