Scope and Applicability
GDPR Seller acts as a Data Controller with respect to Personal Data on a GDPR Seller’s Customers and its use of that data for communicating or transacting with those Customers. Similarly, YAPSODY acts as a Data Controller with respect to Personal Data on Users collected during a User’s engagement with YAPSODY and its use of that data for communicating or transacting with those Users. Both GDPR Seller and YAPSODY agree not to engage in, request or permit Data Processing in any manner that contravenes the GDPR.
The following shall apply only insofar as YAPSODY is acting as a Data Processor (as opposed to a Data Controller).
YAPSODY shall engage in Data Processing on behalf of GDPR Sellers only upon a GDPR Seller’s documented request or as otherwise required by law (in which case YAPSODY would first inform GDPR Seller of such legal requirements unless legally prohibited from doing so). However, if YAPSODY believes that a GDPR Seller’s request is a potential breach of the GDPR, YAPSODY shall notify the GDPR Seller thereof in writing, and GDPR Seller agrees that YAPSODY may, in its sole discretion, refuse to honor GDPR Seller’s request to the extent required to remain in compliance.
YAPSODY shall have Personal Data Security Measures in place to protect Personal Data. YAPSODY will ensure that its employees, contractors, agents, and Data Sub-processors are aware of and contractually bound to the legal obligations to maintain confidentiality of Personal Data and their responsibility to YAPSODY and GDPR Sellers for any breach of those obligations. In the event of a Personal Data Breach, YAPSODY shall promptly notify GDPR Sellers whose Customers were, or may have been, affected. In such cases, YAPSODY shall work with and assist GDPR Sellers in any manner reasonably required to enable such GDPR Sellers to satisfy their obligations as Data Controllers, which includes notifying relevant Customers of the Personal Data Breach.
In the event that a Customer submits a written request for his/her Personal Data to be deleted (which request must be authenticated before any action is taken), GDPR Seller hereby instructs and authorizes YAPSODY to delete the Personal Data or otherwise modify it to the extent required by law so that the Customer cannot be identified. Furthermore, GDPR Seller agrees to forward to YAPSODY any requests or complaints related to Personal Data received from Customers and regulatory agencies; and YAPSODY agrees to assist GDPR Seller in its response thereto. GDPR Seller acknowledges that YAPSODY may have no obligation to delete, block or modify any Personal Data for which YAPSODY acts as Data Controller.
YAPSODY shall make available to GDPR Sellers reasonable evidence of its compliance under GDPR by cooperating with requests for audits, provided that such audits are conducted on site, scheduled with reasonable advance notice, conducted in adherence to Personal Data Security Measures, limited in scope to the investigation of a specific suspected breach, and limited to once every 3 years; and also provided that other reasonable investigative means have been exhausted — all of the foregoing as reasonably determined by YAPSODY.
GDPR Seller hereby consents to YAPSODY’s use of Data Sub-processors. The list of Data Sub-processors, including notification of changes which will occur from time to time, can be found on the Data Sub-processor Webpage. It is GDPR Seller’s responsibility to regularly check and review the Data Sub-processor Webpage for such changes.
GDPR Sellers may raise objections to changes in Data Sub-processors by sending notices thereof to YAPSODY within 10 days of such changes being posted on the Data Sub-processor Webpage. YAPSODY will use commercially reasonable efforts to respond to a GDPR Seller’s objection within 30 days of receipt thereof provided that the objection includes sufficient detail and examples to support reasonable concerns that a change interferes with YAPSODY’s ability to comply with its obligations under the GDPR. Objection notices that do not meet this requirement shall be considered invalid.
If YAPSODY determines in its sole discretion that it cannot reasonably accommodate a GDPR Seller’s objection, then upon notice from YAPSODY, GDPR Seller’s sole and exclusive remedy shall be to terminate any agreements for the use of YAPSODY by refraining from further use of YAPSODY. Notwithstanding anything to the contrary, such termination shall not relieve GDPR Seller of any payment obligations to YAPSODY incurred prior to the termination.
All notices from GDPR Sellers to YAPSODY pursuant to this GDPR Addendum shall be sent via email to GDPR@yapsody.com