This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the Terms of Service between the Administrator and ElectionBuddy (the “Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the effective date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Administrator Personal Data carried out by or on behalf of the Administrator under the Agreement.
In this Addendum, the following words and expressions have the following meanings:
“Administrator Personal Data” means Personal Data Processed by ElectionBuddy as Processor on behalf of the Administrator pursuant to the performance of the Agreement.
“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and associated regulations.
“Business”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Service Provider”, and “Supervisory Authority” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings);
“Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy as applicable to the parties and/or to the Processing of Personal Data under the Agreement, including without limitation, the CCPA, the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Administrator Personal Data;
“Services” means the services provided by ElectionBuddy pursuant to the Agreement;
“Sell” means for the purposes of the CCPA, to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to a third party for monetary or other valuable consideration;
“Share” means for the purposes of the CCPA, to share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to third parties for targeted advertising to an individual based on Personal Data obtained from the individual’s activity across non-affiliated or distinctly-branded websites, applications, or services;
“Sub-Processor” means any vendor, supplier or subcontractor of ElectionBuddy authorized to Process Administrator Personal Data on behalf of ElectionBuddy;
2.1 The parties acknowledge that in respect of Administrator Personal Data, ElectionBuddy is a Processor Processing Personal Data on behalf of the Administrator as Controller. Each Party shall comply with its obligations under Data Protection Laws as relates to Administrator Personal Data.
2.2 Details of Administrator Personal Data Processed by ElectionBuddy under the Agreement are as follows:
(a) Subject Matter, Nature and Purpose of Processing. ElectionBuddy’s provision of the Services under the Agreement. In particular to enable an Administrator to manage Votes using ElectionBuddy Services.
(b) Duration of Processing. Processing of Administrator Personal Data by ElectionBuddy shall be for the term of the Agreement and in accordance with ElectionBuddy’s retention obligations under the Agreement and this Addendum.
(c) Personal Data in Scope. name, email address, mailing address, information related to Votes that the Voter Participated in, relationship to Administrator and any other Personal Data that Administrator requests of its Voters; and
(d) Category of Data Subjects. Voters.
2.3 ElectionBuddy shall be an independent Controller and Business with respect to its Processing of Personal Data in connection with the execution and administration of the Agreement (including contact details of Administrator’s personnel/representatives); creation and maintenance of User accounts on the ElectionBuddy Services; and the anonymization of Personal Data to conduct research and analytics for the purposes of improving the Services. The parties agree that the Personal Data described under this Section 2.3 does not form part of Administrator Personal Data and ElectionBuddy shall comply with its obligations as a Controller with respect to such Personal Data.
3.1 Administrator’s instructions for the Processing of Administrator Personal Data shall comply with Data Protection Laws. Administrator represents and warrants that (a) it has provided or will provide any necessary notices to Data Subjects of Administrator Personal Data; (b) it has obtained any necessary approvals and rights necessary for ElectionBuddy to Process Administrator Personal Data in accordance with the Agreement and Data Protection Laws; and (c) ElectionBuddy’s processing of Personal Data in line with the Administrator’s instructions will not cause ElectionBuddy to violate any applicable law.
3.2 ElectionBuddy shall Process Administrator Personal Data only on the written instructions of the Administrator (including as set out in the Agreement) unless ElectionBuddy is required to otherwise Process Administrator Personal Data by applicable laws. ElectionBuddy is hereby instructed to Process Administrator Personal Data for the purposes of providing the Services. Where ElectionBuddy is required by applicable laws to Process Administrator Personal Data other than in accordance with Administrator’s instructions, prior to any such Processing and to the extent permitted by applicable laws, ElectionBuddy shall notify the Administrator in writing of that legal requirement prior to Processing Administrator Personal Data.
3.3 ElectionBuddy shall promptly inform the Administrator if ElectionBuddy becomes aware of a written instruction given by the Administrator under this Section 3 that, in ElectionBuddy’s reasonable opinion, infringes Data Protection Laws.
3.4 ElectionBuddy shall not (a) Sell or Share Administrator Personal Data; (b) retain, use, or disclose any such data outside of the direct business relationship between the Administrator and ElectionBuddy other than as permitted under this Addendum and in accordance with the Agreement; or (c) retain, use or disclose Administrator Personal Data for any purpose other than the business purposes specified in this Addendum or otherwise permitted by Data Protection Laws. ElectionBuddy shall comply with any applicable restrictions under Data Protection Laws on combining Administrator Personal Data with Personal Data received from third party sources other than the Administrator.
4.1 ElectionBuddy shall ensure that all ElectionBuddy personnel authorised to Process Administrator Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Administrator Personal Data confidential.
4.2 The Administrator authorizes ElectionBuddy to engage the Sub-Processors included in the Sub-Processor list set out at https://electionbuddy.com/security (“Sub-Processor List”). Where ElectionBuddy intends to engage any additional Sub-Processor not already approved on the Sub-Processor List, prior to engaging the Sub-Processor, ElectionBuddy shall notify the Administrator of the proposed engagement of the Sub-Processor giving the Administrator the opportunity to object. The Administrator shall be entitled to make a written objection to the proposed engagement (with respect to confidentiality and data protection compliance concerns) within 10 days of ElectionBuddy providing notice to the Administrator under this Section by writing to email@example.com with the subject line 'Objection to Replacement Sub-Processor' including sufficient details and specific examples to support the objection. If no objection is received within the timeframe under this Section, the Administrator is deemed to have authorized the engagement of such Sub-Processor.
4.3 Where the Administrator raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with this Section, ElectionBuddy may, at its option: (a) use its reasonable endeavors to remedy the situation giving rise to the reasonable objection; or (b) propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Section 4.2 of this Addendum, provided that, in the event that ElectionBuddy is unable to remedy the situation or propose an alternative Sub-Processor, ElectionBuddy shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Administrator and the Administrator shall pay ElectionBuddy any fees due for the Services performed prior to termination.
4.4 ElectionBuddy shall ensure that prior to permitting any Sub-Processor to Process Administrator Personal Data, the Sub-Processor has entered into a binding written agreement with ElectionBuddy that imposes obligations substantially equivalent to the obligations imposed on ElectionBuddy as a Processor under this Addendum. ElectionBuddy shall remain fully liable to the Administrator for the performance of the Sub-Processor’s data protection obligations concerning Administrator Personal Data in the event the Sub-Processor fails to fulfil those obligations.
5.1 With respect to ElectionBuddy’s Processing of Administrator Personal Data subject to the GDPR and FADP, the parties acknowledge that Administrator Personal Data will be Processed by ElectionBuddy in Canada, which is a country deemed adequate for the transfer of Personal Data by applicable competent data protection authorities (“Permitted Territory”).
5.2 ElectionBuddy shall not transfer Administrator Personal Data to any party in a country outside the Permitted Territory, including permitting access to Administrator Personal Data from any party in such countries, without the prior written consent of the Administrator, unless:
(a) the transfer/access is to a Sub-Processor included in the Sub-Processor List or appointed in accordance with Section 4 of this Addendum; and
(b) the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).
6.1 ElectionBuddy shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Administrator Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Administrator Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Administrator Personal Data, including as set out at https://electionbuddy.com/security/.
6.2 ElectionBuddy shall notify the Administrator without undue delay on becoming aware of a Personal Data Breach and provide the Administrator with details of the Personal Data Breach as required under Data Protection Laws.
7.1 To the extent related to its Processing of Administrator Personal Data (taking into account the nature of Processing and the information available to ElectionBuddy), ElectionBuddy shall promptly provide the Administrator with reasonable assistance:
(a) using appropriate technical and organizational measures, in complying with any requests received from Data Subjects of Administrator Personal Data exercising Data Subject rights under Data Protection Laws;
(b) to enable the Administrator to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Administrator is required to do so under Data Protection Laws, in connection with data protection impact assessments;
(c) in complying with its obligation to implement and maintain appropriate technical and organizational security measures to protect Administrator Personal Data; and
(d) in complying with its obligation to notify a Personal Data Breach to a Supervisory Authority or to a Data Subject as applicable.
8.1 ElectionBuddy shall delete (or, at the election of the Administrator, return, in such format as ElectionBuddy may reasonably elect, provided any expenses for transferring the Administrator Personal Data to such format are agreed between the parties prior to such transfer) all Administrator Personal Data in the possession or control of ElectionBuddy within thirty (30) days after ElectionBuddy ceases to provide the Services, unless otherwise required to further store Administrator Personal Data by applicable laws or agreement with the Administrator.
9.1 ElectionBuddy shall, on request from the Administrator, make available to the Administrator all information necessary to demonstrate ElectionBuddy’s compliance with its obligations under this Addendum. ElectionBuddy shall allow for audits (including inspections), at Administrator’s cost, conducted by the Administrator or the Administrator’s designated auditor, for the purpose of demonstrating ElectionBuddy’s compliance with its obligations under this Addendum. For the avoidance of doubt such audits shall be limited to once per calendar year except as required by a Supervisory Authority and the scope of any audit will be limited to ElectionBuddy’s policies, procedures, systems and controls relevant to the Processing of Administrator Personal Data.
9.2 ElectionBuddy’s obligations under Section 9.1 of this Addendum are subject to the Administrator:
(a) giving ElectionBuddy reasonable prior notice of such information requests, audits and/or inspections being required by the Administrator;
(b) ensuring that all information obtained or generated by the Administrator or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and
(c) ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to ElectionBuddy’s business and the business of other customers of ElectionBuddy.
10.1 The Administrator acknowledges that ElectionBuddy is reliant on the Administrator for direction as to the extent to which the Administrator is entitled to Process Administrator Personal Data on behalf of the Administrator in the provision of the Services. Consequently ElectionBuddy will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by ElectionBuddy, to the extent that such action or omission resulted directly from the Administrator’s instructions or from the Administrator’s failure to comply with its obligations under the applicable Data Protection Laws.
10.2 Notwithstanding any provisions to the contrary included in this Addendum, each Party’s liability towards the other Party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.