
Data Protection Addendum

1. Introduction:

This Data Processing Addendum, along with its Schedules (jointly referred to as the "DPA"), is an integral part of the Master Service Agreement or any other written or electronic agreement between Open Loyalty and the Customer for the acquisition of online services provided by Open Loyalty (referred to as "Services"), and accurately represents the Parties' consensus on the Processing of Personal Data.

Delivery of the Services may require Open Loyalty to process personal data on behalf of the Customer. To ensure the correctness of the processing, both parties commit to comply with the following provisions concerning personal data, acting in good faith and within their duties as a controller or processor of the data.

2. DPA Structure:

The DPA consists of several parts: the main body and schedules that will apply to your company if certain conditions occur. Such a model is necessary because Open Loyalty provides services to entities from all over the world, and its goal is to provide each of its Customers and users with a high level of protection in the field of personal data. The structure is as follows:

  • Main agreement
  • Schedules
    • Schedule 1 – Details of Data Processing
    • Schedule 2 – Sub Processor List
    • Schedule 3 – Jurisdiction Specific Terms [other countries]
    • Schedule 4 – Controller/Processor to Processor Clauses (2021) (“SCCs”) and Annexes

3. DPA definitions:

Agreement means the agreement in place including Master Service Agreement, Order Forms or any other mutual agreement between Open Loyalty and the Customer relating to the Services.

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

CCPA means the California Consumer Privacy Act of 2018;

Contractual Safeguards means (i) where the GDPR applies, the SCCs and (ii) where the UK General Data Protection Regulation (UK GDPR) applies, the SCCs as amended by the applicable UK Addendum set out in Schedule 5 (the UK Addendum);

Data Protection Laws and Regulations means applicable national, federal, state, provincial, and local laws and regulations governing the use and disclosure of personal information including the GDPR, CCPA, 2018 Data Protection Act (UK GDPR) and any other laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom and the United States of America, applicable to the Processing of Personal Data under the Agreement;

GDPR means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive);

Open Loyalty means the Open Loyalty entity that is a party to this DPA and the Agreement and that processes personal data as defined under relevant Data Protection Laws and Regulations;

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Restricted Transfer means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA or an (onward) transfer from a country outside of the EEA within the same country or to another country outside of the EEA, which are not subject to an adequacy decision under Article 45 GDPR by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country or an (onward) transfer from a country outside of the United Kingdom within the same country or to another country outside of the United Kingdom, which are not subject to adequacy regulations adopted pursuant to Article 45(1) UK GDPR in conjunction with Section 17A of the United Kingdom Data Protection Act 2018;

Services means the services or products to be provided by Open Loyalty to the Customer in accordance with any applicable Agreement;

SCCs means (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, as set out in Schedule 4 (the “2021 Controller-to-Processor Clauses”); or (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, (the “2021 Processor-to-Processor Clauses”); where applicable.

Sub-processor means any processor engaged by Open Loyalty who agrees to receive Personal Data intended for processing on behalf of the Customer in connection with the Services;

The terms Controller, Data Subject, Personal Data, Process, Processing, Processor will have the same meanings as defined by Data Protection Laws and Regulations. 

For clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider. 

4. Objectives of the processing

The Processing carried out by Open Loyalty involves the handling of Personal Data to provide the Services as outlined in the Agreement. The duration, nature, and objective of the processing, as well as the types of Personal Data and categories of Data Subjects involved, are detailed in Schedule 1 (Details of Data Processing) of this DPA.

5. Duties of the Controller and the Processor

  1. When using the Services, the Customer must handle Personal Data in compliance with Data Protection Laws and Regulations. This includes notifying Data Subjects about the use of Open Loyalty as a Processor. If the Customer is a Processor, they must ensure that the ultimate Controller also provides this notice. 
  2. The Customer's instructions for processing Personal Data must follow Data Protection Laws and Regulations. 
  3. The Customer is responsible for the accuracy, quality, and legality of the Personal Data they have and how they obtained it. The Customer must not violate the rights of any Data Subject, especially those who have opted out of having their Personal Data shared, as required by Data Protection Laws and Regulations.
  4. Open Loyalty will handle Personal Data as Confidential Information and will only process it according to the Customer’s documented instructions. This includes processing as outlined in Agreement, processing initiated by using the Services, and processing to comply with other reasonable instructions from the Customer that are consistent with the Agreement.
  5. Open Loyalty will promptly notify the Customer if:
    1. an instruction from the Customer is deemed to violate the Data Protection Laws and Regulations, and/or
    2. Open Loyalty is unable to comply with the Customer's directives regarding the Processing of Personal Data.

6. Data Subject’s requests

  1. Open Loyalty will promptly inform Customer of any complaint, dispute, or request received from a Data Subject, including but not limited to the right of access, right to rectification, restriction of Processing, erasure (commonly known as the "right to be forgotten"), data portability, objection to Processing, or the right to not be subject to automated individual decision making. These requests are collectively referred to as "Data Subject Requests." Open Loyalty will not directly respond to a Data Subject Request unless the Customer grants authorization for Open Loyalty to redirect the request to enable the Customer to respond directly.
  2. Considering the nature of the Processing, Open Loyalty is obligated to provide the Customer with necessary support through suitable technical and organizational measures, to the extent feasible, to help fulfill the Customer's responsibility to address a Data Subject Request under Data Protection Laws and Regulations.
  3. If a Customer using the Services is unable to handle a request from a Data Subject, Open Loyalty will make reasonable efforts to assist upon request. This assistance will only be provided if legally allowed and required by Data Protection Laws and Regulations. The Customer will be responsible for any costs associated with this assistance.

7. Staff and technical security, Open Loyalty’s certificates

  1. Open Loyalty appoints a Data Protection Officer (details: Krzysztof Łoś, Data Protection Officer, krzysztof.los@openloyalty.io).
  2. Open Loyalty will guarantee that its staff involved in handling Personal Data are aware of the confidential nature of the information, have undergone suitable training regarding their duties, and have signed confidentiality agreements. Open Loyalty will:
    1. make sure that these confidentiality obligations continue even after the staff's engagement ends; 
    2. take reasonable measures to ensure the trustworthiness of any Open Loyalty staff involved in handling Personal Data; and 
    3. ensure that Open Loyalty’s access to Personal Data is restricted to only those staff members carrying out Services as per the Agreement.
  3. Open Loyalty will uphold suitable technical and organizational safeguards to ensure the security (including protection against unauthorized or unlawful processing, accidental or unlawful destruction, loss, alteration, or damage, unauthorized disclosure, or access to Customer data), confidentiality, and integrity of Customer data.
  4. Open Loyalty has acquired third-party certifications and audits, including ISO 27001 and ISO 9001 certifications. Open Loyalty commits to keeping these certifications or standards, or similar successors, for the entire duration of the Agreement.

8. Audits

  1. Open Loyalty will have an audit program in place to ensure compliance with the obligations outlined in this DPA. Open Loyalty will provide the Customer with information to show that they are meeting these obligations, including those required by relevant Data Protection Laws and Regulations.
  2. Open Loyalty will provide access to information on third-party certifications and audits upon the Customer's written request at reasonable intervals. 
  3. The Customer can request an on-site audit of Open Loyalty's processing activities covered by this DPA. The audit can be conducted by the Customer themselves or through a Third-Party Auditor chosen by the Customer in the following situations: 
    1. when the information available from proper certificates or audits is not enough to show compliance with the obligations in this DPA and its Schedules. 
    2. when the Customer has been notified by Open Loyalty of a Customer Data Incident. 
    3. when such an audit is mandated by Data Protection Laws and Regulations or by the Customer's supervisory authority.
  4. Any On-Site Audits will only be conducted at Customer data processing and storage facilities operated by Open Loyalty or any of Open Loyalty’s Affiliates.
  5. Customer or its Third-Party Auditor shall conduct an On-Site Audit: 
    1. by acting reasonably, in good faith, and in a proportional manner, considering the nature and complexity of the Services used by the Customer; 
    2. up to once a year with at least three weeks' advance written notice. In case of an emergency requiring a shorter notice period, Open Loyalty will make good faith efforts to accommodate the On-Site Audit request; and 
    3. during Open Loyalty’s normal business hours, for a reasonable duration, and without unreasonably interfering with Open Loyalty’s day-to-day operations.
  6. The Customer understands that Open Loyalty operates in a multi-tenant cloud environment. Before starting any On-Site Audit, the Customer and Open Loyalty will agree on the scope, timing, and duration of the audit, as well as the reimbursement rate that the Customer will need to pay. The reimbursement rates will be fair and consider the resources used by Open Loyalty. Open Loyalty can adjust the scope of the audit to protect the service levels, availability, and confidentiality of other Customers' information.
  7. A Third-Party Auditor refers to an external contractor who is independent and not a competitor of Open Loyalty. In the event of an On-Site Audit, a Third-Party Auditor may be engaged if the following conditions are met: 
    1. before the On-Site Audit takes place, the Third-Party Auditor must sign a non-disclosure agreement that includes confidentiality provisions that are equally as protective as those outlined in the Agreement, to safeguard Open Loyalty's proprietary information;
    2. the expenses incurred by the Third-Party Auditor will be borne by the Customer.
  8. The Customer shall inform Open Loyalty about any non-compliance found during an On-Site Audit without any delay.
  9. In response to the Customer's request, Open Loyalty will offer the Customer adequate cooperation and support to meet the Customer's responsibility under Data Protection Laws and Regulations for conducting a data protection impact assessment concerning the Customer's utilization of the Services. This assistance will be provided if the Customer lacks access to the pertinent information and if Open Loyalty possesses such information.

9. Transfer of data to third countries and using external suppliers

  1. The Customer authorizes Open Loyalty and its Sub-processors to make Restricted Transfers of Personal Data to third countries and use external suppliers to comply with the Customer’s instructions under this DPA and perform the obligations under the Agreement.
  2. The Customer recognizes that Open Loyalty may transfer and process Personal Data in the United States and other locations worldwide where Open Loyalty, its Affiliates, or its Sub-processors conduct data processing activities. Open Loyalty will always ensure that such transfers comply with the requirements of Data Protection Laws and Regulations and this DPA.
  3. If Personal Data protected by the GDPR needs to be transferred to a country outside the European Economic Area (EEA) that does not provide an adequate level of protection for personal data, the parties agree to process such Personal Data following the SCCs, which will be included in and become an integral part of this DPA.
  4. For transfers subject to the UK GDPR or the UK Data Protection Act 2018, the SCCs will apply as modified by the UK Addendum. The UK Addendum will be considered executed by the parties and included in and become an integral part of this DPA.

10. Subprocessors

  1. Approved Sub-processors. The Customer acknowledges that Open Loyalty has the authority to engage Sub-processors to process Personal Data on behalf of the Customer. The Sub-processors currently engaged by Open Loyalty are listed in Schedule 2. Open Loyalty will inform the Customer if any Sub-processors are added or removed.
  2. Open Loyalty will: 
    1. establish a written agreement with each Sub-processor that includes data protection obligations, ensuring that the level of protection for Personal Data is at least equivalent to the obligations stated in this DPA, as required by applicable Data Protection Laws and Regulations and in relation to the nature of the service provided by the Sub-processor; and 
    2. remain accountable for the Sub-processor's compliance with the obligations outlined in this DPA, as well as for any actions or failures on the part of the Sub-processor that result in Open Loyalty breaching its obligations under this DPA. 
  3. The Customer acknowledges and agrees that, when applicable, Open Loyalty fulfills its obligations under Clause 9 of the Contractual Safeguards (as applicable) by adhering to this section. 
  4. Upon request, Open Loyalty will make reasonable efforts to provide the Controller with all relevant information about Sub-processor agreements. However, due to confidentiality restrictions, Open Loyalty may not always be able to disclose Sub-processor agreements to the Customer.

11. Incident Management

  1. If Open Loyalty or any Sub-processor becomes aware of a Personal Data Breach, they shall promptly notify the Customer in accordance with the applicable Data Protection Laws and Regulations. If reporting to a Supervisory Authority is required within 72 hours, Open Loyalty shall provide such notice to the Controller within 48 hours. The notification shall include, at a minimum:
    1. detailed information about the nature of the Personal Data Breach, including the categories and numbers of Data Subjects and Personal Data records affected;
    2. the name and contact details of Open Loyalty's data protection officer or other relevant contact person who can provide further information;
    3. an assessment of the likely consequences of the Personal Data Breach, considering the nature of the Services and the breach itself;
    4. an explanation of the measures that have been taken or will be taken to address the breach.
  2. Open Loyalty will collaborate with the Customer and take necessary steps to assist in the investigation, mitigation, and resolution of each Personal Data Breach.
  3. The Customer agrees that in cases where there is an unauthorized attempt to access Personal Data or the infrastructure and networks providing the Services (as defined in the Agreement) (such as pings, denial of service attacks, firewall or edge server attacks, port scans, unsuccessful login attempts, packet sniffing, or other unauthorized access to traffic data) that does not lead to a Personal Data Breach, Open Loyalty is not obligated to inform the Customer under the Agreement or this DPA.

12. Requests of authorities and courts

  1. If a Public Authority legally requests access to Personal Data, Open Loyalty must notify the Customer promptly, unless legally prohibited. If prohibited by law, Open Loyalty will try to get permission to share as much information as possible. 
  2. Open Loyalty will challenge the request if it believes it is unlawful and seek interim measures to suspend the request until a judicial decision is made. Personal Data will not be disclosed until required by law. Open Loyalty will provide the minimum information necessary when responding to disclosure requests. 
  3. If Open Loyalty becomes aware of direct access to Personal Data by a Public Authority, it will inform the Customer within legal limits. Open Loyalty certifies that it has not created back doors or changed processes to allow access to Personal Data by Public Authorities, and is not aware of any laws or policies requiring such actions at the date of concluding the Agreement. 

13. Return and deletion of data

  1. Open Loyalty stores personal data for the duration of the Agreement (including any renewals or extensions agreed upon by both parties), or for longer only where Open Loyalty may be entitled to assert claims. 
  2. After the term mentioned above, Open Loyalty will ensure that all personal data is securely deleted or anonymized if no longer needed. The Customer can also request that the Personal Data be transferred to them upon termination of the cooperation. 

14. Liability

The liability of each party and its Affiliates, when combined, concerning this DPA and all DPAs between Authorized Affiliates and Open Loyalty, regardless of whether it is based on contract, tort, or any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement. Any mention of a party's liability in that section refers to the total liability of that party and all of its Affiliates under the Agreement and all DPAs combined.

15. CCPA & CPRA Compliance

  1. To the extent Open Loyalty receives Personal Information on the Customer’s behalf that is subject to CCPA, Open Loyalty certifies that it will take all reasonable efforts to comply with the CCPA, CPRA and Customer’s instructions. 
  2. Open Loyalty, as a service provider (as defined in the CCPA) shall provide no less than the level of privacy protection required by the CCPA, which shall not be less than the level of protection outlined in this DPA.
  3. The parties acknowledge that where and to the extent the CCPA applies to the Customer as a Business, then in a situation where Open Loyalty as a Service Provider receives from the Customer Personal Data that constitutes personal information (as defined under CCPA), Open Loyalty shall not: 
    1. sell such information;
    2. retain, use or disclose personal information for any purpose other than performing the Services under the Agreement or as otherwise permitted under CCPA;
    3. retain, use or disclose personal information for a commercial purpose other than providing Services unless otherwise permitted under the Agreement;
    4. retain, use or disclose personal information outside the direct business relationship between the Customer and Open Loyalty (and/or their Affiliates) unless otherwise permitted in the Agreement.

16. Final provisions

  1. The DPA will take effect upon the commencement of the Parties' Agreement and its inclusion.
  2. This DPA will automatically end upon the later of:
    1. the termination or expiration of the Agreement; 
    2. the cessation of processing of the Personal Data by Open Loyalty. 
  3. In the event of a conflict between the terms of the Agreement and those of this DPA, the terms of the DPA will prevail. 
  4. If any provision of this DPA is deemed invalid, the validity of the remaining terms will not be affected.
  5. Any obligations resulting from legal requirements or as per a court or regulatory ruling will not be impacted by this DPA.
  6. The governing law of this DPA shall be the same as the law governing the Agreement between the Parties. However, in cases where the Personal Data is protected by a) the GDPR, the governing law shall be Polish law; and b) the Contractual Safeguards, the law applicable under the applicable SCCs shall govern.