This Data Processing Addendum (“Addendum”) is effective on the first date that User provides to ConvIOT Personal Data (as defined below) subject to the GDPR (as defined below) or October __, 2019, whichever is later and forms part of the Privacy Policy or other written or electronic agreement (“Agreement”) by and between the organization or individual (“User”) accessing the ConvIOT Services as defined under the Privacy Policy and RUMBLE IoT Inc., a Delaware corporation (“ConvIOT”), and sets forth the terms and conditions relating to privacy, confidentiality and security of EU Personal Data associated with online services and maintenance to be rendered by ConvIOT to User pursuant to the Agreement. All terms defined or used in the Agreement will have the same meaning in this Addendum unless otherwise specified.

The User may provide ConvIOT, a company located in the United States, with access to personally identifiable information about individuals located in the European Union to act as a Processor in connection with online services and maintenance performed by ConvIOT for or on behalf of User pursuant to the Agreement.

The User requires ConvIOT to preserve and maintain the privacy and security of such EU Personal Data as a Processor according to the terms of the Addendum.

In consideration of the mutual covenants and agreements in this Addendum and the Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, User and ConvIOT agree as follows:


2. Definitions

a. “Controller” means any person or organization that, alone or jointly with others, determines the purposes and means of Processing of EU Personal Data.

b. “EU Personal Data” means personally identifiable information about individuals located in the European Union and may include, but not be limited to, the following (i) categories of data subjects: prospects, Users, business partners, and vendors, and (ii) types of personal data: name, title, position, and email address and location.

c. “GDPR” means the European Union General Data Protection Regulation.

d. “Privacy Shield” means the EU-US Privacy Shield framework and Swiss-US Privacy Shield framework.

e. “Process(es)” or “Processing” of EU Personal Data means any operation or set of operations that is performed on EU Personal Data, whether by automated means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

f. “Processor” means any natural or legal person, public authority, agency, or other body that Processes EU Personal Data on behalf of Controller.

2. Privacy, Confidentiality, and Information Security.

a. Authority to Process EU Personal Data.

i. User and RUMBLE agree User is the Controller and ConvIOT is the Processor of EU Personal Data except when User is a Processor of EU Personal Data, then RUMBLE is a subprocessor.

ii. These Addendum terms do not apply where ConvIOT is a Controller of EU Personal Data (e.g. EU Personal Data received and Processed by RUMBLE as needed for account setup, authorization and sign on).

iii. ConvIOT will Process US Personal Data only with User’s written instructions, (a) on behalf of and for the benefit of User, (b) for the purposes of Processing EU Personal Data in connection with the Agreement, and (c) to carry out its obligations pursuant to this Addendum, the Agreement and by law.

iv. User will have the exclusive authority to determine the purposes for and means of Processing EU Personal Data.

v. This Addendum and the Agreement are User’s complete instructions to RUMBLE for the Processing of EU Personal Data. Any alternative or additional instructions may only be by written amendment to this Addendum.

b. Disclosure of and Access to EU Personal Data.

i. ConvIOT will hold in confidence all EU Personal Data.

ii. ConvIOT will (a) provide at least the same level of privacy protection for EU Personal Data received from User, as is required by the GDPR, and the Privacy Shield principles that may be found on the Privacy Shield website, (b) promptly notify User if at any time RUMBLE determines it can no longer meet its obligations to provide the same level of protection as required by the GDPR, and (c) take reasonable and appropriate steps to remediate the Processing of such EU Personal Data if, at any time, User notifies RUMBLE that User has reasonably determined RUMBLE is not Processing the EU Personal Data in compliance with the GDPR.

iii. ConvIOT will only transfer the EU Personal Data outside the country in which User or its personnel originally delivered it to ConvIOT for Processing (or, if it was originally delivered to a location inside the European Economic Area (“EEA”) or Switzerland), outside the EEA or Switzerland where adequate data privacy safeguards are in place, such as binding corporate rules, the Model Clauses or the Privacy Shield principle, unless required by law, in which case, RUMBLE will, unless such prior disclosure is prohibited, notify User of such requirement before Processing.

iv. ConvIOT will not share, transfer, disclose or otherwise provide access to any EU Personal Data to any third party or contract any of ConvIOT’s rights or liabilities concerning EU Personal Data to a third party, unless User has authorized RUMBLE to do so in writing, except as required by law. Where ConvIOT, with the User’s consent, provides to a third party access to EU Personal Data or contracts such rights or obligations to a third party, ConvIOT will, with each third party, (a) enter into a written agreement that imposes obligations on the third party consistent with the GDPR, (b) transfer the EU Personal Data to the third party only for the limited and specified purposes as instructed by User, (c) require the third party to notify ConvIOT if the third party determines it can no longer meet its obligation to provide the same level of protection as required by the GDPR, and (d) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing. User hereby provides its consent for RUMBLE to use subprocessors as necessary to provide the services including, but not limited to, the use of Dreamhost. To the extent RUMBLE makes any changes with regard to the use of its subprocessors, it will inform User and provide User with the right to object to such change. To the extent User has a reasonable objection to such change in subprocessors, the parties will cooperate to address the objection in a reasonable manner.

v. ConvIOT will promptly notify User in writing of any requests with respect to EU Personal Data received from User’s customers, consumers, employees or other associates. User will be responsible for responding to any such request, but ConvIOT will reasonably cooperate with User to address any such request or a request by an individual about whom RUMBLE holds EU Personal Data for access, rectification, objection, portability, restriction, erasure, or export of his or her EU Personal Data.

vi. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, RUMBLE will implement appropriate technical and organizational measures to protect the EU Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. To this basis to fulfill RUMBLE’s performance of services for or on behalf of User, by employees who agreed to comply with privacy and security obligations that are substantially similar to those required by this Addendum.

vii. Subject to applicable law, ConvIOT will notify User immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of EU Personal Data. User may, if it so chooses, seek a protective order, and ConvIOT will reasonably cooperate with User in such action, provided User reimburses ConvIOT for all costs, fees and legal expenses associated with the action. ConvIOT will have the right to approve or reject any settlements that affect ConvIOT.

c. ConvIOT will comply with the applicable data protection and privacy laws, including but not limited to, the GDPR, to the extent such laws apply to RUMBLE in its role as a Processor.

d. User certifies that it has:

i. Obtained the written consent, affirmative opt-in, other written authorization (“Consent”) from applicable individuals in the European Union or has another legitimate, legal basis for delivering or making accessible EU Personal Data to ConvIOT (and its subsidiaries, affiliates and subprocessors), and such consent or other legitimate basis allows ConvIOT (and its subsidiaries, affiliates, and subprocessors) to Process the EU Personal Data pursuant to the terms of the Agreement and this Addendum, and

ii. Ensured that the delivery and disclosure to ConvIOT of EU Personal Data is in compliance with the GDPR as Controller and all laws applicable to User and otherwise complies with applicable privacy and data protection laws.

e. ConvIOT will assist User in ensuring that it secures Processing obligations, as Controller, under the GDPR, which may include assisting User in a consultation with a supervisory authority where a data protection impact assessment indicates that the intended Processing would result in a high risk. Upon request, ConvIOT will make available to User the information necessary to demonstrate compliance with the GDPR and will allow for and contribute to audits, including inspections, to confirm RUMBLE’s compliance with this Addendum by Controller or another auditor mandated by Controller. All expenses resulting from this Subsection E will be incurred by User, unless ConvIOT is found to be materially non-compliant.

f. Upon termination of the Agreement, ConvIOT will either return all EU Personal Data Processed on behalf of User or delete or destroy the EU Personal Data, including any existing copies, at User’s expense, if any, unless ConvIOT has a legal obligation to maintain such EU Personal Data.