Companies that process personal data of EU residents need a GDPR data processing agreement (DPA) whenever they engage a third party to process that data on their behalf. For companies that do not handle EU personal data, a DPA can still be useful for setting out the terms of business with external data processors.
Where a data processor includes its DPA terms in its online service terms, a data controller needs no separate agreement to satisfy the GDPR requirement for written data processing terms.
The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as Directive 95/46/EC, and was intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding in every member state.
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU individuals in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person, including names, email addresses and phone numbers.
HeyJinni acts as both a data processor and a data controller under the GDPR.
HeyJinni as a data processor – When customers use HeyJinni services to process personal data in the content they upload to HeyJinni services, HeyJinni acts as a data processor. Customers can use the controls available in HeyJinni Trust Centre, including security configuration controls in their profile or service settings, for the handling of personal data. Under these circumstances, the customer may act as a data controller or data processor itself, and HeyJinni acts as a data processor or sub-processor. HeyJinni offers a GDPR-compliant Data Processing Agreement (DPA) that incorporates HeyJinni’s commitments as data processor.
In accordance with GDPR Article 28, Section 3, our data processing agreement includes the following assurances when HeyJinni acts as a data processor:
- HeyJinni agrees to process personal data only on the written instructions of your company.
- Everyone who comes into contact with data at HeyJinni is bound by an obligation of confidentiality.
- HeyJinni uses appropriate technical and organizational measures to protect the security of the data.
- HeyJinni will not subcontract to another processor unless authorised to do so in writing by your company, in which case a written agreement imposing the same data protection obligations will need to be in place with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- HeyJinni will help your company uphold its obligations under the GDPR, particularly concerning data subjects’ rights.
- HeyJinni will help your company maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
Data Processing Agreement (DPA)
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent HeyJinni processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.
This DPA is effective on the date that it has been duly executed by both Parties (“Effective Date”), and amends, supersedes, and replaces any prior data processing agreements that the Parties may have entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless HeyJinni has separately agreed to those modifications in writing.
1.1. Affiliate – means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. Authorised Affiliate – means Customer’s Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Services pursuant to the Agreement between Customer and HeyJinni; and (c) have not signed their own Services Agreement with HeyJinni and are not “Customers” as defined under this DPA.
1.3. CCPA – means the California Consumer Privacy Act of 2018 (California Civil Code sections 1798.100 – 1798.199) and its accompanying regulations.
1.4. Controller – means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller. For the purposes of this DPA, all references to Controller shall also mean “business” as defined in the CCPA for CCPA purposes.
1.5. Covered Services or Services – means the services that are ordered by the Customer from HeyJinni involving the Processing of Personal Data on behalf of the Customer.
1.6. Customer – means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
1.7. Data Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer’s Personal Data transmitted, stored, or otherwise Processed.
1.8. Data Protection Laws – means any applicable law, statute, regulation or order of a governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, in force at any time during the term of the Services Agreement, including the laws of the European Union, the UK Data Protection Act 2018, the GDPR, and the CCPA, all as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Services Agreement.
1.9. Data Subject – means either: 1) the individual within the European Economic Area or the United Kingdom to whom Personal Data relates, for GDPR purposes, or 2) a “consumer,” as such term is defined in the CCPA, for CCPA purposes.
1.10. GDPR – means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.11. Personal Data – means either: 1) data about a specific natural person within the European Economic Area or the United Kingdom from which that person is identified or identifiable, as defined in GDPR or 2) “personal information” as defined in the CCPA for CCPA purposes, which is provided by or on behalf of Customer and Processed by HeyJinni pursuant to the Services Agreement.
1.12. Processing – means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13. Processor – means the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, HeyJinni, including its Affiliates, is the Processor. For the purposes of this DPA, all references to Processor shall also mean “service provider” as defined in the CCPA for CCPA purposes.
1.14. Regulator – means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.15. Services Agreement – means any services agreement including, but not limited to, HeyJinni’s online terms (collected together at https://policies.heyjinni.com/) between HeyJinni and Customer under which Covered Services are provided by HeyJinni to Customer.
1.16. Standard Contractual Clauses – means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
1.17. Sub-processor – means any Processor engaged by HeyJinni, or on its behalf, to Process Personal Data on behalf of HeyJinni.
- Services Agreement
- Data Protection Laws
3.1. Roles of the Parties – The Parties acknowledge and agree that HeyJinni will Process the Personal Data in the capacity of a Processor and that Customer will be the Controller of the Personal Data.
3.2. DPO – The Parties, to the extent required by the GDPR, will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by Data Protection Laws.
- Controller Obligations
4.1. Instructions – Customer warrants that the instructions it provides to HeyJinni pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests – Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require HeyJinni’s assistance, Customer shall immediately notify HeyJinni in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent, and Other Authorizations – Customer agrees that the Personal Data it collects shall be collected in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon HeyJinni’s request, Customer shall provide all information necessary to demonstrate compliance with these requirements.
- Details of Processing Activities
5.1. The following table sets out the details of Processing:
- Purposes for which the Personal Data shall be processed
- Description of the categories of Data Subjects
- Description of the categories of Personal Data
- Description of special categories of Personal Data
- Processor Obligations Supplementing the Standard Contractual Clauses
6.1. Scope of Processing – HeyJinni will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Services Agreement, except as may be required to comply with any legal obligation to which HeyJinni is subject. HeyJinni may make reasonable efforts to inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe any Data Protection Laws. In the event HeyJinni must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, HeyJinni will inform Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by law.
6.2. Disclosure to Third Parties – Except as expressly provided in this DPA, HeyJinni will not disclose Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, HeyJinni will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
6.3. GDPR Articles 32-36 – Taking into account the nature of the Processing and the information available to HeyJinni, HeyJinni will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
7.1. Scope – HeyJinni will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. HeyJinni may limit the scope of information made available to Customer if Customer is a HeyJinni competitor, provided that such limitation does not violate Data Protection Laws or the Standard Contractual Clauses. Customer’s inspection rights under this DPA do not extend to HeyJinni’s employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
7.2. Process – Subject to thirty (30) days’ prior written notice from Customer and at Customer’s additional expense (including all reasonable costs and fees for any and all time HeyJinni expends on such audit, in addition to the rates for services performed by HeyJinni), HeyJinni and Customer shall mutually agree to appoint a third-party auditor to verify that HeyJinni is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor of HeyJinni. Audits and inspections will be carried out at mutually agreed times during regular business hours. Customer shall be entitled to exercise this audit right no more than once every twelve (12) months. Customer shall not be entitled to an on-site audit of HeyJinni’s premises without demonstrating a compelling need for such an on-site audit. The Parties shall mutually agree upon the duration of the audit.
7.3. Confidentiality – All information obtained during any such request for information or audit will be considered HeyJinni’s confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed HeyJinni’s confidential information. The third party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
- Contracting with Sub-processors
8.1. Customer hereby gives its general authorisation for HeyJinni to engage Sub-processors in connection with the Processing of the Personal Data as set forth in clause 9 of the Standard Contractual Clauses. HeyJinni will update the applicable website and provide Customer with a mechanism to obtain notice of that update. HeyJinni’s website (currently posted at https://policies.heyjinni.com/sub-processors/) lists the Sub-processors currently engaged by HeyJinni. If Customer objects to a listed Sub-processor, Customer may terminate the Services and pay HeyJinni any fees or expenses not yet paid for all services provided pursuant to any Services Agreement. To object to a new Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which HeyJinni has engaged the Sub-processor; or (iii) terminate the Services and pay HeyJinni any fees or expenses not yet paid for all services provided pursuant to any Services Agreement.
8.2. Sub-processor Obligations. Where HeyJinni authorises a Sub-processor as described, HeyJinni will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and HeyJinni will prohibit the Sub-processor from accessing Customer Data for any other purpose; HeyJinni, unless DPA terms are included in the online service terms of data processors, will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by HeyJinni under this DPA, HeyJinni will impose on the Sub-processor the same contractual obligations that HeyJinni has under this DPA; and HeyJinni will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause HeyJinni to breach any of HeyJinni’s obligations under this DPA.
- Transfers Outside of the EEA (European Economic Area)
9.1. Transfer – Customer acknowledges that HeyJinni may, without Customer’s prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognized by the European Commission as affording the Personal Data an adequate level of protection or (ii) the transfer is otherwise safeguarded by mechanisms, such as Standard Contractual Clauses and other certification instruments, recognized and approved by the European Commission from time to time.
9.2. Standard Contractual Clauses – If Customer’s use of the Services involves Customer’s transfer of Personal Data from the United Kingdom or European Economic Area to HeyJinni, or if entering into the Standard Contractual Clauses set forth in the Appendix to this DPA with HeyJinni would otherwise help Customer satisfy a legal obligation relating to the international transfer of Personal Data, then (i) by entering into this DPA, the Parties are deemed to be signing such Standard Contractual Clauses, including each of its applicable Annexes and (ii) such Standard Contractual Clauses form part of this DPA and take precedence over any other provisions of this DPA to the extent of any conflict.
- Additional Terms for California Data Subjects
To the extent that the CCPA applies, HeyJinni agrees it will not: (a) sell California Data Subjects’ Personal Data (as “sell” is defined in the CCPA); (b) retain, use, or disclose California Data Subjects’ Personal Data for a commercial purpose other than providing the services specified in the Services Agreement; (c) retain, use, or disclose California Data Subjects’ Personal Data outside of the direct business relationship between Processor and Customer. HeyJinni certifies that it understands these restrictions set out in this section and will comply with them.
- Obligations Post-Termination
Termination or expiration of this DPA shall not discharge the Parties from those obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
- Liability and Indemnity
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
Last updated: 01/07/2022