This Data Processing Agreement (“DPA”) is incorporated by reference into Heyzine’s Terms and Conditions of Use (“Terms and Conditions”) available at Terms and Conditions - heyzine, entered by and between you, the User (as defined in the Terms and Conditions) (collectively, “you”, “your”, “User”, “DATA CONTROLLER”), and Heyzine Flipbooks, S.L. (“HEYZINE”, “us”, “we”, “our”, “DATA PROCESSOR”) to reflect the Parties’ agreement with regard to the Processing of Personal Data by Heyzine solely on behalf of the User. Both parties shall be referred to as the “Parties” and each, a “Party”.
By using the Service, you as the User accept this DPA and represent and warrant that you have full authority to bind the User to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the User or any other entity, you should not provide Personal Data to us or use our Service. In the event of any conflict between certain provisions of this DPA and the provisions of the Terms & Conditions, the provisions of this DPA shall prevail over the conflicting provisions of the Terms & Conditions solely with respect to the Processing of Personal Data.
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
“Agreement” means this Data Processing Agreement.
“Controller” is the party that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the User is the DATA CONTROLLER or represents DATA CONTROLLER.
“Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
“Data Subject” is the identified or identifiable natural person that the Personal Data is related to.
“Data Transfer” means a transfer of Company Personal Data from the Company to a Contracted Processor; or an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or consumer, which is processed by Heyzine solely on behalf of the User, under this DPA and the Agreement between the User and Heyzine (Terms & Conditions).
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” is the party that Processes Personal Data on behalf of the Controller.
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique processing, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences.
“Service or Service(s)” means the flipbook service Heyzine provides pursuant to the Terms & Conditions.
“Standard Contractual Clauses” means the Standard Contractual Clauses between Controllers and Processors, and between Processors and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Subprocessor” means any third party (usually service providers) that processes Personal Data under the instruction or supervision of Heyzine.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their related terms shall be construed accordingly.
Subject-matter: The subject-matter of Processing of Personal Data by Heyzine is the performance of the Service pursuant to the Terms & Conditions. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in ANNEX 1 (Details of Processing) to this DPA.
Roles of the parties: The Parties acknowledge and agree that with regard to the processing of Personal Data, the User is the Controller and Heyzine is the Processor. In some circumstances, the User may be the Processor, in which case the User appoints Heyzine as the User’s sub-processor, which shall not change the obligations of either the User or Heyzine under this Data Processing Agreement, as Heyzine will remain a Processor with respect to the User in such event.
The personal data to which the DATA PROCESSOR will have access corresponds to the categories of personal data that are included in the files that the DATA CONTROLLER makes available in order to be able to comply with the contracted service as specified in ANNEX I.
DATA CONTROLLER in its use of the Service, and User’s instructions to the Processor, shall comply with Data Protection Laws. User shall establish and have any and all required legal bases in order to collect, process and transfer to Processor the Personal Data, and to authorize the Processing by Processor, and for Processor’s Processing activities on User’s behalf.
The DATA CONTROLLER guarantees that the data provided to the DATA PROCESSOR has been lawfully obtained and is adequate, relevant and limited to the purposes of the processing.
The DATA CONTROLLER informs the DATA PROCESSOR that, if the DATA PROCESSOR determines the purposes and means of the processing itself, the DATA PROCESSOR will be considered to be the DATA CONTROLLER and will be bound to comply with the applicable provisions of the regulations.
Heyzine, when Processing on the User’s behalf under the Agreement, shall Process Personal Data for the following purposes:
(i) Processing in accordance with the Terms & Conditions and this DPA;
(ii) Processing for the User as part of its provision of the Service;
(iii) Processing to comply with the User’s reasonable and documented instructions, where such instructions are consistent with the terms of the Terms & Conditions, regarding the way in which the Processing shall be performed;
(iv) Processing as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform User of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
The DATA PROCESSOR undertakes to respect all the obligations that may apply to them as DATA PROCESSOR in accordance with the provisions of current legislation and any other provision or regulation that may be equally applicable to them.
The DATA PROCESSOR shall not use, apply or assign the data to which they have access for any purpose other than that of the processing; doing so shall constitute a breach of this contract.
The DATA PROCESSOR shall make available to the DATA CONTROLLER the information necessary to demonstrate compliance with the contract, and shall allow the inspections and audits necessary to evaluate the processing.
The DATA PROCESSOR guarantees that the persons authorized to process have expressly and in writing undertaken to respect the confidentiality of the data or confirmed that they are subject to a legal obligation of confidentiality of a statutory nature.
The DATA PROCESSOR shall take measures to ensure that any person acting under their authority and having access to personal data can only process it following the instructions of the DATA CONTROLLER or is obliged to do so by virtue of the legislation in force.
The DATA PROCESSOR guarantees that the persons authorized to process have received the necessary training to ensure that the protection of personal data will not be put at risk.
The DATA PROCESSOR declares that they are up to date with regard to the obligations deriving from the data protection regulations, especially with regard to the implementation of security measures for the different categories of data and processing established in article 32 of the GDPR.
The DATA PROCESSOR ensures that such security measures are properly implemented and will cooperate with the DATA CONTROLLER to ensure compliance.
The DATA CONTROLLER will carry out an analysis of the possible risks resulting from the processing to determine the appropriate security measures to guarantee the security of the information processed and the rights of the Persons Concerned and, if they determine that there are risks, will send a report to the DATA PROCESSOR with the impact assessment so that they can proceed to implement the appropriate measures to avoid or mitigate them.
The DATA PROCESSOR, for their part, must analyze the possible risks and other circumstances that may have an impact on safety that may be attributable to them, and, if there are any, must inform the DATA CONTROLLER in order to evaluate their impact.
However, the DATA PROCESSOR ensures that, taking into account the current state of the art, the costs of application and the nature, scope, context and purposes of the processing, they will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the processing, including, where appropriate, among other things:
The security breaches that the DATA PROCESSOR is aware of must be notified, without undue delay and within a maximum of 48 hours, to the DATA CONTROLLER for their knowledge and application of measures to remedy and mitigate the effects caused. Notification is not required where it is unlikely to pose a risk to the rights and freedoms of natural persons.
The security breach notification shall contain at least the following information:
When the breach of security has occurred under the responsibility of the DATA PROCESSOR, the DATA CONTROLLER may oblige them to notify the Spanish Supervisory Authority and, if necessary, to communicate it to the affected Person Concerned.
The DATA PROCESSOR may not communicate the data to other recipients, unless they have obtained prior written authorization from the DATA CONTROLLER, which shall be attached to this contract, if there are any.
Transfers of data to public authorities in the exercise of their public service are not considered data communications, so the authorization of the DATA CONTROLLER is not required if such transfers are necessary to achieve the purpose.
The DATA PROCESSOR may not transfer data to third countries or international organizations that do not offer GDPR compliance guarantees for international transfers (such as Standard Contractual Clauses, Commission Adequacy Decisions, BCRs and others expressly authorized).
DATA PROCESSOR may respectively engage third-party SUB-PROCESSORS in connection with the provision of the Service and has the User’s general authorization for the engagement of sub-processor(s) from an agreed list, as outlined below. Heyzine will specifically inform the User in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) business days in advance, thereby giving the User sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The DATA PROCESSOR shall provide the DATA CONTROLLER with the information necessary to enable the DATA CONTROLLER to exercise its right to object.
List of subprocessors:
AMAZON WEB SERVICES (ESW0185696B) | LUXEMBURG - Luxemburg
Cloudflare, Inc. (CF) | LONDON - UK | Content Delivery Network
New Relic, Inc. (NR) | SAN FRANCISCO - USA | Platform monitoring and error detection
Google Ireland Limited (IE6388047V) | DUBLIN - Ireland | For "Sign-In with Google" features | Admin Panel and Flipbook Viewer
Freshworks Inc. (FRESHDESK) (4861858) | DELAWARE - USA | Support requests management
PADDLE.COM INC (PROFITWELL) | NEW YORK - USA | Customer and subscription analysis
Recrea Systems, SLU (QUADERNO) (B35635648) | LAS PALMAS - Spain | Customer invoicing and billing management
Rewardful Inc. (RW) | NW Edmonton - Canada | Affiliate and referral management | Admin Panel and marketing pages
The DATA PROCESSOR shall create, whenever possible and taking into account the nature of the processing, the technical and organizational conditions necessary to assist the DATA CONTROLLER in their obligation to respond to requests for the rights of the Person Concerned.
In the event that the DATA PROCESSOR receives a request for the exercise of said rights, they must immediately notify the DATA CONTROLLER and in no case later than the working day following the receipt of the request, together with other information that may be relevant to the resolution of the request.
When the data is processed exclusively with the DATA PROCESSOR’s systems, they must respond to the request on behalf of the DATA CONTROLLER, and within the established time limit, for the exercise of the Person Concerned’s rights in relation to the data targeted by the processing, without prejudice to the right to communicate it to the DATA CONTROLLER in accordance with the provisions of the previous paragraph; that is, the rights of access, rectification, suppression and portability of data and those of limitation or opposition to the processing, and if this is the case, not to be the subject of individualized automated decisions.
Subject to any section of the DPA and/or the Terms & Conditions dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Heyzine will Process Personal Data pursuant to the DPA and Terms & Conditions for the duration of the Terms & Conditions, unless otherwise agreed upon in writing.
According to article 82 of the GDPR, the DATA PROCESSOR is liable to the DATA CONTROLLER for damages and losses caused to Persons Concerned or third parties, including administrative sanctions, arising from judicial or extrajudicial claims or from the Spanish Supervisory Authority's sanctioning procedures which are the result of non-compliance with the instructions accepted in this contract.
Once the services provided under this contract are completed, the DATA PROCESSOR shall certify, at the discretion of the DATA CONTROLLER, the erasure of all personal data and existing copies.
The erasure of data will not proceed when its conservation is required by a legal obligation, in which case the DATA PROCESSOR will continue to retain it, blocking the data and limiting its processing as long as responsibilities could ensue from its relationship with the DATA CONTROLLER.
The DATA PROCESSOR shall maintain the obligation of secrecy and confidentiality of the data even after the termination of the relationship which is the subject of this contract.
Nature and Purpose of Processing
Heyzine will Process Personal Data as necessary for the following reasons:
The personal data transferred concerns the following categories of data subjects: The categories of data subjects whose personal data may be processed in connection with the Service provided are determined and controlled by the DATA CONTROLLER in its sole discretion and may include but are not limited to: Users, contacts and prospects of DATA CONTROLLER; affiliates, employees, clients or contractors of DATA CONTROLLER.
Categories of data
The personal data transferred concern the following categories of data:
The categories of personal data are determined by the DATA CONTROLLER in its sole discretion and may include but are not limited to:
Special categories of data (if appropriate)
The parties do not anticipate the processing of any special categories of data.
In any case the USER will be solely responsible for the personal information contained in the documents used in the context of the service. DATA PROCESSOR will not be responsible in any case for the information contained in the documents object of the service.
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
a. Storage and other Processing necessary to provide, maintain and improve the Service provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.