Data Processing Annex 2019
This Data Processing Annex (DPA) applies to all processing of personal data on end-users that you (Customer) provide to MessageBird B.V. (MessageBird) through the services of MessageBird as separately defined in a separate agreement (Services). This DPA applies in addition to the General Terms and Conditions of MessageBird or the Master Service Agreement, whichever is applicable (Agreement) to Customer and MessageBird (together: the Parties). In case of conflict or inconsistency between the provisions of the Agreement and this DPA, the DPA will prevail.
Terms such as “personal data”, “processing”, “data controller”, “data processor”, “personal data breach” etc. shall have the meaning assigned to them under the applicable data protection legislation (Data Protection Legislation), except for the definition of (sub-)processor which explicitly excludes telecom carriers and other telecom service providers which are deemed necessary for the operation of the Services, yet, due to the fact that such parties are acting as a mere conduit or as an independent data controller, do not fall under the definition of data processor as stated in the Data Protection Legislation.
Customer and MessageBird both acknowledge and understand that with respect to the processing of personal data of end-users (‘data subject’) which Customer provides to MessageBird on the basis of the Services, MessageBird is the data processor.
Customer hereby instructs MessageBird to process data subjects’ personal data to the extent required for the performance of the Services under the Agreement.
MessageBird shall, in relation to any personal data which is processed in connection with the Services:
(a) process personal data only on documented instructions of Customer, unless otherwise required by the laws of any member of the European Union or by the laws of the European Union applicable to MessageBird to process personal data;
(b) only provide personnel with ‘need to know’ access to the personal data and ensure that all such personnel who have access to or process personal data are under a legal obligation to keep the personal data confidential;
(c) take appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the level of risk presented by the processing (and having regard to the nature of the personal data) and to the harm which might result from a personal data breach affecting the personal data;
(d) provide Customer with any assistance as reasonably requested by Customer in order to allow Customer to comply with obligations of Customer under the Data Protection Legislation, including the notification of personal data breaches, security of processing and assisting Customer with the performance of any relevant data protection impact assessment;
(e) provide Customer with reasonable assistance in order to allow Customer to comply with its obligations to data subjects who exercise their rights under the Data Protection Legislation. MessageBird will make available technical and organizational measures to allow Customer to fulfil these obligations via the account of Customer or the dedicated API. Customer hereby acknowledges and agrees that requests sent by Customer via email are not considered as a valid means to exercise its rights and that any such requests will not be processed by MessageBird. For the avoidance of doubt, Customer as data controller is responsible for processing any requests or complaints from data subjects with respect to the personal data of data subjects;
(f) at Customer’s choice, delete or return personal data and copies thereof to Customer on termination of Customer’s agreement with MessageBird, unless otherwise required by mandatory applicable laws;
(g) maintain records as required under the Data Protection Legislation of the processing activities carried out under the Agreement and this DPA;
(h) at least every second year, audit the security and personal data processing activities of MessageBird, and provide Customer (on a confidential basis), upon its written request, with a summary or a description of the results of such audit. A summary of an ISO 27001:2013 audit report will be considered to fulfil the request of Customer. For the avoidance of doubt, the audit may either be an internal audit, or an audit performed by a third party, which decision shall, however, be in the sole discretion of MessageBird;
(i) if the summary or description of the results of the audit provided by MessageBird to Customer according to paragraph 2(h) of this DPA gives Customer substantiated reasons to believe that MessageBird is in breach of its obligations under this DPA related to the personal data provided by Customer, allow an independent and qualified third party appointed by Customer and approved by MessageBird, to audit the applicable personal data processing activities of MessageBird, provided that the terms under Clause 3 of this Annex are met; and,
(j) notify Customer as soon as reasonably possible if MessageBird receives a notice or communication from a governmental or regulatory body which relates directly to the processing of personal data, as instructed and provided by Customer, by MessageBird or its (sub-)processors unless such notice or communication is prohibited by law.
Customer shall:
notify MessageBird at least two (2) months before exercising the audit right of Customer under paragraph 2(i) of this DPA;
ensure that any audit does not unreasonably disrupt the business operations of MessageBird; and,
bear and pay for all costs of such audit.
If Customer acts as a data controller, Customer guarantees that all processing activities are lawful, have a specific purpose and any required notices and consents or otherwise appropriate legal basis are in place to enable lawful transfer of personal data. If Customer is a data processor (in which case MessageBird will be a sub-processor), Customer ensures that the relevant data controller guarantees that the conditions listed in this clause are met.
Given the nature of the Services, the use of the Services by Customer and Customer’s end-users may require the transfer of personal data outside the EEA; when the performance of the Services involves a transfer of personal data to (sub-)processors outside the EEA, Customer hereby gives MessageBird a mandate for the term of all agreements in place between Customer and MessageBird to enter into EU Model Contract Clauses with (sub-)processors outside the EEA on behalf of Customer, if no other appropriate transfer mechanisms under the Data Protection Legislation apply.
By means of this Clause Customer gives MessageBird a general written authorization for the engagement of any other third parties as new (sub-)processors for the processing of personal data, subject to the terms of this Annex. MessageBird will not engage any (sub-)processor in the processing of personal data under this Agreement without first informing Customer of any intended change concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes.
Customer may object to any such new (sub-)processor solely on the basis of reasonable grounds relating to data protection by terminating the Agreement and this Annex. This termination right is the sole and exclusive remedy of Customer if Customer objects to any such new (sub-)processor.
Customer specifically agrees to the engagement of the entities listed at https://www.messagebird.com/en-gb/legal/privacy#processorList as (sub-)processors of MessageBird for the processing of personal data. MessageBird shall update the list of (sub-)processors when a new (sub-)processor for the processing of personal data is engaged.
MessageBird will take all available and appropriate contractual measures to ensure that when a (sub-)processor is engaged:
the (sub-)processor will only process personal data if such processing is necessary for performance of the Services or a part thereof;
data protection obligations providing similar protection as those in this DPA shall be imposed on the (sub-)processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation; and,
MessageBird remains liable to Customer under this DPA for the performance of the obligations of its (sub-)processor.
Details of the processing:
Subject matter and purpose of the processing: provision of the Services of MessageBird to Customer.
Categories of personal data: information on end-users that Customer provides to MessageBird through the Services.
Categories of data subjects: data subjects include customers of the Customer, employees, suppliers and any other natural person who is the end-user of communication services, from whom Customer provides personal data through Services.
Duration of the processing: personal data will be processed for as long as required for the performance of the Services, or as required under applicable law.
This Data Processing Annex is governed by the laws of The Netherlands, and the Parties submit to the exclusive jurisdiction of Amsterdam courts for all purposes connected with this DPA, including the enforcement of any award or judgement made under or in connection with it.