Livvie

Data Processing Addendum

Last updated on 13 September 2024

This Data Processing Addendum (“Addendum”) supplements the Terms of Service or other agreement (“Agreement”) between Livvie B.V. (“Livvie”) and the person or entity identified as the Customer (“Customer”) that covers the use of Livvie’s Service by Customer. This Addendum regulates the terms under which Livvie may act as the Data Processor of Personal Data on behalf of Customer under the terms for using the Service as defined in the Agreement. This Addendum terminates upon expiration of the Agreement or, if later, the date on which Livvie ceases the processing of Customer Personal Data. If there is conflict between the Agreement and this Addendum, then this Addendum prevails.

1. Definitions and interpretation

(a) “Customer Personal Data” means any Personal Data processed by Livvie on behalf of Customer pursuant to or in connection with the Agreement.

(b) “Data Protection Laws” means the data protection and privacy laws of any country as applicable to the processing of Personal Data under the Agreement, including the European Data Protection Laws and United States of America (USA) State Privacy Laws.

(c) “European Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act (the “Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded, or replaced from time to time.

(d) “Restricted Transfer” means a transfer of Customer Personal Data from the European Economic Area (EEA), Switzerland, or United Kingdom (UK) to another jurisdiction which is not subject to an adequacy determination or regulation.

(e) “Subprocessor” means any third party entity appointed by the Processor to process Personal Data on behalf of Customer in connection with the Agreement.

(f) The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly. “Service Provider” has the same meaning as in the California Consumer Privacy Act (CCPA).

2. Processing of Personal Data

2.1 Customer instructs Livvie to process Customer Personal Data as described in Annex I B.

2.2 Livvie will process Customer Personal Data only as necessary to perform its obligations under the Agreement, including this Addendum, and additional instructions provided by Customer (together the “Permitted Purpose”), or as required by applicable law.

2.3 Livvie will not retain, use, disclose, or otherwise process Customer Personal Data for commercial purposes other than the Permitted Purpose, except as required by applicable law.

2.4 Livvie will not “sell” or “share” Customer Personal Data as defined in USA State Privacy Laws.

2.5 Customer acknowledges that the transfer of Customer Personal Data is not a “sale” of data as defined in USA State Privacy Laws and that Livvie provides no monetary or other valuable consideration in exchange for Customer Personal Data.

2.6 Livvie and Customer will each comply with their obligations under applicable Data Protection Laws regarding processing of Personal Data processed under or in connection with the Agreement and this Addendum.

2.7 Livvie will notify Customer if it becomes aware that Customer instructions may violate applicable Data Protection Laws.

3. Security

3.1 Livvie will take reasonable steps to ensure that all personnel authorised to process Customer Personal Data (including employees, agents, and contractors) are bound by an appropriate written or statutory duty of confidentiality and that they only process Customer Personal Data as strictly necessary for the purpose of the Agreement or to comply with applicable laws.

3.2 Livvie will implement appropriate technical and organisational measures to protect Customer Personal Data from accidental or unlawful loss, destruction, alteration, access, and disclosure (“Security Incident”), including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Customer acknowledges that Livvie may update or modify security measures from time to time, provided that such updates and modifications do not degrade the overall level of security of the Service.

3.3 Upon becoming aware of a Security Incident, Livvie will inform Customer without undue delay. Upon request, Livvie will provide information and cooperation as reasonably necessary for Customer to fulfil its data breach reporting obligations under, and in accordance with, applicable Data Protection Laws. Livvie will take reasonable steps to investigate, mitigate, and remediate the breach and its effects, to the extent within Livvie’s control.

4. Subprocessing

4.1 Customer grants Livvie a general authorisation to engage third party Subprocessors to process Customer Personal Data. Livvie maintains a list of its Subprocessors. If Livvie engages a new Subprocessor, Livvie will (i) update the list of Subprocessors at least 10 days prior to the addition to allow Customer to raise reasonable objections in relation to the processing of Customer Personal Data, (ii) impose substantially the same data protection terms to the Subprocessor as defined in this Addendum, and (iii) remain responsible for the Subprocessor’s obligations in the event of a breach of this Addendum caused by an act, error, or omission of such Subprocessor.

5. Cooperation and Data Subject rights

5.1 Taking into account the nature of the processing, Livvie will provide reasonable and timely assistance to Customer to enable Customer to respond to (i) requests to exercise a Data Subject’s rights under applicable Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability) and (ii) any other requests, complaints, or other correspondence received from a Data Subject, regulator, or other third party in connection with the processing of Customer Personal Data by Livvie.

5.2 If Livvie receives a request from a third party regarding the processing of Customer Personal Data directly, Livvie will notify Customer and only respond to the request as instructed by Customer or as required under applicable law.

5.3 To the extent required by applicable Data Protection Law, Livvie will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with relevant data protection authorities in relation to the processing of Customer Personal Data, taking into account the nature of the processing and information available to Livvie.

6. Deletion and return of Personal Data

6.1 At the request of Customer, Livvie will delete or return all Customer Personal Data in its possession upon expiration or termination of the Agreement. Livvie may retain Customer Personal Data to the extent required by applicable law, in which case Livvie will protect the data from further processing except to the extent required by applicable law.

7. Audit rights

7.1 Upon request, Livvie will make available to Customer all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits by Customer or a mandated auditor in relation to the processing of Customer Personal Data by Livvie. Information and audit rights apply only to the extent that (i) Customer cannot reasonably verify compliance with the information in the Agreement, (ii) Customer exercises these rights no more than once every twelve (12) months, and (iii) correspondence and audits are subject to confidentiality and in accordance with applicable Data Protection Laws.

8. Data transfer

8.1 Customer Personal Data may be processed in any country in which Livvie, Livvie’s affiliates, and third party service providers maintain facilities and resources to provide the Service. If Customer Personal Data processed under the Agreement is transferred from the European Economic Area, Switzerland, or the United Kingdom to another country, then Livvie will ensure that the data is adequately protected in compliance with applicable Data Protection Laws.

8.2 For Restricted Transfers of Customer Personal Data from Customer to Livvie, the EU Standard Contractual Clauses (SCCs) and UK SCCs will be incorporated as applicable.

8.3 For transfers governed by the EU SCCs, the following applies: (i) Module Two (controller to processor) applies, (ii) in clause 7, the optional docking clause does not apply, (iii) in clause 9, option 2 applies with the time period as specified in this Addendum, (iv) in clause 11, the optional language does not apply, (v) in clause 17, option 1 applies and the SCCs will be governed by Dutch law, and (vi) in clause 18(b), disputes will be resolved before the courts of the Netherlands. The appendix is populated with the information in Annex I.

8.4 For data that is protected by the Swiss DPA, the EU SCCs apply with the following modifications: (i) references to “Regulation (EU) 2016/679” and EU Data Protection Law are interpreted as the Swiss FADP, (ii) the competent supervising authority is the Swiss Federal Data Protection and Information Commissioner, (iii) the SCCs will be governed by Swiss laws, and (iv) disputes will be resolved before the courts of Switzerland.

8.5 For data that is protected by the UK SCCs the terms will apply in accordance with the terms defined for the EU SCCs under Section 8.3.

ANNEX I A. LIST OF PARTIES

Data exporter:

Name: The entity identified as “Customer” in this Addendum.

Address: The address for the Customer associated with its account.

Contact details: The contact details associated with Customer’s account.

Activities: The data exporter consumes the Service of the data importer as described in the Agreement and Annex I B.

Role: Controller

Data importer:

Name: Livvie B.V. (“Livvie”).

Address: Lavendellaan 34, 5643 LT, Eindhoven.

Contact details: hello@livvie.co

Activities: The data importer provides the Service to the data exporter as described in the Agreement and Annex I B.

Role: Processor

ANNEX I B. DESCRIPTION OF DATA PROCESSING

Categories of data subjects:

Users of the Service which may include Customer’s employees, contractors, agents, and third parties authorised by Customer.

Data subjects whose Personal Data may be submitted to the Service by Customer.

Categories of Personal Data:

Customer Personal Data provided through the Service, including access credentials and contact details.

Frequency of the transfer:

Continuous.

Nature of processing:

Processing of Customer Personal Data in order to provide the Service, pursuant to the Agreement.

Purpose of data transfer and processing:

Livvie will process Customer Personal Data as necessary to provide the Service in accordance with the Agreement, including this Addendum.

Duration:

The duration of processing is the term of the Agreement or, if later, the date on which Livvie ceases the processing of Customer Personal Data.

Subject matter:

Processing of Customer Personal Data under the Agreement including this Addendum.

ANNEX I C. COMPETENT SUPERVISORY AUTHORITY

The competent supervising authority will be determined in accordance with applicable Data Protection Law.

ANNEX II. LIST OF SUBPROCESSORS

Customer authorises the use of Subprocessors as defined in the list of Subprocessors.