Personal Data Processing and Information Security Agreement

(Version 01/18/2021)

1. DEFINITIONS

1.1. For the purposes of this Agreement, the following definitions are considered, according to the meaning attributed in Law nº 13.709, of August 14, 2018, the General Data Protection Law (“LGPD”), especially in article 5 and its items:

a) “Personal Data”: information related to an identified or identifiable natural person and, when applicable, may include Sensitive Personal Data, which would be those data on racial or ethnic origin, religious conviction, political opinion, union membership or organization of a religious, philosophical or political nature, data referring to health or sexual life, genetic or biometric data, when linked to a natural person;

b) “Holder”: natural person to whom the Personal Data that are the subject of Processing refer;

c) “Controller”: natural or legal person, public or private, responsible for taking the main decisions regarding the processing of personal data and for defining the purpose of this processing;

d) “Operator”: natural or legal person, public or private, who processes Data on behalf of the Controller, according to the indicated purpose; and

e) “Processing”: any operation carried out with Data, such as those referring to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

2. GENERAL RULES ON DATA PROCESSING

2.1. In the development of any activities related to the application of this Agreement, the Parties will observe the legal regime of protection of personal data, endeavoring to proceed with the processing of personal data that may prove necessary, in strict and rigorous compliance with Law n°13.709/2018 (the “General Law for the Protection of Personal Data” or “LGPD”) and rules and procedures that may be published and/or required by regulatory entities and other competent authorities, including Autoridade Nacional de Proteção de Dados (“ANPD”), ensuring that its employees, agents, consultants, subcontractors and/or service providers also comply with the applicable legal provisions.

2.2. For the purposes of the Licensing Agreement, of which this Agreement is an integral part, the CUSTOMER is considered a “CONTROLLER” and TAKE BLIP is the “OPERATOR” of the Personal Data provided by the CUSTOMER and transmitted on the Blip Platform.

2.3. Due to this Agreement, the CONTROLLER guarantees that the Personal Data shared with the OPERATOR will be supported by a valid, legitimate and adequate legal basis for the purpose(s) of the Processing in question, in the form of the applicable legislation, maintaining the OPERATOR exempted from any liability in this regard.

2.4. The Parties shall adopt necessary and adequate security, technical and administrative measures to protect Personal Data in their confidentiality, availability and integrity, not limited to protection against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of Processing that is inappropriate, illegal or in violation of the technical-normative guidelines of regulatory agencies, such as Agência Nacional de Proteção de Dados.

2.5. The CONTROLLER may be subject to compliance with rules provided for in the specific legislation of its area of operation, which will not necessarily be mandatory for the OPERATOR, such as differentiated data storage rules.

3. OBLIGATIONS OF THE CONTROLLER

3.1. The CONTROLLER’s obligations are:

a) guarantee full compliance, legitimacy, legality and compliance with the precepts of the law with regard to the Personal Data transferred for Processing by the OPERATOR;

b) guarantee the existence of a legal basis provided for in the applicable legislation to share Personal Data with the OPERATOR, as well as the other processes carried out by the OPERATOR on behalf of the CONTROLLER;

c) provide instructions and establish rules for the processing of Personal Data by the OPERATOR, respecting both the technical limits of the Blip Platform and those set forth in the regulation;

d) communicate to the OPERATOR when deciding to comply with any request for access, rectification, portability or deletion made by holders of Personal Data;

e) manage and do the access of its employees or agents to the Blip Platform, observing the appropriate security rules, being responsible for all their acts, as well as requests made by them to the OPERATOR;

f) be responsible, if the CONTROLLER uses a third-party payment method or any other platform integrated into the Blip Platform, for sharing Personal Data, and must keep the OPERATOR free from any incidents involving such third parties; and

g) when applicable, assist the OPERATOR in preparing any data protection impact reports, as well as providing any information eventually required by the competent authorities.

3.2. The CONTROLLER recognizes that the Processing of Data under the conditions established by it as indicated in this Agreement, in the Contract and in its guidelines, exempts the OPERATOR from responsibility for any illegality of the Processing carried out by the CONTROLLER, the latter having to assume full responsibility for any losses and damages borne by the OPERATOR and/or third parties.

4. OPERATOR’S OBLIGATIONS

4.1. The OPERATOR’s obligations are:

a) treat Personal Data for the purposes of this Agreement or purposes indicated by the CONTROLLER, as well as for the design and improvement of the Blip Platform, being responsible for the processing carried out by it;

b) carry out Data Processing in accordance with the CONTROLLER’s instructions, always taking into account the technical capacity of the Blip Platform. From now on, the Parties agree that the OPERATOR will not be obliged to comply with or observe the CONTROLLER’s instructions if such instructions are in disagreement with the applicable Data Protection Laws;

c) inform the CONTROLLER about the receipt of any request from the holders of Personal Data in relation to Personal Data and assist it in responding to requests, ensuring that it has all the information necessary to comply with its duties under the LGPD;

d) inform the CONTROLLER if it cannot and/or is prevented from complying with any of the guidelines or specifications received or established in the applicable legislation, as well as in the Contract;

e) not use Personal Data for purposes other than those established in this Agreement and this Covenant; and

f) not communicate or share Personal Data with third parties without the prior written authorization of the CONTROLLER, except for the cases expressly provided for in the Agreement and/or its Annexes.

5. INCIDENTS AND COMMUNICATION

5.1. In the event of an Incident (unauthorized access, accidental or unlawful destruction, loss, alteration, communication or dissemination) (“Security Incident”) with the Personal Data processed within the scope of this contract, the Offending Party shall notify the other in the shortest possible time from the moment of unequivocal knowledge of the Incident.

       5.1.1. The referred communication shall, whenever possible, contain the following descriptions: (i) date and time of acknowledgment by the Party; (ii) list of data types affected by the incident; (iii) number of affected users (incident volume); (iv) contact details of the Person in Charge of Data Processing of the Party, or another person from whom it is possible to obtain further information about the incident; (v) description of the possible consequences of the event; as well as (vi) measures taken to contain the incident.

       5.1.2. The notification must be sent to the e-mails indicated in the Agreement signed by the Parties.

5.2. The Parties agree not to disclose any information about the Security Incident to a Third Party, except in the following cases: (i) if both Parties previously and expressly authorize it, (ii) if there is a legal obligation that requires such disclosure, or (iii) if determined by the Supervisory Authorities.

       5.2.1. In the event of an Incident, whatever it may be, the Parties further undertake to analyze all the circumstances involved and decide, jointly, whether it falls within the legal requirement of reporting to the Autoridade Nacional de Proteção de Dados.

6. SHARING

6.1. The CONTROLLER acknowledges and authorizes that for the execution of this Agreement, the OPERATOR may subcontract third-party data processors with which it may share the Personal Data received from the CONTROLLER, such as cloud providers and service tools.

       6.1.1. In all cases, the OPERATOR will be responsible for all its sub-operators, as well as require them to comply with obligations and levels of Information Security in accordance with the provisions of this Agreement.

7. INFORMATION SECURITY

7.1. The CONTROLLER declares that it is aware and agrees that, in order to carry out any tests and evaluations, whether automated or manual, such as (i) security, including, but not limited to, vulnerability analysis and/or (ii) intrusion (or Pentest) on the OPERATOR’s products, services or infrastructure, it must submit a reasoned request for formal and written authorization from the OPERATOR in advance, with the OPERATOR having the option of denying the required authorization.

7.2. If the CONTROLLER identifies, in its environment or in its interaction with the Blip Platform, any security incident that jeopardizes (i) the security, integrity and stability of the Blip Platform or (ii) any of the services provided by the OPERATOR or its infrastructure, such as, but not limited to, attacks involving ransomware, compromise or denial of service, the CONTROLLER shall immediately notify the OPERATOR, with a detailed description of what happened, as well as the actions taken to reverse or mitigate the effects of the incident, so that the OPERATOR can evaluate the adoption of any security measures, without transferring the responsibility of the incident to the OPERATOR.

8. FINAL PROVISIONS

8.1. The CONTROLLER and the OPERATOR are committed to preparing any impact reports on the protection of Personal Data, as well as providing any information eventually required by the competent authorities.

8.2. The Parties undertake to communicate to each other, as soon as possible and in a timely manner, if they receive a request, notification or inquiry from the competent authority or the Holder regarding the Personal Data.

8.3. Under the express command of the CONTROLLER, the OPERATOR shall carry out, within a reasonable minimum period, the unequivocal deletion of the personal data that may eventually be shared under this Agreement, respecting the hypotheses of custody and storage of the legally provided data.

8.4. The OPERATOR may process the Personal Data necessary for the performance of this Agreement, for the design, implementation of improvements and development of the Blip Platform and the OPERATOR’s activities, with the aim of offering the CONTROLLER’s customers an efficient service and communication experience, optimized and customized.

       8.4.1. The CONTROLLER authorizes the OPERATOR to store the data even after the end of the Contract, in proprietary bases to the OPERATOR, in anonymized form, to allow the performance of the activities set out in Clause 8.4.

       8.4.2. When Personal Data is stored even after the termination of the Agreement pursuant to Clause 8.4.1, the OPERATOR will act as Controller of Personal Data, assuming all the responsibilities inherent to this condition.

8.5. Liability for non-compliance/non-observance of any of the obligations set forth herein will be determined in the format described by the Liability Clause of the Contract, without prejudice to the legally foreseen sanctions.
