Data Sharing Agreement
This agreement is executed on the same date as the Catappult Certified Distribution Agreement, by and between Aptoide, S.A., a Portuguese company, with the identification number ID 509987184 and principal place of business at Rua Soeiro Pereira Gomes, Lote 1, 3D, 1649-031 Lisboa, and its registered office at Rua Fernanda Seno n. 6, 7005-484, Évora, Portugal, hereinafter referred to as “Aptoide” and the entity identified as “Certified Developer” in the Catappult Certified Developer Agreement.
Together referred by “Parties” and individually “Party”.
WHEREAS:
1. The Parties entered into a Catappult Catappult Certified Developer Agreement (the “Contract”) that may require the sharing of Personal Data between the Parties.
2. This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Parties agree to share Personal Data under the Contract.
AGREED TERMS
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions
- Business Purposes: the sharing of Personal Data between the Parties under the execution of the Contract in order to allow Aptoide to manage and process payments of in-app purchases and to pay to the Certified Developer the applicable revenue share. Certified Developer may also need to use the Personal Data for its own internal business purposes.
- Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in Portugal relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
- Data Subject: an individual who is the subject of Personal Data.
- Personal Data: means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Contract; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Permitted Recipients: The parties to this agreement, their Affiliates, the employees of each party, any third parties engaged to perform obligations in connection with this agreement.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Processing, processes and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
- Shared Personal Data: the personal data to be shared between the parties under the Contract.
- Standard Contractual Clauses (SCC): Module One (Controller to Controller) of the standard contractual clauses for the transfer of Personal Data to third countries as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.2 This Agreement is subject to the terms of the Contract and is incorporated into the Contract. Interpretations and defined terms set forth in the Contract apply to the interpretation of this Agreement.
1.3 A reference to writing or written includes e-mail.
1.4 In the case of conflict or ambiguity between:
- any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
- the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
- any of the provisions of this Agreement and the provisions of the Contract, the provisions of this Agreement will prevail, in what relates to data protection matters; and
- any of the provisions of this Agreement and any executed SCC, the provisions of the executed SCC will prevail.
2. PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Parties acknowledge that for the purpose of the Data Protection Legislation, each of the Parties will act as a separate and independent controller in relation to the Personal Data which they process.
2.2 Each of the Parties retain control of the Shared Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents.
2.3 The Parties undertake to process the Shared Personal Data only for: (1) the Business Purposes and; (2) to comply legal, regulatory and compliance obligations, including without limitation as may be required in the course of litigation. The Parties shall be allowed to share the Shared Personal Data with the Permitted Recipients, subcontractors and service providers and store such Personal Data in any location.
2.4 The Shared Personal Data and the Data Subjects which the Parties may process to fulfil the Business Purposes of the Contract are the following:
- Personal Data Categories: IP address, date and time of the transaction; amount of the transaction; country in which the transaction was executed (based on the IP address).
- Data Subjects: users who make in-app purchases in the Apps integrated with Aptoide’s IAB.
3. PARTIES OBLIGATIONS
3.1 In respect to the Shared Personal Data, each Party shall:
- ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Business Purposes;
- give full information to any data subject whose personal data may be processed under this agreement of the nature such processing;
- process the Shared Personal Data only for the purposes determined in Clause 2.3. above;
- not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
- ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement;
- ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- not to transfer any Shared Personal Data outside the EEA unless the transferor:
- complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller); and
- ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
Without prejudice of the above, to the extent that this Agreement involves a transfer of personal data to a country outside the EU/EEA/UK which has not been recognised by the European Commission as offering adequate data protection, and to the further extent that Certified Developer is receiving personal data from Aptoide as a data importer: (a) the Parties hereby incorporate Module One (Controller to Controller) of the standard contractual clauses for the transfer of Personal Data to third countries as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, (“SCCs”) into this Agreement as the applicable data transfer mechanism, including the selections and information contained in Appendix A of this Agreement; (b) Certified Developer specifically acknowledges its warranty under Clause 14(c) of the SCCs in respect of making the best efforts to provide Aptoide with information relevant to the transfer risk assessment and to cooperate with Aptoide in ensuring compliance with the SCCs; and (c) if further regulatory guidance becomes available or industry standard practices develop about international data transfers, the Parties shall timely execute an amendment.
4. MUTUAL ASSISTANCE
4.1 Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:
- promptly inform the other party about the receipt of any data subject access request in respect to the Shared Personal Data;
- provide the other party with reasonable assistance in complying with any data subject access request;
- assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation.
- at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this Agreement unless required by law to store the personal data; and
- provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation.
5. SECURITY
5.1 The Parties undertake to implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Shared Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
5.2 The Parties undertake to implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
6. TERM AND TERMINATION
6.1 This Agreement will remain in full force and effect so long as:
- the Contract remains in effect, or
- Any of the Parties retains any Shared Personal Data related to the Contract in its possession or control.
6.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect Shared Personal Data will remain in full force and effect.
7. INDEMNIFICATION
7.1 Each Party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the indemnified party arising out of or in connection with the breach of the Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
8. NOTICES
8.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the addresses and contacts of the Parties referred to in the Contract.
Appendix A
(to the Data Sharing Agreement)
The Parties agree that with respect to the purpose of transfer identified below, the following options in the EU SCCs are selected and information inserted when the EU SCCs are incorporated into this Agreement:
- Clause 7: Optional docking clause is included;
- Clause 11: The optional clause allowing data subjects to lodge a complaint with an independent dispute resolution body is removed;
- Clause 13: The option for the data exporter established in an EU member state is selected;
- Clause 17: The EU Member State where the governing law is stipulated in the Country shall apply, unless this is a not EU Member State, in which case it shall be Portugal, as is where Aptoide is established; and
- Clause 18: The EU Member State where any dispute arising from these Clauses shall be resolved is the courts of the jurisdiction stipulated in the Agreement, unless this is not an EU Member State in which case it shall be Portugal.
- Annex I.A: LIST OF PARTIES
- Data exporter:
- Name: Aptoide, S.A.
- Address: Rua Soeiro Pereira Gomes, Lote 1, 3D, 1649-031 Lisboa, Portugal.
- Contact person’s name and e-mail: Data Privacy Manager, personal-data@aptoide.com
- Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.
- Signature and date: Signed and dated for and on behalf of the data exporter by execution of this Agreement.
- Role: Data controller
- Data importer:
- Name: [To be completed by Certified Developer]
- Address: [To be completed by Certified Developer]
- Contact person’s name and e-mail: [To be completed by Certified Developer]
- Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.
- Signature and date: Signed and dated for and on behalf of the data importer by execution of this Agreement.
- Role: Data controller
- Annex I.B: DESCRIPTION OF TRANSFER
- Data subjects: The personal data transferred concern the following categories of data subjects: end users of the Certified Developers Apps
- Categories of personal data: The personal data transferred concerns the following categories of data: data strictly necessary to provide the integration functionality contemplated under this Agreement
- Sensitive data transferred: The sensitive personal data transferred concern the following categories of data: none
- Frequency of transfer: continuous throughout the Term
- Nature and purpose of the processing: The data processing will be as described under the Agreement and the transfer is made for the following purposes: strictly to enable the integration functionality contemplated under this Agreement
- Period for which personal data will be retained or criteria to determine that period: Personal Data will be retained as provided for in each of the Parties Privacy Policies
- Annex I.C: SUPERVISORY AUTHORITY
- Identify the competent supervisory authority/ies in accordance with Clause 13: Portuguese Authority for Privacy Protection (CNPD)
- Annex II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- [To be completed by Certified Developer]
Information for the Transfer Risk Assessment:
The information below is provided by Certified Developer at the time that the Agreement is executed and any further or updated information may be provided by Certified Developer in accordance with this Data Processing Appendix.
| Transfer Risk Assessment information required by 14(b) of the EU Standard Contractual Clauses | Company Answers |
---|
1 | Location of Company (country of Company entity incorporation and any other material Company data processing locations) | [To be completed by Certified Developer] |
2 | Company’s primary storage location of the data transferred | [To be completed by Certified Developer] |
3 | Company’s intention for onward transfer (including the estimated number of further recipients of the data or length of processing chain) | [To be completed by Certified Developer] |
4 | Transmission channel used (i.e. a description of the physical/technological method used to transfer the personal data to Company) | [To be completed by Certified Developer] |
5 | a) Is Company subject to any local laws that can require Company to disclose personal data to public authorities or authorise access by public authorities, e.g. FISA 702 in the US? Please state the relevant law.
b) Subject to any legal prohibitions on disclosing this information, has Company received any requests from any public authority to disclose personal data under such local laws referenced in a), in the past five years? | a) [To be completed by Certified Developer]
b) [To be completed by Certified Developer] |
5 | Details provided by Company of any relevant contractual, technical or organisational measures Company has implemented to safeguard personal data from interception or disproportionate access by public authorities, during transmission or processing. (This is in addition to Annex II of the EU SCCs). | [To be completed by Certified Developer]
Examples:
Technical: Measures for ensuring: - ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore personal data in a timely manner in the event of an incident
- user identification and authorisation
- the protection of data during transmission
- the protection of data during storage
- physical security of locations at which personal data are processed
- events logging
- system configuration, including default configuration
- internal IT
Organisational: Measures/processes for: - regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- IT security governance and management
- ensuring data minimisation
- ensuring data quality
- ensuring limited data retention
- ensuring accountability
- allowing data portability and erasure
|