Standard Terms and Conditions

These terms and conditions (“Agreement”) govern the provision of subscription services by ChannelSight to the Client. Collectively, ChannelSight and the Client are referred to as the parties (“the parties”).

ChannelSight provides access to a proprietary Software as a Service platform and related data and technology services; the Client wishes to engage ChannelSight for the provision of technology services and granting of access to the proprietary Software as a Service platform as more fully detailed in the Order Form;

Now therefore, in consideration of the mutual promises contained in this Agreement and for other good and valuable consideration, the adequacy and sufficiency of which are hereby acknowledged, the parties agree as follows:

 1. Services

1.1. Promptly after the parties execute this Agreement, ChannelSight shall start deploying the software (the “Software”) and interfaces to retailers in scope specified by Client to ChannelSight. Copies of the documentation or other materials that ChannelSight ordinarily provides with the Software shall also be provided to agreed Client contacts. The Client shall thereupon have the right and license to use the Software during the term agreed (the “Term”) and solely in accordance with the terms of this Agreement.

1.2 Conditional on payment of the agreed Software Fees ChannelSight hereby grants to the Client a non-assignable license to use the Software on a non-exclusive basis during the Term. ChannelSight will provide assistance with the deployment and operation of the Software as required.

1.3. During the Term, and upon ongoing settlement of agreed service fees (the “Service Fees”), ChannelSight shall provide client with support services (the “Support Services”) that ChannelSight ordinarily makes available to licensees of the Software. The client and ChannelSight may agree that additional services (“Additional Services”) to the Support Services will be provided by ChannelSight to the client. The details and fees for these Additional Services shall be recorded and agreed by email. The base currency for billing is Euro. ChannelSight will invoice in foreign currency but the base currency is Euro (€) based upon the exchange rate on the invoice date from the source https://www.open-xchange.com/

1.4 ChannelSight cannot be held responsible for any third party retailer or partner changing their terms and conditions, operating agreements, data levels or media rules. Any change in such third party terms or operating agreements will not effect your service agreement with ChannelSight

1.5 ChannelSight cannot provide sales-tracking links for any off-site (non-brand owned domain) as part of its sales-tracking agreement with Amazon (Worldwide), any client wishing to track campaign performance to Amazon must traffic users via the brand.com or use a bespoke landing page. By agreeing to our general terms you acknowledge that any traffic sent to Amazon directly from a paid-media channel will not be redirected via a tracked link.

The details and fees for these Additional Services shall be recorded and agreed by email.

2. Term and Termination

2.1. This agreement is valid for the term detailed in the Agreement/Sales Order. This agreement shall automatically renew for an additional term(s) on a rolling basis unless either party gives notice of termination at least sixty days prior to the end of the Term (or any extension of the Term). Notice of termination shall be in writing.

2.2. If either party materially breaches this Agreement and fails to remedy that breach within ten days of receiving notice of that breach from the other party, the non-breaching party may terminate this Agreement immediately by way of written notice to the breaching party.

2.3 Either party may terminate this Agreement at any time on written notice to the other if the other takes any corporate action or other steps are taken or legal proceedings are started for its winding up, dissolution, examinership or for the appointment of a liquidator, receiver, ex-aminer, conservator, custodian, trustee or similar officer of it or of any or all of its revenues and assets.

2.4 ChannelSight may suspend or terminate this Agreement and the Client’s access to the Software and/or Support Services immediately if the Client fails to pay any Software Fees or Service Fees (together “Fees”) when due. The Client will continue to be charged Fees (based on previous averages) during any period of suspension. Overdue Fees are subject to interest of 3% per month on any outstanding balance, or the maximum permitted by law, whichever is less, plus all expenses of collection.

2.5 On termination of this Agreement for any reason all licenses granted to the Client under this Agreement shall cease, the Client shall cease all activities authorised by this Agreement and the Client shall pay to ChannelSight any sums due under this Agreement;

3. Warranties

3.1. The parties each represent and warrant that they have the right, power and authority to enter into and perform this Agreement.

3.2 ChannelSight will make all commercially reasonable efforts to maintain Software availability, however such access may be subject to limitations, delays, and other problems inherent in the use of the internet and electronic communications. ChannelSight is not responsible for any delays, delivery failures, or other damage resulting from such problems.

3.3 Either Party’s liability to pay damages is limited to direct losses amounting to a total of one (1) months’ service fees, limited to the service fees paid for the individual Service which is in dispute.

3.4. In addition to the representations and warranties made by ChannelSight in ChannelSight’s sales literature and promotional materials, ChannelSight represents and warrants that the Software and use of it by the Client will not infringe any trademark, patent, copyright, trade secret, or other proprietary right of any third party or otherwise conflict with the rights of any third party.

4. Indemnity

4.1 ChannelSight shall defend, indemnify and hold harmless the Client and their respective directors, officers, agents and employees from and against all claims, liabilities, suits, losses, damages and expenses, including costs and reasonable attorney’s fees (“Claims”), relating to or resulting from any actual or alleged infringement of any trademark, patent, copyright, trade secret, or other proprietary right by the Software, except infringement resulting from modification of the Software by or at the direction of Client or any use of the Software other than in accordance with the terms of this Agreement. This indemnity shall be inapplicable if ChannelSight is not notified promptly of the Claim and is prejudiced by the delay in notice or if the Client makes any admission as to liability or compromises or agrees to any settlement of any Claims without the prior written consent of ChannelSight. All indemnified parties shall cooperate to the extent necessary in the defense of any Claim within the scope of this indemnity and settlement of any Claim must be consented to in writing by the Client, such consent not to be withheld unreasonably.

4.2 If any Claim is made, or in ChannelSight’s reasonable opinion is likely to be made, against the Client, ChannelSight may at its sole option and expense either (i) procure for the Client the right to continue using the Software in accordance with the terms of this Agreement; (ii) modify the Software so that any infringement ceases; (iii) replace the Software; or (iv) terminate this Agreement on seven (7) days’ notice.

4.2. Each party shall defend, indemnify, and hold harmless the other party and their directors, officers, agent and employees from and against any damages, injuries, claims, expenses includ-ing attorneys’ fees incurred by the other party arising out of claims based on personal injuries, including death at any time resulting therefrom, and/or damage to tangible property, from any cause whatsoever, arising out of, incidental to, or in connection with this Agreement and caused by the negligence or wilful misconduct of such party.

5. Limitation of Liability & Disclaimers

5.1 Neither party shall be liable for any indirect, incidental, special, or consequential damages, or lost profits, or lost data, even if they have been advised of the possibility thereof.

5.2 ChannelSight and its licensors make no representation, warranty, or guarantee as to the reliability, timeliness, quality, suitability, availability, accuracy or completeness of the Software or any content. ChannelSight and its licensors do not represent or warrant that (a) the use of the Software will be secure, timely, uninterrupted or error-free or operate in combination with any other hardware, software, system or data, (b) the service will meet the Client’s requirements or expectations, (c) any stored data will be completely error-free, or (d) the quality of any products, services, information, or other material purchased or obtained by the Client through the service will meet the Client’s requirements or expectations.

6. Ownership and Intellectual Property Rights

All trademarks, copyright, patent, trade secret, and other proprietary rights, title and interest in and to the Software shall remain the sole property of ChannelSight, its Suppliers, or their assigns, as the case may be. The client will not alter or modify the Software in any way without the written consent of ChannelSight.

7. Confidentiality

7.1. For the purpose of this Section 6, the term “Confidential Information” means any information used in or relating to the business of one party (the “Disclosing Party”), including but not limited to information concerning the Disclosing Party’s research or development efforts, trade secrets, computer software, recipes or formulas, product or marketing plans, vendor or customer relationships, finances, business operations or affairs and any information of third parties that the Disclosing Party maintains in confidence, and all tangible embodiments of such information, that is received by the other party (the “Receiving Party”), in any form; provided that “Confidential Information” does not include any information that the Receiving Party can demonstrate (i) is or becomes publicly known through no fault of the Receiving Party; (ii) is developed independently by the Receiving Party; (iii) is known by the Receiving Party when disclosed by the Disclosing Party if the Receiving Party does not then have a duty to maintain its confidentiality; or (iv) is rightfully obtained by the Receiving Party from a third party not obligated to preserve its confidentiality who did not receive the material or information directly or indirectly from the Disclosing Party.

7.2. A Receiving Party shall not use the Disclosing Party’s Confidential Informa¬tion for any pur-pose other than in accordance with this Agreement and shall not disclose Confidential Infor-mation to any person other than to its employees, and to those of its independent contractors who have a need to know such Confidential Information and who are subject to a nondisclo-sure obligation comparable in scope to this Section 6.

7.3. Notwithstanding Section 6.2, a Receiving Party may disclose Confidential Informa¬tion to the extent required by a court or other governmental authority, provided that (i) the Receiving Party gives the Disclosing Party reasonable notice of the disclosure, (ii) the Receiving Party us-es reasonable efforts to resist disclosing the Confidential Infor¬mation, (iii) the Receiving Party cooperates with the Disclosing Party on request to obtain a protective order or otherwise limit the disclosure, and (iv) as soon as reasonably pos¬sible the Receiving Party provides a letter from its counsel confirming that the Confiden¬tial Information is in fact required to be disclosed.

7.4. The parties acknowledge that either party’s breach of Section 6.2 would cause the other party irreparable injury for which it would not have an adequate remedy at law. In the event of a breach, the non-breaching party shall be entitled to injunctive relief in addition to any other remedies it may have at law or in equity.

8. Notices

All notices, reports, and receipts shall be in writing and shall be deemed duly given on (i) the date of personal or certified mail return receipt requested delivery; or (ii) the date of transmis-sion by telecopy or other electronic transmission service, provided a confirmation copy is also sent no later than the next business day by postage paid, first-class mail, addressed to the main contact as detailed in the Order Form. Either party may change its mailing address by written notice to the other party in accordance with this Article.

9. No Solicitation

During the period commencing upon the date hereof and continuing until 1 (one) year after the termination of the term of this Agreement, neither the client nor its agents or employees shall directly or indirectly solicit or hire (on the client’s behalf or on behalf of any third party) any of ChannelSight’s employees, without the prior written consent of ChannelSight.

10. Miscellaneous

10.1. This Agreement shall be construed and enforced in accordance with the laws of Ireland. Any action or proceeding brought by one party against the other related to this Agreement shall be brought exclusively in a court located in the Republic of Ireland, and Client submits to the jurisdiction of such courts for purposes of any such action or proceeding.

10.2. The provisions of this Agreement are severable. The unenforceability of any provision of this Agreement shall not affect the enforceability of the remainder of this Agreement. The parties acknowledge that it is their intention that if any provision of this Agreement is determined by a court to be unenforceable as drafted, that provision should be construed in a manner designed to effectuate the purpose of that provision to the greatest extent possible under applicable law.

10.3. Neither party may assign any of its rights or subcontract or otherwise delegate any of its duties under this Agreement to any third party without the prior written consent of the other party, which shall not be withheld, conditioned or delayed unreasonably.

10.4. This Agreement shall be binding upon and inure to the benefit of the parties, their successors, permitted assigns and legal representatives.

10.5. All headings in this Agreement are included solely for convenient reference, are not in-tended to be full and accurate descriptions of the contents of this Agreement, shall not be deemed a part of this Agreement and shall not affect the meaning or interpretation of this Agreement.

10.6. The parties acknowledge that ChannelSight is an independent contractor of Client, and ChannelSight’s employees are not employees of Client. Nothing in this Agreement shall be construed as creating a partnership, joint venture or agency relationship between the parties, or as authorizing either party to act as agent for the other or to enter into contracts on behalf of the other.

10.7. The provisions of this Agreement concerning representations and warranties, proprietary rights, limitations of liability, confidentiality, indemnities, and duties upon termination, publicity and interpretation of the Agreement shall remain in effect after the expiration or termination of this Agreement.

10.8. This Agreement may be modified or amended only by written (including by email) agreement of the parties thereto in which this Agreement is expressly referred to.

10.9. This Agreement constitutes the entire agreement between the parties concerning the subject matter of this Agreement and supersedes all prior agreements between the parties concerning the subject matter of this Agreement.

10.10 Neither party shall be responsible for (or be deemed in breach or default hereof as a result of) delays or failures in performance hereunder (other than failure to pay any amounts due) to the extent that such party was hindered in its performance by any act of God, civil commotion, application of any law or regulation or other act of any governmental officer or personnel, labour dispute, or any other occurrence beyond the reasonable control of such party.

10.11 As part of your where-to-buy program ChannelSight sometimes uses affiliate programs to access sales data, successful sales can generate commissions. These commissions are managed and paid via the affiliate networks and are split evenly (50/50) between ChannelSight and the client.

1  PURPOSE

This Data Processing Addendum forms part of the Master Services Agreement or Sales Order entered into by and between Customer and ChannelSight (‘Agreement’). The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Personal Data in the course of the provision of ChannelSight services (‘Services’) in accordance with the requirements of Data Protection Laws.

 

2  DEFINITIONS

Authorised User: those employees, agents and independent contractors of the Customer or of a Customer affiliate who are authorised by the Customer to use the Services.

ChannelSight: ChannelSight as defined in the Agreement.

ChannelSight Personnel: employees, agents and independent contractors of ChannelSight.Consumer: consumers of the Customer’s digital media.

Controller: the person who, either alone or with others, determines the purpose and means of the processing of Personal Data.

Data Protection Laws: any data protection laws applicable to processing of Personal Data contemplated by this agreement including, without limitation, in particular the European Union General Data Protection Regulation (‘GDPR’) or the European Union Directive on Privacy and Electronic Communications (‘E-Privacy Directive’) and any related decisions or guidelines and all privacy, security, and data protection laws, rules, and regulations of any applicable jurisdiction including any jurisdiction in which ChannelSight services (the ‘Services’) are being provided or the Personal Data is being processed and any jurisdiction from which ChannelSight or any subprocessor provides any of the or Services or from which Customer provides Customer’s products or services.

Data Subject: an identified or identifiable natural person about whom the Personal Data relates.

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal Data Breach: means any breach of security leading to the accidental or un-lawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;

Processing and process: has the meaning given to that term in the GDPR.

Processor: a natural or legal person which processes Personal Data on behalf of the Controller.

SCC Agreement: the standard contractual sections for the transfer of personal data from the European Union to Processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as may be updated from time to time

 

3  CONTROLLER AND PROCESSOR

3.1 The Customer is the Controller of all Personal Data of Consumers that is processed by ChannelSight as part of the Services. ChannelSight acts as a Processor of this Personal Data and Authorised User log-in details to the portal.

3.2 ChannelSight acts as Controller of ancillary Personal Data relating to the provision of the Services, for example, billing information and support correspondence between Customer and ChannelSight. This may contain some information about Authorised Users. By agreeing to these terms, Customer confirms it is aware of .

3.3 Through the Customer’s use of the Services, the Customer will collect information about Consumers. This may include Personal Data. For some Channelsight Services there are minimum categories of data that must be collected for the Services to operate. If a Customer chooses to use the Service, these data categories are processed. There are also additional categories that Customers may opt to also collect.

3.4 The Controller shall ensure that it is entitled to permit ChannelSight to process the relevant Personal Data and that ChannelSight is entitled to transfer relevant Personal Data to its subprocessors so that ChannelSight may lawfully use, process and transfer the Personal Data in accordance with the Agreement on the Controller’s behalf.

3.5 The Controller shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws. The Data Controller shall ensure that the relevant third parties, Authorised Users and Consumers have been informed of, and where necessary, have given their consent to, such use, processing, and transfer contemplated under this Agreement and as required by all Data Protection Laws and the Data Controller must provide appropriate and sufficiently prominent notice to, and obtain the appropriate consent from Authorised Users and Consumers regarding the collection, use and disclosure of such Authorised Users’ and Consumers’ Personal Data, including, at a minimum, through the Data Controller’s privacy policies and cookie notices and those of its advertising partners. Customer’s instructions for the processing of Personal Data shall comply with Data Protection Laws.

3.6 The Controller is entirely responsible for ensuring that the data uploaded to the ChannelSight Services is adequate, relevant and not excessive and that the lawful basis of the processing and transparency requirements have been complied with.

 

4  DETAILS OF THE PROCESSING CONTEMPLATED UNDER THIS DPA

4.1 The details of the processing contemplated under this DPA are described in Schedule 1.

4.2 ChannelSight or Customer may provide notice of change to the description of the Personal Data to be processed where an update is required due to changes to the Services or changes required due to applicable Data Protection Laws, including their interpretation. ChannelSight may provide notice to Customer of change to the DPA. Such updates will apply 30 days from the date of the notice.

 

5  PROCESSING OF PERSONAL DATA.

ChannelSight’s obligations as Processor

5.1 As the Processor with respect to Personal Data, ChannelSight acknowledges and agrees that:

5.1.1 ChannelSight must, and shall procure that its subprocessors shall, process Personal Data only for the purposes of fulfilling its obligations under the Agreement and in accordance with relevant documented instructions from Customer (unless required to do so by a Union or member state law to which ChannelSight is subject; in such a case ChannelSight shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest). Customer agrees to provide ChannelSight with documented instructions relating to Personal Data under the Agreement.

5.1.2 ChannelSight agrees to make reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to ChannelSight.

5.1.3 ChannelSight will not disclose any Personal Data to a third party, except at Customer’s specific request or where obliged to do so under any statutory or other legal requirement (in which case ChannelSight will use reasonable endeavours to advise Customer in advance of such disclosure and in any event immediately thereafter); and

5.1.4 ChannelSight or its sub-processors will only transfer Personal Data outside the European Economic Area (“EEA”) under the terms of section “Transfers of Personal Data Outside the EEA” (below). ChannelSight does not transfer personal data outside the EEA, except on Customer request.

Customer’s obligations as controller

5.2 In addition to Customer’s other responsibilities set out elsewhere in the Agreement, Customer acknowledges and agrees that:

5.2.1 Customer has and will continue to abide by an appropriate privacy notice relating to the collection and use of Personal Data.

5.2.2 Customer shall comply with:

a)all Data Protection Laws in connection with the processing of Personal Data and in the exercise and performance of Customer’s respective rights and obligations under this Agreement; and

b)the terms of this Data Processing Addendum and the Agreement.

5.2.3 Customer states that:

a)all data sourced by Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and

b)all instructions given by it to ChannelSight shall at all times be in accordance with Data Protection Laws.

5.2.4 Customer shall not withhold, delay or condition Customer’s agreement to any change to this Agreement requested by ChannelSight in order to ensure ChannelSight (and each subprocessor) can comply with Data Protection Laws.

 

6 SECURITY MEASURES

6.1 Each party agrees to take appropriate, and industry-standard, technical and organizational measures against unauthorized or unlawful access or processing of Personal Data in connection with this Data Processing Addendum and the Agreement or its accidental loss, destruction or damage. ChannelSight agrees to apply the ChannelSight InfoSec Policy (available on request), which may be updated from time to time.

6.2 ChannelSight shall, and shall procure that its subprocessors shall, take all reasonable steps to ensure that Personal Data processed in connection with this Data Processing Addendum and the Agreement is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.

 

7  PERSONAL DATA BREACH NOTIFICATIONS

7.1 ChannelSight will promptly notify Customer of any known or reasonably suspected breach of security leading to a Personal Data Breach.

7.2 In respect of any Personal Data Breach, ChannelSight shall:

7.2.1 notify the Customer of the Personal Data Breach without undue delay (but in no event later than 72 hours after becoming aware of the Personal Data Breach); and

7.2.2 provide the Customer without undue delay (wherever possible, no later than 72 hours after becoming aware of the Personal Data Breach) with such details as the Customer reasonably requires regarding:

a) the nature of the Personal Data Breach (including, the categories and approximate numbers of data subjects and Personal Data records concerned); and

b) any investigations into such Personal Data Breach;

c) the likely consequences of the Personal Data Breach; and

d) any measures taken, or that ChannelSight recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,

provided that, (without prejudice to the above obligations) if ChannelSight cannot provide all these details within the timeframes set out in this section 7.2, it shall (before the end of such timeframes) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.

7.3 If a Personal Data Breach occurs ChannelSight shall:

7.3.1 take such steps and do all acts and things as the Customer requires in order to mitigate the effects of the Personal Data Breach; and

7.3.2 restore to the last available backup any Customer Data that has been lost, damaged or destroyed by the Personal Data Breach.

 

8  AUDITS

ChannelSight will make available to Customer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA including by allowing for and contributing to reasonable audits to determine ChannelSight’s compliance with its obligations under this DPA. These audits (of frequency of no more than once per year, except where there is reason to suspect a breach of the obligations may have occurred) may be conducted by Customer, auditors mandated by Customer, or public authorities in competent jurisdictions, subject to Customer and Customer’s auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.

 

9  CONFIDENTIALITY

ChannelSight shall, and shall procure that its subprocessors shall, ensure that any persons to whom ChannelSight discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.

 

10  TRANSFER OF PERSONAL DATA TO THIRD PARTY PROVIDERS.

Subprocessors appointed by ChannelSight:

10.1 ChannelSight uses third party providers to provide certain services, including hosting. A list of these third party providers is available on the ChannelSight portal and may be provided for Customer review, on request, prior to entering into this DPA (“Subprocessor Details”).

10.2 These subprocessors will have access to certain data, including relevant Personal Data, however such subprocessors are only permitted to process Personal Data for the purposes of providing their specifically contracted services to ChannelSight.

10.3 ChannelSight will use commercially reasonable efforts to ensure that such subprocessors utilize reasonable industry recognized security measures to protect against loss, misuse and unauthorized viewing of the information Customer provides to ChannelSight.

Third Party Providers Appointed by Customer:

10.4 Customer may elect to purchase or subscribe to third party services that may integrate with the Services (‘Third Party Solutions’).

10.5 Where Customer chooses to integrate with a Third Party Solution, this may entail providing ChannelSight with access to Personal Data held by such Third Party Solution, and may require the providers of such Third Party Solution to have access to Personal Data. Customer must notify ChannelSight and put in place a written contract between Customer and ChannelSight as required under Article 28 GDPR relating to any extra categories of Personal Data that ChannelSight will process on behalf of Customer due to such integration. Customer shall not send any Personal Data to ChannelSight unnecessarily.

10.6 With regard to Third Party Solution, Customer acknowledges and agrees that:

10.6.1 ChannelSight has no contractual relationship with such third parties, and no responsibility for Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. ChannelSight does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.

10.6.2 Customer is responsible for ensuring that Customer’s and ChannelSight’s use of the Services and integration with a Third Party Solution complies with any service terms of the applicable Third Party Solution. ChannelSight is not required to maintain Personal Data collected in breach of any relevant data protection or other applicable laws.

10.6.3 Customer is responsible for obtaining consent from Authorised Users and Consumers for the use and deployment of all Third Party Solutions or data or technology subject to the E-Privacy Directive.

10.6.4 In the instance of paid campaigns, ChannelSight technically cannot obtain consent from the consumer prior to the interaction with the terminal equipment of the consumer. This is, in most cases, the responsibility of the publisher of the ad. Brands should ensure that the advertising network they are using ensures that the publisher must obtain all required consent for cookies and tracking related to the advertisement.

10.7 ChannelSight makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to its Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. ChannelSight is not responsible for the processing of Personal Data by Third Party Solutions.

10.8 CHANNELSIGHT HEREBY DISCLAIMS ALL RESPONSIBILITY FOR THE ACTIONS OF SUCH THIRD PARTIES OR FOR LOSS, DAMAGES, OR CLAIMS ARISING AS A RESULT OF DEPLOYING INTEGRATION CODE OR SCRIPTS FACILITATING TRANSFERS OF PERSONAL DATA OR MAKING A TRANSFER OF PERSONAL DATA ON CUSTOMER’S BEHALF. CHANNELSIGHT MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OF SUCH THIRD PARTY SOLUTIONS FOR RECEIPT OF PERSONAL DATA NOR OF THE SUITABILITY OF THE THIRD PARTY SOLUTIONS TO PROCESS PERSONAL DATA.

 

11  PROCESSING OF PERSONAL DATA BY SUBPROCESSORS OF SUPPLIER

11.1 ChannelSight may only authorise a subprocessor to process Personal Data provided that ChannelSight has entered into a written agreement with such subprocessor on terms which are substantially the same as those set out in this DPA. Where a subprocessor fails to fulfil its data protection obligations, ChannelSight shall remain liable to Customer for the performance of the data protection obligations of the relevant subprocessor.

11.2 Customer provide a general authorisation to ChannelSight to engage the subprocessors as are appointed on the date this DPA comes into force.

11.3 ChannelSight will with thirty (30) days’ notice inform Customer of any intended change in the subprocessors that will process Personal Data under this agreement and Customer shall be entitled to make any objections thereto. If no objections have been received within ten (10) days, the proposed subprocessor shall be deemed accepted. If Customer does not agree to the subprocessor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a subprocessor, ChannelSight may terminate this agreement by providing written notice, such termination to take effect on the later of (i) the date on which ChannelSight will commence using the services of the relevant subprocessor in relation to the Services provided to Customer or (ii) one (1) month after the date of Customer’s written notice.

 

12  TRANSFERS OF END USER PERSONAL DATA OUTSIDE THE EEA:

12.1 Personal Data may be transferred or stored outside the country where the Customer is located in order to carry out the Services and our other obligations under the Agreement.

12.2 ChannelSight will only transfer Personal Data outside the EEA on Customer’s specific request. Examples of why Customer may make such a request are transfers of such data to Customer or Customer’s affiliates, where Customer or Customer’s affiliate is based outside the EEA; a transfer to a third party outside of the EEA for further processing of the data; a specific request by Customer that ChannelSight uses a Third Party Solution or where Customer opts to integrate with a Third Party Solution outside of the EEA.

12.3 Where Customer opts to send Personal Data to Third Party Solutions via integration, plug-in or otherwise, Customer agrees that providers of Third Party Solutions are not subprocessors of ChannelSight for data protection purposes and such providers are Customer’s directly-contracted Processors acting under Customer’s instructions.

12.4 In making a request for ChannelSight to transfer Personal Data, subject to GDPR and related privacy regulations outside of the EEA, Customer confirms that there is “an adequate level of protection” in place for such transfer as such term in understood under GDPR.

12.5 Customer will indemnify and hold harmless ChannelSight, its subsidiaries and affiliates (and their respective employees, directors, officers, shareholders, attorneys, agents and representatives) from and against any and all claims, costs, losses, damages, judgments, penalties, interest and expenses (including reasonable attorneys’ fees and costs) from any claim, action, audit, investigation, regulatory action, inquiry or other proceeding that arises out of or relates to use of data by Third Party Solutions, or other transferees, or Customer’s failure to comply with any applicable laws and regulations in connection with the transfer of the Personal Data outside the EEA including any applicable data protection legislation or that arises out of or relates to any subsequent use of the Personal Data by the relevant transferee. This indemnification obligation set forth herein shall survive the termination of the Agreement.

12.6 ChannelSight agrees to enter into a SCC Agreement with Customer where reasonably required to ensure an “adequate level of protection” is in place for the transfer of such Personal Data outside the EEA, subject to ChannelSight’s approval of any updated text that may be issued.

12.7 The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection” is in place for transfer of data outside the EEA under GDPR.

12.8 In the event that the United Kingdom is not deemed to provide an “adequate level of protection” for the protection of personal data as such term is understood under the GDPR and the transition period for transfers of personal data between EU and UK has expired, the SCC Agreement (or, by agreement of the parties, any subsequent applicable data transfer mechanism agreed between the UK and EU) shall apply to any transfers of personal data to or from the United Kingdom during the term of the Agreement, subject to ChannelSight’s approval of any updated text that may be issued.

 

13  SUBJECT ACCESS REQUESTS

13.1 ChannelSight will promptly assist Customer with all notices, requests or other enquiries relating to the data protection rights which may be received by Customer or ChannelSight, at Customer’s reasonable expense.

13.2 ChannelSight will not respond to any subject access request without the Customer’s prior written approval unless required to do so by law or direction of a relevant regulator.

 

14  RETURN OR DELETION OF PERSONAL DATA

Immediately on termination or expiry of this Agreement, or otherwise on Customer’s request, ChannelSight must and shall procure that its subprocessors shall:

14.1 return all Personal Data to Customer; or

14.2 delete all the Personal Data, in a manner agreed to by Customer;

at Customer’s election, unless a law WTBding on ChannelSight or its subprocessors prevents it from doing as requested or unless otherwise agreed in the Agreement (for example, where the Customer has requested ChannelSight continue to store Personal Data in order to ensure compliance with a legal obligation

 

15  OBLIGATIONS INDEPENDENT OF OTHER PROVISIONS

The obligations contained in this DPA are without prejudice to ChannelSight’s other obligations under this Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.

 

16  COSTS

16.1 Subject to sections 2 and 16.3, the costs of ChannelSight and its subprocessors to comply with their respective obligations as Processors under Data Protection Laws applicable in a specific jurisdiction shall be borne by ChannelSight and its subprocessors to the extent compliance with such obligations is necessary for ChannelSight and/or its subprocessors’ compliance with applicable Data Protection Laws in their role as Processors in the jurisdiction in question.

16.2 Notwithstanding section 1, if Customer request ChannelSight to take on compliance activities which go beyond the activities that ChannelSight is required to do as a Processor under applicable Data Protection Laws, ChannelSight shall be entitled to its reasonable costs and the above shall be notified to ChannelSight and agreed pursuant to a further Order Form.

16.3 Should changes to applicable Data Protection Laws, including the interpretation thereof, entail increased costs for ChannelSight or its subprocessors, ChannelSight may, subject to providing written notice Customer, increase the rates charged to Customer to reflect the increased costs. The increase to Customer should be fair and reasonable and should be proportional to what other similar customers are being asked to pay.

 

17  WARRANTY and SUPPLIER LIABILITY

17.1 By using the Product to process Personal Data, Customer states, that Customer’s collection and processing of Personal Data does not breach the rights of any person or entity, including rights of publicity, privacy or under applicable Data Protection Laws, that Customer is entitled to transfer the relevant Personal Data to ChannelSight, and that ChannelSight is entitled to transfer Personal Data to its subprocessors and all Third Party Solutions so that they each respectively may lawfully use, process and transfer such Personal Data in accordance with this DPA and the Agreement.

17.2 The liability of ChannelSight relating to Personal Data processed in connection with the Product and/or Services is limited to direct losses related to:

17.3 any breach by ChannelSight of any of its Personal Data obligations under this DPA; or

17.3.1 ChannelSight (or any person acting on its behalf) acting outside or contrary to the lawful processing Instructions of the Customer in respect of the processing of Personal Data.

17.3.2 Any claims brought under or in connection with this DPA shall be subject to the Agreement, including but not limited to, the exclusions and limitations of liability set forth in the Agreement.

 

18  INTERPRETATION

18.1 The parties agree that this DPA shall replace any existing data protection terms the parties may have previously entered into in connection with the Services relating to Personal Data.

18.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

 

Schedule 1 Details of the Processing

The subject matter of the processing is: ‘Where To Buy’ functionality for brands for online retail and the processing involves mapping a Customer’s products from customer touchpoint to sale.

The duration of the processing is: the duration of the Agreement plus 30 days for Customer to elect return/deletion of the Personal Data

The nature and purpose of the processing is: to facilitate accurate routing of purchase leads to online retailers and to provide feedback to brands.

The type of Personal Data is:

For Authorised Users: Username, password, phone number, login details, log-in logs, support requests, email address.

For Consumers: Transaction tracking data including:

Number Service Data subject Data Point Optional Data controller Use case Processing
1.1 Where To Buy Consumer Impression IP Address No Brand Consumer interacts with a WTB widget on a brand website/asset and we record those events with the IP address as telemetry data. IP address stored & sometimes used to aggregate events for reporting e.g. impressions per market.
1.2 Consumer Click IP Address No Brand Consumer clicks on a WTB link on a brand website/asset and as a web facing service we capture their IP address. IP address stored, sometimes used to aggregate the clicks for reporting e.g. clicks per market.
1.3 Consumer Click Analytics GUID Yes Brand Consumer clicks on a WTB link on a brand website/asset and the brand-site appends the analytics user id from the consumer’s browser to the request. Userid stored so that the click and possibly subsequent sales can be shared back with the brand with that user context.
1.4 Consumer Click ID No Brand Consumer clicks on a WTB link on a brand website/asset and is-redirected to a retailer (possibly via an affiliate), we pass a ClickID in the URL. The retailer or affiliate may drop a cookie with this ClickID or record it in another manner. ClickID stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
1.5 Consumer Click Product No Brand Consumer clicks on a WTB link on a brand website/asset and we record the product clicked on. Product ID stored so that the click and possibly subsequent sales can be shared back with the brand with that product context.
1.6 Consumer Product Sales from Clicks Yes Retailer Consumer purchases a product on a retailer site after we have directed them to the site. The retailer then shares this sales detail with us along with the originating ClickID. Product sales detail stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
1.7 Consumer Location Yes Brand Consumer interacts with a WTB “maps” widget on a brand website/asset and we acquire their location by manual entry, GEO IP look-up or browser location services. We use this location to serve the consumer location specific/proximity based purchase options. We store this location for aggregated performance reporting/analytics (anonymous).
1.8 Consumer User interactions Yes Brand Consumer interacts with a WTB widget on a brand website/asset and we acquire certain UI interactions with the widget. We use this anonymous telemetry data for aggregated performance reporting/analytics (anonymous).
2.1 Paid Campaign Where To Buy Consumer Impression IP Address No Brand Consumer interacts with a WTB widget in a paid campaign context and we record those events with the IP address as telemetry data. IP address stored & sometimes used to aggregate events for reporting e.g. impressions per market.
2.2 Consumer Click IP Address No Brand Consumer clicks on a WTB link in a paid campaign context and as a web facing service we capture their IP address. IP address stored, sometimes used to aggregate the clicks for reporting e.g. clicks per market.
2.3 Consumer Click Analytics GUID Yes Brand Consumer clicks on a WTB link on a brand website and the brand-site appends the analytics user id from the consumer’s browser to the request. Userid stored so that the click and possibly subsequent sales can be shared back with the brand with that user context.
2.4 Consumer Click ID No Brand Consumer clicks on a WTB link on a brand website and is-redirected to a retailer (possibly via an affiliate), we pass a ClickID in the URL. The retailer or affiliate may drop a cookie with this ClickID or record it in another manner. ClickID stored so that the clicks and sales  can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
2.5 Consumer Click Product No Brand Consumer clicks on a WTB link on a brand website/asset and we record the product clicked on. Product ID stored so that the click and possibly subsequent sales can be shared back with the brand with that product context.
2.6 Consumer Product Sales from Clicks Yes Retailer Consumer purchases a product on a retailer site after we have directed them to the site. The retailer then shares this sales detail with us along with the originating ClickID. Product sales detail stored so that the clicks and sales  can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
3.1 All Services Authorised Users Name, eMail Brand For general service and portal use we need to store a set of users names and email addresses to control access and provide support.

 

The categories of data subjects are: Authorised Users and Consumers