This Data Processing Addendum (hereinafter: the “DPA”) supplements and forms an integral part of the Terms of Service for the Sketch Platform available at www.sketch.com (hereinafter: the “Terms”) as concluded between You (hereinafter: “Controller”) and Sketch (hereinafter: “Processor”). You and Sketch are hereinafter collectively also referred to as “Parties” and separately as a “Party”.
By accepting the terms of this DPA, You represent that You have the authority to bind Controller to this DPA.
Whereas
- The Parties have agreed that Processor shall provide certain services to Controller (hereinafter: the “Service”), as further set out in the Terms of which this DPA forms an integral part;
- As part of the delivery of the Service, Processor will process personal data on behalf of Controller; and
- The Parties wish to set out their rights and obligations in respect of such processing of personal data in this DPA.
Hereby agree as follows:
Definitions
- In this DPA, the following terms, whether single or plural, shall have the meaning assigned to them in this Paragraph:
- “Applicable Legal Requirements” — any and all international, European Union, national, provincial or local law, regulation, order, statute, administrative order or treaty, judgment, court order, code of conduct (whether or not binding), guidance or any other requirement of any relevant government or government agency or regulatory authority, as they apply to either or both of the Parties in the performance of the Terms.
- “CCPA” — the California Consumer Privacy Act (“CCPA”) – ANNEX 3 – CCPA Data Processing Addendum (if applicable).
- “Controller Personal Data” — any information relating to an identified or identifiable natural person, which is either supplied by Controller to Processor, or which is collected or generated by Processor under instruction from Controller as part of the Service, in both cases in order for Processor to provide its services under the Terms, and as further described in ANNEX 1 – DETAILS OF PROCESSING.
- “Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed by Processor.
- “Data Subject Request” — the exercise by a Data Subject of their rights under, and in accordance with, the GDPR.
- “Data Subject” — an identified or identifiable natural person to whom Controller Personal Data relates.
- “EEA” – the European Economic Area.
- ”Effective Date” — the later of: (i) the date the Parties entered into the Terms; or (ii) the date this DPA was accepted by You.
- ”EU GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “GDPR” – the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).
- “Relevant Body” – (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or (ii) in the context of the EEA and EU GDPR, means the European Commission.
- “Restricted Country” — (i) in the context of the UK, a country or territory outside the UK; and (ii) in the context of the EEA, a country or territory outside the EEA, in each case that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for personal data pursuant to a decision in accordance with Article 45 of the GDPR.
- “Restricted Transfer” — the disclosure, grant of access or other transfer of Controller Personal Data to any person, which would be prohibited without a legal basis therefor under Chapter V of the GDPR.
- “Standard Contractual Clauses” — the standard data protection clauses issued by the European Commission for the transfer of personal data from processors to processors established in a Restricted Country (i.e., applying Module 3 thereof).
- “Subprocessor” — a third party that Processor uses to process Controller Personal Data in order to provide parts of the Service and/or related technical support.
- “Supervisory Authority” – (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and (ii) in the context of the EEA and EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.
- “Terms” — the Terms of Service for the Sketch Platform (including the Sketch Mac app, Web App and Sketch Mirror) available at www.sketch.com.
- “UK GDPR” – the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronics Communications (Amendments etc.) (EU Exit) Regulations 2019) (if applicable).
The terms “personal data”, “special categories of personal data”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given in the GDPR.
1.2 Controller warrants and represents that the processing delegated to Processor under this DPA is subject to the territorial scope of the GDPR as determined in accordance therewith (including pursuant to Article 3 of the GDPR). Controller further agrees that to the extent that the same is not in fact subject to the territorial scope of the GDPR this DPA shall be deemed automatically void with effect from the Effective Date without requirement of notice.
Processing instructions
- This DPA relates to the processing of Controller Personal Data by Processor on behalf of Controller in the course of performing Processor’s obligations under the Terms. Further details of such processing are set out in ANNEX 1 – DETAILS OF PROCESSING as required by Article 28(3) of the GDPR.
- In the course of performing its obligations under the Terms, Processor shall process Controller Personal Data solely on the instruction of Controller and not use or otherwise process Controller Personal Data for any other purpose, unless required to do so by Applicable Legal Requirements.
- By entering into this DPA, Controller hereby authorises and instructs Processor to process Controller Personal Data: (i) to provide the Service and related technical support; (ii) as otherwise permitted or required by Controller’s use of the Service and/or its requests for technical support; (iii) as otherwise permitted or required by the Terms, including this DPA; and (iv) as further documented in any other written instructions that Controller gives to Processor (“Permitted Purposes”).
- Processor shall promptly notify Controller if Processor is of the opinion that an instruction given by Controller would cause the Processor to act contrary to Applicable Legal Requirements.
- Controller will not share any special category of personal data with Processor. Controller further acknowledges that Processor does not request or require any special category of personal data to provide the Service and does not wish to receive or store any special category of personal data.
- Controller warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Terms, a valid legal basis for the processing of Controller Personal Data by Processor in accordance with this DPA and the Terms (including any and all instructions issued by Controller from time to time in respect of such processing).
Confidentiality of Controller Personal Data
- Processor shall ensure that all of its employees, contractors and other personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in respect of Controller Personal Data.
- Processor shall not disclose Controller Personal Data in any way to any third party who is not an approved Subprocessor without the prior written consent of Controller, except when Processor must comply with Applicable Legal Requirements and is prohibited from obtaining the prior written consent from Controller pursuant to such Applicable Legal Requirements.
Security
- Processor shall, taking into account the nature of Controller Personal Data and the risks involved in the processing of Controller Personal Data, implement appropriate technical and organisational measures to protect Controller Personal Data against any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access (the “Security Measures”). The Security Measures will have regard to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing and are listed in ANNEX 2 – SECURITY MEASURES.
- Controller agrees that it is solely responsible for its use of the Service, including: (i) making appropriate use of the Service to ensure a level of security appropriate to the risk in relation to Controller Personal Data; (ii) securing any account authentication credentials, systems, and devices it uses to access the Service; and (iii) backing up all Controller Personal Data. Controller understands and agrees that Processor has no obligation to protect Controller Personal Data that Controller elects to store or transfer outside of Processor’s or any Subprocessors’ systems (e.g. offline or on-premise storage). Controller is solely responsible for evaluating whether the Service and Processor’s commitments under this DPA meet its needs, including with respect to Controller’s compliance with any of its security obligations under the GDPR and/or Applicable Legal Requirements.
Subprocessors
- Controller authorises Processor to appoint Subprocessors in accordance with this Section.
- Processor may continue to use those Subprocessors already engaged by Processor as at the date of this DPA.
- Processor shall give Controller prior written notice of the appointment of any new Subprocessor, including reasonable details of the processing to be undertaken by the Subprocessor, by updating the list of its Subprocessors at the following address: /subprocessors/. If, within ten (10) days of receipt of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment:
- Processor shall use reasonable efforts to make available a commercially reasonable change in the provision of the Service which avoids the use of the proposed Subprocessor; or
- where such a change cannot be made, either Party may by written notice to the other Party with immediate effect terminate the Terms either in whole or to the extent that it relates to the Service which require the use of the proposed Subprocessor (subject always to the provisions of the Terms).
- With respect to each Subprocessor, Processor shall ensure that the arrangement between Processor and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Controller Personal Data as those set out in this DPA, as well as the Standard Contractual Clauses (where applicable).
- Processor shall remain liable to Controller for the acts and omissions of each Subprocessor in respect of Controller Personal Data.
Data subject rights
- Taking into account the nature of the processing, Processor shall provide Controller with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Controller in fulfilling its obligation to respond to Data Subject Requests.
- Processor shall:
- promptly notify Controller if Processor receives a Data Subject Request; and
- not respond to any Data Subject Request except on the written instructions of Controller (and in such circumstances, at Controller’s cost) or as required by Applicable Legal Requirements.
Data breach notification
- Processor shall promptly notify Controller upon becoming aware that a suspected or actual Data Breach has (or may have) occurred with respect to Controller Personal Data. Such notification shall be provided promptly and without undue delay after the detection of the (suspected) Data Breach.
- Processor shall provide the following information to Controller, to the extent that Processor is reasonably able to provide such information:
- the nature of the Data Breach and affected Data Subject(s);
- the identified and suspected consequences of the Data Breach; and
- the measures Processor has taken, or proposes to take, in order to mitigate the effects of the Data Breach.
- At the request of Controller, Processor will cooperate to inform the competent Supervisory Authority(ies) (as may be determined in accordance with the GDPR) and/or Data Subject(s) of the Data Breach.
- Controller is solely responsible for complying with any Data Breach notification requirements that may apply to Controller. Processor’s notification of or response to a Data Breach under this Section will not constitute an acknowledgement of fault or liability with respect to the Data Breach.
Data protection impact assessments, prior consultation and audits
- Processor shall provide reasonable assistance to Controller, at Controller’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities, which Controller reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to the processing of Controller Personal Data by, and taking into account the nature of the processing by and information available to, Processor.
- Processor shall make available to Controller on request such information as Processor (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Sections 8.3 and 8.4, in the event that Controller (acting reasonably) is able to provide documentary evidence that the information made available by Processor pursuant to this Paragraph is not sufficient in the circumstances to demonstrate Processor’s compliance with this DPA, Processor shall allow for and contribute to audits, including on premise inspections, by Controller or an auditor mandated by Controller in relation to the processing of Controller Personal Data by Processor.
- Controller shall give Processor reasonable notice of any audit or inspection to be conducted (which shall in no event be less than thirty (30) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any damage, injury or disruption to Processor’s premises, equipment, personnel, data and business (including any interference with the confidentiality or security of the data of Processor’s other customers, or the availability of Processor’s services to such other customers).
- Controller shall bear any third party costs in connection with any inspection or audit and reimburse Processor for all costs incurred by Processor in connection with any such inspection or audit.
Restricted transfers of Personal Data
-
Where applicable, any transfer of Controller Personal Data from Controller in the UK to Processor in The Netherlands is covered by the adequacy regulations issued by the Relevant Body under Paragraph 5 of Schedule 21 of the UK Data Protection Act 2018 and as such, does not constitute a Restricted Transfer.
-
To the extent that there is a Restricted Transfer of Controller Personal Data from Processor to any Subprocessor, the Processor will ensure that such Restricted Transfer is effected under and subject to the Standard Contractual Clauses, with:
- Processor – as ‘data exporter’; and
- Subprocessor – as ‘data importer’.
Deletion of Controller Personal Data
- Upon the date of cessation of any Service involving the processing of Controller Personal Data, Processor shall immediately cease all processing of Controller Personal Data for any purpose other than for storage.
- Controller hereby acknowledges and agrees that, due to the nature of the Service and Controller Personal Data processed by Processor, return (as opposed to deletion) of Controller Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Controller agrees that it is hereby deemed to have irrevocably selected deletion, in preference of return, of Controller Personal Data.
- Processor and any Subprocessor may retain Controller Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Processor and any such Subprocessor shall ensure:
- the confidentiality of such Controller Personal Data; and
- that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
Term and termination
- This DPA shall take effect on the Effective Date.
- This DPA forms an integral part of the Terms and remains in force until the Terms expire or terminate, for whatever reason.
Miscellanea
- In the event of any inconsistency relating to the processing of Controller Personal Data between a provision of this DPA and the Terms, the provision of this DPA will prevail.
- If Applicable Legal Requirements require that this DPA be amended, either Party may propose an amendment and the Parties will enter into negotiations in good faith to reach an agreement ensuring the continued compliance of the DPA with Applicable Legal Requirements.