This Data Processing Addendum (the “DPA”) outlines the terms governing Hotei's processing of personal data on behalf of its Customers as part of delivering the Services. The DPA aims to ensure that Hotei handles personal data securely and in alignment with relevant Data Protection Laws.
The DPA is incorporated into the Agreement, and its provisions apply to the Parties upon acceptance of the Agreement.
Capitalized terms utilized in this DPA shall have the meanings assigned to them in the General Terms, unless otherwise defined within this document. Furthermore, the following definitions shall apply:
“Customer Controlled Data” refers to any Customer Content along with any additional information submitted by End Users or visitors of the Customer Site, which pertains to an identified or identifiable natural person and qualifies as personal data under relevant Data Protection Laws.
“Data Protection Laws” encompasses all applicable data protection, privacy laws, and regulations within the European Union, European Economic Area and their Member States, as well as Switzerland, the United Kingdom, including the GDPR, the UK GDPR, PIPEDA, and United States Data Protection Laws.
“GDPR” denotes Regulation (EU) 2016/679 of the European Parliament and Council, dated 27 April 2016, regarding the safeguarding of individuals concerning the handling of personal data and the unrestricted transfer of such data, which replaces Directive 95/46/EC (General Data Protection Regulation), as amended or superseded over time.
“Standard Contractual Clauses” designates the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, detailing standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and Council.
“Subprocessor” indicates any third-party entity appointed by Hotei to perform specified processing activities involving Customer Controlled Data under Hotei’s instructions.
“UK GDPR” references the Data Protection Act 2018 and the GDPR, as it is incorporated into the law of England, Wales, Scotland, and Northern Ireland under section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (SI 2019/419).
“US Data Protection Laws” encompasses all applicable data protection and privacy laws within the United States, including the California Consumer Privacy Act (CCPA, as amended), along with other similar state-specific regulations.
In addition, terms such as “controller,” “processor,” “processing,” “data subject,” “personal data,” “data concerning health,” “special categories of personal data,” and “personal data breach,” as well as their counterparts under applicable Data Protection Laws, shall retain the definitions provided within the pertinent regulation.
Applicability. This DPA applies solely when Hotei, acting as a processor or sub-processor on behalf of the Customer (who in turn acts as a controller or processor of the data), processes Customer Controlled Data in connection with the Services.
Instructions. Hotei shall only process Customer Controlled Data in alignment with the Customer’s lawful documented instructions, as outlined in the Agreement, this DPA, or as otherwise directed by the Customer or its End Users through the Services (collectively, the “Instructions”). Should Hotei become aware that any Instructions from the Customer may infringe Data Protection Laws, it shall promptly inform the Customer.
Customer’s Role and Responsibilities in Data Processing. The Customer acts as the controller or processor of the Customer Controlled Data processed by Hotei under this Agreement and DPA. The Customer is responsible for ensuring adherence to Data Protection Laws, including obtaining required consents and providing necessary notices concerning its processing of Customer Controlled Data (including any special categories of personal data). Additionally, the Customer warrants on an ongoing basis that the relevant controller has approved (i) the Instructions, (ii) the Customer's designation of Hotei as a processor, and (iii) Hotei's engagement of Subprocessors as outlined in Section 6 (Subprocessors).
Cooperation. The Parties agree to cooperate in good faith and provide reasonable assistance to each other, as necessary, to meet their obligations under this DPA and Data Protection Laws. This includes, where applicable, supporting each other in handling data subject requests, conducting data protection impact assessments, and addressing other requirements arising under Data Protection Laws, in line with the terms of this DPA.
Description of Processing Activities. The specifics of the processing activities carried out by Hotei on the Customer’s behalf—including subject matter, duration, nature, and purpose of the processing, as well as the types of data subjects and categories of personal data—are outlined in Schedule 1 of this DPA.
Updates to Processing Activities. Hotei may periodically update the description of processing activities in Schedule 1 to reflect changes in the Services, including new features or functionalities. In the event of significant changes to the processing activities, Hotei will notify the Customer, who will have the opportunity to object to these changes under the terms set forth in this DPA.
Prohibition on Special Categories of Data. The Customer agrees not to use the Services to collect, process, or store any special categories of data, as defined by applicable Data Protection Laws. This includes, but is not limited to, data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data regarding a person’s sexual orientation or sex life. Hotei disclaims any liability for processing such data, and any violation of this provision is the sole responsibility of the Customer. In case of breach, Hotei reserves the right to suspend or terminate the Services without notice, in addition to any other remedies available under this DPA or applicable law.