DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Agreement between Revel and Customer under which Revel provides the Service to Customer. Capitalized terms used but not defined in this Addendum shall have the meaning as set forth in the Agreement.
- “Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Information.
- ”Data Processor” means the entity which Processes Personal Information on behalf of the Data Controller.
- “Data Protection Laws” mean all laws applicable to the Processing of Personal Information, including, to the extent applicable, (i) until May 25, 2018, the European Union (“EU”) Data Protection Directive 95/46/EC as implemented by the EU Member States; and (ii) on and after May 25, 2018, the EU General Data Protection Regulation.
- “Data Subject” means any individual about whom Personal Information may be Processed under this Addendum.
- “Personal Information” or “Personal Data” means Customer Data related to an identified or identifiable natural person which Revel Processes on Customer’s behalf through the Services.
- “Process” or “Processing” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.
- “Security Incident” means a breach of security of the Service leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by Revel under this Addendum.
- Instructions. As between the parties, Customer acts as a Data Controller of the Personal Information and Revel acts as a Data Processor engaged to Process the Personal Information on Customer’s behalf. Revel will Process Personal Information in accordance with the Agreement or other documented instructions of Customer (whether in written or electronic form) or as needed to comply with applicable law. The duration of the Processing shall be the Term of the Agreement. In connection with the performance of the Agreement, Revel may transfer Personal Information to various locations, which may include locations both inside and outside of the European Economic Area (“EEA”).
- Confidentiality. Revel will require Revel personnel granted access to Personal Information to protect all Personal Information accordingly.
- Security. Revel will implement reasonable technical and organizational safeguards designed to protect Personal Information against unauthorized loss, destruction, alteration, access, or disclosure.
- Security Incident. Revel will notify Customer promptly in the event Revel discovers that a Security Incident has occurred, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Taking into account the nature of the processing and the information available to Revel, Revel will assist Customer, at Customer’s expense unless Revel caused the Security Incident, to the extent required by applicable law in its provision of any required notifications to affected Data Subjects.
- Subprocessors. Customer agrees that Revel may disclose Personal Information to its subcontractors for purposes of providing Services to Customer (“Subprocessors”), provided that Revel will impose substantially similar obligations on its Subprocessors regarding the security and confidentiality of Personal Information as those set forth in this Addendum. Revel will (a) upon Customer’s written request make available to Customer a list of its Subprocessors and provide Customer with a mechanism to receive notice of any changes to this list and (b) notify Customer of the addition of any new Subprocessors by updating this list at least 30 days before granting the new Subprocessor access to Personal Information to allow Customer an opportunity to object to the addition.
- Audit. No more than one time annually, upon at least ten (10) days’ advance written notice, at Customer’s expense, and at a time and place to be mutually agreed upon by the parties, Customer shall be entitled to audit mutually agreed upon books and records of Revel in order to confirm its compliance with this Addendum.
- Assistance. Taking into account the nature of the processing, Revel will, at Customer’s expense, provide reasonable assistance to Customer with obligations Customer may have under applicable Data Protection Laws to (a) respond to data subjects’ requests to exercise any applicable rights under Data Protection Laws or (b) conduct privacy and data protection impact assessments and related consultations of data protection authorities.