1.1 In accordance with the Agreement (as defined below), this Data Processing Addendum (“DPA”) sets out the basis on which Nautilus processes Customer Personal Data (as defined below).
1.2 In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
2.1 Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
(a) “Agreement” means either Nautilus’ Platform Terms and Conditions available here or, if Nautilus has a written agreement with Customer, then such written agreement;
(b) “Services” has the same meaning as set out in the Agreement;
(c) “Customer Personal Data” means the personal data described in ANNEX 1 and any other personal data that Nautilus processes on behalf of the Customer in connection with Nautilus’s provision of the Nautilus Service;
(d) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
(e) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(f) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
(g) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply);
(h) “Subprocessor” means any Processor engaged by Nautilus who agrees to receive from Nautilus Customer Personal Data; and
(i) the terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the GDPR.
3.1 Instructions for Data Processing. Nautilus will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Nautilus Service to the Customer, and (b) the Customer’s written instructions, unless Processing is required by European Union or Member State law to which Nautilus is subject, in which case Nautilus shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
3.2 Processing outside the scope of this Agreement will require prior written agreement between the Customer and Nautilus on additional instructions for Processing.
3.3 Required consents. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents for the Processing of Customer Personal Data by Nautilus in accordance with the Agreement.
3.4 The Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Nautilus against all costs, claims, damages and expenses incurred by Nautilus or for which Nautilus may become liable due to any failure by the Customer to comply with clause 3.3.
3.5 The Customer acknowledges that Nautilus is reliant on the Customer for direction as to the extent to which Nautilus is entitled to use and process the Customer Personal Data. Consequently, Nautilus will not be liable for any claim brought by a Data Subject arising from any act or omission by Nautilus to the extent that such act or omission resulted from the Customer’s instructions or the Customer’s use of the Services.
4.1 Consent to Subprocessor Engagement. The Customer generally authorises the engagement of third parties as Subprocessors.
4.2 Information about Subprocessors. A current list of Nautilus’ Subprocessors is available here (“Subprocessor List”), and may be updated by Nautilus from time to time in accordance with this DPA.
4.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Nautilus will:
(a) ensure via a written agreement that:
(i) the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
(ii) the same obligations are imposed on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Nautilus under this DPA.
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
4.4 Opportunity to Object to Subprocessor Changes.
(a) Customer may, on reasonable grounds, object to Nautilus’s use of a new Subprocessor by providing Nautilus with written notice within 10 days after Nautilus has provided notice to the Customer as described in clause 4.2.
(b) Customer may object to the appointment of that Subprocessor, on reasonable grounds, by providing documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA (“Objection”). In the event of an Objection, Nautilus will use reasonable endeavours to make available to the Customer a change in the Services, or will recommend a commercially reasonable change to the Services. If Nautilus is unable to make available such a change within a reasonable period of time, which shall not exceed 30 days, either Party may terminate, without penalty, the Agreement by providing written notice to the other Party.
4.5 Transfers of Personal Data Outside the EEA. To the extent that the Processing of Customer Personal Data by Nautilus involves the export of such Personal Data to a country or territory outside the EEA, such transfer shall be to a third party:
(a) in a country subject to an adequacy decision by the European Commission;
(b) that is a member of a compliance scheme recognised by the European Commission as offering adequate protection for the rights and freedoms of data subjects such as the EU-U.S. Privacy Shield; or
(c) that has signed Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (with the Customer as data exporter and the third party as data importer). For this purpose, the Customer appoints Nautilus to act as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Customer on its behalf for this purpose.
5.1 Nautilus Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nautilus shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Nautilus shall put in place and maintain the technical and organisational measures set out in ANNEX 2.
5.2 Security Audits. Upon reasonable request from a Customer, and subject to the confidentiality obligations in the Agreement, Nautilus shall make available to the Customer (or an independent third party auditor) information regarding Nautilus’ compliance with the obligations set out in this DPA, including Nautilus’ compliance with the security measures set out in this DPA, such as the technical and organisational measures set out in ANNEX 2. Customers may contact Nautilus by e-mailing to request an on-site audit of Nautilus’ procedures relevant to the protection of Customer Personal Data, but only to the extent required by Data Protection Laws. Customer shall reimburse Nautilus for any time expended for any such on-site audit at Nautilus’ then-current rates, which shall be made available to the Customer upon reasonable request. Prior to the commencement of an on-site audit, Customer and Nautilus shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Nautilus. Customer shall promptly notify Nautilus with information regarding any non-compliance discovered during the course of an on-site audit and Nautilus shall use commercially reasonable efforts to address any confirmed non-compliance.
5.3 Security Incident Notification. If Nautilus or any Subprocessor becomes aware of a Security Incident, Nautilus will (a) notify the Customer of the Security Incident, (b) investigate the Security Incident and provide such commercially reasonable cooperation and assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA. Except as required by applicable Data Protection Laws, the obligations set out in this clause 5.3 shall not apply to security incidents caused by a Customer.
5.4 Nautilus Employees and Personnel. Nautilus shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
(a) access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data;
(b) any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
6.1 Data Subject Requests. Save as required (or where prohibited) under applicable law, Nautilus shall promptly notify the Customer of any request received by Nautilus or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
6.2 Nautilus shall, where possible, assist the Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
(a) provide the Customer with the ability to correct, delete, block, access or copy the personal data of a Data Subject, or
(b) promptly correct, delete, block, access or copy Customer Personal Data within the Nautilus Services at the Customer’s request.
6.3 Government Disclosure. Nautilus shall promptly notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6.4 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Nautilus shall use all reasonable endeavours to assist the Customer by implementing any other appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR.
7.1 To the extent required under applicable Data Protection Laws, Nautilus shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Nautilus.
8.1 Deletion of data. Subject to 8.2 and 8.3 below, Nautilus shall, within 90 (ninety) days of the date of termination of the Agreement:
(a) return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to Nautilus; and
(b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Nautilus or any Subprocessors.
8.2 Subject to section 8.3 below, the Customer may in its absolute discretion notify Nautilus in writing within 30 (thirty) days of the date of termination of the Agreement to require Nautilus to delete and procure the deletion of all copies of Customer Personal Data Processed by Nautilus. Nautilus shall, within 90 (ninety) days of the date of termination of the Agreement:
(a) comply with any such written request; and
(b) use all reasonable endeavours to procure that its Subprocessors delete all Customer Personal Data Processed by such Subprocessors,
and, where this section 8.2 applies, Nautilus shall not be required to provide a copy of the Customer Personal Data to the Customer.
8.3 Nautilus and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Nautilus shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
This ANNEX 1 includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and the duration of the Processing of the Customer Personal Data are set out in the Agreement including this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Customer Personal Data will be subject to the following basic Processing activities: transmitting, collecting, storing, and analysing data in order to provide the Services to the Customer, and any other activities related to the provision of the Services or as specified in the Agreement.
The types of Customer Personal Data to be Processed
First and last name, e-mail address; and
Any other types of Customer Personal Data needed in order to provide the Nautilus Service.
The categories of Data Subject to whom the Customer Personal Data relates
The categories of Data Subject to whom the Customer Personal Data relates are set out in the Agreement including this DPA.
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in the Agreement including this DPA.
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
1. Nautilus maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
(a) secure any personal data Processed by Nautilus against accidental or unlawful loss, access or disclosure;
(b) identify reasonably foreseeable and internal risks to security and unauthorised access to the personal data Processed by Nautilus;
(c) minimise security risks, including through risk assessment and regular testing.
2. Nautilus will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
3. Nautilus will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.