Data Processing Agreement – LinkedIn – Full Funnel B.V.

THE UNDERSIGNED

This Data Processing Agreement (“DPA“) forms part of the Agreement between Full Funnel B.V (“Processor“) and CLIENT (“Controller“) and shall be effective from the date both parties execute this DPA (“Effective Date“), whichever is later. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Hereafter referred to collectively as: Parties.

CONSIDERING THAT:

1. Processor provides (online) services for Controller, whereby Processor processes personal data – Personal Data that befall Controller – as referred to in the General Data Protection Regulation (“Regulation”) for, and on behalf of Controller;
2. Parties wish to make agreements on this in the form of a Data Processing Agreement;
3. Processor can, during the implementation of an agreement with Controller, be classified as Processor within the meaning of article 4 sub 8 of the Regulation;
4. Controller will be classified as Controller within the meaning of article 4 sub 8 of the Regulation;
5. When in this Data Processing Agreement mentioning is made of personal data, it refers here to personal data within the meaning of article 4 sub 1 of the Regulation;
6. Processor is willing to meet its obligation regarding security and other aspects of the Regulation, as far as this is within its control;
7. The Regulation imposes the Controller should ensure that the Processor provides sufficient and “state of the art” guarantees, with reference to technical and organizational security measures regarding the processing that must be carried out;
8. Next to this, the Regulation imposes the Controller to ensure the compliance with those measures;
9. Parties, in view of the requirements in article 28 section 3 of the Regulation, wish to put their rights and obligations in writing through this Data Processing Agreement.

HAVE AGREED AS FOLLOWS

Article 1. DEFINITIONS 

1.1 Personal data: any information relating to or traceable to an identified or identifiable natural person (the “Data Subject”);

1.2 Data: all other information (data) that are not Personal Data;

1.3 Data Subject: the person to whom the Personal Data relate. In the case of a child below the age of 16, the Data Subject refers to the child’s legal representative(s);

1.4 Data Processing Agreement: the agreement between Controller and Processor;

1.5 Agreement: Agreement between Processor and Controller regarding the service(s) delivered by the Processor to the Controller;

1.6 Processing: an operation or a set of operations relating to Personal Data or a set of Personal Data, either or not carried out through automated procedures, such as collection, recording, organization, structuring, storage, updating or modifying, requesting, consulting, usage, dissemination by means of transmission, distribution or making it otherwise available, alignment or combination, protection, erasure or destruction of data;

1.7 Controller: a natural or legal person, a public authority, a service or any other organ that – alone or jointly with others – determines the aims and means for the processing of Personal Data; when the aims and means of this processing are determined by Union or Member State Law, it may provide who the controller is or it may designate the specific criteria for his nomination (“Controller”);

1.8 Processor: the entity which processes Personal Data on behalf of the Controller;

1.9 European Economic Area: all countries of the European Union, Liechtenstein, Norway and Iceland;

1.10 Data breach: a security breach that accidentally or unlawfully leads to the destruction, the loss, the altering or the unauthorized disclosure of or the unauthorized access to the forwarded, saved or otherwise processed data and/or Personal Data;

1.11 Supervisory authority: an independent public authority responsible for supervising the compliance with the law and regulations regarding the processing of Personal Data. In the Netherlands, this is the Personal Data Authority;

1.12 Sub-Processor: A professional party who is brought in by Processor to take on (part of) the Processing.

Article 2. PURPOSES OF PROCESSING

1. Processor agrees, according to the conditions set out in this Data Processing Agreement, by order of Controller, to process Personal Data. Processing will solely take place in the context of the Data Processing Agreement and those objectives as mentioned in paragraph 2.
2. The processing’s commercial objective is the execution of (affiliate) marketing campaigns, with the aim of increasing brand awareness, traffic, clientele and/or realize turnover for the Controller. A detailed plan of the authorized processing of the Personal Data is defined in Appendix 1.
3. The Personal Data that are to be processed are listed in Appendix 1.
4. Processor will not process the Personal Data for any purpose other than determined by the Controller. Controller will inform Processor of the processing objectives, where this has not already been mentioned in this Data Processing Agreement.
5. The Processor has no authority over the aims and the means for the processing of Personal Data. The Processor will not take any decisions independently regarding the receipt and use of the Personal Data, disclosure to third parties and the duration of the storage of Personal Data.
6. Upon termination of the Agreement, the Processor is obliged to destruct in a secured manner or return the sets of data and Personal Data acquired by the Controller.
7. All (intellectual) property rights, copyrights and database rights included – on the delivered Personal Data – remain at all times with the Controller (or the Data Subject).

Article 3. OBLIGATIONS PROCESSOR

1. With regard to the processing operations mentioned in article 2, the Processor will ensure compliance with the terms that, on the basis of the Regulation, are prescribed for the processing of Personal Data.

2. Processor will, upon his first request, inform Controller about the measures it has introduced regarding its obligations covered under this Data Processing Agreement.

3. The Processor’s commitments that come forth from this Data Processing Agreement also apply to any person who processes Personal Data under the authority of Processor.

4. The processing of Personal Data by Processor will never entail that Processor’s databases will be enriched with data derived from the data sets of Controller.

5. Processor solely acts as processor by order of and by means of concrete instructions and only processes Personal Data by order of Controller.

Article 4. TRANSFER OF PERSONAL DATA

1. Processor may process Personal Data in countries within the European Economic Area. Transfer to countries outside of the European Union is permitted with prior written approval of Controller. The storage of Personal Data is also included.

2. Processor will notify Controller which country or countries are involved in case of transfer or storage in countries outside the European Economic Area. The Personal Data may only be processed in a safe third country as far as this is permitted by the Resolution (a country which offers an adequate level of protection).

3. It is recorded in Appendix 1 of this Data Processing Agreement exactly which Personal Data Processor will process and for which processing purposes.

Article 5: DISTRIBUTION OF RESPONSIBILITY

1. The authorized processing operations will be carried out within an automated environment, but may from time to time be processed manually.

2. Processor is solely responsible for the processing of Personal Data covered under this Data Processing Agreement, in accordance with the instructions of Controller and under the explicit (final) responsibility of Controller. Processor is not responsible for all other processing operations of Personal Data, always including but not limited to the collection of Personal Data by the Controller, processing operations for objectives that were not notified to the Processor by the Controller, processing operations for third parties and/or other objects. The responsibility for these processing operations solely lies with Controller.

Article 6: INVOLVING THIRD PARTIES AND SUB-PROCESSORS

1. Processor may, within the framework of the Data Processing Agreement, involve a third party or Sub-Processor, but only in duly substantiated cases. These Sub-Processors are defined in Appendix 2.

2. Processor ensures unconditionally that these third parties or Sub-Processors will, in writing, take on the same obligations as agreed between Controller and Processor. Processor ensures correct implementation of these obligations by these third parties or Sub-Processors.

Article 7: SECURITY AND CONFIDENTIALITY

1. Processor shall make every effort to take sufficient technical and organizational measures regarding the processing of Personal Data that must be carried out, against loss or any other form of unlawful processing (such as unauthorized cognizance, violation, modification or disclosure of Personal Data). This security shall at least consist of state of the art technical and organizational measures. An overview of these measures and the policy thereon is defined in Appendix 3.

2. Processor shall make efforts in order to ensure the security meets a level which, taking into account the state of the art, the sensitivity of the Personal Data concerned, and the expenses associated with making the security arrangements, is not unreasonable.

3. Controller only makes Personal Data available to Processor for processing operations, when it has assured itself that the required security measures have been taken. Processor is responsible for compliance with the measures agreed upon by Parties.

4. In accordance with the Regulation, Processor is legally obliged to a duty of confidentiality. Processor is obliged to treat all (Personal) Data received as confidential.

5. Processor obliges its (past) employees and/or subcontractors to a duty of confidentiality with regard to all Personal Data which they obtain with regard to the Agreement.

6. If Processor receives a request or decree of a Dutch or foreign compliance officer or an investigation authority, an authority that deals with criminal proceedings or a national safety authority, asking to provide (access to) Personal Data, then the Processor will immediately inform the Controller. When examining the request, the Processor will observe all instructions of the Person Responsible and render all the reasonably necessary cooperation.

Article 8: DUTY TO NOTIFY DATA BREACH

1. In case of a Data breach, Processor will exert itself to the best of its abilities to, immediately and within maximum 48 hours after detection, inform Controller about this. Processor shall exert itself to the best of its abilities to ensure that the provided information is as complete, correct and accurate as possible. The duty to notify applies regardless of the impact of the Data breach.

2. When laws and/or regulations so require, Processor will collaborate by informing the in this case relevant authorities and possible parties concerned.

3. The Duty to notify concerns in any case the reporting of the fact that a Data breach has occurred, as well as:

1. What the (alleged) cause is of the Data breach;
2. What the (as yet known and/or anticipated) consequence is of the Data breach;
3. What the (proposed) solution is for the Data breach;
4. What measures have already been taken.

Article 9. PROCESSING REQUESTS OF PARTIES CONCERNED

1. In the event that a Party Concerned submits a request for inspection, as referred to in article 15 of the Regulation, or improvement, addition, modification or screening, as referred to in article 16 and following of the Regulation, to the Processor; then the Processor will deal with the request independently.

Article 10. AUDIT

1. Controller has the right to have audits carried out by an independent ICT expert, who is observing confidentiality, to check compliance with all points stipulated in this Data Processing Agreement.

2. This audit will solely take place after Controller has requested similar audit reports available at the Processor’s, has evaluated these and has given reasonable arguments to justify the audit initiated by the Controller. Such an audit is justified if the similar audit reports, made available by the Processor, give either insufficient or inconclusive information regarding the Processor’s compliance with the Data Processing Agreement. The audit, initiated by Controller, will take place two weeks after prior notice from Controller.

3. Processor will cooperate with the audit and will provide all information reasonably relevant for the audit, including supporting data such as system logs, as well as employees, as fast as possible and within a reasonable period, in which case a period of two weeks is reasonable unless an urgent interest opposes this.

4. The findings following the executed audit will be evaluated by Parties in mutual consultation and, as a result of this, will or will not be implemented by one of the Parties or jointly by both Parties.

5. The expenses for the audit will be borne by Controller, provided that the expenses for the hired third party will always be borne by Controller.

Article 11. DURATION AND TERMINATION

1. This Data Processing Agreement has been entered into for the duration as specified in the Agreement between Parties and, failing this, in any case for the duration of the collaboration. In the event that the provision of services by the Processor to Controller should (still) continue, this Data Processing Agreement will continue.

2. The Data Processing Agreement cannot be terminated mid-term.

3. Upon termination of this Data Processing Agreement, the provisions of articles 3, 8, 9 and 12 of this Data Processing Agreement will remain fully applicable.

4. Processor is allowed to modify this Data Processing Agreement and to communicate the changes to this Data Processing Agreement to the Controller.

5. Upon termination of the Data Processing Agreement, Processor will immediately destruct the Personal Data received from Controller, unless Parties agree otherwise.

Article 12. LIABILITY

1. Processor is not liable for damage or loss, resulting from this Data Processing Agreement, unless in cases of malicious intentions or gross negligence.

Article 13. OTHER PROVISIONS

1. Solely Dutch law is applicable to the Data Processing Agreement and its implementation.

2. The obligations arising from this Data Processing Agreement take effect after Controller has safely delivered the Personal Data to the Processor.

3. All disputes, which might arise between Parties with regard to the Data Processing Agreement, will be put before the competent court of the Court in Amsterdam.

4. If the data-protection laws should change, Parties will cooperate to modify this Data Processing Agreement in order to (continue) to stay in line with prevailing legislation.

Appendix 1

• Profile picture URL, name, occupation, company, url, inbox messages, date and time of the message
  • Purpose: To allow Controller to prepare and conduct LinkedIn marketing activities 
    
• Profile link, profile picture URL, full name, status (contact / new contact / ex-contact / connection sent) type of connection (1st / 2nd / 3rd), occupation, tags, connected since, campaign assigned, filter words from profile
  • Purpose: To allow Controller to find people from its LinkedIn connections
• Inbox messages, connection status (contact / new contact / connect requested), message status (email required / no interaction / awaiting reply / replied) name of message recipient, date and time when the message was sent
  • Purpose: To allow Controller to interact with LinkedIn contacts
• Profile picture URL, name, occupation, company, url, post engagement, post author
  • Purpose: To allow Controller to find people on LinkedIn
• Profile picture URL, name, occupation, tags, actions
  • Purpose: To allow Controller to track the status of its connection requests on LinkedIn
• Name, marketing campaign affiliation, tags, actions to be done
  • Purpose: To allow Controller to sort its LinkedIn connections
• LinkedIn Controller data from LeadHQ and a third-party tool: name, event, campaign, tags, target url, history, time delta, test
  • Purpose: To allow Controller to integrate third-party tool
• Contact id, first name, last name, profile link, job title, company name, email, phone, address, image link, tags, contact status, conversation status, object urn, public identifier, profile link, public identifier, message thread link, invited at, connected at
  • Purpose: To allow Controller to import its LinkedIn contacts and blacklists to Processor’s platform
• Conversation status (success / failure)
  • Purpose: To allow Controller to analyse whether a LinkedIn contact responded to its message positively 
• Contact id, first name, last name, profile link, job title, company name, email, phone, address, image link, tags, contact status, conversation status, object urn, public identifier, profile link, public identifier, message thread link, invited at, connected at
  • Purpose: To allow Controller to export LinkedIn contacts found via Processor’s platform
• Day-by-day (periodical) statistics, total statistics, communication statistics, campaign statistics, task statistics based on personal data listed above
  • Purpose: To allow Controller to analyse the efficiency of its social/marketing activities on LinkedIn

Appendix 2

• Zapier Inc
  • Purpose: Tranfer data to CRM (optional)
  • Location: The United States
  • Security: https://zapier.com/security-compliance 
• Pabbly Connect
  • Purpose: Transfer data to CRM (optional)
  • Location: United States
  • Security: https://www.pabbly.com/privacy-policy/ 
• Twilio Sendgrid
  • Purpose: .CSV export (optional)
  • Location: The United States
  • Security: https://www.twilio.com/legal/data-protection-addendum 
• Google LLC
  • Purpose: Email, onboarding, evaluation, data enrichment
  • Location: The Netherlands
  • Security: https://cloud.google.com/security/compliance
• CJ2 Hosting B.V.
  • Purpose: Cloud hosting provider
  • Location: The Netherlands

Appendix 3

• We use the latest antivirus software on our computers.
• All our accounts are protected by 2FA (2 factor authentication).
• Physical doors to our office are always locked when we are not present.
• All system passwords will be reset on a regular base
• Twice a year we perform a full security audit.
• We take measures to ensure employees only have access to sensitive data when necessary and remove permission upon completion.