Data Protection Addendum
This Addendum or "DPA” forms part of the Terms.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms. Except as modified below, the Terms shall remain in full force and effect. To the extent there is any conflict between the provisions of the Addendum and the rest of the Terms, the provisions of the Addendum shall prevail.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms. Except where the context requires otherwise, references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.
- “Special Categories of Personal Data” shall have the same meaning as in Article 9(1) of the GDPR;
- “Sub-processor” means any entity engaged by Canary or a Canary affiliate to process Video Feeds in connection with the Services; “Video Feeds” means the Personal Data comprised in the audio and video footage, images and meta data captured by our Services and processed on your behalf; and
- The terms “controller”, “data subject”, “Personal Data”, “Personal Data Breach”, “Processor” “processing” and “Supervisory Authority” shall have the same meaning as in Article 4 of the General Data Protection Regulation (“GDPR”) (together with any national transposing measures, secondary legislation (including European Commission decisions) adopted under the foregoing, “Applicable Data Protection Law”).
This Addendum only applies to you if you are habitually located within the EEA and you are subject to the obligations under the GDPR as a Controller of Video Feeds (in other words, other than where your use of the Services is “in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity”). This Addendum only applies in respect of Video Feeds. You agree that Canary is not responsible for Personal Data, including Video Feeds, that you have elected to process or share outside of the Services.
Details of Data Processing
- Subject Matter. The subject matter of the data processing under this Addendum is your Video Feeds.
- Duration. As between you and us, the duration of the data processing under this Addendum is determined by you.
- Purpose. The purpose of the data processing under this Addendum is the provision of the Services initiated by you from time to time.
- Nature of the Processing. The Services as described in the Terms and initiated by you from time to time.
- Type of Personal Data. Your Videos Feeds relating to you or other individuals whose Personal Data is included in such Video Feeds which is processed as part of the Services in accordance with instructions given through your account.
- Categories of Data Subjects. You and any other individuals whose Personal Data is included in Video Feeds.
Processing Roles and Activities.
- Canary as Processor and You as Controller. You are the Controller and Canary is the Processor of your Video Feeds.
- Description of Processing Activities. We will process your Video Feeds for the purpose of providing you with the Services, as may be used, configured or modified from within your account (the “Purpose”).
- Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to your Video Feeds and that your Video Feeds are collected lawfully and in accordance with such laws, rules and regulations. You will also ensure that the processing of your Video Feeds in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including Applicable Data Protection Law). Canary will not access or use your Video Feeds except as provided in the Terms, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
- Canary (as Processor) agrees with you (as Controller) that it shall:
- only process Video Feeds on your behalf and in compliance with your documented instructions and the Terms unless Canary is required to do so by mandatory EU or EU Member State law to which Canary is subject. In such cases, Canary will inform you of that legal requirement before processing, where permitted to under that law;
- taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to Video Feeds implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk;
- take reasonable steps to ensure that Canary’s personnel, agents and contractors that process your Video Feeds are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
- taking into account the nature of the processing, assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligations to respond to requests to exercise data subject’s rights under the GDPR;
- notify you without undue delay of becoming aware of a Personal Data Breach affecting your Video Feeds and taking into account the nature of processing and the information available to Canary, provide reasonable assistance to you to allow you to meet any obligations applicable to you in relation to such breaches under the GDPR;
- taking into account the nature of the processing and the information available to Canary, provide reasonable assistance to you in relation to any mandatory obligations applicable to you in relation to the performance of data protection impact assessments or the carrying out of consultations with a Supervisory Authority under the GDPR, in each case solely in relation to the processing of your Video Feeds;
- upon the expiration or termination of the Terms for any reason, at your election, return or delete all your Video Feeds in Canary’s possession and delete existing copies of your Video Feeds (unless Canary is required by mandatory EU or EU Member State law to retain the Personal Data);
- provide written responses and documentary information reasonably necessary to demonstrate compliance with Canary’s obligations under Clauses 5.1.1 - 5.1.7 above and, only to the extent required under Applicable Data Protection Law and where such compliance cannot be verified by providing you with evidence of Canary’s compliance, including without limitation evidence provided by an independent third party provider of compliance verification, allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you and agreed to by Canary that relate to your Video Feeds. For the avoidance of doubt, such audit shall be carried out no more than once in any 12-month period with reasonable notice, during regular business hours, in a manner which is not disruptive to Canary’s business and under a duty of confidentiality. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers from which the Services are provided. You will bear the fees of any auditor and any expenses incurred by Canary in complying with this clause 5.1.8 and clauses 5.1.4 and 5.1.6; and
- promptly inform you if, in its opinion, an instruction infringes Applicable Data Protection Law.
- You acknowledge and agree that (a) Canary’s affiliates, including Canary Connect, Inc., Smartfrog Services GmbH, and Smartfrog Limited, may be retained as Sub-processors; and (b) Canary and its affiliates may engage third party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to process your Video Feeds, Canary or a Canary affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Video Feeds as those in this Addendum, to the extent applicable to the nature of the services provided by such Sub-processor.
- A current list of Sub-processors, including the identities of those Sub-processors and their country of location, is available from Canary via a secured resource upon request. Canary shall update this secured resource with the details of new Sub-processor(s) before authorizing such new Sub-processor(s) to process Video Feeds in connection with the provision of the applicable Services. You agree to review the secured resource regularly in the context of such updates.
- You may reasonably object to Canary’s use of a new Sub-processor by notifying Canary promptly in writing within ten (10) business days after details of the new Sub-Processor have been added to the secured resource in accordance with clause 5.3. Such notice shall explain the reasonable grounds for the objection. Canary may recommend a commercially reasonable change to your configuration or use of the Services to avoid processing of your Video Feeds by the objected-to new Sub-processor without unreasonably burdening you. If Canary is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable subscription with respect only to those Services which cannot be provided by Canary without the use of the objected-to new Sub-processor by providing written notice to the other party.
- Canary shall be liable for the acts and omissions of its Sub-processors to the same extent Canary would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.
- If and to the extent that Canary, as Processor of your Video Feeds, proposes to transfer such Video Feeds outside the European Economic Area, Canary will carry out such transfers in compliance with Applicable Data Protection Law.
- If Canary determines that it can no longer meet any of its obligations arising under clause 5.1 of this Addendum, it shall notify you without delay. In such a case, or if you have otherwise notified Canary of your determination that Canary cannot meet said obligations, Canary shall cease processing your Video Feeds and take other reasonable and appropriate remedial steps, including as directed by you.
- Canary (as Processor) agrees with you (as Controller) that it shall:
Your Obligations and Instructions to Canary
- You represent and warrant that:
- all use of the Services by you, your employees, agents and any other persons with access to or use of the Services will be in compliance with Applicable Data Protection Law;
- you shall only process Special Categories of Personal Data using the Services in accordance with Article 9 of the GDPR, in reliance on explicit consent or to protect the vital interests of the data subjects or of another person where the data subject is physically or legally incapable of giving consent, and as otherwise permitted by Applicable Data Protection Law;
- to the extent that you rely on consent as a ground to process Personal Data or Special Categories of Personal Data under Applicable Data Protection Laws, you shall obtain the valid consent of data subjects in accordance with Applicable Data Protection Laws (including, in particular, in accordance with Articles 6(1)(a) and 9(2)(a) of the GDPR);
- you will display any notices, stickers or other signage inside and outside your property as required by Canary or Applicable Data Protection Law from time to time; and
- you will not, and will procure that your employees, agents and any other persons with access to or use of the Services do not, unlawfully upload or circulate Video Feeds generated by the Services.
- You hereby instruct Canary to:
- process Video Feeds on its behalf so Canary can comply with its obligations under the Terms and provide the Services to you;
your Video Feeds as appropriate to designated third parties; the Video Feeds to Canary Connect, Inc. and it affiliates in order to provide the Services, and where necessary to enter into standard contractual clauses on your behalf to effect the lawful transfer of Video Feeds; and Video Feeds in accordance with Section 5.4 of the Terms.
- You represent and warrant that:
Liability and Indemnity
- The liability of each party under this Addendum is subject to the exclusions and limitations of liability set out in the Terms. You agree that any regulatory penalties or claims by data subjects or others incurred by Canary in relation to your Video Feeds that arise as a result of, or in connection with, your failure to comply with your obligations under this Addendum or Applicable Data Protection Law shall reduce Canary’s maximum aggregate liability to you under the Terms in the same amount as the fine and/or liability incurred by us as a result.
- Where pursuant to Article 82(4) of the GDPR, either party is found to be liable for the entire damage arising from a breach or breaches of the GDPR relating to activities under the Terms, in order to ensure effective compensation of one or more individuals, then the other party shall indemnify that party for that portion of the compensation attributable to any breaches of GDPR giving rise to the compensation for which it is responsible.
You are responsible for any costs and expenses arising from Canary’s compliance with your instructions or requests pursuant to the Terms (including this Addendum) which fall outside the standard functionality made available by Canary to its users generally through the Services.