Last modified: January 1, 2023
This Aries Data Processing Addendum (“DPA”) is part of the service agreement (“Agreement”) between Aries Systems Corporation (“Aries”) and the publisher identified in the Agreement (“Publisher”) and in which this DPA is referenced.
- The terms “controller,” “data subject”, “personal data”, “personal data breach”, “processing”, and “processor” will have the meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as ‘personal information’ instead of ‘personal data’, they shall be read herein as the same.
- “Data Protection Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the processing of personal data under the Agreement.
- The subject-matter of processing is the personal data provided in respect of the services under the Agreement. The duration of the processing is the duration of the provision of the services under the Agreement until disposal of the personal data in accordance with the Agreement. The nature and purpose of the processing is in connection with the provision of the services under the Agreement. The types of personal data processed are those submitted by or at the direction of the Publisher as part of the services under the Agreement. The categories of data subjects are those whose personal data is submitted by or at the direction of the Publisher as part of the services under the Agreement.
- The Agreement, including this DPA, along with the Publisher’s use and/or configuration of the services, are the Publisher’s complete and final documented instructions to Aries for the processing of personal data. Additional or alternate instructions must be agreed upon separately by the parties in writing.
- Aries will implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data Protection Laws, ensure the protection of the rights of the data subjects, and provide a standard of protection that is at least the same level of protection as is required under the Data Protection Laws.
- To the extent that Aries is processing personal data on behalf of the Publisher, Aries shall:
(a) process the personal data only on documented instructions from the Publisher, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which Aries is subject; in such a case, Aries shall inform the Publisher of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all security measures required pursuant to the Data Protection Laws;
(d) respect the conditions referred to in clause D for engaging another processor;
(e) taking into account the nature of the processing, assist the Publisher by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Publisher’s obligation to respond to requests for exercising the data subject’s rights laid down in the Data Protection Laws;
(f) assist the Publisher in ensuring compliance with the obligations pursuant to the Data Protection Laws taking into account the nature of processing and the information available to Aries;
(g) at the choice of the Publisher, delete or return all the personal data to the Publisher after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data;
(h) make available to the Publisher all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Publisher or another auditor mandated by the Publisher;
and immediately inform the Publisher if, in its opinion, an instruction from the Publisher to Aries infringes the Data Protection Laws.
- To the extent that Aries is processing personal data on behalf of the Publisher, Aries has the Publisher’s general authorization to engage other processors for the processing of personal data in accordance with this DPA from Aries’ list of such processors at https://www.ariessys.com/support-and-resources/resources/subprocessors/, which Aries may update from time to time. Aries shall inform the Publisher of any intended changes by updating the list on its website at least fourteen (14) days in advance. The Publisher may object to the change without penalty by notifying Aries within fourteen (14) days after the list is updated and describing its reasons to object. Aries shall use reasonable endeavors to avoid processing of personal data by such new processor to which the Publisher reasonably objects.
- Where Aries engages another processor for carrying out specific processing activities on behalf of the Publisher, the same data protection obligations as set out in this DPA, in substance, shall be imposed on that other processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Laws. Where that other processor fails to fulfil those data protection obligations, Aries shall (subject to the terms of the Agreement) remain fully liable to the Publisher for the performance of that other processor’s obligations.
E. Data Subject Rights
- To the extent that Aries is processing personal data on behalf of the Publisher, Aries shall, to the extent legally permitted, promptly notify the Publisher of any data subject requests Aries receives, and the Publisher authorizes Aries to redirect such requests to the Publisher to respond directly.
- To the extent legally permitted, the Publisher shall be responsible for any reasonable costs arising from Aries providing assistance to the Publisher in responding to such requests.
Aries shall ensure that, to the extent that any personal data originating from the Publisher’s country is transferred by Aries to another country, such transfer shall be subject to appropriate safeguards in accordance with the Data Protection Laws.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- To the extent that Aries is processing personal data on behalf of the Publisher, Aries shall take steps to ensure that any natural person acting under the authority of Aries who has access to such personal data does not process it except on instructions from the Publisher, unless he or she is required to do so by applicable law.
H. Personal Data Breach
To the extent that Aries is processing personal data on behalf of the Publisher, Aries shall notify the Publisher without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Publisher’s requests for further information to assist the Publisher in fulfilling its obligations under the Data Protection Laws.
I. Records of Processing Activities
Aries shall maintain all records required by the Data Protection Laws and, to the extent applicable to the processing of personal data on behalf of the Publisher, make them available to the Publisher as required.
Audits shall be (i) subject to the execution of appropriate confidentiality undertakings; (ii) conducted no more than once per year, unless a demonstrated reasonable belief of non-compliance with the Agreement has been made, upon thirty (30) days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time and in an agreed upon manner.
If there is any conflict or inconsistency between the terms of this DPA and the rest of the Agreement, the terms of this DPA shall control to the extent required by law. Otherwise, the Agreement shall control in the case of such conflict or inconsistency.
L. Jurisdiction-Specific Terms
To the extent that Aries is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.
European Economic Area, United Kingdom and Switzerland
- To the extent that the Publisher transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to Aries, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
(a) the Publisher is the “data exporter,” Aries is the “data importer”;
(b) the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted, and the applicable annexes are completed with the respective content of the Agreement, including the DPA;
(c) to the extent that each party acts as a controller, Module One applies and Modules Two, Three and Four are omitted;
(d) to the extent that the Publisher acts as a controller and Aries acts as a processor, Module Two applies, Modules One, Three and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days;
(e) to the extent that each party acts as a processor, Module Three applies, Modules One, Two and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days;
(f) the “competent supervisory authority” is the supervisory authority in the Netherlands;
(g) the Clauses are governed by the laws of the Netherlands;
(h) any dispute arising from the Clauses shall be resolved by the courts of the Netherlands; and
(i) if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.
- In relation to transfers of personal data from the UK, the Clauses as implemented in section 1 above will apply subject to the following modifications:
(a) the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
(b) tables 1 to 3 in Part 1 of the UK Addendum are completed with the respective content of the Agreement, including the DPA; and
(c) table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
- In relation to transfers of personal data from Switzerland, the Clauses as implemented in section 1 above will apply subject to the following modifications:
(a) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
(b) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
(c) references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
(d) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
(e) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
(f) the Clauses are governed by the law of Switzerland; and
(g) any dispute arising from the Clauses will be resolved by the courts of Switzerland.
To the extent that Aries is processing as an operator any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for the Publisher as responsible party, Aries will further establish and maintain the security measures referred to in section 19 of POPIA and will notify the Publisher immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.
U.S. Privacy Laws Addendum to Aries Data Processing Addendum