Privacy Policy
Data Collection and Use
You are welcome to access this website and browse the product showcases and online catalogues of our distribution partners. You are not required to disclose personal information to us in the course of browsing the site. To fulfil online requests from you during your use of our website, such as to receive news and special offers or in response to your emailing us, we will collect some personal information about you. The elements of personal data that we may collect include:
First name and Surname
Company/Business name
Address
Email address
Telephone number
Fax number
Mobile number
When you use a credit card to make payment for a purchase from our Webshop we use STRIPE to process the payment. We do not have any access to your credit card details. You are transferred to the STRIPE site where you can complete your purchase in a secure environment without revealing your credit card number or financial information to www.mcnamaraglass.ie. STRIPE does not retain possession of your credit card details. STRIPE is certified by the TRUSTe Privacy Seal.
For more info on STRIPE : https://stripe.com/ie
Cookies
We use 'cookies' in order to recognise you when you come back to our website. This helps us to improve the content of our website and provide services that are tailored to your user experience. Cookies are small text files that are stored by your browser on your hard drive, retaining information about you and enabling our website to recognise you on repeat visits. The cookies cannot be used by themselves to identify you personally. The Help menu on the menu bar of most browsers will tell you how to erase cookies from your computer's hard drive or how to block cookies or to receive a warning before a cookie is stored.
Data Disclosure
We will not sell, distribute or lease your personal information to third parties except with your permission or as required by law. We may use aggregate information and statistics for the purposes of monitoring website usage in order to help us develop the website and our service and may provide such aggregate information to third parties. These statistics will not include information that can be used to identify any individual. www.mcnamaraglass.ie may also in future use a data services company to analyse data on our behalf, so that we can provide you with more targeted and bespoke communications. We will only use such companies if they are registered under the Data Protection Act 1998 and provided that their procedures for ensuring the privacy of your personal information are at least as rigorous as our own.
Email database security
If at any time, you wish to have your information removed from our active databases, please click the 'UNSUBSCRIBE' option in any marketing email received from us.
We use Mailchimp to manage our email database and email marketing campaigns. Mailchimp use industry standard tools to protect the data under their control. We will not transfer any information that we hold on you to third parties.
For more info on Mainchimp: http://www.mailchimp.com
MailChimp & Stripe have TRUSTe's Privacy Seal, which means their privacy policy has been reviewed by TRUSTe for compliance with their program requirements, including transparency, accountability, and choice related to the collection and use of your Personal Information. TRUSTe is an independent third party that operates a globally recognized privacy trust-mark.
GDPR UPDATE
McNamara Fittings for Furniture uses the following 3rd party platforms in the operation of our website, the Digital Processing Addendums we have for each are linked below. If you are an existing subscriber and wish to be provided with any data we have on file for you, please email theresa@mcnamaraglass.ie and we will provide you with said data, as requested. If you wish for your details to be removed from our database, please make that request to the same email address.
Effective Date: May 14, 2018.
This Squarespace Data Processing Addendum forms part of, and is subject to the provisions of, the Squarespace Terms of Service. Capitalized terms that are not defined in this Data Processing Addendum have the meanings set forth in the Terms of Service.
1. Additional Definitions.
The following definitions apply solely to this Data Processing Addendum:
a. the terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in EU Data Protection Law.
b. “Breach” means a breach of the Security Measures resulting in access to Squarespace’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by Squarespace on your behalf and instructions through the Services.
c. “Content” means your User Content and any content provided to us from your End Users, including without limitation text, photos, images, audio, video, code, and any other materials.
d. “EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
e. “GDPR” means the EU General Data Protection Regulation 2016/679.
f. “Security Measures” means the technical and organizational security measures set out here.
g. “Sub-Processor” means an entity engaged by Squarespace to process Your Controlled Data.
h. “Your Controlled Data” means the personal data in the Content Squarespace processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to your End Users’ interactions with Your Site through their browser and technologies like cookies.
2. Applicability.
This Data Processing Addendum only applies to you if you or your End Users are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that Squarespace is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
3. Details of Data Processing.
3.1 Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Your Controlled Data.
3.2 Duration. As between you and us, the duration of the data processing under this Data Processing Addendum is determined by you.
3.3 Purpose. The purpose of the data processing under this Data Processing Addendum is the provision of the Services initiated by you from time to time.
3.4 Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
3.5 Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your Account.
3.6 Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.
4. Processing Roles and Activities.
4.1 Squarespace as Processor and You as Controller. You are the controller and Squarespace is the processor of Your Controlled Data.
4.2 Squarespace as Controller. Squarespace may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Site, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
4.3 Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your Account (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on Your Site; or (b) email your End Users on your behalf.
4.4 Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. Squarespace will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
5. Our Processing Responsibilities.
5.1 How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to your Controlled Data. Additional instructions outside the scope of this Data Processing Addendum require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe applicable EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2 Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable EU Data Protection Laws. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by Squarespace of any fault or liability of Squarespace with respect to the Breach. Despite the foregoing, Squarespace’s obligations under this Section do not apply to incidents that are caused by you, any activity on your Account and/or Third-Party Services.
5.3 Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.
5.4 Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your Account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
5.5 Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.6 Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Addendum, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to privacy@squarespace.com. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to privacy@squarespace.com. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate your Account or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.6. Except as set forth in this Section 5.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. Squarespace will remain responsible for its compliance with the obligations of this Data Processing Addendum and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause Squarespace to breach any of Squarespace’s obligations under this Data Processing Addendum, solely to the extent that Squarespace would be liable under the Agreement if the act or omission was Squarespace’s own.
5.7 Squarespace Audits. Squarespace may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.
5.8 Customer Audits and Information Requests. You agree to exercise any right you may have to
conduct an audit or inspection by instructing Squarespace to carry out the audit described in Section 5.7.
You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we
share any such report or outcome from such audit with you and that we may redact any such reports as
we consider appropriate. If Squarespace does not follow such instruction or if it is legally mandatory for
you to demonstrate compliance with EU Data Protection Law by means other than reviewing a report
from such an audit, you may only request a change in the following way:
a. First, submit a request for additional information in writing to Squarespace, specifying all details required to enable Squarespace to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures.
b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Squarespace to verify Squarespace’s compliance with the Security Measures in order to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Squarespace to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Squarespace or our users’ information.
You will pay our costs in considering and addressing any Request. Any information and documentation
provided by Squarespace or its auditors pursuant to this Section 5.8 will be provided at your cost. If we
decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.
5.9 Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Addendum, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by Squarespace under this Section 5.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to Squarespace, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we share any such information with you.
5.10 Requests. You can delete or access a copy of some of Your Controlled Data through your Account. For any of Your Controlled Data which may not be deleted or accessed through your Account, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which is archived on back-up systems, which we shall securely isolate and protect from any further processing, except to the extent required by applicable law). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy. This Section 5.10 does not apply to personal data held by Third Party Services.
6. Data Transfers.
You authorize us to transfer Your Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer Your Controlled Data to the US. We will transfer Your Controlled Data to outside the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.
7. Liability.
The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by Squarespace in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or EU Data Protection Law shall reduce Squarespace’s maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.
8. Conflict.
In the event of a conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum will control.
9. Miscellaneous.
You are responsible for any costs and expenses arising from Squarespace’s compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by Squarespace generally through the Services.
Customer EU Data Processing Addendum
This Data Processing Addendum ("DPA"), forms part of the Agreement between The Rocket Science Group LLC d/b/a MailChimp ("MailChimp") and McNamara Glass & Fittings Ltd ("Customer") and shall be effective on the date both parties execute this DPA (Effective Date"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
"Agreement" means MailChimp’s Terms of Use, which govern the provision of the Services to Customer, as such terms may be updated by MailChimp from time to time.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
"Customer Data" means any Personal Data that MailChimp processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.
"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"EEA" means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
"Group" means any and all Affiliates that are part of an entity's corporate group.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
"Services" means any product or service provided by MailChimp to Customer pursuant to the Agreement.
"Sub-processor" means any Data Processor engaged by MailChimp or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or members of the MailChimp Group.
2. Relationship with the Agreement
2.1 The parties agree that DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Any claims against MailChimp or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by MailChimp in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce MailChimp’s liability under the Agreement as if it were liability to the Customer under the Agreement.
2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Scope and Applicability of this DPA
3.1 This DPA applies where and only to the extent that MailChimp processes Customer Data that originates from the EEA and/or that is otherwise subject to EU Data Protection Law on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.
3.2 Part A (being Section 4 – 8 (inclusive) of this DPA, as well as Annexes A and B of this DPA) shall apply to the processing of Customer Data within the scope of this DPA from the Effective Date.
3.3 Part B (being Sections 9-12 (inclusive) of this DPA) shall apply to the processing of Customer Data within the scope of the DPA from and including 25th May 2018. For the avoidance of doubt, Part B shall apply in addition to, and not in substitution for, the terms in Part A.
Part A: General Data Protection Obligations
4. Roles and Scope of Processing
4.1 Role of the Parties. As between MailChimp and Customer, Customer is the Data Controller of Customer Data, and MailChimp shall process Customer Data only as a Data Processor acting on behalf of Customer.
4.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to MailChimp; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for MailChimp to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
4.3 MailChimp Processing of Customer Data. MailChimp shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to MailChimp in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and MailChimp.
4.4 Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
(b) Duration: As between MailChimp and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
(c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of MailChimp's obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
(d) Nature of the processing: MailChimp provides an email service, automation and marketing platform and other related services, as described in the Agreement.
(e) Categories of data subjects: Any individual accessing and/or using the Services through the Customer's account ("Users"); and any individual: (i) whose email address is included in the Customer's Distribution List; (ii) whose information is stored on or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services (collectively, "Subscribers").
(f) Types of Customer Data:
(i) Customer and Users: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility);
(ii) Subscribers: identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publically available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).
4.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that MailChimp shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, MailChimp is the Data Controller of such data and accordingly shall process such data in accordance with the MailChimp Privacy Policy and Data Protection Laws.
4.6 Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, MailChimp employs the use of cookies, unique identifiers, web beacons and similar tracking technologies ("Tracking Technologies"). Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable MailChimp to deploy Tracking Technologies lawfully on, and collect data from, the devices of Subscribers (defined below) in accordance with and as described in the MailChimp Cookie Statement.
5. Subprocessing
5.1 Authorized Sub-processors. Customer agrees that MailChimp may engage Sub-processors to process Customer Data on Customer's behalf. The Sub-processors currently engaged by MailChimp and authorized by Customer are listed in Annex A.
5.2 Sub-processor Obligations. MailChimp shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause MailChimp to breach any of its obligations under this DPA.
6. Security
6.1 Security Measures. MailChimp shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with MailChimp's security standards described in Annex B ("Security Measures").
6.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by MailChimp relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that MailChimp may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
6.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
7. Security Reports and Audits
7.1 Customer acknowledges that MailChimp is regularly audited against SSAE 16 and PCI standards by independent third party auditors and internal auditors, respectively. Upon request, MailChimp shall supply (on a confidential basis) a summary copy of its audit report(s) ("Report") to Customer, so that Customer can verify MailChimp's compliance with the audit standards against which it has been assessed, and this DPA.
7.2 MailChimp shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm MailChimp's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
8. International Transfers
8.1 Data center locations. MailChimp may transfer and process Customer Data anywhere in the world where MailChimp, its Affiliates or its Sub-processors maintain data processing operations. MailChimp shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.
8.2 Privacy Shield. To the extent that MailChimp processes any Customer Data protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that MailChimp shall be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for any such Customer Data by virtue of having self-certified its compliance with Privacy Shield. MailChimp agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If MailChimp is unable to comply with this requirement, MailChimp shall inform Customer.
8.3 Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 8.2 shall not apply if and to the extent that MailChimp adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under EU Data Protection Laws) outside of the EEA (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Personal Data is transferred).
Part B: GDPR Obligations from 25 May 2018
9. Additional Security
9.1 Confidentiality of processing. MailChimp shall ensure that any person who is authorized by MailChimp to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
9.2 Security Incident Response. Upon becoming aware of a Security Incident, MailChimp shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
10. Changes to Sub-processors
10.1 MailChimp shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.
10.2 Customer may object in writing to MailChimp’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
11. Return or Deletion of Data
11.1 Upon termination or expiration of the Agreement, MailChimp shall (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent MailChimp is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data MailChimp shall securely isolate and protect from any further processing, except to the extent required by applicable law.
12. Cooperation
12.1 The Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, MailChimp shall (at Customer's expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to MailChimp, MailChimp shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If MailChimp is required to respond to such a request, MailChimp shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
12.2 If a law enforcement agency sends MailChimp a demand for Customer Data (for example, through a subpoena or court order), MailChimp shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, MailChimp may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then MailChimp shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MailChimp is legally prohibited from doing so.
12.3 To the extent MailChimp is required under EU Data Protection Law, MailChimp shall (at Customer's expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their authorized representative:
The Rocket Science Group LLC d/b/a MailChimp
By:
Name: Daniel Kurzius
Title: CCO/Co-founder
Date: May 25, 2018
McNamara Glass & Fittings Ltd
Name: Kevin McNamara
Title: Manager
Date: May 25, 2018
Annex A - List of MailChimp Sub-processors
MailChimp uses its Affiliates and a range of third party Sub-processors to assist it in providing the Services (as described in the Agreement). These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.
Entity NameCorporate Location
AkamaiMassachusetts, USA
AmazonWashington, USA
E-HawkNew York, USA
El CaminoCalifornia, USA
FullContactColorado, USA
GoogleCalifornia, USA
NeustarVirginia, USA
R.R. DonnelleyIllinois, USA
SlackCalifornia, USA
TaskUsCalifornia, USA
ZendeskCalifornia, USA
Annex B – Security Measures
The Security Measures applicable to the Services are described here https://mailchimp.com/about/security/ (as updated from time to time in accordance with Section 6.2 of this DPA).