The Customer and Hubilo shall be each referred to as “Party” or collectively as
In providing the Customer and facilitating the End User/s access to/ use of the Platform in pursuance to the Agreement, Hubilo may Process Customer Personal Data on behalf of Customer in accordance with Customer’s instructions hereunder.
Capitalized terms used in this DPA that are not defined herein shall have the meanings and references provided to them in the Agreement. For the purposes of this Addendum, the following terms shall have the following meanings:
"Affiliate" means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Agreement, where “control” means the ownership of a majority share of the stock, equity, or voting interests of such entity.
“Customer” means the Organizer that has entered into the Agreement with Hubilo to use/access the Hubilo Platform to host virtual events, which term shall include its employees, independent contractors, consultants, Affiliates, successors and assigns using/ accessing the Platform/ Services.
“Controller” or “Data Controller” means the Customer who, alone or jointly with others, collects Personal Data and determines the purposes and means of its Processing.
“Customer Personal Data”: refers to the Personal Data of the Customer as well as the End Users/ Attendees of the Customer which is processed by Hubilo under this DPA.
“Data Subject” refers to the person/ individual whose Personal Data is being accessed with his/ her consent.
“End Users” or “Attendees” means the customers of the Customer who shall, from time to time, be attending the events organised by the Customer on the Platform.
“EU Data Protection Laws” means all data protection laws and regulations applicable, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
“Personal Data” means any information related to the data subject i.e. to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restrictions, erasure or destruction.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Personnel" means the employees, agents, consultants, and contractors of Customer/ Customer's Affiliates or Hubilo/ Hubilo Affiliate, as the case may be.
"Privacy Laws and Regulations" means all US federal and state privacy laws and regulations and the provisions under Regulation (EU) 2016/679 (GDPR), applicable to the Processing of Personal Data under the Agreement.
“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller and as instructed by the Controller, usually for specific purposes and services accessible to the Controller.
“Sub-processor” means any entity/ person appointed by or on behalf of Processor to Process Personal Data on behalf of the Customer in connection with the Agreement.
Roles of the Parties
Nature and Purpose of Processing
Hubilo will only Process the Customer Personal Data on behalf of and in accordance with the Customer’s consent and written instructions.
The Customer shall be responsible for obtaining adequate consents and approvals from the End-Users whose Personal Data shall be processed by Hubilo under this DPA.
Data Controller requires Hubilo to Process the Customer Personal Data for the following purposes:
Processing to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Agreement and comply with applicable Privacy Laws and Regulations.
Processing outside the scope of this DPA (if any) will require prior written agreement between Hubilo and Customer on additional instructions for Processing. These include assisting with data subject requests and performing data protection impact assessments.
Duration of Processing
Hubilo shall Process the Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Categories of Data Subjects
The Personal Data Processed by Hubilo, relates to the following categories of data subjects:
The Customer (any authorized user of the Customer who shall operate the Account), and
End-Users authorized by Customer to access the Platform.
Type of Personal Data
The Personal Data, Processed by Hubilo includes the following categories of Personal Data:
Customer: First name, last name, email address, social media account ID, designation, organization, country etc.
End-User: name, last name, e-mail id, contact number, job profile, company name, type of the company, social media account ID, LinkedIn or Facebook profile details etc.
Notice and Consent
Customer agrees to undertake the responsibility to provide all necessary notices to End-Users and receive all necessary permissions and consents, as important and required for Hubilo to Process the Customer Personal Data under this DPA and pursuant to the applicable Privacy Laws and Regulations.
To the extent required under the applicable Privacy Laws and Regulations, Customer will appropriately document the consents and approvals of the End-Users.
Rights of Data Subjects
Customer has the right to request Hubilo to Process the following, in accordance with Chapter III GDPR:
for access, rectification, deletion, data portability, right to be forgotten, automated individual decision-making, securing copies of Customer Personal Data; and
to raise objection to and/or withdraw their consent to Processing of such Personal Data.
End User Requests: Hubilo will, to the extent legally permitted, promptly notify Customer if it receives any request from an End User, to exercise the right to access, correct, modify, delete and/or secure copies of Personal Data related to the End User, or to exercise other personal rights that the End User may be entitled to pursuant to the applicable Privacy Laws and Regulations.
Assistance: Hubilo will provide Customer with commercially reasonable cooperation and assistance in relation to handling the End User’s right to their Personal Data, to the extent legally required and to the extent Customer is unable to process such End User request through the features available on the Platform. Except where such End User request is explicitly not mandated under the applicable Privacy laws and regulations, Customer is liable to reimburse Hubilo for any costs and expenses related to the provision of such assistance.
Authority Of Customer To Issue Instructions Assistance In Compliance
Customer shall issue instructions to Hubilo in writing/ via e-mail. Hubilo will duly cooperate with and make commercially reasonable efforts to assist Customer in complying with Customer's obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of processing and the information available to Hubilo.
Limitation of Access
Hubilo will make sure that access to Customer Personal Data is limited to its Personnel on a need-to-know basis and as strictly necessary for the purposes of the Agreement/ DPA, and to comply with the Applicable Laws.
Hubilo shall ensure that all such Personnel are informed of the confidential nature of the Customer Personal Data and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Hubilo shall also impose required contractual obligations upon its Personnel who are engaged in the Processing of Customer Personal Data regarding data protection and data security obligations and thus bind the Personnel to the same obligations that Hubilo has with respect to the Processing of Customer Personal Data.
Third Party Service Providers/ Sub Processors
Customer acknowledges, agrees and authorizes, that Hubilo may engage Sub Processors or third party service providers for certain Processing activities as required from time to time on Customer's behalf.
All such Sub Processors (including their personnel) shall enter into written agreements with Hubilo to bind them substantially with the same material obligations under this DPA including the obligations with respect to confidentiality, data protection and the obligations under applicable Privacy Laws and Regulations.
Hubilo ensures that the Sub-processors shall provide the same level of protection to the Customer Personal Data as provided by Hubilo under this DPA and shall also meet the requirements of Article 28(3) of the GDPR.
Hubilo shall provide Customer with a prior written notice of the appointment of any new Sub-processor or at least within 30 (thirty) days of such appointment, including full details of the Processing to be undertaken by the Sub-processor.
Hubilo will maintain administrative, physical and technical safeguards to ensure a level of security including the pseudonymization and encryption of Customer Personal Data and protection of the security, confidentiality, and integrity of Customer Personal Data. Hubilo shall monitor compliance with these safeguards and will not in any case, decrease the overall security during the Term of the Agreement.
Hubilo shall provide for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Hubilo shall, while assessing the appropriate level of security, take into account all risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed.
Hubilo adheres to the latest security measures for the security of Customer Personal Data and shall provide to the Customer at reasonable intervals and subject to confidentiality limitations, the then most recent version of Hubilo’s information security policy.
Supervisory Power Of Customer And Audits
Hubilo shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits which shall take place once in a year, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Hubilo.
Information and audit rights of the Customer only arise under clause 9.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
Customer or an auditor mandated by the Customer undertaking an audit shall give Hubilo a notice of 30 (thirty) days prior to any audit or inspection which is to be conducted and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing any damage, injury or disruption to Hubilo’s premises, software, equipment, Personnel and/or business while its personnel are on those premises in the course of such an audit or inspection.
Customer shall ensure that any such auditor as engaged by the Customer shall perform the audit in compliance of this DPA, relevant data privacy and protection laws and necessary confidentiality obligations.
Security Breach Management And Notification
Breach prevention and management
Hubilo will continue to maintain security incident management policies and procedures to the extent required by law, and shall promptly notify Customer of any Personal Data Breach (or “Security Incident”), which Hubilo or any Sub-processor becomes aware of.
Hubilo shall provide the Customer with sufficient information regarding the Personal Data Breach enabling the Customer to meet any obligations to report such Security Incident to any authorities or inform the End-Users of such Personal Data Breach.
Hubilo will make reasonable efforts to identify and, to the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Hubilo, remediate the cause of such Security Incident. Hubilo will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any Data Subjects of a Security Incident.
Hubilo shall provide notification of a Security Incident in the following manner:
Hubilo shall, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than 72 (seventy-two) hours after Hubilo’s confirmation or reasonable suspicion of a Security Incident impacting Customer Personal Data of which Hubilo is a processor;
Hubilo will send notification of the Security Incident to the email address of Customer’s Account owner.
As part of above notification, Hubilo shall provide:
a description of the nature of the Security Incident, including the volume and type of Customer Personal Data affected and the categories and approximate number of individuals concerned;
the likely consequences of the Personal Data Breach; and
a description of the measures taken or proposed to be taken to address the Security Breach including, where appropriate, measures to mitigate its possible adverse effects.
Data Protection Impact Assessments And Prior Consultations
Hubilo shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with any supervisory authority or other competent data privacy authorities, which the Customer reasonably considers to be required as under article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to Hubilo or any Sub-processor.
Deletion And Retention Of Customer Personal Data
After conclusion of an Order Form, or earlier upon request by the Customer, at the latest upon termination of the Agreement, Hubilo shall hand over to the Customer all Customer Personal Data, or Hubilo shall, subject to the Customer’s prior consent, delete Customer Personal Data within 15 (fifteen) days of such conclusion/ request or termination event.
Copies or duplicates of the data shall never be created, except Customer agrees that Hubilo may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under the applicable law, including to retain the Customer Personal Data pursuant to legal requirements and to use the Customer Personal Data to protect Hubilo, its agents, and any person acting on their behalf in court and administrative proceedings.
It shall be Customer’s exclusive responsibility to secure all necessary data/ information from the Customer’s Account prior to such deletion, including the End User Data.
Disclosure To Competent Authorities
Hubilo may disclose Customer Personal Data, (a) if required by a summon/ subpoena or other judicial or administrative order, or if otherwise required by law, or (b) if Hubilo deems the disclosure necessary to protect the safety and rights of any person or the general public.
Anonymized And Aggregated Data
Hubilo may process data based on extracts of Personal Data on an aggregated and non-identifiable form for Hubilo's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Hubilo's discretion, provided that such data cannot reasonably identify an individual.
This DPA will commence on the same date that the Agreement comes into effect and will continue until the Agreement expires or is terminated, pursuant to the terms therein.
Hubilo's team is responsible for making sure that all Hubilo Personnel adhere to this DPA.
You can reach out to Hubilo for compliance-related queries at email@example.com.
Hubilo agrees to maintain the confidentiality of Customer Personal Data, and may disclose it to a government authority/ court, etc. only in accordance with the provisions of the DPA.
If the Customer Personal Data with Hubilo is jeopardised due to attachment or confiscation, insolvency proceedings or due to other events or measures of third parties, Hubilo shall immediately notify (i) the Customer thereof, and (ii) all institutions or persons competent or concerned that the Customer as the Controller as defined in the GDPR holds the exclusive sovereignty over and exclusive title to the data.
Each Party shall keep a record of their processing activities. They agree to co-operate with the Data Protection Authority/ Supervisory Authority when required to do so.
Hubilo may designate a representative as laid down in Art 27 Paragraph 1 GDPR in the European Union, as applicable.