Addendum on Data Processing
The Data Processing Addendum applies to personal data that Hexagon Data Group processes for and on behalf of the Customer in connection with the contractual relationship, as set forth in this Agreement, and to the extent applicable (i) the Federal Law for the Protection of Personal Data in Possession of Private Parties and its Regulations ("LFPDPPP") or (ii) any other data protection law identified in this document.
When we refer to "Grupo Hexagon Data", "we", "us" or the "Company" we mean Hexagon Data, S.A.P.I. de C.V., a company incorporated in Mexico, Hexagon Data Colombia, S.A.S., a company incorporated in Colombia, Agradecemos Tu Pago, S.A.P.I. de C.V., a company incorporated in Mexico, and their affiliates, understood as any entity directly or indirectly controlling, controlled by or under common control with them, that processes personal data in accordance with the terms described herein. We have a legitimate interest in protecting the information that our Customers share with us.
The Client agrees and accepts in its own name, as well as in the name of its representatives, what is agreed in this document.
This Data Processing Addendum (the "Agreement" and/or "DPA") forms part of the Agreement between Hexagon Data Group and Customer; it reflects the agreement between the parties regarding the processing of Customer Data. The Parties agree to comply with the following provisions and each agrees to act reasonably and in good faith.
Definitions
- Affiliated: means any entity that directly or indirectly controls, is controlled by, or is under common control with the Client. "Control" means direct or indirect ownership or 50% control of the entity's equity votes.
- Anonymization and/or Dissociation: refers to the procedure by which personal data cannot be associated with the Data Subject or allow, due to its structure, content or degree of disaggregation, the identification of the Data Subject.
- Customer databases: refers to databases containing general information on the behavior of its users and which, on special occasions and expressly indicated as such by the Client, may include personal data of the Client's users and/or consumers.
- CCPA: means the California Consumer Privacy Act, which regulates data protection for the residents of the State of California, United States of America.
- Client: For purposes of this Agreement, the term "Customer" means the legal entity, including its affiliates, who contracts for Hexagon Data Group Services.
- Contract: Hexagon Data Group establishes its business relationship with its Customers through contracts, service orders, and/or commercial agreements where bilateral agreements between the parties are established (the "Contract"). We enter into unique contracts with each Customer to address specific needs, detailing the type of data to be collected, the duration and the purpose. This Agreement forms part of the Contract.
- Customer Data: for purposes of this Agreement, means any data and/or information that Customer shares with Hexagon Data Group. This includes Customer's databases.
- Personal Data: any information concerning an identified or identifiable natural person.
- Sensitive Personal Data: those personal data that affect the most intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for the owner. In particular, data that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions, sexual preference are considered sensitive.
- Data Protection Delegate: The GDPR requires companies to appoint a person responsible for overseeing how personal data is processed and for informing and advising employees who process data about their obligations. Hexagon Data Group has appointed a Data Protection Officer. The appointed person can be contacted at privacy@hexagondata.io.
- In charge (Processor): means the natural or legal person who processes personal data on behalf of the controller.
- First Party Data: the type of data depends on the way in which this data is acquired. First Party Data are those data that are acquired "first hand" from the Customer. That is, it is information that is collected from its own sources, for example through its website, APIs, apps, newsletters and/or through direct interaction with its users and/or consumers. It is information from users who have interacted with the Customer, have been interested in the product or service, have left their data and may even already be customers.
- GDPR: by its acronym in English, refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Data Protection Laws and Regulations: means all laws and regulations applicable to the protection of personal data. In Mexican territory, specifically the Ley Federal de Protección de Datos Personales en Posesión de los Particulares and its Regulations ("LFPDPPP"); for Colombia, in particular Law 1581 of 2012 and Decree 1377 of 2013. Internationally, the leading instruments are the GDPR of the European Union and the CCPA of the State of California, United States of America.
- Responsible (Controller): means the natural or legal person who, alone or jointly, determines the purpose and form of the processing of Personal Data.
- Services: Hexagon Data Group provides services tailored to the Client's needs. In general, our services consist of being the Client's account administrators in DMP platforms. We are also in charge of analysis, creating audiences, reports and generating connections between different databases. The service specifications are indicated by the Client and are included in the Contract.
- Pseudonymization: also known as reversible disassociation. It refers to the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Sub-manager: the person to whom Hexagon Data Group entrusts the processing of Customer Data and/or the person who provides a service to Hexagon Data Group that is required for the performance of the Services for the Customer.
- Holder: means the identified or identifiable natural person to whom the personal data pertains.
- Transfer: means any communication of data to a person other than the Controller or Processor.
- Treatment: and/or "processing" in the terms of the GDPR, refers to the collection, use, disclosure or storage of personal data, by any means. Use encompasses any action of accessing, handling, using, exploiting, transferring or disposing of personal data.
All capitalized terms not defined herein shall have the meanings set forth in this Agreement.
Clauses
1. Processing of Personal Data
1.1 Relationship between the Parties. The Parties agree that in relation to the processing of Customer Data, the Customer is the Controller and Hexagon Data Group is the Processor, who may sub-process Customer Data to third parties on the terms described herein.
1.2 Treatment details. Annex A sets out the object, nature and purpose of the processing by Hexagon Data Group, the duration, the types of data and categories of Data Subjects. Each party will comply with its applicable obligations under data protection laws and regulations and this DPA.
1.3 Processing of personal data by the Customer. The Client is responsible for obtaining the consent of the Data Subjects and informing them of the processing of the data, as well as, as far as possible, anonymizing or pseudonymizing such data, by itself or through a third party, before entrusting us with its processing. The Client is responsible for the accuracy, quality and legality of the data and the means by which the Client acquired such data.
The Client undertakes to only share and/or give access to data that it has collected itself, or through its suppliers or authorized third parties, provided that at all times it is First Party Data. The Customer is solely responsible for such data. Hexagon Data Group disclaims any liability and/or claim that the Customer's suppliers or authorized third parties bring against the Customer, since all actions that Hexagon Data Group performs are entrusted to it by the Customer.
1.4 Processing of Customer Data. Hexagon Data Group may process Personal Data on behalf of and at the request of the Customer. We will treat the data as Confidential Information, unless otherwise instructed by the Customer.
1.5 Purposes of treatment. Hexagon Data Group's Services are customized to the needs and interests of each Customer, and specifications are written into each applicable Agreement. In this regard, Hexagon Data Group only processes Customer Data in accordance with (i) the Customer's written instructions, (ii) the terms of this DPA, and (iii) any Agreements and/or representations between the Parties. Hexagon Data Group may process certain categories of Personal Data on behalf of Customer for certain defined purposes, pursuant to Schedule A.
2. Rights of Data Subjects
Data Subjects have the right to modify and/or revoke their consent for the processing of their Personal Data at any time. They also have the right to be forgotten and other rights that the corresponding regulation grants them. Hexagon Data Group undertakes to comply, and to assist with compliance, at all times.
In the event that Hexagon Data Group receives a request from a user and/or consumer for whom the Customer is Responsible to exercise their ARCO rights or rights specific to their jurisdiction, Hexagon Data Group will notify the Customer. To the extent permitted by law, Hexagon Data Group will assist the Client with appropriate technical and organizational measures for the fulfillment of the Client's obligation to respond to the Data Subject's request under the Data Protection Laws and Regulations.
If the Customer or any interested third party would like to exercise their rights over personal data for which we are the Controller, they may do so using the procedure explained in the "MEANS TO EXERCISE YOUR RIGHTS" section of our Privacy Notice.
3. Hexagon Data Partners
Hexagon Data Group has a team of specialists, analysts and collaborators (the "Collaborators") trained to offer high quality Services to our Clients. We are committed to the protection of the data we process, so we implement internal measures for data handling and we also train employees to handle data in accordance with the standards described in this Agreement. The following is a list of security measures designed to protect the security and privacy of our Clients:
3.1 Confidentiality. We ensure that employees involved in data processing are informed of the confidential nature of Customer Data, receive appropriate training on their responsibilities and sign written confidentiality agreements. These confidentiality obligations survive the termination of the employee's contract.
3.2 Limitation of access. Access to Customer Data is limited to employees performing the Services pursuant to the Agreement. In addition, each collaborator is provided with a computer for the exclusive use of their collaboration with Hexagon Data Group. Any work they perform in connection with the Customer Service will be on Hexagon Data Group-owned equipment.
3.3 Data Protection Delegate. Hexagon Data Group has appointed a data protection officer. The appointed person can be contacted at privacy@hexagondata.io.
4. Sub-managers
Customer agrees and consents that Hexagon Data Group may engage third parties (the "Providers") in connection with the provision of the Services, who shall be categorized as Sub-managers in accordance with this DPA. Hexagon Data Group enters into a written agreement with each Sub-manager that contains obligations with respect to the protection of personal data no less protective than those in this DPA. The list of Sub-managers can be found in Annex B.
In the event Hexagon Data Group wishes to change a Sub-manager, it will notify Customer and must obtain Customer's consent to make such change effective. Customer may object to Hexagon Data Group's use of a new Provider within 5 (five) days of notice of the change. If Customer fails to respond and continues to act in accordance with the Agreement, the proposal shall be deemed tacitly accepted.
By contracting with the Providers we commit ourselves to:
a. hire recognized, market-leading companies that implement security measures no less protective than those set forth in this Agreement to comply with data protection, to the extent applicable to the nature of the services provided by such Sub-manager;
b. restrict the Sub-manager's access to Customer Data to only that which is necessary to maintain or provide services to the Customer;
c. be responsible for the performance of the obligations of this Agreement and for any act or omission by the Sub-managers that breaches any of the obligations set forth herein, except as otherwise provided.
5. Security
Hexagon Data Group will implement appropriate technical and organizational measures for the protection of the security, confidentiality and integrity of Customer Data.
5.1. Security measures. We establish and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing. We do not adopt lesser security measures than those we maintain for the management of our own information.
Security measures include: (a) anonymization and/or pseudonymization of personal data, to the extent possible; (b) we protect the security of your information during transmission to or from Hexagon Data Group websites, APIs, applications, products or services through the use of encryption software and protocols; (c) we create specific access keys for each actor involved in data processing; (d) we adopt internal measures for data handling by employees; and (e) we ensure that our Suppliers comply with the highest standards of data security and privacy, in compliance with applicable Laws.
5.2. Confidentiality. At all times, Hexagon Data Group will treat Customer Data as Confidential Information and ensures that all personnel responsible for processing Customer Data sign confidentiality agreements, which will govern the access, use and processing of Customer Data.
5.3. Management and notification of security incidents. In the event of a security incident, Hexagon Data Group will notify Customer as soon as it becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including anonymized data, transmitted, stored or otherwise processed by Hexagon Data Group or its Sub-managers.
Hexagon Data Group will use reasonable efforts to identify the cause of such incident and will take such steps as it deems necessary and reasonable to remedy the cause to the extent remediation is within Hexagon Data Group's reasonable control. The obligations set forth herein shall not apply to incidents caused by Customer or Customer's users.
6. Data transfer
We transfer data as little as possible. When we do so, it will be to our Providers, who are Sub-managers under the terms described in the corresponding section of this DPA. The transfers we will make are only those permitted by applicable Data Protection Laws and Regulations. We also ensure that they are to jurisdictions that meet the same or higher security standards as described in this Agreement.
7. Data deletion
During the contractual relationship with the Customer, we may store Customer Data in any of our databases. We undertake to store only the strictly necessary data and to delete them once the purpose for which they were collected has been fulfilled or once the legal limitation period has elapsed. Likewise, as far as possible and upon request, we undertake to return the Customer Data at the end of the contractual relationship.
8. Additional information for certain jurisdictions
We provide additional information about the privacy, collection and use of personal information of current and prospective Hexagon Data Group customers located in certain jurisdictions.
8.1 European Union: GDPR
Hexagon Data Group processes personal data, to the extent possible, in accordance with the requirements of the GDPR directly applicable to the provision of its Services and as provided by its Customers. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject subject to the protection of the GDPR.
8.2 CCPA
Hexagon Data Group processes Personal Data, to the extent possible, in accordance with the requirements of the CCPA directly applicable to the provision of its Services and as directed by its Customers. Within or by virtue of our Services, we do not sell databases or Personal Data of the Customer or its users and/or consumers. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject who has opted not to sell or disclose their Personal Data, to the extent applicable under the CCPA.
9. Miscellaneous
9.1 Modifications. We are constantly updating our policies to provide the best possible protection. Hexagon Data Group reserves the right to make changes and adjustments to this Agreement. The new version will become effective on the date indicated at the beginning of this Policy. In the event that we believe there are material changes we will notify you by posting a prominent notice on our website or by any available means of communication. Entry into force will be deemed to be accepted by you. We encourage you to constantly review our website during the term of our relationship.
9.2 Validity. This Agreement remains in effect for the duration of the contractual relationship with Customer. Any obligation or liability accrued up to the time of termination shall remain valid until fulfilled.
This Agreement shall be legally binding at the time it is made available to the Client. It will be understood that the Client consents to the processing of his data, when having made this Agreement available to him, he does not express his opposition.
Annex A
Treatment Details
1.1. Nature of the treatment
Hexagon Data Group processes Customer Data for the purpose of providing the Services contracted by Customer and in accordance with Customer's instructions. From time to time, Hexagon Data Group may require Customer to provide access to its data sources. We will only access the data necessary to provide the contracted Services and on the instructions of the Customer.
In the event that, under the Agreement, it is agreed that a cloud-based service is provided by a Provider (Amazon Web Services, Google or other), the parties acknowledge that any Personal Data processed within the cloud service shall be governed solely by the terms and conditions thereof as stipulated and amended from time to time by the Provider.
1.2. Purpose of treatment
The purpose of processing Customer Data may include any of the following:
- Connection to Client's databases
- Data connection to displays chosen by the Customer
- Creation of campaign reports
- Cross device matching
- Customized content delivery
- Generate audience insights
- Market research
- Maintenance and administration of accounts in the Client's name
- Analytics services that may include analysis of campaigns, websites, and/or databases.
1.3. Duration of Treatment
As provided in the section on the term of the DPA, Hexagon Data Group processes Customer Data for the duration of the contractual relationship with the Customer.
1.4. Types of Personal Data
Hexagon Data Group collects data through direct transfer by the Customer or through access to databases by the Customer. At all times it is the Customer, either by itself or through an authorized third party, who collects the data. It is First Party Data of the Client.
Types of Personal Data may include, but are not limited to:
- Cookie IDs
- E-mail address
- Inferred and reported behavioral data
- Non-precise geolocation data
- Address
- Age
- Marital status
- Gender
- Web browsing information
- Information on the use of mobile applications
- Mobile Advertising IDs
- First and last name
- Number of children
1.5. Categories of Data Subjects
Customer Data is related to the following categories of Data Subjects:
- Users, consumers and prospects
- Customer's customers and vendors
1.6. Sensitive Personal Data
Hexagon Data Group does not process sensitive data.
Annex B
Sub-managers
- Amazon Web Services, Inc.
- Datorama, Inc.
- Google LLC.
- LinkedIn Corporation
- Lotame Solutions, Inc.
- Microsoft Power BI
- QlikView from QlikTech Inc.
- Tableau Software LLC.
- TapClicks, Inc.
- TikTok Pte. Ltd.