
Lefty - Data Processing Addendum

Written by Abed Tabbara

THIS CONTROLLER-TO-PROCESSOR DATA PROCESSING ADDENDUM is an addendum and exhibit to the Subscription Agreement entered into between Lefty and the Customer and sets forth the obligations and rights of the Parties regarding Lefty’s processing of the Customer Data pursuant to such Subscription Agreement with effect from the commencement of the Subscription Agreement.

WHEREAS

(A)

This Addendum is applicable in connection with the provision of Services by Lefty to the Customer pursuant to the Subscription Agreement.

(B)

In respect of the Personal Data contained on the Lefty Platform, Lefty is the data controller of the data it collects and holds on such Lefty Platform. Once the Customer accesses the Lefty Platform, the Customer also becomes an independent data controller in respect of the data it accesses and uses on its company directory and for its analytics, as the Customer is able to determine the purposes and means of processing the data alone. Such activities of the Parties are governed by the terms of the Subscription Agreement, and not this Addendum.

(C)

From time to time, the Customer may however contribute certain Customer Data to the Lefty Platform and, where Lefty is not considered to be a bona fide independent controller of such Customer Data, Lefty shall process such Customer Data on the Customer’s behalf and on the Customer’s instructions. In connection with such processing activities, the Parties therefore agree to implement this Addendum to the Subscription Agreement to comply with the requirements of the current legal framework in relation to data processing and, in particular, with the GDPR.

(D)

In this Addendum, the Customer, to the extent it is from time to time the controller of the Customer Data being processed by Lefty as a processor pursuant to the GDPR, shall be the “Controller” and Lefty to the extent it is from time to time the processor of the Customer Data pursuant to the GDPR shall be the “Processor”.


IT IS AGREED AS FOLLOWS


1. DEFINITIONS AND INTERPRETATION

1.1

Unless otherwise defined herein, capitalised terms and expressions shall be as defined in the Subscription Agreement, and otherwise shall have the following meaning:

“Addendum”

means this Data Processing Addendum and all Schedules;

“Applicable Data Protection Laws”

means European Data Protection Laws and all data and/or information protection laws and regulations applicable to any member of the Lefty Group and/or the Customer’s Group from time to time in place;

“Customer”

means the party to the Subscription Agreement which is therein defined as the Customer or the Client or otherwise stated to be the receiver of the Services from Lefty;

“Customer Data”

shall be as defined in the Subscription Agreement, to the extent such data comprises Personal Data which is processed by Lefty as the Processor hereunder and pursuant to the GDPR;

“Data Subject”

means a natural person identified or identifiable by, in or using the Customer Data either (i) connected to any member of the Controller’s Group, or (ii) featuring on the Lefty Platform, in each case about whom Personal Data is received, held or processed by the Processor or any member of the Processor’s Group, including without limitation influencers, talents, employees, officers, advisers, contractors, suppliers, clients and/or business contacts;

“European Data Protection Laws”

means any and all of EU Data Protection Laws, UK Data Protection Laws and Swiss Data Protection Laws;

“European Personal Data”

means any Customer Data comprised within the Lefty Platform that is subject to (i) the GDPR; (ii) UK Data Protection Laws; and/or (iii) the Swiss Data Protection Laws;

“EU Data Protection Laws”

means (i) the GDPR; (ii) EU Directive 2002/58/EC; and (iii) the national laws of each Member State made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time;

“EEA”

means the European Economic Area (EU Member States plus Iceland, Liechtenstein and Norway);

“GDPR”

means EU General Data Protection Regulation 2016/679 and any national implementing laws, and the terms “controller”, “processor” and “processing” (and derivations thereof) shall be as defined in the GDPR;

“Group”

means, in respect of the applicable Party, such Party and each of its group undertakings from time to time, and “Group Company” and “member of the Group” shall be construed accordingly;

“Lefty”

means the party to the Subscription Agreement which is therein defined as Lefty or otherwise stated to be the provider of the Services to the Customer, being either Modern Agency SAS or Gaucher LLC, in each case trading as “Lefty”;

“Lefty Platform”

means the platform hosted and maintained by Lefty in respect of the Services;

“Member State”

shall mean a state which is a member of the EEA;

“Personal Data”

means any information identifying a Data Subject or information relating to a Data Subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers possessed or reasonably accessible which is Processed by the Processor on behalf of the Controller pursuant to or in connection with the Subscription Agreement;

“Personal Data Breach”

shall have the same meaning as in the GDPR;

“Restricted Transfer”

means (i) where the GDPR applies, a transfer of Personal Data to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EU Restricted Transfer”); (ii) where the UK GDPR applies, a transfer of Personal Data to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a “UK Restricted Transfer”); and (iii) where the Swiss DPA applies, a transfer of Personal Data to any other country which is not subject to an applicable adequacy determination (a “Swiss Restricted Transfer”);

“Services”

means the services Lefty has agreed to provide to the Customer pursuant to the Subscription Agreement;

“Standard Contractual Clauses”, “SCCs” or “Clauses”

means (i) where the GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under section 119A(1) of the DPA 2018 (“UK Addendum”), as well as any alternative or successor clauses thereto, which are recognised by the European Commission or a relevant Supervisory Authority and which may be adopted by one of the Parties hereunder;

“Sub-Processor”

means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Processor in connection with this Addendum including without limitation Backblaze, Hetzner, GoCardless, Chargebee and Stripe;

“Subscription Agreement”

means the contract(s) entered into between Lefty and the Customer in respect of the Services;

“Supervisory Authority”

means a data protection or other regulatory body or public agency with the jurisdiction to enforce Applicable Data Protection Laws;

“Swiss Data Protection Laws”

means (i) the Swiss Federal Act on Data Protection of 25 September 2020 and its corresponding ordinances (“Swiss DPA”); and (ii) any other national laws in Switzerland applicable (in whole or in part) to the processing of Personal Data; in each case, as amended or superseded from time to time;

“UK Data Protection Laws”

means (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect under section 2 of the European Union (Withdrawal) Act 2018; (iii) the Data Protection Act 2018 (the “DPA 2018”); and (iv) any other laws in the UK made under, pursuant to, or that implement (i), (ii) or (iii), or which otherwise relate to the processing of Personal Data; in each case, as amended or superseded from time to time.

1.2

Unless the context requires otherwise, words and expressions defined in or having a meaning provided by the GDPR shall have the same meaning in this Addendum.

1.3

Unless the context requires otherwise, references in this Addendum to:

  • the singular shall include the plural and vice versa; and

  • any statute or statutory provision shall be deemed to include any instrument, order, regulation or direction made or issued under it and shall be construed so as to include a reference to the same as it may have been, or may from time to time be, amended, modified, consolidated, re-enacted or replaced.

1.4

The headings in this Addendum are for convenience only and shall not affect its meaning. References to a “clause”, “Schedule” or “paragraph” are (unless otherwise stated) to a clause of and Schedule to this Addendum and to a paragraph of the relevant Schedule. The Schedules form part of this Addendum and shall have the same force and effect as if expressly set out in the body of this Addendum.

2. DATA PROTECTION

2.1

Each Party agrees to comply with all Applicable Data Protection Laws in connection with the Customer Data. This clause is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under Applicable Data Protection Laws.

2.2

Schedule 1 sets out the scope, nature and purpose of processing by Processor, the duration of the processing and the types of Customer Data and categories of Data Subject.


3. PROCESSING OF PERSONAL DATA

The Processor hereby irrevocably and unconditionally agrees and undertakes:

3.1

to comply with Applicable Data Protection Laws in respect of the applicable Processing of Customer Data;

3.2

to Process such Customer Data only on the instructions of the Controller, including with regard to transfers of Customer Data to a third country or an international organisation, unless required to do so by EU, Member State, UK and/or Swiss law to which the Processor is subject or as documented herein. In such a case the Processor shall inform the Controller without delay of that legal requirement before Processing, unless EU or Member State law prohibits such information;

3.3

to ensure all persons authorised to process Customer Data for or on behalf of the Processor are subject to appropriate confidentiality obligations;

3.4

that it shall, unless prohibited by law, immediately inform the Controller if, in its reasonable opinion, an instruction of the Controller under clause 3.2 infringes Applicable Data Protection Laws;

3.5

to ensure that it has in place appropriate technical and organisational measures, in such a manner that Processing by the Processor (or any member of the Processor’s Group and/or any Sub-Processors) meets the requirements of Applicable Data Protection Laws. Where EU Data Protection Laws apply, the Processor must comply with Article 32 of GDPR;

3.6

to assist the Controller in ensuring compliance with its obligations under the Applicable Data Protection Laws with respect to Data Subject rights, security, Personal Data Breach notifications, data protection impact assessments, deletion or return of data and prior consultations with supervisory authorities or regulators;

3.7

to make available all information reasonably necessary to demonstrate compliance and contribute to audits. The Processor may satisfy such obligations by providing up-to-date independent third-party audit reports/certifications and responses to reasonable security questionnaires;

3.8

to cooperate, on request, with competent Supervisory Authorities in relation to Processing under this Addendum;

3.9

to notify the Controller immediately and in accordance with Applicable Data Protection Laws on becoming aware of (i) a Personal Data Breach or potential breach by it, any member of the Processor’s Group or any Sub-Processor or (ii) any request from a Data Subject under any Applicable Data Protection Laws in respect of its Customer Data. The Processor shall reasonably assist the Controller on handling the Personal Data Breach or Data Subject request and shall provide the Controller with all reasonably necessary information regarding the Personal Data Breach or Data Subject request;

3.10

at the written direction of the Controller, to delete or return all of the Customer Data (including copies thereof) unless required by EU or Member State laws to store the Customer Data. Unless directed otherwise by the Controller, pseudonymised Customer Data may be retained by the Processor subject to the safeguards and derogations in Article 89 of GDPR;

3.11

to maintain and, upon request, make available complete and accurate records and information to demonstrate its compliance with the obligations set out in this clause 2;

3.12

where the Controller requests assistance in connection with Data Subject rights (including without limitation right of access, rectification, erasure, restriction of Processing and to object to Processing), to reasonably co-operate to assist the Controller (at Controller’s cost) to comply with its obligations under Applicable Data Protection Laws;

3.13

to promptly notify the Controller (unless legally prohibited) of any binding request from a public authority for disclosure of Customer Data, to challenge unlawful or disproportionate requests and seek to narrow their scope, and to disclose only the minimum necessary; and

3.14

where US state privacy laws apply, to act as a service provider and processor, not sell or share such applicable Customer Data, and not retain, use or disclose it for any purpose other than providing the Services and/or as permitted by law.

4. SUB-PROCESSING

4.1

The Controller authorises the Processor to engage third-party Sub-Processors to process the Customer Data as required in connection with the provision of the Services pursuant to the Subscription Agreement provided that:

  • 4.1.1 the Processor imposes data protection terms on any Sub-Processor it appoints that require it to protect the Customer Data to the standard required by Applicable Data Protection Laws and consistent with this Addendum; and

  • 4.1.2 the Processor remains liable for any breach of this Addendum that is caused by its Sub-Processors.

4.2

If the Controller objects on reasonable grounds relating to data protection, the Processor will discuss with the Controller (in each case acting reasonably and in good faith) whether it is possible to appoint or replace the Sub-Processor in a way that objectively resolves the Controller’s objection. If this is not reasonably possible, then:

  • 4.2.1 the Processor may (in its sole discretion) choose either not to appoint or replace the Sub-Processor, or to suspend or terminate the Subscription Agreement with one month’s written notice (without prejudice to any fees incurred by the Controller up to and including the date of suspension or termination); or

  • 4.2.2 the Controller may choose to terminate the Subscription Agreement with one month’s written notice to the Processor.


5. CROSS BORDER TRANSFERS OF CUSTOMER DATA


5.1 Restricted Transfers from Customer to Lefty

To the extent that any transfer of Customer Data from Customer to Lefty is a Restricted Transfer, the SCCs shall be incorporated into this Addendum and apply as follows:


5.1.1 EU Restricted Transfers

Where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between the Controller and the Processor as follows:

  • Module Two will apply (unless Customer is a Processor and Lefty is a sub-Processor, in which case Module Three will apply);

  • In Clause 7, the optional docking Clause will apply;

  • In Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be 30 days;

  • In Clause 11, the optional language will not apply;

  • In Clause 17, Option 1 will apply, and the EU SCCs will be governed by French law;

  • In Clause 18(b), disputes shall be resolved before the courts of Paris;

  • In Annex I:

    • Parts A and B shall be deemed completed with the information set out in Schedule 2 to this Addendum; and

    • Part C shall be deemed completed in accordance with the criteria set out in Clause 13(a) of the EU SCCs; and

  • Annex II shall be deemed completed with the security measures set out in Schedule 3 to this Addendum.


5.1.2 UK Restricted Transfers

Where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between Customer and Lefty as follows:

  • The EU SCCs, completed as set out above, shall apply between Customer and Lefty, and shall be modified by the UK Addendum (completed as set out below); and

  • Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in Table 4.

    The start date of the UK Addendum (as set out in Table 1) shall be the date of the Subscription Agreement.


5.1.3 Swiss Restricted Transfers

Where the Restricted Transfer is a Swiss Restricted Transfer, the EU SCCs will apply between Customer and Lefty as set out above with the following modifications:

  • References to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

  • References to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;

  • References to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law” (as applicable);

  • The term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

  • Clause 13(a) and Part C of Annex I are not used, and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;

  • References to the “competent supervisory authority” and “competent courts” shall be replaced with references to the Swiss Federal Data Protection and Information Commissioner and applicable courts of Switzerland; and

  • In Clause 17, the EU SCCs shall be governed by the laws of Switzerland.


5.2 Restricted Transfers by Lefty

5.2.1

The Processor will not make a Restricted Transfer of the Customer Data to a recipient in another country unless it has done all such things as are necessary to ensure that the Restricted Transfer is compliant with European Data Protection Laws. Such measures may include transferring the Data to a recipient in a country that is deemed to provide adequate protection for Personal Data under European Data Protection Laws or to a recipient that has executed Standard Contractual Clauses with the Processor in accordance with European Data Protection Laws.

5.2.2

To the extent Lefty is deemed to be an independent controller of any Customer Data (“Controlled Customer Data”), it will:

  • (a) comply with the terms of the Subscription Agreement and European Data Protection Laws in respect of such role as a Controller of such Controlled Customer Data; and

  • (b) to the extent Lefty’s access to such Controlled Customer Data is deemed a Restricted Transfer, Lefty agrees to comply with the EU Module 1 SCCs (as defined in the Subscription Agreement) in respect of such European Personal Data (including the UK Addendum set out therein in respect of UK-origin data and the Swiss Addendum set out therein in respect of Swiss-origin data).


6. TERM

6.1

This Addendum shall continue in force for as long as any of the Customer Data is Processed by the Processor and/or any member of its Group and/or any of its respective Sub-Processors.


7. DELETION OR RETURN OF CUSTOMER DATA

7.1

The Processor shall promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of the Customer Data and payment of all fees and/or expenses, delete and procure the deletion of all copies of such Customer Data so Processed.


8. GENERAL

8.1

This Addendum is subject to the non-conflicting terms of the Subscription Agreement. With regard to the subject matter of this Addendum, if inconsistencies between the provisions of this Addendum and the Subscription Agreement arise, the provisions of this Addendum shall prevail with regard to the Parties’ data protection obligations.

8.2

Except to the extent prohibited by applicable law, the total aggregate liability of the Processor and its affiliates (including any liability arising from acts or omissions of its sub-processors) for any breach of this Addendum will be subject to the aggregate limitation of liability set out in the Subscription Agreement between the Parties. If no aggregate liability limit is specified in the Subscription Agreement, the total liability of the Processor and its affiliates under or in connection with this Addendum will be limited to two (2) times the total fees paid by the Customer under the Subscription Agreement in the twelve (12) months preceding the event giving rise to the claim.

8.3

Except to the extent prohibited by applicable law, in no event shall either Party be liable to the other for any indirect, incidental, special, punitive, or consequential damages, including but not limited to lost profits, loss of use, loss of data, or interruption of business, whether under any theory of contract, tort, strict liability, or otherwise, even if advised of the possibility of such damages. This exclusion is in addition to, and not in place of, any other limitation or exclusion of liability provided in the Subscription Agreement.

8.4

All notices and communications given under this Addendum must be in writing and will be delivered personally or sent by post, and sent by email, to the address and email address set out in the heading of this Addendum or at such other address as notified from time to time by the Party changing address.

8.5

No variation of this Addendum shall be effective unless made in writing signed by or on behalf of each Party and expressed to be such a variation.


9. GOVERNING LAW AND JURISDICTION

9.1

This Addendum is governed by the laws of France.

9.2

Any dispute arising in connection with this Addendum, which the Parties will not be able to resolve amicably, will be submitted to THE EXCLUSIVE JURISDICTION OF THE COURTS OF PARIS, even in the event of multiple defendants and/or warranty claims.


SCHEDULE 1 — DATA PROCESSED


1. SCOPE

1.1

In connection with the provision of Services by Lefty to the Client, Lefty may from time to time act as a Processor of Customer Data.

1.2

As agreed in the Subscription Agreement, in respect of the Personal Data contained on the Lefty Platform, Lefty is the data Controller of the data it collects and holds on such Lefty Platform. Once the Customer accesses the Lefty Platform, the Customer also becomes an independent data Controller in respect of the Personal Data it accesses and uses on its company directory and for its analytics, as the Customer is able to determine the purposes and means of processing the Personal Data alone.

1.3

For the avoidance of doubt, this Addendum therefore only applies to situations where the Customer gives specific instructions to Lefty to process Customer Data for which the Customer is the Controller as listed hereafter. In respect of such Customer Data, Lefty will comply with this Addendum and the Customer’s reasonable instructions and requirements relating to any processing activities pursuant to this Addendum.


2. TYPES AND CATEGORIES OF PERSONAL DATA AND PURPOSE OF PROCESSING

Category of Data Subject

Influencers listed on the Lefty Platform, including Lefty campaigns and directory.

Type of Data Subject

Social media influencers, talents, KOLs, content creators, industry experts and VIPs (“Influencers”).

Categories of Personal Data

“Customer Data”, being Personal Data from Influencers entered or contributed by Customer, including without limitation names and handles, bio and interests, public posting activity, public conversations, engagement, followers and follower counts, audience analytics. To the extent the Customer uses the Lefty Platform to process payments, the Customer Data may include such payment and account information.

Purpose

Providing the Services and permitting the Customer to set up and manage campaigns on the Lefty Platform and keep track of brand ambassadors.


3. DURATION OF THE PROCESSING

3.1

For the length of time the Services are being provided and for such time thereafter as is required by law or regulation to be retained or as retained pursuant to bona fide disaster recovery procedures.

SCHEDULE 2 — DATA PROCESSING SCHEDULE


PART A — LIST OF PARTIES

Customer and Data Exporter

Name:

The Customer company name as set out in the Subscription Agreement.

Address:

The Customer details as set out in the Subscription Agreement.

Contact person’s name, position and contact details:

The Customer details as set out in the Subscription Agreement and/or available in their Lefty Platform administration details.

Activities relevant to the data transferred under the SCCs:

Contributing the Customer Data for the purposes of receiving the Services pursuant to the Subscription Agreement.

Signature and Date:

This Addendum is deemed executed upon execution of the Subscription Agreement.

Role:

Controller (unless the Customer is a Processor on behalf of a third-party Controller, in which case it shall be a Processor).


Processor and Data Importer

Name:

The Lefty company name as set out in the Subscription Agreement.

Address:

The Lefty details set out in the Agreement.

Contact person’s name, position and contact details:

The Group Data Protection Officer (DPO@the-independents.com)

Activities relevant to the data transferred under the SCCs:

Receiving the Customer Data for the purposes of providing the Services pursuant to the Subscription Agreement.

Signature and Date:

This Addendum is deemed executed upon execution of the Subscription Agreement.

Role:

Processor.


PART B — DESCRIPTION OF PROCESSING AND TRANSFER

Categories of Data Subjects whose Personal Data is processed and transferred:

Social media influencers, talents, KOLs, content creators, industry experts and VIPs (together, “Influencers”).


Categories of Personal Data processed and transferred:

“Customer Data”, being Personal Data from Influencers entered or contributed by Customer, including without limitation:

  • names and handles

  • bio and interests

  • public posting activity

  • public conversations

  • engagement

  • followers and follower counts

  • audience analytics

To the extent the Customer uses the Lefty Platform to process payments, the Customer Data may include such payment and account information.


Sensitive data transferred (if applicable)

and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as:

  • strict purpose limitation

  • access restrictions (including access only for staff having followed specialised training)

  • keeping a record of access to the data

  • restrictions for onward transfers

  • additional security measures

Not applicable, unless Customer submits Sensitive Data in its use of the Services and/or the Lefty Platform pursuant to the Subscription Agreement, save that to the extent the Customer uses the Lefty Platform to process payments, the Customer Data may include such payment and account information which shall be kept secure by the Customer and Lefty.


The frequency of the transfer

(for example, whether the data is processed and transferred on a one-off or continuous basis)

Continuous during subscription to the Lefty Platform pursuant to the Subscription Agreement.


Nature of the processing

Data collection, recording, organisation, structuring, storage and analysis.


Purpose(s) of the processing, transfer and further processing

In connection with the receipt of the Services – in particular to enable the Customer to:

  • discover,

  • evaluate,

  • and manage influencer campaigns,

including social listening, analytics, and reporting and, where applicable, to handle and process payments.


The period for which the Personal Data will be retained

or, if that is not possible, the criteria used to determine that period:

The period of access to the Platform during the term of the Subscription Agreement.

The data importer will retain EU personal data no longer than necessary for the stated purposes following termination or expiry of the Subscription Agreement.


For transfers to (sub-) processors

also specify subject matter, nature and duration of the processing:

The subject matter, nature and duration of the processing are as set out above.


PART C — COMPETENT SUPERVISORY AUTHORITY

Competent Supervisory Authority where the EU GDPR applies:

The competent EU supervisory authority shall be determined by reference to the place of establishment of the Customer in accordance with Clause 13 of the Standard Contractual Clauses.

Competent Supervisory Authority where the UK GDPR applies:

The Information Commissioner’s Office.


SCHEDULE 3 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

The technical and organisational measures (TOMs) provided below explain all measures which have been implemented by The Independents Group (the “Group”), of which Lefty is a member, in order to ensure compliance with GDPR and otherwise to ensure good and robust procedures, practices and policies are in place from a general compliance perspective as appropriate for a business of its size and nature.


SUMMARY

Information Security Policies

IT policies and procedures in place, including dealing with remote access, use of data and password controls.

Business Continuity

Protocols and measures in place to back-up personal data and ensure that it can be recovered and maintained in the event of an incident.

Risk Assessment

Regular and ongoing assessment of high risk data and processing activities and developing mitigating solutions to prevent/reduce risks.

Policies and Procedures

Policies and procedures in place in respect of data protection, data retention and specific Group databases – in order to ensure employees know what their obligations are and what to do if certain situations occur.

Management Information & Reporting

Regular reports and information passed to upper management to ensure that the adequate resources and funding are available and for accountability at all levels.

Awareness & Training

A culture of security and data protection awareness to ensure employees, contractors and any third-party working for or with the Group, know what is expected of them and how to maintain compliance – regular and ongoing training provided, including new online e-learning platform implemented for the start of 2021.

Reviews & Audits

Formal third-party audits carried out on regular basis to ensure the Group has appropriate policies and procedures/technical and operational measures which are working and remain relevant – to ensure they are still effective and fit for purpose.


SPECIFIC TOMs


1. Information Security Policies

1.1

The Group maintains robust IT policies and procedures sufficient for a business of its size and nature. Employees are only able to access Group systems using company hardware and the Group’s password controls require regular updates. Software is regularly updated by the Group’s IT Department.

1.2

In addition, the Group’s IT Department applies protections on end-user devices and monitors those devices for compliance with security standards requiring:

  • hard drive passwords

  • screen saver/screen locking protection

  • antivirus software

  • firewall software

  • no unauthenticated file sharing

  • hard disk encryption

  • appropriate patch levels

Controls are implemented to detect and remediate workstation compliance deviations.

1.3

In terms of hardware, the Group uses Active Directory, which provides a single sign-on process for each user, with a login account and password meeting industry standards. All devices, including servers, run industry-standard anti-malware software provided by the Trend Micro Anti-Virus system. Regular updates are run on all machines – on at least a weekly basis in the office.

1.4

The Group maintains measures to identify, manage, mitigate and/or remediate vulnerabilities within the IT computing environments, including:

  • Patch management

  • Anti-virus / anti-malware

  • Threat notification advisories

  • Vulnerability scanning (all internal systems) and periodic penetration testing (for internet facing systems) with remediation of identified vulnerabilities.

1.5

In terms of physical security, the Group’s offices are all keypad locked, with manned front desks monitoring those entering and leaving the buildings, and securely locked at night. All offices are equipped with alarms, comprehensive CCTV systems and firewall protection. The Group operates a clear desk policy and lockable storage space is provided. Confidential waste is destroyed and disposed of on-site and all employment contracts contain standard provisions relating to the confidentiality of information obtained whilst working for the Group.


2. Business Continuity

2.1

The Group has automatic disaster recovery and back-up procedures which run regularly to ensure minimal interruption and loss of data in the event of a disaster. Servers are backed up every 4 hours – on an incremental back-up basis – plus routine nightly, weekly and monthly back-ups. Such back-ups are stored in the cloud, with a one-year retention policy, which also includes disaster recovery through the third-party providers Datto and Veeam.

2.2

Servers are localised for each site, plus the Group has a separate data centre in Milan hosted by Colt, specifically for the Group’s London and Milan offices. Access to the Milan data centre and controlled areas within the data centre and the Group’s offices is restricted to authorised personnel. All other offices run disaster recovery directly into the cloud.


3. Risk Assessment

3.1

The Group’s Risk Committee meets regularly to discuss risks and ensure all appropriate measures and procedures are maintained and operating as intended/expected, and is responsible for regular and ongoing assessment of any high-risk data and processing activities and for developing mitigating solutions to prevent/reduce risks.

3.2

The Group has incorporated Privacy by Design principles for all systems and enhancements at the earliest stage of development as well as education for all employees on security and privacy.


4. Policies and Procedures

4.1

The Group’s Risk Committee, and in particular the Group General Counsel, HR and the Group Head of IT are responsible for ensuring appropriate compliance policies and procedures are in place and they carry out regular risk assessment in light of such risks. The Group’s current compliance and data related policies include:

  • Partner Code of Conduct

  • Data Protection Policy

  • Data Retention Policy

  • Launchmetrics Database Policy

  • IT Policy

  • Copyright Policy

  • Anti-Bribery Policy

  • Modern Slavery Policy

  • Sanctions Policy

  • Website Privacy Policy

  • Website Privacy Notice

  • Website Terms and Conditions

  • Website Cookies Policy

  • Whistleblowing Policy

  • AI Policy

4.2

In addition, the Group has engaged a third-party provider to provide a series of online training modules addressing the above risks and compliance matters. The modules vary on a quarterly basis to ensure ongoing training and monitoring and appropriate coverage across all issues pertinent to the level of risk.

4.3

When contracting with clients and suppliers, the Group’s standard contracts contain appropriate and standard data protection provisions and the Group’s Legal Department is actively involved and engaged in the reviewing and negotiation of such contracts.


5. Management Information & Reporting

5.1

The Group’s employees are aware of incident response procedures, including data breach notification to the Group General Counsel without undue delay where a breach is known or reasonably suspected.

5.2

The Group has appointed a Risk Committee which meets regularly to discuss all business risks, including without limitation GDPR, and ensure all appropriate measures and procedures are maintained and operating as intended/expected.

5.3

The Group General Counsel maintains a Data Controller Record and Breach Register, containing, amongst other things, details of any suspected breaches and a record of all processing activities per Article 30 of GDPR.

5.4

The Group General Counsel reports directly into the Group CEO and CFO in respect of all matters of compliance, which are taken very seriously at Board level.


6. Awareness & Training

6.1

As above, the Group engages a third-party provider to provide a series of online training modules addressing the above risks and compliance matters. The modules vary on a quarterly basis to ensure ongoing training and monitoring.

6.2

In addition, the Group General Counsel, the Group Head of IT, Data Protection Officer and HR regularly provide training on a variety of risk/compliance areas, including phishing, cybersecurity, GDPR, anti-bribery, discrimination etc. on a face-to-face basis.


7. Reviews & Audits

7.1

The Group engages external counsel to conduct regular GDPR audits, including a full data mapping exercise, and has implemented all recommendations.

7.2

In addition, the Group’s Risk Committee meets regularly to discuss risks and ensure all appropriate measures and procedures are maintained and operating as intended/expected.
