Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of and is subject to the provisions of, the Terms and Conditions found at https://www.create.net/about/terms-and-conditions (the “Agreement”).

By agreeing to the Terms and Conditions, You enter into the DPA to the extent required under the applicable EU Data Protection Laws. This DPA is in place to prove adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals for the transfer of Personal Data by the Data Controller to the Data Processor.

In the event of a conflict between the Data Processing Addendum and the Terms and Conditions, this Data Processing Addendum will control.

  1. Definitions

    The definitions outlined within our Terms and Conditions apply to this Data Processing Addendum as well as the following definitions:

    Data Processor - means any entity (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller

    Data Controller - means any person or company who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

    Website - means the website that you manage that is maintained through our Services.

    User - means an individual who uses our Site or has registered to use our Services.

    Your End Users - means the users, visitors and customers of our Users Websites

    EU Data Protection Laws - refers to all laws and regulations, including laws and binding regulations of the European Union (including the General Data Protection Regulation & the e-Privacy Directive 2002/58/EC)

    GDPR - means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council

    Sub-Processors - means any entity engaged by Create to process Personal Data in connection with the Services

    Sub-Contractors - any Data Processors that are used by our Sub-Processors

    Governing Body - a public authority which is established by an EU Member State pursuant to the GDPR.

    Personal Data - means any information that can be used to personally identify an individual.

    Data Within Your Control - means the Personal Data in Your Account that Create process on your behalf, and on your instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such Personal Data.

    Your Account - means any area of Create.net that you manage which requires you to log in using your designated username and selected password

    Third Party Service - means any integration available through our Service that the User has actively chosen to use and thus enter into their own Contract with the relevant service

    Data Breach - means a breach of Create’s infrastructure, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed of the Data Within Your Control.

    Content - means your Personal Data and any Personal Data provided to us from Your End User

  2. How This Addendum Applies To You

    This Data Processing Addendum applies to you if you or Your End Users are located in the European Economic Area (“EEA”), Switzerland or the United Kingdom. It only applies in regards to Data Within Your Control.

    You agree that we are not responsible for the Data Within Your Control that you have chosen to process through any Third Party Services or services outside of the Services we provide to you at Create.

  3. Description and Detail of the Processing Activities

    3.1 Description of Roles
    For the purposes of this DPA, unless explicitly stated, Create is the Data Processor and you are the Data Controller of all the Data Within Your Control.

    3.2 Description of Processing Activities
    Depending on how you use the varied functionality and integrations available through our Services, Create will be required to process Data Within Your Control, including that of Your End Users, in order for us to provide our Services.

    3.3 Ensuring Compliance with the Law as the Data Controller
    You will ensure that any actions taken within the Services, and thus the instructions, are in full compliance with any laws, regulations and rules that are applicable to the Data Within Your Control. Furthermore, you will also ensure that the Data Within Your Control is collected and provided to us in line with the aforementioned laws, regulations and rules, where applicable.

    You also agree that the processing of any Data Within Your Control as per the actions instructed through the Services, will not result in us or you breaching any laws, regulations or rules. You are responsible for reviewing any information that is made available to us as a result of us actioning this Addendum and whether this Addendum itself, as well as the Services, meet the required legal obligations. Further to this, you are also responsible for your legal obligations that arise when you agree to this Addendum.

    Create will under no circumstances access or use any Data Within Your Control except as detailed in this Addendum, necessary for us to maintain and provide the Services or if required to do so by the Law or an appropriate Governing Body.

    3.4 Create as the Data Controller
    In certain situations, Create will be the Data Controller for certain Personal Data that relates to you or Your End Users. How we use the Personal Data in which we are the Data Controller is down to us and will be used for our own purposes. For more information on how we use this Personal Data as the Data Controller, please see our Privacy Policy.

    Please note that if we provide any information to you, in which we are the Data Controller of, that relates to your Website (i.e Your End Users activity on your site) then you receive that information as a separate Data Controller and how you handle that data needs to be in compliance with the EU Data Protection Laws. When Create process Personal Data as a Data Controller, you agree to the fact that this Addendum does not create a joint-controller relationship between you and us.

  4. Our Responsibilities as your Data Processor

    4.1 How we will Process Data as the Processor
    We will process Data Within Your Control in accordance with this Addendum as well as the actions required of us as instructed by you in Your Account. You agree that this Addendum, and the actions taken and thus instructions given by you within Your Account are your complete and final instructions to us in relation to the Data Within Your Control.

    We will immediately inform you if we feel that your instructions infringe on the applicable EU Data Protection Law or for any reason, we are unable to carry out your instructions. If your instructions prevent us from complying with the applicable laws, we will notify you. However, we will not notify you when such disclosure is forbidden by applicable law on the important grounds of public interest.

    4.2 How we will assist you in Complying
    When complying with any requests relating to Data Within Your Control received from Your End User as a Data Controller (as detailed in Chapter 3 of the GDPR), we have provided reasonable tools within Your Account that enable you to comply and fulfil your obligations as a Data Controller when you have received any request from Your End Users regarding their Personal Data. In the instances where you are not able to comply using the tools available within Your Account and complicated action is required to remove the Personal Data in question, we will provide, where possible, a reasonable quotation (upon request) based on the action that is required to complete this on your behalf.

    4.3 Any Requests Regarding the Data In Your Control
    Some of the Data Within Your Control is accessible and thus removable through Your Account. With respect to any Data Within Your Control that is not accessible and thus removable within Your Account, a request can be made to us in order for you to take relevant action that is otherwise not possible. The request must be made in writing and must include details of Your End User and the Personal Data that the request is referring to, along with any relevant action required to be taken.
    Once the request has been received and validated, we will, where applicable:

    • Remove any Personal Data of Your End User in question or provide copies of the Personal Data of Your End User in an easily accessible format 
    • Contact the applicable Sub-Processor or Sub-Processors to request the removal of any Personal Data relating to Your End User in question.

    The request will be actioned in accordance with the above except if the request is subject to the limitations as set out in this Data Processing Addendum or restricted by law and/or a governing body, where applicable.

    4.4 What we do when we Receive an Inquiry or Complaint
    If we are permitted to do so by the relevant applicable law, we will provide you notice upon receiving an inquiry or complaint from any of ‘Your End Users’, or if required to do so by the law or any lawfully binding order from a Governing Body that relates to the Data Within Your Control that we have processed on your instructions and thus, on your behalf.

    Security Incidents and Security
    We will at all times ensure that Data Within Your Control is adequately protected in accordance with the requirements of the GDPR. To do so, we agree that we will implement an appropriate level of technical, organisational and procedural measures to protect the Data Within Your Control from security incidents. If we become aware of and confirm any security incident, for which notification to you is required under applicable EU Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.

    If we become aware of and confirm any security incident, for which notification to you is required under applicable EU Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.

    We will always cooperate reasonably with you and provide you with the information you need in order to fulfil your Data Breach obligations under the GDPR. We will also take further measures and actions that are necessary to fix or mitigate the effects of the security incident and we will keep you informed of any material development related to the security incident. Unless required by law we will not take action to notify Your End Users of any security breach. Create may also use external or internal auditors to verify that the security measures that we have in place are adequate in protecting the Data Within Your Control that we store.

    4.5 Notifying you of a Data Breach
    When we are made aware of and confirm the occurrence of a Data Breach, we will immediately notify you in line with the requirements set out in EU Data Protection Laws. In order for us to assist you in complying with your notification obligations as set out in articles 33 and 34 of the GDPR, we will provide you with information of the Data Breach that we are reasonably able to disclose with you. The information disclosed will be based upon the type of data involved with the Data Breach, the sensitivity of the data, and if it is subject to any restrictions that prevent us from disclosing information. Our duty to report and respond to a Data Breach as detailed in ‘Notifying you of a Data Breach’ is not and must not be misinterpreted as Create acknowledging any fault or liability in regards to the Data Breach. However, Create’s obligations as detailed above do not apply to incidents that are caused by you, any actions taken through Your Account and/or any Third Party Services.

    4.6 Sub-Processors
    In the course of providing our Services, we may be required to contract with a Sub-Processor to perform a portion of the Services. You agree that we can share Data Within Your Control with Sub-Processors in order to provide the Services to you. A list of our current Sub-Processors is available upon request by sending an email to privacy@create.net.

    You acknowledge and agree that Create will use Sub-Processors to process Personal Data and any Data Within Your Control in order for us to provide the Services. Our use of any specific Sub-Processor used must be in compliance with the EU Data Protection Laws and must be governed by a contract between Create and the Sub-Processor.

    You may object to any of the Sub-Processors used on the grounds that the request is related to data protection concerns, to do so email privacy@create.net. If your objection is validated, we will work with you to find a viable alternative for providing the Services without using the Sub-Processor or Sub-Processors in question. If there is no reasonable action found that we can take and you still object to the Sub-Processor being used after notification, you will have the option to terminate Your Account with Create or, where possible, relinquish use of the part of the Services that require the Sub-Processor in question. If you object to the Sub-Processors that we use and there is no workaround for you to use the Services in any sense without using Sub-Processors in question, then please do not use the Services.

    Regardless of any Sub-Processors that we use, Create will remain responsible for maintaining it’s compliance with the EU Data Protection Laws, including any Data Breaches that involve our Sub-Processors and their sub-contractors in relation to the Data Within Your Control.

    4.7 Questions in Regards to our Compliance
    We will, to a reasonable extent, provide information to you upon request regarding our compliance with this Data Processing Addendum, where such information is not otherwise accessible by you. Only the required information will be made available to you in order for you to fulfil your duties under the GDPR. (Please note that a non-disclosure agreement may be necessary before any information is shared with you as a result of your request).

  5. Data Transfers of the Data Within Your Control

    You agree for us, where required, to transfer any Data Within Your Control to a different country from which it was originally collected. We will ensure that any transfer away from the country in which the Data From Your Control was first collected, especially outside of the EEA, complies with the EU-U.S. and Swiss-U.S. Privacy-Shield Framework, EU Data Protection Laws and any other legal framework where applicable, to ensure the adequate level of security for the data transfer.

  6. Liability of the Mentioned Parties

    In line with the existing indemnity as outlined in the Terms and Conditions, you indemnify us from any penalties, loss or claims that arise from Your End Users, or from Data Within Your Control as a result of, or in conjunction with, your failure to comply with EU Data Protection Laws and this Data Processing Addendum when using our Service. You agree that when you terminate your Account with us, you agree to remove any Personal Data of Your End Users in a timely manner in which you are able to do so through Your Account. However, you will have responsibility ensuring these measures comply with the applicable EU Data Protection Laws and the Personal Data of Your End Users is still categorised as Data Within Your Control.

  7. Miscellaneous

    We will charge you for any request, and thus action, which is outside of the reasonable extent necessary for us to comply with any requests made in relation to this Data Processing Addendum.