1.1 Adequate Country means, for personal data processed subject to European Data Protection Laws, a country which is the subject of an adequacy decision under the applicable European Data Protection Laws.
1.2 Applicable Laws means with respect to a Party, all laws, regulations and mandatory codes of practice to which it is subject.
1.3 Data Incident means a breach of MOO’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Print Personal Data on systems managed by or otherwise controlled by MOO. It expressly excludes unsuccessful attempts where there has been no unauthorised access to Print Personal Data or to any of MOO’s equipment or facilities storing Print Personal Data (e.g. pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorised access to traffic data that does not result in access beyond headers or similar incidents).
1.4 Data Protection Laws means, as applicable: European Data Protection Laws and/or Non-European Data Protection Laws.
1.5 Data Transfer means the transfer of Print Personal Data, either directly or via onward transfer, from the UK or EEA to a third country.
1.6 EEA means the European Economic Area.
1.7 EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.8 EU SCCs means either: (i) Module 1 (Controller-to-controller); (ii) Module 2 (Controller-to-Processor); (iii) Module 3 (Processor-to-Processor); or (iv) Module 4 (Processor-to-controller), (as applicable) of the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country.
1.9 European Data Protection Laws means, as applicable: (a) the UK Data Protection Laws; (b) the EU GDPR and/or (c) the Swiss FDPA.
1.10 Instructions has the meaning given to it in clause 4.
1.11 MOO means the MOO group contracting entity to the Agreement, being MOO Print Limited (company number 05121723) with registered office at LABS Triangle, Stables Market, Chalk Farm Road, London, England, NW1 8AB (MOO UK) and/or MOO Inc. with offices at 25 Fairmount Ave, East Providence, RI 02914, USA (MOO US).
1.12 Non-European Data Protection Laws means data protection or privacy laws in force outside the UK, the EEA and Switzerland, including any United States privacy laws (such as Cal. Civ. Code § 1798.100 et seq., Va. Code § 59.1-571 et seq., Colorado Rev. Stat. §§ 6-1-1301 et seq., Connecticut Public Act No. 22-15, Iowa Code §§ 715D.1 et seq., and Utah Code Ann. §§ 13-61-101 et seq.) and all implementing regulations.
1.13 Supervisory Authority means (a) a “supervisory authority” as defined in the EU GDPR; (b) the “Commissioner” as defined in the UK GDPR and/or the Swiss FDPA; and/or (c) any court, tribunal, or governmental or other entity that has jurisdiction, under Applicable Laws, over the Agreement, the Services, Customer or MOO, including any data protection authority with jurisdiction or oversight over the Applicable Laws.
1.14 Swiss FDPA means the Swiss Federal Data Protection Act of 19 June 1992 (aligning the FDPA’s standard of protection with the standard of protection offered by the EU GDPR).
1.15 Transfer Mechanism means the EU SCCs and UK IDTA Addendum.
1.16 UK IDTA Addendum means the International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.
1.17 UK Data Protection Laws means the UK GDPR, the Data Protection Act 2018 (UK DPA), the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) and any other UK law relating to personal data and applicable to processing of Print Personal Data.
1.18 UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
1.19 The terms controller (which has the same meaning as “business” or other similar terms in the applicable Data Protection Laws), processor (which has the same meaning as “service provider,” “contractor,” or other similar terms in the applicable Data Protection Laws), data subject (which has the same meaning as “consumer” or other similar terms in the applicable Data Protection Laws), personal data (which has the same meaning as “personal information” or other similar terms in the applicable Data Protection Laws), processing and appropriate technical and organisational measures are as defined in the applicable Data Protection Laws. In the event of a conflict in the meanings of defined terms in the Data Protection Laws, the meaning from the law applicable to the processing of personal data of the relevant data subject applies.
2. MOO COMPLIANCE OBLIGATIONS
2.1 MOO will comply with its direct obligations under applicable Data Protection Laws in connection with the processing of Print Personal Data. MOO will also provide the level of privacy protection required by applicable Data Protection Laws, and understands and will comply with this DPA. Upon the reasonable request of Customer, MOO will make available to Customer all information in MOO’s possession necessary to demonstrate MOO’s compliance with this clause 2.1.
2.2 Customer has the right to take reasonable and appropriate steps to ensure that MOO uses Print Personal Data consistent with Customer’s obligations under applicable Data Protection Laws.
2.3 MOO will not access or use, or disclose to any third party, any Print Personal Data, except, in each case, as necessary to design, create and supply the MOO Products, or as necessary to comply with Applicable Law or a valid and binding order of a governmental body (such as a subpoena or court order).
2.4 MOO has no obligation to assess Print Personal Data in order to identify information subject to any specific legal requirements.
3. CUSTOMER RIGHTS & OBLIGATIONS
3.1 The rights and obligations of Customer are set out in the Agreement and this DPA.
3.2 Customer will comply with its direct obligations under Data Protection Laws in connection with the processing of Print Personal Data.
3.3 Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Print Personal Data by MOO for the design, creation, and supply of the MOO Products.
3.4 If Customer is a processor (and MOO a sub-processor): (a) Customer warrants on an ongoing basis that the relevant controller has authorised: (i) the use of Print Personal Data by Customer; (ii) Customer’s appointment of MOO as a processor; and (iii) MOO’s engagement of sub-processors; and (b) Customer will immediately forward to the relevant controller any notice provided by MOO under this DPA.
3.5 Customer confirms: (a) it has taken reasonable care to comply with its obligations under applicable Data Protection Laws in its engagement of MOO, use of the Site and ordering of the MOO Products under the Agreement; and (b) it has assessed its intended use of the Site and the MOO Products (including by Customer Representatives) and that the technical and organisational measures set out in the Processing Details provide a level of security appropriate to the risk to Print Personal Data (with Customer taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Print Personal Data as well as the risks to individuals).
3.6 Customer is responsible for providing correct and compliant Print Personal Data (including Customer’s decision on lawful basis of processing and any transparency notices to data subjects that Print Personal Data will be processed by MOO).
4. PROCESSING INSTRUCTIONS
4.1 Customer instructs MOO to process Print Personal Data only in accordance with applicable Data Protection Laws: (a) to design, create and supply the MOO Products, including their personalisation; (b) as further specified via Customer’s or Customer Representative’s use of the Site; (c) as documented in the Agreement; and (d) as further documented in any other written instructions given by Customer and acknowledged by MOO as constituting instructions for purposes of this DPA (collectively, the Instructions).
4.2 Customer warrants on an ongoing basis that its Instructions, and therefore the carrying out of the processing by MOO, comply with Data Protection Laws.
4.3 Unless prohibited by Applicable Laws from doing so, MOO will: (a) only process Print Personal Data on the Instructions (including with regard to international transfers of Print Personal Data); and (b) comply with the Instructions.
4.4 Prior to any processing of Print Personal Data other than in accordance with the Instructions, MOO will notify Customer if, in MOO’s opinion: (a) Applicable Laws prohibit MOO from complying with an Instruction, unless such notice is prohibited by Applicable Law on important grounds of public interest; or (b) MOO is otherwise unable to comply with an Instruction.
4.5 MOO may terminate the Agreement upon written notice to Customer with immediate effect if MOO considers (in its reasonable discretion) that: (a) it is unable to adhere to, perform or implement any Instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or (b) to adhere to, perform or implement any such Instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
5. EMPLOYEES AND CONTRACTORS
5.1 MOO will ensure that all employees and contractors (and anyone else MOO allows to process the Print Personal Data under this DPA or the Agreement) are informed of the confidential nature of personal data (including Print Personal Data) and are bound by confidentiality obligations (including a duty of confidentiality) and use restrictions in respect of personal data.
5.2 MOO will take reasonable steps to ensure the reliability, integrity and trustworthiness of MOO's employees with access to Print Personal Data.
6. SECURITY OF PROCESSING
6.1 MOO will implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of personal data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Print Personal Data. These are detailed in the Processing Details.
6.2 MOO will implement such measures as are reasonable to ensure a level of security appropriate to the risk involved in providing the MOO Products and services to its customers, including as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.
7. INCIDENT MANAGEMENT
7.1 MOO will take appropriate measures to address and mitigate any Data Incident.
7.2 MOO will, without undue delay, notify Customer of any Data Incident (Data Incident Notification).
7.3 At Data Incident Notification or as soon as reasonably practical afterwards, MOO will also provide Customer with the following information: (a) description of the nature of the Data Incident; (b) the likely consequences; and (c) description of the measures taken or proposed to be taken to address the Data Incident (including measures to mitigate its possible adverse effects) (Data Incident Report).
7.4 The Data Incident Notification and the Data Incident Report will be delivered to an email address primarily associated by MOO with Customer’s account with MOO. It is Customer’s sole responsibility to ensure MOO has an accurate and up-to-date email address for Customer.
7.5 Customer acknowledges that the level of disclosure in the Data Incident Report will need to take account of the nature of the processing, the information available to MOO at that time, and any restrictions on disclosing the information, such as confidentiality or the requirements of insurers, forensic investigators and/or law enforcement agencies.
7.6 Customer agrees that in respect of the Print Personal Data, it is best able to determine the likely consequences of a Data Incident and any notifications that may be required by it, whether to a Supervisory Authority or affected data subjects. Customer will provide MOO with any copy, which references MOO, to be sent to any Supervisory Authority or data subject.
7.7 MOO’s notification under clauses 7.2 to 7.4 will not be construed as an acknowledgement by MOO of any fault or liability with respect to the Data Incident.