MOO DATA PROCESSING AGREEMENT

This Data Processing Agreement (DPA) applies where a MOO customer (Customer) orders MOO’s print and/or merchandise products (MOO Products) either: (a) as a Business Account customer via MOO’s online business-to-business sales platform under the MOO Business Account Agreement; or (b) as a business customer without a Business Account via MOO’s main online sales website under the MOO Terms and Conditions, (the Agreement). This DPA, including any incorporated Transfer Mechanism, forms part of the Agreement. Each party to the Agreement is a Party, and together the Parties.

 

Each party is a separate controller for the name, business contact details and related personal data it processes about the other party’s personnel for relationship management and marketing purposes, including to provide access to moo.com (the Site), deliver/receive the MOO Products (and any services) and manage the relationship between the Parties (Relationship Management Data). For more information about the personal data processed by MOO as a controller see https://www.moo.com/about/privacy-policy

 

With the exception of Relationship Management Data, MOO processes, on behalf of Customer, all personal data uploaded by Customer (or by Customer’s representatives (Customer Representatives)) to the MOO platform or website (Platform) or otherwise provided to MOO to design, create and supply the MOO Products (Print Personal Data). If Customer is a controller of the Print Personal Data, MOO is the processor of that Print Personal Data. If Customer is a processor of the Print Personal Data, MOO is the sub-processor of that Print Personal Data.

 

This DPA was last updated on 30 June 2023.

Processing Details

Subject matter/purpose
The Print Personal Data, which is processed for the design, creation and supply of the MOO Products.

Duration of the processing
The term of the Agreement plus the period from expiry/termination until the deletion of all Print Personal Data by MOO in accordance with this DPA.

Nature and purpose of the processing (including any Data Transfer)
Processing activities (including but not limited to, access, use, store, transfer, receipt, collection and organisation of personal data) that are reasonably required to design, create and supply the MOO Products in accordance with the Agreement. 

Categories of data involved in the processing
Any types of personal data provided to MOO via the Site (or otherwise) by (or at the direction of) Customer or Customer Representatives. This may include: name, address, job title, telephone number.

Categories of data subjects involved in the processing
Data subjects include the individuals about whom data is provided to MOO via the Site (or otherwise) by (or at the direction of) Customer or Customer Representatives.



Technical and Organisational Measures taken by MOO
Latest versions of SSL / SMB technology

Host all data on secure AWS

Password protection to ISO standard

Encryption of all transmissions of personal data

Dual-factor authentication for all admin accounts

Frequency of Data Transfer
One off and/or continuous basis depending on Customer’s use of the services and MOO Products under the Agreement.

Sub-processors of Print Personal Data
As set out in our sub-processor list at https://www.moo.com/us/about/subprocessors from time to time.

MOO contact for privacy-related communications
data.privacymanager@moo.com 

Competent Supervisory Authority
The data exporter’s applicable competent supervisory authority will be determined in accordance with applicable Data Protection Laws.

DATA PROCESSING TERMS

1.  DEFINITIONS

1.1  Adequate Country means, for personal data processed subject to European Data Protection Laws, a country which is subject of an adequacy decision under the applicable European Data Protection Laws.

1.2  Applicable Laws means with respect to a Party, all laws, regulations and mandatory codes of practice to which it is subject.

1.3  Data Incident means a breach of MOO’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Print Personal Data on systems managed by or otherwise controlled by MOO. It expressly excludes unsuccessful attempts where there has been no unauthorised access to Print Personal Data or to any of MOO’s equipment or facilities storing Print Personal Data (e.g. pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorized access to traffic data that does not result in access beyond headers or similar incidents).

1.4  Data Protection Laws means, as applicable: European Data Protection Laws and/or Non-European Data Protection Laws. 

1.5  Data Transfer means the transfer of Print Personal Data, either directly or via onward transfer, from the UK or EEA to a third country. 

1.6  EEA means the European Economic Area.

1.7  EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.8  EU SCCs means either: (i) Module 1 (Controller-to-controller); (ii) Module 2 (Controller-to-Processor); (iii) Module 3 (Processor-to-Processor); or (iv) Module 4 (Processor-to-controller), (as applicable) of the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country.

1.9  European Data Protection Laws means, as applicable: (a) the UK Data Protection Laws; (b) the EU GDPR and/or (c) the Swiss FDPA.

1.10  Instructions has the meaning given to it in clause 4.

1.11  MOO means the MOO group contracting entity to the Agreement, being MOO Print Limited (company number 05121723) with registered office at LABS Triangle, Stables Market, Chalk Farm Road, London, England, NW1 8AB (MOO UK) and/or MOO Inc. with offices at 25 Fairmount Ave, East Providence, RI 02914, USA (MOO US).

1.12  Non-European Data Protection Laws means data protection or privacy laws in force outside the UK, the EEA and Switzerland, including any United States privacy laws (such as Cal. Civ. Code § 1798.100 et seq., Va. Code § 59.1-571 et seq., Colorado Rev. Stat. §§ 6-1-1301 et seq., Connecticut Public Act No. 22-15, Iowa Code §§ 715D.1 et seq., and Utah Code Ann. §§ 13-61-101 et seq.) and all implementing regulations.

1.13  Supervisory Authority means (a) a “supervisory authority” as defined in the EU GDPR; (b) the “Commissioner” as defined in the UK GDPR and/or the Swiss FDPA; and/or (c) any court, tribunal, or governmental or other entity that has jurisdiction, under Applicable Laws, over the Agreement, the Services, Customer or MOO, including any data protection authority with jurisdiction or oversight over the Applicable Laws.

1.14  Swiss FDPA means the Swiss Federal Data Protection Act of 19 June 1992 (aligning the FDPA’s standard of protection with the standard of protection offered by the EU GDPR).

1.15  Transfer Mechanism means the EU SCCs and UK IDTA Addendum.

1.16  UK IDTA Addendum means the International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.

1.17  UK Data Protection Laws means the UK GDPR, the Data Protection Act 2018 (UK DPA), the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) and any other UK law relating to personal data and applicable to processing of Print Personal Data.

1.18  UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

1.19  The terms controller (which has the same meaning as “business” or other similar terms in the applicable Data Protection Laws), processor (which has the same meaning as “service provider,” “contractor,” or other similar terms in the applicable Data Protection Laws), data subject (which has the same meaning as “consumer” or other similar terms in the applicable Data Protection Laws), personal data (which has the same meaning as “personal information” or other similar terms in the applicable Data Protection Laws), processing and appropriate technical and organisational measures are as defined in the applicable Data Protection Laws. In the event of a conflict in the meanings of defined terms in the Data Protection Laws, the meaning from the law applicable to the processing of personal data of the relevant data subject applies.

2.  MOO COMPLIANCE OBLIGATIONS

2.1  MOO will comply with its direct obligations under applicable Data Protection Laws in connection with the processing of Print Personal Data. MOO will also provide the level of privacy protection required by applicable Data Protection Laws, and understands and will comply with this DPA. Upon the reasonable request of Customer, MOO will make available to Customer all information in MOO’s possession necessary to demonstrate MOO’s compliance with this clause 2.1.

2.2  Customer has the right to take reasonable and appropriate steps to ensure that MOO uses Print Personal Data consistent with Customer’s obligations under applicable Data Protection Laws.

2.3  MOO will not access or use, or disclose to any third party, any Print Personal Data, except, in each case, as necessary to design, create and supply the MOO Products, or as necessary to comply with Applicable Law or a valid and binding order of a governmental body (such as a subpoena or court order). 

2.4  MOO has no obligation to assess Print Personal Data in order to identify information subject to any specific legal requirements.

3.  CUSTOMER RIGHTS & OBLIGATIONS

3.1  The rights and obligations of Customer are set out in the Agreement and this DPA.

3.2  Customer will comply with its direct obligations under Data Protection Laws in connection with the processing of Print Personal Data.

3.3  Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Print Personal Data by MOO for the design, creation, and supply of the MOO Products. 

3.4  If Customer is a processor (and MOO a sub-processor): (a) Customer warrants on an ongoing basis that the relevant controller has authorised: (i) the use of Print Personal Data by Customer; (ii) Customer’s appointment of MOO as a processor; and (iii) MOO’s engagement of sub-processors; and (b) Customer will immediately forward to the relevant controller any notice provided by MOO under this DPA. 

3.5  Customer confirms: (a) it has taken reasonable care to comply with its obligations under applicable Data Protection Laws in its engagement of MOO, use of the Site and ordering of the MOO Products under the Agreement; and (b) it has assessed its intended use of the Site and the MOO Products (including by Customer Representatives) and that the technical and organisational measures set out in the Processing Details provide a level of security appropriate to the risk to Print Personal Data (with Customer taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Print Personal Data as well as the risks to individuals).

3.6  Customer is responsible for providing correct and compliant Print Personal Data (including Customer’s decision on lawful basis of processing and any transparency notices to data subjects that Print Personal Data will be processed by MOO). 

4.  PROCESSING INSTRUCTIONS

4.1  Customer instructs MOO to process Print Personal Data only in accordance with applicable Data Protection Laws: (a) to design, create and supply the MOO Products, including their personalisation; (b) as further specified via Customer’s or Customer Representative’s use of the Site; (c) as documented in the Agreement; and (d) as further documented in any other written instructions given by Customer and acknowledged by MOO as constituting instructions for purposes of this DPA (collectively, the Instructions).

4.2  Customer warrants on an ongoing basis that its Instructions, and therefore the carrying out of the processing by MOO, comply with Data Protection Laws.

4.3  Unless prohibited by Applicable Laws from doing so, MOO will: (a) only process Print Personal Data on the Instructions (including with regard to international transfers of Print Personal Data); and (b) comply with the Instructions.

4.4  Prior to any processing of Print Personal Data other than in accordance with the Instructions, MOO will notify Customer if, in MOO’s opinion: (a) Applicable Laws prohibit MOO from complying with an Instruction, unless such notice is prohibited by Applicable Law on important grounds of public interest; or (b) MOO is otherwise unable to comply with an Instruction. 

4.5  MOO may terminate the Agreement upon written notice to Customer with immediate effect if MOO considers (in its reasonable discretion) that: (a) it is unable to adhere to, perform or implement any Instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or (b) to adhere to, perform or implement any such Instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).

5.  EMPLOYEES AND CONTRACTORS

5.1  MOO will ensure that all employees and contractors (and anyone else MOO allows to process the Print Personal Data under this DPA or the Agreement) are informed of the confidential nature of personal data (including Print Personal Data) and are bound by confidentiality obligations (including a duty of confidentiality) and use restrictions in respect of personal data.

5.2  MOO will take reasonable steps to ensure the reliability, integrity and trustworthiness of MOO's employees with access to Print Personal Data.

6.  SECURITY OF PROCESSING

6.1  MOO will implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of personal data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Print Personal Data. These are detailed in the Processing Details. 

6.2  MOO will implement such measures as are reasonable to ensure a level of security appropriate to the risk involved in providing the MOO Products and services to its customers, including as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

7.  INCIDENT MANAGEMENT

7.1  MOO will take appropriate measures to address and mitigate any Data Incident.

7.2  MOO will, without undue delay, notify Customer of any Data Incident (Data Incident Notification).

7.3  At Data Incident Notification or as soon as reasonably practical afterwards, MOO will also provide Customer with the following information: (a) description of the nature of the Data Incident; (b) the likely consequences; and (c) description of the measures taken or proposed to be taken to address the Data Incident (including measures to mitigate its possible adverse effects) (Data Incident Report).

7.4  The Data Incident Notification and the Data Incident Report will be delivered to an email address primarily associated by MOO with Customer’s account with MOO. It is Customer's sole responsibility to ensure MOO has an accurate and up to date email address for Customer. 

7.5  Customer acknowledges that the level of disclosure in the Data Incident Report will need to take account of the nature of the processing, the information available to MOO at that time, and any restrictions on disclosing the information, such as confidentiality or the requirements of insurers, forensic investigators and/or law enforcement agencies. 

7.6  Customer agrees that in respect of the Print Personal Data, it is best able to determine the likely consequences of a Data Incident and any notifications that may be required by it, whether to a Supervisory Authority or affected data subjects. Customer will provide MOO with any copy, which references MOO, to be sent to any Supervisory Authority or data subject.

7.7  MOO’s notification under clauses 7.2 to 7.4 will not be construed as an acknowledgement by MOO of any fault or liability with respect to the Data Incident.

 

8.  SUB-PROCESSING

8.1  MOO will not engage a third party processor of the Print Personal Data without Customer’s prior specific or general written authorisation.

8.2  Customer consents, by way of general authorisation, to MOO appointing any third party processor of personal data as part of its common service and technology infrastructure (see the URL in the Processing Details for an up-to-date list).

8.3  In respect of sub-processors: (a) MOO confirms that it has entered or (as the case may be) will enter into written agreements with any sub-processor in compliance with applicable Data Protection Laws, in respect of which Customer acknowledges and agrees: (i) that the appointment of the sub-processors is subject to each sub-processor’s standard data processing agreement terms (Sub-processor DPA Terms), which are the same or equivalent restrictions and requirements that apply to MOO in this DPA and the Agreement with respect to Print Personal Data; and (ii) any obligations of MOO with respect to sub-processors are subject to the Sub-processor DPA Terms; (b) MOO will restrict the sub-processor's access to Print Personal Data only to what is necessary to design, create and supply the MOO Products, and MOO will prohibit the sub-processor from accessing Print Personal Data for any other purpose; (c) MOO will ensure appropriate safeguards are in place before there is a Data Transfer of the Print Personal Data to a sub-processor; and (d) MOO will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processor that cause MOO to breach any of MOO’s obligations to Customer under this DPA.

8.4  MOO will inform Customer of any additional or replacement sub-processors of the Print Personal Data via the Site, which may be given by way of updating the list of sub-processors at the URL in the Processing Details (Sub-processor Change).

8.5  Customer will raise any objection to a Sub-processor Change within 14 days of notification, giving reasons, to the email data.privacymanager@moo.com.

8.6  If Customer raises an objection in accordance with clause 8.5: (a) MOO will use reasonable efforts to make available a commercially reasonable change in the provision of the Site/MOO Products, which avoids the use of that proposed sub-processor; and (b) where: (i) such a change cannot be made within 30 days from MOO receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change; either Party may by written notice to the other Party with immediate effect terminate the Agreement either in whole or to the extent that it relates to the provision of the Site/MOO Products which require the use of the proposed sub-processor.

9.  DATA SUBJECT ASSISTANCE

9.1  MOO will assist Customer by ensuring that there are such technical and organisational measures as may be reasonable to provide information to assist Customer to comply with the rights of data subjects in connection with the Print Personal Data under applicable Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data. Where applicable, MOO shall enable Customer to comply with any data subject request made pursuant to the Data Protection Laws.

9.2  If a data subject for whom Customer is responsible makes a request to MOO, MOO will promptly forward such request to Customer. Customer authorises on its behalf, and on behalf of its controllers when Customer is acting as a processor, MOO to respond to any data subject who makes a request to MOO, to confirm that MOO has forwarded the request to Customer.

10.  SUPERVISORY AUTHORITY ASSISTANCE AND GOVERNMENT BODY REQUESTS

10.1  MOO will (at Customer’s cost and expense and taking into account the nature of the processing and information available) assist Customer with its obligations to Supervisory Authorities relating to Data Incidents, data protection impact assessments and consultations affecting Print Personal Data, and with its obligation to keep Print Personal Data secure. 

10.2  MOO will promptly notify Customer if it receives any notice from a Supervisory Authority that relates directly to the processing of Print Personal Data (unless requested by the supervisory authority not to).

10.3  If any governmental body sends MOO a request for data which may include Print Personal Data, MOO will attempt to redirect the governmental body to request it directly from Customer. To do so MOO will provide Customer's basic contact information to the governmental body. If compelled to disclose Print Personal Data to a governmental body, then MOO will seek to give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MOO is prevented from doing so by applicable law. 

11.  DELETION OR RETURN OF PRINT PERSONAL DATA

11.1  MOO will comply with any Customer written instructions requiring MOO to amend, transfer, delete or otherwise process the Print Personal Data, or to stop, mitigate or remedy any unauthorised processing.

11.2  If Customer wishes to have deleted or returned any Print Personal Data at the end of the Agreement, it must request this from MOO during the term of the Agreement. MOO will comply with any such Customer request or instruction.

11.3  If any law, regulation, or government or regulatory body requires MOO to retain any Print Personal Data that MOO would otherwise be required to return or destroy under clauses 11.1 to 11.2, it may do so.

12.  RECORD KEEPING AND AUDIT

12.1  MOO will keep records regarding any processing of personal data it carries out for Customer in accordance with applicable Data Protection Laws (Records).

12.2  MOO will ensure that the Records are sufficient to enable Customer to verify MOO's compliance with its obligations under this DPA and MOO will provide Customer with copies of the Records upon request (no more than once per calendar year).

12.3  Customer’s authorised representative, subject to confidentiality and conflict of interest clearances (including the confidentiality of other MOO customers) and at Customer’s cost and expense, may audit the Records upon 30 days’ written notice to data.privacymanager@moo.com (no more than once per calendar year). Customer will use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any damage, injury or disruption to MOO’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of MOO’s other customers or the availability of the Site or MOO Products to other customers) whilst auditing the Records.

12.4  If necessary to comply with applicable Data Protection Laws and subject to Customer reimbursing MOO for all costs incurred and time spent, MOO will contribute to an audit undertaken under clause 12.3.

13.  DATA TRANSFERS

13.1  Print Personal Data may be processed in any country in which MOO or its sub-processors maintain facilities.

13.2  Where there is a Data Transfer of Print Personal Data or Relationship Management Data between the parties, the relevant Transfer Mechanism will apply. The relevant provisions contained in the Transfer Mechanism are incorporated by reference to this DPA and, by entering into the Agreement and this DPA, the parties are deemed to have signed the Transfer Mechanism.

13.3  For the purposes of the Transfer Mechanism: (a) the recipient will act as the data importer; and (b) the transmitting party will act as the data exporter.

13.4  The information required for the purposes of Annexes I – IV to the EU SCCs and Tables 1-3 of Part one of the UK IDTA Addendum are set out in the Processing Details. 

13.5  For each module of the EU SCCs, where applicable the following applies:

(a) The optional docking clause in clause 7 does apply;

(b) In clause 9, Option 2 (general written authorisation) applies. For the purposes of clause 9(a), MOO has Customer’s general authorisation to engage Sub-processors in accordance with clause 8 of this DPA and MOO shall inform Customer of any changes to Sub-processors in accordance with that clause;

(c) In Clause 11, the optional language does not apply;

(d) MOO’s liability under clause 12(b) shall be limited to any damage caused by its processing where MOO has not complied with its obligations under the Data Protection Laws specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 UK GDPR;  

(e) All square brackets in clause 13 are removed;

(f) In clause 17 (Option 1), the EU SCCs will be governed by the laws of England and Wales;

(g) In clause 18(b), disputes will be resolved before the courts of England and Wales.

13.6  For the purposes of Table 4 of Part One of the UK IDTA Addendum, MOO may end the UK IDTA Addendum when it changes.  

13.7  For data transfers governed by Swiss FDPA, the EU SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as personal data under the Swiss FDPA until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the EU SCCs to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss FDPA.

13.8  If the Transfer Mechanism is insufficient to safeguard the transferred Print Personal Data, the data importer will promptly implement supplementary measures to ensure Print Personal Data is protected to the same standard as required under Data Protection Laws.

13.9  Subject to clause 10 and the terms of the relevant Transfer Mechanism (and in any conflict between clause 10 and the terms of the relevant Transfer Mechanism, the Transfer Mechanism takes precedence), if the data importer receives a request from a public authority to access the Print Personal Data, it will (if legally allowed): (a) challenge the request and promptly notify the data exporter about it, and (b) only disclose to the public authority the minimum amount of Print Personal Data required and keep a record of the disclosure. 

14.  CCPA

14.1  Solely for this clause 14.1, Commercial Purpose, Share, and Sell are as defined in California Consumer Privacy Act 2018 (CCPA). If MOO processes Print Personal Data subject to CCPA on behalf of Customer, MOO will not (a) Sell or Share Print Personal Data; (b) retain, use or disclose Print Personal Data for any purpose, including a Commercial Purpose, other than for the specific purpose of designing, creating and supplying the MOO Products; (c) retain, use, or disclose Print Personal Data outside the direct business relationship between the Parties; or (d) combine Print Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer.

15.  SUSPENSION OF PROCESSING

15.1  If a change in any Data Protection Laws prevents a Party from fulfilling all or part of its obligations under this DPA, the Parties will suspend the processing of the Print Personal Data until that processing complies with the new requirements.

15.2  MOO shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Upon receiving notice from MOO in accordance with this clause 15.2, Customer may direct MOO to take reasonable and appropriate steps to stop and remediate unauthorized use of Print Personal Data.

16.  LIABILITY

16.1  Any claims against MOO under this DPA for breach of this DPA (including any Transfer Mechanism) will be subject to the same exclusions and limitations as set out in the Agreement. MOO’s aggregate liability under both the Agreement and the DPA will be limited to the cap(s) set out in the Agreement.

17.  GENERAL & INTERPRETATION

17.1  In the case of conflict or ambiguity between: (a) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail with respect to the processing of Print Personal Data; and (b) any of the provisions of this DPA and any applicable Transfer Mechanism, the provisions of the applicable Transfer Mechanism will prevail.

17.2  Save as set out in this clause 17, this DPA shall be interpreted in accordance with the General and Interpretation provisions of the Agreement.

 
