Privacy

Our website may be used without entering personal information. Different rules may apply to certain services on our site, however, and are explained separately below. We collect personal information from you (e.g. name and email address) in accordance with the provisions of Spanish data protection statutes. Information is considered personal if it can be associated exclusively with a specific natural person. The legal framework for data protection may be found in the Spanish Data Protection Agency and European GDPR. The provisions below serve to provide information as to the manner, extent, and purpose for collecting, using and processing personal information by the provider.

Francesc Miralles | Owner | Plaça de Sant Pere, 6, 3r | 17220 Sant Feliu de Guíxols (Girona) Spain
Phone: +34644958855 | Email: information@byfrancesc.com

Please be aware that data transfer via the internet is subject to security risks and, therefore, complete protection against third-party access to transferred data cannot be ensured.

Our website makes use of so-called cookies to recognise repeat use of our website by the same user/internet connection subscriber. Cookies are small text files that your internet browser downloads and stores on your computer. They are used to improve our website and services. In most cases, these are so-called “session cookies” that are deleted once you leave our website.
To an extent, however, these cookies also pass along information used to recognize you automatically. Recognition occurs through an IP address saved to the cookies. The information thereby obtained is used to improve our services and to expedite your access to the website.
You can prevent cookies from being installed by adjusting the settings on your browser software accordingly. You should be aware, however, that by doing so, you may not be able to make full use of all the functions of our website.

For technical reasons, data such as the following, which your internet browser transmits to us or to our web space provider (so-called server log files), is collected:

  • type and version of the browser you use
  • operating system
  • websites that linked you to our site (referrer URL)
  • websites that you visit
  • date and time of your visit
  • your Internet Protocol (IP) address

This anonymous data is stored separately from any personal information you may have provided, thereby making it impossible to connect it to any particular person. The data is used for statistical purposes to improve our website and services.

We offer you the opportunity to sign up for our website. The information entered when signing up, as shown in the registration form (name, email), is collected and stored solely for use by our website. When signing up for our website, we also store your IP address and the date and time you registered. This serves to protect us in the event a third party improperly and without your knowledge makes use of your data to sign up for our site. None of this information is transferred to third parties. Nor is any of this information matched to any information that may be collected by other components of our website.

On our website, we offer you the opportunity to contact us, either by email and/or by using a contact form. In such event, information provided by the user is stored for the purpose of facilitating communications with the user. No data is transferred to third parties. Nor is any of this information matched to any information that may be collected by other components of our website.

On our website, we offer you the opportunity to post comments about individual articles. For this purpose, the IP address of the user/internet connection subscriber is stored. This information is stored for our security in the event the author through his/her comments infringes against third party rights and/or unlawful content is entered. Consequently, we have a direct interest in the author’s stored data, particularly since we may be potentially liable for such violations. No data is transferred to third parties. Nor is any of this information matched to any information that may be collected by other components of our website.

On our website, we offer you the opportunity to subscribe to subsequent comments about an article which you intend to comment on. When you choose this option, you will receive a confirmation email which is used to determine if you are the owner of the email address entered. You may at any time revoke your decision to subscribe to such follow-on comments. You will find additional details in the confirmation email. No data obtained in this way is transferred to third parties. Nor is any of this information matched to any information that may be collected by other components of our website.

Our website uses Google Analytics, a web analysis service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, from now on referred to as “Google”. Google Analytics employs so-called “cookies”, text files that are stored on your computer to facilitate an analysis of your use of the site.

The information generated by these cookies, such as time, place and frequency of your visits to our site, including your IP address, is transmitted to Google’s location in the US and stored there.

Google will use this information to evaluate your usage of our site, to compile reports on website activity for us, and to provide other services related to website and internet usage. Google may also transfer this information to third parties if this is required by law or to the extent this data is processed by third parties on Google’s behalf.
Google states that it will never associate your IP address with other data held by Google. You can prevent cookies from being installed by adjusting the settings on your browser software accordingly. You should be aware, however, that by doing so, you may not be able to make full use of all the functions of our website.
Google also offers a disabling option for the most common browsers, thus providing you with greater control over the data which is collected and processed by Google. If you enable this option, no information regarding your website visit is transmitted to Google Analytics. However, the activation does not prevent the transmission of information to us or to any other web analytics services we may use. For more information about the disabling option provided by Google, and how to enable this option, visit https://tools.google.com/dlpage/gaoptout?hl=en

We use the “Google Maps” component on our website in combination with the so-called “Share function”. “Google Maps” is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, from now on “Google.”
Each time this component is called up, Google sets a cookie to process the user configuration and data when the page with the integrated “Google Maps” component is displayed. As a general rule, this cookie is not deleted by closing the browser, but rather expires after a certain time, as long as it is not previously manually deleted by you.
If you do not agree with this processing of your data, you may choose to deactivate the “Google Maps” service and thereby prevent the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case, you will not be able to use “Google Maps” or at least only to a limited extent.
The use of “Google Maps” and the information obtained through “Google Maps” is according to Google’s Terms of Use http://www.google.com/intl/en/policies/terms/regional.html
as well as the additional Terms and Conditions for “Google Maps” https://www.google.com/intl/en_en/help/terms_maps.html.

The Google Maps function also includes the following recommendation buttons:

  • “Google+-Button” from the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA;
  • “Facebook-Button” from the company Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA;
  • “Twitter-Button” from the company Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA.

By calling up the “Google Maps” page, these “Recommendation components” cause the browser you are using to download a corresponding display of the component from the respective provider. In this way, the respective provider mentioned above will be informed about which specific page of our internet site you are currently visiting.
If you are logged in to your personal account with one of the providers mentioned above at the time of calling up the “Google Maps” page, that provider will be able to collect the information obtained from the websites recommended by you as well as your IP address and other browser-relevant information and link it to your respective account.
If you want to prevent this transmission and storage of data by the respective provider about you and your behaviour on our website, you must log out of those providers before you visit our site.
You can find out more about the data collection of the respective providers via the following links:

 

We use the “Google Maps” component of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google.”
Google sets a cookie to process the user configuration and data when the page with the integrated “Google Maps” component is displayed. As a general rule, this cookie is not deleted by closing the browser, but rather expires after a certain time, as long as it is not previously manually deleted by you.
If you do not agree with this processing of your data, you may choose to deactivate the “Google Maps” service and thereby prevent the transfer of data to Google. To do this, you must deactivate the JavaScript function in your browser. However, we would like to point out that in this case, you will not be able to use “Google Maps” or at least only to a limited extent.
The use of “Google Maps” and the information obtained through “Google Maps” is according to Google’s Terms of Use
http://www.google.com/intl/en/policies/terms/regional.html
as well as the additional Terms and Conditions for “Google Maps”
https://www.google.com/intl/en_en/help/terms_maps.html.

In order to protect input forms on our site, we use the “reCAPTCHA” service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter “Google.” By means of this service, it can be distinguished whether the corresponding input is of human origin or is created improperly by automated machine processing.
To our knowledge, the referrer URL, the IP address, the behaviour of the website visitors, information about the operating system, browser and length of stay, cookies, display instructions and scripts, user input behaviour and mouse movements in the “reCAPTCHA” checkbox are conveyed to “Google.”
Google uses the information obtained, among other things, to digitize books and other printed matter as well as to optimize services such as Google Street View and Google Maps (e.g. house number and street name recognition).
The IP address provided as part of “reCAPTCHA” is not merged with other data from Google unless you are logged into your Google Account at the time the “reCAPTCHA” plug-in is used. If you want to prevent this transmission and storage of data by “Google” about you and your behaviour on our website, you must log out of “Google” before you visit our site or before using the reCAPTCHA plug-in.
The use of the “reCAPTCHA” service is according to the Google Terms of Use:
https://www.google.com/intl/en/policies/privacy/.

Our website employs components provided by the network LinkedIn. LinkedIn is a service of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time our website receives an access request equipped with a LinkedIn component, the component prompts your browser to download an image of this component from LinkedIn.
Through this process, LinkedIn is informed exactly which page of our website is being accessed. By clicking the LinkedIn “recommend button” while logged into your LinkedIn account, you can link content from our website to your LinkedIn profile. This allows LinkedIn to associate your visit to our site with your LinkedIn account.
We have no control over the data that LinkedIn collects thereby, nor over the extent of the data that LinkedIn collects. Nor do we have any knowledge of the content of data transferred to LinkedIn. Details on data collection by LinkedIn as well as your rights in this regard and your browser setting options may be obtained from the LinkedIn data privacy policy, which may be accessed at: http://www.linkedin.com/legal/privacy-policy

On our website we use components (videos) of YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a company belonging to Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA.
To this end, we use the “ – enhanced data protection mode – ” option provided by YouTube.
When you display a page that has an embedded video, a connection will be made to the YouTube server, and the content will appear on the website via a communication to your browser.
According to the information provided by YouTube, in “ – enhanced data protection mode – ”, data, in particular which of our websites you have visited, is only transferred to the YouTube server if you watch the video. If you are logged onto YouTube at the same time, this information will be matched to your YouTube member account. You can prevent this from happening by logging out of your member account before visiting our website.
Further information about data protection by YouTube is provided by Google under the following link:
https://www.google.com/intl/en/policies/privacy/

 

We use Vimeo components on our site. Vimeo is a service of Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA. Whenever you visit our website, which is equipped with such a component, this component causes the browser you are using to download a corresponding display of the Vimeo component. When you visit our site and are at the same time logged into Vimeo, Vimeo recognizes, using the information collected by the component, which specific page you are visiting and assigns this information to your personal account at Vimeo. If, for example, you click on the “Play” button or make comments, this information will be conveyed to your personal user account at Vimeo and stored there. Also, the information that you have visited our site will be passed on to Vimeo. This is done regardless of whether you click on the component/comment or not.
If you want to prevent this transmission and storage of data by Vimeo about you and your behavior on our website, you must log out of Vimeo before you visit our site. Vimeo’s Privacy Policy provides more detailed information concerning this, in particular regarding the collection and use of data by Vimeo: https://vimeo.com/privacy

Newsletter Consent

You will be asked to consent to the use of your personal data to receive our newsletter as follows:
“I have read the privacy policy, and I give my consent to data being processed by a service provider located in Europe”.
We use the newsletter to provide you with regular updates about our offers. To receive our newsletter, you will need a valid email address. We will then check the email address entered to ensure that you are actually its owner or that its owner has agreed to receive our newsletter. When you register for the newsletter, we will save your IP address and the date and time of registration. This will be used in case a third party misuses your email address to subscribe to our newsletter without your knowledge.
We will not compare the data collected during newsletter registration with any other data that might be collected by other components of our site.

Newsletter by MailChimp

We use MailChimp to send our newsletter to our subscribers. MailChimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA.
The data stored when you registered for the newsletter (email address, name, IP address, and time and date of registration) will be sent to a server operated by The Rocket Science Group in the United States and stored there following its Safe Harbour Agreement.
Further information about the data protection offered by MailChimp can be found at:
http://mailchimp.com/legal/privacy/
You may cancel your newsletter subscription and revoke your consent to the storage of this data at any time with future effect. For instructions to take this step, please refer to the confirmation email and each newsletter.

Newsletter tracking

Our newsletter includes so-called web bugs that allow us to recognise if and when an email has been opened and which links in the email have been clicked by its recipient.
This data is stored by us so that we can best align our newsletter to the wishes and interests of our subscribers. Accordingly, the data thus collected is used to send personalized newsletters to each recipient.
You will be asked to consent to the use of your personal data as follows:
“I agree that my data and my user responses will be stored electronically by newsletter tracking so that I can receive a personalized newsletter. The revocation of the consent to receive the newsletter constitutes a revocation of the consent for the tracking described above.”
By revoking the consent to receive the newsletter, the consent to the aforementioned tracking is revoked.

On the basis of the Federal Data Protection Act, you may contact us at no cost if you have questions relating to the collection, processing or use of your personal information, if you wish to request the correction, blocking or deletion of the same, or if you wish to cancel explicitly granted consent. Please note that you have the right to have incorrect data corrected or to have personal data deleted, where such claim is not barred by any legal obligation to retain this data.

Imprint

Harmonia by Francesc Miralles

Francesc Miralles | Owner | Plaça de Sant Pere, 6, 3r | 17220 Sant Feliu de Guíxols (Girona) Spain
Phone: +34644958855 | Email: information@byfrancesc.com

VAT identification number 21461196B

Accountability for content: The contents of our pages have been created with the utmost care. However, we cannot guarantee the contents’ accuracy, completeness or topicality. According to statutory provisions, we are furthermore responsible for our own content on these web pages. In this context, please note that we are accordingly not obliged to monitor merely the transmitted or saved information of third parties, or investigate circumstances pointing to illegal activity. Our obligations to remove or block the use of information under generally applicable laws remain unaffected by this. Liability in this regard, however, is only possible from the time of knowledge of a specific infringement. If we become aware of any such infringements, we will immediately remove such content.

Accountability for links: Responsibility for the content of external links (to web pages of third parties) lies solely with the operators of the linked pages. No violations were evident to us at the time of linking. Should any legal infringement become known to us, we will remove the respective link immediately.

Copyright: Our web pages and their contents are subject to Spanish copyright law. Unless expressly permitted by law, every form of utilizing, reproducing or processing works subject to copyright protection on our web pages requires the prior consent of the respective owner of the rights. Individual reproductions of a work are allowed only for private use, so must not serve either directly or indirectly for earnings. Unauthorized utilization of copyrighted works is punishable.

Reuse of articles: To protect against the negative influence of so-called “double content” it is under no circumstances allowed to use the texts of this website on other internet presence. This refers to whole texts, as well as to partial areas of texts. Re-linking is of course welcome. Please note the specifications at the end of each article.

Credits
This website was created on the basis of WordPress and Divi, the famous theme of Elegant Themes. But of course, there’s also a lot of in-house development in use.

The following pictures and vector graphics of Pixabay, Pexels or Unsplash are used completely or partially on this page.

The content and works published on this website are governed by the copyright laws of Spain. Any duplication, processing, distribution or any form of utilisation beyond the scope of copyright law shall require the prior written consent of the author or authors in question.

Francesc J Miralles Garcia (Harmonia) and Mailchimp (Newsletter manager) agreement

This Data Processing Addendum (“DPA”), forms part of the Agreement between The Rocket Science Group LLC d/b/a MailChimp (“MailChimp”) and Francesc J Miralles Garcia (“Customer”) and shall be effective on the date both parties execute this DPA (“Effective Date”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Agreement” means MailChimp’s Terms of Use, which govern the provision of the Services to Customer, as such terms may be updated by MailChimp from time to time.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.

“Customer Data” means any Personal Data that MailChimp processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

“Group” means any and all Affiliates that are part of an entity’s corporate group.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Services” means any product or service provided by MailChimp to Customer pursuant to the Agreement.

“Sub-processor” means any Data Processor engaged by MailChimp or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or members of the MailChimp Group.

2. Relationship with the Agreement

2.1 The parties agree that DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.

2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

2.4 Any claims against MailChimp or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by MailChimp in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce MailChimp’s liability under the Agreement as if it were liability to the Customer under the Agreement.

2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

3. Scope and Applicability of this DPA

3.1 This DPA applies where and only to the extent that MailChimp processes Customer Data that originates from the EEA and/or that is otherwise subject to EU Data Protection Law on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.

3.2 Part A (being Section 4 – 8 (inclusive) of this DPA, as well as Annexes A and B of this DPA) shall apply to the processing of Customer Data within the scope of this DPA from the Effective Date.

3.3 Part B (being Sections 9-12 (inclusive) of this DPA) shall apply to the processing of Customer Data within the scope of the DPA from and including 25th May 2018. For the avoidance of doubt, Part B shall apply in addition to, and not in substitution for, the terms in Part A.

Part A: General Data Protection Obligations

4. Roles and Scope of Processing

4.1 Role of the Parties. As between MailChimp and Customer, Customer is the Data Controller of Customer Data, and MailChimp shall process Customer Data only as a Data Processor acting on behalf of Customer.

4.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to MailChimp; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for MailChimp to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

4.3 MailChimp Processing of Customer Data. MailChimp shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to MailChimp in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and MailChimp.

4.4 Details of Data Processing

(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.

(b) Duration: As between MailChimp and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

(c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of MailChimp’s obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.

(d) Nature of the processing: MailChimp provides an email service, automation and marketing platform and other related services, as described in the Agreement.

(e) Categories of data subjects: Any individual accessing and/or using the Services through the Customer’s account (“Users”); and any individual: (i) whose email address is included in the Customer’s Distribution List; (ii) whose information is stored on or collected via the Services, or (iii) to whom Users send emails or otherwise engage or communicate with via the Services (collectively, “Subscribers”).

(f) Types of Customer Data:

  • (i) Customer and Users: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility);

  • (ii) Subscribers: identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

4.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that MailChimp shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, MailChimp is the Data Controller of such data and accordingly shall process such data in accordance with the MailChimp Privacy Policy and Data Protection Laws.

4.6 Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, MailChimp employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable MailChimp to deploy Tracking Technologies lawfully on, and collect data from, the devices of Subscribers (defined below) in accordance with and as described in the MailChimp Cookie Statement.

5. Subprocessing

5.1 Authorized Sub-processors. Customer agrees that MailChimp may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by MailChimp and authorized by Customer are listed in Annex A.

5.2 Sub-processor Obligations. MailChimp shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause MailChimp to breach any of its obligations under this DPA.

6. Security

6.1 Security Measures. MailChimp shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with MailChimp’s security standards described in Annex B (“Security Measures”).

6.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by MailChimp relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that MailChimp may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

6.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

7. Security Reports and Audits

7.1 Customer acknowledges that MailChimp is regularly audited against SSAE 16 and PCI standards by independent third party auditors and internal auditors, respectively. Upon request, MailChimp shall supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer, so that Customer can verify MailChimp’s compliance with the audit standards against which it has been assessed, and this DPA.

7.2 MailChimp shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm MailChimp’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

8. International Transfers

8.1 Data center locations. MailChimp may transfer and process Customer Data anywhere in the world where MailChimp, its Affiliates or its Sub-processors maintain data processing operations. MailChimp shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.

8.2 Privacy Shield. To the extent that MailChimp processes any Customer Data protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that MailChimp shall be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for any such Customer Data by virtue of having self-certified its compliance with Privacy Shield. MailChimp agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If MailChimp is unable to comply with this requirement, MailChimp shall inform Customer.

8.3 Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 8.2 shall not apply if and to the extent that MailChimp adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under EU Data Protection Laws) outside of the EEA (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Personal Data is transferred).

Part B: GDPR Obligations from 25 May 2018

9. Additional Security

9.1 Confidentiality of processing. MailChimp shall ensure that any person who is authorized by MailChimp to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

9.2 Security Incident Response. Upon becoming aware of a Security Incident, MailChimp shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

10. Changes to Sub-processors

10.1 MailChimp shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.

10.2 Customer may object in writing to MailChimp’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

11. Return or Deletion of Data

11.1 Upon termination or expiration of the Agreement, MailChimp shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent MailChimp is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data MailChimp shall securely isolate and protect from any further processing, except to the extent required by applicable law.

12. Cooperation

12.1 The Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, MailChimp shall (at Customer’s expense) provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to MailChimp, MailChimp shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If MailChimp is required to respond to such a request, MailChimp shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

12.2 If a law enforcement agency sends MailChimp a demand for Customer Data (for example, through a subpoena or court order), MailChimp shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, MailChimp may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then MailChimp shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MailChimp is legally prohibited from doing so.

12.3 To the extent MailChimp is required under EU Data Protection Law, MailChimp shall (at Customer’s expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

Annex A – List of MailChimp Sub-processors

MailChimp uses its Affiliates and a range of third party Sub-processors to assist it in providing the Services (as described in the Agreement). The Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.

Entity Name | Corporate Location
Akamai | Massachusetts, USA
Amazon | Washington, USA
E-Hawk | New York, USA
El Camino | California, USA
FullContact | Colorado, USA
Google | California, USA
Neustar | Virginia, USA
R.R. Donnelley | Illinois, USA
Slack | California, USA
TaskUs | California, USA
Zendesk | California, USA

Annex B – Security Measures

The Security Measures applicable to the Services are described here https://mailchimp.com/about/security/ (as updated from time to time in accordance with Section 6.2 of this DPA).