Data Protection Addendum

LAST UPDATED: JUNE 23, 2023

DealerX may process Personal Data on behalf of Company and/or its Affiliates, and DealerX agrees to comply with the terms of this Addendum with respect to any such Personal Data. All terms used in this Addendum shall have the meaning specified in the Agreement unless otherwise defined herein. For the purposes of this Addendum, the following terms are defined as follows:

• 1. Definitions.
  • a. “Business Purpose”, “Sell” and “Share” shall have the meanings given to such terms in the California Consumer Privacy Act of 2018, Cal. Civil. Code 1798.100 et seq., as amended or superseded from time to time (including the California Privacy Rights Act of 2020), and any regulations promulgated thereunder (“CCPA”).
  • b. “Privacy Laws” means all laws, in any jurisdictions worldwide, that relate to (i) the confidentiality, processing, privacy, information security, protection, obligation to provide data breach notifications, transfer or trans-border data flow of Personal Data, or customer information, or (ii) electronic data privacy; whether such laws are in place as of the effective date of the Agreement or come into effect during the term. Privacy Laws include but are not limited to the CCPA.
  • c. “Subprocessor” means any person (including DealerX’s Affiliates and any other third parties) appointed by or on behalf of DealerX to process Personal Data in connection with the provision of Services.
• 2. Use Limitation. DealerX shall process Personal Data on behalf of Company in furtherance of one or more enumerated Business Purposes under applicable law and comply with the obligations applicable to it under the CCPA, including providing the same level of privacy protection with respect to such Personal Data as is required by the CCPA. If DealerX determines that it can no longer meet its obligations under the CCPA with respect to Personal Data, DealerX will notify Company. Furthermore, DealerX shall not (i) Sell or Share Personal Data (ii) retain, use, or disclose Personal Data for any purpose other than performing the Services for Company as specified in the Agreement; (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Company and DealerX; and (iv) combine Personal Data with personal data that it receives from, or on behalf of, another entity, or collects from its own interaction with data subjects except as permitted under applicable law. DealerX certifies that it understands the foregoing restrictions. Company shall have the right to take reasonable and appropriate steps to help ensure that DealerX processes Personal Data in a manner consistent with Company’s obligations under the CCPA, including without limitation the right, upon reasonable advanced notice, to stop and remediate any unauthorized processing of Personal Data.
• 3. Compliance with Privacy Laws. DealerX shall comply with all applicable Privacy Laws and provide Company, at Company’s expense, with all assistance as Company may reasonably require to comply with applicable Privacy Laws.
• 4. Subprocessors. DealerX shall not subcontract any of its responsibilities with regard to any Personal Data or otherwise allow a Subprocessor access to any Personal Data unless Company has approved such Subprocessor. The Subprocessors that are currently authorized to access and process Personal Data are listed at https://dealerx.com/subprocessors/ (the “Subprocessor List”). This URL may change if DealerX updates its website or its Company-facing documentation. Company may receive notice of new Subprocessors by subscribing to the Subprocessor List update email list at https://dealerx.com/data-inquiries/ (a “Subprocessor List Update”), or by sending an email to privacy@dealerx.com. If DealerX engages a new Subprocessor, DealerX will notify Company via the Subprocessor List Update and give Company the opportunity to object to such Subprocessor. If, within thirty (30) days of notice of a new Subprocessor, Company notifies DealerX in writing of any objections (on reasonable grounds) to the new Subprocessor, the parties will work together to find a mutually agreeable solution. If no mutually agreeable solution is achieved, Company may immediately, and notwithstanding anything contrary in the Agreement, terminate the Agreement, subject to all applicable provisions in this Addendum and the Agreement. Company acknowledges that if it does not notify DealerX within thirty (30) days of a notice of a new Subprocessor, Company will be deemed to approve new Subprocessor. For any Subprocessors that Company has approved: (i) DealerX shall ensure that, prior to allowing a Subprocessor to process Personal Data, DealerX has exercised appropriate due diligence in selecting such Subprocessor to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement; (ii) DealerX shall remain fully responsible and liable for all acts, omissions, and work performed by any of its Subprocessors, including its Subprocessors’ compliance with the terms and conditions of this Addendum and applicable Privacy Laws; and (iii) DealerX shall ensure that the arrangements with Subprocessors are governed by a written contract including terms that impose similar obligations as those set out in this Addendum and meet the requirements of applicable Privacy Laws.
• 5. Data Subject Requests. In order to enable Company to fulfill its duties under the applicable Privacy Law, DealerX will promptly notify Company if DealerX or any Subprocessor receives any complaint, inquiry or request (including requests made by data subjects to exercise their rights pursuant to CCPA) related to Company’s or DealerX’s obligations under applicable Privacy Laws or DealerX’s and/or Subprocessors’ processing of Personal Data on behalf of Company. DealerX will not, and will ensure that Subprocessors will not, respond to such complaints, inquires and/or requests except on the documented instructions of Company. DealerX will assist Company by implementing appropriate technical and organizational measures, providing Company with all necessary cooperation, assistance and information as may be reasonably required for the purpose of responding to, or otherwise fulfilling Company’s obligations under Privacy Law in relation to, such complaints, inquires and/or requests.
• 6. Data Breach. In addition to any data or security breach notification obligations under the Agreement, DealerX shall notify Company without undue delay and in any event within seventy-two (72) hours after DealerX or any Subprocessor becomes aware of an actual or reasonably suspected Personal Data breach affecting Personal Data, providing Company with sufficient information to allow Company and/or Company’s Affiliates as appropriate to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such Personal Data breach under Privacy Laws. Such notification shall at a minimum: (i) describe the nature of the Personal Data breach, categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) describe the likely consequences of the Personal Data breach; and (iv) describe the measures taken or proposed to be taken by DealerX to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects. DealerX shall take prompt steps to remedy the Personal Data breach and mitigate any harmful effects, and shall, and shall ensure that Subprocessors shall, co-operate with Company and take such reasonable steps as are directed by Company to assist in any subsequent investigation, litigation, provision of notices, and mitigation and remediation of each such Personal Data breach.