GDPR Compliance and Data Protection Addendum
When working in the jurisdiction of and/or for a Client subject to the EU General Data Protection Regulations, the following additional terms apply to the Agreement:
- Working on behalf of nonprofits, GoodUnited acts as both a data processor and joint controller for data. As GoodUnited acts as a data controller, it is responsible for Client personal data. Jeremy Berman (jeremy@goodunited.io) is the named data manager and is responsible for overseeing questions relating to this Exhibit B.
- GoodUnited, when posting content on behalf of Client, will always make clear to an individual the experience they are opting into at the point of promotion.
- Explicit consent is required to subscribe to an experience following all best practices and any local legal and/or regulatory requirements.
- Once an individual is subscribed to an experience, the lawful basis for ongoing communication is the individual subscriber's consent to continue receiving the experience they are subscribed to. Any communication outside the original experience or agreed-to terms will be subject to a separate and explicit consent statement.
- Consent can be withdrawn at any time by typing ‘stop’ or ‘unsubscribe’ and/or manually by an agent at the request of an individual.
- Where personal data is requested/captured:
  - Communication will make clear the purpose for which the data is being requested/captured
  - Captured data is only used for the purpose for which it was captured
- Special category data will only be requested from individuals:
  - Where Client has requested it
  - Where GoodUnited has established the lawful basis to do so under Article 6 of the GDPR and a separate condition for processing under Article 9 of the GDPR.
- Where GoodUnited is made aware that special category data has been inadvertently collected outwith the conditions set out in Article 7.2 of the GDPR:
  - GoodUnited will immediately destroy said data under its jurisdiction
  - GoodUnited will notify Clients of any special category data they may have received as a result of data transfer that may need to be destroyed
- GoodUnited does not store conversation histories from subscribers. Histories are held within the related third-party platform, such as the Facebook inbox, and are therefore under the jurisdiction of the third-party platform ‘business owner’, namely the Client.
- GoodUnited will comply with the rights of individuals under the GDPR on request from an individual and/or Client.
- GoodUnited will comply with the data retention policies under the GDPR and all individuals who unsubscribe from experiences will have all their data deleted after 90 days via automation.
- Some GoodUnited external third-party providers are based outside of the EEA, so the processing of personal data will involve a transfer of data outside of the EEA. Whenever GoodUnited transfers your personal data out of the EEA, GoodUnited will ensure a similar degree of protection is afforded by ensuring at least one of the following safeguards is implemented:
  - Data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  - Data is only transferred to certain service providers; GoodUnited may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.