This Data Processing Addendum (“DPA”) supplements the Snap One Authorized Dealer Agreement (the “Agreement”) entered into between Dealer and Snap One, LLC (“Snap One” or “Processor”) governing your role as a Snap One dealer (including Control4 and Triad dealers) and your use of Snap One’s products and services, including its remote management services, such as OvrC and Control4 Composer Pro (the “Services”). This DPA is an agreement between you and the entity you represent (“Customer”, “you”, or “your”) and Snap One, and includes Appendix 1 (EU Commission Standard Contractual Clauses) and Appendix 2 (UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, attached hereto.
If you have questions about this DPA, please contact your sales representative or email email@example.com.
“Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means the Authorized Dealer Agreement or Authorized Distributor Agreement, as well as Snap One’s online terms (available at https://snapone.com/legal) entered into between Snap One and Customer under which Services are provided by Snap One to Customer. This includes Control4 and Triad dealers.
“Authorized Affiliate” means Customer's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Services pursuant to the Agreement between Customer and Snap One; and (c) have not signed their own Agreement with Snap One and are not "Customers" as defined under this DPA.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller.
“Customer” means the entity that signed the Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer’s Personal Data transmitted, stored, or otherwise Processed.
“Data Protection Laws” means any applicable law, statute, law, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Agreement, including the laws of the European Union, the UK Data Protection Act 2018, the GDPR, all as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Agreement.
“Data Subject” means the individual within the European Economic Area and the United Kingdom to whom Personal Data relates for GDPR purposes.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means data about a specific natural person within the European Economic Area or the United Kingdom from which that person is identified or identifiable, as defined in the GDPR, which is provided by or on behalf of Customer and Processed by Snap One pursuant to the Agreement.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, Snap One, including its Affiliates, is the Processor.
“Products” means Products manufactured or produced by Snap One and sold to you, including the connected features and firmware that are built into certain of the Products, enabling them to integrate to a household, business or wider network, to interact with other devices, as well as any websites and apps we operate and any online accounts that end users may create with us.
“Regulator” means any Supervisory Authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
“Services” means the services that are ordered and/or used by the Customer from Snap One involving the Processing of Personal Data on behalf of the Customer.
“Standard Contractual Clauses” means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as attached as an Appendix to this Agreement.
“Sub-processor” means any Processor engaged by Snap One to Process Personal Data on behalf of Snap One.
This DPA supplements the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.
3. Data Processing
Roles of the Parties. This DPA applies when Customer Personal Data is processed by Snap One on behalf of the Customer. In this context, Snap one will as Processor to Customer, who will act as Controller of Customer Personal Data.
DPO. The Parties, to the extent required by the GDPR, will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by Data Protection Laws. You may contact Snap One’s DPO at DPO@SnapOne.com.
4. Controller Obligations
Instructions. Customer warrants that the instructions it provides to Snap One pursuant to this DPA will comply with Data Protection Laws.
Data Subject and Regulator Requests. Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Customer Personal Data made to Customer, in accordance with Data Protection Laws. To the extent such requests or communications require Snap One’s assistance, Customer shall immediately notify Snap One in writing of the Data Subject’s or Regulator’s request.
Notice, Consent, and Other Authorisations. Customer agrees that the Personal Data it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorisations. Upon Snap One’s request, Customer shall provide all information necessary to demonstrate compliance with these requirements.
5. Details of Processing Activities
Subject Matter. The subject matter of the data processing under this DPA is Customer Personal Data.
Duration. As between Snap One and the Customer, as long as Customer remains a Customer, the duration of the data processing under this DPA is determined by the Customer.
Purpose. The purpose of the data processing under this DPA is the provision of Services to Customer.
Nature of the Processing. The nature of the processing is as set forth in the Agreement.
Type of Data. The type of data involved is Customer Personal Data processed by Snap One per a Customer’s request or use of Snap One’s services. This may vary depending on Customer type and need.
Categories of Data Subjects. Data Subjects may include Customer’s end-users (potential, current, and former end-users), employees, and service providers.
Obligations and Rights of Snap One and Snap One Affiliates. The obligations and rights of Snap One and Snap One Affiliates are set out in the Agreement and this DPA.
6. Processor Obligations Supplementing the Standard Contractual Clauses
Scope of Processing. The parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Snap One’s Processing of Customer Personal Data. Snap One will Process Customer Personal Data only in accordance with those instructions. Additional instructions outside the scope of those instructions (if any) require prior written agreement between Snap One and Customer for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Snap One declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA (except that all fees for products and services provided shall be paid and no refunds shall be granted due to such termination). Snap One may make reasonable effort to inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Customer Personal Data could infringe on any Data Protection Laws. In the event Snap One must Process or cease Processing Customer Personal Data for the purpose of complying with a legal obligation, Snap One will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
Disclosure to Third Parties. Except as expressly provided in this DPA, Snap One will not disclose Customer Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Customer Personal Data, to the extent legally permissible and practicable, Snap One will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
GDPR Articles 32-36. Taking into account the nature of the Processing and the information available to Snap One, Snap One will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
7. Contracting with Sub-processors
Customer hereby gives its general authorisation for Snap One to engage new Sub-processors in connection with the processing of the Personal Data as set forth in clause 9 of the Standard Contractual Clauses. A list of Snap One’s current Sub-processors is available here. Customer may reasonably object to the addition of any new Sub-processor, in which case Snap One will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-processor. If Snap One is unable to provide an alternative, Customer may terminate the Services and shall pay Snap One any fees or expenses not yet paid for all services provided pursuant to any Agreement.
8. Transfers Outside of the European Economic Area
Transfer. Customer acknowledges that Snap One may, without Customer’s prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognised by the European Commission as affording the Personal Data an adequate level of protection or (ii) the transfer is otherwise safeguarded by mechanisms, such as Standard Contractual Clauses and other certification instruments, recognised and approved by the European Commission from time to time.
Standard Contractual Clauses. If Customer’s use of the Services involves Customer’s transfer of Personal Data from the United Kingdom or European Economic Area to Snap One in the United States, then (i) by entering into this DPA, the Parties are deemed to be signing such Standard Contractual Clauses, including each of its applicable Annexes and (ii) such Standard Contractual Clauses form part of this DPA and take precedence over any other provisions of this DPA to the extent of any conflict.
Scope. Snap One will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Snap One may limit the scope of information made available to Customer if Customer is a Snap One competitor, provided that such limitation does not violate Data Protection Laws or the Standard Contractual Clauses. Customer’s inspection rights under this DPA do not extend to Snap One’s employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
Process. Subject to thirty (30) days prior written notice from Customer and at the Customer's sole expense (including all reasonable costs and fees for any and all time Snap One expends on such audit, in addition to the rates for services performed by Snap One), Snap One and Customer shall mutually agree to appoint a third-party auditor to verify that Snap One is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to Snap One. Audits and inspections will be carried out at times determined by Snap One. Customer shall be entitled to exercise this audit right no more than once every twelve (12) months. Customer shall not be entitled to an on-site audit of Snap One’s premises without demonstrating a compelling need for such an on-site audit. The Parties shall mutually agree upon the duration of the audit.
Confidentiality. All information obtained during any such request for information or audit will be considered Snap One’s confidential information under the Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Snap One’s confidential information. The third-party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
10. Obligations Post-Termination
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
11. Liability and Indemnity
Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement.
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.