Data Processing Addendum - Users
Last updated: September 27, 2021
In order to provide the Services to its users (“User” or “you”), Wix.com Ltd. (together with its affiliated companies and subsidiaries worldwide (“Wix”) processes data of customers or visitors of the Users’ site or services (herein: “Users-of-Users”). The processing of such data by Wix is hereinafter referred to as “Processing”. The following Data Processing Addendum (“DPA”) sets forth the terms of such Processing by Wix.
To the extent Users-of-Users Information is Processed by Wix on your behalf you acknowledge and agree that Wix will process Users-of-Users Information as necessary to provide you with the Services and as further detailed herein, and by using the Wix Services, you instruct Wix to process such Users-of-Users Information on your behalf pursuant to this DPA.
For the purpose of this DPA, the following terms have the following meaning
“Adequate Country” means, as applicable (i) with respect to the EEA, a country outside the EEA that is designated as a country that is deemed to ensure an adequate level of protection by the European Commission in accordance with Article 45 of the GDPR. For the purpose of this DPA, “EEA” means the member states of the European Union as well as Iceland, Liechtenstein and Norway; and (ii) with respect to the UK and/or Switzerland, a third country outside the UK or Switzerland (as applicable) that offers an adequate level of protection to data pursuant to an adequacy decision published by the relevant data protection authority
“Data Protection Laws” means all privacy and data protection laws and regulations applicable to Processing of Personal Data of natural persons under this DPA in connection with the Wix Services, including the European Union Regulation 2016/679 (the “GDPR”) and the national law of the applicable EEA member state that implements the GDPR, and California Civil Code Section 1798.100-1798.199 (the “CCPA”), the UK General Data Protection Regulation (the “UK GDPR”) (as applicable), and any laws or regulations ratifying, implementing, adopting, or supplementing such laws; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
The terms “Controller”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor”, as used in these DPA, shall have the meanings given to them in the GDPR and shall be meant to include any different but similar term used in any other Data Protection Laws.
“Jurisdiction Specific Terms” means terms and conditions that apply to Users who are subject to certain additional jurisdiction-specific data protection laws, as specified in Schedule 1 of this DPA.
“Standard Contractual Clauses” or the “Standard Clauses” means the EU Standard Contractual Clauses as approved by the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en) (in each case, as applicable while taking into consideration the nature and roles of the data exporter and data importer).
"Wix Security Documentation" means the technical and organisational measures Wix deploys and maintains to protect Users-of-Users Information, as detailed in the Wix Security Measures Overview (or as otherwise made reasonably available by Wix), all as may be updated from time to time.
B. PROCESSING OF USERS-OF-USERS INFORMATION BY WIX
Roles of the Parties. You acknowledge and agree that with regard to the Processing of Users-of-Users Information performed on your behalf, (i) you are the Controller and Wix is the Processor of such of such Users-of-Users Information; and (ii) for the purposes of the CCPA (if applicable), you are the “Business” and Wix is the “Service Provider” (as such terms are defined in the CCPA).
Details of the Processing by Wix. Wix will process Users-of-Users Information in order to provide the Services in accordance with the Agreement and this DPA. The nature and purposes of the Processing, its duration, the types of Personal Data Processed and categories of Data Subjects are further specified in Schedule 2 (Details of the Processing) to this DPA.
Processing by Wix. When Wix Processes Users-of-Users Information on your behalf in the course of providing the Service, Wix shall:
Process Users-of-Users Information only for the following purposes: (i) provisioning the Services to you in accordance with the Agreement and this DPA (including any applicable Jurisdiction Specific Terms), (ii) in accordance with your reasonable documented instructions in this DPA and as may subsequently be instructed by you, to the extent your instructions are compatible with the Services and this DPA; and (iii) as required under the laws applicable to Wix or subject to a competent authority's requirement, provided that if Wix is required by law to Process your Users-of-Users Information for any other purpose, Wix will provide you with prior notice of this requirement, unless Wix is prohibited by law from providing such notice.
Ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and have committed themselves to confidentiality.
Implement reasonable technical and organizational measures to enable you to comply with Data Subject Requests (as defined below) that you are obligated to fulfil.
Processing by you. When using the Wix Service, you shall:
Ensure that your submission of Personal Data to Wix, your instructions for the Processing of Users-of-Users Information by Wix, and your processing of Users-of-Users Information in your use of the Services will comply with Data Protection Laws.
Establish and have any and all required consents, legal bases and authorizations in order to collect, use and otherwise process and transfer to Wix the Users-of-Users Information, and to authorize the Processing by Wix, and for Wix’s Processing activities on your behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.
Have sole responsibility for the accuracy, quality, and legality of Users-of-Users Information and the means by which it was obtained.
Be solely responsible for any transfer of Users-of-Users Information by you (or any other person operating on your behalf) to any platform other than Wix, or any other third party.
General Authorization for use of Sub-processers. You hereby grant Wix a general authorization to engage sub-processors to Process your Users-of-Users Information in order to provide the Wix Services without obtaining any further written, specific authorization from you, subject to the following conditions:
Wix will restrict the sub-processor’s access to Users-of-Users Information only to what is necessary to provide the Services, and will prohibit sub-processors from processing Users-of-Users Information for any other purpose.
Wix’s use of any specific sub-processor to process Users-of-Users Information shall comply with applicable Data Protection Laws and Jurisdiction Specific Terms (if any) and will be governed by a contract between Wix and such sub-processor that sets forth a level of protection and security to Users-of-Users Information comparable to this DPA.
Wix shall remain liable to you under applicable Data Protection Laws and Jurisdiction Specific Terms for any breach of this DPA that is caused by an act, error, or omission of its sub-processors.
Current Sub-processors and Notification of Sub-processor Changes. A current list of sub-processors engaged by Wix and Wix subsidiaries that may Process Users-of-Users Information is available at https://support.wix.com/en/article/list-of-wixs-sub-processors (“Wix Sub-processor List”). This list contains a mechanism for you to subscribe to notifications concerning appointment or replacement of a sub-processor. Upon your first use of the Services, you acknowledge and deem authorized the Wix Sub-Processor List effective as of the date of such first use.
If you subscribe to such notifications, Wix will provide you, via your subscribed email, with details of any change of its sub-processors as soon as reasonably practicable, and, in any event will notify you no less than seven (7) days prior to such change.
Objection Right for new Sub-processors. You may reasonably object to the appointment or replacement of a sub-processor by Wix on documented reasonable grounds relating to data protection, by submitting a written and reasoned objection to Wix at firstname.lastname@example.org within seven (7) days from the receipt of a change notification in accordance with the mechanism detailed in the previous clause.
In such an event, Wix may, in its sole discretion, choose to use commercial reasonable efforts (but is not required to) make available to you an alternative solution to avoid the Processing of your Users-of-Users Information by the new Sub-processor you objected to. Until Wix makes a decision concerning your objection, Wix may be required to temporarily suspend the Processing of the related Users-of-Users Information, including, if required for this matter, suspend or limit access to your User Account or suspend or limit certain features of the Services offered to you.
If Wix finds that it is unable to resolve your objection or to provide you with such alternative solution, within thirty (30) days from receipt of your valid reasoned objection, as determined in Wix’s full and sole discretion (with no obligation to provide any reasoning), you may, as a sole remedy, discontinue the use of the affected Service(s) by providing written notice to Wix. Such discontinuation will be without prejudice to any fees incurred by you prior to the discontinuation of the affected Services and you will have no further claims against Wix in connection with the discontinuation of the affected Service(s). If no objection has been raised to the replacement or appointing a new sub-processor within the above mentioned time frame, Wix will deem you to have authorized the new sub-processor.
D. SECURITY AND SECURITY NOTIFICATIONS
Security Measures. Wix has implemented and will maintain industry-standard technical and organizational security measures as required to appropriately ensure the protection of Users-of-Users Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Users-of-Users Information, and the confidentiality and integrity of Users-of-Users Information, including those measures set forth in the Wix Security Documentation.
These measures shall be appropriate to the harm which might result from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Users-of-Users Information, and the nature and scope of the Users-of-Users Information which is to be protected.
Your responsibility. You are responsible for reviewing the information Wix makes available regarding its data security, and making an independent determination as to whether the Wix Services meet your needs, requirements and legal obligations, including your obligations under applicable Data Protection Laws to ensure the appropriate level of security when using the Wix Services, taking into consideration any risks with respect to Users-of-Users Information.
You are further responsible for properly configuring the Wix Services and using features and functionalities made available by Wix to maintain appropriate security in light of the nature of the data processed by your use of the Wix Services. By using any of Wix’s Services, you agree to the adequacy of the organizational, technical and security measures implemented by Wix to protect the Users-of-Users Information. Some of those measures are referred to in the Wix Security Documentation.
Security Notifications. Wix will, to the extent permitted by applicable law, notify you without undue delay, after becoming aware of any Personal Data Breach that affects your Users-of-Users Information, as required under applicable Data Protection Laws. Wix shall use reasonable efforts to include in such notifications relevant information concerning: the nature of the related breach, the scope and type of affected records and affected Data Subjects, anticipated consequences and details about any remediation and other measures that Wix has taken and/or intends to take to mitigate any potential negative effects of such breach.
You acknowledge that Wix’s notification concerning a Personal Data Breach shall not be deemed or construed as an acknowledgement by Wix of any fault or liability with respect to such incident.
You also acknowledge that in the event of a Personal Data Breach, you may also be obligated to take measures required under applicable Data Protection Laws in connection with your Users-of-Users Information.
E. DATA SUBJECT REQUESTS AND RELATED ASSISTANCE
Data Subject Requests. Wix shall promptly notify you if Wix receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), unless Wix is legally prohibited from doing so. Wix shall assist you, in a timely manner, to the extent you, in your use of the Service, do not have the ability to address a Data Subject Request, by the appropriate measures and, as reasonably possible (considering the nature of the relevant Processing), in the fulfilment of your obligation to respond to a Data Subject Request under applicable Data Protection Laws, unless Wix is legally prohibited from doing so.
Records. Wix will keep records of its Processing in compliance with applicable Data Protection Laws and provide you with necessary records to demonstrate compliance upon reasonable request.
Data Protection Impact Assessment Upon your request, Wix will provide you with reasonable cooperation and assistance needed to fulfil your obligation under the GDPR to carry out data protection impact assessments and consultations with the competent supervisory authority in relation to your use of the Service, where, in your reasonable judgement, the Processing performed by Wix is likely to result in a high risk to the rights and freedoms of natural persons, and to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to Wix.
Further Assistance. Upon your reasonable written request, at reasonable intervals (no more than once every 12 months) and subject to confidentiality (if applicable) undertakings by you, Wix will
Make available to you: (a) reports, certifications or extracts thereof where available from a source charged with auditing Wix’s data protection practices to enable you to assess Wix’s compliance with the terms of this DPA; (b) Information necessary to demonstrate your compliance with your obligations under this DPA and applicable Data Protection Laws; and/or (c) a copy of Wix most recent third-party certifications that Wix has attained, as set forth in the Wix Security Documentation.
Allow for and contribute to audits, including inspections, conducted by you or by an independent auditor mandated by you (at your cost); provided, that: (a) access will take place only during business hours; (b) findings shall be restricted only to data relevant to you; (c) such audits, inspections and the results therefrom, (i) shall only be used by you to assess compliance with this DPA, and not for any other purpose, and (ii) shall not be disclosed to any third party without Wix’s prior written approval; and (c) Upon Wix’s request, you will return to Wix all records or documentation in your possession or control provided by Wix in the context of the audit and/or the inspection. In the event of such audit or inspection, you shall be responsible to ensure that you (and each of your mandated auditors) will not cause any damage, injury or disruption to Wix’s premises, equipment, personnel, services and business, as applicable, while conducting such audit or inspection.
Costs. Subject to applicable Data Protection Laws, to the extent any assistance described in this Section E entails material costs or expenses to Wix, the parties shall first come to agreement on your reimbursement to Wix of such costs and expenses.
Notwithstanding the forgoing, Wix may retain Users-of-Users Information (or a portion of it), if required under the Agreement or by applicable law or regulation (including applicable Data Protection Laws); provided such Users-of-Users Information remains protected in accordance with the terms of this DPA and applicable Data Protection Laws.
F. INTERNATIONAL TRANSFERS
General. You acknowledge that Wix may Process Users-of-Users Information anywhere in the world so long as it complies with applicable Data Protection Laws, applicable Jurisdiction Specific Terms and this DPA.
Appropriate Safeguards for Cross Border Data Transfers from the EEA, Switzerland and the United Kingdom. Wix shall only transfer Users-of-Users Information from the EEA, Switzerland and the United Kingdom (“UK”), using the applicable mechanisms required to ensure that the relevant cross-border transfer is in compliance with applicable Data Protection Laws, as follows:
Transfers to Wix.com Ltd. Users-of-Users Information that Wix receives and Processes is initially transferred by you and/or the applicable Data Subject to Wix.com Ltd. in Israel under the European Commission’s adequacy decision 211/61/EU.
Onward Transfers to Adequate Countries. Onward transfers of Users-of-Users Information by Wix to a recipient operating on Wix’s behalf that is located in an Adequate Country will be conducted under the applicable adequacy decision published by the relevant data protection authority (with no need for any other safeguard).
Onward Transfers to Wix Sub-contractors in Other Countries. Any onward transfer of Users-of-Users Information by Wix to a recipient operating on Wix’s behalf that is located in a third country outside the EEA, the UK, and Switzerland shall be conducted by either: (i) entering into the Standard Clauses or any similar mechanism approved by the competent authority in the EU, UK or Switzerland; or (ii) ensuring that other appropriate safeguards pursuant to Article 46 of the GDPR or any equivalent provision in the applicable Data Protection Law are in place.
Onward Transfers at Your Instructions. In case of a transfer to a third party that is not a sub-processor of Wix, which is conducted by Wix at your instructions, or by you in accordance with an agreement between you and such third-party (which Wix is not a party to), you shall be solely responsible for the transfer of Users-of-Users Information and its compliance with applicable laws.
If the applicable transfer mechanism is amended, replaced, or otherwise invalidated, Wix shall enter into any updated version of such mechanism or any alternative mechanism endorsed by the applicable competent authority.
This DPA shall be in effect for as long as you use any of the Wix Services; provided, however, that in the event Wix is obligated, according to the terms of this DPA or the Agreement, to keep Users-of-Users Information following the termination of the Services, this DPA shall remain in effect for as long as Wix holds Users-of-Users Information.
You acknowledge and agree that Wix may amend this DPA as may be required from time-to-time, by posting the relevant amended and DPA on Wix’s website, available at https://www.wix.com/about/privacy-dpa-users and any amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted constitutes your agreement to, and acceptance of, the amended DPA.
If any provision of this DPA deemed by a court of competent jurisdiction to be invalid, unlawful, void, or for any reason unenforceable, then such provision shall be deemed severable and will not affect the validity and enforceability of the remaining provisions.
Any questions regarding this DPA should be addressed to the Wix Data Protection Officer at email@example.com. Wix will attempt to resolve any complaints regarding the use of your Users-of-Users Information in accordance with this DPA and the Agreement.
This DPA was written in English and may be translated into other languages for your convenience. If a translated (non-English) version of this DPA conflicts in any way with its English version, the provisions of the English version shall prevail.
Schedule 1 – Data Protection Laws
California. Applicable Data Protection Laws and Jurisdiction Specific Terms for California Residents:
The definition of “Data Protection Law” includes the CCPA.
The definitions of “Personal Data”, “Data Subject”, “Controller” and “Processor” includes the definitions “Personal Information”, “Consumer”, “Business”, and “Service Provider”, respectively, all as defined under CCPA.
Wix will process, retain, use, and disclose personal information only as necessary to provide its Services, which constitutes a business purpose.
Wix agrees not to: (i) sell (as such terms is defined under the CCPA) Personal Data (including Users-of-Users Information); (ii) retain, use, or disclose Personal Data (including Users-of-Users Information) for any commercial purpose (as defined by the CCPA) other than providing the Services; or (iii) retain, use, or disclose Users-of-Users Information outside of the scope of the Agreement.
Wix certifies that its sub-processors, as described in Article C of the DPA, are Service Providers under CCPA, with whom Wix has entered into a written contract that includes terms ensuring at least the same level of protection and security as those set out in this DPA.
Wix will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Article D of this DPA.
Schedule 2 – Details of User-of-User Information Processing
Nature and Purpose of Processing. We may use your User-of-User Information for the following purposes (and tasks related to such purposes), all in accordance with the Agreement and in a way that is proportionate and that respects your and your Users-of-Users privacy rights:
Providing you with the Services;
Acting upon your instructions, including providing you with professional assistance, only upon your request; provided your instructions are consistent with the terms of this DPA and the Services;
Performing and enforcing the Agreement and this DPA and other contracts executed by and between us (if any)), and defending Wix’s rights;
Preventing, investigating and mitigating data security risks and incidents, fraud, errors and/or illegal or prohibited activities;
Complying with applicable laws and regulations;
Duration of Processing. Prior to the termination of your use of the Services, Wix will process your User-of-User Information in accordance with this DPA and the Agreement until you elect to delete such User-of-User Information (or part thereof) on your own, directly through our Services, as you are the solely responsible for deleting your User-of-User Information via the Services. Upon such termination, deletion of your Users-of-Users Information will be handled by Wix in accordance with Section 16 (Deletion of Users-of-Users Information) of this DPA.
Type of Personal Data. Subject to your content restriction obligations under this DPA and the Agreement, you may submit Users-of-Users Information to the Service, in scope and nature that is controlled and determined solely by you.
Categories of Data Subjects. Subject to your content restriction obligations under this DPA and the Agreement, you may submit Users-of-Users Information to the Service, which may include (but is not limited to), Personal Data relating to the following categories of Data Subjects, all as controlled and determined solely by you: Your existing and prospective employees, candidates, agents, consultants, freelancers, business partners and/or sub-contractors (and their respective employees, contact persons, agents, etc.), who are natural persons;(ii) your existing and prospect customers and end users (and their respective employees, contact persons and agents), who are natural persons; and (iii) any other third party individual with whom you decide to engage through the Service.