Privacy Annex for MINDBODY Services
Last Updated Date: April 2, 2018
This Privacy Annex (“Annex”) is an annex to the overhead agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail. To the extent that MINDBODY acts as a Processor to You as a Controller, in relation to Your Data originating from the EEA, the following terms apply.
1. Compliance with Your instructions
MINDBODY may only process Personal Data in connection with its performance of Services pursuant to the Agreement, or as otherwise instructed by You or required by applicable law. The subject-matter, duration, nature and purpose of the Processing, types of Personal Data and categories of individuals will be the same as for the relevant Services to which the Processing relates. MINDBODY may aggregate or anonymize Your Data for the purpose of product or service improvements, data science and reporting.
MINDBODY will implement commercially reasonable technical and organizational measures for the MINDBODY Services that are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access. As of the Effective Date, MINDBODY has implemented the measures set out in the Security Policy to this Annex. MINDBODY will notify You of a data security incident as set out in the Security Policy.
Upon Your request, up to once a year, MINDBODY will provide to You a copy of a self-certification confirming that MINDBODY complies with the material requirements set out in this Annex. Such self-certification will be MINDBODY’s Confidential Information.
MINDBODY will provide You reasonable assistance to allow You, at Your sole costs, to demonstrate Your compliance with obligations pursuant to this Annex in respect of notifying Personal Data Breaches to a Supervisory Authority and individuals and conducting Data Protection Impact Assessments.
MINDBODY will notify You of requests received directly from individuals in relation to the Processing of their Personal Data, unless prohibited from doing so under applicable law. MINDBODY may, but is not required to, acknowledge receipt of such request and ask additional questions to determine the identity and nature of the request, or may refer such request and individual to You directly, and provide You with reasonable assistance in meeting the request in a timely manner.
You are solely responsible for providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the Processing of Personal Data pursuant to the Agreement and this Annex.
You agree that MINDBODY may use Sub-Processors to assist MINDBODY in Processing Personal Data for the performance of the Services, provided that:
- (a) MINDBODY imposes no less stringent duties on such Sub-Processors regarding security and confidentiality of Personal Data as those set out in this Annex.
- (b) MINDBODY remains responsible to You for the performance of the relevant Services by the Sub-Processor, and
- (c) MINDBODY maintains a list of such Sub-Processors, and provides You with reasonable notice of any addition of Sub-Processors. In order to receive such notice, You may be required to sign up to a notification procedure. You accept to sign up to such procedure if so requested and that Your failure to do so may result in missing the deadline to object to new Sub-Processors. You may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor in the delivery of the relevant Services through providing notice (via the appropriate channel set out in the Agreement) of objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Data or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection within five (5) business days, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance or trying to make the Services available without the involvement of such Sub-Processor.
To the extent that the Services involve a transfer of Personal Data originating from the EEA to a MINDBODY Affiliate or Sub-Processor located in a country outside the EEA that had not received an adequacy decision by the EU Commission, such transfer will be governed by a valid transfer mechanism recognized under EEA law to facilitate transfers. Without limitation, MINDBODY is certified to the EU/Swiss-US Privacy Shield Principles, a copy of which certification is available at the following link. For the purpose of this section, You hereby grant MINDBODY (and its relevant Affiliates) a mandate to enter, in your name and on your behalf, as data exporter, into Controller to Processor Standard Contractual Clauses with the relevant MINDBODY Sub-Processor as data importer.
8. Return and Deletion of Personal Data
Upon termination or expiration of the Services, MINDBODY will make available to You Personal Data maintained by MINDBODY for a duration of three (3) months to allow You to retrieve where reasonably technically feasible your Personal Data in a commonly used format set out by MINDBODY. After such period, MINDBODY will destroy or otherwise render inaccessible, at our discretion, such Personal Data from the production environment of the Services, except as may be required by law. Actions set out in this section are at Your sole cost.
We may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our websites. If you continue using the Services after any changes, it means you have accepted them. If you do not agree to any material changes, you must stop using the Services, and you can terminate your account by emailing ClientCare@mindbodyonline.com.
10. Key definitions
Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement.
- 10.1 “Controller”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Process/Processing”, “Processor”, and “Supervisory Authority” have the meaning set out in the GDPR.
- 10.2 “Controller to Processor Standard Contractual Clauses”, means Standard Contractual Clauses adopted by the EU Commission pursuant to its decision C(2010)593 (as updated or replaced from time to time).
- 10.3 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland;
- 10.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- 10.5 “Personal Data” means Your Data to the extent that it relates to an identified or identifiable natural person.
- 10.6 “Sub-Processors” means third party organizations that MINDBODY engages for the Processing of the Personal Data and which do not act under MINDBODY’s direct authority.