Privacy Annex for Mindbody Services
Last Updated:
This Privacy Annex (“Annex”) is an annex to the agreement which refers to this Annex as being applicable between the Parties (“Agreement”). If there are any conflicts or inconsistencies between (1) this Annex and the Agreement, the provisions of this Annex prevail, or (2) this Annex and the applicable Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses apply to the extent a conflict exists. To the extent that Mindbody acts as a Processor or Service Provider to you as a Controller or Business (or such analogous terms), in relation to Your Data, each of us agrees that we will comply with our obligations under applicable data protection law, including the GDPR, the CCPA, and the UK Data Protection Laws, and the following terms apply.
1. Compliance with your instructions
Mindbody may only process Personal Information in connection with its obligations and rights under the Agreement, or as otherwise instructed by you in writing or required by applicable law. The subject-matter, duration, nature and purpose of the processing, types of Personal Information and categories of individuals will be the same as for the relevant Services to which the processing relates and are set out in the Agreement. Mindbody will not Sell or Share Personal Information. Mindbody may de-identify, pseudonymize or aggregate Your Data for the purposes set forth in the Agreement.
2. Self-Certification
Mindbody self-certifies that it understands the restrictions on its use, processing, disclosure and retention of any Personal Information provided by you or on your behalf, and that we process on your behalf.
3. Compliance Requests
Upon written request, and no more than once per twelve-month period, Mindbody will provide you with a copy of a self-certification confirming that Mindbody complies with the applicable requirements of Article 28.3(h) of the GDPR and Section 1798.100(d)(3) of the CCPA. Such self-certification will be Mindbody’s Confidential Information. The Parties acknowledge and agree that such self-certification, where applicable, will satisfy Article 28.3(h) of the GDPR and Section 1798.100(d)(3) of the CCPA.
4. Security
Mindbody will implement commercially reasonable technical and organizational measures for the Services that are designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, disclosure or access.
5. Assistance
Mindbody will provide reasonable assistance to allow you, at your cost, to notify affected individuals and applicable regulatory authorities upon discovery of a data breach or security incident where compromise of Personal Information is confirmed, and to support your compliance with obligations under the GDPR to conduct DPIAs, or similar requirements under other applicable data protection law.
6. Individual Requests
To the extent required by applicable law, Mindbody will make timely notification to you of requests received directly from individuals in relation to the processing of their Personal Information. Mindbody will acknowledge receipt of such request and implement commercially reasonable processes in accordance with applicable data protection laws to verify the identity of the requestor and the nature of the request. Mindbody may refer such request and individual to you directly, and provide you with reasonable assistance in meeting the request in a timely manner. Should Mindbody determine it is unable to comply with such request, it will notify the verified requestor, or you, that it is unable to provide a response, and the reason(s) for not responding to part or all of the subject request.
You are solely responsible for complying with the obligations of a controller or business under applicable data protection laws, including as applicable providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the processing of Personal Information pursuant to the Agreement and this Annex.
7. Sub-Processors
You agree that Mindbody may use Sub-Processors to assist Mindbody in processing Personal Information for the performance of the Services, provided that:
7.1 Mindbody imposes duties on such Sub-Processors regarding privacy, security and confidentiality of Personal Information that are no less stringent than those set out in this Annex;
7.2 Mindbody remains responsible to you for the performance of the relevant Services by the Sub-Processor;
7.3 With respect to Personal Information subject to the GDPR and UK GDPR, Mindbody maintains a list of such Sub-Processors in Section 23 of its Privacy Policy. In order to receive notice of any change to this list, you must request to subscribe to the Sub-Processor notification list by clicking here. You accept that failure to join the list may result in missing the deadline to object to new Sub-Processors. As allowed by applicable law, you may within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objective justifiable grounds related to the ability of such Sub-Processor to protect the Personal Information or comply with data protection requirements applicable to Sub-Processor. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processors’ compliance.
8. International Transfers
To the extent that the Services involve a transfer of Personal Information, Mindbody will comply, as the Processor, with its obligations under applicable law to facilitate such transfers through adoption of an adequate transfer mechanism as set out below. With respect to any Restricted Transfer, Mindbody and you hereby enter into Module 2 of the Standard Contractual Clauses, set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the relevant data protection laws, which are expressly incorporated herein and take effect in the event of such transfer, and:
8.1 Clause 7 – Docking clause of Module 2 of the Standard Contractual Clauses shall apply;
8.2 Clause 9 – Use of subprocessors of Module 2 of the Standard Contractual Clauses Option 2 (general authorization) shall apply and the “time period” shall be 5 days in accordance with the Sub-Processor Clause in this Privacy Annex;
8.3 Clause 11(a) – Redress of Module 2 of the EU Standard Contractual Clauses: the optional language shall not apply;
8.4 Clause 17 – Governing law of Module 2 of the Standard Contractual Clauses “Option 1” shall apply and the “Member State” shall be Ireland;
8.5 Clause 18 – Choice of forum and jurisdiction of Module 2 of the Standard Contractual Clauses: the Member State shall be Ireland;
8.6 Annex 1 of Module 2 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant information of the Parties executing the Agreement, the Order Form and this Annex. Further: (1) the data subjects, categories of data, special categories of data and processing operations and, as applicable, retention periods are set forth on the Mindbody Data Processing Schedule for the relevant Services to which the processing relates; (2) the frequency of the transfer is continuous; (3) the period for which the data will be retained is set forth in the Agreement; and (4) data importer may transfer data to its Sub-Processors for the duration of the Services for storage, hosting, computing or similar support services;
8.7 The competent supervisory authority shall be consistent with the member state specified through Clause 13; and
8.8 Annex 2 of Module 2 of the Standard Contractual Clauses shall refer to the Security Policy.
With respect to any Personal Information subject to a UK Restricted Transfer, Controller acting on Controller’s own behalf and as agent for each Controller Affiliate (each as “data exporter”) and Mindbody acting on its own behalf and as agent for each Sub-Processor (each as “data importer”) enter into the UK Standard Contractual Clauses (Controller to Processor) as amended by the Commissioner for the UK Data Protection Laws, which are expressly incorporated herein and published here. If at any time the UK Government approves the Standard Contractual Clauses for use under the UK Data Protection Laws, then the Standard Contractual Clauses shall apply (and shall replace the UK Standard Contractual Clauses), in respect of any UK Restricted Transfers, subject to any modifications to the Standard Contractual Clauses required by the UK Data Protection Laws (and subject to the governing law of the UK Standard Contractual Clauses being English law and the supervisory authority being the Information Commissioner’s Office (“Commissioner”)). Appendix 1 and 2 to the Standard Contractual Clauses shall be deemed to be pre-populated with the information set forth on the Mindbody Data Processing Schedule.
With respect to any Restricted Transfer of Personal Information subject to data protection laws other than those of the EEA or the UK, the data importer(s) will comply mutatis mutandis with the terms of the Standard Contractual Clauses applicable to the ‘data importer’, the terms ‘Member State’ and ‘State’ are replaced throughout by the word ‘jurisdiction,’ and ‘supervisory authority’ will mean the relevant data protection regulator or other government body with authority to enforce Data Protection Laws.
To the extent any Clauses are superseded by new or amended standard contractual clauses (“Amended Clauses”), the Amended Clauses will be expressly incorporated herein upon Mindbody’s written notice to you at least 30 days prior to Mindbody’s proposed effective date of the Amended Clauses, and the Amended Clauses shall take effect and be binding upon the Parties as of such effective date, unless you provide written notice of your objection to Mindbody prior to the effective date.
9. Key definitions
Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.
9.1 “Business” and “Service Provider” have the meaning set out in the CCPA.
9.2 “CCPA” means the California Consumer Privacy Act.
9.3 “Controller” and “Processor” have the meaning set out in the GDPR.
9.4 “EEA” means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of this Annex, Switzerland.
9.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
9.6 “Parties” means Company and Mindbody.
9.7 “Personal Information” means data that relates to or about an identified or identifiable natural person or, where applicable, household as defined under relevant law, which is provided by you or on your behalf, and that we process on your behalf, pursuant to the Agreement. This may include information such as name, postal address, telephone number, email address, or unique online identifiers.
9.8 “Restricted Transfer” means a transfer of Your Data by or to Mindbody or a Sub-Processor, in each case, where such transfer would be prohibited by applicable data protection laws in the absence of the applicable Standard Contractual Clauses, including transfers of Your Data from within the EEA to the United States.
9.9 “Sell” and “Share” have the meaning set out in the CCPA.
9.10 “Standard Contractual Clauses” means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of personal data, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or recognized by the European Commission pursuant to Article 46 of the GDPR, or by another relevant competent authority under other relevant Data Protection Laws and Regulations.
9.11 “Sub-Processors” means third party organizations that Mindbody engages for the Processing of the Personal Information and which do not act under Mindbody’s direct authority.
9.12 “UK Data Protection Laws” means the (UK) Data Protection Act 2018 and other data protection or privacy legislation in force from time to time in the United Kingdom.
9.13 “UK Restricted Transfer” means a transfer of Your Data from the United Kingdom to a country that has not been deemed to have adequate safeguards within the meaning of the UK Data Protection Laws and which would be prohibited in the absence of the UK Standard Contractual Clauses.
9.14 “UK Standard Contractual Clauses” means the Standard Contractual Clauses (processors) set out in Decision 2010/87/EC as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
10. Full Force and Effect
All other terms and conditions in the Agreement shall remain in full force and effect.
11. Changes
Mindbody may make changes to this Annex from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our Websites. If you continue using the Services after any changes, such changes will be deemed accepted.