Agreement of International Transfer of Personal Data

Agreement of International Transfer of Personal Data for the case of Personal Data Assignment under Brand Protection Program of Mercado Libre

Between, on the one hand, Mercado Libre (hereinafter, the “Data Exporter”) and on the other hand, Member of Brand Protection Program of Mercado Libre (the “Data Importer”), jointly, the “parties”, enter into this Agreement of International Transfer of Personal Data, under the terms and conditions established herein.

Clause 1) Definitions

For the purposes of this agreement, the terms listed below shall be construed as follows:    

“Personal Data”, “Sensitive Data”, “Data Processing”, and “Data Subject” shall have the same meaning as laid down in Data Protection Laws.

“Authority” or “Supervisory Authority” shall mean:

  • Argentina: Agencia de Acceso a la Información Pública
  • Brazil: Autoridade Nacional de Proteção de Dados
  • Colombia: Superintendencia de Industria y Comercio
  • Costa Rica: Agencia para la Protección de Datos de la Persona
  • México: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos
  • Nicaragua: Dirección de Protección de Datos Personales
  • Panamá:  Autoridad Nacional de Transparencia y Acceso a la Información
  • Perú: Dirección General de Transparencia, Acceso a la Información Pública y Protección de Datos Personales
  • Uruguay: Unidad Reguladora y de Control de Datos Personales

“Data Exporter” shall mean the person responsible for the Data Processing transferring Personal Data.

“Data Importer” or “person in charge of Data Processing” shall mean the service provider as per Data Protection Laws, domiciled outside the Data Exporter’s country of establishment, receiving Personal Data from the Data Exporter to be handled pursuant to the terms herein.

“Data Protection Laws” shall mean the General Data Protection Law (LGPD) 13.709/2018 of Brazil, Federal Law on Protection of Personal Data Held by Individuals of Mexico, Law 25.326 of Argentina, Law 1.581 of Colombia, Law 18.331 of Uruguay, Law 29.733 of Perú, Law 172 of Dominican Republic, Law 8.968 of Costa Rica, Law 81 of Panamá, Law 787 of Nicaragua, Law 19.628 of Chile and any associated regulations or instruments and any other applicable Data Protection Laws, regulations or regulatory requirements.

Clause 2) Specific features and data processing purpose

The purpose and further specific details of the data transfer shall be specified in Annex A, which is part of this agreement. 

Clause 3) Data Exporter Obligations

The Data Exporter agrees and warrants that:

a) The personal data have been and will continue to be collected, processed and transferred in accordance with Data Protection Laws; and it has notified the data subject that their personal data may be transferred to a third country with levels of data protection lower than those in place in the data exporter’s country of establishment´s law.

b) If the data subject exercises the rights vested by Data Protection Laws with regard to the processing of personal data as established in this agreement, in particular the data subject’s rights to access, rectify and suppress data and further rights contemplated in Data Protection Laws, the Data Exporter shall answer to such exercise by observing the statutory period and making available the means for such purpose. The Data Exporter shall answer the inquiries pursued by data subjects and authorities regarding the Data Importer’s processing of personal data within the period established by Data Protection Laws.

c) It has used reasonable efforts to determine that the Data Importer is able to satisfy its legal obligations hereunder. To such end, the Data Exporter may request the Data Importer to hire liability insurance for possible damages caused as a result of the intended data processing.

Clause 4) Obligations of the Data Importer

The Data Importer agrees and warrants that:

a) It shall have in place safety and confidentiality measures which may be necessary and effective to avoid any data forgery, loss or unauthorized inquiry or processing, and which may allow to detect any deviation (either voluntary or not), whether the risks were caused by human action or by the technical means employed, verifying that such measures are not inferior to those required under the legislation in force, so as to ensure a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

b) It shall establish procedures ensuring that the data transferred shall be only accessed through staff especially authorized to do so (upon defining access levels and passwords), who shall comply with the duty of keeping such information confidential and safe and subscribe agreements to that effect.

c) It has no reason to believe that the local legislation prevents it from fulfilling obligations, warranties and principles under the agreement with relation to data processing and the data subjects’ rights, and that it will promptly notify any change to the Data Exporter as soon as it is aware of any such provision.

d) It shall process personal data for the purposes described in Annex A.

e) It shall identify to the Data Exporter a contact point within its organization authorized to respond to inquiries concerning processing of the personal data, and will cooperate in good faith with the Data Exporter, the data subject and the authority concerning all such inquiries within the statutory period. In case of legal dissolution of the Data Exporter, or if the parties have so agreed, the Data Importer will assume responsibility for compliance with the provisions of paragraph b) of clause 3.

f) At the request of the data exporter or the authority, it will make available all the documentation related to the processing of the data, for its review, audit or certification, in order to determine if the guarantees and commitments provided in this agreement are fulfilled;

g) It shall process personal data pursuant to Data Protection Laws.

h) It will promptly notify the Data Exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited by the applicable legislation (to the extent that said request does not stray beyond what is necessary in a democratic society as per the instructions in the subsection below, paragraph 2); (ii) any accidental or unauthorized access; and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so.

i) It shall not disclose nor transfer personal data to third parties save when the disclosure is required by law or any competent authority, to the extent that said request does not stray beyond what is necessary in a democratic society (e.g. when the request represents a necessary measure to safeguard the national security and defense, public security, and the prevention, investigation, detection and repression of criminal or administrative offences, or to protect data subjects or the rights and freedoms of other people).

Upon receiving the request mentioned above in item i), the Data Importer shall immediately: a) verify that the requesting authority offers adequate guaranties in relation to the performance of the provisions in Data Protection Laws, and of the rights vested on data subjects regarding access, rectification, suppression and further rights contained in Data Protection Laws, except in the following cases and conditions (as per Data Protection Laws): i) as prescribed by law or by means of a well-grounded decision based on national defense, public order, and safety grounds or the protection of rights and interests of third parties; ii) by means of a justified decision (with notice thereof given to the affected party), when such information could hinder pending judicial or administrative proceedings relating to the compliance with obligations subject to state control and related to public order, including: tax or social security obligations, the performance of health and environment control functions, the investigation of crimes and the verification of administrative violations —notwithstanding the foregoing, access to the relevant records must be given at the time the affected party is to exercise his or her defense rights; and b) in case the authority fails to grant or offer the guaranties indicated in item a) above, the legislation of the Data Exporter’s country of establishment shall prevail and, therefore, the Data Importer shall proceed to suspend data processing in said country, returning the data to the Data Exporter as per the instructions given by the latter, and the Data Exporter shall notify the Supervisory Authority.

j) It shall deal with the requests received from the data subject (or, when applicable, from the Data Exporter whenever it acts upon request of the data subject) related to the rights vested by Data Protection Laws on the processing of personal data provided herein —in its capacity as third-party beneficiary—, and, in particular, to the data subject’s rights to access, rectify and suppress data and further rights contained in Data Protection Laws, observing statutory periods and making available the means to such end. The Data Importer shall respond to inquiries by data subjects and authorities —also in their capacity as third-party beneficiaries— regarding the Data Importer’s processing of personal data within the period established by Data Protection Laws, independently other agreement between the parties as to which party should answer such inquiries.

k) It shall destroy (and certify that it has done so) the personal data transferred, upon the occurrence of any of the following circumstances: 1) termination of this agreement; 2) inability to comply with the provisions in Data Protection Laws; 3) termination of the purpose of the data transfer. If, at that moment, the national legislation or local rules applicable to the Data Importer prevented it from returning or destroying such data either in full or in part, the Data Importer undertakes to inform about the legal term established, to maintain such information confidential, and to refrain from submitting such data to processing again. If said preservation period is contrary to the personal data protection principles applicable to the case, the transfer shall not be resumed, and the contract shall be terminated for constituting an event of default. If any of the circumstances is verified during the performance of the agreement, the agreement shall be terminated, and the data shall be returned to the Data Exporter as per the instructions directed by the latter.

It shall keep a record on the compliance with the obligations undertaken in this clause, which report shall be available upon request of the Data Exporter or the authority.

Clause 5) Liability and Third-party Beneficiaries

a) Each party shall be liable against the data subjects for the damages caused by the negative effect of the rights acknowledged herein under the terms of Data Protection Laws, the regulatory standards thereof and the substantial law of the Data Exporter’s country of establishment.

b) Data subjects may require the Data Importer, in their capacity as third-party beneficiaries, the compliance with the provisions in Data Protection Laws in relation with the processing of their personal data, pursuant to the obligations and responsibilities undertaken by the parties hereunder, particularly those connected to the rights to access, rectify and suppress data and further rights contained in Data Protection Laws. To such end, the parties submit to the jurisdiction of the Data Exporter’s country of establishment, both for court and administrative procedures. In cases where the Data Importer’s noncompliance is invoked, the data subject may require the Data Exporter to seek appropriate legal actions to end such noncompliance.

c) The Data Importer accepts that the Supervisory Authority shall exercise its powers regarding the data processing undertaken, with the restrictions and the powers vested by Data Protection Laws, accepting its powers to control and to impose penalties and granting, for such purpose and as adequate, the capacity of third-party beneficiary. Audit works may be performed either by the Supervisory Authority’s staff or by third parties suitable for the work and appointed for such act, or by local authorities with similar competence, in collaboration with the authority.

The Data Importer shall inform without delay to the Data Exporter if the current legislation applicable to the Data Importer or any sub-processor forbids the performance of audits on the Data Importer or the sub-processors.

d) If the Data Importer revokes or fails to comply with the rights and powers acknowledged in favor of third-party beneficiaries in this clause (despite the Data Exporter’s demand granting a peremptory term of FIVE (5) business days), said event shall cause the automatic termination of this Agreement.

e) The parties do not object to a data subject being represented by an association or other body permitted by Data Exporter’s country of establishment’s law.

Clause 6) Governing law and venue

This agreement shall be governed by the Data Protection Laws, the regulatory standards thereof and further rules issued by the Supervisory Authority; and any dispute related to the protection of Personal Data shall be heard by the court and administrative jurisdiction of the Data Exporter’s country of establishment

Clause 7) Resolution of Conflicts with Data Subjects or the Authority

a) In case of dispute or claim filed against one or both parties by a data subject or the authority regarding the processing of personal data, one of the parties shall inform the other about such situation, and both parties shall cooperate to reach a solution as soon as possible and within the terms established by Data Protection Laws, actively participating in any mandatory procedure.

b) The parties agree to attend to any mediation procedure brought by a data subject or the authority. Should they decide to participate in such non-binding procedure, they may do so remotely (for example, by phone or other electronic means).

Each party undertakes to abide by any decision rendered by any court with jurisdiction or by any authority entitled to render final decisions against which no further appeal is possible.

Clause 8) Contract Termination

a) In the event that the Data Importer fails to comply with the obligations under these clauses, the Data Exporter must temporarily suspend the transfer of personal data to the Data Importer until the breach is remedied within a peremptory period established according to the severity of the breach, notifying this fact to the Authority of Control 

b) The agreement shall be deemed terminated, and the Data Exporter shall declare such termination, with prior intervention by the Supervisory Authority, in case that: i) the transfer of personal data to the Data Importer has been temporarily suspended by the Data Exporter for longer than THIRTY (30) calendar days pursuant to paragraph (a); ii) compliance by the Data Importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import; iii) the Data Importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses; iv) a final decision against which no further appeal is possible of a court of the Data Exporter’s country of establishment or of the Supervisory Authority rules that there has been a breach of the clauses by the Data Importer or the data exporter; or v) the Data Exporter, without prejudice to any other rights which it may have against the Data Importer, shall be entitled to terminate these clauses when: a petition is presented for the administration or winding up of the Data Importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed; a company voluntary arrangement is commenced by the Data Importer; or any equivalent event in any jurisdiction occurs. In cases covered by (i), (ii), or (iv) above the Data Importer may also terminate these clauses without the intervention of the Supervisory Authority.

c) The parties agree that the termination of this agreement for whatever reason shall not exempt them from the obligations and conditions hereunder as regards the processing of the personal data transferred.

 

ANEXO A

DESCRIPTION OF THE TRANSFER

1. Categories of data subjects whose Information will be transferred: Mercado Libre Users, reported by the Data Exporter in the Brand Protection Program.

2. Nature and categories of personal data that may be transferred: Identifying and contact data, such as:

  • first name,
  • last name,
  • e-mail,
  • telephone number,
  • country,
  • address,
  • CUIT/DNI.

3. Purpose of the processing: to collaborate with the Data Exporter so that it may exercise its intellectual or industrial property rights outside Mercado Libre's platform and to facilitate the resolution of disputes.

 

Was the information helpful?