pdf-html
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Agreement between Cision Ltd. and its affiliates (“Cision”) and the entity entering the Agreement as a customer of Cision’s Services (“Customer”).
1.Definitions
a."Agreement" means the master subscription or services agreement entered into between the parties.
b."Applicable Privacy Laws" means all applicable laws relating to data privacy including the GDPR, the EU Privacy and Electronic Communications Directive 2002/58/EC, the UK Data Protection Act 2018 and the CCPA, each as implemented in each jurisdiction, and any amending or replacement legislation from time to time.
c.“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations.
d."Cision Data" means any data in Cision’s databases that Cision uses in providing Services, excluding Customer Data. This definition of Cision Data is intended to include similarly defined terms in the Agreement such as “Company Data”, “Supplier Data”, or “Brandwatch Data”.
e.“Cision Personal Data" means any personal data included in Cision Data.
f."Customer Data" means data that Customer makes available to Cision for the purpose of
Cision processing that data on Customer’s behalf.
g."Customer Personal Data" means any Personal Data included in Customer Data.
h.“EEA” means the European Economic Area.
i."GDPR" means General Data Protection Regulation ((EU) 2016/679).
j."Restricted Transfer" means a transfer of personal data from the EEA or the UK where such transfer would, in the absence of standard contractual clauses, be prohibited by Applicable Privacy Laws.
k."Security Controls" means the technical and organisational measures as specified in the Agreement or if not so specified then the measures described at https://gdpr.cision.com/technicalorgmeasures.
l."SCCs" means the Standard Contractual Clauses forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 for the transfer of personal data to controllers and/or processors established in third countries under Directive 95/46/EC, and such updated or replacement clauses as the European Commission may approve from time to time.
m.“Sub-Processor” means a third party that Cision engages to Process any Personal Data that
Cision Processes under this DPA, as a processor on Cision’s behalf.
n.The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "data subject" have the meanings given to them in the GDPR or UK Data Protection Act 2018.
o.For clarity, this DPA covers any processing that takes place pursuant to the CCPA. Therefore, the following references in the CCPA have the following meanings in this DPA:
i.“Business” means “Controller”
ii.“Service Provider” means “Processor”
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
iii.“Third Party” means “Sub-Processor”
iv.“Personal Information” means “Personal Data”
v.“Consumer” means “Data Subject”
2.General
a.Controller Data: Cision and Customer are independent controllers of Cision Personal Data and each process this data as a controller. Where Customer receives, or is provided access to, Cision Personal Data from or by Cision, Section 3 applies.
b.Processor Data: Customer is the controller and Cision is the processor of Customer Personal Data. Where Cision processes Customer Personal Data on behalf of Customer, Section 4 applies.
c.Each party will comply with Applicable Privacy Laws when processing personal data under the Agreement.
d.If there is a conflict between this DPA and the Agreement, this DPA prevails.
e.Both parties will implement and maintain appropriate technical and organisational measures to ensure the security of Personal Data including to protect against unauthorised or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal Data.
f.Both parties will take reasonable steps to ensure that the personnel that it authorises to Process Personal Data have committed themselves to appropriate obligations of confidentiality and that access to Personal Data is limited to those individuals who need to have access for the purposes of the Agreement.
g.Amendments: Cision may, at any time on not less than 30 days’ notice, revise this
Addendum so as to incorporate any mandatory SCCs or other terms that are required by any competent data protection authority in the EU or the UK. The parties agree to adopt any necessary replacement or supplemental SCCs as the EC and/or the UK ICO may adopt from time to time. If Customer does not execute such clauses on request by Cision, Cision will be entitled to give not less than 30 days' prior written notice to terminate the Agreement.
3.Cision Data (Controller to Controller relationship)
a.Processing for purposes of the Agreement: Each party will process Cision Personal Data for the purposes of exercising their rights and obligations under the Agreement. Details of the categories of Cision Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part 1
b.International Data Transfers:
i.If there is a Restricted Transfer from the EEA the Customer will be bound by the Controller to Controller SCCs, which are incorporated into this Addendum and will come into effect upon the commencement of the relevant Restricted Transfer.
ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable UK SCCs when the UK Information Commissioner’s Office (“ICO”) approves such clauses. Pending ICO approval, the parties agree to be bound by the Controller to Controller SCCs in accordance with Clause 3.b.i.
iii.For the purposes of the SCCs, the Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part 1 to this DPA.
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
c.Data breach: each party will notify the other without undue delay on becoming aware of a Personal Data breach involving Cision Personal Data or upon receipt of a request or complaint from a Data Subject involving Cision Personal Data.
4.Customer Data: Controller to Processor relationship
a.Written instructions: Cision will process Customer Personal Data only on Customer’s written instructions, as set out in this DPA. Where Applicable Privacy Laws state otherwise, Cision will inform Customer of the legal requirement before Processing, unless that law prohibits this information on important grounds of public interest. Details of the categories of Customer Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part II.
b.Lawful use and instruction: Customer will ensure that its use of the Services and its instructions regarding the Processing of any Personal Data pursuant to this DPA will comply with all Applicable Privacy Laws, and that Cision’s Processing in accordance with the Customer’s instructions will not cause Cision to be in breach of any Applicable Privacy
Laws. Cision will inform the Customer if, in Cision's opinion, the Customer's instructions infringe Applicable Laws.
c.Special Categories of data: Customer will notify Cision if any special categories of data are included within Customer Personal Data. Cision may refuse to process such data or impose any restrictions as are necessary, at the Customer's expense, to enable Cision to comply with its legal and contractual obligations.
d.International Data Transfers:
i.If there is a transfer from Customer (as controller) in the EEA to Cision (as processor) in any third country, the parties agree to be bound by the Controller to Processor SCCs, which are incorporated into this DPA and come into effect should a Restricted Transfer occur.
ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable Standard UK SCCs when the UK ICO approves such clauses. Pending ICO approval, the parties agree to enter into the Controller to Processor SCCs in accordance with Clause 4.d.i.
iii.For the purposes of the SCCs Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part II to this DPA.
iv.Where Cision appoints any Sub-Processor in accordance with Clause 4.g and such appointment involves a Restricted Transfer, Cision may rely on SCCs to legitimise the transfer of Customer Personal Data.
e.Records of Compliance: Cision will maintain complete and accurate records and information to demonstrate its compliance with this Addendum.
f.Audit: Cision will support audits that Customer conducts (either itself or via an external auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is subject to the following conditions:
i.Customer will provide at least 60 days advance written notice of any audit.
ii.any audit may only be conducted during Cision’s normal business hours.
iii.Customer will conduct the audit so as to cause minimal disruption to Cision’s normal business operations.
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
iv.any third-party auditor will enter into direct confidentiality obligations with CIsion which are reasonably acceptable to Cision.
v.any audit will be limited only to Cision’s Processing activities as a Processor, and to such information that is reasonably necessary for Customer to assess Cision’s compliance with the terms of this DPA.
vi.as part of any audit, Customer (or its external auditor) will not have access to Cision’s
Confidential Information.
vii.Customer will reimburse Cision’s reasonable and demonstrable costs and expenses associated with any audit.
viii.Customer agrees to accept a Cision-supplied audit report in lieu of conducting its own audit:
1.if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of the Customer's request and the Company provides written confirmation that there have been no material changes in the controls and systems to be audited or
2.if it is intended that such an audit will be conducted within six months of the request and the Company provides the report of such to the Customer on completion.
g.Sub-processors: Customer authorises CIsion to appoint Sub-Processors in connection with the provision of the Services. A list of Cision’s current Sub-Processors is available at https://gdpr.cision.com/Sub-Processors.
i.Cision will inform the Customer of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Processor and give the Customer the opportunity to object to such changes. Any Sub-Processor Cision engages will be subject to materially equivalent terms regarding data protection as are imposed on CIsion pursuant to this DPA.
ii.Where any Sub-Processor fails to fulfil its obligations regarding data protection, Cision will remain liable for the performance of the Sub-Processor’s obligations, subject to the exclusions and limitations of liability under the Agreement.
h.Data breach: If there is a personal data breach in relation to Customer Personal Data:
i.Cision will cooperate in good faith with the Customer to enable Customer to comply with its obligations under Applicable Privacy Laws.
ii.Cision will notify Customer within 36 hours after becoming aware of a personal data breach (as defined in the Data Protection Legislation).
iii.Cision will assist the Customer in complying with any obligation to notify a supervisory authority of any data breach.
i.Data subject rights: Taking into account the nature of the Processing and the information available, Cision will provide reasonable and appropriate assistance to the Customer
(subject to payment of Cision’s reasonable and demonstrable costs and expenses), where possible, in relation to the Customer’s fulfilment of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under the Data Protection Legislation where Cision Processes such individuals’ Personal Data pursuant to this DPA.
j.Termination:
i.If Cision is in breach of any of its obligations under this DPA, Customer may instruct Cision to temporarily suspend the processing of Customer Personal Data pending the
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
remedy of such breach and may instruct Cision to terminate the processing of Customer Personal Data if such breach is not remedied.
ii.According to requirements as described in Cision’s Records Retention policy, or at the written direction of the Customer, Cision will delete Customer Personal Data unless required by Applicable Privacy Laws to retain the Customer Personal Data.
5.Miscellaneous
a.Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
b.Governing law: The governing law of the Agreement applies to this DPA, except that the Controller to Processor SCCs and Controller to Controller SCCs are governed by the law of the country in which the relevant data exporter is established.
Runtime Collective |
Crimson |
Limited |
Hexagon, Inc. |
Signature: |
Signature: |
Name: Dylan Marvin |
Name: Dylan Marvin |
Title: |
Chief Legal Officer |
Title: |
Chief Legal Officer |
Date: |
May 27, 2021 | 05:41 PDT |
Date: |
May 27, 2021 | 05:41 PDT |
Cision US Inc. |
Canada Newswire |
|
|
Group Limited |
Signature: |
Signature: |
Name: |
Matt Royack |
Name: |
Matt Royack |
Title: |
Deputy General Counsel |
Title: |
Deputy General Counsel |
|
Date: |
May 27, 2021 | 06:49 PDT |
Date: |
May 27, 2021 | 06:49 PDT |
Cision Group |
Cision France SA |
Limited |
|
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Prime Research AG
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Cision
Germany GmBH
Signature:
Name:
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
PRN Asia
Signature:
Name: Matt Royack
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Cision Portugal
SL
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Prime
Germany GmBH
Signature:
Name:
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Prime Brazil
Signature:
Name: Matt Royack
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Falcon.io US, Inc.
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Falcon.io ApS
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Customer name:
Customer address:
Signature:
Name:
Title:
Date:
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Unmetric Tech.
Private Ltd.
Signature:
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Annex 1 - Processing Information
Processing, Personal Data, and Data Subjects
Part 1: Cision Personal Data (Cision as Data Controller)
Nature and Purpose |
Customer may process Cision Data as necessary to receive the Services and |
|
of processing |
comply with its obligations under the Agreement. |
|
|
|
|
Duration of the |
Customer may process Cision Data for the duration of the Agreement, unless |
|
processing |
otherwise agreed by the parties. |
|
|
|
|
Types of personal |
Name, title, position, email address, business phone number, mobile phone |
|
data |
number, employer, social media handles, Information that has been made |
|
|
public by data subjects themselves, such as identification data (e.g., name, |
|
|
username, social media handle, geographic location) and media (e.g., images, |
|
|
audio and videos). |
|
|
|
|
Categories of data |
Individual media contacts including journalists and other media 'influencers' |
|
subject |
and Individuals publishing information publicly on the Internet, including social |
|
|
media users, bloggers and web content writers. |
|
|
|
|
Part 2: Customer Personal Data (Cision as Data Processor) |
|
|
Nature and Purpose |
Cision may process Customer Personal Data as necessary to perform the |
of processing |
Services and comply with its obligations under the Agreement. |
|
|
Duration of the |
Cision may process Customer Data for the duration of the Agreement, unless |
processing |
otherwise agreed by the parties. |
|
|
Types of personal |
Name, title, position, employer, email address, business phone number, mobile |
data |
phone number, social media handles, professional life data (which may include |
|
data related to historical employment history, data related to skills, awards, or |
|
interests, or other data relating to professional life), Personal life data, which |
|
may include data about interests, likes, dislikes, or other data relating to |
|
personal life), location data and media (e.g., images, audio and videos). |
|
|
Categories of data |
Customer’s own prospects, clients, partners, or vendors; Individual media or |
subject |
government affiliated contacts provided by Customer; Employees or contact |
|
persons of the Customer; Individual authors who publish data on social media |
|
platforms, blogs, internal or external messaging platforms, and other parts of |
|
the internet. |
|
|
|
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
|
Annex 2 - Transfer Information |
Part 1 – Cision Personal Data |
|
|
|
The Data Exporter |
Cision or any other Cision Affiliate which exports data under the |
|
Agreement |
The Data Importer |
Customer |
Data Subjects |
the data subjects are those individuals whose Personal Data is |
|
contained in the Cision Personal Data that Customer Processes as part |
|
of receiving the Services. |
Purposes of the Transfer |
the purpose of the transfer is to permit the Customer to process the |
|
Cision Personal Data in accordance with the Agreement. |
|
|
Categories of Data |
the categories of Personal Data are set out in Annex 1, Part II to this |
|
DPA |
Recipients |
the recipients of the Personal Data are as specified in the Agreement, |
|
which usually includes the Customer’s employees, contractors, |
|
consultants, and customers. |
Special Categories of Data |
the Special categories of Personal Data are set out in Annex 1, Part II to |
|
this DPA (note: Special Categories are not collected intentionally) |
Applicable law |
the law of the country in which the data exporter is established. |
|
|
Technical Measures of the |
technical and organisational measures as specified in the Agreement |
Company (Appendix 2) |
or if not so specified then the measures described at |
|
https://gdpr.cision.com/technicalorgmeasures. |
Cision Contact Point for |
privacy@cision.com |
Data Protection Inquires |
|
|
|
Customer Contact Point for |
as specified in the Agreement. |
Data Protection Inquires |
|
|
|
Part 2 – Customer Personal Data |
|
|
The Data Exporter |
Customer |
The Data Importer |
Cision or any other Cision Affiliate which imports data under the |
|
Agreement |
Data Subjects |
the categories of data subjects are set out in Annex 1, Part I of this |
|
DPA. The Customer as the data exporter controls the type and extent |
|
of the Personal Data that Cision processes. |
Purposes of the Transfer |
to permit Cision to process the Customer Personal Data in accordance |
|
with the Agreement |
|
|
Categories of Data |
the categories of Personal Data are set out in Annex 1, Part I to this |
|
DPA). as the Customer acknowledges that as controller and exporter |
|
the Customer controls the type and extent of the Personal Data that |
|
may be transferred to Cision as a Processor. |
Recipients |
the recipients of the Personal Data are as specified in the Agreement, |
|
which usually includes Cision and any other Cision affiliates and any |
|
Cision sub-processors. |
DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Special Categories of Data |
the Data Exporter may submit special categories of Personal Data to |
|
Cision, the extent of which the data exporter controls and determines |
|
in its sole discretion. Any special categories of Personal Data are set |
|
out in Annex 1, Part I to this DPA. |
|
|
Applicable law |
the law of the country in which the data exporter is established. |
|
|
Technical Measures of |
technical and organisational measures as specified in the Agreement |
Cision |
or if not so specified then the measures described at |
|
https://gdpr.cision.com/technicalorgmeasures. |
Cision Contact Point for |
privacy@cision.com |
Data Protection Inquires |
|
|
|
Customer Contact Point for |
as specified in the Agreement |
Data Protection Inquires |
|
|
|