pdf-html

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement between Cision Ltd. and its affiliates (“Cision”) and the entity entering the Agreement as a customer of Cision’s Services (“Customer”).

1.Definitions

a."Agreement" means the master subscription or services agreement entered into between the parties.

b."Applicable Privacy Laws" means all applicable laws relating to data privacy including the GDPR, the EU Privacy and Electronic Communications Directive 2002/58/EC, the UK Data Protection Act 2018 and the CCPA, each as implemented in each jurisdiction, and any amending or replacement legislation from time to time.

c.“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations.

d."Cision Data" means any data in Cision’s databases that Cision uses in providing Services, excluding Customer Data. This definition of Cision Data is intended to include similarly defined terms in the Agreement such as “Company Data”, “Supplier Data”, or “Brandwatch Data”.

e.“Cision Personal Data" means any personal data included in Cision Data.

f."Customer Data" means data that Customer makes available to Cision for the purpose of

Cision processing that data on Customer’s behalf.

g."Customer Personal Data" means any Personal Data included in Customer Data.

h.“EEA” means the European Economic Area.

i."GDPR" means General Data Protection Regulation ((EU) 2016/679).

j."Restricted Transfer" means a transfer of personal data from the EEA or the UK where such transfer would, in the absence of standard contractual clauses, be prohibited by Applicable Privacy Laws.

k."Security Controls" means the technical and organisational measures as specified in the Agreement or if not so specified then the measures described at https://gdpr.cision.com/technicalorgmeasures.

l."SCCs" means the Standard Contractual Clauses forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 for the transfer of personal data to controllers and/or processors established in third countries under Directive 95/46/EC, and such updated or replacement clauses as the European Commission may approve from time to time.

m.“Sub-Processor” means a third party that Cision engages to Process any Personal Data that

Cision Processes under this DPA, as a processor on Cision’s behalf.

n.The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "data subject" have the meanings given to them in the GDPR or UK Data Protection Act 2018.

o.For clarity, this DPA covers any processing that takes place pursuant to the CCPA. Therefore, the following references in the CCPA have the following meanings in this DPA:

i.Business” means “Controller”

ii.“Service Provider” means “Processor”

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

iii.“Third Party” means “Sub-Processor”

iv.“Personal Information” means “Personal Data”

v.“Consumer” means “Data Subject”

2.General

a.Controller Data: Cision and Customer are independent controllers of Cision Personal Data and each process this data as a controller. Where Customer receives, or is provided access to, Cision Personal Data from or by Cision, Section 3 applies.

b.Processor Data: Customer is the controller and Cision is the processor of Customer Personal Data. Where Cision processes Customer Personal Data on behalf of Customer, Section 4 applies.

c.Each party will comply with Applicable Privacy Laws when processing personal data under the Agreement.

d.If there is a conflict between this DPA and the Agreement, this DPA prevails.

e.Both parties will implement and maintain appropriate technical and organisational measures to ensure the security of Personal Data including to protect against unauthorised or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal Data.

f.Both parties will take reasonable steps to ensure that the personnel that it authorises to Process Personal Data have committed themselves to appropriate obligations of confidentiality and that access to Personal Data is limited to those individuals who need to have access for the purposes of the Agreement.

g.Amendments: Cision may, at any time on not less than 30 days’ notice, revise this

Addendum so as to incorporate any mandatory SCCs or other terms that are required by any competent data protection authority in the EU or the UK. The parties agree to adopt any necessary replacement or supplemental SCCs as the EC and/or the UK ICO may adopt from time to time. If Customer does not execute such clauses on request by Cision, Cision will be entitled to give not less than 30 days' prior written notice to terminate the Agreement.

3.Cision Data (Controller to Controller relationship)

a.Processing for purposes of the Agreement: Each party will process Cision Personal Data for the purposes of exercising their rights and obligations under the Agreement. Details of the categories of Cision Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part 1

b.International Data Transfers:

i.If there is a Restricted Transfer from the EEA the Customer will be bound by the Controller to Controller SCCs, which are incorporated into this Addendum and will come into effect upon the commencement of the relevant Restricted Transfer.

ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable UK SCCs when the UK Information Commissioner’s Office (“ICO”) approves such clauses. Pending ICO approval, the parties agree to be bound by the Controller to Controller SCCs in accordance with Clause 3.b.i.

iii.For the purposes of the SCCs, the Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part 1 to this DPA.

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

c.Data breach: each party will notify the other without undue delay on becoming aware of a Personal Data breach involving Cision Personal Data or upon receipt of a request or complaint from a Data Subject involving Cision Personal Data.

4.Customer Data: Controller to Processor relationship

a.Written instructions: Cision will process Customer Personal Data only on Customer’s written instructions, as set out in this DPA. Where Applicable Privacy Laws state otherwise, Cision will inform Customer of the legal requirement before Processing, unless that law prohibits this information on important grounds of public interest. Details of the categories of Customer Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part II.

b.Lawful use and instruction: Customer will ensure that its use of the Services and its instructions regarding the Processing of any Personal Data pursuant to this DPA will comply with all Applicable Privacy Laws, and that Cision’s Processing in accordance with the Customer’s instructions will not cause Cision to be in breach of any Applicable Privacy

Laws. Cision will inform the Customer if, in Cision's opinion, the Customer's instructions infringe Applicable Laws.

c.Special Categories of data: Customer will notify Cision if any special categories of data are included within Customer Personal Data. Cision may refuse to process such data or impose any restrictions as are necessary, at the Customer's expense, to enable Cision to comply with its legal and contractual obligations.

d.International Data Transfers:

i.If there is a transfer from Customer (as controller) in the EEA to Cision (as processor) in any third country, the parties agree to be bound by the Controller to Processor SCCs, which are incorporated into this DPA and come into effect should a Restricted Transfer occur.

ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable Standard UK SCCs when the UK ICO approves such clauses. Pending ICO approval, the parties agree to enter into the Controller to Processor SCCs in accordance with Clause 4.d.i.

iii.For the purposes of the SCCs Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part II to this DPA.

iv.Where Cision appoints any Sub-Processor in accordance with Clause 4.g and such appointment involves a Restricted Transfer, Cision may rely on SCCs to legitimise the transfer of Customer Personal Data.

e.Records of Compliance: Cision will maintain complete and accurate records and information to demonstrate its compliance with this Addendum.

f.Audit: Cision will support audits that Customer conducts (either itself or via an external auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is subject to the following conditions:

i.Customer will provide at least 60 days advance written notice of any audit.

ii.any audit may only be conducted during Cision’s normal business hours.

iii.Customer will conduct the audit so as to cause minimal disruption to Cision’s normal business operations.

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

iv.any third-party auditor will enter into direct confidentiality obligations with CIsion which are reasonably acceptable to Cision.

v.any audit will be limited only to Cision’s Processing activities as a Processor, and to such information that is reasonably necessary for Customer to assess Cision’s compliance with the terms of this DPA.

vi.as part of any audit, Customer (or its external auditor) will not have access to Cision’s

Confidential Information.

vii.Customer will reimburse Cision’s reasonable and demonstrable costs and expenses associated with any audit.

viii.Customer agrees to accept a Cision-supplied audit report in lieu of conducting its own audit:

1.if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of the Customer's request and the Company provides written confirmation that there have been no material changes in the controls and systems to be audited or

2.if it is intended that such an audit will be conducted within six months of the request and the Company provides the report of such to the Customer on completion.

g.Sub-processors: Customer authorises CIsion to appoint Sub-Processors in connection with the provision of the Services. A list of Cision’s current Sub-Processors is available at https://gdpr.cision.com/Sub-Processors.

i.Cision will inform the Customer of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Processor and give the Customer the opportunity to object to such changes. Any Sub-Processor Cision engages will be subject to materially equivalent terms regarding data protection as are imposed on CIsion pursuant to this DPA.

ii.Where any Sub-Processor fails to fulfil its obligations regarding data protection, Cision will remain liable for the performance of the Sub-Processor’s obligations, subject to the exclusions and limitations of liability under the Agreement.

h.Data breach: If there is a personal data breach in relation to Customer Personal Data:

i.Cision will cooperate in good faith with the Customer to enable Customer to comply with its obligations under Applicable Privacy Laws.

ii.Cision will notify Customer within 36 hours after becoming aware of a personal data breach (as defined in the Data Protection Legislation).

iii.Cision will assist the Customer in complying with any obligation to notify a supervisory authority of any data breach.

i.Data subject rights: Taking into account the nature of the Processing and the information available, Cision will provide reasonable and appropriate assistance to the Customer

(subject to payment of Cision’s reasonable and demonstrable costs and expenses), where possible, in relation to the Customer’s fulfilment of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under the Data Protection Legislation where Cision Processes such individuals’ Personal Data pursuant to this DPA.

j.Termination:

i.If Cision is in breach of any of its obligations under this DPA, Customer may instruct Cision to temporarily suspend the processing of Customer Personal Data pending the

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

remedy of such breach and may instruct Cision to terminate the processing of Customer Personal Data if such breach is not remedied.

ii.According to requirements as described in Cision’s Records Retention policy, or at the written direction of the Customer, Cision will delete Customer Personal Data unless required by Applicable Privacy Laws to retain the Customer Personal Data.

5.Miscellaneous

a.Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

b.Governing law: The governing law of the Agreement applies to this DPA, except that the Controller to Processor SCCs and Controller to Controller SCCs are governed by the law of the country in which the relevant data exporter is established.

Runtime Collective

Crimson

Limited

Hexagon, Inc.

Signature:

Signature:

Name: Dylan Marvin

Name: Dylan Marvin

Title:

Chief Legal Officer

Title:

Chief Legal Officer

Date:

May 27, 2021 | 05:41 PDT

Date:

May 27, 2021 | 05:41 PDT

Cision US Inc.

Canada Newswire

 

 

Group Limited

Signature:

Signature:

Name:

Matt Royack

Name:

Matt Royack

Title:

Deputy General Counsel

Title:

Deputy General Counsel

 

Date:

May 27, 2021 | 06:49 PDT

Date:

May 27, 2021 | 06:49 PDT

Cision Group

Cision France SA

Limited

 

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Prime Research AG

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Cision

Germany GmBH

Signature:

Name:

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

PRN Asia

Signature:

Name: Matt Royack

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Cision Portugal

SL

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Prime

Germany GmBH

Signature:

Name:

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Prime Brazil

Signature:

Name: Matt Royack

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Falcon.io US, Inc.

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Falcon.io ApS

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Customer name: 

Customer address: 

Signature: 

Name: 

Title:

Date:

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

Unmetric Tech.

Private Ltd.

Signature:

Name: Matt Royack

Title: Deputy General Counsel

Date: May 27, 2021 | 06:49 PDT

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

Annex 1 - Processing Information

Processing, Personal Data, and Data Subjects

Part 1: Cision Personal Data (Cision as Data Controller)

Nature and Purpose

Customer may process Cision Data as necessary to receive the Services and

 

of processing

comply with its obligations under the Agreement.

 

 

 

 

Duration of the

Customer may process Cision Data for the duration of the Agreement, unless

 

processing

otherwise agreed by the parties.

 

 

 

 

Types of personal

Name, title, position, email address, business phone number, mobile phone

 

data

number, employer, social media handles, Information that has been made

 

 

public by data subjects themselves, such as identification data (e.g., name,

 

 

username, social media handle, geographic location) and media (e.g., images,

 

 

audio and videos).

 

 

 

 

Categories of data

Individual media contacts including journalists and other media 'influencers'

 

subject

and Individuals publishing information publicly on the Internet, including social

 

 

media users, bloggers and web content writers.

 

 

 

 

Part 2: Customer Personal Data (Cision as Data Processor)

 

 

Nature and Purpose

Cision may process Customer Personal Data as necessary to perform the

of processing

Services and comply with its obligations under the Agreement.

 

 

Duration of the

Cision may process Customer Data for the duration of the Agreement, unless

processing

otherwise agreed by the parties.

 

 

Types of personal

Name, title, position, employer, email address, business phone number, mobile

data

phone number, social media handles, professional life data (which may include

 

data related to historical employment history, data related to skills, awards, or

 

interests, or other data relating to professional life), Personal life data, which

 

may include data about interests, likes, dislikes, or other data relating to

 

personal life), location data and media (e.g., images, audio and videos).

 

 

Categories of data

Customer’s own prospects, clients, partners, or vendors; Individual media or

subject

government affiliated contacts provided by Customer; Employees or contact

 

persons of the Customer; Individual authors who publish data on social media

 

platforms, blogs, internal or external messaging platforms, and other parts of

 

the internet.

 

 

 

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

 

Annex 2 - Transfer Information

Part 1 – Cision Personal Data

 

 

 

The Data Exporter

Cision or any other Cision Affiliate which exports data under the

 

Agreement

The Data Importer

Customer

Data Subjects

the data subjects are those individuals whose Personal Data is

 

contained in the Cision Personal Data that Customer Processes as part

 

of receiving the Services.

Purposes of the Transfer

the purpose of the transfer is to permit the Customer to process the

 

Cision Personal Data in accordance with the Agreement.

 

 

Categories of Data

the categories of Personal Data are set out in Annex 1, Part II to this

 

DPA

Recipients

the recipients of the Personal Data are as specified in the Agreement,

 

which usually includes the Customer’s employees, contractors,

 

consultants, and customers.

Special Categories of Data

the Special categories of Personal Data are set out in Annex 1, Part II to

 

this DPA (note: Special Categories are not collected intentionally)

Applicable law

the law of the country in which the data exporter is established.

 

 

Technical Measures of the

technical and organisational measures as specified in the Agreement

Company (Appendix 2)

or if not so specified then the measures described at

 

https://gdpr.cision.com/technicalorgmeasures.

Cision Contact Point for

privacy@cision.com

Data Protection Inquires

 

 

 

Customer Contact Point for

as specified in the Agreement.

Data Protection Inquires

 

 

 

Part 2 – Customer Personal Data

 

 

The Data Exporter

Customer

The Data Importer

Cision or any other Cision Affiliate which imports data under the

 

Agreement

Data Subjects

the categories of data subjects are set out in Annex 1, Part I of this

 

DPA. The Customer as the data exporter controls the type and extent

 

of the Personal Data that Cision processes.

Purposes of the Transfer

to permit Cision to process the Customer Personal Data in accordance

 

with the Agreement

 

 

Categories of Data

the categories of Personal Data are set out in Annex 1, Part I to this

 

DPA). as the Customer acknowledges that as controller and exporter

 

the Customer controls the type and extent of the Personal Data that

 

may be transferred to Cision as a Processor.

Recipients

the recipients of the Personal Data are as specified in the Agreement,

 

which usually includes Cision and any other Cision affiliates and any

 

Cision sub-processors.

DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391

Special Categories of Data

the Data Exporter may submit special categories of Personal Data to

 

Cision, the extent of which the data exporter controls and determines

 

in its sole discretion. Any special categories of Personal Data are set

 

out in Annex 1, Part I to this DPA.

 

 

Applicable law

the law of the country in which the data exporter is established.

 

 

Technical Measures of

technical and organisational measures as specified in the Agreement

Cision

or if not so specified then the measures described at

 

https://gdpr.cision.com/technicalorgmeasures.

Cision Contact Point for

privacy@cision.com

Data Protection Inquires

 

 

 

Customer Contact Point for

as specified in the Agreement

Data Protection Inquires