Customer Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the MSA entered into between the parties
identified on the Order as "Supplier" and "Customer".  Capitalized terms used herein shall have the
meaning ascribed in the MSA, unless otherwise defined in this DPA.

Definitions

a. "Agreement" means the master subscription or services agreement entered into between

the parties.

b. "Applicable Privacy Laws" means all applicable laws relating to data privacy including the

GDPR, the EU Privacy and Electronic Communications Directive 2002/58/EC, the UK Data
Protection Act 2018 and the CCPA, each as implemented in each jurisdiction, and any
amending or replacement legislation from time to time.

c. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et.

seq., and its implementing regulations.

"Supplier Data" means any data in Supplier’s databases that Supplier uses in providing
Services, excluding Customer Data. This definition of Supplier Data is intended to include
similarly defined terms in the Agreement such as “Company Data”, “Cision Data”, or
“Brandwatch Data”.

e. “Supplier Personal Data" means any personal data included in Supplier Data.
f. "Customer Data" means data that Customer makes available to Supplier for the purpose of

Supplier processing that data on Customer’s behalf.

g.  "Customer Personal Data" means any Personal Data included in Customer Data.
h.  “EEA” means the European Economic Area.
i.  "GDPR" means General Data Protection Regulation ((EU) 2016/679).
j.

“Order” means an ordering document that sets out the products or services that Supplier is
to provide to Customer.

k. "Restricted Transfer" means a transfer of personal data from the EEA, UK or any other

country where such transfer would, in the absence of SCCs, be prohibited by Applicable
Privacy Laws.

l. "Security Controls" means the technical and organisational measures as specified in the

Agreement or if not so specified then the measures described at

https://gdpr.cision.com/technicalorgmeasures

m. "SCCs" means the Standard Contractual Clauses forming part of this DPA pursuant to the

European Commission Implementing Decision (EU)

2021/914 of 04 June 2021

for the

transfer of personal data to controllers and/or processors established in third countries
under Directive 95/46/EC, and such updated or replacement clauses as the European
Commission may approve from time to time or the most recent version of any contractual
clauses governing international personal data transfers issued by any country for any
relevant transfers under the Agreement.

n. “Sub-Processor” means a third party that Supplier engages to Process any Personal Data

that Supplier Processes under this DPA, as a processor on Supplier’s behalf.

o. The terms "Controller", "Processor", "Personal Data", "processing", "special categories of

data" and "data subject" have the meanings given to them in the GDPR or UK Data
Protection Act 2018.

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

p. For clarity, this DPA covers any processing that takes place pursuant to the CCPA.

Therefore, the following references in the CCPA have the following meanings in this DPA:

i.  “Business” means “Controller”
ii.  “Service Provider” means “Processor”
iii.  “Third Party” means “Sub-Processor”
iv.  “Personal Information” means “Personal Data”
v.  “Consumer” means “Data Subject”

General

a. Controller Data: Supplier and Customer are independent controllers of Supplier Personal

Data and each process this data as a controller. Where Customer receives, or is provided
access to, Supplier Personal Data from or by Supplier, Section 3 applies.

b. Processor Data: Customer is the controller and Supplier is the processor of Customer

Personal Data. Where Supplier processes Customer Personal Data on behalf of Customer,
Section 4 applies.

c. Each party will comply with Applicable Privacy Laws when processing personal data under

the Agreement.

d. If there is a conflict between this DPA and the Agreement, this DPA prevails.
e. Both parties will implement and maintain appropriate technical and organisational

measures to ensure the security of Personal Data including to protect against unauthorised
or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal
Data.

f. Both parties will take reasonable steps to ensure that the personnel that it authorises to

Process Personal Data have committed themselves to appropriate obligations of
confidentiality and that access to Personal Data is limited to those individuals who need to
have access for the purposes of the Agreement.

g. Amendments: Supplier may, at any time on not less than 30 days’ notice, revise this

Addendum so as to incorporate any mandatory SCCs or other terms that are required by
any competent data protection authority in the EU or the UK. The parties agree to adopt
any necessary replacement or supplemental SCCs as the EC and/or the UK ICO or other
countries may adopt from time to time. If Customer does not execute such clauses on
request by Supplier, Supplier will be entitled to give not less than 30 days' prior written
notice to terminate the Agreement.

Supplier Data (Controller to Controller relationship)

a. Processing for purposes of the Agreement: Each party will process Supplier Personal Data

for the purposes of exercising their rights and obligations under the Agreement. Details of
the categories of Supplier Personal Data, the purpose of processing by Supplier and the
duration of the processing are set out in Annex 1, Part 1

b. International Data Transfers:

i. If there is a Restricted Transfer from the EEA the Customer will be bound by the

Controller to Controller SCCs, which are incorporated into this Addendum and will come
into effect upon the commencement of the relevant Restricted Transfer.

ii. If there is a Restricted Transfer from the UK, the parties agree to enter into any

applicable UK SCCs when the UK Information Commissioner’s Office (“ICO”) approves

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

such clauses. Pending ICO approval, the parties agree to be bound by the Controller to
Controller SCCs in accordance with Clause 3.b.i.

iii. If there is a Restricted Transfer from any other country, parties will be bound by the

Controller to Controller SCCs, which are incorporated into this Addendum and will come
into effect upon the commencement of the relevant Restricted Transfer.

iv. For the purposes of the SCCs, the Personal Data transferred will be as required by the

Agreement and are as set out in Annex 2, Part 1 to this DPA.

c. Data breach: each party will notify the other without undue delay on becoming aware of a

Personal Data breach involving Supplier Personal Data or upon receipt of a request or
complaint from a Data Subject involving Supplier Personal Data.

Customer Data: Controller to Processor relationship

a. Written instructions: Supplier will process Customer Personal Data only on Customer’s

written instructions, as set out in this DPA. Where Applicable Privacy Laws state otherwise,
Supplier will inform Customer of the legal requirement before Processing, unless that law
prohibits this information on important grounds of public interest. Details of the categories
of Customer Personal Data, the purpose of processing by Supplier and the duration of the
processing are set out in Annex 1, Part II.

b. Lawful use and instruction: Customer will ensure that its use of the Services and its

instructions regarding the Processing of any Personal Data pursuant to this DPA will comply
with all Applicable Privacy Laws, and that Supplier’s Processing in accordance with the
Customer’s instructions will not cause Supplier to be in breach of any Applicable Privacy
Laws. Supplier will inform the Customer if, in Supplier’s opinion, the Customer's
instructions infringe Applicable Laws.

c. Special Categories of data: Customer will notify Supplier if any special categories of data

are included within Customer Personal Data. Supplier may refuse to process such data or
impose any restrictions as are necessary, at the Customer's expense, to enable Supplier to
comply with its legal and contractual obligations.

d. International Data Transfers:

i. If there is a transfer from Customer (as controller) in the EEA to Supplier (as processor)

in any third country, the parties agree to be bound by the Controller to Processor
SCCs, which are incorporated into this DPA and come into effect should a Restricted
Transfer occur.

ii. If there is a Restricted Transfer from the UK, the parties agree to enter into any

applicable Standard UK SCCs when the UK ICO approves such clauses. Pending ICO
approval, the parties agree to enter into the Controller to Processor SCCs in
accordance with Clause 4.d.i.

iii. If there is a Restricted Transfer from any other country, parties will be bound by the

Controller to Processor SCCs, which are incorporated into this Addendum and will
come into effect upon the commencement of the relevant Restricted Transfer.

iv. For the purposes of the SCCs Personal Data transferred will be as required by the

Agreement and are as set out in Annex 2, Part II to this DPA.

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

v. Where Supplier appoints any Sub-Processor in accordance with Clause 4.g and such

appointment involves a Restricted Transfer, Supplier may rely on SCCs to legitimise the
transfer of Customer Personal Data.

e. Records of Compliance: Supplier will maintain complete and accurate records and

information to demonstrate its compliance with this Addendum.

f. Audit: Supplier will support audits that Customer conducts (either itself or via an external

auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is
subject to the following conditions:

i.  Customer will provide at least 60 days advance written notice of any audit.
ii.  any audit may only be conducted during Supplier’s normal business hours.
iii.  Customer will conduct the audit so as to cause minimal disruption to Supplier’s normal

business operations.

iv. any third-party auditor will enter into direct confidentiality obligations with Supplier

which are reasonably acceptable to Supplier.

v. any audit will be limited only to Supplier’s Processing activities as a Processor, and to

such information that is reasonably necessary for Customer to assess Supplier’s
compliance with the terms of this DPA.

vi. as part of any audit, Customer (or its external auditor) will not have access to

Supplier’s Confidential Information.

vii. Customer will reimburse Supplier’s reasonable and demonstrable costs and expenses

associated with any audit.

viii. Customer agrees to accept a Supplier-supplied audit report in lieu of conducting its own

audit:

1. if the scope of the requested audit has been addressed in an audit carried out by a

recognised independent third party auditor within twelve (12) months of the
Customer's request and the Supplier provides written confirmation that there have
been no material changes in the controls and systems to be audited or

2. if it is intended that such an audit will be conducted within six months of the request

and the Supplier provides the report of such to the Customer on completion.

g. Sub-processors: Customer authorises Supplier to appoint Sub-Processors in connection with

the provision of the Services. A list of Supplier’s current Sub-Processors is available at

https://gdpr.cision.com/Sub-Processors

i. Supplier will inform the Customer of any intended changes concerning the addition to

or replacement of any permitted Sub-Processor with a new Sub-Processor and give
the Customer the opportunity to object to such changes. Any Sub-Processor Supplier
engages will be subject to materially equivalent terms regarding data protection as are
imposed on Supplier pursuant to this DPA.

ii. Where any Sub-Processor fails to fulfil its obligations regarding data protection,

Supplier will remain liable for the performance of the Sub-Processor’s obligations,
subject to the exclusions and limitations of liability under the Agreement.

h. Data breach: If there is a personal data breach in relation to Customer Personal Data:

i. Supplier will cooperate in good faith with the Customer to enable Customer to comply

with its obligations under Applicable Privacy Laws.

ii. Supplier will notify Customer within 36 hours after becoming aware of a personal data

breach (as defined in the Data Protection Legislation).

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

iii. Supplier will assist the Customer in complying with any obligation to notify a

supervisory authority of any data breach.

i. Data subject rights: Taking into account the nature of the Processing and the information

available, Supplier will provide reasonable and appropriate assistance to the Customer
(subject to payment of Supplier’s reasonable and demonstrable costs and expenses),
where possible, in relation to the Customer’s fulfilment of the Customer’s obligations to
respond to requests relating to the exercise of individuals’ rights under the Data Protection
Legislation where Supplier Processes such individuals’ Personal Data pursuant to this DPA.

j. Termination:

i. If Supplier is in breach of any of its obligations under this DPA, Customer may instruct

Supplier to temporarily suspend the processing of Customer Personal Data pending
the remedy of such breach and may instruct Supplier to terminate the processing of
Customer Personal Data if such breach is not remedied.

ii. According to requirements as described in Supplier’s Records Retention policy, or at

the written direction of the Customer, Supplier will delete Customer Personal Data
unless required by Applicable Privacy Laws to retain the Customer Personal Data.

Miscellaneous

a. Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of

liability set out in the Agreement.

b. Governing law: The governing law of the Agreement applies to this DPA, except that the

Controller to Processor SCCs and Controller to Controller SCCs are governed by the law of
the country in which the relevant data exporter is established.

Runtime Collective
Limited

Crimson Hexagon,
Inc.

Signature:

Name:

Title:

Date:

Cision US Inc.

Group Limited

Signature:

Name:

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Dylan Marvin

3/18/2022

Director

3/18/2022

Matt Royack

Title:

Date:

Cision Canada Inc.

Cision France SA

Signature:

Name:

Title:

Date:

Prime Research AG

Cision Portugal SL

Signature:

Name:

Title:

Date:

Cision
Germany GmbH

Cision Group Limited

Signature:

Name:

Title:

Date:

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

3/18/2022

VP and Deputy General Counsel

Matt Royack

3/18/2022

VP and Deputy General Counsel

PR Newswire Asia
Limited

Prime Brazil

Pes. De

Midia Ltda.

Signature:

Name:

Title:

Date:

PR Newswire Ltda.

Unmetric Tech.
Private Ltd.

Signature:

Name:

Title:

Date:

Falcon.io ApS

Falcon.io US, Inc.

Signature:

Name:

Title:

Date:

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Matt Royack

3/18/2022

VP and Deputy General Counsel

Bulletin Intelligence
LLC

Bulletin Healthcare
LLC

Signature:

Name:

Title:

Date:

Bulletin Media LLC

Prime Research LLC

Signature:

Name:

Title:

Date:

Cision Sverge AB

Cision Norge AS

Signature:

Name:

Title:

Date:

Cision Finland OY

Prime Research
International GmbH
& Co. KG

Signature:

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Matt Royack

3/18/2022

VP and Deputy General Counsel

Name:

Title:

Date:

PRN
Business Consulting
(Shanghai) Co., Ltd.,
Beijing Branch

PRN Business
Consulting
(Shanghai) Co., Ltd.

Signature:

Name:

Title:

Date:

PR Newswire
International
Communication
(Shenzhen) Co., Ltd.

Signature:

Name:

Title:

Date:

Customer name: 

Customer address: 

Signature: 

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Matt Royack

3/18/2022

VP and Deputy General Counsel

Name: 

Title:
 

Date:

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Annex 1 - Processing Information

Processing, Personal Data, and Data Subjects

Part 1: Supplier Personal Data (Supplier as Data Controller)

Nature and Purpose
of processing

Customer may process Supplier Data as necessary to receive the Services and
comply with its obligations under the Agreement.

Duration of the
processing

Customer may process Supplier Data for the duration of the Agreement, unless
otherwise agreed by the parties.

Types of personal
data

Name,  title,  position,  email  address,  business  phone  number,  mobile  phone
number,  employer,  social  media  handles,  Information  that  has  been  made
public  by  data  subjects  themselves,  such  as  identification  data  (e.g.,  name,
username, social media handle, geographic location) and media (e.g., images,
audio and videos).

Categories of data
subject

Individual media contacts including journalists and other media 'influencers'
and Individuals publishing information publicly on the Internet, including social
media users, bloggers and web content writers.

For French institutional Database: Contacts such as political and elected
representatives, contacts within public administrations, personalities from the
associative world, financial analysts, shareholders and advisors.

Part 2: Customer Personal Data (Supplier as Data Processor)

Nature and Purpose
of processing

Supplier may process Customer Personal Data as necessary to perform the
Services and comply with its obligations under the Agreement.

Duration of the
processing

Supplier may process Customer Data for the duration of the Agreement, unless
otherwise agreed by the parties.

Types of personal
data

Name, title, position, employer, email address, business phone number, mobile
phone number, social media handles, professional life data (which may include
data related to historical employment history, data related to skills, awards, or
interests, or other data relating to professional life), Personal life data, which
may include data about interests, likes, dislikes, or other data relating to
personal life), location data and media (e.g., images, audio and videos).

Categories of data
subject

Customer’s own prospects, clients, partners, or vendors; Individual media or
government affiliated contacts (including personnel of public administrations
and personalities from the associative world) provided by Customer; Employees
or contact persons of the Customer.

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Annex 2 - Transfer Information

Part 1 – Supplier Personal Data

The Data Exporter

Supplier or any other Supplier Affiliate which exports data under the
Agreement

The Data Importer

Customer

Data Subjects

the data subjects are those individuals whose Personal Data is
contained in the Supplier Personal Data that Customer Processes as
part of receiving the Services.

Purposes of the Transfer

the purpose of the transfer is to permit the Customer to process the
Supplier Personal Data in accordance with the Agreement.

Categories of Data

the categories of Personal Data are set out in Annex 1, Part II to this
DPA

Recipients

the recipients of the Personal Data are as specified in the Agreement,
which usually includes the Customer’s employees, contractors,
consultants, and customers.

Special Categories of Data

the Special categories of Personal Data are set out in Annex 1, Part II to
this DPA (note: Special Categories are not collected intentionally)

Applicable law

the law of the country in which the data exporter is established.

Technical Measures of the
Company (Appendix 2)

technical and organisational measures as specified in the Agreement
or if not so specified then the measures described at

https://gdpr.cision.com/technicalorgmeasures

Cision Contact Point for
Data Protection Inquires

privacy@cision.com

Customer Contact Point for
Data Protection Inquires

as specified in the Agreement.

Part 2 – Customer Personal Data

The Data Exporter

Customer

The Data Importer

Cision or any other Cision Affiliate which imports data under the
Agreement

Data Subjects

the categories of data subjects are set out in Annex 1, Part I of this
DPA. The Customer as the data exporter controls the type and extent
of the Personal Data that Cision processes.

Purposes of the Transfer

to permit Cision to process the Customer Personal Data in accordance
with the Agreement

Categories of Data

the categories of Personal Data are set out in Annex 1, Part I to this
DPA). as the Customer acknowledges that as controller and exporter
the Customer controls the type and extent of the Personal Data that
may be transferred to Cision as a Processor.

Recipients

the recipients of the Personal Data are as specified in the Agreement,
which usually includes Cision and any other Cision affiliates and any
Cision sub-processors.

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Special Categories of Data

the Data Exporter may submit special categories of Personal Data to
Cision, the extent of which the data exporter controls and determines
in its sole discretion. Any special categories of Personal Data are set
out in Annex 1, Part I to this DPA.

Applicable law

the law of the country in which the data exporter is established.

Technical Measures of
Cision

technical and organisational measures as specified in the Agreement
or if not so specified then the measures described at

https://gdpr.cision.com/technicalorgmeasures

Cision Contact Point for
Data Protection Inquires

privacy@cision.com

Customer Contact Point for
Data Protection Inquires

as specified in the Agreement

DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598

Customer Data Processing Addendum

Contact & Support

Comms Cloud

Company

Resources

Cision Communications Cloud

Cision Next Gen

Customer Data Processing Addendum

Contact & Support

Comms Cloud

Company

Resources