DocuSign Envelope ID: EA42F7CD-72C9-4CF1-B053-C05E96AA6391
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the MSA entered into between the parties identified on the Order as "Supplier" and "Customer". In this DPA, the term "Cision" is used to refer to Supplier. Capitalized terms used herein shall have the meaning ascribed in the MSA, unless otherwise defined in this DPA.
a."Agreement" means the master subscription or services agreement entered into between the parties.
b."Applicable Privacy Laws" means all applicable laws relating to data privacy including the GDPR, the EU Privacy and Electronic Communications Directive 2002/58/EC, the UK Data Protection Act 2018 and the CCPA, each as implemented in each jurisdiction, and any amending or replacement legislation from time to time.
c.“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
d."Cision Data" means any data in Cision’s databases that Cision uses in providing Services, excluding Customer Data. This definition of Cision Data is intended to include similarly defined terms in the Agreement such as “Company Data”, “Supplier Data”, or “Brandwatch Data”.
e.“Cision Personal Data" means any personal data included in Cision Data.
f."Customer Data" means data that Customer makes available to Cision for the purpose of Cision processing that data on Customer’s behalf.
g."Customer Personal Data" means any Personal Data included in Customer Data.
h.“EEA” means the European Economic Area.
i."GDPR" means General Data Protection Regulation ((EU) 2016/679).
j."Restricted Transfer" means a transfer of personal data from the EEA or the UK where such transfer would, in the absence of standard contractual clauses, be prohibited by Applicable Privacy Laws.
k."Security Controls" means the technical and organisational measures as specified in the Agreement or if not so specified then the measures described at https://gdpr.cision.com/technicalorgmeasures.
l."SCCs" means the Standard Contractual Clauses forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 for the transfer of personal data to controllers and/or processors established in third countries under Directive 95/46/EC, and such updated or replacement clauses as the European Commission may approve from time to time.
m.“Sub-Processor” means a third party that Cision engages to Process any Personal Data that Cision Processes under this DPA, as a processor on Cision’s behalf.
n.The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "data subject" have the meanings given to them in the GDPR or UK Data Protection Act 2018.
o.For clarity, this DPA covers any processing that takes place pursuant to the CCPA. Therefore, the following references in the CCPA have the following meanings in this DPA:
i.“Business” means “Controller”
ii.“Service Provider” means “Processor”
iii.“Third Party” means “Sub-Processor”
iv.“Personal Information” means “Personal Data”
v.“Consumer” means “Data Subject”
a.Controller Data: Cision and Customer are independent controllers of Cision Personal Data and each process this data as a controller. Where Customer receives, or is provided access to, Cision Personal Data from or by Cision, Section 3 applies.
b.Processor Data: Customer is the controller and Cision is the processor of Customer Personal Data. Where Cision processes Customer Personal Data on behalf of Customer, Section 4 applies.
c.Each party will comply with Applicable Privacy Laws when processing personal data under the Agreement.
d.If there is a conflict between this DPA and the Agreement, this DPA prevails.
e.Both parties will implement and maintain appropriate technical and organisational measures to ensure the security of Personal Data including to protect against unauthorised or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal Data.
f.Both parties will take reasonable steps to ensure that the personnel that it authorises to Process Personal Data have committed themselves to appropriate obligations of confidentiality and that access to Personal Data is limited to those individuals who need to have access for the purposes of the Agreement.
g.Amendments: Cision may, at any time on not less than 30 days’ notice, revise this Addendum so as to incorporate any mandatory SCCs or other terms that are required by any competent data protection authority in the EU or the UK. The parties agree to adopt any necessary replacement or supplemental SCCs as the EC and/or the UK ICO may adopt from time to time. If Customer does not execute such clauses on request by Cision, Cision will be entitled to give not less than 30 days' prior written notice to terminate the Agreement.
3.Cision Data (Controller to Controller relationship)
a.Processing for purposes of the Agreement: Each party will process Cision Personal Data for the purposes of exercising their rights and obligations under the Agreement. Details of the categories of Cision Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part 1.
b.International Data Transfers:
i.If there is a Restricted Transfer from the EEA the Customer will be bound by the Controller to Controller SCCs, which are incorporated into this Addendum and will come into effect upon the commencement of the relevant Restricted Transfer.
ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable UK SCCs when the UK Information Commissioner’s Office (“ICO”) approves such clauses. Pending ICO approval, the parties agree to be bound by the Controller to Controller SCCs in accordance with Clause 3.b.i.
iii.For the purposes of the SCCs, the Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part 1 to this DPA.
c.Data breach: each party will notify the other without undue delay on becoming aware of a Personal Data breach involving Cision Personal Data or upon receipt of a request or complaint from a Data Subject involving Cision Personal Data.
4.Customer Data: Controller to Processor relationship
a.Written instructions: Cision will process Customer Personal Data only on Customer’s written instructions, as set out in this DPA. Where Applicable Privacy Laws state otherwise, Cision will inform Customer of the legal requirement before Processing, unless that law prohibits this information on important grounds of public interest. Details of the categories of Customer Personal Data, the purpose of processing by Cision and the duration of the processing are set out in Annex 1, Part II.
b.Lawful use and instruction: Customer will ensure that its use of the Services and its instructions regarding the Processing of any Personal Data pursuant to this DPA will comply with all Applicable Privacy Laws, and that Cision’s Processing in accordance with the Customer’s instructions will not cause Cision to be in breach of any Applicable Privacy Laws. Cision will inform the Customer if, in Cision's opinion, the Customer's instructions infringe Applicable Laws.
c.Special Categories of data: Customer will notify Cision if any special categories of data are included within Customer Personal Data. Cision may refuse to process such data or impose any restrictions as are necessary, at the Customer's expense, to enable Cision to comply with its legal and contractual obligations.
d.International Data Transfers:
i.If there is a transfer from Customer (as controller) in the EEA to Cision (as processor) in any third country, the parties agree to be bound by the Controller to Processor SCCs, which are incorporated into this DPA and come into effect should a Restricted Transfer occur.
ii.If there is a Restricted Transfer from the UK, the parties agree to enter into any applicable Standard UK SCCs when the UK ICO approves such clauses. Pending ICO approval, the parties agree to enter into the Controller to Processor SCCs in accordance with Clause 4.d.i.
iii.For the purposes of the SCCs Personal Data transferred will be as required by the Agreement and are as set out in Annex 2, Part II to this DPA.
iv.Where Cision appoints any Sub-Processor in accordance with Clause 4.g and such appointment involves a Restricted Transfer, Cision may rely on SCCs to legitimise the transfer of Customer Personal Data.
e.Records of Compliance: Cision will maintain complete and accurate records and information to demonstrate its compliance with this Addendum.
f.Audit: Cision will support audits that Customer conducts (either itself or via an external auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is subject to the following conditions:
i.Customer will provide at least 60 days' advance written notice of any audit.
ii.any audit may only be conducted during Cision’s normal business hours.
iii.Customer will conduct the audit so as to cause minimal disruption to Cision’s normal business operations.
iv.any third-party auditor will enter into direct confidentiality obligations with Cision which are reasonably acceptable to Cision.
v.any audit will be limited only to Cision’s Processing activities as a Processor, and to such information that is reasonably necessary for Customer to assess Cision’s compliance with the terms of this DPA.
vi.as part of any audit, Customer (or its external auditor) will not have access to Cision’s
vii.Customer will reimburse Cision’s reasonable and demonstrable costs and expenses associated with any audit.
viii.Customer agrees to accept a Cision-supplied audit report in lieu of conducting its own audit:
1.if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of the Customer's request and the Company provides written confirmation that there have been no material changes in the controls and systems to be audited or
2.if it is intended that such an audit will be conducted within six months of the request and the Company provides the report of such to the Customer on completion.
g.Sub-processors: Customer authorises Cision to appoint Sub-Processors in connection with the provision of the Services. A list of Cision’s current Sub-Processors is available at https://gdpr.cision.com/Sub-Processors.
i.Cision will inform the Customer of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Processor and give the Customer the opportunity to object to such changes. Any Sub-Processor Cision engages will be subject to materially equivalent terms regarding data protection as are imposed on Cision pursuant to this DPA.
ii.Where any Sub-Processor fails to fulfil its obligations regarding data protection, Cision will remain liable for the performance of the Sub-Processor’s obligations, subject to the exclusions and limitations of liability under the Agreement.
h.Data breach: If there is a personal data breach in relation to Customer Personal Data:
i.Cision will cooperate in good faith with the Customer to enable Customer to comply with its obligations under Applicable Privacy Laws.
ii.Cision will notify Customer within 36 hours after becoming aware of a personal data breach (as defined in the Data Protection Legislation).
iii.Cision will assist the Customer in complying with any obligation to notify a supervisory authority of any data breach.
i.Data subject rights: Taking into account the nature of the Processing and the information available, Cision will provide reasonable and appropriate assistance to the Customer (subject to payment of Cision’s reasonable and demonstrable costs and expenses), where possible, in relation to the Customer’s fulfilment of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under the Data Protection Legislation where Cision Processes such individuals’ Personal Data pursuant to this DPA.
i.If Cision is in breach of any of its obligations under this DPA, Customer may instruct Cision to temporarily suspend the processing of Customer Personal Data pending the remedy of such breach and may instruct Cision to terminate the processing of Customer Personal Data if such breach is not remedied.
ii.According to requirements as described in Cision’s Records Retention policy, or at the written direction of the Customer, Cision will delete Customer Personal Data unless required by Applicable Privacy Laws to retain the Customer Personal Data.
a.Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
b.Governing law: The governing law of the Agreement applies to this DPA, except that the Controller to Processor SCCs and Controller to Controller SCCs are governed by the law of the country in which the relevant data exporter is established.
Name: Dylan Marvin
Chief Legal Officer
May 27, 2021 | 05:41 PDT
Cision US Inc.
Deputy General Counsel
May 27, 2021 | 06:49 PDT
Cision France SA
Name: Matt Royack
Title: Deputy General Counsel
Date: May 27, 2021 | 06:49 PDT
Prime Research AG
Falcon.io US, Inc.
Annex 1 - Processing Information
Processing, Personal Data, and Data Subjects
Part 1: Cision Personal Data (Cision as Data Controller)
Nature and Purpose
Customer may process Cision Data as necessary to receive the Services and comply with its obligations under the Agreement.
Duration of the
Customer may process Cision Data for the duration of the Agreement, unless otherwise agreed by the parties.
Types of personal
Name, title, position, email address, business phone number, mobile phone number, employer, social media handles, Information that has been made public by data subjects themselves, such as identification data (e.g., name, username, social media handle, geographic location) and media (e.g., images, audio and videos).
Categories of data
Individual media contacts including journalists and other media 'influencers' and Individuals publishing information publicly on the Internet, including social media users, bloggers and web content writers.
Part 2: Customer Personal Data (Cision as Data Processor)
Cision may process Customer Personal Data as necessary to perform the Services and comply with its obligations under the Agreement.
Cision may process Customer Data for the duration of the Agreement, unless
Name, title, position, employer, email address, business phone number, mobile phone number, social media handles, professional life data (which may include data related to historical employment history, data related to skills, awards, or interests, or other data relating to professional life), Personal life data (which may include data about interests, likes, dislikes, or other data relating to personal life), location data and media (e.g., images, audio and videos).
Customer’s own prospects, clients, partners, or vendors; Individual media or government affiliated contacts provided by Customer; Employees or contact persons of the Customer; Individual authors who publish data on social media platforms, blogs, internal or external messaging platforms, and other parts of
Annex 2 - Transfer Information
Part 1 – Cision Personal Data
The Data Exporter
Cision or any other Cision Affiliate which exports data under the
The Data Importer
the data subjects are those individuals whose Personal Data is contained in the Cision Personal Data that Customer Processes as part of receiving the Services.
Purposes of the Transfer
the purpose of the transfer is to permit the Customer to process the Cision Personal Data in accordance with the Agreement.
Categories of Data
the categories of Personal Data are set out in Annex 1, Part II to this
the recipients of the Personal Data are as specified in the Agreement, which usually includes the Customer’s employees, contractors, consultants, and customers.
Special Categories of Data
the Special categories of Personal Data are set out in Annex 1, Part II to this DPA (note: Special Categories are not collected intentionally)
the law of the country in which the data exporter is established.
Technical Measures of the Company (Appendix 2)
technical and organisational measures as specified in the Agreement or if not so specified then the measures described at
Cision Contact Point for Data Protection Inquiries
Customer Contact Point for
as specified in the Agreement.
Part 2 – Customer Personal Data
Cision or any other Cision Affiliate which imports data under the
the categories of data subjects are set out in Annex 1, Part I of this DPA. The Customer as the data exporter controls the type and extent of the Personal Data that Cision processes.
to permit Cision to process the Customer Personal Data in accordance with the Agreement
the categories of Personal Data are set out in Annex 1, Part I to this DPA). as the Customer acknowledges that as controller and exporter the Customer controls the type and extent of the Personal Data that may be transferred to Cision as a Processor.
which usually includes Cision and any other Cision affiliates and any
the Data Exporter may submit special categories of Personal Data to Cision, the extent of which the data exporter controls and determines in its sole discretion. Any special categories of Personal Data are set out in Annex 1, Part I to this DPA.
Technical Measures of
as specified in the Agreement
1-877-297-8912 from 8 AM - 5 PM CT