Customer Data Processing Agreement

PDF Download

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the MSA entered into between the parties identified on the Order as "Supplier" and "Customer".  Capitalized terms used herein shall have the meaning ascribed in the MSA, unless otherwise defined in this DPA. 

1.      Definitions

a.      "Agreement" means the master subscription or services agreement entered into between the parties.

b.      "Applicable Privacy Laws" means all laws regulating the collection, use, disclosure and/or free movement of Personal Data that applies to a party, as and when effective, including without limitation: (i) CCPA (as defined below), as well as the California Privacy Rights Act and the regulations promulgated pursuant thereto (“CPRA”) (ii) Canada’s Personal Information Protection and Electronic Documents Act, and similar provincial implementations, (“PIPEDA”) and any applicable and substantially similar provincial legislation; (iii) the European Union’s (“EU”) General Data Protection Regulation (EU) 2016/679 and any Member State implementing legislation (“GDPR”); (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as amended by Directive 2009/136/E) in the applicable EU Member State; (v) the Asia-Pacific (“APAC”) intraregional frameworks, in particular the Asia-Pacific Economic Cooperation Cross Border Privacy Rules; (vi) the UK GDPR (as defined below); (vii) the SFDPA (as defined below); (viii) the Brazil LGPD; (ix) the China Personal Information Protection Law (“PIPL”); (x) the Virginia Consumer Data Protection Act; (xi) the Colorado Privacy Act; (xii) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; (xiii) the Utah Consumer Privacy Act and (xiv) substantially similar privacy or data protection laws applicable to a party, each as may be amended or replaced from time to time.

c.      “C2C SCCs” means Module 1 of the SCCs.

d.      “C2P SCCs” means Module 2 of the SCCs.

e.      “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations. 

f.       “Contractor” has the meaning given in the CPRA.

g.      "Customer Data" means data that Customer makes available to Supplier for the purpose of Supplier Processing that data on Customer’s behalf.

h.      "Customer Personal Data" means any Personal Data included in Customer Data.

i.       “EEA” means the European Economic Area.

j.       "GDPR" means General Data Protection Regulation ((EU) 2016/679).

k.      “Order” means an ordering document that sets out the products or services that Supplier is to provide to Customer.

l.       "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, Switzerland or any other country where such transfer would, in the absence of SCCs, be prohibited by Applicable Privacy Laws. 

m.    "Security Controls" means the technical and organisational measures as specified in the Agreement or if not so specified then the measures described at https://gdpr.cision.com/technicalorgmeasures.

n.      "SCCs"  means the Standard Contractual Clauses forming part of this DPA pursuant to the European Commission Implementing Decision (EU) 2021/914 of 04 June 2021 for the transfer of Personal Data to Controllers and/or processors established in third countries under the GDPR, found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and where applicable, as modified by the UK addendum, and such updated or replacement clauses as the European Commission may approve from time to time or the most recent version of any contractual clauses governing international Personal Data transfers issued by any country for any relevant transfers under the Agreement.  

o.      “SFDPA” means the Swiss Federal Data Protection Act.

p.      “Sub-Processor” means a third party that Supplier engages to Process any Personal Data that Supplier Processes under this DPA, as a Processor on Supplier’s behalf.

q.      "Supplier Data" means any data in Supplier’s databases that Supplier uses in providing Services, excluding Customer Data. This definition of Supplier Data is intended to include similarly defined terms in the Agreement such as “Company Data”, “Cision Data”, or “Brandwatch Data”.

r.       “Supplier Personal Data" means any Personal Data included in Supplier Data.

s.      “UK Addendum” means the addendum to the SCCs covering the transfer of Personal Data from the UK to third countries as approved by the UK Information Commissioner, found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

t.       “UK GDPR” means the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018.

u.      The terms "Controller", "Processor", "Personal Data", "Processing", "Special Categories of Data" and "Data Subject" have the meanings given to them in the GDPR or UK GDPR.

v.      For clarity, this DPA covers any Processing that takes place pursuant to the CCPA and the CPRA. Therefore, the following references in the CCPA and the CPRA have the following meanings in this DPA:

1.  
   1.  
      1. “Business” means  “Controller”
      2. “Service Provider” means “Processor”
      3. “Third Party” means “Sub-Processor”
      4. “Personal Information” means “Personal Data”
      5. “Consumer” means “Data Subject”

2.      General

a.      Controller Data: Supplier and Customer are independent Controllers of Supplier Personal Data and each process this data as a Controller. Where Customer receives, or is provided access to, Supplier Personal Data from or by Supplier, Section 3 applies.

b.      Processor Data: Customer is the Controller and Supplier is the Processor of Customer Personal Data.  Where Supplier processes Customer Personal Data on behalf of Customer, Section 4 applies.

c.      Each party will comply with Applicable Privacy Laws when Processing Personal Data under the Agreement. 

d.      If there is a conflict between this DPA and the Agreement, this DPA prevails.

e.      Both parties will implement and maintain appropriate technical and organisational measures to ensure the security of Personal Data including to protect against unauthorised or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal Data. 

f.       Both parties will take reasonable steps to ensure that the personnel that it authorises to Process Personal Data have committed themselves to appropriate obligations of confidentiality and that access to Personal Data is limited to those individuals who need to have access for the purposes of the Agreement.

g.      Amendments: Supplier may, at any time on not less than 30 days’ notice, revise this DPA so as to incorporate any mandatory SCCs or other terms that are required by any competent data protection authority in the EU, Switzerland or the UK. The parties agree to adopt any necessary replacement or supplemental SCCs as the EC and/or the UK ICO or other applicable countries may adopt from time to time.   If Customer does not execute such clauses on request by Supplier, Supplier will be entitled to give not less than 30 days' prior written notice to terminate the Agreement.

3.      Supplier Data (Controller to Controller relationship)

a.      Processing for purposes of the Agreement: Each party will process Supplier Personal Data for the purposes of exercising their rights and obligations under the Agreement.  Details of the categories of Supplier Personal Data, the purpose of Processing by Supplier and the duration of the Processing are set out in Annex 1, Part 1

b.      International Data Transfers:

i)       If there is a Restricted Transfer from the EEA the parties will be bound by the C2C SCCs, which are incorporated into this Addendum subject to Clause 5.

ii)      If there is a Restricted Transfer from the UK, the parties will be bound by the UK Addendum in addition to the C2C SCCs, and the C2C SCCs (subject to Clause 5) and the UK Addendum (subject to Clause 6) are both incorporated into this DPA in those circumstances.

iii)    If there is a Restricted Transfer from Switzerland, the parties will be bound by the C2C SCCs, subject to Clause 5 and as amended by Clause 7, and the C2C SCCs are incorporated into this DPA in those circumstances and on that basis.

iv)    If there is a Restricted Transfer from any other country, the parties will be bound by the C2C SCCs, which are incorporated into this DPA subject to Clause 5 in those circumstances.

c.      Data breach: each party will notify the other without undue delay on becoming aware of a Personal Data breach involving Supplier Personal Data or upon receipt of a request or complaint from a Data Subject involving Supplier Personal Data.

4.    Customer Data: Controller to Processor relationship

a.      Written instructions: Supplier will process Customer Personal Data only on Customer’s written instructions, as set out in this DPA. Supplier will not sell or share Customer Personal Data nor combine it with Personal Data from other sources nor retain, use or disclose Customer Personal Data outside of the direct business relationship with Customer.  Where Applicable Privacy Laws state otherwise, Supplier will inform Customer of the legal requirement before Processing, unless that law prohibits this information on important grounds of public interest. Details of the categories of Customer Personal Data, the purpose of Processing by Supplier and the duration of the Processing are set out in Annex 1, Part II.

b.      Lawful use and instruction: Customer will ensure that its use of the Services and its instructions regarding the Processing of any Personal Data pursuant to this DPA will comply with all Applicable Privacy Laws, and that Supplier’s Processing in accordance with the Customer’s instructions will not cause Supplier to be in breach of any Applicable Privacy Laws. Supplier will inform the Customer if, in Supplier’s opinion, the Customer's instructions infringe Applicable Laws or if it cannot meet its obligations under any Applicable Privacy Laws.

c.      Special Categories of data: Customer will notify Supplier if any special categories of data are included within Customer Personal Data.  Supplier may refuse to process such data or impose any restrictions as are necessary, at the Customer's expense, to enable Supplier to comply with its legal and contractual obligations.

d.      International Data Transfers:

i)       If there is a transfer from Customer (as Controller) in the EEA to Supplier (as processor) in any third country, the parties agree to be bound by the C2P SCCs, which are incorporated into this DPA subject to Clause 5.

ii)      If there is a Restricted Transfer from the UK, the parties will be bound by the UK Addendum in addition to the C2P SCCs, and the C2P SCCs (subject to Clause 5) and the UK Addendum (subject to Clause 6) are both incorporated into this DPA in those circumstances

iii)    If there is a Restricted Transfer from Switzerland, the parties will be bound by the C2P SCCs, subject to Clause 5 and as amended by Clause 7, and the C2P SCCs are incorporated into this DPA in those circumstances and on that basis.

iv)    If there is a Restricted Transfer from any other country, the parties will be bound by the C2P SCCs, which are incorporated into this DPA subject to Clause 5.

  v)   Where Supplier appoints any Sub-Processor in accordance with Clause 4.g and such                    appointment involves a Restricted Transfer, Supplier may rely on SCCs to legitimise                              the transfer of Customer Personal Data. 

e.      Records of Compliance: Supplier will maintain complete and accurate records and information to demonstrate its compliance with this Addendum.

f.       Audit: Supplier will support audits to monitor compliance that Customer conducts (either itself or via an external auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is subject to the following conditions:

i)       Customer will provide at least 60 days advance written notice of any audit.

ii)      any audit may only be conducted during Supplier’s normal business hours.

iii)    Customer will conduct the audit so as to cause minimal disruption to Supplier’s normal business operations.

iv)    any third-party auditor will enter into direct confidentiality obligations with Supplier which are reasonably acceptable to Supplier.

v)      any audit will be limited only to Supplier’s Processing activities as a Processor, and to such information that is reasonably necessary for Customer to assess Supplier’s compliance with the terms of this DPA.

vi)    as part of any audit, Customer (or its external auditor) will not have access to Supplier’s Confidential Information.

vii)   Customer will reimburse Supplier’s reasonable and demonstrable costs and expenses associated with any audit.

viii) Customer agrees to accept a Supplier-supplied audit report in lieu of conducting its own audit:

1.      if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of the Customer's request and the Supplier provides written confirmation that there have been no material changes in the controls and systems to be audited or

2.      if it is intended that such an audit will be conducted within six months of the request and the Supplier provides the report of such to the Customer on completion.

g.      Sub-processors: Customer authorises Supplier to appoint Sub-Processors in connection with the provision of the Services.  A list of Supplier’s current Sub-Processors is available at https://gdpr.cision.com/Sub-Processors.

i)       Supplier will inform the Customer of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Process or at least 30 days in advance and give the Customer the opportunity to object to such changes. Any Sub-Processor Supplier engages will be subject to materially equivalent terms regarding data protection as are imposed on Supplier pursuant to this DPA.

ii)      Where any Sub-Processor fails to fulfil its obligations regarding data protection, Supplier will remain liable for the performance of the Sub-Processor’s obligations, subject to the exclusions and limitations of liability under the Agreement.

iii)    Where any Contractor has access to Customer Personal Data, it will only do so under a written contract and hereby certifies that it understands and is compliant with Applicable Privacy Laws.

h.      Data breach: If there is a Personal Data breach in relation to Customer Personal Data:

i)       Supplier will cooperate in good faith with the Customer to enable Customer to comply with its obligations under Applicable Privacy Laws.   

ii)      Supplier will notify Customer within 36 hours after becoming aware of a Personal Data breach (as defined in the Applicable Privacy Laws).

iii)    Supplier will assist the Customer in complying with any obligation to notify a supervisory authority of any data breach.

i.       Assistance: Taking into account the nature of the Processing and the information available, Supplier will provide reasonable and appropriate assistance to the Customer (subject to payment of Supplier’s reasonable and demonstrable costs and expenses), where possible, in relation to (i) the Customer’s fulfilment of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under the Applicable Privacy Laws where Supplier Processes such individuals’ Personal Data pursuant to this DPA; and (ii) the Customer’s obligations under Articles 32 to 36 of the GDPR and/or the UK GDPR (as applicable).

j.       Termination:

i)       If Supplier is in breach of any of its obligations under this DPA, Customer may instruct Supplier to temporarily suspend the Processing of Customer Personal Data pending the remedy of such breach and may instruct Supplier to terminate the Processing of Customer Personal Data if such breach is not remedied.

ii)      Following the termination of this DPA, Supplier will delete Customer Personal Data unless required to retain the Customer Personal Data by Applicable Privacy Laws in the EU, EU Member States or (if applicable to the Processing) the UK or Switzerland.

5.      SCCs

a.      Where either the C2C SCCs or C2P SCCs are incorporated into this DPA under Clauses 3.b. or 4.d.:

i)       they will come into effect upon the commencement of the relevant Restricted Transfer;

ii)      any clauses which are entirely optional are not included;

iii)    for the purposes of Clause 13 the first option is included;

iv)    for the purposes of Clauses 17 and 18, the Member State for purposes of governing law and jurisdiction is the Member State in which the Customer is established. If the Customer is not established in a Member State, the specified Member State shall be Ireland;

v)      for the purposes of Annex 1.A of the SCCs, the ‘data importer’ and the ‘data exporter’ are set out in Part 1 or Part 2 (as applicable) of Annex 2 of this DPA;

vi)    for the purposes of Annex 1.B of the SCCs, the description of the transfer is set out in Part 1 or Part 2 (as applicable) of Annex 2 of this DPA

vii)   for the purposes of Annex 1.C of the SCCs the competent supervisory authority shall be the supervisory authority competent in the country in which the Customer is established; and

viii) for the purposes of Annex 2 of the SCCs, the technical and organisational measures are the Security Controls.

b.      Where the C2P SCCs are incorporated into this DPA under Clause 4.d.:

i)       Option 2 (“General written authorisation”) of Clause 9 is  selected;

ii)      the time period for the addition or replacement of Sub-Processors shall be as described in Clause 4.g.1 of this DPA; 

6.      UK Addendum

Where the UK Addendum is incorporated into this DPA under either Clauses 3.b. or 4.d.:

a.      It will come into effect upon the commencement of the relevant Restricted Transfer;

b.      for the purposes of Table 1, the Start Date shall be the commencement of the relevant Restricted Transfer, the Parties’ details and the Key Contact are set out in Annex 2 of this DPA and the parties clause of the Agreement;

c.      no signature is required for the purposes of Table 1;

d.      the first option is selected in Table 2, the Approved EU SCCS are defined in Clause 1 of this DPA and the SCCs will start on the commencement of the relevant Restricted Transfer;

e.      the Appendix Information in Table 3 is set out in Annex 1 and 2 to this DPA; and

f.       the first two options (“Importer” and “Exporter”) are selected in Table 4.

7.      Restricted Transfers from Switzerland

Where the C2C or C2P SCCs are incorporated into this DPA under Clauses 3.b. or 4.d., and there is a Restricted Transfer from Switzerland, the C2C SCCs or C2P SCCs (as applicable) shall be amended to comply with Swiss data protection laws, including without limitation the following amendments:

a)       any reference to the "Regulation (EU) 2016/679" or “that Regulation” are replaced by the SFDPA and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the SFDPA;

b)     all definitions in the SCCs shall be interpreted in accordance with the SFDPA;

c)      references to Regulation (EU) 2018/1725 are removed;

d)     references to the “Union”, “EU”, and “EU Member State” are all replaced with the “Switzerland”;

e)     Clause 13(a) and Part C of Annex II are not used;

f)       the “competent supervisory authority” is the Federal Data Protection and Information Commissioner;

g)      Clause 17 is replaced to state “These Clauses are governed by the laws of Switzerland”; and

h)     Clause 18 is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”.

8.      Miscellaneous

a.      Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.  

b.      Governing law: The governing law of the Agreement applies to this DPA, except that the  SCCs are governed by the law specified in Clause 5.a.iv).

Annex 1 - Processing Information

Processing, Personal Data, and Data Subjects

Part 1: Supplier Personal Data (Supplier as Data Controller)

Part 2: Customer Personal Data (Supplier as Data Processor)

Annex 2 - Transfer Information

Part 1 – Supplier Personal Data

Part 2 – Customer Personal Data