Data Processing Addendum
This data processing addendum (“DPA”) supplements the Agreement between V2 Cloud Solutions, Inc. and the Customer and is entered into as of the date of entering into the Agreement. This DPA incorporates the Agreement and any capitalised terms used but not defined in this DPA shall have the meanings set forth in the Agreement. For the purposes of this DPA, the Customer is the Data Controller and V2 Cloud Solutions, Inc. the Data Processor.
The terms and expressions set out in this DPA shall have the following meanings:
1.1 “Agreement” means the agreement between the parties for purchase of the Cloud Services.
1.2 “Data Controller”, “Data Processor” and “processing” shall have the meanings given to them in GDPR;
1.3 “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and associated regulations (“CCPA”), and the following, when effective and together with any associated regulations: the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (“CPA”). For the avoidance of doubt, if service provider’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.
1.4 “Personal Data” means all data relating to individuals which is processed by the Data Processor on behalf of the Data Controller in accordance with this DPA;
1.5 “Sub-processor” means any third party that Data Processor engages to Process Personal Data on behalf of Data Processor to provide the Cloud Services.
2. Categories of Personal Data covered by the DPA
2.1 Contact details (including name, email address, telephone number, title and employer) of the Data Controller’s users who are added as users to the Cloud Services in the Client Account, and the IP address used to log in to the Cloud Services.
3. Processing and use of Personal Data
3.1 Data Processor is to process Personal Data received from the Data Controller (a) in compliance with the instructions provided by the Data Controller as set out in this DPA, (b) exclusively for the purpose of providing the Cloud Services established in the Agreement, or (c) as otherwise notified in writing by the Data Controller to the Data Processor during the term of the Agreement, in accordance with the notice provisions in the Agreement.
3.2 The Data Processor shall at all times comply with Data Protection Laws and shall not perform its obligations under this DPA, or the Agreement, in such way as to cause the Data Controller to breach any of its applicable obligations under Data Protection Laws.
3.3 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with Data Protection Laws from time to time in force.
4. Security of Personal Data
4.1 Data Processor agrees to implement and maintain an appropriate information security program with technical and organisational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
4.2 Data Processor, if so requested by the Data Controller, shall supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.
4.3 All Personal Data provided to the Data Processor by the Data Controller or obtained by the Data Processor in the course of its work with the Data Controller is confidential and may not be copied, disclosed or processed in any way without the express authority of the Data Controller.
5. Sub-processors and employees
5.1 Where the Data Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Data Controller it shall take reasonable steps to ensure the reliability of all employees and Sub-processors.
5.2 Data Processor will take reasonable measures to inform and train its employees about relevant privacy legislation and data security and ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all employees and Sub-processors are informed of the confidential nature of the Personal Data and are aware of Data Processor’s duties under this DPA and their personal duties and obligations under Data Protection Laws;
5.3 Data Controller approves the use of the Sub-processors listed at https://v2cloud.com/privacy-policy. The Data Processor shall notify the Data Controller in writing of any new Sub-processors prior to the Sub-processor having access to Personal Data using the email address provided in the Client Account.
5.4 Data Processor shall not disclose, transfer and/or grant access to Personal Data to a Sub-processor unless Data Processor: (i) executes a written agreement with such Sub-processor that contains substantially similar data protection obligations to those imposed on Data Processor by this DPA, including implementing appropriate technical and organisational measures; and (ii) remains liable for the Sub-processor’s failure to fulfil its obligations with respect to the processing of Personal Data as if Data Processor had failed to fulfil such obligations.
Data Processor agrees that, on reasonable prior notice of at least 30 days and no more than once per calendar year, it shall permit persons authorised by the Data Controller to access any premises on which Personal Data provided by the Data Controller to the Data Processor is processed, and to inspect whether the Data Processor’s systems comply with this Agreement. Data Controller acknowledges that Data Processor’s obligations under this clause may be satisfied in whole or in part by the provision to Data Controller of appropriate information, records, certifications and audit reports issued by reputable independent third parties, provided that there have been no material changes to the controls used by Data Processor since the certification or audit report was issued.
7. Security Incident
7.1 Data Processor shall notify the Data Controller if it receives a request from a data subject to have access to that person’s Personal Data or a complaint or request relating to the Data Controller’s obligations under Data Protection Laws.
7.2 Data Processor shall provide the Data Controller with full co-operation and assistance in relation to any complaint or request made, including by providing the Data Controller with full details of the complaint or request and complying with a data access request within the relevant timescale set out in Data Protection Laws and in accordance with the Data Controller’s instructions;
7.3 If the Data Processor becomes aware of any unauthorised or unlawful processing of any Personal Data, or that any Personal Data is lost, destroyed, damaged, corrupted or unusable, or becomes aware of any security breach, the Data Processor shall, at its own expense, immediately notify the Data Controller (and in any event within 48 hours) (the “Notice”) and shall fully co-operate with and assist the Data Controller in dealing with the security breach and in ensuring compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, as soon as reasonably practicable.
7.4 The Notice shall include, to the extent available to the Data Processor at the time, a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned, b) a description of the likely consequences of the incident and c) a description of the measures taken or proposed to be taken by the Data Processor to address the incident.
8. International data transfer
8.1 To the extent any Personal Data is accessed by Data Processor, or transferred to Data Processor, the transfer(s) shall occur according to the requirements of the Data Protection Laws, including GDPR chapter V.
8.2 To the extent Personal Data includes personal data from the EU and EEA, by entering into the Agreement and this DPA the Parties are deemed to have signed the EU Standard Contractual Clauses, Module 2 (the “SCCs”), including their annexes, attached hereto.
8.2.1 To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:
8.2.1.1 Clause 7. The optional docking clause does not apply.
8.2.1.2 Clause 9. Use of sub-processors: Option 2 (general written authorisation) is selected, and the minimum time period for prior notice of Sub-processor changes shall be 30 days.
8.2.1.3 Clause 11. The optional language does not apply.
8.2.1.4 Clause 17. Option 2 is selected and the Parties agree that this shall be the law of the Agreement.
8.2.1.5 Clause 18(b). The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of the country agreed in the Agreement.
8.2.1.6 Clause 13. All square brackets are hereby removed.
8.3 To the extent Personal Data includes personal data from Switzerland, clause 8.2 and the Addendum for Transfers from Switzerland apply.
8.4 To the extent Personal Data includes personal data from the UK, the Addendum for Transfers from the United Kingdom applies.
8.5 California Consumer Privacy Act. If Data Controller or their data subjects are residents of California, please review our CCPA Vendor Addendum for information regarding your California privacy rights.
9. Return or disposal
The Data Processor shall destroy or transfer all Personal Data to the Data Controller on the Data Controller’s request, in the formats, at the times and in compliance with the requirements notified in writing by the Data Controller to the Data Processor. The Personal Data of the Data Controller shall be destroyed at the latest six (6) months after the expiry or termination of the Agreement.
To the extent required by Data Protection Laws, the Data Processor shall indemnify and keep indemnified the Data Controller against direct damages, claims, and losses incurred by the Data Controller which arise directly from the Data Processor’s data processing activities under this DPA. The limitations of liability agreed between the Parties in the Agreement apply to this DPA.
11.1 Conflict. If there is a conflict between the provisions of the GTCs and this DPA, the provisions of this DPA shall prevail.
11.2 Governing law and dispute resolution. This DPA shall be governed by the laws governing the Agreement. All disputes arising out of or in connection with this DPA shall be finally settled by the dispute resolution body agreed in the Agreement.
11.3 Validity. This DPA shall be valid as long as the Agreement is in force.
A. LIST OF PARTIES
| Data exporter (Data Controller) | |
|---|---|
| Name | The Customer as defined in the Agreement |
| Address | The address for the Customer as defined in the Agreement |
| Contact person’s name, position and contact details | The contact person for the Customer as defined in the Agreement |
| Activities relevant to the data transferred under these Clauses | The use of Cloud Services as defined in the Agreement |

| Data importer (Data Processor) | |
|---|---|
| Name | The contracting entity as defined in the Agreement |
| Address | The address for the contracting entity as defined in the Agreement |
| Contact person’s name, position and contact details | The contact person for the contracting entity as defined in the Agreement |
| Activities relevant to the data transferred under these Clauses | The provision of Cloud Services as defined in the Agreement |
B. DESCRIPTION OF TRANSFER
| Item | Details |
|---|---|
| Categories of data subjects whose personal data is transferred | Data Controller’s employees authorised to use the Cloud Services |
| Categories of personal data transferred | Name, username, email address, IP address, telephone number |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved (for instance strict purpose limitation, access restrictions including access only for staff having followed specialised training, keeping a record of access to the data, restrictions for onward transfers or additional security measures) | No sensitive data is transferred |
| Frequency of the transfer (one-off or continuous) | Continuous |
| Nature of the processing | Transfer, copying, use, deletion, correction, adjustment |
| Purpose(s) of the data transfer and further processing | Personal data is transferred from the Data Controller to the Data Processor so that the Data Processor can provide the Cloud Services as defined in the Agreement |
| Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | The duration of the Agreement |
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13: the Parties agree to the Irish supervisory authority.
ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
I. Confidentiality: Physical access checks
The Data Processor shall ensure that no unauthorised persons have access to the office, server or archive rooms. This is achieved through:
- Limited access lists
- Secured doors
- Datacenter and cloud partners (where client data is stored):
  - Limited access lists
  - Secured doors
  - Locked cabinets containing hosted equipment
  - Video recordings
  - Escorted access only
II. Confidentiality: Entry controls
The Data Processor shall prevent the use of computer systems by unauthorised persons. This is achieved through:
- Limited access lists
- Secured doors
- Process by which granting access to a user requires peer review
III. Confidentiality: Access controls
The Data Processor warrants that those authorised to use a data processing system shall only be able to access the data that are subject to their access authorisation, and that personal data shall not be able to be read, copied, altered or removed without authorisation during processing or use or after storage. This is achieved through:
- Process by which granting access to a user requires peer review
- Reviewing access logs
IV. Confidentiality: Separation controls
The Data Processor warrants that data collected for different purposes can be processed separately. There is no need for physical separation; logical separation of the data is sufficient. This is achieved through:
- Logical separation for all clients
V. Integrity: Disclosure checks
The Data Processor warrants that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission, transport or storage on data carriers, and that it shall be possible to verify and determine at which points personal data are to be transmitted by means of data transmission equipment. This is achieved through:
- Encryption of data when in transit.
VI. Integrity: Input controls
The Data Processor warrants that it shall be possible to subsequently verify and determine whether and by whom personal data has been entered, altered or removed in data processing systems. This is achieved through:
VII. Availability and resilience: Availability checks
The Data Processor warrants that personal data shall be protected against accidental or intentional destruction or loss. This is achieved through:
- Least Privilege Access
VIII. Availability and resilience: recoverability
The Data Processor warrants the ability to rapidly restore the availability of the personal data and the access to the data in the event of a physical or technical incident through the following measures:
- Disaster recovery and business continuity plans
IX. Evaluation: Data protection management
The Data Processor has implemented a process to regularly review and assess the effectiveness of the technical and organisational protection measures to warrant the security of the processing. This includes:
- Random checks of measures
ANNEX III: LIST OF SUB-PROCESSORS
ADDENDUM FOR TRANSFERS FROM SWITZERLAND
1. For the purposes of localizing the SCCs to Swiss law, the parties agree to the following:
- The parties adopt the GDPR standard for all data transfers, or the standard under Swiss law where higher.
- The parties agree that the references to provisions of the GDPR in the SCCs are to be understood as references to the corresponding provisions of the Swiss Federal Data Protection Act in the version applicable at the moment of initiation of any dispute.
- The term Member State where used in the SCCs also applies to Switzerland. In particular, this shall ensure that data subjects are not excluded from the possibility to sue for their rights in their place of habitual residence.
- Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
- Clause 17: The Parties agree that the governing jurisdiction is the Member State in which the data exporter is established for claims under the GDPR and the substantive laws of Switzerland for claims under the Swiss Federal Data Protection Act.
- Clause 18:
- Any dispute arising from these Clauses shall be resolved by the courts of Zurich, Switzerland.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
- The parties agree to interpret the SCCs so that “data subjects” includes legal entities until the revised Swiss Federal Act on Data Protection enters into force.
ADDENDUM FOR TRANSFERS FROM the UNITED KINGDOM
1. For the purposes of localizing the SCCs to United Kingdom law, the parties agree to the following:
The parties agree that the SCCs are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a third country and provide appropriate safeguards for transfers according to Article 46 of the UK GDPR. Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.
Part 1: Tables
Table 1: Parties
| Item | Details |
|---|---|
| Start date | The date the DPA is signed |
| The Parties | Exporter and Importer as per the Intercompany Agreement to which the Approved EU SCCs and this Addendum are appended |
Table 2: Selected SCCs, Modules and Selected Clauses
| Item | Details |
|---|---|
| Addendum EU SCCs | The version of the Approved EU SCCs to which this Addendum is appended, including the Appendix Information: SCC version released on 4 June 2021, as in force on 1 July 2022 |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in the following Annexes to the Approved EU SCCs to which this Addendum is appended:
- Annex 1A: List of Parties
- Annex 1B: Description of Transfer
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data
- Annex III: List of Sub-processors (Modules 2 and 3 only)
Table 4: Ending this Addendum when the Approved Addendum Changes
| Item | Details |
|---|---|
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Term | Meaning |
|---|---|
| Addendum | This International Data Transfer Addendum, which is made up of this Addendum incorporating the Addendum EU SCCs |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs to which this Addendum is appended, as set out in Table 2, including the Appendix Information |
| Appendix Information | As set out in Table 3 |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 |
| ICO | The UK Information Commissioner |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR |
| UK | The United Kingdom of Great Britain and Northern Ireland |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the UK Data Protection Act 2018 |
| UK GDPR | As defined in section 3 of the UK Data Protection Act 2018 |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
This addendum (“CCPA Addendum”) is entered into as of the date below, and is incorporated into and forms a part of the DPA
This CCPA Addendum sets forth the terms and conditions relating to compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., as amended, and related regulations, as may be further amended from time to time (collectively, the “CCPA”). In the event of a conflict between this CCPA Addendum and the DPA, this CCPA Addendum will prevail.
The parties agree as follows:
1. This CCPA Addendum shall only apply to Service Provider: (a) to the extent Service Provider is subject to CCPA pursuant to the services it provides to Customer and/or Customer clients; (b) to the extent Service Provider collects personal information on behalf of Customer and/or Customer clients; or (c) receives personal information from Customer and/or Customer clients pursuant to the Agreement (the “Personal Information”).
2. All terms used in the CCPA Addendum, unless specifically defined herein, that are defined by the CCPA are to be ascribed the same meanings as those terms have in the CCPA.
3. Service Provider certifies that it understands and will comply with the CCPA, including but not limited to, with respect to any and all Personal Information that Service Provider receives from Customer and/or by or on behalf of Customer clients in connection with the Agreement, and that Service Provider has implemented reasonable security procedures and practices consistent with the CCPA’s requirements or as required under applicable California law. Service Provider affirms that it is either currently in compliance with the CCPA, or that Service Provider will be in compliance as of the time the CCPA applies to Service Provider, whether that be on January 1, 2023 or some other date.
4. The contracting entity is a “Service Provider” and not a “Third Party” as described in the CCPA.
5. Service Provider shall not: (a) sell or share the Personal Information; (b) collect, retain, use, or disclose the Personal Information for any purpose other than the specific purpose of providing the services specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the services specified in the Agreement, except as explicitly provided by the CCPA; (c) collect, retain, use, or disclose the Personal Information outside of the direct business relationship between the person to whom the Personal Information pertains and the business with whom Customer contracts relating to the Agreement; (d) collect, retain, use, disclose, or otherwise make Personal Information available for Service Provider’s own commercial purposes or in a way that does not comply with the CCPA; and/or (e) combine the Personal Information Service Provider receives pursuant to the Agreement with Personal Information which Service Provider receives from or on behalf of another person or persons, or that Service Provider may collect from its own interaction with the consumer unrelated to this Agreement.
6. If Service Provider, pursuant to the Agreement, collects Personal Information directly from consumers on behalf of Customer or Customer clients, Service Provider shall provide all required CCPA-compliant notices at the collection of the Personal Information.
7. Service Provider agrees that Customer may monitor Service Provider’s compliance with this CCPA Addendum through measures including regular assessments or audits no more than once every twelve (12) months.
8. Notwithstanding anything in the Agreement or any other document, the Parties acknowledge and agree that the exchange of Personal Information between the Parties is not part of and is explicitly excluded from the exchange of consideration, or any other thing of value, between the Parties.
9. Service Provider shall provide prompt and reasonable assistance to Customer in facilitating compliance with any applicable CCPA-related audit and risk-assessment requirements (collectively, “Audits”), as well as with requests from consumers pursuant to the CCPA. This includes, but is not limited to:
- Promptly responding to and complying with Customer’s reasonable requests for information relating to Audits;
- Providing the specific pieces and/or categories of Personal Information collected from the requesting consumer and assisting with any data portability obligations pursuant to such requests;
- Deleting Personal Information that the requesting consumer requests be deleted;
- Disclosing the business or commercial purposes for which the requested Personal Information was collected;
- Disclosing the categories of sources from which the requested Personal Information was collected;
- Disclosing the categories of third parties with whom the requested Personal Information was shared;
- Correcting any inaccurate Personal Information; and
- Limiting the use of sensitive Personal Information.
10. If Service Provider believes the CCPA relieves Service Provider from having to provide any of the information requested by a consumer, or from otherwise complying with a consumer’s request, Service Provider shall promptly and in writing provide Customer with the specific basis for Service Provider’s belief. Similarly, if Service Provider believes Service Provider is legally required to disclose Personal Information for a purpose or reason unrelated to the specific purpose of providing the services specified in the Agreement, Service Provider will first inform Customer in writing of the legal requirement and give Customer a reasonable opportunity to object to or challenge the requirement, unless the law prohibits such notice.
11. To the extent Service Provider uses its own vendors, affiliates, Contractors, subcontractors, or subprocessors (collectively “Subprocessors”) to provide the services specified in the Agreement, Service Provider shall notify Customer of each such Subprocessor and shall require, in a written contract (or in a written amendment to any existing contract), all such Subprocessors to follow all requirements in the CCPA relating to service providers, and to assist Service Provider, as applicable, in Service Provider’s compliance with its obligations in this CCPA Addendum.
12. If Service Provider determines that Service Provider and/or any of its Subprocessors can no longer meet its obligations under the CCPA, Service Provider shall immediately notify Customer, and upon such notice Customer shall have the right to immediately take all reasonable and appropriate steps to terminate the Agreement; require Service Provider to immediately return and/or destroy all personal data exchanged pursuant to the Agreement; and/or to take any other reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Service Provider and/or its Subprocessors.
13. In the event that either Party shares Deidentified Information (as defined in the CCPA) with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; (iv) will make no attempt to reidentify the information; and (v) will contractually prohibit downstream information recipients from attempting to reidentify, or actually reidentifying, such information.
14. Service Provider will notify Customer immediately, but in no event later than three (3) business days, if Service Provider receives any complaint, verifiable consumer request, notice, or communication that directly or indirectly relates to either Party’s compliance with the CCPA, including any request from a consumer for Personal Information or other actions relating to the CCPA.
15. In the event that either Party transfers to a third party Personal Information as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of such Party to the Agreement, that information shall only be used or shared consistently with applicable law, including the CCPA.