This Data Processing Agreement (“Agreement”) is effective from the effective date of the Primary Agreement (Effective Date).
This Agreement is by and between Extreme Reach Inc. (“XR”) and the Customer named in the Order Form in connection with the services provided by XR to Customer pursuant to the Primary Agreement (together the “Parties”, and the “Party” shall be construed accordingly).
RECITALS
- XR has been engaged by the Primary Agreement (as defined below) to perform certain Services and in doing so may from time to time process Personal Data to enable XR to support the Customer in accordance with applicable law (Purpose) and Customer may make Personal Data available to XR in connection with this Purpose.
- The GDPR and other applicable data protection laws require that contracts involving the processing of Personal Data contain certain safeguards. This Agreement is designed to meet these safeguard requirements. The Parties agree that the processing activities carried out by XR pursuant to the Primary Agreement shall comply with the provisions of this Agreement.
1. Definitions
Words and expressions used in this Agreement but not defined herein shall have the meanings ascribed to such words and expressions in the Applicable Data Protection Law unless otherwise stated herein. Headings are inserted for convenience only and shall be ignored in the interpretation of this Agreement. The following definitions apply to all Parts of this Agreement unless otherwise specified herein.
- Affiliate shall refer to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- Applicable Data Protection Law means all applicable laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data.
- CCPA means the California Consumer Privacy Act of 2018 (Cal. Civ. Code Section 1798.100 et seq.) as may be amended from time to time including but not limited to by the California Privacy Rights Act of 2020 and any implementing regulations. To the extent this Agreement relates to the processing of personal data of California residents, “Controller,” “Processor,” and “Personal Data” shall be deemed to be references to “Business,” “Service Provider,” and “Personal Information” as defined in the CCPA. As used in this Agreement, “Sell,” “Sale,” “Share”, and “Sharing” shall have the meanings given to them in the CCPA.
- Data Controller, Data Processor and Process (and its derivatives), each has the meaning given to it in
- Applicable Data Protection Law.Data Security Breach means an incident giving rise to a risk of unauthorised or accidental disclosure, loss, lack of availability, destruction, alteration or processing of Personal Data or any known potential or actual breach of the minimum Technical and Organisational Security Measures outlined in Appendix B or any obligations or duties owed by XR to Customer relating to the confidentiality, integrity or availability of Confidential Information or Personal Data;
- XR refers to the organisation contracting with Customer in the context of the Primary Agreement who processes Personal Data as a separate Data Controller to Customer and/or a Data Processor.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Customer refers to the Customer entity/entities contracting with XR in the context of the Primary Agreement, and Customer’s Affiliates.
- Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Primary Agreement means any services agreement(s) between Customer and XR to which the transfers of Personal Data referred to in this Agreement relate.
- Service(s) means the services and/or goods provided by XR to Customer under the Primary Agreement.
- Standard Contractual Clauses or SCCs means the standard contractual clauses issued by the European Commission for the transfer of Personal Data outside the EEA and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.
- Technical and Organisational Security Measures means those measures aimed at protecting Personal Data from unauthorised access, or unauthorised alteration, disclosure, loss, lack of availability or destruction, as further described in Appendix B.
In consideration of the mutual covenants and agreements in this Agreement and the Primary Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Customer and XR agree as follows:
2. Compliance with Data Protection Law
- The Parties shall comply with all Applicable Data Protection Law in relation to the processing of Personal Data pursuant to the Primary Agreement.
- In so far as XR acts as a Data Controller, Customer and XR act as separate and independent Data Controllers in respect of the Personal Data, as set out in Appendix A, that each Party Processes.
- In so far as XR acts as a Data Processor on behalf of Customer, Customer acts as a Data Controller in respect of the Personal Data, as set out in Appendix A, that each Party Processes.
3. XR’s Obligations as Processor
To the extent that XR is acting as a Data Processor on the instructions of Customer, XR agrees, in order to comply with the requirements set out in Article 28(3) GDPR, that in respect of the processing of Personal Data by XR or its personnel under or in connection with the Primary Agreement, XR shall, and shall procure that its personnel shall:
- only process the Personal Data to the extent required to provide the services in accordance with the terms of this Agreement, the Primary Agreement, or otherwise in accordance with documented instructions of Customer given from time to time;
- not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by Customer;
- promptly comply with any request from Customer requiring XR to amend, transfer or delete any Personal Data;
- implement appropriate technical and organisational measures to:
- protect Personal Data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, damage, alteration, or disclosure;
- to comply with the Data Protection Laws; and
- to ensure the protection of the rights of the data subject;
- ensure that all XR personnel engaged in the provision of the services under the Primary Agreement have entered into a confidentiality agreement or non-disclosure agreement with XR and shall further ensure that such XR personnel are made aware of and observe XR’s obligations under this Agreement with regard to the security and protection of Personal Data;
- process the Personal Data in accordance with the Data Protection Laws and not do or permit anything to be done which might cause Customer in any way to be in breach of the Data Protection Laws;
- provide written evidence of XR’s compliance with Data Protection Laws as may be requested by Customer from time to time, including participation in a data protection impact assessment as requested by Customer;
- cooperate and assist, as requested by Customer, and put appropriate technical and organisational measures in place to enable Customer to comply with any exercise of rights by a data subject under the Data Protection Laws in respect of Personal Data processed by XR under this Agreement (including, without limitation, in relation to the retrieval and/or deletion of a data subject’s Personal Data). Notify Customer within two (2) days if XR receives such a request from a Data Subject;
- other than those disclosures inherent to the services, notify Customer in the event of any disclosure of Customer Data that XR is required to make by applicable law or regulatory body prior to making such a disclosure (to the extent legally permissible);
- not process the Personal Data anywhere outside of the European Economic Area without the prior written consent of Customer (and subject then, in the event of any transfer outside the European Economic Area, to the execution of any document or agreement which, in the reasonable opinion of Customer, is required in order to lawfully effect any such transfer of Personal Data);
- at the request of Customer or any competent regulatory or supervisory authority, submit for audit the processing activities (and related facilities) carried out pursuant to the Agreement which shall be carried out by Customer, its authorised representatives (bound by a duty of confidentiality) and/or representatives of the relevant regulatory or supervisory authority;
- cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, the services to which this Agreement relates and as soon as possible thereafter, at Customer’s option, either return, or delete from its systems, the Personal Data and any copies of it or of the information it contains and XR shall confirm in writing that this Clause 2 has been complied with in full. The provisions of Clause 2 shall not apply to the extent XR is obliged by Applicable Data Protection Laws to keep copies of the Personal Data;
- XR will notify Customer without undue delay, and in any event within 48 hours, of XR becoming aware of a Data Security Breach relating to the Personal Data Processed in accordance with this Agreement. XR shall, at its own expense, provide Customer with sufficient information to allow Customer to meet any obligations to report or inform legal/regulatory authorities or Data Subjects under the Applicable Data Protection Law (including a description of the incident, Personal Data accessed, number of impacted individuals, etc.), assist investigations determined to be required by Customer, take appropriate steps to remedy the cause of the Data Security Breach, and cooperate with law enforcement as or regulatory authority as required. Unless required by law, XR shall not notify any legal/regulatory authority or Data Subjects of any Data Security Breach when acting as a processor of Customer and shall reimburse Customer for any notification related costs;
- as it relates to any sub-processor, XR shall be liable for any act or omission of the sub-processor. XR shall notify Customer of any new sub-processor and Customer shall have two weeks to make reasonable objections and work together to find an acceptable alternative, ensure that any relationship is governed by a contract no less stringent than this Agreement,, and perform due diligence to confirm that any sub-processor is capable of providing an adequate level of protection under the Applicable Data Protection Law;
- XR shall not retain, use, disclose or otherwise Process Customer Personal Data for any commercial purpose other than those purposes set out in the Primary Agreement or this Agreement. XR shall not Sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate such Customer Personal Data to any third party for monetary or other valuable consideration or Share (as defined under CPRA) such Customer Personal Data, whether or not for monetary or other valuable consideration;
- XR will not combine Customer Personal Data with the Personal Data Processed on behalf of XR's other customers or with Personal Data it collects from its own interactions with a consumer;
- Customer and XR hereby acknowledge and agree that nothing in the Primary Agreement or this Agreement shall be construed as providing for the Sale or transfer for valuable consideration of Personal Data to XR or Sharing of Personal Data to XR, whether or not for monetary or other valuable consideration;
- XR certifies that it understands the restrictions set forth in this Agreement, and all applicable sections of the CCPA and its regulations, and will comply with them; and
- Notify Customer within five (5) business days of making the determination that it can no longer meet its obligations under the Applicable Data Protection Law.
4. The Parties’ Obligations as Controllers
- To the extent that XR provides payroll or residual services under the Primary Agreement, where it is subject to strict legal obligations with respect to its control and maintenance of Personal Data related to the wages it pays under its name and FEIN, XR will act as a Data Controller in respect of such processing and XR agrees with Customer that it will comply with all obligations of a Data Controller under Applicable Data Protection Law.
- The Parties agree to assist each other to respond to requests by data subjects, exercising their rights under Applicable Data Protection Law, without undue delay, and in any event, within such timescales as required by Applicable Data Protection Law.
- If XR is contracting with a Customer entity within the EEA/Switzerland, it shall only transfer Personal Data outside the EEA/Switzerland to a country approved by the European Commission pursuant to Article 45(1) of the GDPR or in accordance with the Standard Contractual Clauses. Customer and XR hereby enter into the Standard Contractual Clauses (as further set out in the Schedule to this Agreement) in respect of such transfers. In the event that there ceases to exist any practicable and valid data transfer mechanism which would enable the Personal Data to be lawfully transferred by Customer to XR, Customer shall be entitled to terminate this Agreement by giving a minimum of thirty (30) days' prior written notice to XR.
- The Parties agree that they will comply with strict confidentiality obligations in respect of the Personal Data, except to the extent required in order to provide the Services, and will ensure that its personnel, agents and sub-processors who Process Personal Data under this Agreement are aware of and comply with this Agreement and are legally required in writing to comply with and acknowledge and respect the confidentiality of such Personal Data, including after the end of their employment, contract or at the end of their assignment. Each Party shall implement all reasonable and appropriate industry standard administrative, technical and physical security measures, including the Technical and Organisational Security Measures, to ensure a level of security appropriate to the risk to the security of Personal Data, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised, disclosure of or access to Personal Data.
- XR will notify Customer without undue delay, and in any event within 48 hours, of XR becoming aware of a Data Security Breach relating to the Personal Data Processed in accordance with this Agreement.
5. Indemnity
- To the extent that a claim is brought against Customer related to Personal Data over which XR is an independent Controller or Processor, and where such claim results solely from XR’s breach of this Agreement, XR shall indemnify Customer against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Customer arising out of or in connection with any breach of this Agreement by XR.
- To the extent that a claim is brought against XR related to Personal Data over which Customer is an independent Controller, and where such claim results solely from Customer’s breach of this Agreement, Customer shall indemnify XR against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by XR arising out of or in connection with any breach of this Agreement by Customer.
6. Miscellaneous
- The categories of Personal Data and data subjects that are subject to processing under this Agreement are set out in the relevant option(s) noted in Appendix A, being the option(s) applicable to the nature of the services being performed by XR under the Primary Agreement.
- This Agreement and the Primary Agreement represent the entire agreement between the Parties and supersede any and all prior oral or written agreements between the Parties related to the processing of Personal Data. In the event of a conflict between the terms of this Agreement and the terms of the Primary Agreement, the terms of this Agreement shall govern and shall take priority.
- If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall remain in effect.
- This Agreement is binding upon all successors and assigns of the Parties.
- A waiver by either Party of any term or condition of this Agreement in one or more instances shall not constitute a permanent waiver of the term or condition or any other term or condition of this Agreement or a general waiver.
- The obligations established under this Agreement shall survive termination of this Agreement and the Primary Agreement, and shall continue in full force and effect until such time as XR has returned or destroyed all Personal Data, as applicable, in accordance with the terms of this Agreement.
- This Agreement shall be governed by the Primary Agreement, and each of the Parties hereby consents to the exclusive personal jurisdiction (including non-contractual disputes or claims) of such jurisdiction.
Schedule
STANDARD CONTRACTUAL CLAUSES
- The relevant Controller-Controller Standard Contractual Clauses are available at: https://hrtechprivacy.com/c2cscc
- The relevant Controller-Processor Standard Contractual Clauses are available at: https://hrtechprivacy.com/c2pscc
- For the purposes of entering the relevant Standard Contractual Clauses:
- The optional Clause 7 shall not apply.
- The description of the transfer of Personal Data in Appendix A of this Agreement shall be deemed to be inserted in place of Annex I of the Standard Contractual Clauses.
- Appendix B of this Agreement shall be deemed to be inserted in place of Annex II of the Standard Contractual Clauses.
Schedule: Appendix A
A. LIST OF PARTIES
|
DATA EXPORTER(S):
|
DATA IMPORTER(S):
|
|
Name:
|
The Party listed in the Order Form
|
Name:
|
Extreme Reach, Inc.
|
|
Address:
|
See Order Form
|
Address:
|
3 Allied Dr. Suite 130
Dedham, MA 02026
USA
|
|
Contact person’s name, position and contact details:
|
See Order Form
|
Contact person’s name, position and contact details:
|
Stephen K. Robinson
General Counsel & Chief Privacy Officer
srobinson@extremereach.com
|
|
Activities relevant to the data transferred under these Clauses:
|
Distribution or production of entertainment and/or advertising content.
|
Activities relevant to the data transferred under these Clauses:
|
Advertising technology services and/or payroll services.
|
|
Role:
|
Controller
|
Role:
|
Processor / Controller
|
B. DESCRIPTION OF TRANSFER
|
Categories of data subjects whose personal data is transferred (SELECT ONE OPTION)
|
|
✘ Option 1:
|
The personal data processed by XR relates to personal data pertaining to Customer employees (for example, for use in Services which involve the provision of employee lists, login details of employees)
|
|
⚊ Option 2:
|
The personal data processed by XR relates to users of the Customer service (for use when Customer data is being transferred) |
|
⚊ Option 3:
|
The personal data processed by XR is all types of personal data, pertaining to IT |
|
Categories of personal data transferred (SELECT ALL APPLICABLE DATA)
|
|
Data relating to employees of Customer provided to XR by and at direction of Customer for the purposes of providing the Services under the Primary Agreement and may include the following categories of data:
|
|
✘ Names
|
✘ Email addresses
|
✘ Postal Addresses
|
✘ Telephone Numbers
|
|
✘ Photographs
|
⚊ Usernames
|
⚊ IP Addresses
|
⚊ Credit Card Numbers
|
|
✘ Social Secuirty Numbers
|
✘ Identification Card/Passport Numbers
|
⚊ Login Credentials
|
|
|
✘ Please identify and include other data categories as applicable:
- Payroll information for Customer production talent, crew, and/or other payees
- Basic contact information for Customer employees coordinating services with XR
|
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures (SELECT ALL APPLICABLE DATA)
|
|
Data relating to:
|
|
⚊ Racial or Ethnic Origin
|
⚊ Political Opinions
|
⚊ IP Addresses
|
⚊ Religious or Philosophical Beliefs
|
|
✘ Trade Union Membership*
* XR only has trade union information where applicable
|
⚊ Genetics
|
⚊ Biometrics
|
⚊ Health & Sexual Orientation
|
|
⚊ None
|
|
|
|
|
Applied Restrictions or Safeguards: N/A (if no sensitive data, put N/A)
|
|
The frequency of the transfer (e.g. whether the data transfer is a one-off or continuous basis) (SELECT ALL APPLICABLE DATA)
|
|
⚊ One-off
|
✘ Continuous |
|
|
|
Nature of the processing
|
|
XR will process Personal Data subject to this Agreement for the purposes of providing the Services and related technical support in accordance with this Agreement and otherwise in accordance with any documented instructions of Customer.
|
|
Purpose(s) of the data transfer and further processing
|
|
XR’s provision of the Services under the Primary Agreement to Customer.
|
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
|
|
The applicable term of the Primary Agreement.
|
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing (SELECT ONE)
|
|
✘ Not Applicable
or
Provide description required:
|
C. COMPETENT SUPERVISORY AUTHORITY
|
Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:
|
|
UK ICO
|
Schedule: Appendix B
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
In accordance with the Agreement, XR will adopt and maintain appropriate (including organisational and technical) security measures in dealing with the Personal Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
In determining the technical and organisational security measures required under the Agreement, XR will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
XR will implement the following specific security measures, as applicable:
- Relevant employees and contractors are to be trained in relation to specific technical and organisational security measures;
- Personal Data is to be stored on secured servers behind a firewall;
- Servers are to be monitored by industry standard network monitoring tools to prevent any potential security breaches;
- Corporate systems and databases to be password protected;
- VPN and direct network access to be limited to company-issued devices;
- Dual factor authentication for VPN access;
- Passwords to be hashed and salted and stored in a separate database;
- Retention, for one year, of VPN, server, wiki and database access logs;
- Segregation and limitation of employee access permissions;
- Active and automated monitoring of critical access logs and anomaly detection;
- Pseudonymisation and encryption methods;
- System(s) to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- Process(es) for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
