DATA PROCESSING EEA/UK GDPR ADDENDUM
The following terms shall have the followings:
“Controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
“Controller-Controller” means the model clauses for the transfer of personal data to Controllers established in third countries as set out in the European Commission’s Decision of 27 December 2004 (2004/915/EC), as such model clauses may be amended or replaced by the European Commission from time to time;
“Controller-Processor” means the model clauses for the transfer of personal data to Processors established in third countries as set out in the European Commission’s Decision 5 February 2010 (2010/87/EU), as such model clauses may be amended or replaced by the European Commission from time to time;
“Europe” means (i) the European Economic Area (“EEA”) as constituted at the time of a relevant transfer and which, as at the Effective Date, is comprised of the Member States of the European Union, together with the three countries within the European Free Trade Association, namely Norway, Iceland and Liechtenstein and (ii) the UK;
“European Data Protection Legislation” means: (i) the GDPR; (ii) any applicable national/federal or state/provincial legislation implementing the GDPR in a member state of the EEA; (iii) the GDPR as incorporated into UK law pursuant to s.3 of the European Union (Withdrawal Act) 2018 (as amended, the “UK GDPR”); and (iv) any other applicable data protection or national/federal or state/provincial privacy legislation in force in a member state of the EEA or the UK, including where applicable, statues, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by any supervisory authority or any other applicable authorities in a member state of the EEA or the UK;
“GDPR” means the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016);
“Processor” means a natural or legal person, public authority, agency, or any other body which Processes data on behalf of a Controller.
EEA/UK CONTROLLER TO PROCESSOR
1. This Part applies: (i) whenever a Company (Square Media Ltd) is established in the EEA or the UK, or otherwise subject to either GDPR (under Article 3.2 of GDPR) or the UK GDPR (under Article 3.2 of the UK GDPR), or the Personal Data that will be Processed relates to Data Subjects in Europe; and (ii) the Company is a Processor.
2. Where this Part B applies, the following provisions shall apply in respect of any transfers of Personal Data by Square Media Ltd and any subsequent Processing of the transferred Personal Data by Square Media Ltd:
2.1 Square Media Ltd shall Process the transferred Personal Data only on behalf of Square Media Ltd and affiliates and in accordance with the documented instructions of same unless required by applicable law. In such case, Square Media Ltd will inform affiliates of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest.
2.2 Square Media Ltd shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3 Square Media Ltd shall implement technical and organisational security measures to protect the Personal Data it Processes against a Security Incident in accordance with Applicable Data Protection Law. Such measures shall, at a minimum, include the Minimum-Security Measures.
2.4 Square Media Ltd shall not sub-contract to any subcontractor any of its obligations to Process the transferred Personal Data unless affiliate has authorised the use of the subcontractor. If Square Media Ltd hires a new subcontractor to Process the transferred Personal Data, it shall provide affiliate with prior notice, during which affiliate can object to the appointment. If affiliate does not object, Square Media Ltd may proceed with the appointment. Square Media Ltd shall ensure that it has a written agreement in place with all subcontractors that contains obligations on the subcontractor that are no less onerous on the relevant subcontractor than the obligations on Company under this Part B.
2.5 Considering the nature of the Processing, Square Media Ltd shall assist affiliates by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of affiliates obligation to respond to requests for exercising the Data Subject’s rights laid down in Applicable Data Protection Law.
2.6 Square Media Ltd shall notify affiliates without undue delay upon becoming aware of a Security Incident affecting the Personal Data it Processes for affiliate and provide details of the nature of the Security Incident and number of records affected, the category and approximate number of affected Data Subjects, any anticipated consequences of the Security Incident, and any actual or proposed remedies for mitigating the possible adverse effects of the Security Incident. Square Media Ltd shall use all reasonable endeavours to mitigate any possible adverse effects of the Security Incident and shall keep affiliate regularly appraised of the progress of such mitigation efforts.
2.7 Square Media Ltd shall provide affiliates with such assistance as is reasonable in respect of any data protection impact assessment and/or consultation with a supervisory authority that affiliates is required to undertake in accordance with the GDPR, considering the nature of the Processing and the information available to Square Media Ltd. At the choice of an affiliate, Square Media Ltd shall promptly delete or return all of the transferred Personal Data to the affiliate after the end of the provision of Square Media Ltd data processing services to the affiliate and shall delete existing copies of the transferred Personal Data unless applicable law requires storage of the transferred Personal Data.
2.8 Square Media Ltd shall, on written request from affiliate from time to time, make available to the affiliate (and any competent data protection authority) all information necessary to demonstrate compliance with Applicable Data Protection Law and allow for and contribute to audits, including inspections, on reasonable notice during normal business hours. Square Media Ltd may require a third-party auditor to enter into a confidentiality agreement (on reasonable, market standard terms) before permitting it to carry out an audit or inspection.
EEA/UK PROCESSOR TO CONTROLLER
This Part C applies: (i) whenever affiliate or Square Media Ltd is established in the EEA or the UK, or otherwise subject to either GDPR (under Article 3.2 of GDPR) or the UK GDPR (under Article 3.2 of the UK GDPR), or the Personal Data that will be Processed relates to Data Subjects in Europe; and (ii) Company is a Controller.
- Where Square Media Ltd is a Processor, then this Part C does not apply, and the transfer is covered by Part B.
- Each party is a controller of Personal Data transferred by affiliate to Square Media Ltd for Processing. Each shall in relation to such Personal Data comply with European Data Protection Legislation in full, including (i) by providing transparency to Data Subjects about such transfer and Processing; (ii) having a lawful basis for such transfer or (as the case may be) Processing; and (iii) responding in accordance with European Data Protection Legislation to any assertion of data subject rights made against it.
- If Square Media Ltd wishes to appoint a third party to Process Personal Data received from the affiliate for the purposes of the Agreement, Square Media Ltd shall ensure that the third party complies with European Data Protection Legislation Law and the requirements of this Addendum.
- If Square Media Ltd is in a territory (or sector) that has not been designated by the European Commission as ensuring an adequate level of protection, then affiliates and Square Media Ltd hereby agree that the Controller-to-Controller Clauses are incorporated into this Addendum with detail deemed to be completed and the affiliate(s) shall be the “Data Exporter” and Square Media Ltd shall be the “Data Importer”.
- PART D: EEA/UK SUPPLEMENTARY PROVISONS
- Scope of this Part of this Exhibit A-2: this Part A-2.4 applies whenever Part B or Part C applies. If the parties’ compliance with their European Data Protection Legislation requirements relating to international transfers of Personal Data is affected by circumstances outside of the parties’ control, including if the Controller-Controller Clauses, the Controller-Processor Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.
- If Square Media Ltd becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then Square Media Ltd shall: (i) immediately notify any affiliate of such Authority’s request; (ii) if Square Media Ltd is a Processor of the Personal Data, inform the Authority of this and that the affiliate has not authorised Square Media Ltd to disclose that Personal Data to the Authority; (iii) inform the Authority that such requests should be made to affiliate (as the original Controller) in writing; and (iv) not provide the Authority with such Personal Data unless and until authorised by affiliate.
- In the event Square Media Ltd is legally prohibited from complying with paragraph above, Square Media Ltd shall use reasonable efforts to challenge such prohibition.
- If Square Media Ltd makes a disclosure of Personal Data to an Authority (whether with affiliate’s authorisation or due to a mandatory legal compulsion) it shall do so only to the extent legally required.
- Paragraphs 4.3 and 4.4 shall not apply where Square Media Ltd has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Square Media Ltd shall notify affiliates as soon as possible following such Authority’s access and provide affiliates with full details of the same, unless and to the extent legally prohibited from doing so.
- Square Media Ltd shall not knowingly disclose Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.