Data Processing Agreement
This Personal Data Processing Agreement (“Agreement”) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Audiens Customer Data Platform Agreement.
By using the Audiens Platform or clicking agree to accept these terms, the Data Owner confirms that it accepts and agrees to be legally bound by all terms and conditions of this Agreement. If these terms are not accepted, the Data Owner must not use the Audiens Platform, or authorise anyone else to use the Audiens Platform.
IT IS AGREED:
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
“Data Protection Legislation” means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
“Data Subject”, “Controller”, “Processor” and “Processing” have the same meaning as in the Data Protection Legislation.
“Personal Data” has the meaning set out in the Data Protection Legislation in relation to data Processed under this Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“UK Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1.2 This Agreement is subject to the terms of the Audiens Customer Data Platform Agreement. Interpretations and defined terms set forth in the Audiens Customer Data Platform Agreement apply to the interpretation of this Agreement.
1.3 The Schedules form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
1.4 A reference to writing or written includes faxes and email.
1.5 In the case of conflict or ambiguity between:
1.5.1 any provision contained in the body of this Agreement and any provision contained in the Schedule, the provision in the body of this Agreement will prevail; and
1.5.2 any of the provisions of this Agreement and the provisions of the Audiens Customer Data Platform Agreement, the provisions of this Agreement will prevail.
2. Personal data types and processing purposes
2.1 The Customer and the Provider acknowledge that for the purpose of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor.
2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
2.3 Details of the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects whose Personal Data is being Processed in connection with the Services are set out in Schedule 1.
3. Provider’s obligations
3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the purpose of providing the Services and in accordance with the Customer’s written instructions.
3.2 The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by law. If the Provider is required to disclose Personal Data by law, the Provider acknowledges that, in such a case, it must promptly inform Customer of the relevant legal requirement prior to Processing (unless the law prohibits the provision of such information on important grounds of public interest).
3.3 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
4. Provider’s employees
4.1 The Provider will ensure that all employees that it authorises to process the Personal Data on the Provider’s behalf:
4.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data; and
4.1.2 are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
5.1 The Provider shall ensure a level of security appropriate to the risks that are presented by such Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.
5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
5.2.1 the pseudonymisation and encryption of personal data;
5.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
5.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
6. Personal data breach
6.1 The Provider will promptly notify the Customer if the Customer becomes aware:
6.1.1 that any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable;
6.1.2 of any accidental, unauthorised or unlawful processing of the Personal Data; or
6.1.3 of any Personal Data Breach,
and the Provider shall ensure that such notice includes details of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned and the remediation measures being taken to mitigate and contain the breach.
6.2 The Provider agrees that the Customer shall at its sole discretion determine whether to provide notification to the Data Subject, any third party or Regulator and the Provider shall not notify the Data Subject, any third party or Regulator unless such disclosure is required by law or is otherwise approved by the Customer.
7. Cross-border transfers of personal data
7.1 The Provider (or any subcontractor) must not transfer or otherwise process Personal Data outside the European Economic Area without obtaining the Customer’s prior written consent.
8.1 Save for the subcontractors set out in Schedule 1 (if any), the Provider may not authorise any third party or subcontractor to process the Personal Data without the prior specific or general consent of the Customer.
8.2 Where the Customer gives the Provider authorisation to engage another Processor:
8.2.1 the Provider shall ensure that such Processor is subject to the same obligations as are set out in this Agreement;
8.2.2 the Provider shall at all times remain liable to the Customer for such Processor’s performance of its obligations; and
8.2.3 if the authorisation given is a general written authorisation, the Provider shall not make any changes concerning the addition or replacement of other Processors without first obtaining the Customer’s written consent to such changes.
9. Complaints, data subject requests and third-party rights
9.1 The Provider must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
9.1.2 information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
9.2 The Provider must notify the Customer promptly, and in any event within 5 working days, if it receives:
9.2.1 any complaint notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
9.2.2 a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
9.3 The Provider shall assist and co-operate with the Customer in responding to any complaint, notice, communication or Data Subject request.
9.4 The Provider must not disclose the Personal Data to a third party without the prior written consent of the Customer.
10. Term and termination
10.1 This Agreement will remain in full force and effect so long as:
10.1.1 the Audiens Customer Data Platform Agreement remains in effect; or
10.1.2 the Provider retains any Personal Data related to the Audiens Customer Data Platform Agreement in its possession or control.
10.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Audiens Customer Data Platform Agreement in order to protect Personal Data will remain in full force and effect.
10.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Audiens Customer Data Platform Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 3 months they may terminate the Audiens Customer Data Platform Agreement on written notice to the other party.
10.4 On termination of the Audiens Customer Data Platform Agreement or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control, except to the extent the Provider is required to retain a copy of the Personal Data by law.
11.1 The Provider shall:
11.1.1 maintain accurate written records of the Processing it carries out in connection with this Agreement, which shall contain as a minimum:
(i) its details, the Customer’s details and the details of the Provider’s data protection officer (if applicable);
(ii) the categories of Processing carried out on behalf of Customer;
(iii) the details of any transfers to any countries outside of the European Economic Area, where applicable, and the safeguards in place for that transfer; and
(iv) an accurate record of the technical and organisational measures it has in place in accordance with its obligations under this Agreement;
11.1.2 at the Customer’s request, make available to the Customer all information necessary to demonstrate the Provider’s compliance with its obligations under this Agreement; and
11.1.3 permit the Customer (or an auditor mandated by the Customer) to inspect and audit the Provider’s facilities, equipment, documents and electronic data relating to the Provider’s data processing activities under this Agreement for the purposes of monitoring the Provider’s compliance with its obligations under this Agreement, provided that the Customer shall not perform more than one audit in each calendar year.
12.1 Any notice given to a party under or in connection with this Agreement must be in writing.
12.2 Clause 13.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
This Agreement has been entered into on the date stated at the beginning of it.