THIS DATA PROCESSING ADDENDUM is entered into as of the Addendum Effective Date by and between: (1) AirPR, Inc., of 111 Maiden Lane, Suite 530, San Francisco, CA 94108 United States of America (“AirPR”); and (2) the customer who is agreeing to these terms and who is a counterparty to the Agreement (as defined below) into which this Data Processing Addendum is incorporated and forms a part (“Customer”).
- 1. INTERPRETATION
1.1. In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
(a) “Addendum Effective Date” means 25 May 2018.
(b) “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR.
(c) “Agreement” means the agreement entered into by and between the Parties.
(d) “Anonymised Data” means any Personal Data (including Customer Personal Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by AirPR or any other party reasonably likely to receive or access that anonymised Personal Data.
(e) “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in San Francisco CA, USA.
(f) “Cessation Date” has the meaning given in Paragraph 9.1.
(g) “Customer Personal Data” means any Personal Data Processed by or on behalf of AirPR on behalf of Customer under the Agreement.
(h) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly).
(i) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
(j) “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.
(k) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
(l) “Personnel” means a person’s employees, agents, consultants or contractors.
(m) “Post-cessation Storage Period” has the meaning given in Paragraph 9.2.
(n) “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
(o) “Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to AirPR in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from AirPR to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.
(p) “Services” means those services and activities to be supplied to or carried out by or on behalf of AirPR for Customer pursuant to the Agreement.
(q) “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.
(r) “Subprocessor” means any third party appointed by or on behalf of AirPR to Process Customer Personal Data.
1.2. In this Data Processing Addendum:
(a) the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws; and
(b) unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1. In respect of Customer Personal Data, the Parties acknowledge that:
(a) AirPR acts as a Data Processor; and
(b) Customer acts as the Data Controller.
2.2. AirPR shall:
(a) comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
(b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to Paragraph 2.8); and
(ii) as required by applicable laws.
2.3. Customer instructs AirPR to Process Customer Personal Data as necessary:
(a) to provide the Services to Customer; and
(b) to perform AirPR’s obligations and exercise AirPR’s rights under the Agreement.
2.4. Annex 1 (Data Processing Details) sets out certain information regarding AirPR’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.5. Customer may amend Annex 1 (Data Processing Details) on written notice to AirPR from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
2.6. Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.5) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.7. Where AirPR receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, AirPR shall inform Customer.
2.8. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of AirPR pursuant to or in connection with the Agreement:
(a) shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and
(b) (without limitation to the generality of Paragraph 2.6) shall not relate to the scope of, or otherwise materially change, the Services to be provided by AirPR under the Agreement.
2.9. Notwithstanding anything to the contrary herein, AirPR may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if AirPR considers (in its reasonable discretion) that:
(a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
(b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.10. Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by AirPR of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).
3. AIRPR PERSONNEL
AirPR shall take reasonable steps to ensure the reliability of any AirPR Personnel who Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, AirPR shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, AirPR shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5.1. Customer authorises AirPR to appoint Subprocessors in accordance with this Paragraph 5.
5.2. AirPR may continue to use those Subprocessors already engaged by AirPR as at the date of this Data Processing Addendum, subject to AirPR meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4. A list with the Subprocessors already engaged by AirPR (the “List”) is available at https://airpr.com/terms-of-service/subprocessors/
5.3. AirPR shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within five (5) Business Days of receipt of that notice, Customer notifies AirPR in writing of any objections (on reasonable grounds) to the proposed appointment:
(a) AirPR shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(i) such a change cannot be made within twenty (20) Business Days from AirPR receipt of Customer’s notice;
(ii) no commercially reasonable change is available; and/or
(iii) Customer declines to bear the cost of the proposed change,
either Party may by written notice to the other Party with immediate effect terminate the Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, AirPR shall ensure that the arrangement between AirPR and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4).
6. DATA SUBJECT RIGHTS
6.1. Taking into account the nature of the Processing, AirPR shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2. AirPR shall:
(a) promptly notify Customer if AirPR receives a Data Subject Request; and
(b) ensure that AirPR does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
7. PERSONAL DATA BREACH
7.1. AirPR shall notify Customer without undue delay upon AirPR becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within AirPR’s possession to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:
(a) affected Data Subjects; or
(b) the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).
7.2. AirPR shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
AirPR shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, AirPR.
9. DELETION OR RETURN OBLIGATIONS
9.1 Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), AirPR shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
9.2 Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in AirPR’s sole discretion), on written request to AirPR (to be made no later than five (5) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), AirPR shall:
(a) return a complete copy of all Customer Personal Data within AirPR’s possession to Customer by secure file transfer, promptly following which AirPR shall Delete all other copies of such Customer Personal Data; or
(b) Delete all Customer Personal Data then within AirPR’s possession.
9.3 AirPR shall comply with any written request made pursuant to Paragraph 9.2 within thirty (30) Business Days of the Cessation Date.
9.4 In the event that during the Post-cessation Storage Period, Customer does not instruct AirPR in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, AirPR shall promptly after the expiry of the Post-cessation Storage Period either (at its option):
(a) Delete; or
(b) irreversibly render Anonymised Data,
all Customer Personal Data then within AirPR’s possession to the fullest extent technically possible in the circumstances.
9.5 AirPR and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that AirPR and any such Subprocessor shall ensure:
(a) the confidentiality of all such Customer Personal Data; and
(b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
10. AUDIT RIGHTS
10.1. AirPR shall make available to Customer on request such information as AirPR (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by AirPR pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate AirPR’s compliance with this Data Processing Addendum, AirPR shall allow for and contribute to audits, including on‑premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by AirPR.
10.3. Customer shall give AirPR reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than thirty (30) Business Days’ notice unless required by a Supervisory Authority as described in Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies AirPR in respect of, any damage, injury or disruption to AirPR’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of AirPR’s other customers or the availability of AirPR’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on‑premise inspection.
10.4. AirPR need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of their identity and authority;
(b) to any auditor whom AirPR has not given its prior written approval (not to be unreasonably withheld);
(c) unless the auditor enters into a non-disclosure agreement with AirPR on terms acceptable to AirPR;
(d) where, and to the extent that, AirPR considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of AirPR’s other customers or the availability of AirPR’s services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where Customer has identified the relevant requirement in its notice to AirPR of the audit or inspection.
10.5. Customer shall bear any third party costs in connection with such inspection or audit and reimburse AirPR for all costs incurred by AirPR and time spent by AirPR (at AirPR’s then-current professional services rates) in connection with any such inspection or audit.
11. RESTRICTED TRANSFERS
11.1. Subject to Paragraph 11.3, to the extent that any Processing by either AirPR or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
(a) Customer – as “data exporter”; and
(b) AirPR or Subprocessor (as applicable) – as “data importer”,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.
11.2. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:
(a) Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
(b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
(c) Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and
(d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
11.3. The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer provided that Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
12. CHANGE IN LAWS
12.1. In the event that there is a change in the Data Protection Laws that AirPR considers (acting reasonably) would mean that AirPR is no longer able to provide the Services (including any Processing and/or Restricted Transfer(s) of Customer Personal Data) in accordance with its obligations under Data Protection Laws, AirPR reserves the right to make such changes to the Services and to amend any part of this Data Processing Addendum as it considers reasonably necessary to ensure that AirPR is able to provide the Services in accordance with Data Protection Laws.
12.2. In the event that Customer considers (acting reasonably) that any required changes made either to the Services and/or this Data Processing Addendum pursuant to Paragraph 12.1 will cause material and irreparable harm to Customer may terminate the Agreement in its entirety upon written notice to Customer with immediate effect.]
13. ANONYMOUS DATA
Customer acknowledges and agrees that AirPR shall be freely able to use and disclose Anonymised Data for AirPR’s own business purposes without restriction.
14. NO SPECIAL CATEGORIES OF PERSONAL DATA
14.1. Customer warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its Personnel shall not) cause AirPR or its Subprocessors to Process any:
(a) Special Categories of Personal Data referred to in Article 9(1) of the GDPR; or
(b) any Personal Data relating to relating to criminal convictions or offences.
14.2. Customer will indemnify and hold harmless AirPR and its employees, officers, directors and agents from and against any and all liabilities, losses, damages, costs, fines and other expenses (including legal costs and fees) arising from or relating to any breach by Customer of this Paragraph 14.
14.3. Any and all limitations on liability set out in the Agreement shall not apply to liability arising under or in connection with the indemnity set out in Paragraph 14.2.
15. ORDER OF PRECEDENCE
15.1. This Data Processing Addendum shall be incorporated into and form part of the Agreement.
15.2. In the event of any conflict or inconsistency between:
(a) this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or
(b) any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum, those Standard Contractual Clauses shall prevail.
Annex 1 Data Processing Details
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
– AirPR is a PR and content marketing analytics platform.
Subject matter and duration of the Processing of Customer Personal Data
– The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and the Data Processing Addendum.
The nature and purpose of the Processing of Customer Personal Data
– The Customer Personal Data is Processed by AirPR for the limited purpose of enabling AirPR to provide the Services.
The types of Customer Personal Data to be Processed
– Name and email address of Customer Employees.
– Online identifiers used to track movement of PR Viewers across the Internet prior to viewing Customer’s website(s).
Special Categories of Personal Data (if any)
The categories of Data Subject to whom the Customer Personal Data relates
– Prospects, customers, business partners, suppliers and other Internet users who visit Customer’s website(s), having previously been seen media relating to Customer’s products and/or services (“PR Viewers”).
– Users of the Services who are employees, agents, consultants, contractors and/or contingent workers engaged or employed by Customer (“Customer Employees”).
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and the Data Processing Addendum.