THIS DATA PROCESSING ADDENDUM is entered into as of the Addendum Effective Date by and between: (1) Onclusive, Inc., of 1870 Ogden Dr, Burlingame, CA 94010 United States of America (“Onclusive”); and (2) the customer who is agreeing to these terms and who is a counterparty to the Agreement (as defined below) into which this Data Processing Addendum is incorporated and forms a part (“Customer”).
- 1. INTERPRETATION
1.1. In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
(a) “Addendum Effective Date” means 25 May 2018.
(b) “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR.
(c) “Agreement” means the agreement entered into by and between the Parties.
(d) “Anonymised Data” means any Personal Data (including Customer Personal Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Onclusive or any other party reasonably likely to receive or access that anonymised Personal Data.
(e) “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in San Francisco CA, USA.
(f) “Cessation Date” has the meaning given in Paragraph 9.1.
(g) “Customer Personal Data” means any Personal Data Processed by or on behalf of Onclusive on behalf of Customer under the Agreement.
(h) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly).
(i) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
(j) “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.
(k) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
(l) “Personnel” means a person’s employees, agents, consultants or contractors.
(m) “Post-cessation Storage Period” has the meaning given in Paragraph 9.2.
(n) “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
(o) “Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to Onclusive in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Onclusive to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.
(p) “Services” means those services and activities to be supplied to or carried out by or on behalf of Onclusive for Customer pursuant to the Agreement.
(q) “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.
(r) “Subprocessor” means any third party appointed by or on behalf of Onclusive to Process Customer Personal Data.
1.2. In this Data Processing Addendum:
(a) the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws; and
(b) unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1. In respect of Customer Personal Data, the Parties acknowledge that:
(a) Onclusive acts as a Data Processor; and
(b) Customer acts as the Data Controller.
2.2. Onclusive shall:
(a) comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
(b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to Paragraph 2.8); and
(ii) as required by applicable laws.
2.3. Customer instructs Onclusive to Process Customer Personal Data as necessary:
(a) to provide the Services to Customer; and
(b) to perform Onclusive’s obligations and exercise Onclusive’s rights under the Agreement.
2.4. Annex 1 (Data Processing Details) sets out certain information regarding Onclusive’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.5. Customer may amend Annex 1 (Data Processing Details) on written notice to Onclusive from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
2.6. Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.5) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.7. Where Onclusive receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Onclusive shall inform Customer.
2.8. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Onclusive pursuant to or in connection with the Agreement:
(a) shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and
(b) (without limitation to the generality of Paragraph 2.6) shall not relate to the scope of, or otherwise materially change, the Services to be provided by Onclusive under the Agreement.
2.9. Notwithstanding anything to the contrary herein, Onclusive may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Onclusive considers (in its reasonable discretion) that:
(a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
(b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.10. Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Onclusive of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).
3. ONCLUSIVE PERSONNEL
Onclusive shall take reasonable steps to ensure the reliability of any Onclusive Personnel who Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Onclusive shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Onclusive shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5.1. Customer authorises Onclusive to appoint Subprocessors in accordance with this Paragraph 5.
5.2. Onclusive may continue to use those Subprocessors already engaged by Onclusive as at the date of this Data Processing Addendum, subject to Onclusive meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4. A list with the Subprocessors already engaged by Onclusive (the “List”) is available at https://onclusive.com/terms-of-service/subprocessors/
5.3. Onclusive shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within five (5) Business Days of receipt of that notice, Customer notifies Onclusive in writing of any objections (on reasonable grounds) to the proposed appointment:
(a) Onclusive shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(i) such a change cannot be made within twenty (20) Business Days from Onclusive receipt of Customer’s notice;
(ii) no commercially reasonable change is available; and/or
(iii) Customer declines to bear the cost of the proposed change,
either Party may by written notice to the other Party with immediate effect terminate the Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, Onclusive shall ensure that the arrangement between Onclusive and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4).
6. DATA SUBJECT RIGHTS
6.1. Taking into account the nature of the Processing, Onclusive shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2. Onclusive shall:
(a) promptly notify Customer if Onclusive receives a Data Subject Request; and
(b) ensure that Onclusive does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
7. PERSONAL DATA BREACH
7.1. Onclusive shall notify Customer without undue delay upon Onclusive becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Onclusive’s possession to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:
(a) affected Data Subjects; or
(b) the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).
7.2. Onclusive shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Onclusive shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Onclusive.
9. DELETION OR RETURN OBLIGATIONS
9.1 Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Onclusive shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
9.2 Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in Onclusive’s sole discretion), on written request to Onclusive (to be made no later than five (5) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Onclusive shall:
(a) return a complete copy of all Customer Personal Data within Onclusive’s possession to Customer by secure file transfer, promptly following which Onclusive shall Delete all other copies of such Customer Personal Data; or
(b) Delete all Customer Personal Data then within Onclusive’s possession.
9.3 Onclusive shall comply with any written request made pursuant to Paragraph 9.2 within thirty (30) Business Days of the Cessation Date.
9.4 In the event that during the Post-cessation Storage Period, Customer does not instruct Onclusive in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Onclusive shall promptly after the expiry of the Post-cessation Storage Period either (at its option):
(a) Delete; or
(b) irreversibly render Anonymised Data,
all Customer Personal Data then within Onclusive’s possession to the fullest extent technically possible in the circumstances.
9.5 Onclusive and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Onclusive and any such Subprocessor shall ensure:
(a) the confidentiality of all such Customer Personal Data; and
(b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
10. AUDIT RIGHTS
10.1. Onclusive shall make available to Customer on request such information as Onclusive (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Onclusive pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Onclusive’s compliance with this Data Processing Addendum, Onclusive shall allow for and contribute to audits, including on‑premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Onclusive.
10.3. Customer shall give Onclusive reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than thirty (30) Business Days’ notice unless required by a Supervisory Authority as described in Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Onclusive in respect of, any damage, injury or disruption to Onclusive’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Onclusive’s other customers or the availability of Onclusive’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on‑premise inspection.
10.4. Onclusive need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of their identity and authority;
(b) to any auditor whom Onclusive has not given its prior written approval (not to be unreasonably withheld);
(c) unless the auditor enters into a non-disclosure agreement with Onclusive on terms acceptable to Onclusive;
(d) where, and to the extent that, Onclusive considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Onclusive’s other customers or the availability of Onclusive’s services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Onclusive of the audit or inspection.
10.5. Customer shall bear any third party costs in connection with such inspection or audit and reimburse Onclusive for all costs incurred by Onclusive and time spent by Onclusive (at Onclusive’s then-current professional services rates) in connection with any such inspection or audit.
11. RESTRICTED TRANSFERS
11.1. Subject to Paragraph 11.3, to the extent that any Processing by either Onclusive or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
(a) Customer – as “data exporter”; and
(b) Onclusive or Subprocessor (as applicable) – as “data importer”,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.
11.2. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:
(a) Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
(b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
(c) Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and
(d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
11.3. The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer provided that Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
12. CHANGE IN LAWS
12.1. In the event that there is a change in the Data Protection Laws that Onclusive considers (acting reasonably) would mean that Onclusive is no longer able to provide the Services (including any Processing and/or Restricted Transfer(s) of Customer Personal Data) in accordance with its obligations under Data Protection Laws, Onclusive reserves the right to make such changes to the Services and to amend any part of this Data Processing Addendum as it considers reasonably necessary to ensure that Onclusive is able to provide the Services in accordance with Data Protection Laws.
12.2. In the event that Customer considers (acting reasonably) that any required changes made either to the Services and/or this Data Processing Addendum pursuant to Paragraph 12.1 will cause material and irreparable harm to Customer may terminate the Agreement in its entirety upon written notice to Customer with immediate effect.]
13. ANONYMOUS DATA
Customer acknowledges and agrees that Onclusive shall be freely able to use and disclose Anonymised Data for Onclusive’s own business purposes without restriction.
14. NO SPECIAL CATEGORIES OF PERSONAL DATA
14.1. Customer warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its Personnel shall not) cause Onclusive or its Subprocessors to Process any:
(a) Special Categories of Personal Data referred to in Article 9(1) of the GDPR; or
(b) any Personal Data relating to relating to criminal convictions or offences.
14.2. Customer will indemnify and hold harmless Onclusive and its employees, officers, directors and agents from and against any and all liabilities, losses, damages, costs, fines and other expenses (including legal costs and fees) arising from or relating to any breach by Customer of this Paragraph 14.
14.3. Any and all limitations on liability set out in the Agreement shall not apply to liability arising under or in connection with the indemnity set out in Paragraph 14.2.
15. ORDER OF PRECEDENCE
15.1. This Data Processing Addendum shall be incorporated into and form part of the Agreement.
15.2. In the event of any conflict or inconsistency between:
(a) this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or
(b) any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum, those Standard Contractual Clauses shall prevail.
Annex 1 Data Processing Details
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
– Onclusive is a PR and content marketing analytics platform.
Subject matter and duration of the Processing of Customer Personal Data
– The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and the Data Processing Addendum.
The nature and purpose of the Processing of Customer Personal Data
– The Customer Personal Data is Processed by Onclusive for the limited purpose of enabling Onclusive to provide the Services.
The types of Customer Personal Data to be Processed
– Name and email address of Customer Employees.
– Online identifiers used to track movement of PR Viewers across the Internet prior to viewing Customer’s website(s).
Special Categories of Personal Data (if any)
The categories of Data Subject to whom the Customer Personal Data relates
– Prospects, customers, business partners, suppliers and other Internet users who visit Customer’s website(s), having previously been seen media relating to Customer’s products and/or services (“PR Viewers”).
– Users of the Services who are employees, agents, consultants, contractors and/or contingent workers engaged or employed by Customer (“Customer Employees”).
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and the Data Processing Addendum.