Data Processing Agreement (Addendum)
Effective as of May 25th 2018
This GDPR Data Processing Agreement(“DPA”) (Addendum) forms part of the Terms of Use available at obrienmedia.co.uk/legal/analytics-terms or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between Customer and O’Brien Media Limited trading as O’Brien Media Analytics. (“O’Brien Media Analytics”), pursuant to which the Customer has accessed O’Brien Media Analytics’ Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
If Customer entity entering into this DPA has executed an order form or statement of work with O’Brien Media Analytics pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by the Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Application Services to the Customer pursuant to the Agreement, O’Brien Media Analytics may process personal data on behalf of the Customer. O’Brien Media Analytics agrees to comply with the following provisions with respect to any personal data submitted by or for the Customer to the Application Services or collected and processed by or for the Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.-
“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
The parties agree that the Customer is the data controller and that O’Brien Media Analytics is its data processor in relation to personal data that is processed in the course of providing the Application Services. the Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provides to O’Brien Media Analytics pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by the Customer either through O’Brien Media Analytics’ website or through an Ordering Document and provided by O’Brien Media Analytics to the Customer via obrienmedia.co.uk, or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of the Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in Annex 1 hereto.
Personal data processed in the course of providing the Application Services
In respect of personal data processed in the course of providing the Application Services, O’Brien Media Analytics:
shall process the personal data only in accordance with the documented instructions from the Customer (as set out in this DPA or the Agreement or as otherwise notified by the Customer to O’Brien Media Analytics (from time to time) If O’Brien Media Analytics is required to process the personal data for any other purpose provided by applicable law to which it is subject, O’Brien Media Analytics will inform the Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
shall notify the Customer without undue delay if, in O’Brien Media Analytics’ opinion, an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Legislation;
shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
may hire other companies to provide limited services on its behalf, provided that O’Brien Media Analytics complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services O’Brien Media Analytics has retained them to provide, and they shall be prohibited from using personal data for any other purpose. O’Brien Media Analytics remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom O’Brien Media Analytics transfers personal data will have entered into written agreements with O’Brien Media Analytics requiring that the subcontractor abide by terms substantially similar to this DPA.
A list of subcontractors is available. If the Customer requires prior notification of any updates to the list of subprocessors, the Customer can request such notification in writing by emailing [email protected]. O’Brien Media Analytics will update the list within thirty (30) days of any such notification if the Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in O’Brien Media Analytics’ reasonable opinion, such objections are legitimate, Customer may, by providing written notice to O’Brien Media Analytics, terminate the Agreement.
shall ensure that all O’Brien Media Analytics personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;
at Customer’s request and cost (and insofar as is possible), shall assist Customer by implementing appropriate and reasonable technical and organisational measures to assist with Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that O’Brien Media Analytics reserves the right to reimbursement from the Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at Customer’s request and cost to assist the Customer in meeting the Customer’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that O’Brien Media Analytics reserves the right to reimbursement from the Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
at the end of the applicable term of the Application Services, upon the Customer’s request, shall securely destroy or return such personal data to the Customer;
shall allow the Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by O’Brien Media Analytics in connection with the provision of the Application Services and provide all reasonable assistance in order to assist the Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that O’Brien Media Analytics is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation.
Notwithstanding the foregoing, such audit shall consist solely of:
- the provision by O’Brien Media Analytics of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and
- interviews with O’Brien Media Analytics’ IT personnel.
Such audit may be carried out by the Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality.
For the avoidance of doubt no access to any part of O’Brien Media Analytics’ IT system, data hosting sites or centres, or infrastructure will be permitted;
Accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data
If O’Brien Media Analytics becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by O’Brien Media Analytics in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify the Customer and provide the Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on the Customer Content. O’Brien Media Analytics shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
O’Brien Media Analytics shall provide reasonable information requested by the Customer to demonstrate compliance with the obligations set out in this DPA.
Annex 1
Details of the Data Processing
O’Brien Media Analytics shall process information to provide the Application Services pursuant to the Agreement. O’Brien Media Analytics shall process information sent by the Customer’s end users identified through the Customer’s implementation of the Application Services. As an example, in a standard programmatic implementation, to utilize the Application Services, the Customer may allow the following information to be sent by default as “default properties:”
Types of Personal Data
- City
- Region
- Country
- Time zone
- Browser
- Browser Version
- Device
- Current URL
- Initial Referrer
- Initial Referring Domain
- Operating System
- Referrer
| - Referring Domain
- Screen Height
- Screen Width
- Search Engine
- Search Keyword
- UTM Parameters (ie. any UTM tags associated with the link a customer clicked to arrive at the domain)
- Last Seen (the last time a property was set or updated)
|
Processing activities
The provision of Application Services by O’Brien Media Analytics to the Customer.
Questions?
If you have any questions or concerns at all about this agreement, please feel free to email us at [email protected] or write to the address below.
O’Brien Media Limited
FAO Compliance
Innovation Centre, PO Box 4096
Swindon
SN5 1DE