Data Processing Agreement

Effective from: 1 November 2021

ARBITRATION NOTICE: YOU ARE BOUND BY THE ARBITRATION PROVISION SET FORTH IN THE BUSINESS SERVICES TERMS. IF YOU ARE CONTRACTING WITH SNAP INC., THEN YOU AND SNAP INC. WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.

Introduction

This Data Processing Agreement (“Agreement”) forms a legally binding contract between you and Snap Inc. (“Snap”), applies to the extent you process Customer Personal Data on Snap’s behalf when Snap is the Data Controller, and is incorporated into the Business Services Terms. Some terms used in this Agreement are defined in the Business Services Terms. For purposes of clarity, Snap Inc. acts as the Data Controller under this Agreement regardless of which Snap entity you contract with for the underlying Business Services.

1. Definitions

“Customer Personal Data” means the personal data of EEA, Switzerland, UK, and Brazilian data subjects provided to you by Snap when Snap is the Data Controller.

“Data Controller” means a controller as defined in the GDPR, UK GDPR or LGPD, as applicable, who alone or jointly with others determines the purposes and means of the processing of Customer Personal Data. In this Agreement, Snap is the Data Controller.

“Data Protection Law” means the EEA, Switzerland, UK, and Brazilian data protection laws applicable to the processing of Customer Personal Data under this Agreement, including the GDPR, the UK Data Protection Laws and LGPD.

“EEA” means the European Economic Area.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“LGPD” means Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by you.

“Subprocessors” means third parties authorized under this Agreement to access and process Customer Personal Data.

“UK” means the United Kingdom.

“UK Data Protection Laws” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK (“UK GDPR”) and the Data Protection Act 2018.

The terms “personal data,” “data subject,” “processing,” “controller,” “processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR, UK GDPR or LGPD, as applicable, in each case irrespective of whether Data Protection Law applies.

2. Processing of Customer Personal Data

a. Roles of Parties. You will process Customer Personal Data as a processor on behalf of and as instructed by the Data Controller, in accordance with Article 28 (1) GDPR, UK GDPR and LGPD, as applicable.

b. Appointment. The Data Controller appoints you to process Customer Personal Data on the Data Controller’s behalf only as is necessary to support Snap advertisers and as may subsequently be agreed to by the parties in writing.

c. Legitimacy of Processing. The Data Controller is responsible for ensuring a valid legal basis for processing the Customer Personal Data.

d. Details of Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.

e. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement. Without prejudice to the foregoing, you will not process Customer Personal Data in a manner that will, or is likely to, result in the Data Controller breaching its obligations under the Data Protection Law. You will promptly inform the Data Controller if you are of the opinion that the Data Controller’s instruction infringes Data Protection Law.

3. Your Obligations

a. Processing of Customer Personal Data. You will only process Customer Personal Data in accordance with the Business Services Terms and this Agreement, and will not use or process Customer Personal Data for any purpose other than in your capacity as processor appointed by the Data Controller.

b. Data Security. In accordance with Article 32 GDPR, UK GDPR and LGPD, as applicable, and as described in Schedule 2 of this Agreement, you will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.

c. Non-Disclosure. You will not publish, disclose, or divulge (and will ensure that your personnel do not publish, disclose, or divulge) Customer Personal Data to a third party unless the Data Controller has given its prior written consent.

d. Confidentiality. You will ensure that only personnel who may be required to assist in meeting your obligations under the Business Services Terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and you will take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.

e. Cooperation. You will provide reasonable cooperation and assistance to the Data Controller as the Data Controller may reasonably require to allow the Data Controller to comply with its obligations under Articles 32 through 36 GDPR, UK GDPR and LGPD, as applicable, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfillment of data subjects’ rights, and any enquiry, notice or investigation by a supervisory authority, as further detailed in this Agreement.

f. Data Subject and Supervisory Requests. You will inform the Data Controller promptly, and in any event within two business days, of any enquiry or complaint you receive from a data subject or supervisory authority relating to Customer Personal Data. You will assist the Data Controller, insofar as it is commercially reasonable, to fulfill Data Controller's obligation to respond to requests from data subjects and supervisory authorities as required by Data Protection Law.

g. Data Protection Impact Assessment. Upon request, you will provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the processing activity and the information available to you, to assist the Data Controller to conduct a data protection impact assessment as required by Data Protection Law.

h. Providing Evidence. During the term of this Agreement and for a period of one year thereafter, you will make available to the Data Controller, or an internationally recognized auditing firm acting on the Data Controller’s behalf, all information reasonably necessary to demonstrate your compliance with this Agreement, and you will allow for and contribute to audits conducted by the Data Controller or its representatives who are bound by appropriate obligations of confidentiality, provided that: (i) the Data Controller provides no fewer than ten business days’ prior written notice to you; (ii) such audit is conducted during your normal business hours and in a manner that does not unreasonably interfere with your normal business operations; (iii) such audit lasts no longer than three total business days; (iv) in no event is the Data Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive your proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this Agreement; and (v) the Data Controller is obligated to reimburse you for your documented reasonable costs if that audit determines that you are in compliance with this Agreement. In the event the audit determines you are out of compliance with this Agreement, then you will be obligated for all reasonable costs of such audit.

i. Return or Destroy Customer Personal Data. Upon completion of your obligations in relation to processing of Customer Personal Data under this Agreement or upon the Data Controller’s request at any time during the term of this Agreement (and, if the Data Controller so requests, at regular intervals set by the Data Controller), you will either: (i) return all or subsets of the Customer Personal Data in your possession to the Data Controller; (ii) render all or part of Customer Personal Data anonymous in such a manner that the data no longer constitutes personal data; or (iii) permanently delete or render all or parts of the Customer Personal Data unreadable. Upon the Data Controller’s request, you must provide written confirmation to the Data Controller of the anonymization, return, and deletion of Customer Personal Data.

j. Hashed Customer Personal Data. If you receive Customer Personal Data in hashed or otherwise obfuscated format, you will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Customer Personal Data unless the Data Controller instructs you to do so; and (ii) only share the Customer Personal Data in the format in which you received it from the Data Controller.

4. Personal Data Breach

a. Notification. In accordance with Article 33 GDPR and UK GDPR, and notification obligations in LGPD, as applicable, you will notify the Data Controller without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. You will also provide the Data Controller with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known to you) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by the Data Controller relating to the Personal Data Breach.

b. Investigation. You agree to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with the Data Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.

5. Subprocessors

a. Authorized Subprocessors. The Data Controller specifically authorizes the engagement of your affiliates to process Customer Personal Data.

b. Obligations of Subprocessor. In accordance with Article 28 (4) GDPR and UK GDPR, and subprocessor obligations in LGPD, as applicable, you will impose legally binding contract terms on each Subprocessor that are as restrictive as those contained in this Agreement.

c. Restricted Access. You will ensure each Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Agreement.

d. Updates of Subprocessors. In accordance with Article 28 (2) GDPR and UK GDPR (as applicable), you will provide in a publicly available page an up-to-date list of: (i) all Subprocessors involved in processing Customer Personal Data; (ii) the purposes for which the Subprocessors process Customer Personal Data; and (iii) the location of each Subprocessor. You will notify the Data Controller at least 30 days before adding a new Subprocessor. 

e. Right to Object. Data Controller has the right to object to the addition of a new Subprocessor, as described in this Section. In the event that the Data Controller objects to the processing of Customer Personal Data by any newly appointed Subprocessor, it will immediately inform you, after which you will either: (i) instruct the Subprocessor to cease any further processing of Customer Personal Data, in which event this Agreement shall continue unaffected; or (ii) allow the Data Controller to terminate this Agreement immediately.

6. Indemnity; Subprocessor Liability

a. Indemnity. You agree to indemnify the Data Controller against all third-party complaints, charges, claims, damages, losses, costs, liabilities, and expenses due to, arising out of, or relating in any way to your breach of this Agreement.

b. Indemnity Process. The Data Controller will promptly notify you in writing of any indemnification claim, but any failure to notify you will not relieve you from any indemnity liability or obligation it may have, except to the extent you are materially prejudiced by that failure. The Data Controller will reasonably cooperate with you, at your expense, in connection with the defense, compromise, or settlement of any indemnification claim. You will not compromise or settle any claim in any manner, nor make any admission of liability, without the Data Controller’s prior written consent, which the Data Controller may provide in its sole discretion. The Data Controller may participate (at its cost) in the defense, compromise, and settlement of the claim with counsel of the Data Controller’s choosing.

c. Subprocessor Liability. You acknowledge and agree that you will remain liable to the Data Controller for a breach of the terms of this Agreement by a Subprocessor and any other subsequent third-party processors you appoint.

7. Termination

a. Termination. This Agreement will terminate automatically upon termination of the Business Services Terms.

b. Survival. Your obligations related to returning or deleting Customer Personal Data will survive termination of the Business Services Terms and this Agreement until you have returned or deleted the Customer Personal Data in accordance with this Agreement.

Schedule 1 - Details of Data Processing
Subject matter

Your provision of certain services to Snap advertisers who have instructed Snap to collect certain lead generation data in connection with such advertisers’ ads on Snapchat platform(s), and to transfer such data to you as an intermediary for processing.

Duration of the processing and retention

For the term of this Agreement plus the period from expiry of the term of this Agreement until the anonymization, return, or deletion of data in accordance with this Agreement.

Nature and purpose

You will process Customer Personal Data for the benefit of and use by Snap advertisers, for the purposes of providing the Business Services to Snap’s advertisers who have instructed Snap to collect certain lead generation data in connection with such advertisers’ ads on Snapchat platform(s), and to transfer such data to you as an intermediary for processing, in accordance with and as described in the Business Services Terms and this Agreement.

Data categories

Customer Personal Data relating to individuals who complete a Snap advertiser’s lead generation form on a Snapchat platform, which may include:

  • name

  • email address

  • telephone number

  • home address

  • birthday

  • mobile ad ID (IDFA/AAID)

  • third party ID

  • job title

  • company name

Sensitive data 

Not applicable

Data subjects

Data subjects include all individuals who complete a Snap advertiser’s lead generation form on a Snapchat platform.

Schedule 2 - Security Measures

1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Customer Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Data Controller, the Data Controller's customers, or the Data Controller's employees; and any anticipated threats or hazards to the security or integrity of such information.

2. Adopting and implementing reasonable policies and standards related to security.

3. Assigning responsibility for information security management.

4. Devoting adequate personnel resources to information security.

5. Carrying out verification checks on permanent staff who will have access to the Customer Personal Data.

6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Customer Personal Data to enter into written confidentiality agreements.

7. Conducting training to make employees and others with access to the Customer Personal Data aware of information security risks and to enhance compliance with your policies and standards related to data protection.

8. Preventing unauthorized access to the Customer Personal Data through the use, as appropriate, of physical and logical (password) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, and by monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, you will implement and comply with, as appropriate and without limitation:

  • Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);

  • Denial-of-use control measures to prevent unauthorized use of data processing systems (e.g., automatically enforced password complexity and change requirements and firewalls);

  • Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization;

  • Data transmission control measures to ensure that the Customer Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, your information security program will be designed:

    • To encrypt in storage any data sets in your possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards, such as AES-256, and to store user identities on the system as a key-value mapping to a pseudonymous identifier (such as a ghost_id) so that the actual user ID is not stored with the data; and

    • To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside your IT system or transmitted over a public network is encrypted, such as by using TLS 1.2 or the newest supported version of the TLS protocol, to protect the security of the transmission;

  • Data entry control measures to ensure you can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed;

  • Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration tests, a bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;

  • Subprocessor supervision measures to ensure that Customer Personal Data is processed strictly in accordance with the Data Controller's instructions;

  • Availability control measures to ensure that the Customer Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply; and disaster recovery programs; and

  • Separation control measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Customer Personal Data.

9. Taking such other steps as may be appropriate under the circumstances.
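As an added illustration of the at-rest encryption and pseudonymous-identifier measures in item 8 above (example code written for this page, not Snap's or any processor's implementation): a small Go store that keeps each lead record as AES-256-GCM ciphertext keyed only by a random ghost_id, with the mapping from real user ID to ghost_id held in a separate table. The type and function names, the table layout and the sample record are assumptions made for the example; the key is supplied by the caller, where in practice it would come from a KMS or HSM. The ghost_id is bound into the ciphertext as GCM additional data, so a blob copied under a different ghost_id does not decrypt, and Delete removes both the ciphertext and the mapping, as section 3.i requires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// LeadRecord is a constructed example of one lead-generation form
// submission; the fields mirror some of the Schedule 1 data categories.
type LeadRecord struct {
	Name  string `json:"name"`
	Email string `json:"email"`
	Phone string `json:"phone"`
}

// LeadStore (hypothetical) holds each record as AES-256-GCM ciphertext keyed
// only by a pseudonymous ghost_id. The real-user-ID -> ghost_id mapping lives
// in a separate table so the data store never carries the real ID.
type LeadStore struct {
	aead     cipher.AEAD
	byGhost  map[string][]byte // ghost_id -> nonce || ciphertext
	ghostFor map[string]string // real user ID -> ghost_id
}

// NewLeadStore takes a 32-byte key (AES-256). Key management is out of scope
// here; a KMS or HSM would normally supply it.
func NewLeadStore(key []byte) (*LeadStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LeadStore{aead: aead, byGhost: map[string][]byte{}, ghostFor: map[string]string{}}, nil
}

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Put encrypts rec and stores it under the user's ghost_id, minting a random
// one on first sight. The ghost_id is passed as GCM additional data, so a blob
// moved under another ghost_id fails authentication on read.
func (s *LeadStore) Put(userID string, rec LeadRecord) (string, error) {
	ghost, ok := s.ghostFor[userID]
	if !ok {
		var err error
		if ghost, err = randomHex(16); err != nil {
			return "", err
		}
		s.ghostFor[userID] = ghost
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	s.byGhost[ghost] = s.aead.Seal(nonce, nonce, plaintext, []byte(ghost))
	return ghost, nil
}

// Get decrypts the record stored under ghost_id; reads never need the real
// user ID. Tampering with the blob or the ghost_id surfaces as an error.
func (s *LeadStore) Get(ghost string) (LeadRecord, error) {
	var rec LeadRecord
	blob, ok := s.byGhost[ghost]
	ns := s.aead.NonceSize()
	if !ok || len(blob) < ns {
		return rec, errors.New("no record for ghost_id")
	}
	plaintext, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(ghost))
	if err != nil {
		return rec, fmt.Errorf("decrypt: %w", err)
	}
	return rec, json.Unmarshal(plaintext, &rec)
}

// Delete removes both the ciphertext and the ID mapping (section 3.i).
func (s *LeadStore) Delete(userID string) bool {
	ghost, ok := s.ghostFor[userID]
	if !ok {
		return false
	}
	delete(s.byGhost, ghost)
	delete(s.ghostFor, userID)
	return true
}

// LeaksPlaintext reports whether any stored blob contains needle; a quick
// check that names and e-mail addresses are not readable at rest.
func (s *LeadStore) LeaksPlaintext(needle string) bool {
	for _, blob := range s.byGhost {
		if bytes.Contains(blob, []byte(needle)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated per run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, _ := NewLeadStore(key)
	ghost, _ := store.Put("user-12345", LeadRecord{Name: "Ana Pop", Email: "ana@example.com", Phone: "+40700000000"})
	rec, err := store.Get(ghost)
	fmt.Println(ghost, rec, err, store.LeaksPlaintext("ana@example.com"))
}
```

The separate ghostFor table is what lets the data store be handed to a downstream party, or backed up, without exposing real identifiers, and deleting the mapping alone is enough to render the remaining ciphertext unattributable even before the blob itself is purged.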