Last update: 19 May 2020
Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
“Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
“Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.
“Agreed Liability Cap” means the maximum monetary or payment-based amount at which a Party’s liability is capped under the Agreement, either per annual period or event giving rise to liability, as applicable.
“Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions.
“Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
“Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Effective Date” means the date on which Customer and Supplier agreed to this DPA, and is the Agreement Effective Date.
“EEA” means the European Economic Area.
“End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, as amended, replaced or superseded by any set of clauses approved by the European Commission. The Model Contract Clauses are enclosed as Appendix 4 and are part of this agreement when applicable.
“Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
“Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.
“Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
“Restricted Transfer” means (a) a transfer of the Customer Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of the Customer Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Model Contract Clauses or other legal instruments required by European Data Protection Legislation.
“Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.
“Security Measures” has the meaning given in Section 13 (Supplier Security Measures).
“Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, which includes the digital signage solution Playengo and any updates or replacement thereof and technical support provided by Supplier to Customer according to the terms of the Agreement. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
“Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.
The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
“Term” means the period from the Agreement Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.
“Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably includeGoogle, Microsoft and/or Facebook solutions or software.
“Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
Appendix 1 - Customer Personal Data Processing Details
|\*\*Subject Matter\*\*||Supplier’s provision of the Services and related technical support to Customer.|
|\*\*Categories of Data Subjects\*\* Categories of Data Subjects whose Personal Data will be Processed by Service Provider||Personal Data submitted, stored, sent or received via the Services may concern the following categories of Data Subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s own customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.|
|\*\*Categories of data\*\* Personal Data that will be Processed by Supplier||Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services such as user IDs, content of information to be displayed by the Services including text and images to be displayed, audit log information, system log information and other data.|
|\*\*Location of Processing Operations\*\* Locations where the personal data will be Processed by Supplier||Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated at: - 6 rue Beaubourg, 75004 Paris, France - 650 California Street, San Francisco, CA 94108, USA - 3280 Peachtree Road NE, 7th Floor Atlanta, GA 30305, USA - Via Giosue’ Carducci 125/A, 20099 Sesto San Giovanni, Milan, Italy|
|\*\*Purposes\*\* Purposes for which the Personal Data will be Processed by Supplier||Supplier will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Agreement.|
|\*\*Duration of processing\*\* The length of time for which Processing activities will be carried out Supplier||The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with the Data Processing Agreement.|
Appendix 2 - Security Measures
Appendix 3 - Subprocessors
Supplier uses the following Subprocessors for the performance of the Services:
|\*\*Entity name\*\*||\*\*Corporate location\*\*|
Appendix 4 - Model Contract Clauses
Model Contractual Clauses (processor) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Supplier (the “Data Importer”) and Customer (the “Data Exporter”), each a “party”, together “the parties”, agree on the following Model Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in the Clauses Schedule 1. The Clauses (including Schedules 1 and 2) are incorporated by reference into the Data Processing Agreement and are effective from the DPA Effective Date.
Clause 1 - Definitions
For the purposes of the Clauses:
Clause 2 - Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
Clause 4 Obligations of the Data Exporter
The Data Exporter agrees and warrants:
The Data Exporter acknowledges that its data will be hosted in the Google’s data centers of Google Inc. and/or one or more of its affiliated entities (collectively, “Google”) (and not by the Data Importer) and, as a consequence, that most of the technical and organisational security measures relating to the Data Importer’s data (as notably referred to in paragraphs 4c., 4d., 4e. and 4h. above) will be provided by the applicable Google entity under its own liability. Accordingly, and notwithstanding any other provision in these Clauses, the Data Importer disclaims any and all responsibility in relation to any acts and/or omission of Google, including notably (without limitation) for such Google technical and organisational security measures as listed for information purposes only and without any representation in Schedules 1 and 2.
Clause 5 -Obligations of the Data Importer
The Data Importer agrees and warrants:
That it will promptly notify the Data Exporter about:
Clause 6 - Liability
Clause 7 - Mediation and jurisdiction
The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject;
The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 - Cooperation with supervisory authorities
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 - Sub-Processing
Clause 12 - Obligation after the termination of personal data processing services
Schedule 1 to the Model Contractual Clauses
|\*\*Data Exporter\*\*||The Data Exporter is the Customer legal entity that is a party to the Clauses.|
|\*\*Data Importer\*\*||The Data Importer is the Supplier, a global provider of a variety of technology services for businesses.|
|\*\*Categories of Data Subjects\*\*||The personal data transferred concern personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services and concerning the categories of Data Subjects listed in the DPA Appendix 1.|
|\*\*Categories of Data\*\*||The personal data transferred is personal data that will be Processed by Supplier including data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services as listed in the DPA Appendix 1|
|\*\*Processing operations\*\*||The personal data transferred will be subject to the following basic processing activities: - **Scope of Processing:** - The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Schedule pursuant to the provision of the “Service” as defined under the Agreement. - Personal data may be processed for the following purposes: (a) to provide the Service, (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfil the obligations under the Agreement. - The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Subprocessors maintain facilities as necessary for it to provide the Service - **Term of Data Processing:** Data processing will be for the term specified in the Agreement. For the term of the Agreement, and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s personal data processed pursuant to the Agreement - **Data Deletion:** For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to delete the Data Exporter’s personal data from the Service. After termination or expiry of the Agreement, the Data Importer will delete the Data Exporter’s personal data in accordance with the Agreement. - **Access to Data:** For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to correct, block, export and delete the Data Exporter’s personal data from the Service in accordance with the Agreement. - **Subprocessors**: The Data Importer may engage Subprocessors to provide parts of the Service. The Data Importer will ensure Subprocessors only access and use the Data Exporter’s personal data to provide the Service and not for any other purpose.|
Schedule 2 to the Model Contractual Clauses
Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c):
The Data Importer currently abides by the security standards in this Schedule 2. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the Service during the term of the Agreement.
Google Data Center & Network Security
Networks & Transmission
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google intrusion detection involves:
Google Access and Site Controls
Data Storage, Isolation & Authentication