Data Processing Addendum
This data processing addendum (“DPA”) supplements the Agreement between Meltwater and the Customer, and is entered into as of the date of entering into the Agreement. This DPA incorporates the Agreement and any capitalised terms used but not defined in this DPA shall have the meanings set forth in the Agreement. For the purposes of this DPA, the Customer is the Data Controller and Meltwater the Data Processor or Service Provider, as applicable.
The terms and expressions set out in this DPA shall have the following meanings:
“Agreement” means the agreement between the parties for purchase of the Platform.
“Data Controller”, “Data Processor” and “processing” shall have the meanings given to them in the Applicable Privacy Law;
“Personal Data” means all data relating to individuals which is processed by the Data Processor on behalf of the Data Controller in accordance with this DPA;
“Applicable Privacy Law” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction; applicable to the Personal Data processed under this DPA including, without limitation to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR from December 31 st 2020 and the United Kingdom Data Protection Act of 2018 (together “UK Privacy Law”), the Swiss Federal Act on Data Protection (“or Service Provider, as applicable.“), the US States Data Laws (as defined herein).
“SCCs”means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021; and
“Sub-processor” means any third party that Data Processor engages to Process Personal Data on behalf of Data Processor to provide the Platform.
“Platform” has the meaning given to it or Meltwater Services in the Agreement.
All other defined terms shall have the meaning given to them in the Agreement.
2. Categories of Personal Data covered by the DPA
2.1. Should the Data Controller use the Media Intelligence (Meltwater) platform: Contact details (including name, email address and possibly telephone number) and the IP-address used to login to the Platform, of the Data Controller’s employees who are added as Authorized Users to the Platform.
2.2. Should the Data Controller use any of the following Meltwater services: newsletter, media relations services from the Data Processor, the categories of Personal Data processed also include the following: name, email address, possibly telephone number, title, employer and social handle, of the data subjects whose information the Data Controller uploads to the Platform.
2.3. Should the Data Controller use the Influencers Marketing platform: Data Controller’s employees’ contact details (including but not limited to name or email address) and signup/login information, any other Personal data (such as notes, contracts, etc.) related to influencers or the Data Controller’s customers the Data Controller adds to and stores on the Platform, as well as conversion data and information obtained via pixels the Data Controller places on its website.
2.4. Should the Data Controller use Consumer Insights or Content Curation platforms: Contact details (including name, email address and possibly telephone number), the IP-address used to login to the Platform, social network information, and a potential profile picture of the Data Controller’s employees who are added as Authorized Users to the Platform.
2.5. Should the Data Controller use the Sales Intelligence platform: Email address, role and the name of the employer.
3. Processing and use of Personal Data
3.1. Data Processor is to process Personal Data received from the Data Controller (a) in compliance with instructions provided by the Data Controller as set out in this DPA (b) exclusively for the purpose of providing the Platform established in the Agreement or (c) as otherwise notified in writing in accordance with the notice provisions in the Agreement by the Data Controller to the Data Processor during the
term of the Agreement.
3.2. The Data Processor shall at all times comply with Applicable Privacy Law and shall not perform its obligations under this DPA, or the Agreement, in such way as to cause the Data Controller to breach any of its applicable obligations under
Applicable Privacy Law.
3.3. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with Applicable Privacy Law from time to time in force.
4. Security of Personal Data
4.1. Data Processors agrees to implement and maintain an appropriate information security program with technical and organisational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
4.2. Data Processor, if so requested by the Data Controller, shall supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.
4.3. All Personal Data provided to the Data Processor by the Data Controller or obtained by the Data Processor in the course of its work with the Data Controller is confidential and may not be copied, disclosed or processed in any way without the express authority of the Data Controller.
5. Sub-processors and employees
5.1. Where the Data Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Data Controller it shall take reasonable steps to ensure the reliability of all employees and Sub-processors.
5.2. Data Processor will take reasonable measures to inform and train its employees about relevant privacy legislation and data security and ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all employees and Sub-processors are informed of the confidential nature of the Personal Data and are aware of Data Processor’s duties under this DPA and their personal duties and obligations under Applicable Privacy Law;
5.3. Data Controller approves the use of the Sub-processors listed at https://www.meltwater.com/en/privacy/subprocessors. The Data Processor shall notify the Data Controller in writing of any new Sub-processors prior to the Sub-processor having access to Personal Data, subject to the Data Controller subscribing to such notifications at https://www.meltwater.com/en/privacy/subprocessors.
5.4. Data Processor shall not disclose, transfer and/or grant access to Personal Data to a Sub-processor unless Data Processor: (i) executes a written agreement with such Sub-processor that contains substantially similar data protection obligations imposed on Data Processor by this DPA, including implementing appropriate technical and organizational measures; and (ii) remains liable for subcontractor’s failure to fulfil its obligations with respect to the processing of Personal Data as if Data Processor had failed to fulfil such obligations.
Data Processor agrees that, on reasonable, a minimum 30 days, prior notice and maximum once per calendar year, permit persons authorised by the Data Controller to access Data Processor's premises on which Personal Data provided by the Data Controller to the Data Processor is processed and to inspect the Data Processor’s systems comply with this Agreement. Data Controller acknowledges that Data Processor’s obligations under this clause may be satisfied in whole or part by the provision to Data Controller of appropriate information; records; and certifications and audit reports issued by reputable independent third parties provided that there have been no material changes to the controls used by Data Processor since the certification or audit report was issued.
7. Access to Personal Data and Security Incident
7.1. Data Processor shall notify the Data Controller if it receives a request from a data subject to have access to that person’s Personal Data or a complaint or request relating to the Data Controller’s obligations under Applicable Privacy Law.
7.2. Data Processor shall provide the Data Controller with full co-operation and assistance in relation to any complaint or request made, including by providing the Data Controller with full details of the complaint or request and complying with a data access request within the relevant timescale set out in Applicable Privacy Law and in accordance with the Data Controller’s instructions;
7.3. If the Data Processor becomes aware of any unauthorised or unlawful processing of any Personal Data or that any Personal Data is lost or destroyed or has become damaged, corrupted or unusable or becomes aware of any security breach, the Data Processor shall, at its own expense, immediately notify (and in any event within 48 hours) Data Controller (“Notice”) and fully co-operate with the Data Controller and assist the Data Controller, in dealing with a security breach and in ensuring compliance with its obligations under Applicable Privacy Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators as soon as reasonably practicable.
7.4. The Notice shall include, to the extent available to the Data Processor at the time, a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned, b) a description of the likely consequences of the incident and c) a description of the measures taken or proposed to be taken by the Data Processor to address the incident.
8. International data transfer
8.1. To the extent any Personal Data is accessed by Data Processor, or transferred to Data Processor, the transfer(s) shall occur according to the requirements of the Applicable Privacy Law, including GDPR chapter V.
8.2. To the extent Personal Data includes personal data from the EU and EEA by entering into the Agreement and this DPA, the Parties are deemed to have signed the SCCs, including their annexes, attached hereto.
8.2.1. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:
188.8.131.52. Clause 7. The optional docking does not apply.
184.108.40.206. Clause 9. Use of sub-processors Option 2: General written authorization is selected and the minimum time period for prior notice of sub-processor changes shall be minimum 30 days, subject to the Data Controller subscribing to such notifications at https://www.meltwater.com/en/privacy/subprocessors.
220.127.116.11. Clause 11. The optional language does not apply.
18.104.22.168. Clause 17. Option 2 is selected and the Parties agree that this shall be the law of the Agreement.
22.214.171.124. Clause 18 (b). The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of the country as agreed in the Agreement.
126.96.36.199. Clause 13. All square brackets in are hereby removed;
188.8.131.52. Annex I to this DPA contains the information required in Annex I of the SCCs;
184.108.40.206. Annex II to this DPA contains the information required in Annex II of the SCCs; and
220.127.116.11. Annex III to this DPA contains the information required in Annex III of the SCCs.
8.3. To the extent Personal data includes personal data from Switzerland clause 8.2 and the Addendum for transfers from Switzerland applies.
8.4. To the extent Personal Data includes personal data from the UK the UK data transfer addendum applies.
8.5. US States Privacy Laws. If Data Controller or their data subjects are residents of California, Virgina, Colorado, Connecticut or Utah, please review our US States Privacy Laws Addendum for information regarding your privacy rights.
9. Return or disposal
The Data Processor shall destroy or transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times and in compliance with the requirements notified in writing by the Data Controller to the Data Processor. The Personal Data of the Data Controller shall be destroyed at the latest six (6) months after the expiry or termination of the Agreement. For the Sales Intelligence platform, the Authorized User has the option to remain a freemium user after the end of the Agreement.
To the extent required by Applicable Privacy Law, the Data Processor shall indemnify and keep indemnified the Data Controller against direct damages, claims, and losses incurred by the Data Controller which arise directly from the Data Processor’s data processing activities under this DPA. The limitations of liability agreed between the Parties in the Agreement apply to this DPA.
11.1. Conflict. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
11.2. Governing law and dispute resolution. This DPA shall be governed by the laws governing the Agreement. All disputes arising out of or in connection with this DPA shall be finally settled by the dispute resolution body agreed in the Agreement.
11.3. Validity. This DPA shall be valid as long as the Agreement is in force.
A. LIST OF PARTIES
Name: The Customer as defined in the Agreement
Address: The address for the Customer as defined in the Agreement
Contact person’s name, position and contact details: The contact person for the Customer as defined in the Agreement
Activities relevant to the data transferred under these Clauses: The use of Platform as defined in the Agreement
Role (controller/processor): Controller
Name: The Meltwater contracting entity as defined in the Agreement
Address: The address for the Meltwater contracting entity as defined in the Agreement
Contact person’s name, position and contact details: The contact person for the Meltwater contracting entity as defined in the Agreement
Activities relevant to the data transferred under these Clauses: The provision of Platform as defined in the Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data Controller's employees authorized to use the Platform.
Categories of personal data transferred: As defined in section 2 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: No sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis.
Nature of the processing: Transfer, copying, use, deletion, correction, adjustment.
Purpose(s) of the data transfer and further processing: Personal data will be transferred from Data Controller to Data Processor for Data Processor to provide media monitoring SaaS-service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Data Processor’s main establishment is in the Netherlands. Dutch Supervisory Authority is the competent authority.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES
LIST OF SUB-PROCESSORS
The Data Controller has authorised the use of the Sub-processors listed at: https://www.meltwater.com/en/privacy/subprocessors.