Data Processing Addendum
This Data Processing Addendum (“DPA”) applies between Cint and any Customers of Cint receiving services where personal data may be processed by Cint on behalf of the Customer. This DPA forms part of the services agreement entered into between Cint and the Customer under which the Customer receives the relevant services (the “Agreement”). This DPA shall be subject to the governing law and dispute resolution that applies to the Agreement.
- DEFINITIONS
Defined terms used for the purposes of this DPA shall have the meanings set out at the end of this DPA.
- DATA PROCESSING
2.1. The parties shall each comply with their respective obligations under the Data Protection Law as regards the Customer Personal Data. The parties acknowledge that the Customer is the data controller of Customer Personal Data and that Cint is appointed by the Customer as data processor to process Customer Personal Data on behalf of Customer as is necessary to provide the Services and in accordance with such other written instructions as Customer may issue from time to time.
2.2. Schedule A lists the processing activities (including their scope, nature and purpose) to be carried out by Cint in order for it to provide the services.
2.3. Cint agrees to process Customer Personal Data in accordance with the terms of this DPA and shall:
2.3.1. only process Customer Personal Data in accordance with the Customer’s documented instructions, including with regard to transfers, unless required to do otherwise by applicable law (which, where the data was collected subject to UK or EU law, shall be limited by UK or EU law). In which event, Cint shall inform Customer of the legal requirement before processing Customer Personal Data other than in accordance with Customer’s instructions, unless that same law prohibits Cint from doing so on important grounds of public interest;
2.3.2. implement appropriate technical and organisational measures to protect any Customer Personal Data processed by it against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration;
2.3.3. only make the Customer Personal Data available to its personnel who are bound by appropriate obligations of confidentiality;
2.3.4. taking into account the nature of the processing and the information available to Cint, provide reasonable assistance to Customer insofar as this is possible (at Customer’s cost), as Customer may require to allow Customer to comply with its obligations under the Data Protection Law, including in relation to data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; the fulfilment of data subject’s rights; and any enquiry, notice or investigation by a supervisory authority;
2.3.5. upon the termination of the Agreement (for whatever reason), delete or return (at the choice of Customer) all Customer Personal Data, and delete any existing copies unless required to retain such Customer Personal Data under applicable law (which, where the data was collected subject to UK or EU law, shall be limited by UK or EU law); and
2.3.6. on written request, make available to Customer all information necessary to demonstrate compliance with this Clause 2 (Data Processing) and allow for and contribute to remote audits conducted by Customer or its representatives bound by appropriate obligations of confidentiality, provided that Customer provides reasonable advance notice to Cint and such audit is carried out at Customer’s cost.
2.4. Cint shall inform Customer in writing without undue delay upon becoming aware of any accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to Customer Personal Data.
2.5. Customer consents to the appointment by Cint of third-party sub-processors, which may include other companies within Cint’s group, to process the Customer Personal Data on its behalf as part of the services (each, a “Sub-processor”). Prior to allowing such Sub-processor to access the Customer Personal Data, Cint shall impose legally binding contract terms on the Sub-processor which are the same as or equivalent to those imposed on Cint under this DPA. Cint shall at all times remain liable for the acts and omissions of its Sub-processors.
2.6. Cint shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. In the event of the Customer objecting to such change, Cint shall make reasonable efforts to address the Customer’s concerns (including making reasonable efforts to find an alternative Sub-processor). If the parties are unable to agree on the appointment of a Sub-processor, either party may at its option terminate the services on 30 days’ notice without penalty.
- INTERNATIONAL DATA TRANSFERS
3.1. If there is a Restricted Transfer:
3.1.1. from Customer to Cint, the parties agree to be bound by the C2P SCCs where the Customer is the data controller and Cint the data processor; and
3.1.2. from Cint to Customer, the parties agree to be bound by the P2C SCCs,
which, in each case, are incorporated into this DPA by reference subject to Clause 4.
3.2. If and to the extent that the Restricted Transfer is subject to the UK GDPR, the incorporated SCCs shall apply as amended by the UK Addendum, which is also hereby incorporated in these circumstances subject to Clause 5.
3.3. If and to the extent that the Restricted Transfer is subject to the laws of any other jurisdiction outside of the EEA or the UK, the incorporated SCCs shall be interpreted as necessary to enable the laws of the relevant jurisdiction to be complied with. In particular:
3.3.1. “European Union” or “EU Member State” shall be replaced with the jurisdiction of the Customer making the Restricted Transfer; and
3.3.2. “Regulation (EU) 2016 / 679” and all references to the Regulation shall mean the equivalent applicable data protection or privacy law that results in there being a Restricted Transfer.
- SCCs
4.1. Where the C2P SCCs are incorporated into this DPA under Clause 3:
4.1.1. they will come into effect upon commencement of the relevant Restricted Transfer and any clauses which are entirely optional are not included;
4.1.2. option 2 of Clause 9 is selected and the time period for informing the Customer of any intended changes concerning Sub-processors shall be at least 14 days in advance;
4.1.3. for the purposes of Clauses 17 and 18, the parties agree that the Member State for the purposes of governing law and jurisdiction is Sweden; and
4.1.4. for the purposes of: (a) Annex 1.A, the ‘data importer’ will be Cint and the ‘data exporter’ will be Customer; (b) Annex 1.B, the description of the transfer is set out in Schedule A; (c) Annex 1.C, the competent supervisory authority shall be the supervisory authority competent in the country in which the Customer is established; and (d) for the purposes of Annex 2, the technical and organisational measures shall be separately agreed.
4.2. Where the P2C SCCs are incorporated into this DPA under Clause 3:
4.2.1. they will come into effect upon commencement of the relevant Restricted Transfer and any clauses which are entirely optional are not included;
4.2.2. for the purposes of Clauses 17 and 18, the parties agree that the Member State for the purposes of governing law and jurisdiction is Sweden; and
4.2.3. for the purposes of: (a) Annex 1.A, the ‘data importer’ will be the Customer and the ‘data exporter’ will be Cint; and (b) Annex 1.B, the description of the transfer is set out in Schedule A.
- UK ADDENDUM
5.1. Where the UK Addendum is incorporated into this DPA under Clause 3.2:
5.1.1. for the purposes of Table 1: the Start Date shall be the commencement of the relevant Restricted Transfer, the Parties’ details are defined in Clause 1 and no signature is required;
5.1.2. the first option is selected in Table 2, the Approved EU SCCS are defined in Clause 1;
5.1.3. the Appendix Information in Table 3 is set out in Schedule A; and
5.1.4. the first two options (“Importer” and “Exporter”) are selected in Table 4.
DEFINITIONS
The terms “controller”, “processor”, “data subject”, “supervisory authority”, “personal data” and “processing” shall have the meaning given to them in the GDPR;
“Customer Personal Data” means all personal data (as defined in the Data Protection Law) which is processed by Cint on behalf of Customer in connection with the services;
“C2P SCCs” means Module 2 of the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as may be amended, replaced or supplemented from time to time;
“Data Protection Law” means all binding laws, rules and regulations applicable to processing of personal data, in connection with the delivery and use of the services, including, but not limited to, the US CCPA, the US CPRA, the EU GDPR and the UK GDPR;
“P2C SCCs” means Module 4 of the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as may be amended, replaced or supplemented from time to time;
“Restricted Transfer” means a transfer of personal data to a Third Country in circumstances where such transfer is subject to any of: (i) the EU GDPR; (ii) the UK GDPR; or (iii) an other applicable regional, federal or national laws or regulation applicable in a country outside the EEA or UK, which prohibits or restricts the transfer of personal data from that region or country;
“SCCs” means the C2P SCCs and the P2C SCCs;
“Third Country” means a country outside the EU that does not benefit from an adequacy decision pursuant to Article 45 of the GDPR (or the equivalent UK adequacy regulations, as applicable); and
“UK Addendum” means the UK International Data Transfer Addendum to the SCCs in force from 21 March 2022.
SCHEDULE A
DESCRIPTION OF PERSONAL DATA PROCESSING
The data processing activities carried out by Cint under this DPA may be described as follows:
Duration of processing: For the term of the Agreement.
Sensitive personal data: Not applicable.
Nature and purpose of processing: To enable Cint to provide the Services in accordance with the Agreement.
Personal Data categories: Data relating to individuals responding to an online survey.
Data subjects: Data subjects include the individuals invited to and choosing to respond to a survey via the Services by (or at the direction of) Customer.
Version: 2024:01
Date: 1 April 2024