US States Data Laws Addendum
This addendum (“US States Data Laws Addendum”) is entered into as of the date below, and is incorporated into and forms a part of the DPA.
This US States Data Laws Addendum sets forth the terms and conditions relating to compliance with:
- The California Consumer Privacy Act of 2018 and any regulations, amendments and/or updates thereto including but not limited to as amended by the California Privacy Rights Act (collectively, the “CCPA”);
- The Virginia Consumer Data Privacy Act and any regulations, amendments and/or updates thereto (the “VA Act”);
- The Colorado Data Privacy Act and any regulations, amendments and/or updates thereto (the “CO Act”);
- The Connecticut Act Concerning Personal Data Privacy and Online Monitoring and any regulations, amendments and/or updates thereto (the “CT Act”); and
- The Utah Consumer Privacy Act and any regulations, amendments and/or updates thereto (the “UT Act”).
In the event of a conflict between this US States Data Laws Addendum and the DPA, this US States Data Laws Addendum will prevail.
1. CCPA.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CCPA, Service Provider agrees that:
a) Personal Data is being disclosed by Customer to Service Provider only for the limited and specified Processing identified by Customer and Service Provider shall not retain, use or disclose Personal Data for any other purpose.
b) Service Provider shall comply with the applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses covered under the CCPA.
c) Customer shall have the right (but not the obligation) to take reasonable and appropriate steps to monitor Service Provider’s compliance with this Addendum to ensure that Service Provider is using the Personal Data in a manner consistent with the CCPA.
d) Service Provider shall immediately notify Customer in writing if it determines that it can no longer meet its obligations under the CCPA.
e) Customer shall have the right upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
f) Service Provider shall not sell, share, retain, use, cache or disclose Personal Data outside of the direct relationship between Customer and Service Provider as set forth in this Addendum.
g) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing and ensure (and confirm to Customer) that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
h) Service Provider is not permitted to use any Personal Data for its own operational purposes or on its own behalf (for example to improve or benchmark Service Provider’s services).
i) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
j) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
k) Service Provider acknowledges and agrees that it fully understands and agrees with the obligations and restrictions set forth in this Addendum.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CCPA.
2. VA Act.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the VA Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the VA Act.
b) Customer is a “Controller” as such term is defined under the VA Act.
c) Customer hereby instructs Service Provider to process Personal Data solely for purposes of performing the Processing during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing, provided that Customer has registered to receive such notices by subscribing at www.meltwater.com/privacy and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing including but not limited to regarding the Personal Data and the processing thereof.
f) Upon Customer’s reasonable request, Service Provider shall cooperate with Customer and provide information in a timely manner to Customer to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the VA Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of the Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the VA Act.
3. CO Act.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CO Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the CO Act.
b) Customer is a “Controller” as such term is defined under the CO Act.
c) Customer hereby instructs Service Provider to process Personal Data solely for purposes of performing the Processing during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing, provided that Customer has registered to receive such notices by subscribing at www.meltwater.com/privacy and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing including but not limited to regarding the Personal Data and the processing thereof.
f) Upon Customer’s request, Service Provider shall cooperate with Customer and provide information to Customer in a timely manner to
- (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor;
- (ii) demonstrate Service Provider’s compliance with its obligations under the CO Act;
- (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and
- (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of the Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CO Act.
4. CT Act.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CT Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the CT Act.
b) Customer is a “Controller” as such term is defined under the CT Act.
c) Customer hereby instructs Service Provider to process Personal Data solely for purposes of performing the Processing during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing, provided that Customer has registered to receive such notices by subscribing at www.meltwater.com/privacy and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing including but not limited to regarding the Personal Data and the processing thereof.
f) Upon Customer’s request, Service Provider shall cooperate with Customer and provide information to Customer in a timely manner to
- (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor;
- (ii) demonstrate Service Provider’s compliance with its obligations under the CT Act;
- (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and
- (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CT Act.
5. UT Act.
A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the UT Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the UT Act.
b) Customer is a “Controller” as such term is defined under the UT Act.
c) Customer hereby instructs Service Provider to process Personal Data solely for purposes of performing the Processing during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Data then Service Provider shall notify Customer of such engagement in writing, provided that Customer has registered to receive such notices by subscribing at www.meltwater.com/privacy and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing including but not limited to regarding the Personal Data and the processing thereof.
f) Service Provider shall, taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, promptly assist Customer in a timely manner in meeting Customer’s obligations, including obligations related to the security of processing personal data and immediate written notification of a breach of security system as described in the UT Act.
h) Upon Customer’s request, Service Provider shall delete or return all Personal Data to Customer as requested at the end of the performance of Processing, unless retention of the Personal Data is required by Laws and then only to the extent required.
i) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the UT Act.