GLOBAL PRIVACY OBLIGATIONS
LAST UPDATED: August 24, 2023
- These global privacy obligations (the “Global Privacy Obligations”) set out certain data protection obligations we expect our vendors and other partners (collectively, “Partners”) to meet in connection with their provision of products and services to us. These Global Privacy Obligations are supplemental to and form part of any agreement we have with our Partners where these Global Privacy Obligations have been incorporated (the “Agreement”).
- Different sections of these Global Privacy Obligations apply depending on our relationship with Partner. Each section states when it applies.
- This section applies to all Partners.
- For purposes of these Global Privacy Obligations, the following terms have the following meanings:
- “Controller” means a person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information;
- “Customer”, “we”, “us” and “our” means: (i) the Warner Bros. Discovery entity identified in and who is a party to the Agreement; and (ii) any affiliate or subsidiary that controls, is controlled by or is under common control with the Warner Bros. Discovery entity named in the Agreement;
- “Data Protection Law” means any federal, state, provincial, local, municipal, foreign, international, multinational or other constitution, law, statute, treaty, rule, regulation, ordinance, code, and guidance issued by regulatory authorities competent to interpret or enforce the same, relating to processing personal data, privacy, data protection (the protection of Personal Information), or cybersecurity, as may be amended from time to time;
- “Data Subject” means the individual to whom Personal Information relates;
- “Data Subject Request” means a request by a Data Subject for information, access, rectification, erasure, restriction, portability, objection, do-not-sell, deletion, and any other similar requests;
- “Description of Processing” means the description of Personal Information Processed by Partner under the Agreement;
- “EEA” means the European Economic Area;
- “EEA Data Transfer” means a transfer of Personal Information: (a) that is subject to the GDPR; (b) to a recipient in a country or territory outside of the EEA; and (c) which is not subject to an adequacy decision by the EU Commission;
- “EEA Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission decision of 4 June 2021 C(2021) 3972, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?url=CELEX:32021D0914&locale=en;
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation);
- “Information Security Obligations” means any applicable information security obligations which are attached to or otherwise form a part of the Agreement;
- “Other Data Transfer” means a transfer of Personal Information: (i) that is subject to the laws of a country which restricts the transfer of Personal Information to another country not deemed adequate to receive such Personal Information (a “Restricting Country”); and (ii) which is not an EEA Data Transfer or UK Data Transfer;
- “Personal Information” means any information relating to an identified or identifiable natural person including any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Data Protection Laws, limited to that Personal Information Partner Processes in connection with the Agreement;
- “Process” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, including the collection, recording, organization, structuring, storage, adaption or alteration, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information;
- “Processor” means a person or entity which Processes Personal Information on behalf of the Controller;
- “Security Incident” shall mean: (i) any serious interruption of Partner’s Processing operations; (ii) any unauthorized acquisition, loss, access, use or misuse, loss of access to, or loss of use of Personal Information (including loss of any storage medium on which Personal Information is stored); or (iii) any breach of security leading to the accidental or unlawful destruction, loss, alteration, use or misuse, unauthorized disclosures of, or access to, Personal Information;
- “Sensitive Personal Information” shall mean Personal Information revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; sex life or sexual orientation; the Processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject; Personal Information relating to criminal convictions and offences or related security measures; government-issued identification number; account credentials; financial account numbers including payment card numbers; precise geolocation data; contents of communications not directed to Partner or Customer; and such subsets of Personal Information that are deemed “sensitive” or require enhanced protections under applicable Data Protection Laws;
- “Services” has the meaning provided in the Agreement or, if not defined by the Agreement, means the products or services rendered by Partner to us pursuant to the Agreement;
- “Sub-Processor” means a person or entity which Processes Personal Information on behalf of a Processor;
- “UK Data Transfer” means a transfer of Personal Information: (a) that is subject to the UK GDPR; (b) to a recipient in a country or territory outside of the UK; and (c) which is not subject to an adequacy decision by the UK’s Secretary of State;
- “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018; and
- “UK SCC Addendum” means the template addendum issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
- This section applies to all Partners.
- Compliance with law. Partner shall comply with all applicable Data Protection Laws and provide privacy protections appropriate to address its obligations thereunder. Partner shall notify Customer at wbdprivacy@wbd.com if it determines that it can no longer meet its obligations under Data Protection Law. Customer shall have the right to take appropriate steps to eliminate and remediate any unauthorized Processing of Personal Information by Partner.
- Security. Partner shall implement and maintain technical and organizational measures appropriate and adequate to protect Personal Information. Partner’s security measures shall be designed to: (i) ensure the confidentiality, availability, and integrity of Personal Information; (ii) protect against any anticipated threats or hazards to the security or integrity of Personal Information; and (iii) protect against unauthorized Processing.
- Third party communications. In the event that Partner receives any communications from an individual, regulator, governmental body or other third party relating to:
- Partner’s Processing of Personal Information in connection with the Agreement; or
- Customer’s Processing of Personal Information,
Partner shall (unless prohibited by law) promptly notify Customer (at wbdprivacy@wbd.com) giving full details of such communication and shall provide all cooperation reasonably requested by Customer to respond to such communication. Partner shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so.
- Response to requests and incidents. Partner will not, without obtaining prior written approval from Customer, name Customer (including any subsidiary or affiliate of Customer) in any: (i) response to a Data Subject; (ii) public disclosure pertaining to Processing; (iii) notice of a Security Incident; or (iv) disclosure to a data protection authority or other legal body relating to Processing.
- Term and survival.
- The provisions of these Global Privacy Obligations will end when Partner ceases to Process Personal Information in connection with the Agreement.
- Notwithstanding anything to the contrary in this Section 3 (Terms for all Partners), Sections 3.4, 3.5, 3.8 and Section 7 shall survive termination or expiry of the Agreement and these Global Privacy Obligations.
- Translations. In the event of a conflict between the English language version of these Global Privacy Obligations and another version in any other language, the English language version shall prevail.
- No limitation of liability. For the avoidance of doubt, liabilities of the parties under these Global Privacy Obligations shall not be subject to any limitations or exclusions of liability contained in the Agreement.
- No partnership. Nothing in these Global Privacy Obligations shall be deemed to create an employment, joint venture, agency, or partnership relationship between the parties, and neither party is authorized nor shall act toward any third party, individual entity, or the public in any manner that would indicate any such relationship to the other.
- This section applies to the extent:
- Partner Processes any Personal Information as a Processor on behalf of Customer; or
- the Agreement expressly states that this section applies.
- Instructions. Partner shall only Process Personal Information in accordance with the documented instructions of Customer (unless otherwise required to Process such Personal Information in accordance with a legal requirement to which Partner is subject, in which case Partner shall inform Customer of the legal requirement before commencing such Processing, unless the legal requirement prohibits informing Customer). Customer’s documented instructions are to Process Personal Information: (i) as necessary for Partner to deliver Services and perform any other obligations under the Agreement; and (ii) as otherwise directed by Customer in writing from time to time. Partner shall immediately inform Customer if, in Partner's opinion, a direction or instruction from Customer infringes applicable Data Protection Law.
- Description of Processing. A description of the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Data Subjects is set out in the Description of Processing.
- Use restriction. Partner shall not: (i) sell Personal Information or otherwise disclose it in exchange for monetary or other valuable consideration; (ii) Process Personal Information for any purpose other than the specific purpose of performing the Services or pursuant to the directions of Customer; (iii) Process Personal Information outside of the direct business relationship between Partner and Customer; or (iv) combine the Personal Information with personal information that it receives from or on behalf of other persons or collects from consumers. Partner certifies that it understands and will comply with the restrictions of this section.
- Data Subject requests. Partner shall promptly inform Customer of any Data Subject Requests or communication from or on behalf of Data Subjects relating to the Personal Information it Processes in connection with the Services, without responding to the Data Subject except to acknowledge receipt of the Data Subject Request or communication (unless otherwise required by Data Protection Law or instructed by Customer). Partner shall assist Customer as necessary to allow it to respond to Data Subject Requests, including by provision of appropriate technical and organizational measures, and any necessary product features and functionality. Partner shall provide such assistance promptly, and in any event within five (5) days of the Data Subject Request or Customer’s request for assistance. In appropriate cases, and upon Customer’s reasonable request, Partner shall assist Customer to inform individuals about the Processing of Personal Information, including by providing or directing applicable Data Subjects to a privacy policy or notice that complies with Data Protection Laws. Partner shall maintain, and provide Customer with reasonable access to, complete and accurate records of Data Subject Requests with respect to which Partner assists.
- Personnel confidentiality. Partner shall ensure that each of its personnel is subject to confidentiality obligations that apply to Personal Information.
- Security. Partner will implement and maintain those information security procedures and practices set out in the Information Security Obligations.
- Audit and assistance. Notwithstanding any audit provisions in the Information Security Obligations, Partner shall:
- provide to Customer such information and assistance as may be reasonably required to confirm Partner’s compliance with these Global Privacy Obligations, including assistance completing data protection impact assessments and consulting with data protection authorities. Partner shall further provide such assistance as reasonably necessary for Customer to comply with Data Protection Law; and
- at the direction of Customer, submit its data protection program and facilities that Process Personal Information for audit as to its compliance with these Global Privacy Obligations and/or applicable Data Protection Laws. The audit may be carried out by Customer, or a delegate appointed on its behalf, provided that the delegate agrees to a confidentiality agreement acceptable to Partner. Customer will give reasonable advance notice and will conduct any such audit during regular business hours without unreasonably disrupting Partner's operations. For the avoidance of doubt, this provision will not require Partner to provide any Customer with access to the confidential information of Partner’s other customers.
- Security Incidents. Partner shall promptly, and in no case later than forty-eight (48) hours of becoming aware, inform Customer via email to cybersecurity@wbd.com in the event of any actual or reasonably suspected Security Incident. At Customer’s direction, Partner will provide all information and assistance reasonably required by Customer to investigate, mitigate, and respond to a Security Incident, including at a minimum, any information or assistance required by applicable Data Protection Law or necessary for Customer to provide any notifications of the Security Incident. Partner agrees to consult with Customer before making any public statements or notification to a data protection authority or Data Subject in relation to a Security Incident. Partner shall be responsible for, and shall pay to Customer on demand, all costs, liabilities, losses, damages and expenses (including attorney’s fees) incurred by Customer arising out of or in connection with a Security Incident impacting Personal Information Processed by Partner, its affiliates, assignees, or Sub-Processors.
- Sub-Processing. Partner may engage or otherwise permit a Sub-Processor to Process Personal Information on its behalf, provided that Partner:
- has entered into a written obligation with each Sub-Processor that imposes obligations no less protective than those included in the provisions of these Global Privacy Obligations that apply to Partner;
- performs appropriate due diligence to ensure each Sub-Processor can perform as necessary for Partner to meet its obligations under the provisions of these Global Privacy Obligations that apply to Partner;
- notifies Customer in advance and in writing of any new Sub-Processor that Partner proposes to engage. Customer will have thirty (30) days from receiving such notice to object to Partner’s engagement of the new Sub-Processor. If Customer does not object within this period, Partner may permit the Sub-Processor to Process Personal Information. If Customer objects to the use of a Sub-Processor, then Partner will promptly address Customer’s objections within ten (10) days of receipt. If Partner cannot resolve Customer’s objection to Customer’s satisfaction within this ten (10) day period, then Customer will have the option to immediately terminate the Agreement without penalty at any time upon providing written notice to Partner. Partner will not allow the new Sub-Processor to Process Personal Information during: (i) the thirty (30) days after providing notification of its intent to use a new Sub-Processor; or (ii) any period where Customer’s objection to use of a Sub-Processor has not been resolved to Customer’s satisfaction; and
- remains fully liable for all Processing of Personal Information performed by each Sub-Processor.
- Disposal or return. Upon termination or expiration of the Agreement or as otherwise instructed by Customer, Partner shall in accordance with Customer’s instructions: (i) return to Customer (or a third party nominated by Customer) a complete copy of the Personal Information it Processed in connection with the Agreement, in a form and format reasonably agreed upon by the parties; and (ii) securely dispose of the Personal Information (including all copies) in its possession or control that it Processed in connection with the Agreement.
- This section applies to the extent:
- Partner independently determines the purposes and means of Processing any Personal Information it Processes in connection with the Agreement; or
- the Agreement expressly states that this section applies.
- Notice and transparency. Partner shall have in place and maintain a clear and conspicuously available privacy policy that informs Data Subjects (whose Personal Information Partner Processes in connection with the Agreement) about how Partner Processes their Personal Information and which complies with all applicable laws.
- Security Incidents. Partner shall promptly notify the relevant Customer of any actual or reasonably suspected Security Incident impacting Personal Information Processed in connection with the Agreement, and promptly provide Customer with information on the nature of the Security Incident, the Personal Information affected, and Partner’s response to and mitigation of the Security Incident.
- Confidentiality. Partner shall ensure that each of its personnel is subject to confidentiality obligations that apply to Personal Information.
- This section applies to Partners when an EEA Data Transfer, a UK Data Transfer or an Other Data Transfer occurs.
- Data transfers (Processors). This paragraph applies when Section 4 (Terms for Processors) applies.
- EEA Data Transfers. If and to the extent that Personal Information Processed by Partner is subject to an EEA Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as follows:
- Application. Partner shall act as the data importer and Customer shall act as the data exporter;
- Docking. For the purposes of Section I, Clause 7, the optional docking clause applies;
- Modules. MODULE TWO (transfer controller to processor) applies;
- Instructions. For the purposes of Section II, Clause 8.1 (Module Two), the instructions to the data importer shall be instructions to Process Personal Information as necessary to perform the Services and/or supply the products provided by Partner and as may be specified in accordance with the Agreement;
- Sub-Processors. For the purposes of Section II, Clause 9 (Module Two), Option 2 applies (and the time period for the data importer to inform the data exporter of any intended changes shall be thirty (30) days in advance);
- Redress. For purposes of Section II, Clause 11, the optional language does not apply;
- Choice of law. For the purposes of Section IV, Clauses 17 and 18, to the extent permitted by applicable Data Protection Law, the parties agree that their respective obligations under the EEA Standard Contractual Clauses shall be governed by the law(s) of and subject to the jurisdiction of the courts of the Republic of Ireland;
- Completion of Annex I, Part A. Annex I, Part A (List of parties) is hereby deemed to be completed with: (i) the details of Customer (as data exporter); and (ii) the details of Partner (as data importer), in each case as set out in the Agreement;
- Completion of Annex I, Part B. Annex I, Part B (Description of the transfer) of the EEA Standard Contractual Clauses is hereby deemed to be completed with the information provided in the Description of Processing;
- Completion of Annex I, Part C. With respect to Annex I, Part C (Competent Supervisory Authority) of the EEA Standard Contractual Clauses, to the extent permitted by applicable Data Protection Law, the parties select the data protection authority of The Republic of Ireland;
- Completion of Annex II. Annex II of the EEA Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed with the provisions set out in the Information Security Obligations; and
- Conflict of terms. In the event of any inconsistency or conflict between the EEA Standard Contractual Clauses and this section, the provisions shall be construed in the manner that affords the greatest protections to Data Subjects.
- Interpretation of EEA Standard Contractual Clauses for Restricting Countries. If and to the extent that Customer’s disclosure of Personal Information to Partner amounts to an Other Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as set out above in this paragraph of Section 6, save that: (i) references in the EEA Standard Contractual Clauses to “EU,” “Union,” “EU Member State,” or “Member State” shall refer instead to that Restricting Country; (ii) references to “Regulation (EU) 2016/679” or “that Regulation” shall refer instead to the Data Protection Laws of that Restricting Country and references to specific provisions or articles of the GDPR shall be replaced with the nearest equivalent provision or article of the Restricting Country’s Data Protection Law; (iii) “supervisory authority” shall refer to the data protection authority in that Restricting Country; (iv) references to the “Clauses” means this paragraph as it incorporates and modifies the Clauses.
- UK Data Transfers. If and to the extent that Personal Information Processed by Partner is subject to a UK Data Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:
- Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer (as data exporter) and the details of Partner (as data importer), as provided in the Agreement. The “start date” is the start date, effective date, or equivalent date of the Agreement. The “key contact” for Customer is “Head of Privacy” or that individual’s delegate who can be contacted at wbdprivacy@wbd.com and the “key contact” for Partner will be as communicated to Customer from time to time, including the contact’s specific job title and email address.
- Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above in this paragraph of Section 6.
- Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
- Conflict of terms. In the event of any inconsistency or conflict between the UK SCC Addendum and these Global Privacy Obligations, the UK SCC Addendum shall prevail.
- Data Transfers (Controllers). This paragraph applies when Section 5 (Terms for Controllers) applies.
- EEA Data Transfers. If and to the extent that Personal Information Processed by Partner is subject to an EEA Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as follows:
- Application. Partner shall act as the data importer and Customer shall act as the data exporter;
- Docking. For the purposes of Section I, Clause 7, the optional docking clause applies;
- Modules. MODULE ONE (transfer controller to controller) applies;
- Redress. For purposes of Section II, Clause 11, the optional language does not apply;
- Choice of law. For the purposes of Section IV, Clauses 17 and 18, to the extent permitted by applicable Data Protection Law, the parties agree that their respective obligations under the EEA Standard Contractual Clauses shall be governed by the law(s) of and subject to the jurisdiction of the courts of The Republic of Ireland;
- Completion of Annex I, Part A. Annex I, Part A (List of parties) is hereby deemed to be completed with: (i) the details of Customer (as data exporter); and (ii) the details of Partner (as data importer), in each case as set out in the Agreement;
- Completion of Annex I, Part B. Annex I, Part B (Description of the transfer) of the EEA Standard Contractual Clauses is hereby deemed to be completed with the information provided in the Description of Processing;
- Completion of Annex I, Part C. With respect to Annex I, Part C (Competent Supervisory Authority) of the EEA Standard Contractual Clauses, to the extent permitted by applicable Data Protection Law, the parties select the data protection authority of The Republic of Ireland;
- Completion of Annex II. Annex II of the EEA Standard Contractual Clauses (The Technical and organisational measures including technical and organisational measures to ensure the security of the data) is hereby deemed to be completed with the provisions set out in the Information Security Obligations; and
- Conflict of terms. In the event of any inconsistency or conflict between the EEA Standard Contractual Clauses and this section, the provisions shall be construed in the manner that affords the greatest protections to Data Subjects.
- Interpretation of EEA Standard Contractual Clauses for Restricting Countries. If and to the extent that Customer’s disclosure of Personal Information to Partner amounts to an Other Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as set out above in this paragraph of Section 6, save that: (i) references in the EEA Standard Contractual Clauses to “EU,” “Union,” “EU Member State,” or “Member State” shall refer instead to that Restricting Country; (ii) references to “Regulation (EU) 2016/679” or “that Regulation” shall refer instead to the Data Protection Laws of that Restricting Country and references to specific provisions or articles of GDPR shall be replaced with the equivalent provision or article of the Restricting Country’s Data Protection Law; (iii) “supervisory authority” shall refer to the data protection authority in that Restricting Country; (iv) references to the “Clauses” means this section as it incorporates and modifies the Clauses.
- UK Data Transfers. If and to the extent that Personal Information Processed by Partner is subject to a UK Data Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:
- Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer (as data exporter) and the details of Partner (as data importer), as provided in the Agreement. The “start date” is the start date, effective date, or equivalent date of the Agreement. The “key contact” for Customer is “Head of Privacy” or that individual’s delegate who can be contacted at wbdprivacy@wbd.com and the “key contact” for Partner will be communicated to Customer from time to time, including the contact’s specific job title and email address.
- Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above in this paragraph of Section 6.
- Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
- Conflict of terms. In the event of any inconsistency or conflict between the UK SCC Addendum and this section, the UK SCC Addendum shall prevail.
- Additional cross-border transfer provisions. This paragraph applies if and to the extent Personal Information Processed by Partner is subject to an EEA Data Transfer, UK Data Transfer or Other Transfer.
Supplementary measures
- The parties acknowledge and agree the judgment of the Court of Justice of the European Union in Case C-311/18 clarifies that supplementary measures may be necessary to ensure that Personal Information, which has been subject to an EEA Transfer or UK Transfer, is afforded an essentially equivalent level of protection to the protections it receives when Processed in its territory of origin (in addition to safeguards contained in the EEA Standard Contractual Clauses). Accordingly, the parties have agreed the measures set out in the following Sections 6.4(b) to (g) as supplementary measures to help ensure such essential equivalence.
- If Partner becomes aware of a request or demand from a law enforcement, regulatory, judicial or governmental authority (an “Authority”) to obtain access to or a copy of some or all Personal Information Processed in connection with the Agreement, whether on a voluntary or mandatory basis Partner shall:
- immediately notify Customer of such Authority’s request;
- where Section 4 (Terms for Processors) applies, inform the Authority that Partner is a Processor of Personal Information and that Customer has not authorised it to disclose such Personal Information to the Authority;
- inform the Authority that any and all requests or demands for access to such Personal Information should be notified to or served upon Customer (as the Controller) in writing; and
- subject to Section 6.4(c), not provide the Authority with access to such Personal Information unless and until authorised in writing by Customer.
- Notwithstanding Section 6.4(b)(iv), Partner may, without Customer’s prior written authorisation, disclose to an Authority Personal Information following receipt of a request or demand from such Authority, provided that (unless prohibited by law):
- Partner has given Customer reasonable prior notice of such request or demand to give Customer a reasonable opportunity to object or to seek a protective order or other appropriate remedy;
- Partner reasonably cooperates with Customer, at Customer’s cost and expense, so that Customer may object to or seek a protective order or other appropriate remedy; and
- Partner in any event discloses only that portion of Personal Information that it is legally required to disclose.
- If Partner makes a disclosure of Personal Information to an Authority, Partner shall only disclose such Personal Information to the extent Partner is legally required to do so and only in accordance with applicable lawful process.
- Partner shall not knowingly disclose Personal Information in a bulk or indiscriminate manner that goes beyond what is necessary and proportionate in a democratic society.
- Partner shall have in place, maintain, and comply with a written policy governing requests for Personal Information from Authorities which at minimum prohibits:
- bulk or indiscriminate disclosure of Personal Information relating to Data Subjects in Europe; and
- disclosure of Personal Information relating to Data Subjects in Europe to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Information.
- Partner shall have in place and maintain, in accordance with good industry practice, measures to protect Personal Information from interception (including in transit from Customer to Partner and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept data and encryption of data whilst in transit to deny attackers the ability to read data.
Additional data transfer provisions
- Partner agrees to cooperate in good faith to execute additional documents and apply additional protections, or to restrict Processing to certain territories, as Customer may deem necessary to conduct EEA Transfers, UK Transfers or Other Transfers (as applicable).
- If Partner will at any time Process Personal Information originating in any country which restricts the transfer of the Personal Information to another jurisdiction not deemed adequate to receive such Personal Information, then Partner will, on Customer’s instructions:
- take all necessary actions and execute such agreements as may be necessary under applicable Data Protection Law in such country to legitimize any Processing; and
- ensure an adequate level of protection for Customer’s Personal Information.
- In the event that any competent data protection authority holds that a data transfer mechanism relied on by the parties is invalid, or any competent data protection authority or applicable law requires transfers of Personal Information to be suspended or restricted to a specific jurisdiction, then Customer may, at its discretion, require Partner to cease Processing Personal Information and Partner will co-operate with Customer in good faith to facilitate use of an alternative data transfer mechanism, execute additional documents, apply additional protections, or restrict Processing to certain jurisdictions.
- This section applies to all Partners.
- In addition to any indemnity obligations of Partner set out in the Agreement, Partner shall defend, indemnify and hold harmless Customer against any and all third party claims, actions, costs, liabilities, losses, damages and expenses (including attorney’s fees) incurred by Customer which arise out of or in connection with: (i) a Security Incident; or (ii) a violation of these Global Privacy Obligations by Partner or Partner’s affiliates, Sub-Processors (including Sub-Processors appointed by Partner’s affiliates) and assignees, including without limitation a claim or action by a data protection authority or Data Subject.