Save as otherwise defined below, defined terms in these Data Processing Terms have the meaning given to them in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, and “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Applicable Laws” means the laws and regulations of any Member State and the United Kingdom or the laws of the European Union applicable to the parties and any other applicable law, including but not limited to the Data Protection Legislation and the e-Privacy Legislation;
“Company” means the applicable Falcon.io entity that is the contracting party to the Agreement.
“Content” means proprietary or public information gathered or created by Company and provided to Customer as part of the Platform or Services (e.g., via social listening functionality).
“Customer” means the entity purchasing a subscription to the Platform and/or Services in the Agreement.
“Customer Data” means data and information in any format, including but not limited to text (including text provided by a third-party to or for Customer), files, images, and/or URLs, that is submitted by or for Customer to the Platform, or provided to Company by or for Customer in order for Company to provide Services, or collected and processed by or for Customer using the Platform excluding Content.
“Company Personal Data” means any Personal Data included in Content (as applicable), as is provided to Customer under the Agreement and as further specified in Part II of Annex I to these Data Processing Terms;
“Customer Personal Data” means any Personal Data included in Customer Data, and as further specified in Part I of Annex I to these Data Processing Terms;
“Data Protection Legislation” means (i) the EU Data Protection Directive (95/46/EC) as transposed into domestic legislation of each Member State and the United Kingdom as amended, replaced or superseded from time to time including by the GDPR and laws implementing or supplementing the GDPR; and (ii) to the extent applicable, the data protection laws of any other country, including the United Kingdom;
“e-Privacy Legislation” means (i) the EU Privacy and Electronic Communications Directive (2002/58/EC) as transposed into domestic legislation of each Member State as amended, replaced or superseded from time to time; and (ii) to the extent applicable, the privacy laws of any other country, including the United Kingdom;
“GDPR” means the General Data Protection Regulation ((EU) 2016/679);
“Member State” means any member state of the European Union;
“Platform” means the social media management, customer relationship management, media monitoring analytics and communications system made available online on a Software-as-a-Service basis by Company or any of its Affiliates and its underlying tools, databases, APIs, and software that make up the system, including any software or technology created by Company’s Affiliates.
“Restricted Transfer” means a transfer of Personal Data from the Data Controller to the Data Processor, or from the Data Processor to a Sub-Processor, where such transfer would, in the absence of SCC, be prohibited by Data Protection Legislation;
“Services” means any custom professional services (e.g., strategic consulting) that are provided to Customer as set forth in the Agreement;
“SCC” means the standard contractual clauses promulgated by the European Commission for data transfers from an EU controller to a non-EU or non-EEA processor;
“Sub-Processor” means any person or entity appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement.
The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Personal Data Breach” have the meaning set out in the GDPR.
D-2. Data Protection – General
Each Party will comply with all requirements of the Data Protection Legislation applicable to its respective role as Data Processor or Data Controller, as applicable. These Data Processing Terms are in addition to, and do not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
D-3. Customer Personal Data
D-3.1 The parties acknowledge that for the purposes of the Data Protection Legislation and these Data Processing Terms, it is their understanding and intention that Customer is the Data Controller and Company is the Data Processor in respect of Customer Personal Data.
D-3.2 The obligations contained in these Data Processing Terms shall apply to any Affiliate of Company that processes data under the Agreement.
D-3.3 Annex I sets out the scope, nature and purpose of processing by Company, the duration of the processing and the types of Personal Data and categories of Data Subject.
D-3.4 Without prejudice to the generality of clause D-3.1, Customer will ensure that it is lawful to enable the transfer of Customer Personal Data to Company for the duration and for the purposes of the Agreement.
D-3.5 Without prejudice to the generality of clause D-3.1, Company shall, in relation to any Customer Personal Data processed in connection with the performance by Company of its rights and obligations under the Agreement:
D-3.5.1 process that Customer Personal Data only on the written instructions of Customer, including but not limited to any instructions contained in any Agreement unless Company is obliged to process such Personal Data by the Applicable Laws. Where Company is relying on the Applicable Laws as the basis for processing Customer Personal Data, Company shall, insofar as is permissible under such Applicable Laws, promptly notify Customer of its obligations before performing the processing required by the Applicable Laws;
D-3.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, such as are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). The details of these technical and organisational measures are set forth in Annex II hereto;
D-3.5.3 take all reasonable steps to ensure the reliability of all personnel who have access to and/or process Customer Personal Data and shall ensure that all such personnel are obliged to keep Customer Personal Data confidential and that access to Personal Data is limited to those individuals who need to have access to Customer Personal Data for the purposes of the Agreement and to comply with Applicable Laws;
D-3.5.4 be bound by the SCC, which are hereby incorporated into these Data Processing Terms, in respect of any Restricted Transfer of Customer Personal Data from Customer to Company. Such SCC shall come into effect upon the commencement of the relevant Restricted Transfer;
D-3.5.5 not otherwise enter into any Restricted Transfer unless the prior written consent of Customer has been obtained and the SCC are used in relation to such transfer;
D-3.5.6 notify Customer without undue delay on becoming aware of a Personal Data Breach involving Customer Personal Data or upon receipt of a request or complaint from a Data Subject involving Customer Personal Data;
D-3.5.7 assist Customer, at Customer’s cost (save where such assistance is required as a result of a breach by Company of its obligations under these Data Processing Terms and/or the Agreement in which case such costs will be borne by Company), in responding to any request from a Data Subject (but shall not respond to any such request without Customer’s prior written consent, unless otherwise required by the Data Protection Legislation) and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
D-3.5.8 within fourteen (14) days of termination of the Agreement, at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer unless required by Applicable Law to store Customer Personal Data.
D-3.6 Company shall maintain complete and accurate records and information (“Records”) to demonstrate its compliance with these Data Processing Terms and will allow Customer by its own personnel or by an independent auditor, who executes Company’s standard non-disclosure agreement, to access all such Records during the term of the Agreement and for one year after termination provided:
D-3.6.1 any such access for the purposes of auditing or otherwise inspecting the Records shall be on not less than thirty (30) days written notice at any time during normal business hours and not more than once during any twelve (12) month period unless:
D-3.6.1.1 Customer has reasonable grounds to suspect that a Personal Data Breach has occurred involving Customer Personal Data; or
D-3.6.1.2 Customer is required or requested to carry out an audit by Data Protection Legislation or a regulatory authority responsible for the enforcement of Data Protection Legislation in any country; and
D-3.6.2 Customer shall make (and shall ensure that any independent auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to Company’s premises, equipment, personnel and business during the audit;
D-3.6.3 Customer shall submit a detailed audit plan to Company upon giving notice of an audit, setting out details of the proposed scope and duration of the audit, such audit plan to be agreed between the parties (acting reasonably);
D-3.6.4 if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of Customer’s request, and Company provides written confirmation that there have been no material changes in the controls and systems to be audited, Customer agrees to accept that audit report in lieu of carrying out its own audit; and
D-3.6.5 Customer shall bear the costs of the audit, save where Company is found to be in breach of its obligations under these Data Processing Terms in which case Company will bear the cost of the audit.
D-3.7 The Customer hereby consents to Company appointing Sub-Processors in connection with the provision of the Platform and Services. Company shall make available at https://gdpr.cision.com/Sub-Processors a list of current Sub-Processors and shall notify Customer via such website when a Sub-Processor is replaced or added to this list. Upon notification, Customer shall have 10 days to object to the appointment of the new Sub-Processor. If Customer objects on reasonable grounds, Customer shall have the right to terminate the Agreement immediately on notice.
D-3.8 Company confirms that it has entered or (as the case may be) will enter with any appointed Sub-Processor into a written agreement incorporating terms that are substantially similar to those set out in these Data Processing Terms. As between Customer and Company, Company shall remain fully liable for all acts or omissions of any Sub-Processor appointed by it pursuant to clause D-3.7.
D-3.9 Company may, at any time on not less than 30 days’ notice, revise these Data Processing Terms for the purposes of complying with its obligations pursuant to Applicable Law or an applicable certification scheme by replacing them with any applicable controller to processor standard clauses or terms required by such law or scheme.
D-4. Company Personal Data
The parties acknowledge that for the purposes of the Data Protection Legislation and these Data Processing Terms it is their intention and understanding that Company and Customer are independent Data Controllers with respect to Company Personal Data and each Party will comply with its respective obligations in connection therewith pursuant to the Data Protection Legislation and all Applicable Laws.