Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the MSA entered into between the parties
identified on the Order as "Supplier" and "Customer". Capitalized terms used herein shall have the
meaning ascribed in the MSA, unless otherwise defined in this DPA.
1.
Definitions
a. "Agreement" means the master subscription or services agreement entered into between
the parties.
b. "Applicable Privacy Laws" means all applicable laws relating to data privacy including the
GDPR, the EU Privacy and Electronic Communications Directive 2002/58/EC, the UK Data
Protection Act 2018 and the CCPA, each as implemented in each jurisdiction, and any
amending or replacement legislation from time to time.
c. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et.
seq., and its implementing regulations.
d.
"Supplier Data" means any data in Supplier’s databases that Supplier uses in providing
Services, excluding Customer Data. This definition of Supplier Data is intended to include
similarly defined terms in the Agreement such as “Company Data”, “Cision Data”, or
“Brandwatch Data”.
e. “Supplier Personal Data" means any personal data included in Supplier Data.
f. "Customer Data" means data that Customer makes available to Supplier for the purpose of
Supplier processing that data on Customer’s behalf.
g. "Customer Personal Data" means any Personal Data included in Customer Data.
h. “EEA” means the European Economic Area.
i. "GDPR" means General Data Protection Regulation ((EU) 2016/679).
j.
“Order” means an ordering document that sets out the products or services that Supplier is
to provide to Customer.
k. "Restricted Transfer" means a transfer of personal data from the EEA, UK or any other
country where such transfer would, in the absence of SCCs, be prohibited by Applicable
Privacy Laws.
l. "Security Controls" means the technical and organisational measures as specified in the
Agreement or if not so specified then the measures described at
https://gdpr.cision.com/technicalorgmeasures
m. "SCCs" means the Standard Contractual Clauses forming part of this DPA pursuant to the
European Commission Implementing Decision (EU)
2021/914 of 04 June 2021
for the
transfer of personal data to controllers and/or processors established in third countries
under Directive 95/46/EC, and such updated or replacement clauses as the European
Commission may approve from time to time or the most recent version of any contractual
clauses governing international personal data transfers issued by any country for any
relevant transfers under the Agreement.
n. “Sub-Processor” means a third party that Supplier engages to Process any Personal Data
that Supplier Processes under this DPA, as a processor on Supplier’s behalf.
o. The terms "Controller", "Processor", "Personal Data", "processing", "special categories of
data" and "data subject" have the meanings given to them in the GDPR or UK Data
Protection Act 2018.
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
p. For clarity, this DPA covers any processing that takes place pursuant to the CCPA.
Therefore, the following references in the CCPA have the following meanings in this DPA:
i. “Business” means “Controller”
ii. “Service Provider” means “Processor”
iii. “Third Party” means “Sub-Processor”
iv. “Personal Information” means “Personal Data”
v. “Consumer” means “Data Subject”
2.
General
a. Controller Data: Supplier and Customer are independent controllers of Supplier Personal
Data and each process this data as a controller. Where Customer receives, or is provided
access to, Supplier Personal Data from or by Supplier, Section 3 applies.
b. Processor Data: Customer is the controller and Supplier is the processor of Customer
Personal Data. Where Supplier processes Customer Personal Data on behalf of Customer,
Section 4 applies.
c. Each party will comply with Applicable Privacy Laws when processing personal data under
the Agreement.
d. If there is a conflict between this DPA and the Agreement, this DPA prevails.
e. Both parties will implement and maintain appropriate technical and organisational
measures to ensure the security of Personal Data including to protect against unauthorised
or unlawful loss, destruction, alteration, unauthorised disclosure or access to Personal
Data.
f. Both parties will take reasonable steps to ensure that the personnel that it authorises to
Process Personal Data have committed themselves to appropriate obligations of
confidentiality and that access to Personal Data is limited to those individuals who need to
have access for the purposes of the Agreement.
g. Amendments: Supplier may, at any time on not less than 30 days’ notice, revise this
Addendum so as to incorporate any mandatory SCCs or other terms that are required by
any competent data protection authority in the EU or the UK. The parties agree to adopt
any necessary replacement or supplemental SCCs as the EC and/or the UK ICO or other
countries may adopt from time to time. If Customer does not execute such clauses on
request by Supplier, Supplier will be entitled to give not less than 30 days' prior written
notice to terminate the Agreement.
3.
Supplier Data (Controller to Controller relationship)
a. Processing for purposes of the Agreement: Each party will process Supplier Personal Data
for the purposes of exercising their rights and obligations under the Agreement. Details of
the categories of Supplier Personal Data, the purpose of processing by Supplier and the
duration of the processing are set out in Annex 1, Part 1
b. International Data Transfers:
i. If there is a Restricted Transfer from the EEA the Customer will be bound by the
Controller to Controller SCCs, which are incorporated into this Addendum and will come
into effect upon the commencement of the relevant Restricted Transfer.
ii. If there is a Restricted Transfer from the UK, the parties agree to enter into any
applicable UK SCCs when the UK Information Commissioner’s Office (“ICO”) approves
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
such clauses. Pending ICO approval, the parties agree to be bound by the Controller to
Controller SCCs in accordance with Clause 3.b.i.
iii. If there is a Restricted Transfer from any other country, parties will be bound by the
Controller to Controller SCCs, which are incorporated into this Addendum and will come
into effect upon the commencement of the relevant Restricted Transfer.
iv. For the purposes of the SCCs, the Personal Data transferred will be as required by the
Agreement and are as set out in Annex 2, Part 1 to this DPA.
c. Data breach: each party will notify the other without undue delay on becoming aware of a
Personal Data breach involving Supplier Personal Data or upon receipt of a request or
complaint from a Data Subject involving Supplier Personal Data.
4.
Customer Data: Controller to Processor relationship
a. Written instructions: Supplier will process Customer Personal Data only on Customer’s
written instructions, as set out in this DPA. Where Applicable Privacy Laws state otherwise,
Supplier will inform Customer of the legal requirement before Processing, unless that law
prohibits this information on important grounds of public interest. Details of the categories
of Customer Personal Data, the purpose of processing by Supplier and the duration of the
processing are set out in Annex 1, Part II.
b. Lawful use and instruction: Customer will ensure that its use of the Services and its
instructions regarding the Processing of any Personal Data pursuant to this DPA will comply
with all Applicable Privacy Laws, and that Supplier’s Processing in accordance with the
Customer’s instructions will not cause Supplier to be in breach of any Applicable Privacy
Laws. Supplier will inform the Customer if, in Supplier’s opinion, the Customer's
instructions infringe Applicable Laws.
c. Special Categories of data: Customer will notify Supplier if any special categories of data
are included within Customer Personal Data. Supplier may refuse to process such data or
impose any restrictions as are necessary, at the Customer's expense, to enable Supplier to
comply with its legal and contractual obligations.
d. International Data Transfers:
i. If there is a transfer from Customer (as controller) in the EEA to Supplier (as processor)
in any third country, the parties agree to be bound by the Controller to Processor
SCCs, which are incorporated into this DPA and come into effect should a Restricted
Transfer occur.
ii. If there is a Restricted Transfer from the UK, the parties agree to enter into any
applicable Standard UK SCCs when the UK ICO approves such clauses. Pending ICO
approval, the parties agree to enter into the Controller to Processor SCCs in
accordance with Clause 4.d.i.
iii. If there is a Restricted Transfer from any other country, parties will be bound by the
Controller to Processor SCCs, which are incorporated into this Addendum and will
come into effect upon the commencement of the relevant Restricted Transfer.
iv. For the purposes of the SCCs Personal Data transferred will be as required by the
Agreement and are as set out in Annex 2, Part II to this DPA.
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
v. Where Supplier appoints any Sub-Processor in accordance with Clause 4.g and such
appointment involves a Restricted Transfer, Supplier may rely on SCCs to legitimise the
transfer of Customer Personal Data.
e. Records of Compliance: Supplier will maintain complete and accurate records and
information to demonstrate its compliance with this Addendum.
f. Audit: Supplier will support audits that Customer conducts (either itself or via an external
auditor), at Customer’s cost and expense. Any audit conducted pursuant to this DPA is
subject to the following conditions:
i. Customer will provide at least 60 days advance written notice of any audit.
ii. any audit may only be conducted during Supplier’s normal business hours.
iii. Customer will conduct the audit so as to cause minimal disruption to Supplier’s normal
business operations.
iv. any third-party auditor will enter into direct confidentiality obligations with Supplier
which are reasonably acceptable to Supplier.
v. any audit will be limited only to Supplier’s Processing activities as a Processor, and to
such information that is reasonably necessary for Customer to assess Supplier’s
compliance with the terms of this DPA.
vi. as part of any audit, Customer (or its external auditor) will not have access to
Supplier’s Confidential Information.
vii. Customer will reimburse Supplier’s reasonable and demonstrable costs and expenses
associated with any audit.
viii. Customer agrees to accept a Supplier-supplied audit report in lieu of conducting its own
audit:
1. if the scope of the requested audit has been addressed in an audit carried out by a
recognised independent third party auditor within twelve (12) months of the
Customer's request and the Supplier provides written confirmation that there have
been no material changes in the controls and systems to be audited or
2. if it is intended that such an audit will be conducted within six months of the request
and the Supplier provides the report of such to the Customer on completion.
g. Sub-processors: Customer authorises Supplier to appoint Sub-Processors in connection with
the provision of the Services. A list of Supplier’s current Sub-Processors is available at
https://gdpr.cision.com/Sub-Processors
i. Supplier will inform the Customer of any intended changes concerning the addition to
or replacement of any permitted Sub-Processor with a new Sub-Processor and give
the Customer the opportunity to object to such changes. Any Sub-Processor Supplier
engages will be subject to materially equivalent terms regarding data protection as are
imposed on Supplier pursuant to this DPA.
ii. Where any Sub-Processor fails to fulfil its obligations regarding data protection,
Supplier will remain liable for the performance of the Sub-Processor’s obligations,
subject to the exclusions and limitations of liability under the Agreement.
h. Data breach: If there is a personal data breach in relation to Customer Personal Data:
i. Supplier will cooperate in good faith with the Customer to enable Customer to comply
with its obligations under Applicable Privacy Laws.
ii. Supplier will notify Customer within 36 hours after becoming aware of a personal data
breach (as defined in the Data Protection Legislation).
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
iii. Supplier will assist the Customer in complying with any obligation to notify a
supervisory authority of any data breach.
i. Data subject rights: Taking into account the nature of the Processing and the information
available, Supplier will provide reasonable and appropriate assistance to the Customer
(subject to payment of Supplier’s reasonable and demonstrable costs and expenses),
where possible, in relation to the Customer’s fulfilment of the Customer’s obligations to
respond to requests relating to the exercise of individuals’ rights under the Data Protection
Legislation where Supplier Processes such individuals’ Personal Data pursuant to this DPA.
j. Termination:
i. If Supplier is in breach of any of its obligations under this DPA, Customer may instruct
Supplier to temporarily suspend the processing of Customer Personal Data pending
the remedy of such breach and may instruct Supplier to terminate the processing of
Customer Personal Data if such breach is not remedied.
ii. According to requirements as described in Supplier’s Records Retention policy, or at
the written direction of the Customer, Supplier will delete Customer Personal Data
unless required by Applicable Privacy Laws to retain the Customer Personal Data.
5.
Miscellaneous
a. Liability: Each party’s liability under this DPA is subject to the limitations and exclusions of
liability set out in the Agreement.
b. Governing law: The governing law of the Agreement applies to this DPA, except that the
Controller to Processor SCCs and Controller to Controller SCCs are governed by the law of
the country in which the relevant data exporter is established.
Runtime Collective
Limited
Crimson Hexagon,
Inc.
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Cision US Inc.
CN
W
Group Limited
Signature:
Signature:
Name:
Name:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Dylan Marvin
Dylan Marvin
3/18/2022
Director
Director
3/18/2022
Matt Royack
Matt Royack
Title:
Title:
Date:
Date:
Cision Canada Inc.
Cision France SA
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Prime Research AG
Cision Portugal SL
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Cision
Germany GmbH
Cision Group Limited
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
3/18/2022
3/18/2022
VP and Deputy General Counsel
VP and Deputy General Counsel
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
PR Newswire Asia
Limited
Prime Brazil
Pes. De
Midia Ltda.
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
PR Newswire Ltda.
Unmetric Tech.
Private Ltd.
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Falcon.io ApS
Falcon.io US, Inc.
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
Bulletin Intelligence
LLC
Bulletin Healthcare
LLC
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Bulletin Media LLC
Prime Research LLC
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Cision Sverge AB
Cision Norge AS
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
Cision Finland OY
Prime Research
International GmbH
& Co. KG
Signature:
Signature:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
Name:
Name:
Title:
Title:
Date:
Date:
PRN
Business Consulting
(Shanghai) Co., Ltd.,
Beijing Branch
PRN Business
Consulting
(Shanghai) Co., Ltd.
Signature:
Signature:
Name:
Name:
Title:
Title:
Date:
Date:
PR Newswire
International
Communication
(Shenzhen) Co., Ltd.
Signature:
Name:
Title:
Date:
Customer name:
Customer address:
Signature:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Matt Royack
Matt Royack
Matt Royack
Matt Royack
Matt Royack
3/18/2022
3/18/2022
3/18/2022
3/18/2022
3/18/2022
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
VP and Deputy General Counsel
Name:
Title:
Date:
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Annex 1 - Processing Information
Processing, Personal Data, and Data Subjects
Part 1: Supplier Personal Data (Supplier as Data Controller)
Nature and Purpose
of processing
Customer may process Supplier Data as necessary to receive the Services and
comply with its obligations under the Agreement.
Duration of the
processing
Customer may process Supplier Data for the duration of the Agreement, unless
otherwise agreed by the parties.
Types of personal
data
Name, title, position, email address, business phone number, mobile phone
number, employer, social media handles, Information that has been made
public by data subjects themselves, such as identification data (e.g., name,
username, social media handle, geographic location) and media (e.g., images,
audio and videos).
Categories of data
subject
Individual media contacts including journalists and other media 'influencers'
and Individuals publishing information publicly on the Internet, including social
media users, bloggers and web content writers.
For French institutional Database: Contacts such as political and elected
representatives, contacts within public administrations, personalities from the
associative world, financial analysts, shareholders and advisors.
Part 2: Customer Personal Data (Supplier as Data Processor)
Nature and Purpose
of processing
Supplier may process Customer Personal Data as necessary to perform the
Services and comply with its obligations under the Agreement.
Duration of the
processing
Supplier may process Customer Data for the duration of the Agreement, unless
otherwise agreed by the parties.
Types of personal
data
Name, title, position, employer, email address, business phone number, mobile
phone number, social media handles, professional life data (which may include
data related to historical employment history, data related to skills, awards, or
interests, or other data relating to professional life), Personal life data, which
may include data about interests, likes, dislikes, or other data relating to
personal life), location data and media (e.g., images, audio and videos).
Categories of data
subject
Customer’s own prospects, clients, partners, or vendors; Individual media or
government affiliated contacts (including personnel of public administrations
and personalities from the associative world) provided by Customer; Employees
or contact persons of the Customer.
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Annex 2 - Transfer Information
Part 1 – Supplier Personal Data
The Data Exporter
Supplier or any other Supplier Affiliate which exports data under the
Agreement
The Data Importer
Customer
Data Subjects
the data subjects are those individuals whose Personal Data is
contained in the Supplier Personal Data that Customer Processes as
part of receiving the Services.
Purposes of the Transfer
the purpose of the transfer is to permit the Customer to process the
Supplier Personal Data in accordance with the Agreement.
Categories of Data
the categories of Personal Data are set out in Annex 1, Part II to this
DPA
Recipients
the recipients of the Personal Data are as specified in the Agreement,
which usually includes the Customer’s employees, contractors,
consultants, and customers.
Special Categories of Data
the Special categories of Personal Data are set out in Annex 1, Part II to
this DPA (note: Special Categories are not collected intentionally)
Applicable law
the law of the country in which the data exporter is established.
Technical Measures of the
Company (Appendix 2)
technical and organisational measures as specified in the Agreement
or if not so specified then the measures described at
https://gdpr.cision.com/technicalorgmeasures
Cision Contact Point for
Data Protection Inquires
Customer Contact Point for
Data Protection Inquires
as specified in the Agreement.
Part 2 – Customer Personal Data
The Data Exporter
Customer
The Data Importer
Cision or any other Cision Affiliate which imports data under the
Agreement
Data Subjects
the categories of data subjects are set out in Annex 1, Part I of this
DPA. The Customer as the data exporter controls the type and extent
of the Personal Data that Cision processes.
Purposes of the Transfer
to permit Cision to process the Customer Personal Data in accordance
with the Agreement
Categories of Data
the categories of Personal Data are set out in Annex 1, Part I to this
DPA). as the Customer acknowledges that as controller and exporter
the Customer controls the type and extent of the Personal Data that
may be transferred to Cision as a Processor.
Recipients
the recipients of the Personal Data are as specified in the Agreement,
which usually includes Cision and any other Cision affiliates and any
Cision sub-processors.
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598
Special Categories of Data
the Data Exporter may submit special categories of Personal Data to
Cision, the extent of which the data exporter controls and determines
in its sole discretion. Any special categories of Personal Data are set
out in Annex 1, Part I to this DPA.
Applicable law
the law of the country in which the data exporter is established.
Technical Measures of
Cision
technical and organisational measures as specified in the Agreement
or if not so specified then the measures described at
https://gdpr.cision.com/technicalorgmeasures
Cision Contact Point for
Data Protection Inquires
Customer Contact Point for
Data Protection Inquires
as specified in the Agreement
DocuSign Envelope ID: E8D43C7E-D095-4B32-A2E3-68FCEBCEF598