DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is by and between Yahoo and Vendor and shall, in consideration of the mutual obligations set out herein, take effect from the Effective Date and shall apply where, in the course of providing the Services under the Agreement (as defined below), Vendor Processes (as defined below) European Data (as defined below) on behalf of Yahoo.
Background
- Vendor provides the Services to Yahoo pursuant to a Purchase Order (“PO”), Statement of Work (“SOW”), a Master Services Agreement (“MSA”), the Vendor Master Terms and Conditions available at https://legal.yahoo.com/us/en/yahoo/terms/vendor/mastertnc/index.html (“VMTC”) and/or such other terms as are agreed between the Vendor and Yahoo (the "Agreement").
- In providing the Services, Vendor may need to Process European Data on behalf of Yahoo. Such Processing shall be subject to the Agreement, this DPA and the Network Security Terms (as defined below).
- This DPA will only apply to the extent that European Privacy Laws apply to the Processing of European Data.
It is agreed as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 In this DPA (including the Background and the Appendices) the following terms and expressions shall have the following meanings, and are in addition to those definitions set forth elsewhere in the Agreement:
Adequacy Decision means a decision made by the European Commission that a third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection in respect of the Processing of Personal Data pursuant to Article 45(1) of the GDPR, excluding a decision made in relation to an Adequacy Framework.
Adequacy Framework means (i) the EU-US Data Privacy Framework adopted pursuant to European Commission Implementing Decision of 10 July 2023 ("EU-U.S. DPF"); (ii) the UK Extension to the EU-U.S. DPF; and (iii) the Swiss-U.S. Data Privacy Framework.
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable European Law means any applicable law of the European Union (or the law of one or more of the Member States of the European Union), Switzerland or the United Kingdom, including, for the avoidance of doubt, the European Privacy Laws.
Controller to Processor Standard Clauses means module 2 of the Standard Contractual Clauses (as amended, interpreted, or supplemented by this DPA to meet the requirements of Swiss Privacy Laws and/or UK Privacy Laws).
Controller means the natural or legal person who is considered to be the ‘controller’ in relation to Personal Data under European Privacy Laws.
Data Subject has the meaning ascribed to ‘data subject’ under European Privacy Laws.
Effective Date shall mean the Start Date, as defined in the VMTC (or, where the Agreement is on other terms, the date on which the Vendor commences its provision of the Services, including any Processing of European Data).
European Data means European Employee Data, European Partner Data and European User Data.
European Employee Data means any Personal Data relating to a member of staff of any Yahoo Affiliate.
European Partner Data Subject means any Data Subject that has a relationship with a commercial partner, vendor or sales lead of a Yahoo Affiliate, including any of their respective employees, officers, directors, agents, contractors, customers or representatives.
European Partner Data means any Personal Data relating to a European Partner Data Subject.
European Privacy Laws means all applicable law in relation to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the European Economic Area, the United Kingdom and Switzerland, including as applicable (i) the GDPR, (ii) any applicable EU Member State legislation made under, transposing, or made pursuant to the GDPR, (iii) the UK Privacy Laws; and (iv) the Swiss Privacy Laws.
European User Data means any Personal Data relating to Yahoo Users that is Processed in connection with products or services offered by a Yahoo Affiliate.
GDPR means the EU General Data Protection Regulation 2016/679.
International Transfer Requirements means the requirements of Chapter V of the GDPR.
Network Security Terms mean the network and information security requirements applicable to Vendor as more particularly described in Appendix 2.
Personal Data means information that is considered under European Privacy Laws to be “personal data”.
Personal Data Breach has the meaning ascribed to “personal data breach” under European Privacy Laws, to the extent that such breach occurs with respect to European Data.
Processing has the meaning ascribed under European Privacy Laws, and “Process” and “Processes” shall be construed accordingly.
Processor means the natural or legal person who is considered to be the ‘processor’ in relation to Personal Data under European Privacy Laws.
Processor Standard Clauses means module 3 of the Standard Contractual Clauses (as amended, interpreted, or supplemented by this DPA to meet the requirements of Swiss Privacy Laws and/or UK Privacy Laws).
Restricted Country means a country, territory or jurisdiction which is not which is covered by an Adequacy Decision.
Restricted Transfer means a transfer of Personal Data from an entity whose Processing of Personal Data is caught by the International Transfer Requirements to an entity that (i) Processes the relevant Personal Data in a Restricted Country; and (ii) does not participate in an Adequacy Framework.
Services means the services provided pursuant to clause 2 of the VMTC or otherwise pursuant to the Agreement.
Standard Contractual Clauses means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to GDPR, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1632820530446.
Sub-Processor means, in respect of European Data, any further Processor engaged by Vendor in accordance with paragraph 5.1 of this DPA.
Supervisory Authority means an independent public authority which is established by an EU Member State pursuant to the GDPR, or the Information Commissioner’s Office in the UK or the Federal Data Protection and Information Commissioner in Switzerland, as applicable.
Supplementary Measures means any relevant contractual, technical or organizational safeguards to supplement the Processor Standard Clauses, including measures recommended by the European Data Protection Board as set out in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of Personal Data adopted on 18 June 2021 as may be updated, amended or replaced from time to time or any other measures or safeguards as may be required by the data exporter.
Swiss Privacy Laws means all applicable law in relation to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in Switzerland, including the Federal Data Protection Act of 19 June 1992 (Switzerland), as updated or replaced from time to time.
Third Party Request means any request from a third party for the disclosure of European Data, including where compliance with such request is required or purported to be required by applicable law or regulation.
UK Addendum means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers, issued by the UK’s Information Commissioner’s Office (ICO) under or pursuant to section 119A(1) of the UK Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms).
UK GDPR has the meaning given in the UK’s Data Protection Act 2018.
UK Privacy Laws means all applicable law in relation to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
Vendor means a party to an Agreement with Yahoo.
Yahoo means Yahoo Holdings Inc., and its Affiliates, including but not limited to Yahoo Ad Tech LLC, Yahoo Inc., AOL Media LLC, AOL Membership Services LLC and Yahoo Finance LLC with an address of 770 Broadway, New York, NY 10003.
Yahoo Affiliate means Yahoo EMEA Limited, an Irish company, or Yahoo UK Limited, an English company, or any Affiliate of those companies.
Yahoo User means any data subject that uses a Yahoo Affiliate provided service.
Yahoo Personnel means Personnel of a Yahoo Affiliate.
1.2 In this DPA, the Background and the Appendices:
1.2.1 words and expressions used but not defined in this DPA shall have the meaning given to such words and expressions under the Agreement or, where such terms are not defined in the Agreement, the meaning given to such words and expressions under European Privacy Laws.
1.2.2 any reference to a statute shall, unless the context otherwise requires, be construed as a reference to that statute as from time to time amended, consolidated, modified, extended, replaced or re-enacted together with any secondary legislation made thereunder as from time to time amended, consolidated, modified, extended, replaced or re-enacted.
1.2.3 any reference to the to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Applicable European Law is the UK Privacy Laws or the Swiss Privacy Laws, be construed as a reference to the UK GDPR or the Swiss Privacy Laws and/or the equivalent Article, Chapter or provision of the UK GDPR or the Swiss Privacy Laws (as applicable).
1.3 In the event of a conflict or inconsistency between the definitions used in this DPA and those provided under European Privacy Laws, definitions provided under European Privacy Laws shall prevail in respect of such conflict or inconsistency.
1.4 This DPA shall supersede and replace any previous data processing agreement or agreements between the parties insofar as they related to the Processing of European Data.
1.5 This DPA shall apply in addition to, and not in substitution for, any other terms contained in the Agreement. Nothing in this DPA shall change either party’s exclusions and/or limitations of liability (including any indemnities) under the Agreement and all such provisions shall continue to apply notwithstanding this DPA coming into effect, including, without limitation section 8 (‘Our warranties and Disclaimers’) and section 9 (‘Limitation of Liability’) of the Yahoo Terms of Service which shall also apply to this DPA. In the event of conflict or inconsistency between the terms of this DPA and other terms of the Agreement relating to the Processing and security of European Data, the terms of this DPA shall prevail in respect of such conflict or inconsistency only.
1.6 Paragraph 4 of the DPA addresses the requirements of Article 28 GDPR and Article 28 of the UK GDPR, and paragraph 6 of the DPA addresses the requirements of clauses 8.8 and 9(b) of the Controller to Processor Standard Clauses. In the event that terms of paragraph 4 and paragraph 6 overlap, the terms of paragraph 6 shall prevail.
2. DETAILS OF PROCESSING OPERATIONS
2.1 The subject matter and details of the Processing of European Data are described in Appendix 1 to this DPA, which forms an integral part of this DPA and the Agreement.
3. YAHOO OBLIGATIONS
3.1 Yahoo is a Processor that Processes European Data for and on behalf of Yahoo Affiliates (such Affiliates being the Controllers).
3.2 Yahoo acknowledges, with respect to European Data, its statutory duties as Processor and agrees to comply with the obligations applicable to it under European Privacy Laws.
4. VENDOR OBLIGATIONS
4.1 Vendor shall only carry out the Processing of the European Data for and on behalf of Yahoo.
4.2 In discharging its obligations under the Agreement and this DPA, Vendor is responsible for its compliance with the GDPR, and/or the UK GDPR as applicable.
4.3 Without prejudice to the generality of paragraph 4.2, Vendor agrees and warrants that it will at its own cost:
4.3.1 only Process European Data on behalf of Yahoo and in compliance with documented instructions, the Agreement and this DPA (the “Instructions"). The Instructions may be provided by Yahoo on behalf of a Yahoo Affiliate, including instructions relating to international data transfers. Vendor shall not Process any European Data for purposes other than the performance of the Services in accordance with the Agreement;
4.3.2 immediately inform Yahoo in writing if, in Vendor’s opinion, an Instruction infringes Applicable European Law;
4.3.3 comply with paragraph 5 in respect of the disclosure of European Data;
4.3.4 ensure that European Data is accurate and up-to-date, and Vendor shall inform Yahoo without delay if Vendor becomes aware that the European Data being Processed is inaccurate or outdated;
4.3.5 implement the technical and organizational security measures provided for in the Network Security Terms prior to the commencement of the Processing activities in respect of European Data, maintain such security measures (or better security measures) for the duration of the Agreement, provide Yahoo with copies of its privacy and security policies prior to the commencement of the Processing activities and promptly notify Yahoo in writing of any proposed changes to those policies during the term of the Agreement;
4.3.6 take all reasonable steps to ensure that access to European Data is strictly limited to those members of its personnel that need to Process European Data for the performance of the Services and that such personnel are aware of and comply with this DPA;
4.3.7 comply with strict confidentiality obligations in respect of European Data and ensure that all its personnel and any Sub-Processors are subject to legally binding, written obligations of confidentiality, which shall in each case survive termination of their employment, contract or assignment;
4.3.8 inform Yahoo’s Notification Contact as described in the Network Security Terms without delay of:
(A) any non-compliance by Vendor, its personnel and/or any Sub-Processor with this DPA and/or the provisions of European Privacy Laws or any other law relating to the protection of Personal Data Processed under this DPA;
(B) any correspondence, notice, inquiry or investigation received from a Supervisory Authority; and
(C) any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of European Data) received directly from a Data Subject without responding to that request, unless Yahoo provides written authorisation to Vendor to respond.
4.3.9 notify Yahoo’s Notification Contact of a Personal Data Breach without undue delay, and in any event no later than 24 hours after becoming aware of the Personal Data Breach. Vendor shall follow the procedure set out in the Network Security Terms and ensure that any such notification contains the following information (to the extent possible):
(A) a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
(B) the details of a contact point within Vendor’s business where more information concerning the personal data breach can be obtained;
(C) the likely consequences of the Personal Data Breach and the measures taken or proposed to be taken to address the Personal Data Breach, including to mitigate its possible adverse effects, and
to the extent that it is not possible to provide the foregoing information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided to Yahoo’s Notification Contact without undue delay.
4.3.10 fully co-operate with and assist Yahoo without delay in respect of Yahoo’s obligations, or those of Yahoo Affiliates regarding:
(A) requests from Data Subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of European Data;
(B) the investigation of any Personal Data Breach and the notification to the relevant Supervisory Authority and Data Subjects in respect of such Personal Data Breach;
(C) the preparation of data protection impact assessments and, where applicable, carrying out consultations with the Supervisory Authority;
(D) the obligation to ensure that European Data is accurate and up-to-date in accordance with paragraph 4.3.4 of this DPA; and
(E) the security of European Data including by implementing the technical and organizational security measures provided for in Network Security Terms.
4.3.11 deal promptly, properly and in good faith with all inquiries relating to Vendor’s Processing of European Data whether such inquiry is made by Yahoo, a Yahoo Affiliate, a Data Subject or the Supervisory Authority concerned. Save to the extent strictly required by law, Vendor shall not respond to an inquiry relating to European Data from a Data Subject or a Supervisory Authority without the prior written consent of Yahoo;
4.3.12 if Vendor is required by law to Process European Data, inform Yahoo of this requirement in advance of any Processing of European Data, unless Vendor is prohibited from informing Yahoo on important grounds of public interest; and
4.3.13 without prejudice, and subject, to paragraph 4.5 or any other audit or inspection right provided for Yahoo under the Agreement, promptly make available to Yahoo all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by Yahoo, a Yahoo Affiliate or another auditor mandated by Yahoo.
4.4 Vendor agrees and warrants that it has no reason to believe that laws applicable to it, including any Applicable European Law, prevent it from fulfilling the instructions received from Yahoo and its obligations under this DPA and that in the event of a change in law which is likely to have a substantial adverse effect on the warranties and obligations provided by Vendor in this DPA, it will promptly notify in writing the change to Yahoo as soon as it is aware, in which case Yahoo is entitled to suspend the relevant Processing of European Data and/or Yahoo may terminate the Agreement or part thereof.
4.5 Without limiting or affecting any other right of audit or inspection provided for Yahoo under the Agreement (including under the Network Security Terms), Vendor agrees and warrants that at the request of Yahoo or a Yahoo Affiliate, it shall submit its Processing facilities and/or any location from which European Data can be accessed by Vendor and/or its personnel or representatives for audit of the Processing covered by this DPA to ascertain and/or monitor compliance with this DPA, the Agreement and European Privacy Laws, which audit shall to the extent reasonably practicable be carried out with reasonable notice and during regular business hours, and in all cases under obligations of confidentiality, by Yahoo, Yahoo Affiliate and/or by a third party appointed by Yahoo.
5. PROHIBITION ON TRANSFER AND DISCLOSURE
5.1 Without limiting or affecting any other term of the Agreement, Vendor shall, if it wishes to engage one or more third parties acting on its behalf to help it satisfy its obligations in accordance with this DPA and the Agreement and to delegate all or part of the Processing activities to such Sub-Processor, inform Yahoo in writing at least 30 days’ prior to the subcontracting, thereby giving Yahoo sufficient time to be able to object to such engagement prior to the engagement. Vendor shall provide Yahoo with such information as is necessary to enable Yahoo to exercise its right to object. Vendor shall enter into appropriate contractual arrangements with such Sub-Processor that provide for the same level of data protection and information security obligations in respect of European Data as those binding on Vendor in this DPA and in the Processor Standard Clauses including in terms of third party beneficiary rights for Data Subjects. If a Sub-Processor fails to comply with its data protection obligations in respect of European Data, Vendor shall remain fully liable to Yahoo for the performance (or failure of performance) of the Sub-Processor’s data protection obligations in respect of European Data.
5.2 Vendor shall not disclose, or permit disclosure of, European Data to any third party (including for back-up purposes) save for:
5.2.1 disclosures to any Sub-Processor authorized by Yahoo under and in accordance with this DPA; and/or
5.2.2 Third Party Requests where Vendor is prohibited by applicable law or regulation from notifying Yahoo, including prohibitions under criminal law in order to preserve the confidentiality of an investigation by the relevant authorities. In such cases, Vendor shall use reasonable endeavours to advise Yahoo in advance of such disclosure and, in any event, as soon as practicable thereafter.
5.3 Vendor shall not transfer, or permit the transfer of, any European Data outside the United States without the prior written authorisation of Yahoo.
5.4 If Vendor cannot provide such compliance with this paragraph 5 for whatever reason, Vendor agrees and warrants to promptly inform Yahoo of its inability to comply, in which case Yahoo is entitled to suspend the relevant Processing of European Data and/or terminate the Agreement or part thereof.
6. STANDARD CONTRACTUAL CLAUSES
6.1 Yahoo, as Processor of European Data, receives European Data from Yahoo Affiliates in accordance with the Controller to Processor Standard Clauses or by relying on Adequacy Frameworks. To the extent that Vendor’s Processing of Personal Data constitutes a Restricted Transfer, Yahoo and Vendor agree to comply with the relevant provisions in the Processor Standard Clauses (as amended by the UK Addendum, where applicable) which are hereby incorporated by reference and are an integral part of this DPA having full force and effect as if those provisions were set out in full herein. For the avoidance of doubt, the parties agree that the Processor Standard Clauses are deemed executed by the parties without the need for any further signature from a party.
6.2 For the purposes of the Processor Standard Clauses (but subject always to any overriding provisions that apply pursuant to paragraphs 6.3 and 6.4 below ), in respect of Restricted Transfers the parties agree that Yahoo is the data exporter and Vendor is the data importer and that the Processor Standard Clauses apply as follows:
6.2.1 the option under clause 7 (docking clause) shall not apply;
6.2.2 option 2 under clause 9 (use of sub-processors) shall apply and the time period (for informing the data exporter) shall be 30 days;
6.2.3 the optional provision in clause 11(a) shall not apply;
6.2.4 the governing law for the purposes of clause 17 (governing law) shall be the law that is designated in paragraph 8 of this DPA;
6.2.5 the courts under clause 18 (choice of forum and jurisdiction) shall be those designated in paragraph 8 of this DPA; the Supervisory Authority for the purposes of Annex I.C shall be the Supervisory Authority of the Irish Data Protection Commission; and
6.2.6 the Processor Standard Clauses shall be completed as follows:
(A) the contents of Appendix 1 to this DPA shall form Annex 1.A and 1.B; and
(B) the contents of Appendix 2 to this DPA shall form Annex II.
6.3 In respect of Restricted Transfers subject to UK Data Privacy Laws, the parties agree that:
6.3.1 the UK Addendum (together with any applicable elections and information made above in respect of the Processor Standard Clauses) is hereby incorporated by reference and are an integral part of this DPA having full force and effect as if those provisions were set out in full herein. For the avoidance of doubt, the parties agree that the UK Addendum is deemed executed by the parties without the need for any further signature from a party.
6.3.2 for the purpose of Table 4 of the UK Addendum, the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
6.4 In respect of Restricted Transfers subject to Swiss Privacy Laws, the parties agree that the Processor Standard Clauses shall be read as follows:
6.4.1 general and specific references to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law shall be construed as a reference to the equivalent Swiss Privacy Law(s);
6.4.2 the term “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Processor Standard Clauses; and
6.4.3 the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of Clause 13 of the Processor Standard Clauses.”
6.5 The Processor Standard Clauses shall cease to apply if and to the extent that the Restricted Transfer ceases to be a Restricted Transfer.
6.6 The parties acknowledge and agree that the Processor Standard Clauses may not, in isolation, ensure compliance with the International Transfer Requirements. Accordingly, the Vendor shall, promptly on Yahoo’s request (whether prior to the Restricted Transfer or otherwise), implement and maintain any necessary Supplementary Measures in respect of the Restricted Transfer to ensure the Restricted Transfer complies with the International Transfer Requirements.
6.7 If the Processor Standard Clauses cease to exist or are no longer considered by the data exporter to be a lawful method of complying with the International Transfer Requirements for any reason, the Vendor shall cease (and procure that any the relevant third party ceases) all substantive processing of European Data until such time as the Vendor has, in accordance with Yahoo’s instructions, entered into an alternative transfer mechanism and/or put in place such Supplementary Measures as are necessary to comply with the International Transfer Requirements.
6.8 Subject to paragraph 6.10, if Yahoo determines (acting reasonably) that it is not feasible to put in place an alternative transfer mechanism and/or Supplementary Measures to enable compliance with the International Transfer Requirements, Yahoo may at its discretion:
6.8.1 require the Vendor to (and/or procure that any relevant third party processors will) only Process the European Data within certain jurisdictions and/or subject to certain other restrictions; and/or
6.8.2 delete (or procure the deletion of) and/or destroy the European Data such that it is no longer Processed in the relevant Restricted Country; and/or; and/or
6.8.3 terminate the Services provided in whole or in part on fourteen (14) days’ prior written notice (and where fees for the Services are paid in advance, Vendor shall provide Yahoo with a prorated refund in respect of fees paid for Services not provided in accordance with the Agreement as at the effective date of termination).
6.9 The Vendor shall comply with paragraphs 6.7 and 6.8 at no additional cost to Yahoo.
6.10 Where the Vendor is unable to comply with paragraph 6.8 because of local laws applicable to the Vendor that prohibit such compliance, the Vendor undertakes that it will use all reasonable efforts to ensure compliance with this DPA and will only process the relevant European Data to the extent and for as long as required under that local law.
6.11 The Processor Standard Clauses shall cease to apply if and to the extent that a transfer of Personal Data ceases to be a Restricted Transfer.
6.12 Where Vendor transfers Personal Data to third countries on the basis of its participation in one or more Adequacy Framework(s), Vendor shall:
6.12.1 provide a level of protection to Personal Data that meets the requirements of the Adequacy Framework(s);
6.12.2 notify Yahoo without undue delay if Vendor determines that it can no longer comply with Section 6.12.1 and/or if Vendor’s participation in an Adequacy Framework expires or is terminated;
6.12.3 notify Yahoo without undue delay if Vendor is required to provide a copy (including any summary or a representative copy of the relevant provisions) of this DPA to any relevant governmental body, and comply with Yahoo’s reasonable directions as to the content and form of such disclosure.
6.13 If Vendor makes a notification to Yahoo in accordance with Section 6.12.2 or a relevant Adequacy Framework ceases to exist or be a lawful method of complying with the International Transfer Requirements, that Vendor’s transfer of Personal Data to third countries shall be subject to the Processor Standard Clauses as set out in Sections 6.1 to 6.10.
7. TERMINATION
7.1 In addition to the other rights of suspension and termination under this DPA, Yahoo (on behalf of the relevant Yahoo Affiliate) shall be entitled to terminate the DPA and / or Agreement insofar as it concerns the Processing of European Data if:
7.1.1 Vendor is in substantial or persistent breach of this DPA or its obligations under European Privacy Laws; or
7.1.2 Vendor fails to comply with a binding decision of a competent court or Supervisory Authority regarding its obligations under this DPA or European Privacy Laws.
7.2 Without limiting or affecting any other provision of the Agreement (including under the Network Security Terms), the parties agree that on the termination or partial termination of the Services relating to the Processing of the European Data pursuant to this DPA and the Agreement, Vendor and any Sub-Processors in respect of which Yahoo has approved in accordance with paragraph 5 of this DPA, shall at the choice of Yahoo return all European Data and copies of that data to Yahoo or securely destroy them and certify to Yahoo that it has taken such measures, unless Applicable European Law requires storage of such European Data. In such case, Vendor warrants that it shall (and shall procure the same by any Sub-Processor) guarantee the confidentiality of the European Data stored by it and shall only actively Process such European Data after such date to the extent required by Applicable European Law.
8. GOVERNING LAW AND JURISDICTION
Without limiting or affecting any other provision of the Agreement, the parties hereby agree that the formation, interpretation and operation of this DPA and all matters, claims, disputes or issues arising out of or in connection with this DPA, are subject to the laws of the Republic of Ireland and in respect of this DPA the parties each submit to the exclusive jurisdiction of the courts of the Republic of Ireland.
9. NOTIFICATIONS PROVISIONS
The Parties agree that the following email address shall be monitored for notification of Security Incidents, data protection enquiries, and Data Subject Requests:
Yahoo: dpo-contact@yahooinc.com
10. FURTHER ASSURANCE
Each Party shall, at the request of the other Party, execute such additional documents and perform or procure the performance of such other acts or things that may reasonably be required by the other Party in order to give full effect to this DPA.
Appendix 1: Details of Processing Activities
This Appendix 1 describes the subject, scope, nature and purpose of the Processing operations that are governed by the provisions of this DPA, of which it forms an integral part.
|
Parties to Standard Contractual Clauses |
Data Exporter: Yahoo Inc., with an address of 770 Broadway, New York, NY 10003, US. Contact person’s name, position and contact details: Yahoo’s Data Protection Officer can be contacted by post to Attn: Data Protection Officer, Yahoo EMEA Limited, 5-7 Point Square, North Wall Quay, Dublin 1, Ireland. Activities relevant to the data transferred under these Clauses: The data exporter acts as a processor of European Data on behalf of Yahoo Affiliates, and has engaged the data importer to provide the Services which may involve the data importer conducting the processing operations described below. Signature and date: The parties agree that entry into the Agreement by the parties shall constitute execution of these Clauses Role: Processor Data Importer: The data importer is identified in the Agreement between the Parties Name: As set out in the Agreement Address: As set out in the Agreement Contact person’s name, position and contact details: As set out in the Agreement or as otherwise notified to the data exporter from time to time Activities relevant to the data transferred under these Clauses: The data importer is engaged in providing the Services to Yahoo pursuant to the Agreement, and in providing the Services under the Agreement, Vendor may need to Process European Data on behalf of the data exporter. The data importer will assist the data exporter in conducting the processing operations described below. Signature and date: The parties agree that entry into the Agreement by the parties shall constitute execution of these Clauses. Role: Processor |
|
Subject matter |
Processing of European Data for the provision of the services by Vendor, as more particularly described in the Agreement |
|
Duration |
For the term described in the Agreement. |
|
Frequency of the transfer |
The transfer will take place from time to time during the term of the Agreement. |
|
Nature and purpose of the Processing |
Vendor shall provide the Processing activities in respect of European Data described in the applicable Agreement only in order to provide to Yahoo the Services in accordance with the Agreement. |
|
Categories of Data Subjects |
|
|
Types of Personal Data |
European Data comprise the Personal Data as defined in the Agreement, and will be:
|
|
Retention period |
Subject to paragraph 7 of this DPA, the duration of the Services and the Agreement. |
|
Sub-processors |
Subject to paragraph 5 of this DPA, the Vendor may use Sub-processors where it is authorised to subcontract any element of the Services which require the processing of Personal Data, to help Vendor satisfy its obligations in accordance with this DPA and the Agreement. |
Appendix 2
Technical and Organizational Security Measures
In accordance with paragraph 4.3.5 of this DPA, before processing European Data, Vendor will adopt and maintain appropriate (including organisational and technical) security measures in dealing with European Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Without limiting or affecting the foregoing, Vendor shall implement and maintain the specific organisational and technical security measures contained in the Network Security Terms located at: https://legal.yahoo.com/us/en/yahoo/terms/vendor/networksecurity/index.html save that in respect of Section 3(3)(d)(i)(c) of the Network Security Terms, Vendor shall, to the extent not precluded by Law, refrain from notifying law enforcement, government agencies and/or regulators (including supervisory authorities) of any Personal Data Breach until Yahoo provides its written consent for Vendor to make such notification (if at all).