DATA PROCESSING ADDENDUM

This Data Processing Addendum (the "Addendum") is entered into by and between Yahoo (defined below), and the undersigned counterparty ("Company") for itself and (where applicable) on behalf of each of its Affiliates (defined below). This Addendum forms part of each MSA (as defined below) entered into by and between Company and/or any Company Affiliate and Yahoo for the provision of Services.

“Yahoo” means Yahoo EMEA Limited (a company incorporated under the laws of Ireland (registration number: 426324) whose principal place of business is at 5-7 Point Square, North Wall Quay, Dublin 1, Ireland) or the relevant Yahoo Affiliate that is a party to the MSA. "Yahoo Affiliate" means any Affiliate of Yahoo based in the EEA or UK.

Yahoo and Company are each a “Party” and collectively are the “Parties” to this Addendum.

Any undefined terms used herein shall have the meanings set forth in the MSA.

 

INTRODUCTION

 

The Company and Yahoo and/or the Yahoo Affiliates are or will become parties to an MSA for the provision of Services under which the Company and Yahoo may share or receive Personal Data as described in the MSA and/or this Addendum. This Addendum only applies to the extent that Applicable Data Protection Law applies to the Processing of Personal Data under the MSA and/or this Addendum, including if (a) the Processing is in the context of the activities of an establishment of either Party in the European Economic Area which, for the purposes of this Addendum, is deemed to include Switzerland (“EEA”) and/or the United Kingdom (“UK”) and/or (b) the Personal Data relates to Data Subjects who are in the EEA and/or the UK and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA and/or the UK by or on behalf of a Party. The Parties shall ensure that they will Process Personal Data in accordance with this Addendum.

 

TERMS AND CONDITIONS

 

1. Definitions and Interpretation

1.1 In this Addendum, the following terms shall have the following meanings:

(a) “Adequacy Decision” means a decision made by the European Commission that a third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection in respect of the Processing of Personal Data pursuant to Article 45(1) of the GDPR, excluding a decision made in relation to an Adequacy Framework.

(b) "Adequacy Framework" means (i) the EU-US Data Privacy Framework adopted pursuant to European Commission Implementing Decision of 10 July 2023 ("EU-U.S. DPF"); (ii) the UK Extension to the EU-U.S. DPF; and (iii) the Swiss-U.S. Data Privacy Framework.

(c) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

(d) "Applicable Data Protection Law" means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, transposing, or made pursuant to (i) and (ii); (iv) the UK Data Protection Law; (v) the Swiss FDPA; and (vi) any legislation replacing or updating any of the foregoing.

(e) "Company Technical and Organisational Measures" means the technical and organisational measures which Company must adhere to, defined by Yahoo and located at https://legal.yahoo.com/ie/en/yahoo/terms/vendor/networksecurity/index.html, together with any additional security measures that are agreed between the parties in writing.

(f) "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), “Personal Data Breach” and "Special Categories of Personal Data" shall have the meanings given in Applicable Data Protection Law.

(g) “Data Processing Terms” means the terms set out at Annex 1 to these Terms and Conditions.

(h) “End User” means a human visitor to a website, application or other media.

(i) “EU SCCs” means the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to GDPR, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&q...

(j) "International Transfer Requirements" means the requirements of Chapter V of the GDPR.

(k) "MSA" means any agreement for Services between Yahoo and/or any Yahoo Affiliate and Company, pursuant to which a Party engages in or is permitted to engage in the Processing of Personal Data.

(l) "Processor Standard Clauses" means, as applicable, module two (Controller to Processor) of the EU SCCs (as amended, interpreted, or supplemented by Section 3 of these Terms and Conditions to meet the requirements of UK Data Protection Law and/or the Swiss FDPA).

(m) "Restricted Country" means a country, territory or jurisdiction which is covered by an Adequacy Decision.

(n) "Restricted Transfer" means a transfer of Personal Data from an entity whose Processing of Personal Data under the MSA and/or this Addendum is caught by the requirements of Applicable Data Protection Law to an entity that (i) Processes the relevant Personal Data in a Restricted Country; and (ii) does not participate in an Adequacy Framework.

(o) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data that has been shared by the other Party (or which it Processes in connection with the MSA). For the avoidance of doubt, any Personal Data Breach of such Personal Data will comprise a Security Incident.

(p) "Services" means services provided to the other Party pursuant to the terms of an MSA.

(q) "Subprocessor" means any entity which provides Processing services on behalf of a Processor.

(r) "Supplementary Measures" means any relevant contractual, technical or organisational safeguards to supplement the Processor Standard Clauses, including measures recommended by the European Data Protection Board as set out in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of Personal Data adopted on 18 June 2021 as may be updated, amended or replaced from time to time or any other measures or safeguards as may be required by the data exporter;

(s) "Swiss FDPA" means the Federal Data Protection Act of 19 June 1992 (Switzerland), as updated or replaced from time to time.

(t) "UK Addendum" means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers, issued by the UK’s Information Commissioner’s Office (ICO) under or pursuant to section 119A(1) of the UK Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms).

(u) "UK Data Protection Law" means (i) the Data Protection Act 2018 (“DPA 2018”), (ii) the UK GDPR (as defined in the DPA 2018); and (iii) the UK Privacy and Electronic Communications Regulations 2003 (“PECR”), each as updated or replaced from time to time.

(v) A reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Applicable Data Protection Law is the UK Data Protection Law or the Swiss FDPA, be construed as a reference to the UK GDPR or the Swiss FDPA and/or the equivalent Article, Chapter or provision of the UK GDPR or the Swiss FDPA (as applicable).

1.2 This Addendum comprises these Terms and Conditions, the Data Processing Terms and the Schedules to the Data Processing Terms. A reference to a Section is a reference to a section of these Terms and Conditions and a reference to a Paragraph is a reference to a paragraph of the Data Processing Terms.

1.3 In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out in this Addendum shall form part of each MSA. Except where the context requires otherwise, references in this Addendum to the MSA are to each MSA, including this Addendum.

1.4 If and to the extent that there is any conflict or inconsistency between this Addendum and the terms of the MSA, the terms of this Addendum shall prevail.

2. Obligations of the Parties

2.1 The Parties agree that Yahoo is a Controller (or is a Processor on behalf of a third party Controller) and Company is Yahoo’s Processor (or Subprocessor), and that the Data Processing Terms will apply in respect of Company’s Processing of Personal Data.

2.2 The Parties shall, at all times, comply with their respective obligations under Applicable Data Protection Laws.

2.3 The Parties agree that the following email addresses shall be monitored for data protection enquiries and Data Subject Requests:

Yahoo: dpo-contact@yahooinc.com
Company: as set out in the MSA

3. International transfers

3.1 Subject always to any express restrictions in the MSA, each Party shall be entitled to make Restricted Transfers provided that it complies with the requirements of Applicable Data Protection Law in respect of such Restricted Transfers.

3.2 Subject to Section 3.3, if and to the extent that the Company’s Processing of Personal Data constitutes a Restricted Transfer (including if Company’s Processing becomes a Restricted Transfer after entry into this Addendum), the Parties agree that:

(a) the Processor Standard Clauses shall apply and the following elections are made:

(i) Clause 7: the optional docking clause shall not apply;

(ii) Clause 9: option 2 shall apply and the time period (for informing the data exporter) shall be 30 days;

(iii) Clause 11(a): the optional provision shall not apply;

(iv) Clause 17: option 1 shall apply and the governing law shall be Irish law; and

(v) Clause 18(b): any dispute arising from the Processor Standard Clauses shall be resolved by the Irish Courts;

(b) Annex I of the Processor Standard Clauses shall be as set out at Schedule A to the Data Processing Terms;

(c) Annex II of the Processor Standard Clauses shall be as set out at Schedule B to the Data Processing Terms; and

(d) the Processor Standard Clauses are deemed executed by the Parties (acting on their own behalf and, in the case of the Company, on behalf of any of its relevant Affiliates) without the need for any further signature from a Party.

3.3 In respect of Restricted Transfers:

(a) subject to UK Data Protection Laws, the UK Addendum (together with any applicable elections set out in the Processor Standard Clauses) is hereby incorporated into this Addendum by reference. The Parties acknowledge and agree that, by entering into this Addendum, the UK Addendum is deemed executed by the Parties (acting on their own behalf and, in the case of Company, on behalf of any of its relevant Affiliates) without the need for any further signature from a Party;

(b) subject to the Swiss FDPA, the Parties agree that the Processor Standard Clauses shall be read as follows: (a) general and specific references in the Processor Standard Clauses to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law shall be construed as a reference to the Swiss FDPA and/or other relevant Swiss law (as applicable); (b) the term “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Processor Standard Clauses; and (c) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of Clause 13 of the Processor Standard Clauses.

3.4 For the purposes of Table 4 of the UK Addendum, the Parties agree that the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.

3.5 If the Processor Standard Clauses cease to exist or the data exporter determines (acting reasonably) that the Processor Standard Clauses are not a lawful method of complying with the International Transfer Requirements, the data importer shall cease (and procure that any relevant third party ceases) all substantive Processing of the relevant Personal Data until such time as the data importer has, in accordance with the data exporter’s instructions, entered into an alternative transfer mechanism and/or put in place Supplementary Measures to comply with the International Transfer Requirements.

3.6 Subject to Section 3.8, if the data exporter determines (acting reasonably) that it is not feasible to put in place such an alternative transfer mechanism and/or Supplementary Measures to enable compliance with the International Transfer Requirements, the data exporter shall be entitled to require the data importer to:

(a) Process (and/or procure that any relevant third party Processes) the Personal Data within a jurisdiction which is not a Restricted Country;

(b) delete (or procure the deletion of) and/or destroy the Personal Data such that it is no longer processed in the relevant Restricted Country; and/or

(c) terminate in whole or in part any affected services provided under any related commercial agreement on fourteen (14) days’ prior written notice (and where fees for the services are paid in advance, Company shall provide Yahoo with a prorated refund in respect of fees paid for services not provided in accordance with the MSA as at the effective date of termination).

3.7 The data importer shall comply with Sections 3.6 and 3.7 at no additional cost to the data exporter.

3.8 Where the data importer is unable to comply with Section 3.6 because of local laws applicable to the data importer that prohibit such compliance, the data importer warrants that it will continue to ensure compliance with this Section and will only process the relevant Personal Data to the extent and for as long as required under that local law.

3.9 If there is any conflict between this Addendum and the Processor Standard Clauses, the Processor Standard Clauses shall prevail. The rights and remedies provided under this Addendum are in addition to, and not exclusive of, any rights or remedies provided by law. For the avoidance of doubt, nothing in this Addendum is intended to vary, modify or contradict the Processor Standard Clauses.

3.10 The Processor Standard Clauses shall cease to apply if and to the extent that a transfer of Personal Data ceases to be a Restricted Transfer.

3.11 Where Company transfers Personal Data to third countries on the basis of its participation in one or more Adequacy Framework(s), Company shall:

(a) provide a level of protection to Personal Data that meets the requirements of the Adequacy Framework(s);

(b) notify Yahoo without undue delay if Company determines that it can no longer comply with Section 3.11(a) and/or if Company’s participation in an Adequacy Framework expires or is terminated;

(c) notify Yahoo without undue delay if Company is required to provide a copy (including any summary or a representative copy of the relevant provisions) of this Addendum to any relevant governmental body, and comply with Yahoo’s reasonable directions as to the content and form of such disclosure.

3.12 If Company makes a notification to Yahoo in accordance with Section 3.11(b) or a relevant Adequacy Framework ceases to exist or be a lawful method of complying with the International Transfer Requirements, that Company’s transfer of Personal Data to third countries shall be subject to the Processor Standard Clauses as set out in Sections 3.2 to 3.9.

4. Term and Concluding Provisions

The term of this Addendum will take effect on the earlier of (a) the date of execution of this Addendum by the Parties; (b) the effective date of the relevant MSA; or (c) the date that the Parties commenced their Processing of Personal Data under this Addendum and/or the MSA (the “Effective Date”) and will remain in effect until the MSA is terminated in accordance with its terms or until either party ceases to Process Personal Data under or in connection with the MSA and/or this Addendum, whichever is the later (the “Term”). Any provision of this Addendum that is, expressly or by implication, to survive termination or expiry of this Addendum shall survive such termination or expiry.

5. Miscellaneous

5.1 This Addendum and any underlying MSA shall constitute the entire agreement between the Parties with respect to the subject matter of this Addendum, and this Addendum supersedes all prior agreements or representations, oral or written, regarding such subject matter, including any provisions in the MSA which address the Processing of Personal Data (insofar as such Processing relates to compliance with the Applicable Data Protection Law).

5.2 This Addendum and all disputes and claims (including all actions to enforce such claims or to recover damages or other relief in connection with such claims under this Addendum) arising out of or relating to this Addendum shall (a) be interpreted, construed and enforced in accordance with the laws of the Republic of Ireland; (b) be subject to the exclusive jurisdiction of the courts situated in the Republic of Ireland, to which each Party irrevocably submits, except in each case to the extent that Applicable Data Protection Law requires otherwise.

5.3 The Parties may execute this Addendum in counterparts, including facsimile, PDF, electronic signature (Echosign, DocuSign, etc.) and other electronic copies, which taken together will constitute one instrument.

 

 

ANNEX 1

DATA PROCESSING TERMS

WHERE YAHOO IS A CONTROLLER AND COMPANY IS A PROCESSOR AND COMPANY PROCESSES PERSONAL DATA ON BEHALF OF YAHOO

(THE “COMPANY PROCESSOR SERVICES”)

 

 

 

1. Relationship of the Parties

1.1 In relation to all Yahoo Data (defined below) processed in connection with the Company Processor Services, Company acknowledges that, as between the Parties, Yahoo is the Controller of Yahoo Data and Company is Yahoo’s Processor. "Yahoo Data" means any and all Personal Data that is processed by the Company or its Subprocessors on behalf of Yahoo in the performance of the Services and its other obligations under the MSA.

1.2 Details of the Processing carried out by the Company in connection with the Company Processor Services shall be set out in the relevant MSA and/or separately documented between the Parties in the form set out at Schedule A to this Annex 1.

2. Protection of Personal Data

2.1 In respect of the Processing of Personal Data by Company in connection with the Company Processor Services, Company shall comply with obligations applicable to Processors under Applicable Data Protection Law and shall:

(a) process the Yahoo Data only on written instructions from Yahoo (which may, in particular, be given electronically or through the functionality of the Services), including with regard to transfers of Personal Data to a Restricted Country, unless required to do so by European Union or Member State law to which Company is subject; in such a case, Company shall inform Yahoo of that legal requirement before Processing, unless and to the extent that law prohibits such information on important grounds of public interest;

(b) immediately inform Yahoo if, in the Company’s opinion, an instruction from Yahoo infringes Applicable Data Protection Law;

(c) implement and maintain the Company Technical and Organisational Measures and take all other measures required pursuant to Article 32 of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)) including all organisational and technical security measures necessary to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of Yahoo Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing;

(d) treat all Yahoo Data processed by it on behalf of Yahoo as confidential and ensure that persons authorised to Process the Yahoo Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, even after the end of their employment contract or at the end of their assignment or engagement;

(e) cooperate as requested by Yahoo in respect of, and implement appropriate technical and organisational measures to enable Yahoo to comply with, any exercise of rights by a Data Subject under Applicable Data Protection Law in respect of the Yahoo Data (including, without limitation, in relation to the access and/or deletion of a Data Subject’s Personal Data);

(f) notwithstanding Section 3 (International Transfers) of the Terms and Conditions, not access or transfer the Yahoo Data to a Restricted Country without the prior written consent of Yahoo (which such consent may be subject to the Company taking any and all measures reasonably required by Yahoo to ensure compliance with the International Transfer Requirements);

(g) provide Yahoo (at no additional cost) with all resources and assistance as are required by Yahoo for Yahoo to discharge its duties pursuant to Articles 32 to 36 of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)) including, but not limited to, promptly at the request of Yahoo providing information in respect of any data protection impact assessment which Yahoo conducts and assisting Yahoo with any prior consultations with any supervisory authority;

(h) at the choice of Yahoo, delete or return all the Yahoo Data to Yahoo after the end of the provision of the Services relating to Processing (and in any event at any time at Yahoo’s request), and delete existing copies unless and strictly to the extent that European Union or Member State law requires continued storage of the Yahoo Data;

(i) make available to Yahoo at its request all information necessary to demonstrate compliance with the obligations laid down in this Addendum, including without limitation a detailed written description of the technical and organisational methods employed by Company and its Subprocessors (if any) for the Processing of Yahoo Data; and

(j) where applicable, integrate with Yahoo’s processor API (details of which are at https://developer.yahoo.com/processor/) in order to satisfy data subject rights requests that may be submitted by data subjects to Yahoo, unless Yahoo expressly agrees in writing that such integration is not required.

2.2 Company agrees at the request of Yahoo to submit its data processing facilities (including all equipment, documents and electronic data relating to the Processing of Yahoo Data) and/or any location from which Yahoo Data can be accessed by Processor for audit to ascertain and/or monitor compliance with this Addendum and Applicable Data Protection Law which audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by Yahoo and/or by a third party designated by Yahoo.

3. Notification of Security Incident

3.1 Company will notify Yahoo without undue delay (and in any event within twenty-four (24) hours) upon becoming aware of or reasonably suspecting that a Security Incident has occurred. Company’s notification of or response to a Security Incident under this Paragraph 3 (Notification of Security Incident) shall not be construed as an acknowledgment by Company of any fault or liability with respect to the Security Incident.

3.2 Company will, as soon as possible following it becoming available to Company, provide Yahoo with the following information with respect to the Security Incident affecting Yahoo Data: (i) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects (including the number of Yahoo Data Subjects) concerned and the categories and approximate number of Personal Data records concerned; (ii) the measures being taken to contain, investigate and remediate the Security Incident; (iii) the likely consequences and risks for Yahoo and its Data Subjects as a result of the Security Incident; (iv) any mitigating actions taken; (v) a proposed plan to mitigate any risks for Data Subjects and/or Yahoo as a result of the Security Incident; and (vi) any other information reasonably requested by Yahoo.

3.3 Company will, in connection with any Security Incident affecting Yahoo Data: (i) promptly take such steps as are necessary to contain, remediate, minimise any effects of and investigate any Security Incident (and without destroying any evidence) and to identify its cause; (ii) co-operate with Yahoo and provide Yahoo with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation and/or mitigation of the Security Incident; and (iii) immediately notify Yahoo in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.

3.4 Company will not communicate with any third party, including but not limited to the media, vendors, consumers and affected individuals (but excluding its legal counsel, professional advisors and insurers) regarding any Security Incident connected to the Company Processor Services without the express written consent and direction of Yahoo.

4. Subprocessing

4.1 Company may, subject to compliance with Paragraph 4.2 of this Annex, use Subprocessors that are identified in Schedule C (or Subprocessors that are agreed in the MSA in the form set out at Schedule C) to Process Yahoo Data. Company may, subject to compliance with Paragraph 4.2 of this Annex, engage an additional or replace an existing Subprocessor to process Yahoo Data provided that (i) it notifies Yahoo of any intended use or replacement of a Subprocessor (such notice to include full details of the Company Processor services to be provided by the relevant Subprocessor, in the form set out at Schedule C) by email to emea-legal@yahooinc.com (“email notification”) thirty (30) days in advance of the engagement or replacement of the Subprocessor; and (ii) the Company will not appoint the relevant Subprocessor if Yahoo objects in writing to the proposed appointment within thirty (30) days of receipt of the email notification.

4.2 Company shall, where it engages any Subprocessor (i) undertake appropriate due diligence and only use a Subprocessor that has provided sufficient guarantees to implement appropriate technical and organisational measures, including where applicable measures equivalent to the Company Technical and Organisational Measures and any other measures agreed between the Parties, in such a manner that the processing will meet the requirements of the Applicable Data Protection Law(s) and ensure the protection of the rights of Data Subjects; (ii) provide Yahoo with information about such Subprocessor, if requested; (iii) impose, through a legally binding contract between Company and Subprocessor, data protection obligations on the Subprocessor that are in all material respects the same as (or more protective than) those that are imposed on the Company in this Addendum; (iv) where applicable and notwithstanding Section 3 of this Addendum, enter into EU SCCs (module three) or any other applicable transfer mechanism agreed in writing by Yahoo in order to ensure compliance with the International Transfer Requirements, together with any Supplementary Measures to protect the Yahoo Data (“Transfer Mechanism”); and (v) comply with, and ensure that the Subprocessor complies with, the Transfer Mechanism and on request provide any information required by Yahoo (in particular relating to assessments that have been undertaken in respect of local laws and practices affecting compliance with the Transfer Mechanism);

4.3 If any Subprocessor breaches its obligations under the contract between Company and Subprocessor or the Transfer Mechanism, Company shall remain fully responsible and liable to Yahoo in respect of such breach.

5. Liability and Payment of Compensation

Notwithstanding the provisions of the MSA, Company shall defend, indemnify and hold Yahoo harmless and keep Yahoo indemnified, on demand from and against any and all actual or alleged claims and damages (including any fines) incurred by Yahoo as a result of Company’s and/or its employees or representatives (including without limitation any Subprocessors) unauthorised and/or unlawful Processing, or accidental loss, disclosure, destruction or damage to any Yahoo Data obtained from (or held by Company or its personnel on behalf of) Yahoo, save where such loss, disclosure, destruction or damage was carried out or incurred at Yahoo’s request. Company shall be liable for and shall indemnify Yahoo and its employees and agents from and against all damages (including non-material damage) which Yahoo may suffer consequent upon any breach of Applicable Data Protection Law, recklessness or wilful default of Company, its employees or agents.

6. Insurance

Company shall take out and maintain insurance policies to the value sufficient to meet its liability and that of its Subprocessors under or in connection with this Addendum, and in no event shall such amount be less than €5,000,000. Within thirty (30) days of execution of this Addendum, Company shall provide proof of such insurance in the form of a certificate of insurance for data breach liability and which names Yahoo as an additional insured.

 

 

SCHEDULE A

DETAILS OF COMPANY PROCESSING ACTIVITIES (AND ANNEX I TO THE PROCESSOR STANDARD CLAUSES, WHERE APPLICABLE)

 

A. LIST OF PARTIES

Data exporter:

Name: Yahoo

Address: 5-7 Point Square, North Wall Quay, Dublin 1, Ireland

Contact person’s name, position and contact details: Yahoo’s Data Protection Officer can be contacted by post to Attn: Data Protection Officer, Yahoo EMEA, 5-7 Point Square, North Wall Quay, Dublin 1, Ireland or by email to emea-legal@yahooinc.com.

Activities relevant to the data transferred under these Clauses: The data exporter has engaged the data importer to provide certain services which involve the data importer conducting the Processing operations described below

Signature and date: The parties agree that entry into the MSA shall constitute execution of these Clauses

Role (controller/processor): Controller or Processor (as applicable)

Data importer:

Name: The data importer (“Company”) is identified in the relevant agreement between the parties

Address: As set out in the relevant agreement between the parties

Contact person’s name, position and contact details: As set out in the relevant agreement between the parties

Activities relevant to the data transferred under these Clauses: The data importer is engaged in providing certain services to Yahoo, and in providing the services, the Company may need to Process certain Personal Data on behalf of the data exporter. The data importer will assist the data exporter in conducting the Processing operations described below.

Signature and date: The parties agree that entry into the relevant agreement by the parties shall constitute execution of these Clauses

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Yahoo Users (any data subject that uses a Yahoo provided product or service)
  • Personnel of Yahoo
  • European Partner Personnel (any data subject that has a relationship with a commercial partner, vendor or sales lead of Yahoo, including any of their respective employees, officers, directors, agents, contractors, customers or representatives)

Categories of personal data transferred

  • European User Data: any Personal Data relating to Yahoo Users that is Processed in connection with products or services offered by Yahoo, including identifiers relating to the user and their device, and associated data
  • European Employee Data: any Personal Data relating to Yahoo’s personnel, including HR related data
  • European Partner Data: any Personal Data relating to European Partner Personnel, including business contact data and data relating to the business relationship between the European Partner and Yahoo

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The data will be transferred from time to time during the term of the agreement between the parties.

Nature of the processing

The parties will collect, record, organise, structure, store, alter, retrieve, use, disclose, combine, erase and destroy the personal data as necessary to achieve the purpose described below.

For the avoidance of doubt, Company shall provide the processing activities in respect of the data referred to above solely to provide Yahoo with services in accordance with the agreement between the parties.

Purpose(s) of the data transfer and further processing

Company’s provision of services to Yahoo.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Company will retain the data in accordance with the relevant agreement and for the duration of the relevant services.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

The Company may use (sub-) processors where it is authorised to subcontract any element of the services which require the processing of personal data, to help the Company to satisfy its obligations in accordance with the agreement between the Company and Yahoo.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Processor Standard Clauses (where applicable)

Data Protection Commission (Ireland)

 

 

SCHEDULE B

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons

The Company will implement the Company Technical and Organisational Measures located at https://legal.yahoo.com/ie/en/yahoo/terms/vendor/networksecurity/index.html, together with any additional security measures that are agreed between the parties in writing.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

As above

 

 

SCHEDULE C

 

LIST OF SUB-PROCESSORS

Yahoo has authorised the use of the following sub-processors:

  1. Name:
    Address:
    Contact person’s name, position and contact details:
    Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
  2. ………………………………………………………………………………………………………………….