DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is by and between Yahoo and Vendor and shall take effect from the Effective Date and shall apply where, in the course of providing the Services under the Agreement (as defined below), Vendor Processes (as defined below) EU Data (as defined below) on behalf of Yahoo.
Vendor provides the Services to Yahoo pursuant to a Purchase Order (“PO”), Statement of Work (“SOW”), a Master Services Agreement (“MSA”), the Vendor Master Terms and Conditions (“VMTC”) or other agreement (collectively referred to as the “Agreement”).
In providing the Services under the Agreement, Vendor may need to Process EU Data on behalf of Yahoo. Where Vendor Processes EU Data on Yahoo’s behalf, such Processing shall be subject to the Agreement, this DPA and the Network Security Terms (as defined below).
This DPA will only apply to the extent that EU Privacy Laws apply to the Processing of EU Data.
It is agreed as follows:
1 Definitions and interpretation
1.1 In this DPA (including the Background and the Appendices) the following terms and expressions shall have the following meanings, and are in addition to those definitions set forth elsewhere in the Agreement:
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable EU Law means any law of the European Union (or the law of one or more of the Member States of the European Union) and, for the avoidance of doubt, includes EU Privacy Laws.
Controller to Processor Standard Clauses means module 2 of the standard contractual clauses for the controller to processor transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by the European Commission in the European Commission's Implementing Decision 2021/914/EU of 4 June 2021.
Data Controller means the natural or legal person who is considered to be the ‘controller’ in relation to Personal Data under EU Privacy Laws.
Data Processor means the natural or legal person who is considered to be the ‘processor’ in relation to Personal Data under EU Privacy Laws.
Data Subject has the meaning ascribed to ‘data subject’ under EU Privacy Laws.
EEA means countries and territories comprising the European Economic Area.
EEA Affiliate means any Affiliate of Yahoo EMEA Limited, an Irish company, or Yahoo UK Limited, an English company.
Effective Date shall mean 27 September 2021.
EU Data means EU Employee Data, EU Partner Data and EU User Data.
EU Employee Data means any Personal Data relating to a member of staff of any EEA Affiliate.
EU Partner Data means any Personal Data relating to any EU commercial partner, vendor or sales lead, or any of their respective employees, officers, directors, agents, contractors or representatives that have a commercial connection or relationship with an EEA Affiliate or Yahoo.
EU Privacy Laws means the GDPR and any applicable implementing or related EU Member State legislation.
EU User Data means any Personal Data relating to users of EEA Affiliate and or Yahoo provided services or Processed in connection with products or services offered by Yahoo and/or an EEA Affiliate.
GDPR means the EU General Data Protection Regulation 2016/679.
Network Security Terms mean the network and information security requirements applicable to Vendor as more particularly described in Appendix 2.
Yahoo means Yahoo Ad Tech LLC, and/or its US affiliates, including Oath Holdings Inc. and Yahoo Inc., with an address of 770 Broadway, New York, NY 10003, USA, United States of America.
Personal Data means information that is considered under EU Privacy Laws to be “personal data”.
Personal Data Breach has the meaning ascribed to “personal data breach” under EU Privacy Laws, to the extent that such breach occurs with respect to EU Data.
Processing has the meaning ascribed under EU Privacy Laws, and ‘Process’ and “Processes” shall be construed accordingly.
Processor to Processor Standard Clauses means module 3 of the standard contractual clauses for the processor to processor transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by the European Commission in the European Commission's Implementing Decision 2021/914/EU of 4 June 2021.
Sub-Processor means, in respect of EU Data, any Data Processor engaged by Vendor in accordance with paragraph 5.1 of this DPA.
Supervisory Authority means an independent public authority which is established by an EU Member State pursuant to the GDPR.
Third Party Request means any request from a third party for the disclosure of EU Data, including where compliance with such request is required or purported to be required by applicable law or regulation.
Vendor means a party to an Agreement with Yahoo.
VMTC means the Vendor Master Terms and Conditions, available at https://legal.yahoo.com/us/en/yahoo/terms/vendor/mastertnc/index.html, which forms part of the Agreement entered into between Yahoo and Vendor for the provision of services which Vendor shall provide.
1.2 In this DPA, the Background and the Appendices:
1.2.1 words and expressions used but not defined in this DPA shall have the meaning given to such words and expressions under the Agreement or, where such terms are not defined in the Agreement, the meaning given to such words and expressions under EU Privacy Laws.
1.2.2 any reference to a statute shall, unless the context otherwise requires, be construed as a reference to that statute as from time to time amended, consolidated, modified, extended, replaced or re-enacted together with any secondary legislation made thereunder as from time to time amended, consolidated, modified, extended, replaced or re-enacted.
1.3 In the event of a conflict or inconsistency between the definitions used in this DPA and those provided under EU Privacy Laws, definitions provided under EU Privacy Laws shall prevail in respect of such conflict or inconsistency.
1.4 This DPA shall supersede and replace any previous data processing agreement or agreements between the parties insofar as they related to the Processing of EU Data.
1.5 This DPA shall apply in addition to, and not in substitution for, any other terms contained in the Agreement. Nothing in this DPA shall change either party’s exclusions and/or limitations of liability (including any indemnities) under the Agreement and all such provisions shall continue to apply notwithstanding this DPA coming into effect. In the event of conflict or inconsistency between the terms of this DPA and other terms of the Agreement relating to the Processing and security of EU Data, the terms of this DPA shall prevail in respect of such conflict or inconsistency only.
1.6 Paragraph 4 of the DPA addresses the requirements of Article 28 GDPR and paragraph 6 of the DPA addresses the requirements of clauses 8.8 and 9(b) of the Controller to Processor Standard Clauses. In the event that terms of paragraph 4 and paragraph 6 overlap, the terms of paragraph 6 shall prevail.
2 Details of Processing Operations
2.1 The subject matter and details of the Processing of EU Data are described in Appendix 1 to this DPA, which forms an integral part of this DPA and the Agreement.
3 Yahoo Obligations
3.1 Yahoo is a Data Processor of EU Data under EU Privacy Laws.
3.2 Yahoo acknowledges with respect to EU Data its statutory duties as Data Processor and agrees to comply with the obligations applicable to it under EU Privacy Laws.
4 Vendor Obligations
4.1 Vendor shall only carry out the Processing of the EU Data for and on behalf of Yahoo.
4.2I n discharging its obligations under the Agreement and this DPA, Vendor is responsible for its compliance with the GDPR.
4.3 Without prejudice to the generality of paragraph 4.2 and further to the provisions of Article 28 GDPR, Vendor agrees and warrants that it will at its own cost:
4.3.1 only Process EU Data on behalf of Yahoo and in compliance with documented instructions, the Agreement and this DPA (the “Instructions”). The Instructions may be provided by Yahoo on behalf of EEA Affiliate, including instructions relating to international data transfers. Vendor shall not Process any EU Data for purposes other than the performance of the Services in accordance with the Agreement;
4.3.2 immediately inform Yahoo in writing if, in Vendor’s opinion, an Instruction infringes Applicable EU Law;
4.3.3 comply with paragraph 5 in respect of the disclosure of EU Data;
4.3.4 ensure that EU Data is accurate and up-to-date, and Vendor shall inform Yahoo without delay if Vendor becomes aware that the EU Data being Processed is inaccurate or outdated;
4.3.5 implement the technical and organizational security measures provided for in the Network Security Terms prior to the commencement of the Processing activities in respect of EU Data, maintain such security measures (or better security measures) for the duration of the Agreement, provide Yahoo with copies of its privacy and security policies prior to the commencement of the Processing activities and promptly notify Yahoo in writing of any proposed changes to those policies during the term of the Agreement;
4.3.6 take all reasonable steps to ensure that access to EU Data is strictly limited to those members of its personnel that need to Process EU Data for the performance of the Services and that such personnel are aware of and comply with this DPA;
4.3.7 comply with strict confidentiality obligations in respect of EU Data and ensure that all its personnel and any Sub-Processors are subject to legally binding, written obligations of confidentiality, which shall in each case survive termination of their employment, contract or assignment;
4.3.8 inform Yahoo’s Notification Contact as described in the Network Security Terms without delay of:
(A) any non-compliance by Vendor, its personnel and/or any Sub-Processor with this DPA and/or the provisions of EU Privacy Laws or any other law relating to the protection of Personal Data Processed under this DPA;
(B) any correspondence, notice, inquiry or investigation received from a Supervisory Authority; and
(C) any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of EU Data) received directly from a Data Subject without responding to that request, unless Yahoo provides written authorisation to Vendor to so respond.
4.3.9 notify Yahoo’s Notification Contact of a Personal Data Breach without undue delay, and in any event no later than 24 hours after becoming aware of the Personal Data Breach. Vendor shall follow the procedure set out in the Network Security Terms and ensure that any such notification contains the following information (to the extent possible):
(A) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(B) the details of a contact point within Vendor’s business where more information concerning the personal data breach can be obtained;
(C) the likely consequences of the Personal Data Breach and the measures taken or proposed to be taken to address the Personal Data Breach, including to mitigate its possible adverse effects, and to the extent that it is not possible to provide the foregoing information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided to Yahoo’s Notification Contact without undue delay.
4.3.10 fully co-operate with and assist Yahoo without delay in respect of Yahoo’s obligations, or those of EEA Affiliates regarding:
(A) requests from Data Subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of EU Data;
(B) the investigation of any Personal Data Breach and the notification to the relevant Supervisory Authority and Data Subjects in respect of such Personal Data Breach;
(C) the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;
(D) the obligation to ensure that EU Data is accurate and up-to-date in accordance with paragraph 4.3.4 of this DPA; and
(E) the security of EU Data including by implementing the technical and organizational security measures provided for in Network Security Terms.
4.3.11 deal promptly, properly and in good faith with all inquiries relating to Vendor’s Processing of EU Data whether such inquiry is made by Yahoo, an EEA Affiliate, a Data Subject or the supervisory authority concerned. Save to the extent strictly required by law, Vendor shall not respond to an inquiry relating to EU Data from a Data Subject or a supervisory authority without the prior written consent of Yahoo;
4.3.12 if Vendor is required by law to Process EU Data, inform Yahoo of this requirement in advance of any Processing of EU Data, unless Vendor is prohibited from informing Yahoo on important grounds of public interest; and
4.3.13 without prejudice, and subject, to paragraph 4.5 or any other audit or inspection right provided for Yahoo under the Agreement, promptly make available to Yahoo all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by Yahoo, an EEA Affiliate or another auditor mandated by Yahoo.
4.4 Vendor agrees and warrants that it has no reason to believe that laws applicable to it, including any Applicable EU Law, prevent it from fulfilling the instructions received from Yahoo and its obligations under this DPA and that in the event of a change in law which is likely to have a substantial adverse effect on the warranties and obligations provided by Vendor in this DPA, it will promptly notify in writing the change to Yahoo as soon as it is aware, in which case Yahoo is entitled to suspend the relevant Processing of EU Data and/or Yahoo may terminate the Agreement or part thereof.
4.5 Without limiting or affecting any other right of audit or inspection provided for Yahoo under the Agreement (including under the Network Security Terms), Vendor agrees and warrants that at the request of Yahoo or an EEA Affiliate, it shall submit its Processing facilities and/or any location from which EU Data can be accessed by Vendor and/or its personnel or representatives for audit of the Processing covered by this DPA to ascertain and/or monitor compliance with this DPA, the Agreement and EU Privacy Laws, which audit shall to the extent reasonably practicable be carried out with reasonable notice and during regular business hours, and in all cases under obligations of confidentiality, by Yahoo, EEA Affiliate and/or by a third party appointed by Yahoo.
5 Prohibition on transfer and disclosure
5.1 Without limiting or affecting any other term of the Agreement, Vendor shall, if it wishes to engage one or more third parties acting on its behalf to help it satisfy its obligations in accordance with this DPA and the Agreement and to delegate all or part of the Processing activities to such Sub-Processor, obtain the prior written consent of Yahoo to the subcontracting. Vendor shall enter into appropriate contractual arrangements with such approved Sub-Processor that provide for the same level of data protection and information security obligations in respect of EU Data as those binding on Vendor in this DPA and in the Processor to Processor Standard Clauses including in terms of third party beneficiary rights for Data Subjects. If a Sub-Processor fails to comply with its data protection obligations in respect of EU Data, Vendor shall remain fully liable to Yahoo for the performance (or failure of performance) of the Sub-Processor’s data protection obligations in respect of EU Data.
5.2 Vendor shall not disclose, or permit disclosure of, EU Data to any third party (including for back-up purposes) save for:
5.2.1 disclosures to any Sub-Processor authorized by Yahoo under and in accordance with this DPA; and/or
5.2.2 Third Party Requests where Vendor is prohibited by applicable law or regulation from notifying Yahoo, including prohibitions under criminal law in order to preserve the confidentiality of an investigation by the relevant authorities. In such cases, Vendor shall use reasonable endeavours to advise Yahoo in advance of such disclosure and, in any event, as soon as practicable thereafter.
5.3 Vendor shall not transfer, or permit the transfer of, any EU Data outside the United States without the prior written authorisation of Yahoo.
5.4 If Vendor cannot provide such compliance with this paragraph 5 for whatever reason, Vendor agrees and warrants to promptly inform Yahoo of its inability to comply, in which case Yahoo is entitled to suspend the relevant Processing of EU Data and/or terminate the Agreement or part thereof.
6 Standard Contractual Clauses
6.1 Yahoo, as Data Processor of EU Data, receives EU Data from EEA Affiliates in accordance with the Controller to Processor Standard Clauses. Further to clauses 8.8 and 9 of the foregoing, Yahoo and Vendor agree to comply with the relevant provisions in the Processor to Processor Standard Clauses which are hereby incorporated by reference and are an integral part of this DPA having full force and effect as if those provisions were set out in full herein.
6.2 For the purposes of the Controller to Processor Standard Clauses, Yahoo is the data exporter and Vendor is the data importer and the parties agree to the following:
6.2.1 the option under clause 7 (docking clause) shall not apply;
6.2.2 option 1 under clause 9 (use of sub-processors) shall apply and for the purposes of clause 9(a) Vendor shall engage Sub-Processors in accordance with paragraph 5 of this DPA;
6.2.3 the governing law for the purposes of clause 17 (governing law) shall be the law that is designated in paragraph 8 of this DPA;
6.2.4 the courts under clause 18 (choice of forum and jurisdiction) shall be those designated in paragraph 8 of this DPA;
6.2.5 the appendix to Processor to Processor Standard Clauses shall be completed as follows:
(A) the contents of Appendix 1 to this DPA shall form Annex I.B; and
(B) the contents of Appendix 2 to this DPA shall form Annex II; and
6.2.6 in the case of transfers of EU Data originating with an EEA Affiliate located in the United Kingdom: (i) general and specific references in the Processor to Processor Standard Clauses to GDPR or EU or member state Law shall have the same meaning as the equivalent reference in the equivalent legislation of the United Kingdom (“UK Privacy Laws”); and (ii) any other obligation in the Processor to Processor Standard Clauses determined by the member state in which the data exporter or Data Subject is established shall refer to an obligation under UK Privacy Laws.
7.1 In addition to the other rights of suspension and termination under this DPA, Yahoo (on behalf of the relevant EEA Affiliate) shall be entitled to terminate the DPA and / or Agreement insofar as it concerns the Processing of EU Data if:
7.1.1 Vendor is in substantial or persistent breach of this DPA or its obligations under EU Privacy Laws; or
7.1.2 Vendor fails to comply with a binding decision of a competent court or Supervisory Authority regarding its obligations under this DPA or EU Privacy Laws.
7.2 Without limiting or affecting any other provision of the Agreement (including under the Network Security Terms), the parties agree that on the termination or partial termination of the Services relating to the Processing of the EU Data pursuant to this DPA and the Agreement, Vendor and any Sub-Processors in respect of which Yahoo has approved in accordance with paragraph 5 of this DPA, shall at the choice of Yahoo return all EU Data and copies of that data to Yahoo or securely destroy them and certify to Yahoo that it has taken such measures, unless Applicable EU Law requires storage of such EU Data. In such case, Vendor warrants that it shall (and shall procure the same by any Sub-Processor) guarantee the confidentiality of the EU Data stored by it and shall only actively Process such EU Data after such date to the extent required by Applicable EU Law.
8 Governing Law and Jurisdiction
Without limiting or affecting any other provision of the Agreement, the parties hereby agree that the formation, interpretation and operation of this DPA and all matters, claims, disputes or issues arising out of or in connection with this DPA, are subject to the law of the member state in which the relevant EEA Affiliate is established and in respect of this DPA the parties each submit to the exclusive jurisdiction of the courts of the member state in which such EEA Affiliate is established.
9 Notifications Provisions
The Parties agree that the following email address shall be monitored for notification of Security Incidents, data protection enquiries, and Data Subject Requests:
Details of Processing Activities
This Appendix 1 describes the subject, scope, nature and purpose of the Processing operations that are governed by the provisions of this DPA, of which it forms an integral part.
Processing of EU Data for the provision of the services by Vendor, as more particularly described in the Agreement
For the term described in the Agreement.
Nature and purpose of the Processing
Vendor shall provide the Processing activities in respect of EU Data described in the applicable Agreement only in order to provide to Yahoo the Services in accordance with the Agreement.
Categories of Data Subjects
Types of Personal Data
EU Data comprise the Personal Data as defined in the Agreement.
Subject to paragraph 7 of this DPA, the duration of the Services and the Agreement.
Subject to paragraph 5 of this DPA, to help Vendor satisfy its obligations in accordance with this DPA and the Agreement.
Technical and Organizational Security Measures
In accordance with paragraph 4.3.5 of this DPA, before processing EU Data, Vendor will adopt and maintain appropriate (including organisational and technical) security measures in dealing with EU Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Without limiting or affecting the foregoing, Vendor shall implement and maintain the specific organisational and technical security measures contained in the Network Security Terms located at: https://legal.yahoo.com/us/en/yahoo/terms/vendor/networksecurity/index.html save that in respect of Section 3(3)(d)(i)(c) of the Network Security Terms, Vendor shall, to the extent not precluded by Law, refrain from notifying law enforcement, government agencies and/or regulators (including supervisory authorities) of any Personal Data Breach until Yahoo provides its written consent for Vendor to make such notification (if at all).