Data Processing Agreement

This Data Processing Agreement (“Agreement”) is made between Partner and Newsweek (“NMG”) (each a “Party” and together the “Parties”) and commences on the Effective Date

RECITALS

A.      NMG is subject to obligations under EU Privacy Laws (as defined below) relating to the processing of personal data and the transfer of such data to organisations outside the European Economic Area. NMG is further subject to additional obligations arising under the GDPR in respect of the engagement of data processors, such as Partner.

B.      If and to the extent that Partner processes EU Data or EEA Affiliate Data (as defined below), the Parties hereby agree that such processing shall be carried out in accordance with the terms of this Agreement.

1      Definitions and Interpretation
1.1      In this Agreement, the Recitals and the Appendices, the following defined terms shall, unless the context otherwise requires, have the following meanings:

Affiliates” means Newsweek LLC, Newsweek Media Group Ltd and Newsweek Ltd or other company as advised from time to time.

Background Agreement” means any written agreement between the Parties including but not limited to any Services Agreement, SOWs, POs or other amendments thereto agreed between the Parties.

“Newsweek” means Newsweek Media Group Inc and/or any Newsweek Affiliate

EEA Affiliate Data” means any information relating to a User, which constitutes personal data under EU Privacy Laws, and which, for the purposes of EU Privacy Laws, is controlled by an NMG Company or an affiliate thereof (“EEA Affiliate”) as a data controller and which is processed by NMG as a data processor on behalf of EEA Affiliate.

European Commission Standard Contractual Clauses (for processors) 2010” means clauses at: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm, as amended from time to time.

EU Data” means:

EU User Data”, which means any information relating to a User based in the European Economic Area and processed in connection with products or services offered by NMG and not EEA Affiliate;

EU Employee Data”, which means any information relating to an employee of any NMG Company based in the European Economic Area (which is co-controlled by the relevant NMG Company based in the EEA); and

EU Partner Data”, which means any information relating to any commercial partner, Partner or sales lead, or any of their respective employees, officers, directors, agents, contractors, or representatives, that have a commercial connection or relationship with a NMG Company based in the European Economic Area (which may be co-controlled by that NMG Company);

which in each case constitutes personal data under EU Privacy Laws and which, for the purposes of EU Privacy Laws, is controlled by NMG as a data controller.

GDPR” means Regulation (EU) 2016/679 of the European Parliament

Privacy Laws” means all applicable data protection, data security and privacy laws, statutes, directives, regulations, ordinances or treaties.

Privacy Shield” means Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (C/2016/4176).

Privacy Shield Principles” means the EU-US Privacy Shield Framework Principles issued by the US Department of Commerce which forms Annex II to the Privacy Shield.

User” means any actual or prospective user (including advertisers and content providers) of products and/or services, and any officer, director, employee, agent, contractor, and representative of an NMG Company.

NMG Company” means NMG or an Affiliate, and “NMG Companies” means NMG and Affiliates.

1.2      In this Agreement and the Recitals and the Appendices:
“data exporter”, “data importer” and “sub-processor” shall have the same meaning as in the European Commission Standard Contractual Clauses (for processors) 2010, as may be amended;

“personal data”, “special categories of data”, “process”/”processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (or, as the case may be, in any successor legislation to Directive 95/46/EC, such as the GDPR);

1.3       Any reference to a statute shall, unless the context otherwise requires, be construed as a reference to that statute as from time to time amended, consolidated, modified, extended, or replaced; and

1.4       The word “including” shall mean including without limitation or prejudice to the generality of any description, definition, term or phrase preceding that word, and the word “include” and its derivatives shall be construed accordingly.

2      Data Processing Provisions (EEA Affiliate Data and EU Data)
2.1      Partner may process EU Data as a data processor and EEA Affiliate Data as either a data processor or a sub-processor. The subject matter of the processing of EU Data and EEA Affiliate Data, including the processing operations carried out by Partner on behalf of NMG, as described in the relevant SOW or PO under the Background Agreement or in Appendix 1, as relevant. To the extent that Partner collects, receives, uses, stores or otherwise processes any EEA Affiliate Data or EU Data in connection with the Background Agreement, the following terms shall apply:

2.1.1      Partner shall process EU Data and EEA Affiliate Data only on behalf of NMG and in compliance with NMG’s instructions, this Agreement, the Background Agreement and all Privacy Laws and that any collection, use, storage, disclosure or transfer of EU Data or EEA Affiliate Data by or on behalf of Partner, expressly authorised under this Agreement or with the prior written consent of NMG, will be solely for and/or on behalf of NMG and not for or on behalf of Partner (or its agents, subcontractors, or suppliers), and Partner will not, at any time for any reason, collect, use, disclose or transfer any EU Data or EEA Affiliate Data except as is necessary for the purpose of carrying out its duties as specified in the applicable Background Agreement. If Partner cannot provide such compliance for whatever reasons, Partner agrees to promptly inform NMG of its inability to comply, in which case NMG is entitled to suspend the relevant collection, use, storage, disclosure or transfer of data and/or terminate the Agreement and the Background Agreement (and any associated SOW).

2.1.2      Partner warrants that it has no reason to believe that the legislation applicable to it including all Privacy Laws prevent it from fulfilling the instructions received from NMG and its obligations under this Clause 2 and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by in this Clause 2, it will promptly notify the change to NMG as soon as it is aware, in which case NMG is entitled to suspend the relevant collection, use, storage, disclosure or transfer of data and/or terminate the Agreement and the Background Agreement (and any associated SOW).

2.1.3      Partner warrants and confirms that it has implemented suitable Technical and Organizational Measures, as defined in Article 32 of the GDPR.

2.1.4      Partner shall promptly notify NMG about:

2.1.4.1      any non-compliance by Partner or its employees with this Agreement or the regulatory provisions relating to the protection of EU Data or EEA Affiliate Data processed under this Agreement;

2.1.4.2      any legally binding request for disclosure of EU Data or EEA Affiliate Data by a law enforcement, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation – to the extent such disclosure is permitted by law;

2.1.4.3      any incident which gives rise to a risk of unauthorised or accidental disclosure, loss, destruction or alteration of EU Data or EEA Affiliate Data;

2.1.4.4      any notice, inquiry or investigation by a supervisory authority; and

2.1.4.5      any request received directly from a data subject without responding to that request, unless it has been otherwise authorised by NMG to do so;

2.1.5      Partner shall deal promptly and properly with all inquiries from NMG relating to its processing of EU Data and EEA Affiliate Data and, where applicable, to abide by the advice of the supervisory authority with regard to the processing of EU Data and EEA Affiliate Data.

2.1.6      Partner will take all reasonable steps to ensure that persons employed by it, and other persons engaged at its place of business, are aware of and comply with 2.1(i) and 2.1(iii) above.

2.1.7      Partner will assist NMG without delay in respect of NMG’s obligations regarding:

2.1.7.1      requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of EU Data or EEA Affiliate Data. In the event that a data subject sends such a request directly to Partner, Partner will pass it on to NMG without delay;

2.1.7.2      the investigation of unauthorized processing of EU Data or EEA Affiliate Data breaches and the notification to the supervisory authority and data subjects in respect of such breaches; and

2.1.7.3      the preparation of data protection impact assessments and, where applicable, partaking in consultations with the supervisory authority;

2.1.8      Partner shall, at the request of NMG, submit its data processing facilities for audit of the processing activities covered by this Clause 2 which shall be carried out by NMG or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by NMG, where applicable, in agreement with the supervisory authority;

2.1.9      Partner shall not to transfer or permit the transfer of EU Data or EEA Affiliate Data to any facility outside the EEA without the prior express written consent of NMG and any such transfer will be carried out in accordance with all Privacy Laws;

2.1.10      Partner shall not disclose or permit the disclosure of any EU Data or EEA Affiliate Data to any third party without the prior express written consent of NMG. Where Partner subcontracts its obligations under this Agreement, with the consent of NMG, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on Partner under this Clause 2. Where the sub-processor fails to fulfil its data protection obligations under such written agreement Partner shall remain fully liable to NMG for the performance of the sub-processor’s obligations under such agreement;

2.1.11      In the event of termination or partial termination of the Agreement, Background Agreement (or any associated SOW) however so arising Partner shall return all EU Data and EEA Affiliate Data and the copies thereof to NMG or destroy all the EU Data and EEA Affiliate Data and certify to NMG that it has done so, unless legislation imposed upon it prevents it from returning or destroying all or part of the EU Data and EEA Affiliate Data. In that case, Partner warrants that it will guarantee the confidentiality of the EU Data and EEA Affiliate Data and will not actively process, use or disclose the EU Data and EEA Affiliate Data anymore;

2.1.12      If the Partner is required by law to process EU Data or EEA Affiliate Data, Partner shall inform NMG of this requirement in advance of any processing, unless Partner is prohibited from informing NMG on grounds of important public interest; and

2.1.13      Partner shall make available to NMG all information necessary to demonstrate compliance with the obligations in this Clause 2.

3      Appointment of sub-processors
The Parties agree and acknowledge that sub-processors may be retained in the provision of the Services. Partner may engage new third-party sub-processors, from time to time, in connection with the provision of the services under the applicable SOW, provided that NMG will be given prior notice and an opportunity to object to the appointment. In addition, as a condition to permitting a third-party sub-processor to process Personal Data, sub-processor shall (a) agree in writing to process Data in accordance with documented instructions; (b) implement appropriate TOMs to protect the Data against a Security Breach; (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Data Protection Laws. NMG may request a list of active sub-processors at any time for auditing purposes.

4      Privacy Shield
4.1      The Parties hereby agree and confirm that if NMG becomes certified under the Privacy Shield framework to receive EEA Affiliate Data, NMG may choose to rely on its Privacy Shield certification. In the event that NMG chooses to rely on its Privacy Shield certification, the Parties agree that:

4.1.1      in addition to the provisions of Clauses 2 the Partner shall comply with the Privacy Shield Principles when processing EEA Affiliate Data; and

4.1.2      stop and remediate unauthorised processing, upon notice.

5      Conflicts
This Agreement shall apply in addition to and not in substitution for any other terms contained in the Background Agreement. In the event of conflict or inconsistency between the terms of this Agreement and the terms of the Background Agreement, the terms of this Agreement shall prevail.

6      General
6.1      No amendment, variation or modification of this Agreement will be valid unless confirmed in writing by the authorised signatories of each of the Parties.

6.2      If any of the provisions (or part thereof) of this Agreement is found by a court of competent jurisdiction or any other competent authority to be void, invalid or unenforceable, it shall be deemed to be deleted from this Agreement and the remaining provisions (or part thereof) shall not be affected and shall continue to apply. The Parties shall then negotiate in good faith in order to agree terms of a mutually satisfactory provision to be substituted for the provision found to be void, invalid or unenforceable.

6.3      Any liability of any Party under the provisions of this Agreement may in whole or in part be released, varied, impounded or compromised by such Party under any liability without it in any way prejudicing or affecting its rights against any other Party under the same or a like liability whether joint and several or otherwise. No failure by any Party to enforce any provision or term of this Agreement shall be construed as a waiver of such provisions or of the right thereafter of the Party to enforce the same.

6.4      The Parties hereby agree that the formation, interpretation and operation of this Agreement and all matters, claims, disputes or issues arising out of or in connection with this Agreement, are subject to the laws of England and Wales and the Parties each submit to the exclusive jurisdiction of the courts of England and Wales. 

APPENDIX 1

Data Processing Activities
This Appendix 1 describes the subject, scope, nature and purpose of the data processing operations that are the subject of this Data Processing Agreement, of which it forms and integral part

Subject Matter Processing of EU Data for the provision of the services by Partner as described in this Agreement.
Duration As set out in this Agreement or the associated Background Agreement
Nature and purpose of data processing Partner will provide the Processing activities in respect of the EU Data as set out in the relevant Background Agreement and for the purposes of providing the agreed services
Data Subjects EU Data
EU Partner Data