Twitter Controller-to-Controller Data Protection Addendum

This Data Protection Addendum (“DPA”) with an effective date of 25 May 2018 shall amend and apply to all of your agreements (“Agreements”) with Twitter, Inc., Twitter International Company, and their affiliates, and/or subsidiaries (“Twitter”) to the extent that you receive Twitter European Data (as defined below) in connection with such Agreements.

1. Scope, Definitions and Applicable Law. This DPA will only apply to the extent that you receive personal data from Twitter originating in the European Economic Area, the United Kingdom, and Switzerland (“Twitter European Data”).  Terms and expressions used herein that are not otherwise defined, including, without limitation, “personal data,” “controller,” “processing,” and “processor,” shall have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”).  For Twitter European Data, Applicable Data Protection Law includes the EU Directive 95/46/EC and the General Data Protection Regulation (2016/679) and any implementing legislation..

2. Roles and Restrictions. Each party to this DPA: (a) is an independent controller of Twitter European Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Twitter European Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Twitter European Data. Nothing in this Section 2 shall modify any restrictions applicable to either party’s rights to use or otherwise process Twitter European Data under your Agreement(s) with Twitter, and you will process Twitter European Data solely and exclusively for the purposes specified in such Agreement(s).

3. Protection of Twitter European Data. To the extent not otherwise provided for in your Agreement(s) with Twitter: (a) you will cooperate with Twitter on and implement appropriate security (including both organizational and technical) measures prior to and during processing of any Twitter European Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Twitter European Data and ensure a level of security appropriate to the risks presented by the processing of Twitter European Data and the nature of such Twitter European Data, and these measures shall remain in place throughout the duration of your processing of Twitter European Data or until you cease to process Twitter European Data (whichever is later); (b) you will treat Twitter European Data with strict confidence and take all reasonable steps to ensure that persons you employ and/or persons engaged at your place(s) of business who will process Twitter European Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to Twitter European Data no less restrictive than the duties set forth herein; (c) you will not transfer Twitter European Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided for herein, and you will remain fully liable to Twitter for any third party’s failure to so comply.

4. Notice and Cooperation.You will promptly give written notice to and fully cooperate with Twitter:

(a) if for any reason (i) you cannot comply, or have not complied, with any portion of this DPA, (ii) you have breached or, if you continued to process Twitter European Data, would breach, any Applicable Data Protection Law governing your processing, transfer, or receipt of Twitter European Data. In such cases, you will take reasonable and appropriate steps to remedy any noncompliance, or cease further processing of Twitter European Data and Twitter may immediately terminate your Agreement or access to Twitter European Data, or take any other reasonable action; and

(b) regarding (i) any breach of security or unauthorized access to Twitter European Data that you detect or become aware of, or (ii) any complaint, inquiry, or request from a data subject or government or regulatory agency regarding Twitter European Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Twitter or any Twitter personnel, unless Twitter specifically requests in writing that you do so, except as and when otherwise required by Applicable Data Protection Law. You agree and acknowledge that if Twitter receives a request from a government or regulatory agency, Twitter may share the terms of this DPA, your Agreement(s) with Twitter, and other information you provide to demonstrate compliance with this DPA or Applicable Data Protection Law.

5. Data Exports. If (i) Twitter European Data is transferred outside of the European Economic Area or any European Commission approved country and (ii) you do not hold a valid and subsisting Privacy Shield certification in accordance with Commission implementing Decision 2016/1250 covering your processing of Twitter European Data, then you hereby agree to and hereby enter into the Controller to Controller Standard Contractual Clauses 2004 (Set II) (Commission Decision 2004/915/EC) (“C2C SCCs”) with Twitter International Company, the terms of which are hereby incorporated into this Agreement. For the purposes of the C2C SCCs, Twitter International Company is the data exporter and you are the data importer and the governing law of the C2C SCCs is Irish law.

For the purpose of Annex B to the C2C (i) the data subjects are those individuals whose personal data is contained in the data provided to you in accordance with your Agreements with Twitter; (ii) the purpose of the transfer is to permit you to use the data in accordance with the Agreement; (iii) the category of data is personal data as more particularly set out in your Agreements with Twitter; (iv) the recipients of the personal data are as specified in your Agreements with Twitter; (v) all categories of sensitive data may be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection queries are the parties’ usual contacts for matters under your Agreements with Twitter. For the purposes of clause II(h) of the C2C SCCs, Customer hereby selects option (iii) and agrees to be governed by and comply with the data processing principles set out in Annex A to the C2C SCCs. To the extent the terms of the C2C SCCs conflict with other terms of your Agreements with Twitter, the terms of the C2C SCCs will control.

6. Order of Precedence. In the event of a conflict between the provisions of this DPA and those of your Agreements with Twitter, the provisions of this DPA will control. Except as modified herein, all terms and conditions of the Agreements you have with Twitter shall remain in full force and effect.