Twitter Data Processing Addendum

This Twitter Processor Data Processing Addendum (“Processor DPA”) shall amend and apply to all of your agreements (“Agreements”) with Twitter, Inc., Twitter International Company, and their affiliates and/or subsidiaries (“Twitter”) to the extent that Twitter processes as Your processor any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“Your Data”).

1. Definitions

Words and expressions used in this Processor DPA but not defined herein shall have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Your Data to Twitter, Inc., the Commission implementing Decision 2016/1250 (“Privacy Shield”) (“Applicable Data Protection Law”).

“You” refers to the controller who has signed this Processor DPA with Twitter.

2. Details of the Processing Operations

The subject matter of the processing, including the processing operations carried out by Twitter on your behalf, the instructions from You to Twitter, and the security measures deployed by Twitter, are described in the relevant Agreements between You and Twitter. Twitter acts on behalf of and on the instructions of You in carrying out the processing operations.

3. Your Obligations

3.1 You determine the purposes for which Your Data is being or will be processed, and the manner in which they are or will be processed.

3.2 You represent, warrant and agree that with respect to Your Data provided to Twitter pursuant to this Processor DPA You:

3.2.1 comply with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers;

3.2.2 confirm that the provision of Your Data to Twitter complies with Applicable Data Protection Law;

3.2.3 have established a procedure for the exercise of the rights of the individuals whose personal data is collected;

3.2.4 only process data that has been lawfully and validly collected and ensure that such data is relevant and proportionate to the respective uses;

3.2.5 ensure that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and

3.2.6 take reasonable steps to ensure compliance with the provisions of this Processor DPA by Your personnel and by any person accessing or using Your Data on its behalf.

4. Obligations of Twitter

4.1 Twitter carries out the processing of Your Data on your behalf.

4.2 Further to the provisions of Article 28 of the GDPR, Twitter agrees that it will:

4.2.1 process Your Data only on your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this Processor DPA and all Agreements between You and Twitter, unless required to do so by EU or Member State law to which Twitter is subject;

4.2.2 immediately inform you if in Twitter’s opinion an instruction from You infringes Applicable Data Protection Law;

4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with Twitter prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this Processor DPA, and provide You with reasonable evidence of its privacy and security policies;

4.2.4 take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this Processor DPA;

4.2.5 comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment;

4.2.6 inform You of:

4.2.6.1 any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;

4.2.6.2 any personal data breach within the meaning of Applicable Data Protection Law relating to Your Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Law (“Security Incident”);

4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and

4.2.6.4 any requests for access to, rectification or blocking of Your Data received directly from a data subject without responding to that request, unless You have authorized a response or such a response is required by law;

4.2.7 provide reasonable co-operation and assistance to You in respect of Your obligations regarding:

4.2.7.1 requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Your Data;

4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;

4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;

4.2.7.4 the security of Your Data, including by implementing the technical and organizational security measures detailed in Your Agreements with Twitter;

4.2.8 if Twitter is required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless Twitter is prohibited from informing You on grounds of important public interest; and

4.2.9 upon reasonable request, make available to You information necessary to demonstrate compliance with the obligations in this Clause 4.

4.3 Twitter shall, upon Your request (not to exceed one request per calendar year) by email to dpo@twitter.com, certify compliance with Sections 4-6 of this Processor DPA in writing. Twitter will provide you each year with an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the data processing services under the Agreements (each such report, a “Report”). If a Report does not provide, in Your reasonable judgment, sufficient information to confirm Twitter’s compliance with the terms of this Processor DPA, then You or an accredited third-party audit firm agreed to by both You and Twitter may audit Twitter’s compliance with the terms of this Processor DPA during regular business hours in a manner that is not disruptive to Twitter’s business, upon reasonable advance notice to Twitter of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Twitter expends for any such audit, in addition to the rates for support services performed by Twitter and any expenses incurred by Twitter in complying with this Clause 4.3 and Clause 4.2.7. Before the commencement of any such audit, You and Twitter shall mutually agree upon the timing, duration and scope of the audit, which shall not involve physical access to the servers from which the data processing services are provided. You shall promptly notify Twitter of information regarding any non-compliance discovered during the course of an audit. You may not audit Twitter more than once annually.

4.4 Further to the provisions of Privacy Shield, Twitter, Inc. agrees that it will provide any EU Personal Data with at least the same level of protection as required under the Privacy Shield Principles, as described here: www.privacyshield.gov/EU-US-Framework.

5. Transfer, Disclosure and Third Parties

5.1 You acknowledge and agree that (a) Twitter’s affiliates may be retained as sub-processors and (b) Twitter and Twitter’s affiliates may engage third parties in connection with the provision of the data processing services. Twitter or a Twitter affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, You hereby authorise Twitter to engage sub-processors required to assist Twitter for the purposes of providing the data processing services.

5.2 A current list of sub-processors for the data processing services is accessible via gdpr.twitter.com/customer-subprocessors. We will provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”).  You may object to Twitter’s engagement of a new sub-processor by ceasing to use the applicable product, program or feature prior to the Sub-Processor Effective Date.  Your continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes your acceptance of the new sub-processor.

6. Post-termination obligations

You and Twitter agree that on the termination of the data processing services, Twitter and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all of Your Data and copies of such data to You or securely destroy them and demonstrate to Your satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data. In such case, Twitter or the sub-processor agrees to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.

7. Governing law and jurisdiction

This Processor DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Ireland.

The parties to this Processor DPA irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Processor DPA or its subject matter or formation (including non-contractual disputes or claims).

8. Conflicts

In the event of any conflict between the terms of this Processor DPA and any other terms between You and Twitter, including but not limited to the terms of any Agreements, the terms in this Processor DPA will prevail.