GLOBAL DATA PROTECTION AND INFORMATION SECURITY AGREEMENT
(Controller – Processor)
This Global Data Protection and Information Security Agreement (“DPA”) is made part of an agreement with Paramount Global and/or one or more of its Affiliates (such party(ies), as applicable, “Paramount”) which makes reference to this DPA or the URL at which this DPA is located (the “Agreement”). This DPA does not limit other obligations of Vendor, including, without limitation, any obligations under the Agreement or laws that apply to Vendor or to Vendor’s performance under the Agreement. In the event of a conflict between the DPA, the Agreement or any applicable security requirements, the requirement that is most restrictive and protective of Paramount, as determined by Paramount in its sole discretion, shall apply unless otherwise expressly agreed upon in writing by Paramount.
1 DEFINITIONS
1.1 Capitalized terms defined below shall have the meanings set forth herein, whether or not such terms are otherwise defined in the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement.
1.2 “Affiliate” means an entity, directly or indirectly, controlling, controlled by, or under direct or indirect common control with a party.
1.3 “Argentinian Model Clauses” mean the model contract titled Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios as adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60- E/2016.
1.4 “Business Purpose” will have the meaning set forth in Section 140 (e) of the CCPA or as similarly defined in applicable Data Protection Laws.
1.5 “Data Protection Laws” mean any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self- regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communications, data protection, or Security Incident management and/or notification including without limitation: the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); the United Kingdom General Data Protection Regulation (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., as amended (“CCPA”), and other applicable state and federal United States privacy laws (together with the CCPA, “US Privacy Laws”); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 (“LGPD).
1.6 “Data Subject” means, as applicable:
- 1.6.1 any identified or identifiable individual;
- 1.6.2 the meaning as set forth in Data Protection Laws; and
- 1.6.3 such similar terms as defined in any Data Protection Laws, including the term “Consumer”.
1.7 “Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws, including without limitation the right of access, right to rectification, right to restrict Processing, right to erasure, right to data portability, or right to object to the Processing.
1.8 “European Model Clauses” mean:
- 1.8.1 in respect of Personal Data to which the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 (“EU Model Clauses”);
- 1.8.2 in respect of Personal Data to which the UK GDPR applies, the EU Model Clauses, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (“UK Model Clauses”); and
- 1.8.3 in respect of Personal Data to which the FADP applies, the EU Model Clauses as applicable in Switzerland and adapted as follows:
- (a) the term 'Member State' shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c); and
- (b) the EU Model Clauses also protect the data of legal entities until the entry into force of the revised FADP (“Swiss Model Clauses”).
1.9 “Governmental Entity” means any federal, state, provincial, municipal, local or foreign government, governmental authority, regulatory or administrative agency, governmental commission, department, board, bureau, agency, instrumentality, court or tribunal, and includes a “Supervisory Authority” as defined in applicable Data Protection Laws.
1.10 “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to, a unique (as applicable) Data Subject, computing device, or household, and shall include, but is not limited to, all “personal data”, “personal information”, or similar terms, as defined in applicable Data Protection Laws.
1.11 “Process” or “Processing” means any operation or set of operations that is performed on Paramount Data, whether or not by automated means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification, and including all “processing” as defined in applicable Data Protection Laws.
1.12 “Restricted Transfer” means a transfer (either directly or via onward transfer) of Personal Data by a Party acting as an exporter to an importer located in a jurisdiction that has not been recognized by the Data Protection Laws applicable to the exporter as offering an adequate level of protection for Personal Data.
1.13 “Sale of Data” means:
- 1.13.1 selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Data by a business to another business or a third party for monetary or other valuable consideration; and
- 1.13.2 any other relevant activities as defined in applicable Data Protection Laws, including, without limitation, “cross-context behavioral advertising” and “targeted advertising.”
1.14 “Security Incident” means:
- 1.14.1 the unauthorized, unlawful or accidental acquisition, use, disclosure, destruction, alteration, deletion, modification, access to, corruption, transfer, sale, rental, or other Processing of any portion of Paramount Data;
- 1.14.2 any act or omission that compromises the privacy, security, confidentiality, availability or integrity of such Paramount Data or any safeguards put in place to protect the same;
- 1.14.3 any failure by Vendor to adhere to this DPA;
- 1.14.4 any other event involving Personal Data that triggers notification obligations to consumer or regulatory authorities, or similar requirements under Data Protection Laws; or
- 1.14.5 any attempt to cause any of the events described in this section 1.14.
1.15 “Subcontractor” means another data processor (as defined by Data Protection Laws) engaged by Vendor for carrying out Processing activities in respect of the Paramount Data on behalf of Paramount.
1.16 “Paramount Data” means any and all data or information, in any form, format or media, provided or otherwise accessed by or made available to Vendor or any of its employees, agents or contractors or by any other party in connection with or incidental to the Agreement, as well as all data and works obtained, developed or produced by Vendor in connection with the Agreement including derivatives, aggregations or analysis of any of the foregoing.
1.17 “Paramount Privacy and Information Security Requirements” means Paramount global information securities policies and privacy requirements applicable to Vendor as set forth in section 4 below, as may be supplemented or amended in the Agreement.
1.18 “Paramount Personal Data” means Paramount Data that constitutes Personal Data.
1.19 The terms “Business”, “Controller”, “Operator”, “Processor”, “Service Provider”, and “Special Categories of Personal Data” as used in this DPA will have the meanings ascribed to them in applicable Data Protection Laws. With respect to “Special Categories of Personal Data,” this term shall also include “sensitive personal information” or similarly defined terms in applicable Data Protection Laws and Personal Data collected from a “child” as defined under applicable Data Protection Laws.
2 ROLES OF THE PARTIES
2.1 As part of the Services described in the Agreement, Vendor may Process Paramount Data.
2.2 The Parties acknowledge and agree that with regard to the Processing of Paramount Personal Data of Data Subjects Paramount shall be the Controller and Vendor shall be the Processor of Personal Data Processed by Vendor under the Agreement.
2.3 For purposes of US Privacy Laws, Paramount shall be considered a Business or Controller and Vendor shall be a Service Provider or Processor (as such terms are defined in the applicable US Privacy Laws). Vendor certifies that Vendor understands the obligations imposed on it by this DPA and will comply with such obligations.
2.4 The subject matter of the Processing undertaken by Vendor is the provision of the Services and the Processing will be carried out for the duration of the Agreement. The Services, categories of Data Subjects, categories of Personal Data, and any specific instructions are set forth in the Agreement.
2.5 Except as expressly provided in the Agreement, Vendor acknowledges that, as between Vendor and Paramount, Paramount owns all right, title and interest in the Paramount Data.
3 OBLIGATIONS OF VENDOR WITH RESPECT TO PERSONAL DATA
3.1 When Vendor or a Subcontractor Processes Personal Data under the Agreement for or on behalf of Paramount, Vendor represents, warrants, and covenants both for itself and on behalf of each such Subcontractor, that it shall:
- 3.1.1 comply with all Data Protection Laws when Processing Personal Data, and shall not intentionally take any actions or fail to take any actions that would cause Vendor, a Subcontractor, or Paramount to be in violation of Data Protection Laws;
- 3.1.2 Process Paramount Personal Data solely for the purpose of performing its obligations under the Agreement and in accordance with Paramount’s documented instructions and not for any other purpose (including the Sale of Paramount Personal Data; processing Paramount Personal Data for any commercial purpose, other than for the Business Purposes specified by Paramount; Processing Paramount Personal Data outside of the direct business relationship with Paramount; or for combining Paramount Personal Data with Personal Data Vendor receives from or on behalf of third parties or collects independently of Paramount’s instructions), unless required to do so by applicable law to which Vendor is subject, in which case Vendor shall inform Paramount of that legal requirement before commencing Processing;
- 3.1.3 For the purposes of CCPA, Process Paramount Personal Data only for Business Purposes specified in the Agreement or applicable annex to the Agreement, subject to any further limitations specified in the Agreement.
- 3.1.4 immediately inform Paramount if, in Vendor’s opinion, Paramount’s instructions would be in breach of Data Protection Laws;
- 3.1.5 act only as a Processor, Service Provider, or Operator, or in an equivalent role as defined by Data Protection Laws, and not as a Controller or Business or equivalent role;
- 3.1.6 not disclose any Personal Data to any third party (including any Governmental Entity), for any reason, whatsoever, without Paramount’s prior express written consent, unless such disclosure is: (a) to a Subcontractor, as necessary for the performance of the Services as required by the Agreement for the benefit of Paramount and its Affiliates; or (b) required by Data Protection Laws, in which case Vendor shall, unless prohibited by such Data Protection Laws, promptly notify Paramount after receiving a request for disclosure and prior to complying with any such request. In such instances where disclosure of Personal Data is required by Data Protection Laws, Vendor shall notify Paramount in advance of any such disclosure, and at Paramount’s request, cooperate fully in resisting the disclosure request to the full extent permitted by Data Protection Laws, and in any event shall disclose the minimum Personal Data necessary to comply with Data Protection Laws;
- 3.1.7 notify Paramount without undue delay (and in any event within 24 hours) of: (a) any request for information from, or complaint by, a Governmental Entity in relation to Paramount Personal Data that Vendor Processes for the purpose of performing its obligations under the Agreement; and (b) any Data Subject Request in relation to Paramount Personal Data. Vendor shall provide to Paramount, in writing, all details surrounding such Data Subject Request, in a commonly used, structured, electronic and machine-readable format, if required. Vendor shall not respond to any Data Subject Request without Paramount’s express written consent. Further, Vendor shall fully cooperate as requested by Paramount to enable Paramount to comply with any Data Subject Request. Vendor shall implement appropriate technical and organizational measures to enable it to comply with this paragraph;
- 3.1.8 provide full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that Paramount is legally required to make in respect of Personal Data;
- 3.1.9 (a) not attempt to re-identify any non-identifying information provided to or obtained by Vendor as a result of or in connection with the Services at any time, whether during or after the term of the Agreement and not aggregate Paramount Personal Data, even if anonymized or pseudonymized, except as expressly authorized under the Agreement; (b) publicly commit to maintain and use the information in non-identifying form and not attempt to reidentify the information; and (c) contractually obligate any recipients of such non-identifying information to comply with the foregoing restrictions;
- 3.1.10 maintain records of its Processing activities under the Agreement, which will include, without limitation, the name or title of Vendor personnel who access Personal Data, the categories of Personal Data Processed on behalf of Paramount, a description of any international data transfers conducted on behalf of Paramount (including a list of any countries to which Personal Data has been transferred), a description of the technical and organizational measures used to safeguard Personal Data, and any other information required by Data Protection Laws or as may be requested by Paramount; and
- 3.1.11 limit any disclosure of Personal Data to those of its personnel and Subcontractors who have a need to know the information to provide the Services, and keep a record of such disclosures.
3.2 Vendor shall promptly notify Paramount of any determination (made by Vendor or by a Subcontractor) that it can no longer meet its obligations under this DPA, the Agreement, or Data Protection Laws.
4 PARAMOUNT GLOBAL PRIVACY AND INFORMATION SECURITY REQUIREMENTS
4.1 General Security Requirement. Vendor shall maintain physical, administrative, and technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) 800-53 Cybersecurity Framework, the Cloud Security Alliance, or other similar industry standards for information security) to protect the confidentiality, integrity, and availability of Paramount Data and systems. Vendor shall maintain industry-leading standards in evolving technical controls to ensure the protection of Paramount Data, including, without limitation, firewalls, encryption technologies, anti-virus software, access and authentication, security monitoring, and security alerting systems.
4.2 Specific Safeguard Requirements. Vendor shall maintain an information security program (the “Information and Security Program”), which will include, at a minimum, the following safeguards and controls:
- 4.2.1 Documented information security program and policies. Vendor shall implement and document a formal Information and Security Program including appropriate policies, standards, procedures, and risk assessments that are reviewed, and approved by Vendor, at least annually. The program will apply to Vendor’s employees, agents, subcontractors, and suppliers. Vendor will maintain a process to monitor and enforce Information and Security Program compliance and log Information and Security Program violations. The documented Information and Security Program shall include comprehensive information security policies approved by Vendor, a current copy or summary of which will be made available to Paramount upon request.
- 4.2.2 Security awareness training. Vendor shall provide periodic security training to its personnel and personnel of its Subcontractors on relevant threats and business requirements such as, but not limited to, social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
- 4.2.3 Physically limit access. Vendor shall enforce physical security to limit access to systems and facilities to only authorized individuals
- 4.2.4 Access controls. Vendor shall restrict access to Paramount Data and systems to only those personnel with a need-to-know for an authorized purpose. Vendor shall ensure the use of secure user authentication protocols, including the use of individual user IDs and adequate password security, with policies to block access to inactive users or in the event multiple unsuccessful attempts have been made to access a system or account.
- 4.2.5 Remote access; multi-factor authentication required. Vendor will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to (a) any network, system, application, or other asset containing Paramount Data; or (b) Vendor’s corporate or development networks.
- 4.2.6 Account and password management. Vendor shall implement account and password management policies to protect Paramount Data and systems, including, changing default and manufacturer-supplied passwords before deploying new hardware, software, or other assets, require periodic password changes, require complex passwords, and storing passwords in an industry- accepted form that is resistant to offline attacks.
- 4.2.7 Secure configurations. Vendor shall manage security configurations of its systems using industry best practices to protect Paramount Data and systems from exploitation through vulnerable services and settings.
- 4.2.8 Controlled use of administrative privileges. Vendor shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.
- 4.2.9 Encryption. Vendor shall enforce strong protection for Paramount Data, including TLS 1.2+ or equivalent, and AES-128 bit encryption for all data at rest and in transit, with logged access.
- 4.2.10 Vulnerability and patch management. Vendor shall maintain a process to timely identify and promptly remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Paramount Data and systems.
- 4.2.11 Maintenance, monitoring, and analysis of audit logs. Vendor will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Paramount Data. Logs will be kept and maintained for at least 18 months, at all times in compliance with Data Protection Laws.
- 4.2.12 Malware defences. Vendor shall deploy anti-malware software to, and configure, all workstations and servers on Vendor’s network to control and detect the installation, spread, and execution of malicious code.
- 4.2.13 Firewalls. Vendor shall maintain and configure firewalls to protect systems containing Paramount Data from unauthorized access. Vendor will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
- 4.2.14 Security testing. Vendor shall conduct periodic internal and external penetration testing of systems that process Paramount Data to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Vendor’s vulnerability management program.
- 4.2.15 Business Continuity. Vendor shall maintain a business continuity plan that includes requiring, at a minimum, offsite backups of systems processing Paramount Data, version control system software to protect against loss of work product, and provisioning of adequate back-up facilities for any site that processes Paramount Data.
- 4.2.16 Third-party risk management. Vendor shall implement and maintain a third-party risk management program, including the execution of periodic risk assessments to evaluate the security posture of Vendor’s third parties and suppliers with access to Vendor’s Data and systems.
4.3 Compliance. Vendor shall make available to Paramount all information necessary to demonstrate compliance with its Information and Security Program, the Paramount Information Security Requirements, this DPA, the Agreement and Data Protection Laws, including:
- 4.3.1 completing privacy and data security questionnaires upon Paramount request;
- 4.3.2 allowing for and facilitating audits and inspections of Vendor and Subcontractor facilities conducted by Paramount or Paramount’s authorized representatives;
- 4.3.3 permitting Paramount to regularly test Vendor’s compliance with the Paramount Information Security Requirements;
- 4.3.4 providing Paramount with accurate books and records (including, without limitation, all policies, procedures, papers, correspondence, data, information, reports, records, receipts, files, and other sources of information) consistent with generally accepted practices regarding Vendor’s performance under this DPA and the Agreement. Vendor shall, at its own cost, make any changes reasonably requested by Paramount to correct any compliance failures discovered during such audits, inspections, or tests; and
- 4.3.5 permitting Paramount, upon notice, to take reasonable and appropriate steps to stop and remediate Vendor’s unauthorized use of Personal Data.
4.4 Risk Assessment. Vendor agrees to participate in an annual risk assessment conducted by Paramount or its designee and to provide to Paramount (or its designee) any supporting documentation required during the risk assessment process, such as but not limited to, information security policies, standards, procedures, and if available, SOC2- Type1/Type2 reports, ISO27001/27002. Vendor shall also remediate any findings or deficiencies identified during Paramount’ risk assessments within a reasonable timeframe.
4.5 Software Security. If software is provided as a deliverable or as part of the service provided under the Agreement, Vendor shall have its software reviewed for security vulnerabilities by an independent third party that specializes in application security and provide Paramount the results of such review or, if Vendor has not performed such review, Vendor hereby consents to allow Paramount to commission such review by a third party at Paramount’s cost. Vendor shall reasonably cooperate with such review. Vendor shall promptly remediate security vulnerabilities identified and shall repeat the review for updates or new versions.
4.6 Background Checks. Paramount may require that Vendor representatives be subject to a lawful background check. Vendor shall cooperate with Paramount in connection with obtaining any necessary written consents in connection with any such background checks.
4.7 PCI DSS requirements. If, in the course of its Processing Paramount Data, Vendor has access to or will Process credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements (in addition to in addition to other Security Requirements), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.
4.8 If Vendor receives a request for access to Paramount Data from a Governmental Entity, Vendor shall promptly notify Paramount in advance of any such disclosure, and shall cooperate with Paramount in objecting to the request to the full extent permitted by law. If Vendor is prohibited from notifying Paramount of such request by applicable law, then Vendor shall engage legal counsel to take reasonable measure to object to such disclosure. In case of any disclosure, Vendor shall disclose only the minimum Paramount Data necessary to comply with the request.
5 SECURITY INCIDENTS
5.1 Detection and Response. Vendor will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to
- 5.1.1 identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes; and
- 5.1.2 restore the availability or access to Paramount Data in a timely manner.
5.2 Notice of Security Incident. If Vendor becomes aware of a Security Incident, or information that should reasonably lead Vendor to suspect a Security Incident has occurred, Vendor shall notify Paramount without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible:
- 5.2.1 the segment and quantity of Paramount Data affected (including whether Paramount Personal Data was affected);
- 5.2.2 the nature of the intrusion (if applicable);
- 5.2.3 any indication of likely unauthorized use of Paramount Data, and the corrective action taken or to be taken by Vendor; and
- 5.2.4 all other available details required under applicable laws, including Data Protection Laws, for Paramount to comply with its own investigation and notification obligations to regulatory authorities or Data Subjects affected by the Security Incident.
5.3 Remediation Efforts. Following any Security Incident, Vendor shall consult in good faith with Paramount regarding remediation efforts that may be necessary, appropriate, and reasonable (“Remediation Efforts”). Vendor shall:
- 5.3.1 undertake any Remediation Efforts requested by Paramount or any government agency with jurisdiction over Vendor, in either case at Vendor’s sole expense;
- 5.3.2 ensure and provide assurance (including written evidence) to Paramount that reasonable measures were and are being taken to prevent recurrence of the same or similar type of Security Incident; and
- 5.3.3 reasonably cooperate with any Remediation Efforts undertaken by Paramount.
5.4 Breach notification. Unless prohibited by applicable law, Paramount has the right to control the breach notification process, and Vendor shall not release or publish any filings, communication, notice or notification, press release, or report about the Security Incident without written authorization from Paramount.
5.5 Reimbursement. Without limiting Paramount’s other rights, Vendor shall reimburse Paramount for all costs and expenses of Remediation Efforts and regulatory fines incurred by Paramount as a result of any Security Incident related to Paramount Data while under the control or possession of Vendor.
5.6 Cooperation. Vendor shall provide all assistance to Paramount as is reasonably necessary for Paramount to meet its obligations under Data Protection Laws.
6 SUBCONTRACTORS
6.1 Vendor shall not disclose, enable Processing of, or otherwise make accessible any Paramount Data to any Subcontractor unless expressly authorised by Paramount.
6.2 Paramount authorises the entities contained in the applicable exhibit or annex to or the link contained in the Agreement to be engaged by Vendor as Subcontractors.
6.3 Vendor may appoint a new Subcontractor at any time provided that:
- 6.3.1 Vendor gives Paramount written notice of at least 30 days before the appointment of the Subcontractor;
- 6.3.2 Paramount does not object in writing to the use of the new Subcontractor within 30 days of receipt of the notice.
6.4 If there is no objection from Paramount, Vendor may engage the Subcontractor and will update the list of approved Subcontractors. If Paramount objects to the use of this Subcontractor, Vendor will use reasonable efforts to, within 30 days of receiving the objection, either find an alternative Subcontractor or suggest a change to the Services to avoid using the Subcontractor Paramount objects to. If Paramount, in its sole discretion, is not satisfied with Vendor’s proposed solution, Paramount may terminate the Agreement or any applicable statement of work, work order, or similar transaction document, in whole or in part upon written notice with no further expenses, costs, or liabilities.
6.5 Notwithstanding anything to the contrary herein, Vendor shall:
- 6.5.1 be responsible for all acts and omissions of any Subcontractor; and
- 6.5.2 require each of its Subcontractors, as a condition of performing work under the Agreement, to enter into a written agreement with the Vendor that contains obligations of confidentiality, security, and privacy at least as strict as those contained in this DPA and the Agreement;
- 6.5.3 ensure all Subcontractors that Process Paramount Data comply with all terms of this DPA and shall be liable for any breach by Subcontractor of the terms of this DPA; and
- 6.5.4 prevent Subcontractors from further assigning or subcontracting any part of their work (except to a Vendor Affiliate) without prior notification to Paramount as contemplated in section 6.3.
6.6 Vendor shall ensure that each Subcontractor that Processes or otherwise accesses Paramount Data:
- 6.6.1 is competent to perform the Services subcontracted to it in conformance with the standards of this DPA and the Agreement; and
- 6.6.2 has adopted and adequately implemented comprehensive written protocols to carry out the obligations of confidentiality, security, and privacy required by this DPA and the Agreement.
6.7 Vendor shall ensure that all Vendor or Subcontractor personnel engaged in Processing of Paramount Data:
- 6.7.1 are duly authorized to Process Paramount Data only as set forth in this DPA and the Agreement; and
- 6.7.2 have committed themselves to maintaining the confidentiality of Paramount Data or are under an appropriate legal obligation of confidentiality.
7 INTERNATIONAL DATA TRANSFERS
7.1 The Parties acknowledge that the provision of the Services under the Agreement may involve a Restricted Transfer. Notwithstanding the generality of the foregoing, the Parties agree to the following with respect to a Restricted Transfer:
- 7.1.1 If the Processing of Personal Data under the Agreement involves a Restricted Transfer by Paramount to Vendor of Personal Data to which the GDPR, the UK GDPR, or the FADP applies, the Parties agree to comply with the European Model Clauses, which shall be deemed incorporated into and form part of this DPA. For the purposes of the European Model Clauses,
- (a) Paramount is the Data Exporter and Vendor is the Data Importer (as defined in the European Model Clauses); and
- (b) the description and details of transfers, for the purposes of the European Model Clauses, and the technical and organizational measures ensuring the security of Personal Data are set out in the applicable exhibit or annex to the Agreement relating to such transfers.
- 7.1.2 If the Processing of Personal Data under the Agreement involves a Restricted Transfer by Paramount to Vendor of Personal Data subject to Argentinian Data Protection Laws, the Parties agree to comply with the Argentinian Model Clauses. The description and details of transfers, for the purposes the Argentinian Model Clauses, is set out in the applicable exhibit or annex to the Agreement relating to such transfers.
- 7.1.3 If the provision of the Services involves a Restricted Transfer by Vendor to a Subcontractor, Vendor warrants that it shall:
- (a) execute the European Model Clauses, the Argentinian Model Clauses, or any other applicable safeguard that complies with applicable Data Protection Laws to safeguard the transfer of Personal Data, and make available the same to Paramount upon request; and
- (b) if required by applicable Data Protection Law, carry out any transfer impact assessment in respect of the third country of destination which at a minimum takes account of the specific circumstances of the transfer, the laws and practices of the third country of destination, and any relevant contractual, technical, or organizational safeguards that Vendor has put in place with the Subcontract. Vendor shall make available such transfer impact assessments to Paramount upon request.
7.2 Vendor represents and warrants that neither Vendor nor, to Vendor’s knowledge, any of its Subcontractors, have received a request from any Governmental Entity for access to European Personal Data Processed by such Vendor or Subcontractor in connection with the Services or substantially similar services for other clients. Vendor covenants to notify Paramount immediately and in writing in the event that, in Vendor’s opinion:
- 7.2.1 any Restricted Transfer performed under the Agreement would be in breach of the European Model Clauses, Argentinian Model Clauses, or applicable Data Protection Laws governing such Restricted Transfers; or
- 7.2.2 Vendor is unable to provide an adequate level of protection for Paramount Personal Data under applicable Data Protection Laws (each an “Inadequacy Notice”). Upon receipt of an Inadequacy Notice from Vendor, Paramount shall be entitled to terminate the Agreement with no further expenses, costs, or liabilities.
7.3 If any additional Data Protection Laws become effective during the Agreement which involve Restricted Transfers not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.
8 DELETION OF PARAMOUNT DATA; PRESERVATION
8.1 Without limiting any obligation in the Agreement, and subject to Vendor’s retention obligations under applicable laws, rules and regulations, including Data Protection Laws, Vendor shall, and shall cause its Subcontractors to, immediately, securely destroy (by making unreadable, un-reconstructable, and indecipherable) any or all Paramount Data (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following:
- 8.1.1 termination or expiration of the Agreement or any applicable statement of work, work order or similar transaction document for any reason; or
- 8.1.2 cessation of Vendor’s need to retain such Paramount Data to perform the Services. Vendor shall certify in writing that such destruction has been completed. If Paramount requests return or transfer of all or a portion of such Paramount Data prior to the destruction described above, Vendor shall promptly return to Paramount, at no cost to Paramount, all such Paramount Data, through a secure method designated by Paramount, or shall promptly transfer such Paramount Data to Paramount’s designee, in accordance with the instructions of, and using the secure method prescribed by, Paramount, following Paramount’s written demand therefor.
8.2 Vendor shall promptly provide Paramount with a certification by an officer of Vendor that all Paramount Data has been removed from Vendor’s and any Subcontractor’s possession and/or control. If Vendor is required to retain Paramount Data pursuant to applicable laws, rules and regulations, including Data Protection Laws, Vendor shall inform Paramount of such requirement.
8.3 If Paramount notifies Vendor in writing that particular Paramount Data may be Paramount attorney-client communication or attorney work-product, then Vendor shall:
- 8.3.1 not take any action that would result in waiver of such privilege or work product immunity through the acts or omissions of Vendor or its Subcontractors;
- 8.3.2 if required by Paramount, immediately terminate the ability of any users of the applicable software or services to share such Paramount Data with third parties; and
- 8.3.3 instruct all Vendor personnel who may have access to such Paramount Data to maintain such Paramount Data as strictly confidential.
8.4 If Vendor is required by law or by interrogatories, written requests for information or documents by a Governmental Entity, subpoena, civil investigative demand or similar legal process to disclose any Paramount Data that may be within Paramount attorney-client or work-product privileges, then Vendor must provide (unless prohibited by applicable law) Paramount with prompt, written notice of such request or requirement so that Paramount may at its own expense seek an appropriate protective order or object to the requested disclosure.
8.5 Vendor shall comply with Paramount requirements regarding the preservation and production of Paramount Data held by Vendor that is relevant for legal and regulatory proceedings or investigations.
8.6 To the extent that Vendor is required to retain Paramount Data, this DPA and the Agreement will continue to apply in their entirety to such Paramount Data and Vendor’s Processing thereof.
9 INDEMNIFICATION
9.1 As an additional indemnification obligation under the applicable provision of the Agreement, Vendor will defend, indemnify and hold Paramount, its Affiliates, and their respective officers, directors, employees and agents, harmless from and against any and all claims, suits, causes of action, fines and penalties, liability, loss, costs and damages, including reasonable attorney fees, arising out of or relating to any third-party claim arising from:
- 9.1.1 failure by Vendor, its employees or Subcontractors to comply with any of its obligations contained in this DPA;
- 9.1.2 Vendor‘s performance, purported performance or non-performance of its obligations contained in this DPA; and
- 9.1.3 any security incident, except in each case to the extent resulting from the acts or omissions of Paramount.
9.2 Notwithstanding any terms of the Agreement to the contrary, any limitation of liability with respect to indemnification set forth in the Agreement shall not apply to the indemnification obligations set forth above.
10 MISCELLANEOUS
10.1 Survival. Vendor’s data protection and privacy obligations in the Agreement, including its obligations under this DPA, shall continue for so long as Vendor, or any of Vendor’s Subcontractors, continues to Process Paramount Data on behalf of Paramount, even if the Agreement has expired or been terminated.
10.2 Changes to the DPA. In addition to any rights under the Agreement, Paramount may modify this DPA at any time, including to the extent required to comply with Data Protection Laws, a court order or guidance issued by a Governmental Entity, by posting an updated version of this DPA at https://legal.paramount.com/security-and-privacy or successor website.