Data Processing Agreement

Media Company Data Processing Agreement

LAST UPDATED: February 12, 2021

This Data Processing Agreement (the “DPA”) is incorporated into the agreement(s) entered into between Client or Vendor (individually referred to as “Client” for the purposes of this DPA) and Media Company, and governs the data sharing between Client and Media Company where Data Protection Law, as defined below, is implicated.

This DPA covers the processing of: (1) Personal Data that Client uploads, transfers, or otherwise provides to Media Company in connection with the Agreement; and (2) Personal Data that Media Company uploads, transfers, or otherwise provides to Client in connection with the Agreement.

Collectively, this DPA (including the SCCs, as defined below) and the Insertion Order which incorporates the Slashdot Media Standard Terms and Conditions by reference (the “Terms”) are referred to in this DPA as the “Agreement.” In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) this DPA; and (c) the Agreement.

The Purpose of this DPA is to establish a framework where both the Media Company and Client may, in connection with the Agreement, each be Controllers of EU Personal Data, including as to Lead Data, as that term is defined within the Agreement, and, in certain cases, transfer that EU Personal Data to the other party for that other party to act as a Controller of that EU Personal Data. Additionally, this DPA will address scenarios where:

A. Media Company and Client may each be Controllers (as defined below) of EU Personal Data and, in certain cases, transfer that EU Personal Data to the other party for that other party to provide certain services to the other party as a Processor;
B. Media Company and Client may each be Processors of a Joint Customer’s EU Personal Data and transfer such data to the other party for processing at the direction of that Joint Customer; or
C. Client and Media Company may be in a Controller to Processor relationship, where Client is the Controller of Personal Data, and Media Company processes such data as Processor at Client’s direction.

1. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Controller-to-Controller SCCs” means the Standard Contractual Clauses (Controller to Controller Transfers – Set II) in the Annex to the European Commission Decision of December 27, 2004 as may be amended or replaced from time to time by the European Commission.

“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010 as may be amended or replaced from time to time by the European Commission.

“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.

“EU Personal Data” means Personal Information the sharing of which pursuant to this Agreement is regulated by the Directive, the General Data Protection Regulation, and Local Data Protection Laws.

“General Data Protection Regulation” or “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Joint Customer” means a customer of both Client and Media Company.

“Joint Customer Personal Data” means any Personal Information for which a Joint Customer acts as a Controller.

“Media Company Personal Data” means any Personal Information for which Media Company acts as a Controller.

“Client Personal Data” means any Personal Information for which Client acts as a Controller.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

“Standard Contractual Clauses” or “SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under this DPA.

“Subprocessor” means any entity which provides processing services to a Processor, as defined in Section 5, in furtherance of such Processor’s processing on behalf of a Controller.

“Supervisory Authority” means an independent public authority which is established by a member state pursuant to Article 51 of the General Data Protection Regulation.

2. Compliance With Laws

The parties shall each represent and warrant that they will comply with their respective obligations and duties under applicable Data Protection Law.

3. Joint Processor Scenarios

Each party, to the extent that it, along with the other party, acts as a Processor with respect to Personal Data, will (i) comply with the instructions and restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Law. Client and Media Company both acknowledge and agree that each party is acting as a Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.

4. Controller-to-Controller Scenarios

Each party, to the extent that it, along with the other party, acts as a Controller with respect to Personal Information, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in applicable Data Protection Law.

Where both parties act as a Controller with respect to Personal Data, and the transfer of data between the parties results in a transfer of Personal Data to a jurisdiction other than in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield framework(s) or applicable law or regulation, as applicable; and/or (b) use the Controller-to-Controller SCCs, which are incorporated herein by reference. If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that the following terms apply: (i) Data subjects for whom a Client processes Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs; and (ii) Schedule A to this DPA shall apply as Annex B of the Controller-to-Controller SCCs.

The parties acknowledge and agree that each is acting independently as a Controller with respect to Personal Data and the parties are not joint controllers as defined in the General Data Protection Regulation.

5. Controller-to-Processor Scenarios

  1. Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to Sections 6-10 of this DPA shall be as follows:

    For Processing operations where Media Company processes Personal Data on Client’s behalf and at Client’s direction, the term “Processor” refers to Media Company, the term “Controller” refers to Client, and the term “Personal Data” refers to the Client’s Personal Data.

    For data processing operations where Client processes Personal Data on Media Company’s behalf and at Media Company’s direction, the term “Processor” refers to Client, the term “Controller” refers to Media Company, and the term “Personal Data” refers to Media Company’s Personal Data.

  2. Scope of Processing. In the context of the scenarios described in Section 5 above, each party agrees to process Personal Data only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.

6. Controller Obligations

The parties in their capacity as a Controller agree to:

  1. Provide instructions to the Processor and determine the purposes and means of the Processor’s processing of Personal Data in accordance with the Agreement; and
  2. Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Law for a Controller by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.

7. Processor Obligations

  1. Processing Requirements. The parties in their capacity as a Processor agree to:
    1. Process Personal Data (i) only for the purpose of providing, supporting and improving the Processor’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under Sections 6-10 of this DPA, in which case the Controller may terminate the Agreement, and any applicable agreements, or take any other reasonable action, including suspending data processing operations;
    2. Inform the Controller promptly and without undue delay if, in the Processor’s opinion, an instruction from the Controller violates applicable Data Protection Law;
    3. If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller’s instructions regarding such Personal Data collection;
    4. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor’s behalf comply with the terms of the Agreement;
    5. Represent and warrant that its employees, authorized agents and any Subprocessors are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the personal data who is not under such a duty of confidentiality;
    6. If it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;
    7. Inform the Controller if the Processor undertakes an independent security review.
  2. Notice to the Controller. The Processor will immediately and without undue delay inform the Controller if the Processor becomes aware of:
    1. any non-compliance by Processor or its employees with Sections 6-10 of this DPA or the applicable Data Protection Law relating to the protection of Personal Data processed under this DPA;
    2. any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
    3. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
    4. any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorization.
  3. Assistance to the Controller. The Processor will provide timely and reasonable assistance to the Controller regarding:
    1. responding to any request from an individual to exercise rights under applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable), and the Processor agrees to promptly inform the Controller if such a request is received directly;
    2. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller’s data subjects regarding such Personal Data Breaches; and
    3. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
  4. Required Processing. If the Processor is required by Data Protection Requirements to process any Personal Data for a reason other than in connection with the Agreement, the Processor will inform the Controller of this requirement in advance of any processing, unless the Processor is legally prohibited from informing the Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
  5. Security. The Processor will:
    1. maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;
    2. be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all of the Processor’s personnel with respect to Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
    3. take appropriate steps to confirm that all of the Processor’s personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and
    4. notify the Controller of any Personal Data Breach by the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.

8. Data Transfers

  1. Client Personal Data. For transfers of EU Personal Data to Media Company for processing by Media Company as Data Processor on behalf of Client as a Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Media Company agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks or applicable law or regulation, as applicable; or (b) use the form of the Controller-to-Processor SCCs. If data transfers under this Section 8 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom a Media Company entity processes EU Personal Data are third-party beneficiaries under the SCCs. If Media Company is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Client with respect to EU Personal Data.
  2. Media Company Personal Data. For transfers of EU Personal Data to Client for processing by Client as a Processor on behalf of Media Company as a Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Client agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks or applicable law or regulation, as applicable; or (b) use the Controller-to-Processor SCCs. If data transfers under this Section 8 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom Client processes EU Personal Data are third-party beneficiaries under the SCCs. If Client is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Media Company with respect to Personal Data. Client shall promptly notify Media Company of any inability by Client to comply with the provisions of this Section 8.b.

9. Data Return and Deletion

The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall, and shall take reasonable measures to cause any Subprocessors to, at the choice of the Controller, return all the EU Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless Data Protection Requirements prevent the Processor from returning or destroying all or part of the EU Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the EU Personal Data retained by it and that it will only actively process such EU Personal Data after such date in order to comply with applicable laws.

10. Term

This DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Agreement.

SCHEDULE A
ANNEX B – DESCRIPTION OF THE TRANSFER

  1. Data Subjects. The personal data transferred concerns the following categories of data subjects:

    Depending on the agreement between the data importer and data exporter:

    Third parties that have, or may have, a commercial relationship with the data exporter (e.g. advertisers, customers, corporate subscribers, contractors and product users).

  2. Purposes of the Transfer(s). The transfer is made for the following purposes:

    The transfer is intended to enable the relationship of the parties contemplated by the Agreement.

  3. Categories of data. The personal data transferred concern the following categories of data:

    The data transferred is the personal data provided by the data exporter to the data importer in connection with the Agreement. Such personal data may include first name, last name, email address, contact information, title, IP address, device identifier, and any personal data contained within Lead Data as that term is used within agreements to which this DPA is incorporated, and any notes provided by the data exporter regarding the foregoing.

  4. Recipients. The personal data transferred may be disclosed only to the following recipients or categories of recipients:

    Data importer’s employees and other representatives of the data importer who have a legitimate business purpose for the processing of such personal data.

  5. Sensitive data (if appropriate). The personal data transferred may concern the following special categories of data:

    None.

  6. Data protection registration. Data protection registration information of data exporter (where applicable).

    None.

  7. Additional information. Additional useful information (storage limits and other relevant information).

    The personal data transferred between the parties may only be retained for the period of time permitted under the Agreement. The parties agree that each party will, to the extent that it, along with the other party, acts as a Controller with respect to Personal Information, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Requirements.

  8. Requirements. Contact points for data protection enquiries:

Data Importer: Signatory to the Agreement

Data Exporter: Signatory to the Agreement

MEDIA COMPANY CCPA ADDENDUM

  1. In the course of this Agreement Media Company may disclose personal information, as that term is defined within the California Consumer Privacy Act (“CCPA”), to Client, including any such personal information that is present within Lead Data, as that term is defined within the Agreement. Client understands that it will be a third party, as provided by the CCPA as to this data transfer, and thus must abide by any statutory restrictions provided therein.
  2. Client certifies that it understands and will comply with the requirements set forth in this CCPA Addendum.
  3. Client agrees not to further sell, as that term is defined by the CCPA, any personal information sold to it by Media Company, unless in accordance with the CCPA, it has caused any consumers to which said personal information pertains to receive explicit notice of the proposed sale and an opportunity to exercise their right to opt out.
  4. Client further agrees to take such actions as directed by Media Company where required for compliance with the CCPA, including providing records regarding the processing of any such Personal Information.