X Data Processing Addendum
This X Data Processing Addendum (“DPA”) shall amend and apply to all of your agreements (“Agreements”) with X, Inc., X International Unlimited Company (“TIUC”), and their affiliates and/or subsidiaries (collectively,“X”) to the extent that X processes (i) as Your processor, any personal data originating from the European Economic Area (“EEA”), Switzerland, the United Kingdom (“UK”), Brazil or Japan, or (ii) as Your service provider, any personal information of California consumers (collectively, “Your Data”).
1. Definitions
Words and expressions used in this DPA but not defined including, without limitation, “business,” “business purpose,” “consumer”, “controller,” “data subject,” “personal data,” “personal information,” “processing,” “processor,” “sell,” “sensitive data,” “service provider,” “sub-processor” and their respective derivative terms, shall have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”), which may include without limitation (i) the EU General Data Protection Regulation (2016/679) (“GDPR”), (ii) the Brazilian General Data Protection Law of 2018, Brazil Federal Law 13.709/2018, Lei Geral de Proteção de Dados, (iii) the Japanese Act on the Protection of Personal Information Act. No.57 of 2003 as amended, and its applicable regulations, and (iv) the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq. and its implementing regulations, in each case as amended, superseded or replaced from time to time. “You” refers to the controller or business who has agreed to this DPA with X.
2. Details of the Processing Operations
The nature and subject matter of the processing, including the processing operations carried out by X on your behalf, Your instructions to X, and the security measures deployed by X, are described in the relevant Agreements between You and X. X acts as a processor or service provider (as applicable) for, and on behalf of, You and conducts its processing operations in accordance with Your instructions.
3. Your Obligations
3.1 You determine the purposes for and means by which Your Data is being or will be processed, and the manner in which they are or will be processed.
3.2 You represent, warrant and agree that with respect to Your Data provided to X pursuant to this DPA, You:
3.2.1 comply with data security and other obligations prescribed by Applicable Data Protection Law for controllers or businesses;
3.2.2 confirm that the provision of Your Data to X complies with Applicable Data Protection Law;
3.2.3 have established a procedure for the exercise of the rights of the data subjects/consumers whose personal data or personal information is collected;
3.2.4 only process personal data or personal information that has been lawfully and validly collected and ensure that such data or information is relevant and proportionate to the respective uses;
3.2.5 disclose Your Data to X for a lawful business purpose consistent with the disclosures You make to Your data subjects/consumers in Your privacy policies, and You do not sell Your Data to X;
3.2.6 ensure that after you have assessed the requirements of Applicable Data Protection Law, the security and confidentiality measures supported by this DPA are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and
3.2.7 will take reasonable steps to ensure compliance with the provisions of this DPA by Your personnel and by any person accessing or using Your Data on Your behalf.
4. Obligations of X
4.1 X carries out the processing of Your Data on your behalf.
4.2 Accordingly, X agrees that it will:
4.2.1 unless otherwise required by applicable law, process Your Data only on Your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this DPA and all Agreements between You and X;
4.2.2 immediately inform You if in X’s opinion an instruction from You infringes Applicable Data Protection Law;
4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with X prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this DPA, and provide You with reasonable evidence of its privacy and security policies;
4.2.4 take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this DPA;
4.2.5 comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment;
4.2.6 inform You of:
4.2.6.1 any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities, and you acknowledge that X may disclose Your Data to comply with such a legally binding disclosure request;
4.2.6.2 any personal data breach (or analogous concept) under Applicable Data Protection Law relating to Your Data (“Security Incident”);
4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and
4.2.6.4 any requests from a data subject/consumer to exercise their data protection rights under Applicable Data Protection Law without responding to that request, unless You have authorized a response or such a response is required by law;
4.2.7 provide You with reasonable co-operation and assistance in respect of Your obligations regarding:
4.2.7.1 requests from data subjects/consumers in respect of the exercise of their data protection rights under Applicable Data Protection Law with respect to Your Data;
4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;
4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority, in each case where and to the extent required by Applicable Data Protection Law;
4.2.7.4 the security of Your Data, including by implementing the technical and organizational security measures detailed in Your Agreements with X;
4.2.8 if X is required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless X is prohibited from informing You on grounds of important public interest; and
4.2.9 upon reasonable request, make available to You all information necessary to demonstrate compliance with the obligations in this Section 4.2. X will further comply with its audit responsibilities set out in Section 4.4 below.
4.3 You and X further agree that:
4.3.1 X is acting solely as a processor, service provider or in such other similar capacity as may be understood under Applicable Data Protection Law with respect to Your Data;
4.3.2 X shall not retain, use or disclose Your Data for any purpose other than for the specific purpose of performing the services specified in this DPA or any other Agreement between You and X; and
4.3.3 X may deidentify, aggregate, or anonymize all or portions of Your Data so that it no longer constitutes personal data or information under Applicable Data Protection Laws as part of its performance of services specified in this DPA and any other Agreement between You and X.
4.4 X will, upon Your request (not to exceed one request per calendar year unless required by Applicable Data Protection Law) by email to dpo@X.com, certify compliance with Sections 4-6 of this DPA in writing. X will also provide to you each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the data processing services under the Agreements (each such report, a “Report”). If a Report does not provide, in Your reasonable judgment, sufficient information to confirm X’s compliance with the terms of this DPA, then You or an accredited third-party audit firm agreed to by both You and X may audit X’s compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to X’s business, upon reasonable advance notice to X of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time X expends for any such audit, in addition to the rates for support services performed by X and any expenses incurred by X in complying with this Section 4.4 and Section 4.2.7. Before the commencement of any such audit, You and X will mutually agree upon the timing, duration and scope of the audit, which will not involve physical access to the servers from which the data processing services are provided in order to maintain the security of X’s systems and to preserve the confidentiality of other customers’ data. You will promptly notify X of information regarding any non-compliance discovered during the course of an audit. Where applicable, you agree to exercise Your audit rights under the SCCs (defined below) by instructing us to comply with the audit measures described in this Section 4.4.
4.5 If (i) Your Data includes any personal data that is protected under the GDPR or Applicable Data Protection Law of Switzerland or the UK, (ii) X processes such personal data outside of the EEA, Switzerland, or the UK; and (iii) such processing takes place in a country that is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference and form an integral part of this DPA. The SCCs shall apply as follows:
4.5.1. EEA Transfers, To the extent that Your Data is subject to the GDPR, the SCCs apply as follows:
i. the “data exporter” is You and the “data importer” is X;
ii. the Module Two terms are selected;
iii. in Clause 7, the optional docking clause applies;
iv. in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes is set out in Section 5 of this DPA;
v. in Clause 11, the optional language does not apply;
vi. in Clause 17, Option 1 applies and the SCCs are governed by Irish law;
vii. in Clause 18(b), disputes will be resolved before the courts of Ireland;
viii. in Annex I.A and I.B, the details of the parties and description of the transfer are set out in the relevant Agreements between You and X;
ix. in Clause 13(a) and Annex I.C, the competent supervisory authority is the supervisory authority of the EEA member state in which You or Your representative is in or where the data subjects are predominantly located;
x. in Annex II, the description of the technical and organizational security measures is set out in the relevant Agreements between You and X; and
xi. in Annex III, the list of Sub-processors is outlined in Section 5 of this DPA.
4.5.2. Swiss Transfers. To the extent that Your Data is subject to the Applicable Data Protection Law of Switzerland, the SCCs apply as set out in Section 4.5.1 of this DPA with the following modifications:
i. references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof (“Swiss DPA”);
ii. references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;
iii. references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’;
iv. Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“FDPIC”), or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the supervisory authority of the EEA member state in which You or Your representative is in or where the data subjects are predominantly located (insofar as the transfer is governed by the GDPR;
v. references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;
vi. in Clause 17, the SCCs are governed by the laws of Switzerland;
vii. in Clause 18(b), disputes will be resolved before competent Swiss courts; and
viii. the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.
4.5.3. UK Transfers. To the extent that Your Data is subject to the Applicable Data Protection Law of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:
i. in Table 1, the details of the parties are set out in the Agreements between You and X;
ii. in Table 2, the selected modules and clauses are set out in Section 4.5.1 of this DPA
iii. in Table 3, the appendix information is set out in the Agreements between You and X; and
iv. in Table 4, the ‘Importer’ is selected.
4.5.4. Alternative Transfer Mechanism. In the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Your Data, You shall fully co-operate with X to sign an amendment to this DPA and/or execute such other documents and take such other actions as may be necessary to remedy such non-compliance. In addition, if X adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the SCCs or Privacy Shield (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall apply automatically instead of the measures described in this DPA but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories in which Your Data is transferred.
5. Transfer, Disclosure and Third Parties
5.1 You acknowledge and agree that (a) X’s affiliates may be retained as sub-processors and (b) X and X’s affiliates may engage sub-processors in connection with the provision of the data processing services. X or a X affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Section 5, You hereby authorize X to engage sub-processors required to assist X for the purposes of providing the data processing services under the Agreements.
5.2 A current list of sub-processors for the data processing services is accessible via privacy.twitter.com. We will endeavor to provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”). You may object to X’s engagement of a new sub-processor by ceasing to use the applicable product, program or feature prior to the Sub-Processor Effective Date. Your continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes your acceptance of the new sub-processor. For the purposes of the SCCs, You acknowledge that we may be restricted from disclosing sub-processor agreements to You due to confidentiality obligations but where we cannot disclose a sub-processor agreement, we shall provide all information (on a confidential basis) to You that we reasonably can in connection with such agreement.
6. Post-termination obligations
You and X agree that on the termination of any of the data processing services, X and any sub-processors shall, upon request, subject to the limitations described in any relevant Agreements, return all of Your Data relating to such data processing services and copies of such data to You or securely destroy them and demonstrate to Your reasonable satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data. In such a case, X or a sub-processor agree to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.
7. Conflicts
In the event of any conflict between the terms of this DPA, the SCCs and any other terms between You and X, including but not limited to the terms of any Agreements, the terms shall apply in the following order of precedence: (i) the SCCs, (ii) this DPA, and then (iii) any other terms of your Agreements between You and X. This agreement is written in English and may be translated into other languages and made available by X. The version in English will prevail over versions translated into other languages, which are for mere reference.