Data Processing Addendum

Version Date: March 13, 2023

This Data Processing Addendum (the “DPA”) forms part of and is subject to the Terms of Use (“Agreement”) executed between Metadata, Inc. (“Metadata”) and the customer signing below (“Customer”), together the “Parties” and each a “Party.” All capitalised terms not defined in this DPA shall have the meaning given to them in the Agreement.

1. Definitions

“Agreement” means the Terms of Use entered between the Parties.

“Applicable Data Protection Laws” means the privacy, data protection, and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation: (a) GDPR; (b) CPRA; and (c) the Swiss Federal Act on Data Protection, in each case, as amended, adopted, or superseded from time to time.

“CPRA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder.

“Customer Personal Data” means any Personal Data contained within Customer Data that is Processed by Metadata or its Subprocessors on behalf of Customer to perform the Company Services under the Agreement.

“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Personal Data and the Processing thereof.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Data Transfer Mechanism(s)” means the EU SCCs and/or the UK Transfer Addendum as applicable to the relevant Restricted Transfer.

“EEA” means the European Economic Area.

“EU SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

“GDPR” means, as and where applicable to the Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) (“UK GDPR”); including, in each case any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

“Metadata Personal Data” means any Personal Data contained within Supplementary Data.

“Mandatory Clauses” means the mandatory clauses of the UK Transfer Addendum, as shown in Part Four of the document presently published at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf

“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure of, or access to, Personal Data in a Party’s possession, custody or control.

“Personnel” means a person’s employees, agents, consultants, or contractors.

“Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under the GDPR.

“Subprocessor” means any third party appointed by or on behalf of Metadata to Process Customer Personal Data.

“Subprocessor List” has the meaning given to it in Section 8.

“Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (the “ICO”).

“Supplementary Data” means additional third party or derived data points that augment the Customer Data (e.g., technographics, firmographics, and business contact information).

“UK Transfer Addendum” means the template addendum B1.0 issued by the ICO under s119A(1) of the Data Protection Act 2018, in force from 21 March 2022, as set out in Attachment 3 to Annex 1 (European Annex).

The terms “Controller,” “Process,” “Processing,” and “Processor” have the meanings given to them in the Data Protection Laws and Regulations. 

2. SCOPE

  1. This DPA applies, as applicable, to: (a) Metadata’s Processing of Customer Personal Data under the Agreement and/or Metadata’s transmission of Metadata Personal Data to Customer.
  2. Annex 1 (European Annex) to this DPA applies only if and to the extent Metadata’s Processing of Customer Personal Data or Metadata’s transmission of Metadata Personal Data to Customer under the Agreement is subject to the GDPR.
  3. Annex 2 (California Annex) to this DPA applies only if and to the extent Metadata’s Processing of Customer Personal Data or Metadata’s transmission of Metadata Personal Data to Customer under the Agreement is subject to the CPRA.

3. ROLES

Metadata as a Processor

3.1 Metadata shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws.  Customer Personal Data shall never be commingled, added to Metadata’s own data set, or sold to or shared with any third parties.

3.2 Customer instructs Metadata to Process Customer Personal Data as necessary to provide the Company Services to Customer under and in accordance with the Agreement.

Metadata as a Controller

3.3 The Parties acknowledge and agree that Metadata may provide Client with Metadata Personal Data as part of Metadata’s provision of the Company Services.

3.4 The Parties acknowledge and agree that, in respect of any Processing of Metadata Personal Data, each Party: (a) Processes Metadata Personal Data for its own purposes and each acts as an independent Controller; (b) shall Process Metadata Personal Data in compliance with its respective obligations under Applicable Data Protection Laws (if and as applicable in the context); and (c) shall use Metadata Personal Data for the sole purpose of business-to-business marketing activities.

4. METADATA PERSONNEL

Metadata shall take commercially reasonable steps to ascertain the reliability of Metadata Personnel who Process Customer Personal Data and shall enter into written confidentiality agreements with all Metadata Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.

5. SECURITY

5.1 Metadata shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access as described in Annex 3 (Security Measures) (the “Security Measures”).  

5.2 Metadata may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

6. DATA SUBJECT REQUESTS; IMPACT ASSESSMENTS

6.1 Metadata, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests.

6.2 If Metadata receives a Data Subject Request in respect of Customer Personal Data, Metadata shall:

  1. promptly notify Customer that a Data Subject Request was received; and
  2. not respond to any such Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.

6.3 To the extent Customer is required under Applicable Data Protection Laws, Metadata will assist Customer to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activities that present a high risk to data subjects.

7. PERSONAL DATA BREACH

Breach notification and assistance 

7.1 Metadata will notify Customer without undue delay, and in any event within forty-eight (48) hours, if Metadata becomes aware of a Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested. At Customer’s request, Metadata will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify competent authorities and/or affected Data Subjects if Customer is required to do so under Applicable Data Protection Laws.

7.2 Metadata shall reasonably cooperate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.

7.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

Notification to Metadata

7.4 If Customer determines that a Personal Data Breach (whether related to Customer Personal Data or Metadata Personal Data) must be notified to any Supervisory Authority, any Data Subject(s), the public, or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Metadata, where permitted by applicable laws, Customer agrees to: (a) notify Metadata in advance; and (b) in good faith, consult with Metadata and consider any clarifications or corrections Metadata may reasonably recommend or request to any such notification, which: (i) relate to Metadata’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.

8. SUBPROCESSORS

8.1 Customer generally authorises Metadata to appoint Subprocessors in accordance with this section.

8.2 Metadata may continue to use those Subprocessors engaged by Metadata as of the date of this DPA (as those Subprocessors are shown, together with their respective functions and locations) at https://metadata.io/subprocessors/ (the “Subprocessor List”).

8.3 Metadata shall give Customer prior written notice of the appointment of any proposed Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor, by providing Customer with an updated copy of the Subprocessor List via a ‘mailshot’ or similar bulk distribution mechanism. If, within fourteen (14) days of receipt of that notice, Customer notifies Metadata in writing of any objections (on reasonable grounds) to the proposed appointment:

  1. Metadata shall use reasonable efforts to make available a commercially reasonable change in the provision of the Company Services that avoids the use of that proposed Subprocessor; and
  2. Where such a change cannot be made within fourteen (14) days from Metadata’s receipt of Customer’s notice and/or no commercially reasonable change is available, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Company Services which require the use of the proposed Subprocessor, as its sole and exclusive remedy.
  3. Upon termination in accordance with Section 8.3(b), Metadata will promptly refund any prepaid but unused fees covering use of the Company Services or a portion thereof after termination.

8.4 If Customer does not object to Metadata’s appointment of a Subprocessor during the objection period referred to in Section 8.3, Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor.

8.5 With respect to each Subprocessor, Metadata shall maintain a written contract between Metadata and the Subprocessor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA. Metadata shall remain liable for any breach of this DPA caused by a Subprocessor.

9. RETURN AND DELETION

9.1 Upon Customer’s request, or upon termination or expiry of this DPA, Metadata shall destroy, irreversibly render anonymous, or return to Customer all Customer Personal Data (including copies) in its possession or control (including any Personal Data processed by its Subprocessors). This requirement shall not apply to the extent that Metadata is required by any applicable law to retain some or all of the Customer Personal Data, in which event Metadata shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

10. AUDIT RIGHTS

10.1 Metadata shall make available to Customer such information as Customer may reasonably request to demonstrate its compliance with this DPA and Applicable Data Protection Laws in relation to its Processing of Customer Personal Data.

10.2 In the event that Customer is able to provide reasonable documentary evidence that the information made available by Metadata pursuant to Section 10.1 is not sufficient in the circumstances to demonstrate Metadata’s compliance with this DPA and Applicable Data Protection Laws, Metadata shall allow for and contribute to an audit  by Customer. 

10.3 Customer shall give Metadata reasonable notice of any audit or inspection to be conducted under Section 10.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts to avoid causing any destruction, damage, injury or disruption to Metadata’s equipment, Personnel, data, and business.

10.4 If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Metadata has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.  

10.5 Nothing in this DPA shall require Metadata to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make generally available to their customers.

11. COMPLIANCE WITH APPLICABLE DATA PRIVACY LAWS; RESTRICTED DATA

11.1 Each Party shall comply with its obligations under Applicable Data Protection Laws and Regulations in respect of any Personal Data it Processes under this DPA. 

11.2 Neither Party shall provide or otherwise make available to the other any data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of personal data (as defined in GDPR or CPRA) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).

12. LIABILITY

The total aggregate liability of either Party to the other Party for any claims arising out of or in connection with this DPA will under no circumstances exceed any limitations or caps on and shall be subject to any exclusions of liability and loss agreed by the Parties in the Agreement; provided that, nothing in this section will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the Data Transfer Mechanism(s) (if and as they apply).

13. PRECEDENCE

13.1 In the event of any conflict or inconsistency between:

  1. this DPA and the Agreement, this DPA shall prevail; and
  2. any Data Transfer Mechanism(s) entered into pursuant to Annex 1 (European Annex) and this DPA and/or the Agreement, the Data Transfer Mechanism(s) shall prevail in respect of the Restricted Transfer to which they apply.

Annex 1

European Annex

1. PROCESSING OF CUSTOMER PERSONAL DATA

1.1 The Parties acknowledge and agree that, as applicable, the details of: (a) Metadata’s Processing of Customer Personal Data; and (b) Metadata’s transmission of Metadata Personal Data to Customer, under this DPA are as set out in Attachment 1 to Annex 1 (European Annex) to the DPA.

1.2 Where Metadata receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Metadata shall inform Customer.

1.3 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Metadata pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.

2. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

2.1 Metadata, taking into account the nature of the Processing and the information available to Metadata, shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Metadata.

3. RESTRICTED TRANSFERS 

3.1 The Parties acknowledge that: (a) Customer’s transmission of Customer Personal Data to Metadata; and (b) Metadata’s transmission of Metadata Personal Data to Customer, may each involve a Restricted Transfer. The relevant Data Transfer Mechanism(s) that may be entered into under this section shall apply and have effect only if and to the extent permitted and required under the EU GDPR and/or UK GDPR (if and as applicable) to establish a valid basis under the EU GDPR and/or UK GDPR in respect of the relevant Restricted Transfer.

EU Restricted Transfers

3.2 To the extent that any Processing of Personal Data under this DPA involves an EU Restricted Transfer, the Parties shall comply with their respective obligations set out in the EU SCCs, which shall apply to the relevant EU Restricted Transfer in the following manner:

  1. Module One of the EU SCCs applies to any EU Restricted Transfer of Metadata Personal Data from Metadata as ‘data exporter’ to Customer as ‘data importer’; and
  2. Module Two of the EU SCCs applies to any EU Restricted Transfer of Customer Personal Data from Customer as ‘data exporter’ to Metadata as ‘data importer’.

3.3 Any EU SCCs applicable in accordance with this section shall be deemed:

  1. populated in accordance with Attachment 2 to Annex 1 (European Annex); and
  2. entered into by the Parties and incorporated by reference into this DPA.

UK Restricted Transfers

3.4 To the extent that any Processing of Personal Data under this DPA involves a UK Restricted Transfer:

  1. the relevant EU SCCs entered into in accordance with this section shall apply to that UK Restricted Transfer as varied by the UK Transfer Addendum; and
  2. the Parties agree that the manner of the presentation of the information included in the UK Transfer Addendum shall not operate or be construed so as to reduce the Appropriate Safeguards (as defined in the Mandatory Clauses).

Adoption of new transfer mechanism

3.5 Metadata may on notice vary this DPA and replace any Data Transfer Mechanism(s) with: (a) any new or replacement set(s) of standard contractual clauses; or (b) any other transfer mechanism, that enables the lawful transfer of Personal Data under this DPA in compliance with the GDPR. 

Provision of full-form Data Transfer Mechanism(s)

3.6 In respect of any given Restricted Transfer, if requested of either Party (“Requesting Party”) by a Supervisory Authority or Data Subject, on specific written request, the other Party shall provide Requesting Party with an executed version of the relevant Data Transfer Mechanism(s) responsive to the request made of Requesting Party for countersignature by Requesting Party, onward provision to the relevant requestor, and/or storage to evidence Requesting Party’s compliance with Applicable Data Protection Laws.

Attachment 1 TO EUROPEAN ANNEX

Data Processing Details

Note:

This Attachment 1 to Annex 1 (European Annex) to the DPA includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and to populate the appendices and/or tables to the Data Transfer Mechanism(s) (if and as they apply).

PART 1: DETAILS OF THE PARTIES

METADATA DETAILS

Name: Metadata, Inc., a Delaware corporation
Address: 1754 Technology Drive, Suite 212, San Jose, CA 95110
Contact Details for Data Protection:
Role: Data Privacy Officer
Telephone: +1 650-753-7077, Toll-Free (US Only) at: +1 888-905-8193
Metadata Activities: Metadata offers software and related services for business-to-business marketers to drive efficiency and automate paid campaigns
Role:  As determined in accordance with Paragraph 3.2 of Annex 1:
  • Where Module One applies: Controller / ‘data exporter’
  • Where Module Two applies: Processor / ‘data importer’

CUSTOMER DETAILS

Name: The entity or other person who is a counterparty to the Agreement
Address: As set out in the Agreement
Contact Details for Data Protection: Customer’s contact details are Customer’s contact details submitted by Customer and associated with Customer’s account for the Company Services – unless otherwise notified to Metadata via email.
Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Company Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role: As determined in accordance with Paragraph 3.2 of Annex 1:
  • Where Module One applies: Controller / ‘data importer’
  • Where Module Two applies: Controller / ‘data exporter’

PART 2: DETAILS OF CUSTOMER PERSONAL DATA

Categories of Data Subjects:

Any individuals whose Personal Data is comprised within data submitted to the Company Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Company Services – but may include Customer’s and its affiliates’:

  • “Staff”, namely:
    • employees and non-employee workers;
    • students, interns, apprentices and volunteers;
    • directors and officers;
    • advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers.
  • Customers, clients, (sub-)licensees, users and end-users, website visitors and marketing prospects.

Where any of the above is a business or organisation, it includes their Staff.

Each category includes current, past and prospective Data Subjects.

Categories of Personal Data:

Any Personal Data comprised within data submitted to the Company Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Company Services – but may include:

  • first name;
  • last name;
  • title;
  • company email address;
  • social media information;
  • company phone number; and/or
  • company name.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data:

None – as noted in Section 11 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the EU SCCs), must not be submitted to the Company Services.

Additional safeguards for sensitive data:

N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Company Services.
Nature of the Processing: Processing operations required in order to provide the Company Services in accordance with the Agreement.
Purpose of the Processing: Customer Personal Data will be processed: (i) as necessary to provide the Company Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA.
Transfers to (sub-)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor List.

PART 3: DETAILS OF METADATA PERSONAL DATA

Categories of Data Subjects: Any individuals whose Personal Data is comprised within Metadata Personal Data – but may include marketing prospects.
Categories of Personal Data:

Any Personal Data comprised within Metadata Personal Data – but may include:

  • first name;
  • last name;
  • social media information;
  • company email address;
  • personal email address;
  • phone number;
  • country;
  • city;
  • zip code;
  • job title;
  • seniority;
  • department; and
  • industry.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data:

None.

Additional safeguards for sensitive data:

N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Company Services.
Nature of the Processing: Processing operations required in order to provide the Company Services in accordance with the Agreement.
Purpose of the Processing: Metadata Personal Data will be processed as necessary to provide the Company Services as initiated by Customer in its use thereof.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA.
Transfers to (sub-)processors: See Sub-Processor List.

Attachment 2 TO EUROPEAN ANNEX

POPULATION OF EU SCCs

Notes:

  • The EU SCCs populated in accordance with this Attachment 2 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 3 of Annex 1 (European Annex) to the DPA).

1. SIGNATURE OF THE EU SCCs:

1.1 Where applicable in accordance with Section 3 of Annex 1 (European Annex) to the DPA:

  1. each of the Parties is hereby deemed to have signed the EU SCCs; and
  2. those EU SCCs are entered into by and between the Parties with effect from (i) the Effective Date; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Section 3 of Annex 1 (European Annex) to the DPA, whichever is the later.

2. POPULATION OF THE BODY OF THE EU SCCs

2.1 For each Module of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

  1. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
  2. In Clause 9:
    (i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 8 of the DPA; and
    (ii) OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
  3. In Clause 11, the optional language is not used and is deleted.
  4. In Clause 13, all square brackets are removed and all text therein is retained.
  5. In Clause 17:
    (i) OPTION 1 applies, and the Parties agree that the EU SCCs shall be governed by the law of Ireland; and
    (ii) OPTION 2 is not used and that optional language is deleted.
  6. For the purposes of Clause 18, the Parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

3. POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs

3.1 Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Attachment 1 to Annex 1 (European Annex) to the DPA, with:

  1. Customer being ‘data exporter’ and Metadata being ‘data importer’ with respect to Restricted Transfers involving Customer Personal Data; and/or
  2. Metadata being ‘data exporter’ and Customer being ‘data importer’ with respect to Restricted Transfers involving Metadata Personal Data.

3.2 Part C of Annex I to the Appendix to the EU SCCs is populated as below:

The competent supervisory authority shall be determined as follows:

  • Where the data exporter is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which the data exporter is established.
  • Where the data exporter is not established in an EU Member State, Article 3(2) of the GDPR applies and the data exporter has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which the data exporter’s EU representative relevant to the processing hereunder is based (from time-to-time).
  • Where the data exporter is not established in an EU Member State, Article 3(2) of the GDPR applies, but the data exporter has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to the data importer’s contact point for data protection identified in Attachment 1 to Annex 1 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

3.3 Annex II to the Appendix to the EU SCCs is populated as below:

Please refer to Section 5 of the DPA and Annex 3 (Security Measures) to the DPA.

In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Metadata, Customer should email Metadata’s contact point for data protection identified in Attachment 1 to Annex 1 (European Annex) to the DPA. 

Attachment 3 TO EUROPEAN ANNEX

UK TRANSFER ADDENDUM

Notes:

  • The UK Transfer Addendum set out in this Attachment 3 is incorporated into and forms an effective part of the DPA (if and where applicable in accordance with Section 3 of Annex 1 (European Annex) of the DPA).

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

All relevant information and details are as set out in Attachment 1 to Annex 1 of the DPA and it is noted that the UK Addendum is deemed to have been signed by the Parties pursuant to and in accordance with Section 3 of Annex 1 of the DPA with effect from the Effective Date.

Table 2: Selected SCCs, Modules and Selected Clauses

The version of the Approved EU SCCs which this UK Addendum is appended to, detailed below, including the Appendix Information:

Date: Effective Date
Reference (if any): the EU SCCs
Other identifier (if any): n/a

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:

Annex 1A: List of Parties: Part 1 of Attachment 1 to Annex 1 of the DPA
Annex 1B: Description of Transfer: Part 2 and/or Part 3 of Attachment 1 to Annex 1 of the DPA (as applicable)
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex 3 of the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): n/a

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Either Party

Part 2: Mandatory Clauses

The Mandatory Clauses are incorporated by reference and form a binding and effective part of this UK Transfer Addendum.

Annex 2

CALIFORNIA ANNEX

For purposes of this California Annex, the terms, “business,” “business purpose,” “commercial purpose,” “consumer,” “personal information,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CPRA.

Customer Personal Data

  1. Business Purposes and services: the business purposes and services for which Metadata is Processing Customer Personal Data that constitutes personal information are: (i) as necessary to provide the Company Services, including the provision of software and related services for business-to-business marketers to automate their paid campaigns, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
  2. It is the Parties’ intent that with respect to any Customer Personal Data that constitutes personal information, Metadata is a service provider. Metadata shall not (a) sell or share any such personal information; (b) retain, use or disclose any such personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing such personal information for a commercial purpose other than the business purposes specified in the Agreement; (c) retain, use or disclose such personal information outside of the direct business relationship between Metadata and Customer; or (d) combine such personal information with personal information that Metadata receives from or on behalf of another person or collected from Metadata’s own interaction with any consumer to whom such personal information pertains, unless directed to do so by Customer and permitted by the CPRA. 
  3. Metadata (a) acknowledges that Customer Personal Data that constitutes personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CPRA and shall provide the same level of privacy protection to such Customer Personal Data that constitutes personal information as is required by the CPRA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 10 of the DPA to help to ensure that Metadata’s use of Customer Personal Data is consistent with Customer’s obligations under the CPRA; (d) shall notify Customer in writing of any determination made by Metadata that it can no longer meet its obligations under the CPRA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data that constitutes personal information.
  4. Metadata shall implement reasonable security procedures and practices appropriate to the nature of the Customer Personal Data that constitutes personal information received from, or on behalf of, Customer designed to protect such personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code Section 1798.81.5.
  5. When Metadata engages any Subprocessor to Process Customer Personal Data that constitutes personal information, Metadata shall (i) notify Customer of the engagement, and (ii) enter into a written agreement with such Subprocessor that complies with the CPRA and contains privacy and security obligations not less protective than those in this Annex.  Metadata shall be liable for all obligations under the Agreement subcontracted to the Subprocessor and its actions and omissions related thereto.  Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Metadata’s obligation under the CPRA to give notice of such engagements.
  6. Metadata’s compliance with Section 6 of the DPA shall satisfy Metadata’s obligation under the CPRA to reasonably assist Customer in meeting Customer’s obligation to comply with consumer requests made pursuant to the CPRA related to Customer Personal Data that constitutes personal information.
  7. The Parties acknowledge that Metadata’s retention, use and disclosure of Customer Personal Data that constitutes personal information authorized by Customer’s instructions stated in the DPA are integral to the Company Services and the business relationship between the Parties. The exchange of Customer Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

Metadata Personal Data

  1. Metadata provides Metadata Personal Data that constitutes personal information to Customer solely for the business purpose of business-to-business marketing activities. Customer represents and warrants that it shall not use such personal information for any other purpose.
  2. With respect to any Metadata Personal Data that constitutes personal information, Customer represents and warrants that Customer shall comply with the CPRA.
  3. With respect to any Metadata Personal Data that constitutes personal information, Customer grants Metadata the right to take reasonable and appropriate steps to help ensure that Customer uses and otherwise Processes such personal information consistent with the CPRA. Customer shall notify Metadata if it determines that it can no longer meet its obligations under the CPRA with respect to such personal information. Metadata has the right, upon notice, including in the event Customer notifies Metadata that it can no longer meet its obligations under the CPRA, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. 

Annex 3

Security Measures

As from the Addendum Effective Date, Metadata will implement and maintain the Security Measures as set out in this Annex 3.

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Metadata’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Metadata’s organization, monitoring and maintaining compliance with Metadata’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data.
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
  5. Password controls designed to manage and control password strength, expiration and usage.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  7. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Metadata’s possession.
  8. Procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Metadata’s technology and information assets.
  9. Incident management procedures designed to allow Metadata to investigate, respond to, mitigate, and notify of events related to Metadata’s technology and information assets.
  10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.