Data Processing Addendum

  1. Definitions
    Within this Data Processing Addendum, "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679), and "Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meanings as are defined in the GDPR. "Processed" and "Process" shall be construed in accordance with the definition of "Processing". References to GDPR and its provisions include the GDPR as amended and incorporated into UK law. All other defined terms herein shall have the same meanings as are defined elsewhere in this Agreement.
  2. Data processing
    1. In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data ("Your Personal Data"), Meta confirms that:
      1. the duration, subject matter, nature and purpose of the Processing shall be as specified in the Agreement;
      2. the types of Personal Data Processed shall include those specified in the definition of Your Data;
      3. the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data; and
      4. your obligations and rights as Data Controller in relation to Your Personal Data are as set out in this Agreement.
    2. To the extent that Meta Processes Your Personal Data under or in connection with the Agreement, Meta shall:
      1. only Process Your Personal Data in accordance with your instructions as set out under this Agreement, including in respect of the transfer of Your Personal Data, subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
      2. ensure that those of its employees authorised to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
      3. implement the technical and organisational measures set out in the Data Security Addendum;
      4. respect the conditions referred to below in Sections 2.c and 2.d of this Data Processing Addendum when appointing Sub-processors;
      5. assist you by appropriate technical and organisational measures, insofar as this is possible through Workplace, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;
      6. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information which is available to Meta;
      7. on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
      8. make available to you the information described in this Agreement and via Workplace in satisfaction of Meta's obligation to make available all information that is necessary to demonstrate compliance with the obligations of Meta under Article 28 GDPR; and
      9. on an annual basis, procure that a third-party auditor of Meta's choice conducts a SOC 2 Type II or other industry standard audit of Meta's controls relating to Workplace, such third-party auditor being hereby mandated by you. At your request, Meta will provide you with a copy of its then-current audit report and such report will be deemed Meta's Confidential Information.
    3. You authorise Meta to subcontract its data Processing obligations under this Agreement to Meta's Affiliates, and to other third parties, a list of which Meta will provide to you upon your written request. Meta shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Meta under this Agreement. Where that sub-Processor fails to fulfil such obligations, Meta shall remain fully liable to you for the performance of that sub-Processor's data protection obligations.
    4. Where Meta engages an additional or replacement sub-Processor(s) from (i) 25 May 2018, or (ii) the Effective Date (whichever is the later), Meta shall inform you of such additional or replacement sub-Processor(s) no later than fourteen (14) days in advance of the appointment of such additional or replacement sub-Processor(s). You may object to the engagement of such additional or replacement sub-Processor(s) within fourteen (14) days of being so informed by Meta by terminating the Agreement immediately on written notice to Meta.
    5. Meta shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.
    6. To the extent that GDPR or the data protection laws in the EEA, UK or Switzerland apply to the Processing of Your Data under this Data Processing Addendum, the European Data Transfer Addendum is applicable to data transfers by Meta Platforms Ireland Ltd and forms part of, and is incorporated by reference into, this Data Processing Addendum.