X Controller-to-Controller (Outbound) Data Protection Addendum

1. Scope, Definitions and Applicable Law.  This Data Protection Addendum (“DPA”), to the extent it is expressly incorporated by reference into an agreement between you (“you”) and Twitter, forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the extent that you receive, access or process Twitter Data (defined below) from or on behalf of Twitter in connection with the Agreement. For purposes of this DPA, “Twitter Data” means any personal data, or personal information, including but not limited to customer, applicant, employee or user information or data, that you receive, access or process from or on behalf of Twitter pursuant to the Agreement, and “Twitter European Data” means Twitter Data that is controlled by Twitter International Unlimited Company (“TIUC”) or other Twitter affiliates or subsidiaries located in the European Economic Area (“EEA”), Switzerland, or United Kingdom (“UK”) (“European Affiliate(s)”). For example, TIUC controls the personal data of users of its services, as described in the Twitter Privacy Policy at http://www.twitter.com/privacy, while TIUC and European Affiliates control the personal data of (a) individuals who are employed by or have a working relationship with TIUC or European Affiliates, and (b) individual contacts of third parties with whom TIUC or European Affiliates have or may develop a commercial relationship. Terms and expressions used herein that are not otherwise defined, including, without limitation, “personal information,” “personal data,” “controller,” “processing,” and “processor,” and their respective derivative terms, shall have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”), which may include, without limitation, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations, the Brazilian General Data Protection Law of 2018, Brazil Federal Law 13.709/2018, Lei Geral de Proteção de Dados, the Japanese Act on the Protection of Personal Information, Act No. 57 of 2003 and the EU General Data Protection Regulation (2016/679) (the “GDPR”), in each case as amended, superseded or replaced from time to time.

2. Roles and Restrictions. Each party to this DPA: (a) is an independent controller of Twitter Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Twitter Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Twitter Data. Nothing in this Section 2 shall modify any restrictions applicable to either party’s rights to use or otherwise process Twitter Data under the Agreement, and you will process Twitter Data solely and exclusively for the purposes specified in the Agreement. 

3. Protection of Twitter Data. To the extent not otherwise provided for in the Agreement: (a) you will cooperate with Twitter on and implement appropriate organizational, technical and security measures (including the measures set out in the Agreement) to protect Twitter Data against the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Twitter Data and ensure a level of security appropriate to the risks presented by the processing of Twitter Data and the nature of such Twitter Data, and these measures shall remain in place throughout the duration of your processing of Twitter Data as specified in the Agreement or until you cease to process Twitter Data (whichever is later); (b) you will treat Twitter Data with strict confidence and take all reasonable steps to ensure that persons you employ and/or persons engaged at your place(s) of business who will process Twitter Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to Twitter Data no less restrictive than the duties set forth herein; (c) you will not transfer Twitter Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided for herein, and you will remain fully liable to Twitter for any third party’s failure to so comply; and (d) you will delete and securely erase all Twitter Data (including any derivatives thereof) within the earlier of 10 days of Twitter’s written request and when you no longer have a legitimate business need to retain it and in no event longer than the retention period required by applicable law.

4. Notice and Cooperation. You will promptly give written notice to and fully cooperate with Twitter regarding (a) any breach of security or unauthorized access to the Twitter Data that you detect or become aware of, and (b) any complaint, inquiry, or request from an individual or government or regulatory agency regarding Twitter Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Twitter or any Twitter personnel, unless Twitter specifically requests in writing that you do so, except as and when otherwise required by Applicable Data Protection Law. You agree and acknowledge that if Twitter receives a request from a government or regulatory agency, Twitter may share the terms of this DPA, the Agreement, and other information you provide to demonstrate compliance with this DPA or Applicable Data Protection Law.

5. Cross-Border Transfers of Twitter Data.  

a. Transfers of Non-European Data. If you intend to transfer Twitter Data, other than Twitter European Data, cross-border and Applicable Data Protection Law requires certain measures to be implemented prior to such transfer, then you agree to implement such measures as shall be mutually agreed.

b. Transfers of European Data. If you transfer or process Twitter European Data outside the EEA, Switzerland, or UK in a jurisdiction which is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the Standard Contractual Clauses (“SCCs”) annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 are hereby incorporated by reference and form an integral part of the Agreement in accordance with this Section 5 of this DPA. Where Twitter is the controller of such Twitter Data, it enters the SCCs on its own behalf and where the ultimate controller is a third party (including, where applicable, TIUC, or other European Affiliates), Twitter enters the SCCs on behalf of such third party.

c. EEA Transfers. To the extent that Twitter European Data is subject to the GDPR, the SCCs apply as follows:

i.       the ‘data exporter’ is Twitter and you are the ‘data importer’; 
ii.      the Module One terms apply; 
iii.     in Clause 7, the optional docking clause applies; 
iv.     in Clause 11, the optional language does not apply; 
v.      in Clause 17, Option 1 applies, and the SCCs are governed by Irish law
vi.     in Clause 18(b), disputes will be resolved before the courts of Ireland; 
vii.    in Annex I.A and Annex I.B, the details of the parties and the transfer are set out in the Agreement;
viii.   in Annex I.C and Clause 13(a), the Irish Data Protection Commissioner (“DPC”) will act as competent supervisory authority; and
ix.     in Annex II, the description of the technical and organizational security measures is set out as part of the Agreement. 

d. Swiss Transfers. To the extent the Twitter European Data is subject to the Applicable Data Protection Law of Switzerland, the SCCs apply as set out in Section 5(c) of this DPA with the following modifications:

i.     references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof ("Swiss DPA”); 
ii.    references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;  
iii.   references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’; 
iv.   Clause 13(a) and Part C of Annex 2 is not used, and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“FDPIC”) or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the DPC (insofar as the transfer is governed by the GDPR);
v.    references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘FDPIC’ and ‘applicable courts of Switzerland’;
vi.    in Clause 17, the SCCs are governed by the laws of Switzerland; 
vii.   in Clause 18(b), disputes will be resolved before the competent Swiss courts; and 
viii.  the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.

e. UK Transfers. To the extent the Twitter European Data is subject to Applicable Data Protection Law of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:

i.     in Table 1, the details of the parties are set out in the Agreement;
ii.    in Table 2, the selected modules and clauses are set out in Section 5(c) of this DPA;
iii.   in Table 3, the appendix information is set out in the Agreement; and
iv.   in Table 4, the ‘Exporter’ is elected.

f. Alternative Transfer Mechanism. If Twitter adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the SCCs or the Privacy Shield (“Alternative Transfer Mechanism”), then such Alternative Transfer Mechanism shall apply automatically instead of the mechanisms described in this DPA, and you shall fully co-operate with Twitter to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such Alternative Transfer Mechanism. Further, to the extent that you and/or Twitter have adopted and certified compliance with such Alternative Transfer Mechanism, you represent and warrant that you will comply with all legal principles and terms of such Alternative Transfer Mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Twitter Data cross-border, then you shall fully co-operate with Twitter to take such action as may be necessary to remedy such non-compliance.

6. Order of Precedence.  In the event of a conflict between the terms of this DPA, the SCCs, and those of the Agreement, the terms shall apply in the following order of precedence: the (i) SCCs, (ii) the DPA, and (iii) terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement you have with Twitter shall remain in full force and effect.

7. Survival. The obligations under this DPA shall survive so long as you process Twitter Data, irrespective of whether the Agreement has been terminated or expired.