Controller-to-Controller (Inbound)
Data Protection Addendum
Scope, Definitions and Applicable Law. This Data Protection Addendum (“DPA”), to the extent it is expressly incorporated by reference into an agreement between you (“you”) and Twitter, forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the Personal Data you provide to Twitter, as specifically set out in the Agreement. “Personal Data” means any personal data or personal information you share with Twitter or that Twitter processes pursuant to the Agreement. Terms and expressions used herein that are not otherwise defined, including without limitation “business,” “controller,” “personal data,” “personal information,” “processing,” and their respective derivative terms, shall have the meanings set forth in the data privacy and protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”), which may include, without limitation, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations, the Brazilian General Data Protection Law of 2018, Brazil Federal Law 13.709/2018, Lei Geral de Proteção de Dados, the Japanese Act on the Protection of Personal Information Act No. 57 of 2003, and the EU General Data Protection Regulation (2016/679) (“GDPR”), in each case as amended, superseded or replaced from time to time.
Roles and Restrictions. Each party to this DPA is an independent controller or business of Personal Data under Applicable Data Protection Law and shall be individually and separately responsible for complying with the obligations applicable to it under Applicable Data Protection Law. Nothing in this DPA shall modify any restrictions applicable to Twitter’s rights to use or otherwise process Personal Data under the Agreement.
Protection of Personal Data. Twitter shall implement appropriate security measures (including organizational and technical measures) to protect Personal Data against the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of Personal Data, including all measures set out in the Agreement.
Notice and Cooperation. Twitter will promptly give notice to and cooperate as necessary with you regarding (a) any material breach of security or unauthorized access to the Personal Data, and (b) any complaint, inquiry, or request from an individual or government or regulatory agency regarding the Personal Data, unless such notice is prohibited by law. If Twitter receives a request from a government or regulatory agency, Twitter may share the terms of this DPA, the Agreement, and other information necessary to demonstrate compliance with Applicable Data Protection Law.
Cross-Border Transfers of Personal Data.
a. Transfers of Non-European Data. Where Twitter intends to transfer Personal Data cross-border and Applicable Data Protection Law requires certain measures to be implemented prior to such transfer, Twitter agrees to implement such measures to ensure compliance with Applicable Data Protection Law.
b. Transfers of European Personal Data. To the extent that Twitter transfers Personal Data that is subject to Applicable Data Protection Law of European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) outside the EEA, Switzerland, or the UK to a jurisdiction which is not subject to an adequacy determination by the European Commission, UK or Swiss authorities (as applicable), then the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference and form an integral part of the Agreement in accordance with Section 5 of this DPA.
c. EEA Transfers. To the extent that Personal Data is subject to the GDPR, the SCCs apply as follows:
i. you are the ‘data exporter’ and Twitter is the ‘data importer’;
ii. the Module One terms apply;
iii. in Clause 7, the optional docking clause applies;
iv. in Clause 11, the optional language does not apply;
v. in Clause 17, Option 1 applies, and the SCCs are governed by Irish law;
vi. in Clause 18(b), disputes will be resolved before the courts of Ireland;
vii. in Annex I.A and I.B, the details of the parties and the transfer are set out in the Agreement;
viii. in Clause 13(a) and Annex I.C, the Irish Data Protection Commissioner (“DPC”) will act as competent supervisory authority; and
ix. in Annex II, the description of the technical and organizational security measures is set out in the Agreement.
d. Swiss Transfers. To the extent that Personal Data is subject to Applicable Data Protection Law of Switzerland, the SCCs apply as set out in Section 5(c) of this DPA with the following modifications:
i. references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof (“Swiss DPA”);
ii. references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;
iii. references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’;
iv. Clause 13(a) and Part C of Annex 2 is not used, and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“FDPIC”) or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the DPC (insofar as the transfer is governed by the GDPR);
v. references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;
vi. in Clause 17, the SCCs are governed by the laws of Switzerland;
vii. in Clause 18(b), disputes will be resolved before the competent Swiss courts; and
viii. the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.
e. UK Transfers. To the extent that Personal Data is subject to the Applicable Data Protection Law of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:
i. in Table 1, the details of the parties are set out in the Agreement;
ii. in Table 2, the selected modules and clauses are set out in Section 5(c) of this DPA;
iii. in Table 3, the appendix information is set out in this DPA or the Agreement; and
iv. in Table 4, ‘neither party’ is selected.
f. Alternative Transfer Mechanism. If Twitter adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the SCCs (“Alternative Transfer Mechanism”), then such Alternative Transfer Mechanism shall apply automatically instead of the mechanisms described in this DPA, and you shall fully co-operate with Twitter to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such Alternative Transfer Mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data cross-border, then you shall fully co-operate with Twitter to take such action as may be necessary to remedy such non-compliance.
6. Order of Precedence. In the event of a conflict between the provisions of the Agreement, this DPA and (where applicable) the SCCs, the terms shall apply in the following order of precedence: (a) the SCCs, (b) the DPA, and then (c) the terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement shall remain in full force and effect.