Workplace EU Data Transfer Addendum

This Workplace EU Data Transfer Addendum (“Data Transfer Addendum”) applies to the extent that Facebook Ireland Limited is Processing EU Data under the Agreement, and transfers of such data are made to its subprocessor Facebook, Inc.
  1. You acknowledge and agree that Facebook Ireland Limited uses Facebook, Inc. in the US for further Processing of EU Data to provide Workplace pursuant to the Agreement and that you enter into the Clauses in order to facilitate the transfer of EU Data to Facebook, Inc. for this purpose. Your Agreement for Workplace remains with Facebook Ireland Limited (including all rights and obligations thereunder). The Clauses apply between you and Facebook, Inc. to transfers originating in the EU, EEA, Switzerland or UK of EU Data to Facebook, Inc., unless alternative transfer arrangements are implemented by Facebook Ireland Limited in accordance with this Data Transfer Addendum.
    1. For the purposes of the Clauses: you are the “data exporter” and Facebook, Inc. is the “data importer” as those terms are defined in the Clauses.
    2. For the purposes of Appendix 1 of the Clauses: ‘data subjects’, ‘categories of data’, ‘special categories of data’ and ‘processing operations’ are as described in the Agreement, in each case to the extent relating to EU Data.
    3. For the purposes of Appendix 2 of the Clauses: the technical and organisational measures implemented by Facebook, Inc. are as set out in the Data Security Addendum.
    4. By entering into this Data Transfer Addendum, You and Facebook, Inc. agree to be bound by the Clauses as though each party had executed them under separate agreement.
  2. You agree that:
    1. where regulatory approval is required for your use of the Clauses, you will obtain such approval;
    2. any subprocessor agreement to be provided under clause 5(j) of the Clauses will be provided to you on written request only, is confidential and will be limited to the data protection provisions related to EU Data with commercial information redacted;
    3. the general consent given under the Data Processing Addendum to the use of a subprocessor is also consent under clause 11 of the Clauses; and
    4. you will use your rights of information and audit under the Data Processing Addendum to satisfy any requirements you have for an audit under the Clauses, unless you can demonstrate to Facebook, Inc. that you cannot reasonably satisfy your obligations under the GDPR in this way, in which case, you can request that Facebook, Inc. provides for other means of audit under the Clauses. Facebook, Inc. will aim to meet your request via means that are the least intrusive and least disruptive to Workplace and its business operations (e.g. via provision of additional information, meetings or other means suggested by Facebook, Inc.) to the extent you can show this is reasonably necessary to satisfy your obligations under the GDPR. Any means of audit other than as provided for under the Data Processing Addendum is subject to mutual agreement of the details such as (as relevant) manner, timing, scope, duration, control, confidentiality procedures, evidence requirements, auditor identity and subject to you paying all reasonable associated fees and costs, including for time expended by Facebook, Inc. in connection with the request.
  3. Any claim or action brought by you against Facebook, Inc. under or in connection with the Clauses or this Data Transfer Addendum will be subject to the exclusions and limitations of liability and disclaimers in the Agreement as if they applied in respect of the Clauses (as well as this Data Transfer Addendum) and as if Facebook, Inc. was a party to the Agreement and so that the combined liability of Facebook Ireland Limited and Facebook, Inc. to you under or in connection with the Agreement and the Clauses entered into with you does not in aggregate exceed the cap on liability in the Agreement.
  4. Facebook Ireland Limited may, by notice to you at any time, implement alternative arrangements for the transfer of EU Data to Facebook, Inc. that are recognised by the GDPR (including any alternative form of standard data protection clauses recognised under article 46 of the GDPR). Where Facebook Ireland Limited does so, you agree that: (1) Facebook, Inc. may terminate the Clauses by notice to You; (2) such alternative arrangements will apply to transfers of personal data in place of the Clauses: and (3) where required by Facebook Ireland Limited, You will promptly enter into any arrangements as specified by Facebook Ireland Limited for the purposes of implementing such arrangements (and if You choose not to enter into such arrangements, then Facebook Ireland Limited may terminate the Agreement by notice to You).
  5. This Data Transfer Addendum takes priority over the Agreement to the extent of a conflict or inconsistency. The Clauses take priority over this Data Transfer Addendum to the extent of any conflict or inconsistency and nothing in the Agreement or this Data Transfer Addendum varies or modifies clauses 1 to 12 of the Clauses or affects the rights of any supervisory authority or data subject under the Clauses or GDPR.
  6. Facebook, Inc. is a party to this Data Transfer Addendum solely to facilitate its entry into the Clauses on the basis set out in this Data Transfer Addendum. Facebook, Inc. is not otherwise a party to the Agreement and has no obligations or liability under or in connection with the Agreement in any respect (whether in contract, tort, negligence or otherwise), except that, where relevant to Facebook Inc.’s rights and obligations under the Clauses or this Data Transfer Addendum, Facebook, Inc. is entitled to rely upon the provisions of the Agreement as if it was a party to it. This does not limit or affect Facebook Inc.’s obligations under the Clauses.
  7. In this Data Transfer Addendum:
    1. “Clauses” mean the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission decision 2010/87/EC, dated 5 February 2010 (but excluding the optional illustrative clauses).
    2. “EU Data” means Your Personal Data under your controllership in the EU, EEA, Switzerland or UK which is Processed by Facebook Ireland Limited pursuant to the Agreement, to the extent that the GDPR or the data protection laws of the EEA, Switzerland or UK apply to the Processing of such data.
    3. “GDPR” means the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679). References to GDPR and its provisions include the GDPR as amended and incorporated into UK law after the GDPR ceases to apply in the UK.
    4. Terms defined in the Agreement have the same meaning given to them there, except where stated otherwise. References to the Agreement, Data Processing Addendum and Data Security Addendum are to them as updated in accordance with the Agreement.