Data Processing Addendum

  1. Definitions
    Within this Data Processing Addendum, “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679), and “Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as are defined in the GDPR. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”. All other defined terms herein shall have the same meanings as are defined elsewhere in this Agreement.
  2. Data Processing
    1. In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data (“Your Personal Data”), Facebook confirms that:
      1. the duration, subject matter, nature and purpose of the Processing shall be as specified in the Agreement;
      2. the types of Personal Data Processed shall include those specified in the definition of Your Data;
      3. the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data; and
      4. your obligations and rights as Data Controller in relation to Your Personal Data are as set out in this Agreement.
    2. To the extent that Facebook Processes Your Personal Data under or in connection with the Agreement, Facebook shall:
      1. only Process Your Personal Data in accordance with your instructions as set out under this Agreement, including in respect of the transfer of Your Personal Data, subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
      2. ensure that those of its employees authorised to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
      3. implement the technical and organisational measures set out in the Data Security Addendum;
      4. respect the conditions referred to below in Sections 2.c and 2.d of this Data Processing Addendum when appointing sub-Processors;
      5. assist you by appropriate technical and organisational measures, insofar as this is possible through Workplace, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;
      6. assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information which is available to Facebook;
      7. on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
      8. make available to you the information described in this Agreement and via Workplace in satisfaction of Facebook’s obligation to make available all information that is necessary to demonstrate compliance with the obligations of Facebook under Article 28 GDPR; and
      9. on an annual basis, procure that a third party auditor of Facebook’s choice conducts a SOC 2 Type II or other industry standard audit of Facebook’s controls relating to Workplace, such third party auditor being hereby mandated by you. At your request, Facebook will provide you with a copy of its then-current audit report and such report will be deemed Facebook’s Confidential Information.
    3. You authorise Facebook to subcontract its data Processing obligations under this Agreement to Facebook’s Affiliates, and to other third parties, a list of which Facebook will provide to you upon your written request. Facebook shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Facebook under this Agreement. Where that sub-Processor fails to fulfil such obligations, Facebook shall remain fully liable to you for the performance of that sub-Processor's data protection obligations.
    4. Where Facebook engages an additional or replacement sub-Processor(s) from (i) 25 May 2018, or (ii) the Effective Date (whichever is the later), Facebook shall inform you of such additional or replacement sub-Processor(s) no later than fourteen (14) days in advance of the appointment of such additional or replacement sub-Processor(s). You may object to the engagement of such additional or replacement sub-Processor(s) within fourteen (14) days of being so informed by Facebook by terminating the Agreement immediately on written notice to Facebook.
    5. Facebook shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.