EU Standard Contractual Clauses
To the extent applicable, the parties will abide by the requirements of European Economic Area and Swiss
data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data
from the European Economic Area and Switzerland. All transfers of Customer Data out of the European
Union, European Economic Area, and Switzerland will be governed by the Standard Contractual Clauses, as
designated by the European Commission, made available by the Publisher at the applicable URL for such
terms or as otherwise communicated to Customer.
Customer consents to the processing of Personal Data by Publisher and its Affiliates, and their respective
agents and Subcontractors, as provided in this Agreement. Before providing Personal Data to Publisher,
Customer will obtain all required consents from third parties (including Customer’s contacts, partners,
distributors, administrators, and employees) under applicable privacy and Data Protection Laws.
Processing of Personal Data GDPR
To the extent Publisher is a processor or subprocessor of Personal Data subject to the GDPR, the Standard
Contractual Clauses govern that processing and the parties also agree to the following terms in this
subsection (“Processing of Personal Data; GDPR”):
- Processor and Controller Roles and Responsibilities. Customer and Publisher agree that Customer
is the controller of Personal Data and Publisher is the processor of such data, except when (a)
Customer acts as a processor of Personal Data, in which case Publisher is a subprocessor or (b)
stated otherwise in any Offering-specific terms. Publisher will process Personal Data only on
documented instructions from Customer. In any instance where the GDPR applies and Customer is a
processor, Customer warrants to Publisher that Customer’s instructions, including appointment of
Processor as a processor or subprocessor, have been authorized by the relevant controller.
- Processing Details. The parties acknowledge and agree that:
- the subject-matter of the processing is limited to Personal Data within the scope of the GDPR; the duration of the processing will be for the duration of the Customer’s right to use the
Offering and until all Personal Data is deleted or returned in accordance with Customer
instructions or the terms of this Agreement;
- the nature and purpose of the processing will be to provide the Offering pursuant to this
- the types of Personal Data processed by the Offering include those expressly identified in
Article 4 of the GDPR; and
- the categories of data subjects are Customer’s representatives and end users, such as
employees, contractors, collaborators, and customers, and other data subjects whose
Personal Data is contained within any data made available to Publisher by Customer.
- Data Subject Rights; Assistance with Requests. Publisher will make information available to
Customer in a manner consistent with the functionality of the Offering and Publisher’s role as a
processor of Personal Data of data subjects and the ability to fulfill data subject requests to exercise
their rights under the GDPR. Publisher will comply with reasonable requests by Customer to assist
with Customer’s response to such a data subject request. If Publisher receives a request from
Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an
Offering for which Publisher is a data processor or subprocessor, Publisher will redirect the data
subject to make its request directly to Customer. Customer will be responsible for responding to any
such request including, where necessary, by using the functionality of the Offering. Publisher will
comply with reasonable requests by Customer to assist with Customer’s response to such a data
- Use of Subprocessors. Customer consents to Publisher using the subprocessors listed at the
applicable Publisher URL or as otherwise communicated to Customer. Publisher remains responsible
for its subprocessors’ compliance with the obligations herein. Publisher may update its list of
subprocessors from time to time, by providing Customer at least 14-days notice before providing any
new subprocessor with access to Personal Data. If Customer does not approve of any such changes,
Customer may terminate any subscription for the affected Offering without penalty by providing, prior
to expiration of the notice period, written notice of termination that includes an explanation of the
grounds for non-approval.
- Records of Processing Activities. Publisher will maintain all records required by Article – 4 – 30(2) of
the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer,
make them available to Customer upon request.
- Confidential Information. “Confidential Information” is non-public information that is designated
“confidential” or that a reasonable person should understand is confidential, including, but not limited
to, Customer Data, the terms of this Agreement, and Customer’s account authentication credentials.
Confidential Information does not include information that: (1) becomes publicly available without a
breach of a confidentiality obligation; (2) the receiving party received lawfully from another source
without a confidentiality obligation; (3) is independently developed; or (4) is a comment or suggestion
volunteered about the other party’s business, products or services.
- Protection of Confidential Information. Each party will take reasonable steps to protect the other’s
Confidential Information and will use the other party’s Confidential Information only for purposes of the
parties’ business relationship. Neither party will disclose Confidential Information to third parties,
except to its Representatives, and then only on a need-to-know basis under nondisclosure obligations
at least as protective as this Agreement. Each party remains responsible for the use of Confidential
Information by its Representatives and, in the event of discovery of any unauthorized use or
disclosure, must promptly notify the other party.
- Disclosure required by law. A party may disclose the other’s Confidential Information if required by
law, but only after it notifies the other party (if legally permissible) to enable the other party to seek a
- Duration of Confidentiality obligation. These obligations apply: (1) for Customer Data, until it is
deleted by Publisher; and (2) for all other Confidential Information, for a period of five years after a
party receives the Confidential Information.