Last Modified: September 29, 2022
This data processing addendum (the “DPA”) is incorporated into the Hootsuite API Terms of Service (the “Developer Agreement”) entered into by you (“Developer”) and Hootsuite Inc. (“Hootsuite”), and governs the processing of European Personal Data (as defined below) in connection with the Developer Agreement.
1. Scope, Definitions and Applicable Law
This DPA governs the processing of personal data originating in the European Economic Area (the Member States of the European Union, plus Iceland, Liechtenstein and Norway, collectively the “EEA”), the United Kingdom (“UK”) or Switzerland (collectively, “Europe”), or that is otherwise subject to European Data Protection Law, that you receive from Hootsuite and Hootsuite Users in connection with the Developer Agreement (“European Personal Data”). Terms and expressions used herein that are not otherwise defined, including without limitation “personal data”, “controller”, “joint controller”, “processing”, “data subject”, “processor” and “subprocessor” shall have the meanings set forth in European Data Protection Law. “European Data Protection Law” means any data protection and privacy laws applicable in Europe to the personal data in question, including (i) the EU General Data Protection Regulation (“GDPR”), (ii) Directive 2002/58/EC (“ePrivacy Directive”), (iii) any applicable national implementations of (i) and (ii), (iv) the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, the “UK GDPR”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); in each case as may be amended, superseded or replaced from time to time.
2. Roles and Responsibilities
The parties shall each comply with their respective obligations under European Data Protection Law. Each party acknowledges and agrees the following:
3. Protection of European Personal Data
In addition to the obligations set out in the Developer Agreement, you:
will cooperate with Hootsuite to implement appropriate security (including both organizational and technical) measures prior to and during processing of any European Personal Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of European Personal Data and ensure a level of security appropriate to the risks presented by the processing of European Personal Data and the nature of such European Personal Data, and these measures shall remain in place throughout the duration of your processing of European Personal Data or until you cease to process European Personal Data (whichever is later);
will treat European Personal Data with strict confidence and take all reasonable steps to ensure that your personnel who will process European Personal Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to European Personal Data no less restrictive than the duties set forth herein; and
will not transfer European Personal Data to third parties except under written contracts that contain guarantees that comply with European Data Protection Law and ensure at least a level of data protection and information security as provided for in the Developer Agreement (including this DPA), and you will remain fully liable to Hootsuite for any third party’s failure to comply.
4. Notice and Cooperation
You will promptly give written notice to and fully cooperate with Hootsuite:
if for any reason (i) you cannot comply, or have not complied, with any portion of this DPA, (ii) you have breached or, if you continued to process European Personal Data, would breach, any European Data Protection Law governing your processing, transfer, or receipt of European Personal Data. In such cases, you will take reasonable and appropriate steps to remedy any noncompliance, or cease further processing of European Personal Data and Hootsuite may immediately terminate your Developer Agreement or access to European Personal Data, or take any other reasonable action; and
regarding (i) any breach of security or unauthorized access to European Personal Data that you detect or become aware of, or (ii) any complaint, inquiry, or request from a data subject or government or regulatory agency regarding European Personal Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Hootsuite or any Hootsuite personnel, unless Hootsuite specifically requests in writing that you do so, except as and when otherwise required by European Data Protection Law. You agree and acknowledge that if Hootsuite receives a request from a government or regulatory agency, Hootsuite may share the terms of this DPA, your Developer Agreement with Hootsuite, and other information you provide to demonstrate compliance with this DPA or European Data Protection Law.
5. Data Transfers
To the extent that you act as a controller of European Personal Data and process such data outside Europe in a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Law, the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021 (“SCCs”) shall be incorporated by reference and form an integral part of this DPA with Hootsuite as the "data exporter" and you as the "data importer". For the purposes of the SCCs: (a) the Module One terms shall apply; (b) Clause 7 shall apply; (c) in Clause 11, the optional language shall be deleted; (d) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of the Republic of Ireland; (e) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; (f) in Clause 13(a) and Annex 1.C, the Irish Data Protection Commissioner shall act as competent supervisory authority; and (g) Annexes 1.A, 1.B and 2 of the SCCs shall be deemed populated with the relevant information included at Schedule A of this DPA.
In addition, in relation to European Personal Data that is protected by the UK GDPR, the SCCs shall apply as set out above with the following modifications: (i) the SCCs shall be amended as specified by the International Data Transfer Addendum issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018 (the “UK Addendum”), which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in Schedule A of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "exporter"; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In relation to European Personal Data that is protected by the Swiss DPA, the SCCs shall apply as set out above with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
6. Order of Precedence
In the event of any conflict or inconsistency between any terms of this DPA, the Developer Agreement and the SCCs, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs, (b) this DPA, and (c) the Developer Agreement.
Annexes to the SCCs
Annex 1(A): List of parties
|Address:||111 East 5th Avenue, 3rd Floor, Vancouver, British Columbia, Canada V5T 4L1|
|Contact person's name, position and contact details:||Senior Director, Privacy & Product Compliance and Data Protection Officer, firstname.lastname@example.org|
|Activities relevant to data transferred under these Clauses:||Processing as necessary, in accordance with the Developer Agreement, to enable the Developer to access the Hootsuite APIs, API Documentation to develop, test and support an integration of its Application with the Hootsuite Platform.|
|Role (controller / processor):||Controller|
|Name:||The name associated with the Developer’s Application or Developer’s account within the Hootsuite Platform.|
|Address:||The address associated with the Developer’s Application or Developer’s account within the Hootsuite Platform.|
|Contact person's name, position and contact details:||The email address associated with the Developer’s Application or Developer's account within the Hootsuite Platform.|
|Activities relevant to data transferred under these Clauses:||Processing as necessary, in accordance with the Developer Agreement, to access the Hootsuite APIs, API Documentation to develop, test and support an integration of the Developer’s Application with the Hootsuite Platform.|
|Role (controller / processor):||Controller|
|Categories of data subjects:||Individuals employed by or who work for Hootsuite’s customers. Individuals whose personal data is contained in the data provided to Developer in accordance with the Developer Agreement.|
|Frequency of the transfer:||Continuous|
|Nature of the transfer and processing:||Transfer of personal data from the Hootsuite Platform to the Developer Application via the Hootsuite APIs.|
|Purpose(s) of the data transfer and further processing:||Processing as necessary, in accordance with the Developer Agreement, to access the Hootsuite APIs, API Documentation to develop, test and support an integration of the Developer’s Application with the Hootsuite Platform.|
|Period for which the personal data will be processed and retained, or, if that is not possible, the criteria used to determine that period:||Personal Data will be processed in accordance with the Developer’s data retention and deletion practices.|
Annex 2: Technical and Organizational Measures
The technical and organizational measures to be implemented (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described in the Developer Agreement and the API Documentation and may be updated by Hootsuite from time to time.