Last Modified: July 18, 2020
This data processing addendum (the “DPA”) is incorporated into the Hootsuite API Terms of Service (the “Developer Agreement”) entered into by you and Hootsuite Inc. (“Hootsuite”), and governs the processing of EU Personal Data (as defined below) in connection with the Developer Agreement.
1. SCOPE, DEFINITIONS AND APPLICABLE LAW
This DPA governs the processing of personal data originating in the European Economic Area (the Member States of the European Union, plus Iceland, Liechtenstein, Norway and Switzerland, collectively the “EEA”) or the United Kingdom, or that is otherwise subject to Applicable Data Protection Law, that you receive from Hootsuite and Hootsuite users in connection with the Developer Agreement (“EU Personal Data”).
Terms and expressions used herein that are not otherwise defined, including without limitation “personal data”, “controller”, “joint controller”, “processing”, “processor” and “subprocessor” shall have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA (“Applicable Data Protection Law”). Applicable Data Protection Law means any data protection and privacy laws applicable in the EEA and the United Kingdom, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and (iii) any applicable national implementations of (i) and (ii), in each case as may be amended, superseded or replaced from time to time.
2. ROLES AND RESPONSIBILITIES
Data Controller Scenario: Account Information
Each party, to the extent that it, along with the other party, acts as a controller of EU Personal Data, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in Applicable Data Protection Law. The parties acknowledge and agree that they are not acting as joint controllers of EU Personal Data.
Data Processor Scenario: Customer Content
Each party, to the extent that it, along with the other party, acts as a processor of EU Personal Data, will (i) comply with the instructions and restrictions set forth in its agreements with Hootsuite customers, and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in Applicable Data Protection Law. The parties acknowledge and agree that neither party is engaging the other as a subprocessor.
3. PROTECTION OF EU PERSONAL DATA
In addition to the obligations set out in the Developer Agreement, you:
will cooperate with Hootsuite on and implement appropriate security (including both organizational and technical) measures prior to and during processing of any EU Personal Data to protect against, without limitation, the accidental, unlawful or unauthorized access to or use, transfer, destruction, loss, alteration, commingling, disclosure or processing of EU Personal Data and ensure a level of security appropriate to the risks presented by the processing of EU Personal Data and the nature of such EU Personal Data, and these measures shall remain in place throughout the duration of your processing of EU Personal Data or until you cease to process EU Personal Data (whichever is later);
will treat EU Personal Data with strict confidence and take all reasonable steps to ensure that persons you employ and/or persons engaged at your places of business who will process EU Personal Data are aware of and comply with this DPA and are under a duty of confidentiality with respect to EU Personal Data no less restrictive than the duties set forth herein; and
will not transfer EU Personal Data to third parties except under written contracts that contain prescribed guarantees under Applicable Data Protection Law and guarantee at least a level of data protection and information security as provided for herein (including the requirements set out in the Developer Agreement), and you will remain fully liable to Hootsuite for any third party’s failure to comply.
4. NOTICE AND COOPERATION
You will promptly give written notice to and fully cooperate with Hootsuite:
if for any reason (i) you cannot comply, or have not complied, with any portion of this DPA, (ii) you have breached or, if you continued to process EU Personal Data, would breach, any Applicable Data Protection Law governing your processing, transfer, or receipt of EU Personal Data. In such cases, you will take reasonable and appropriate steps to remedy any noncompliance, or cease further processing of EU Personal Data and Hootsuite may immediately terminate your Developer Agreement or access to EU Personal Data, or take any other reasonable action; and
regarding (i) any breach of security or unauthorized access to EU Personal Data that you detect or become aware of, or (ii) any complaint, inquiry, or request from a data subject or government or regulatory agency regarding EU Personal Data, unless such notice is prohibited by law. In such cases, without limiting the generality of the foregoing, you will refrain from notifying or responding to any data subject, government or regulatory agency, or other third party, for or on behalf of Hootsuite or any Hootsuite personnel, unless Hootsuite specifically requests in writing that you do so, except as and when otherwise required by Applicable Data Protection Law. You agree and acknowledge that if Hootsuite receives a request from a government or regulatory agency, Hootsuite may share the terms of this DPA, your Developer Agreement with Hootsuite, and other information you provide to demonstrate compliance with this DPA or Applicable Data Protection Law.
5. DATA TRANSFERS
Where both parties act as a controller with respect to EU Personal Data, and the transfer of data between the parties results in a transfer of EU Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks, or (b) use the Standard Contractual Clauses (Controller to Controller Transfers - Set II) in the Annex to the European Commission Decision of December 27, 2004 as may be amended or replaced from time to time by the European Commission (“Controller-to-Controller SCCs”), which are incorporated herein by reference. If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that the following terms apply: (i) data subjects for whom you process EU Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs, (ii) Schedule A to this DPA shall apply as Annex B of the Controller-to-Controller SCCs, (iii) Hootsuite Inc. is the data exporter and you are the data importer, and (iv) the governing law of the Controller-to-Controller SCCs is the law of England and Wales.
6. ORDER OF PRECEDENCE
In the event of any conflict or inconsistency between any terms of this DPA, the Developer Agreement, and the Controller-to-Controller SCCs, the provisions of the following documents (in order of precedence) shall prevail: (a) the Controller-to-Controller SCCs, (b) this DPA, and (c) the Developer Agreement.
ANNEX B TO THE CONTROLLER-TO-CONTROLLER SCCS
Individuals whose personal data is contained in the data provided to the data importer in accordance with the Developer Agreement.
Purposes of the transfer(s)
To permit the data importer to use the data in accordance with the Developer Agreement.
Categories of data
The recipients of the personal data are as specified in the data importer’s Developer Agreement with Hootsuite.
Sensitive data (if appropriate)
Data protection registration information of data exporter (where applicable)
Additional useful information (storage limits and other relevant information)
Contact points for data protection enquiries
Contact point for the data importer shall be the email address associated with the data importer’s application or developer account with Hootsuite. Contact point for Hootsuite shall be Hootsuite Inc., Attn: Legal Department, 5 East 8th Avenue, Vancouver, BC, V5T 1R6, Canada.