Circana Data Protection Addendums (DPA)

V3 July 2024

 

NORTH AMERICA DATA PROTECTION ADDENDUM (DPA)

This DPA is incorporated by reference into the Agreement entered into by and between you, the Client (as defined in the Agreement) (collectively, “you”, “your”, “Client”), and the Circana, LLC entity named in the Agreement (“Circana”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Client Personal Data by us solely on behalf of the Client. Both parties to this DPA shall be referred to as the “Parties” and each, a “Party”.

In consideration of the mutual obligations hereto, the Parties agree that the terms of this Addendum will apply to the Services (defined below) to the extent set forth herein. The Agreement will remain in full force and effect except as modified below. 

 

1. Definitions

1.1. In this Addendum, the following terms will have the meanings set out below:

(a) “Aggregate Data” means information that relates to a group or category of Data Subjects or households, from which individual identities have been removed and which is not linked or reasonably linkable to any consumer or household (including via a device). Aggregate Data does not include data that has been deidentified or pseudonymized.

(b) “Agreement” means the existing agreement(s), order(s), purchase orders, statements of work, and/or other commercial arrangement(s), pursuant to which Circana provides products and services to Client and includes any exhibits and/or amendments thereto.

(c) “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the respective Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

(d) “CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).

(e) “Client Personal Data” means any Personal Data Processed by Circana or a Subprocessor on behalf of Client pursuant to or in connection with the Services subject to Data Protection Laws.

(f) “Data Breach” means any known unauthorized access to, or use, disclosure or other Processing of a Party’s Personal Data that compromises the security of that Party’s Personal Data.

(g) “Data Protection Laws” means all national, federal, state, and local, cybersecurity and data protection laws applicable to the Processing of Personal Data under this Addendum, together with any implementing or supplemental rules and regulations, each as amended, including but not limited to the CCPA, to the extent applicable.

(h) “Data Subject” means the individual to whom the Personal Data relates.

(i) “Deidentified Data” means data that (i) is not linked or reasonably linkable to, and cannot reasonably be used to infer information about, a particular Data Subject, household, or personal or household device; and (ii) is subject to reasonable measures to ensure that such data cannot be associated with a particular Data Subject or household (including any personal or household device), including by any recipient of such data.

(j) “Personal Data” means any information that relates to an identified or identifiable natural person, or is otherwise linked or reasonably linkable to a particular Data Subject or household (including any personal or household device), as well as other information defined as “personal data,” “personal information” or equivalent term under applicable Data Protection Laws.

(k) “Process” or “Processing” means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

(l) “Services” means the products, services and other activities to be supplied to or carried out by or on behalf of Circana for Client.

(m) “Subprocessor” means any person (including any third party and any Circana Affiliate but excluding an employee of Circana) appointed by or on behalf of Circana that Processes Client Personal Data.

1.2. Capitalized terms not otherwise defined herein will have the meaning set forth in the Agreement. 

 

2. Processing of Client Personal Data

2.1. The parties agree that Client discloses the Personal Data to Circana for the specific and limited purposes set forth in Annex 1 hereto.

2.2. Circana and Client will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and Circana shall provide the same level of privacy protection as is required by Data Protection Laws and this Addendum; and (ii) only Process Client Personal Data for the purposes set forth in Annex 1 and as otherwise permitted or required pursuant to the Agreement or applicable Data Protection Laws.

2.3. If Circana believes it will be unable to comply with Data Protection Laws, Circana will promptly notify Client. Without limiting the foregoing, Circana will grant Client the right to take reasonable and appropriate steps: (i) to help ensure that Circana uses Personal Data transferred in a manner consistent with Client’s obligations under Data Protection Laws; and (ii) to, upon notice, stop and remediate any unauthorized use and Processing of Personal Data.

2.4. Annex 1 to this Addendum sets out a description of the Processing of Client Personal Data, including the subject matter and duration of the Processing, the specific and limited purposes for the Processing, the type of Personal Data Processed, and the categories of Data Subjects subject to such Processing.

 

3. Deidentified Data 

Circana may use and disclose Deidentified Data related to the business and the Services to provide the Services and for quality control, analytics, research, development, and other purposes. Where Circana uses, discloses, or processes Deidentified Data, Circana will maintain and use the information in deidentified form and not attempt to reidentify the information, except as permitted pursuant to Data Protection Laws. Circana agrees to contractually obligate any recipients of such Deidentified Data to comply with this Section 3. The parties agree that Deidentified Data is not Client Personal Data. For purposes of clarity, Aggregate Data does not constitute Deidentified Data, and this Section 3 shall not apply to the use and/or disclosure of Aggregate Data.

 

4. Personnel

Circana will take reasonable steps to ensure the reliability of any employee, personnel, agent or contractor who may have access to Client Personal Data, ensuring in each case that (i) access is strictly limited to those individuals who need to know / access the relevant Client Personal Data for the purposes of the Services and to comply with applicable laws, and (ii) such employees, personnel, agents or contractors are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

 

5. Security 

5.1. Circana shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

 

6. Data Subject Rights and Reasonable Cooperation

6.1. The Parties will provide reasonable support and assistance as necessary to enable one another to comply with their obligations under Data Protection Laws, as set forth in this Section 6.

6.2. Taking into account the information available to the Parties, the Parties will:

6.2.1. Promptly notify one another if either Party receives a request from a Data Subject or a regulatory or supervisory authority under any Data Protection Laws in respect of the other Party’s Personal Data, and: (i) not respond to such request, unless required by applicable law to which that Party is subject; and (ii) provide reasonable assistance, to the extent possible, as necessary to enable the other Party to comply with its obligations under Data Protection Law to respond to such requests. 

6.2.2. Provide reasonable assistance as requested with any data protection impact assessments, prior consultations with, or other notification or similar obligations to Supervisory Authorities or other competent data privacy authorities, which either Party reasonably considers to be required by Data Protection Law.

 

7. Data Breach

7.1. Each Party will notify the other Party without undue delay upon becoming aware of a Data Breach. The Parties will cooperate and timely agree on commercially reasonable steps to promptly investigate and remediate the Data Breach, as well as to satisfy any notifications to regulators or to Data Subjects which are required following a Data Breach.

 

8. Deletion of Client Personal Data 

8.1. Subject to Section 8.2, Circana will delete Client Personal Data within sixty (60) calendar days of cessation of the Services.

8.2. Notwithstanding Section 8.1, Circana may retain Client Personal Data for an additional period of time only to the extent and for such period as required by applicable law.

 

9. Audit rights

9.1. Upon Client’s written request, and to the extent required by Data Protection Laws, Circana shall provide Client with information reasonably necessary to demonstrate compliance with its obligations set forth in this Addendum and applicable Data Protection Laws. Such information may include the most recent reports, certificates, and/or extracts pursuant to Circana’s ISO27001 or similarly held industry certification.

9.2. Such written requests under Section 9.1 shall be limited to no more than once per any twelve (12) calendar month period.

9.3. Any information provided by Circana to Client in accordance with this Section 9, shall be considered confidential information of Circana and subject to the confidentiality obligations in the Agreement. Client shall maintain Circana confidential information in the strictest confidence. Client agrees to restrict access to Circana confidential information only to those Client personnel who (i) have a business need to have access to such confidential information and (ii) are bound by a duty of confidentiality.

 

10. General Terms

10.1. Order of precedence. In the event of a conflict between the terms of the Agreement and this Addendum, this Addendum will control.

10.2. Changes in Data Protection Laws. If any variation is required to this Addendum as a result of a change in Data Protection Laws, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Addendum to address such changes.

10.3. Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

ANNEX 1: DESCRIPTION OF PROCESSING 

This Annex 1 to the Addendum includes certain details of the Processing of Client Personal Data as may be required by applicable Data Protection Laws. The obligations of the Parties are set out in the Addendum and the Agreement.

 

1. Subject Matter and Duration

The subject matter and duration of the Processing of Personal Data:

· The subject matter and duration of the Processing of Personal Data are set out in the Agreement.

2. Business Purposes

The specific and limited purposes for the Processing of Personal Data include:

· The Services, as defined in the Agreement, and as otherwise necessary to perform the obligations under the Agreement.

3. Personal Data

The types of Personal Data to be Processed include:

· Identifiers, such as tokenized loyalty (FSP) card numbers

· Pseudonymized data including: indirect identifiers, demographic data, transactional data

· Other Personal Data as listed in the Agreement

4. Data Subjects

The categories of Data Subjects to whom Personal Data relates include:

· Customers of Client

 

V2 Jan 2024

 

GDPR DATA PROTECTION ADDENDUM (“DPA”)

This DPA is incorporated by reference into the Agreement entered into by and between you, the Client (as defined in the Agreement) (collectively, “you”, “your”, “Client”), and the Circana, LLC entity named in the Agreement (“Circana”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Client Personal Data by us solely on behalf of the Client. Both parties to this DPA shall be referred to as the “Parties” and each, a “Party”.

In consideration of the mutual obligations hereto, the Parties agree that the terms of this DPA will apply to the Services to the extent set forth herein. The Agreement will remain in full force and effect except as modified below. 

 

1. Definitions

1.1. In this DPA, the following terms will have the meanings set out below:

(a) “Agreement” means the existing agreement(s), order(s), purchase orders, statements of work, and/or other commercial arrangement(s), pursuant to which Circana provides products and/or services to Client and includes any exhibits and/or amendments thereto.

(b) “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the respective Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

(c) “Client Personal Data” means Personal Data subject to Data Protection Laws provided by Client and Processed by Circana (or a Subprocessor on behalf of Circana) under this DPA;

(d) “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

(e) “Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data;

(f) “Data Protection Laws” means all laws relating to the protection of personal data and the privacy of natural or legal persons applicable to the Processing of Client Personal Data under this DPA, including (in each case as applicable) the GDPR and the UK GDPR and any national legislation supplementing or derogating from the foregoing;

(g) “Data Subject” means the individual to whom the Personal Data relates;

(h) “GDPR” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council;

(i) “Personal Data” means any information relating to an identified or identifiable natural person, as well as other information defined as “personal data,” “personal information” or any equivalent term under applicable Data Protection Laws;

(j) “Process” or “Processing” means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data;

(k) “Processor” means a natural or legal person who Processes Personal Data on behalf of a Controller;

(l) “Pseudonymised Data” means data that can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately by Client and in no circumstances provided to Circana, and is subject to Client’s technical and organizational measures to ensure that such data is not attributed to an identified or identifiable natural person (also known as Pseudonymisation under GDPR);

(m) “Restricted Transfer” means a transfer of Personal Data, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses and (as applicable) the UK Addendum;

(n) “Services” means the products, services and other activities to be supplied to Client and carried out by or on behalf of Circana for Client under the Agreement;

(o) “Standard Contractual Clauses” means the EU standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to processors established in third countries (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers), as may be amended or replaced from time to time;

(p) “Subprocessor” means any person (including any third party and any Circana Affiliate, but excluding an employee of Circana) appointed by or on behalf of Circana that Processes Client Personal Data;

(q) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as may be amended or replaced from time to time; and

(r) “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

1.2. Capitalized terms not otherwise defined herein will have the meaning set forth in the Agreement. Unless otherwise stated, the use of the term “including” shall be interpreted to mean “including, without limitation”.

 

2. Supply and Processing of Client Personal Data

2.1. Unless Client has obtained express consent from Circana in writing agreeing otherwise, Client will provide only Pseudonymised Data to Circana and will not provide any additional information that would enable such data to be attributed to an identified or identifiable natural person.

2.2. Client and Circana will comply with their obligations as a Controller and as a Processor (respectively) under all applicable Data Protection Laws in relation to the Processing of Client Personal Data.

2.3. Client instructs Circana to Process Client Personal Data as necessary for the provision of the Services. Circana will only Process Client Personal Data on Client’s documented instructions (as included in the Agreement), except to the extent further Processing is required or permitted by Data Protection Laws or other applicable laws to which Circana is subject, in which case Circana will inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

2.4. Circana will inform Client if, in its opinion, any Processing instruction from Client infringes applicable Data Protection Laws.

2.5. Annex 1 to this DPA sets out a description of the Processing of Client Personal Data, including the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data Processed, and the categories of Data Subjects subject to such Processing.

2.6. Circana may Process data related to the Services (including data generated through the anonymization of Client Personal Data) for its own purposes, including for quality control, analytics, research and development.

 

3. Personnel 

Circana will take reasonable steps to ensure the reliability of any employee, personnel, agent or contractor who may have access to Client Personal Data, ensuring in each case that (i) access is strictly limited to those individuals who need to know / access the relevant Client Personal Data for the purposes of the Services and to comply with applicable laws, and (ii) such employees, personnel, agents or contractors are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

 

4. Security 

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Circana will in relation to the Client Personal Data implement appropriate technical and organizational measures that ensure a level of security appropriate to that risk; such measures will comply with applicable Data Protection Laws, and at a minimum meet the requirements set forth in Annex 2 to this DPA. Circana will provide reasonable cooperation and assistance to Client to ensure it can meet its security obligations under applicable Data Protection Laws.

4.2. In assessing the appropriate level of security, Circana will take account of the risks that are presented by Processing, in particular from a Data Breach. 

 

5. Subprocessing 

5.1. Client agrees that Circana is authorized to use Subprocessors (a list of which is set out in Annex 1) to Process Client Personal Data, provided that Circana ensures that each Subprocessor is bound by data protection obligations substantially similar to this DPA.

5.2. Client may object in writing to Circana’s appointment of a Subprocessor within ten (10) business days of notification, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. For the purposes of this Section 5.2, notification will be given by Circana to all email addresses that have registered to be notified of Subprocessor changes at privacy@circana.com.

 

6. Data Subject Rights and Reasonable Cooperation

6.1. Taking into account the nature of the Processing and the information available to Circana, Circana will:

6.1.1. Promptly notify Client if Circana receives a request from a Data Subject or a regulatory or supervisory authority under any Data Protection Laws in respect of Client Personal Data, and: (i) not respond to such request, unless required by applicable law to which Circana is subject; and (ii) provide reasonable assistance to the Client, to the extent possible, as necessary for Client’s fulfilment of its obligations under Data Protection Law in relation to such request.

6.1.2. Provide reasonable assistance as requested by Client with any data protection impact assessments, prior consultations with, or other notification or similar obligations to Supervisory Authorities or other competent data protection authorities, which Client reasonably considers to be required by Data Protection Law.

 

7. Data Breach

7.1. Circana will notify Client without undue delay upon becoming aware of a Data Breach. Circana will provide Client with information requested by Client, to the extent that information is available to Circana, that Client needs to meet its obligations under Data Protection Laws with respect to the Data Breach.

 

8. Deletion or return of Client Personal Data 

8.1. Subject to Section 8.2, Circana will promptly and in any event within thirty (30) calendar days of cessation of the Services cease Processing the Client Personal Data and, at the choice of Client, either return or delete all copies of Client Personal Data. Where Client requests the return of such data, such return will be by secure file transfer in such format as is reasonably notified by Client to Circana.

8.2. Notwithstanding Section 8.1, Circana may retain Client Personal Data for an additional period of time only to the extent and for such period as required by applicable law; Circana will ensure the ongoing confidentiality of all such Client Personal Data and ensure that such data is only Processed as necessary to satisfy applicable law.

 

9. Audit rights

9.1. Upon Client’s written request, Circana shall provide Client with information reasonably necessary to demonstrate compliance with its obligations set forth in this DPA. This information shall consist of permitting examination of the most recent reports, certificates, and/or extracts prepared by an independent auditor pursuant to Circana’s ISO27001 or similarly held industry certification.

9.2. In the event the information provided in accordance with Clause 9.1 above is insufficient to reasonably demonstrate compliance, Circana shall permit Client, at Client’s expense, to inspect or audit the technical and organizational measures of Circana for the purposes of monitoring compliance with Circana’s obligations under this DPA. Any such audit or inspection shall be:

9.2.1. limited in scope to matters specific to Client and this DPA;

9.2.2. agreed in advance between the parties in writing, including scope, duration, and start date;

9.2.3. conducted in a way that does not interfere with Circana’s day-to-day business;

9.2.4. during local business hours of Circana and, upon not less than twenty (20) business days advance written notice, unless, in Client’s reasonable belief an identifiable, material non-conformance has arisen;

9.2.5. limited to no more than one per any twelve (12) calendar month period, except if required by instruction of a competent regulator; and

9.2.6. considered confidential information of Circana and subject to the confidentiality obligations in the Agreement, or where a third-party auditor conducts the audit, such third-party auditor must be a professional bound by a duty of confidentiality or subject to a suitable non-disclosure agreement. Client shall maintain Circana confidential information in the strictest confidence. Client agrees to restrict access to Circana confidential information only to those Client personnel who (i) have a business need to have access to such confidential information and (ii) are bound by a duty of confidentiality.

 

10. Restricted Transfers 

10.1. To the extent a transfer by Client to Circana is a Restricted Transfer, the Parties hereby enter into the Standard Contractual Clauses, which are expressly incorporated into and form part of this DPA, in the form specified in Annex 3 to this DPA.

10.2. If a transfer to the United Kingdom is subject to the GDPR and becomes a Restricted Transfer due to the withdrawal, revocation or non-renewal of Commission Implementing Decision of 28th June 2021 by the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom, the Parties agree that Section 10.1 will apply.

10.3. To the extent that a transfer of Client Personal Data by Circana to any of its Sub-processors is a Restricted Transfer, Circana will undertake to enter into the relevant Standard Contractual Clauses with its Sub-processor.

 

11. General Terms

11.1. Order of precedence. Nothing in this DPA reduces the obligations under the Agreement in relation to the protection of Personal Data or permits Circana or any Circana Affiliate to Process (or permit the Processing of) Personal Data in a manner prohibited by the Agreement. Conflicts or inconsistencies will be resolved as follows: (i) in any conflict between the terms of the Agreement and this DPA, this DPA will control; and (ii) in any conflict between the terms of the Standard Contractual Clauses and the other terms of this DPA or the Agreement, the Standard Contractual Clauses shall control to the extent applicable.

11.2. Changes in Data Protection Laws. If any variation is required to this DPA as a result of a change in Data Protection Laws, including any variation which is required to the Standard Contractual Clauses, then Circana may provide notice to Client of that variation, which shall take effect upon receipt by Client.

11.3. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

11.4. Governing law. This DPA shall be governed by the laws specified in the Agreement, except for the Standard Contractual Clauses, which shall be governed by the laws specified in Annex 3.

 

ANNEX 1: DESCRIPTION OF PROCESSING 

This Annex 1 to the DPA includes certain details of the Processing of Client Personal Data as may be required by applicable Data Protection Laws. The obligations of the parties are set out in the DPA and the Agreement.

1. Subject Matter and Duration

The subject matter and duration of the Processing of Personal Data:

· The subject matter and duration of the Processing of Personal Data are set out in the Agreement.

 

2. Processing Operations

The nature and purpose of the Processing of Personal Data includes:

· The Services, as defined in the Agreement, and as otherwise necessary to perform the obligations under the Agreement.

 

3. Personal Data

The types of Personal Data to be Processed include:

· Pseudonymised Data including:

· Indirect identifiers, tokenized loyalty account numbers;

· Demographic data;

· Transactional data

 

4. Data Subjects

The categories of Data Subjects to whom Personal Data relates include:

· Customers of Client

 

5. Applied Restrictions or Safeguards for Sensitive Data

n/a

 

6. Authorized Subprocessors

 

Circana has appointed the following Subprocessors:

Name: The Circana Group

Address: 203 North LaSalle Street, Suite 1500, Chicago, IL, 60601, USA

Description of processing: Provide technical and customer support to processor which may involve processing ad hoc personal data only

Name: Harman International

Address: 400 Atlantic Street, Stamford, CT, 06901, USA

Description of processing: Load, process and validate data into the AIP and reporting solutions

Name: GenPact

Address: New York: 521 5th Ave, 14th Floor, New York, NY 10175

Description of processing: Ongoing delivery and administration of solutions

 

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

Circana will have in place technical, physical, and organizational security measures that meet the requirements set forth in this Annex 2 to the DPA. 

 

1. Circana has implemented commercially reasonable technical and organizational measures for protecting Client Personal Data, including with respect to its relevant information processing systems, and reasonable and appropriate technical, physical and administrative measures will be maintained to protect Client Personal Data under Circana’s possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, including:

(a) employees and other personnel that regularly handle Personal Data receive privacy and security appropriate to their responsibilities;

(b) documented policies, procedures and processes for managing the security risks related to Processing of Client Personal Data;

(c) devices, systems, facilities and assets that Process Client Personal Data (“assets”), and that are material to the provision of the Services to the Client are identified and managed;

(d) security risks are identified, and are assessed regularly;

(e) access to assets is limited to authorized users;

(f) access logs are collected and reviewed as appropriate;

(g) remote access to assets is restricted and securely managed;

(h) Client Personal Data is physically and logically separate from the Personal Data of other clients;

(i) electronic and paper records containing Client Personal Data are securely destroyed in accordance with secure destruction policies and procedures;

(j) appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity and availability of Client Personal Data;

(k) maintenance and repair of information system components is performed in a controlled and secure manner;

(l) incident response processes and procedures are maintained to provide for timely identification of, response to, and mitigation of detected Data Breaches; and

(m) backups and disaster recovery processes are in place.

2. Reasonable steps will be taken in an effort to ensure the reliability of personnel having access to Client Personal Data. 

3. Appropriate due diligence will be conducted on Subprocessors to ensure that each is capable of providing an appropriate level of protection for Personal Data. 

 

ANNEX 3: DATA TRANSFERS

1. If and to the extent of a Restricted Transfer by Client to Circana, the parties agree that Module 2 of the Standard Contractual Clauses shall apply, subject to the following:

· Client shall be the data exporter and Controller;

· Circana shall be the data importer and Processor;

· Optional Clause 7 (Docking clause of Module 2) shall not apply;

· Clause 9 (Use of Subprocessors): Option 2 (General Written Authorization) shall apply in accordance with the Subprocessor Section in this DPA and the “time period” shall be ten (10) business days;

· Optional Clause 11(a) (Redress) shall not apply;

· The following shall apply to Clause 13 (Supervision): Except as otherwise set forth herein, the competent supervisory authority for the purposes of the SCCs shall be as follows: (a) if Client is established in a Member State, paragraph 1 shall apply and the competent supervisory authority shall be the supervisory authority in the EU Member State where Client is established; (b) if Client is not established in an EU Member State but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2), paragraph 2 shall apply and the competent supervisory authority will be the Data Protection Commission, 21 Fitzwilliam Square, D02 RD28 Dublin 2, Ireland; (c) to the extent UK Data Protection Law applies, the UK Information Commissioner’s Office will be the competent supervisory authority; and (d) to the extent any Data Protection Laws apply other than European Data Protection Laws, the primary data protection regulator pursuant to the applicable Data Protection Law will be the competent regulator;

· Clause 17 (Governing Law): Option 1 shall apply, and the specified member state shall be Ireland;

· Clause 18 (Choice of Forum and Jurisdiction): shall specify the Republic of Ireland as the choice of forum and jurisdiction;

· The competent supervisory authority is the Data Protection Commission, 21 Fitzwilliam Square, D02 RD28 Dublin 2;

· The frequency of the transfer is continuous and the period for which the data will be retained shall be consistent with the retention period set forth in the Agreement and this DPA;

· Annex I and II of the EU Standard Contractual Clauses are completed with reference to Annex 1 (Details of Processing of Client Personal Data) and Annex 2 (Technical and Organizational Measures) of this DPA, respectively and executed in all required places by the signatories to this DPA.

2. With respect to any UK Restricted Transfer, the Standard Contractual Clauses (as incorporated by reference) shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum, and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK Addendum is as set out in the Agreement and/or in this DPA. For the purposes of Table 4 of Part 1 to the Addendum, the Parties select the “Importer” and “Exporter” options.
