Client Data Protection Agreement
This Data Protection Agreement (DPA) shall amend and apply to all agreements for Services provided by Kantar to Client that reference and incorporate this DPA (Agreement) and to the extent that Supplier Processes Customer Personal Data (as defined below). The parties agree that from the effective date of the Agreement, or if later, the effective date on which the Parties amend the Agreement to add this DPA, these terms will supplement existing privacy and data protection terms contained in the Agreement, however this DPA shall prevail to the extent set out below.
The Parties agree as follows:
Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below unless the context otherwise requires:
1.1 Affiliate means, in respect of Kantar, any entity (excluding Europanel) which, from time to time both: (i) directly or indirectly through one or more intermediaries, Controls, or is Controlled by, or is under common Control of, Client; and (ii) is trading as Kantar (and Kantar Affiliate shall be construed accordingly); and, in respect of Client, any entity, which is Controlled by Client (and Client Affiliate shall be construed accordingly).
1.2 Client Personal Data means any Personal Data Processed by a Sub-processor (as a Processor) on behalf of the Client (as Controller) pursuant to the Agreement/
1.3 Control means, in respect of any entity: (i) possession, direct or indirect through one or more intermediaries, of the power to direct the management or policies of such entity, whether through ownership of voting securities, by contract relating to voting rights, or otherwise; or (ii) ownership, direct or indirect through one or more intermediaries, of more than 50% percent of the outstanding voting securities or other ownership interest of such entity (and Controls and Controlled shall be construed accordingly).
1.4 Data Processing Particulars means such template attached in Annex 1 that describes the Processing carried out in connection with the Agreement. The Data Processing Particulars will be completed and annexed to the relevant SOW
1.5 Data Protection Laws means EU Data Protection Laws and UK Data Protection Laws including any applicable delegated acts adopted by the European Commission and any applicable national legislation made under or otherwise adopted by Member States of the European Economic Area pursuant to specific rights or powers contained within the GDPR, together with any replacement legislation or any equivalent legislation of any other applicable jurisdiction and all other applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data and privacy
1.6 EU Data Protection Laws means the GDPR and laws implementing or supplementing the GDPR, the Privacy and Electronic Communications Directive 2002/58/EC and any other applicable laws relating to the processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by a relevant regulator in relation to such applicable laws in each case as amended, repealed or replaced from time to time
1.7 GDPR means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
1.8 Independent Auditor means an auditor from PWC, Deloitte, KPMG or Ernst & Young or another mutually agreeable internationally recognised auditing firm that is not employed on a contingency basis
1.9 International Data Transfer Agreement or UK IDTA means the Restricted International Transfer Agreement required under UK Data Protection Laws for new Processing arrangements entered into from 21 March 2022 (as amended or replaced from time to time) (and a separate UK Addendum) when Kantar requires to transfer Client Personal Data from the UK to processors established in Third Countries
1.10 Kantar Data Protection and Security Charter means the description of technical and organisational security measures to be implemented by a Data Importer, as updated from time-to-time
1.11 Personnel means either Party’s stakeholders, directors, employees, agents, consultants, subcontractors, Contracted Processors, Sub-processors or other persons authorised by (i) either Party; (ii) their Affiliates; and / or (iii) their subcontractors engaged in the provision of Services
1.12 Restricted International Transfer means a transfer of personal data between Kantar Affiliates established in: (i) a country that is deemed adequate (by the European Commission or any other competent body for the purposes of Data Protection Laws) and Third Countries, (ii) any Third Country to another Third Country.
1.13 Restricted International Transfer Agreement means the relevant standard contractual clauses (such as the Standard Contractual Clauses or the International Data Transfer Agreement) or any other standard or non-standard contractual clauses required under Data Protection Laws (as amended or replaced from time to time)
1.14 Standard Contractual Clauses means the standard contractual clauses (adopting the appropriate module as per the relationship of the Parties) approved by European Commission decision 2021/914 on standard contractual clauses for the transfer of Personal Data to processors established in Third Countries, as amended or replaced from time to time
1.15 Sub-processor means any Kantar Subcontractor or Kantar Affiliate appointed as set out in clause 4 (Sub-processors) to Process Client Personal Data on behalf of Client in connection with the Agreement
1.16 UK Addendum means a separate UK addendum to be used in conjunction with the Standard Contractual Clauses if there is also a Restricted International Transfer under Standard Contractual Clauses that includes the UK.
1.17 UK Data Protection Laws means the GDPR as transposed into United Kingdom domestic law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in the United Kingdom in each case as amended, repealed or replaced from time to time.
1.18 The terms, Commission, Controller, Data Subject, Member State, Personal Data, Processing, Processor, Supervisory Authority and Third Country shall have the same meaning as in Data Protection Laws, and their cognate terms shall be construed accordingly.
1.19 For the purposes of this DPA:
1.19.1 any reference to Parties shall be to the relevant parties to the relevant SOW (and Party shall mean any one of them)
1.19.2 any references to Client shall mean the relevant Client Affiliate that is a party to that SOW; and
1.19.3 any references to Kantar shall mean Kantar and, in respect of any SOW, the relevant Kantar Affiliate that is a party to that SOW.
2. PROCESSING OF PERSONAL DATA
2.1 The Parties acknowledge and agree that Kantar may act as an independent Controller in the provision of the Services and Kantar agrees that it shall meet the requirements of relevant Data Protection Laws in its role as an independent Controller. The Parties agree that other than the obligations in this clause 2.1, Kantar in its role as an independent Controller is not bound by any other obligation set out in this DPA.
2.2 Except as set out in clause 2.1, the Parties acknowledge and agree that with regard to the Processing of Client Personal Data, Client is the Controller, Kantar is the Processor, and that Kantar or Kantar Affiliates will engage Sub-processors pursuant to the requirements in clause 4 (Sub-processors).
2.3 Kantar shall Process Client Personal Data on behalf of the Client in compliance with the Client’s lawful instructions for the purposes described in Annex 1 (Data Processing Particulars) (Permitted Purposes).
2.4 If such other Processing is required by local applicable law in the relevant Sub-processor country, Kantar shall inform Client of that legal requirement before such Processing, unless that law prohibits this on important grounds of public interest. Notwithstanding the foregoing, Kantar shall not carry out such Processing in the relevant Sub-processor country (including transfer of Client Personal Data to a public authority) unless there is a legal mandate between the Kantar country and the local Sub-processor country for Kantar to carry out such Processing.
2.5 Kantar shall maintain appropriate technical and organisational measures (Kantar Data Protection and Security Charter).
2.6 Kantar shall:
2.6.1 only involve Kantar Personnel to process Client Personal Data under the Agreement who have had appropriate training pertinent to the care and handling of Personal Data
2.6.2 only authorise Kantar Personnel to process Client Personal Data if such person is subject to a duty of confidentiality (whether a contractual duty or a statutory duty or otherwise)
2.6.3 ensure the reliability of Kantar Personnel to whom Kantar has provided access to Client Personal Data.
2.7 The Client warrants that:
2.7.1 it has complied and will continue to comply with Data Protection Laws
2.7.2 its instructions for the Processing of Personal Data shall at all times comply with Data Protection Laws
2.7.3 all Client Personal Data has been and will continue to be collected and processed in accordance with the notice, consent and other requirements of Data Protection Laws (and where applicable, the collection and processing has been notified to the relevant authorities)
2.7.4 it has and will continue to have the right to transfer or provide access to the Client Personal Data to Kantar and the Sub-processors for the Permitted Purpose and that such Processing by Kantar and the Sub-processors will not breach Data Protection Laws
2.7.5 its instructions to Kantar in respect of the Processing of Client Personal Data are lawful and will not create legal or regulatory liability on the part of Kantar or any Sub-processor if followed.
3. RIGHTS OF DATA SUBJECTS
3.1 Kantar shall to the extent legally permitted, notify Client if Kantar receives a request from a Data Subject, third parties, relevant data protection authorities in the relevant local jurisdiction or any other law enforcement authority, to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (right to be forgotten), data portability, right to object to the Processing, or its right not to be subject to automated individual decision making (Data Subject Request).
3.2 Taking into account the nature of the Processing, Kantar shall in accordance with Client’s reasonable instructions, assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws.
3.3 Client shall be responsible for any costs arising from Kantar’s provision of such assistance or Kantar’s compliance with this clause 3.
4.1 Client authorises Kantar and each Kantar Affiliate to use and continue to use Kantar Affiliates and existing Kantar Subcontractors as of the date of this DPA as Sub-processors, subject to Kantar and each Kantar Affiliate in each case meeting the obligations set out in this clause as soon as practicable.
4.2 Kantar shall and shall require Kantar Subcontractors to give Client prior written notice and details of the appointment of any new Kantar Subcontractor or any changes to existing Kantar Subcontractors, including details of the Processing to be undertaken by the new Kantar Subcontractor.
4.3 If, within ten (10) business days of receipt of that notice, Client notifies Kantar in writing of any objections (on reasonable grounds that relate to these DPA terms) to the proposed appointment, Kantar shall take reasonable steps to address the objections raised by the Client and provide Client with a written explanation of the steps taken. During such time Kantar or Kantar Subcontractor shall not appoint such new Kantar Subcontractor until such objections have been addressed.
4.4 If the Parties are unable to resolve Client’s reasonable objections, Kantar shall not make such change and Kantar shall be entitled to suspend or terminate Processing in respect of the relevant Services. Client acknowledges that any suspension or termination of this DPA may prevent Kantar from providing the Services and will entitle Kantar to terminate the Agreement for convenience and apply cancellation charges.
4.5 New Kantar Subcontractors and / or any changes concerning Kantar Subcontractors will be set out in the Data Processing Particulars.
4.6 Kantar shall remain fully liable towards Client for the performance of Sub-processor obligations under this DPA.
5.1 The Parties agree that the audit provisions in the Agreement shall not apply to any audit required under this DPA and that they shall instead comply with the following audit terms:
5.1.1 Kantar permits Independent Auditors appointed by Client to access documented information and relevant facilities at Kantar’s service locations, and to interview relevant Kantar Personnel in order for Kantar to demonstrate that the obligations of Article 28 of the GDPR (or equivalent Data Protection Laws) have been met. Such information derived from the audit shall be deemed (Audit Information).
5.1.2 Independent Auditors shall upon giving Kantar reasonable written notice (minimum thirty (30) calendar days) have supervised and controlled access to relevant facilities at Kantar’s service locations during business hours and they shall use reasonable endeavours to minimise disruption while exercising the rights of audit set out in this clause 5. Client notifying Kantar of the identity of any visiting Independent Auditors to ensure they have entered into appropriate confidentiality agreements beforehand, approved by Kantar (such approval not to be unreasonably withheld or delayed).
5.1.3 Audits shall take place no more than once in any calendar year unless and to the extent that Client (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by Kantar, in which case Client and Kantar will agree timescales for the audit. Costs of the audit, including appointment of the Independent Auditor, will be borne by Client.
5.1.4 Kantar shall reasonably cooperate with Client in relation to any audit request by Client. Unless otherwise set out in this clause 5, audits shall be subject to the confidentiality obligations set forth in the relevant Agreement.
5.1.5 Kantar shall be entitled to reasonable time to review and retain any audit report, prepared by Independent Auditor and to consult the Independent Auditor on the content, prior to the audit report being submitted to Client. For avoidance of doubt, all Audit Information of Kantar obtained by Client or an Independent Auditor pursuant to any audit shall be maintained in confidence by Client and its Independent Auditor and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Client except to the extent necessary to assert or enforce any of the Client’s rights under this DPA or is required to be disclosed by Data Protection Laws, by any Supervisory Authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives Kantar as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause, it takes into account the reasonable requests of Kantar in relation to the content of this disclosure.
5.1.6 Neither the Independent Auditor nor Client shall be permitted to perform penetration tests, vulnerability scans, or otherwise interrogate Kantar’s network or information technology systems.
5.1.7 In no circumstances shall Client or the Independent Auditor have access to:
(a) individual payroll and Kantar Personnel files;
(b) individual expenditure or records relating to Kantar’s business or its other clients;
(c) Kantar’s confidential information or trade secrets;
(d) any of Kantar’s overhead costs; or
(e) Kantar’s server rooms or IT systems.
6. DATA INCIDENT MANAGEMENT AND NOTIFICATION
6.1 Kantar shall notify Client’s relevant business contact without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data, transmitted, stored or otherwise Processed by Kantar or Contracted Sub-processors which results in any actual loss or misuse of Client Personal Data (a Data Incident).
6.2 Kantar shall make reasonable efforts to identify the cause of such Data Incident and take those steps as Kantar deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within Kantar’s reasonable control.
6.3 Kantar shall have no liability for costs arising from a Data Incident.
6.4 If the Client has caused the Data Incident, the Client shall be responsible for costs, including Kantar’s costs, o incurred to rectify the Data Incident, including in circumstances in which such Data Incident arises as a result of the Client’s instructions to Kantar, or if the Client requires Kantar to notify Data Subjects and / or Supervisory Authorities as set out in clause 6.5.
6.5 In the event of a Data Incident, Client shall be responsible for notifying Data Subjects and or Supervisory Authorities, unless the Client has instructed Kantar to do so or Kantar is otherwise required to do so under Data Protection Laws. Before any such notification is made, Client shall consult with and provide Kantar an opportunity to comment on any notification made in connection with a Data Incident.
7. RETURN AND DELETION OF CLIENT PERSONAL DATA
7.1 Kantar shall, at any time on the Client’s request delete (so far as is reasonably practicable and other than any back-up copies) or return all Client Personal Data except that this requirement shall not apply to the extent that:
7.1.1 Kantar or Kantar Affiliates are required to retain Client Personal Data for compliance with applicable laws or regulatory requirements.
7.1.2 Client Personal Data is required by Kantar to comply with any continuing obligations under the Agreement.
7.1.3 Client Personal Data is archived on back-up systems, provided that such copies are kept confidential and secure in accordance with the relevant Agreement terms.
8. LIMITATION OF LIABILITY
Each Party and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to a breach of its obligations under this DPA, whether in contract, tort or under any other theory of liability is subject to the liability terms in the Agreement, and any reference in such terms to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement.
9. DATA PROTECTION IMPACT ASSESSMENT
Upon Client’s request, Kantar shall provide Client with reasonable cooperation and assistance, at Client’s cost, needed to fulfil Client’s obligation to carry out a data protection impact assessment (DPIA) (to the extent Controller does not otherwise have access to the relevant information, and to the extent such information is available to Kantar), to allow the Client to comply with its obligations as a Controller in relation to data security and DPIA and any related consultations under Data Protection Laws.
10. RESTRICTED INTERNATIONAL TRANSFERS AND PROCESSING IN THIRD COUNTRIES
10.1 The Restricted International Transfer Agreement terms shall apply on commencement and to the extent, of any Restricted International Transfer, including to any Sub-processors.
10.2 The Parties acknowledge that their compliance with the preceding clause, does not obviate the need to take other steps to justify Restricted International Transfers where necessary under national Data Protection Laws, which may include as appropriate: (i) carrying out a transfer risk assessment / transfer impact assessment as the case may be; (ii) entering into additional supplementary security measures arising from the transfer risk assessment / transfer impact assessment (iii) notifying or obtaining the consent of the Data Subjects whose Personal Data is transferred; or (iv) where required, notifying or obtaining the prior approval of applicable Supervisory Authorities; or (v) where required, notifying or obtaining the prior approval of works councils or similar employee representatives and the Parties shall resolve to comply with such other steps and procure that they are documented as appropriate. Nothing in the DPA shall be construed to prevail over any conflicting clause of any Restricted International Transfer Agreement.
11. GOVERNING LAW
The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, and this DPA and is governed by the laws of the country or territory stipulated for this purpose in the Agreement.
DATA PROCESSING PARTICULARS TEMPLATE
This Annex 1 describes Processing that Kantar will perform on behalf of the Client in order to provide the Services as set out in the Agreement, as required by Article 28(3) GDPR or provisions in equivalent Data Protection Laws. In accordance with clause 2.3 (Processing of Personal Data), completed Data Processing Particulars will be provided with the relevant SOW.
(1) Controllers / Data Exporter [insert Client Affiliate name]
(2) Processor / Data Importer [insert Kantar Affiliates names]
[Insert Kantar Subcontractors]
(3) Subject matter [Insert description of Services Kantar is required to provide]
The Client requires Kantar to [TO DO WHAT?].
Client will provide Client Personal Data to Kantar who will make such Client Personal Data available to the Sub-processors [WHY?]
(4) Duration of Processing From [ ] to [ ]
(5) Purpose and nature of Processing [insert paragraph for each processor who is required to contribute to the provision of Services. If Client’s customer has to provide Services start there. Next Kantar, Kantar Affiliate and so on as set out below]
(i) Client will provide Kantar will access to Client Personal Data in [INCLUDE TOOL IN WHICH DATA WILL BE PROVIDED] | [WHERE?]
(ii) Kantar will arrange for Sub-processor Personnel to access the Client Personal Data where it lies in order to carry out the Processing activities below.
(iii) Kantar Affiliate will [ ]
(iv) Kantar Subcontractor will [ ]
(v) Details of [REPORTING?]
(6) Processing activities [Delete data types that don’t apply and / or add new processing activities that apply]
Viewing, receiving, accessing, storing, recording, modifying, correcting, enriching, deleting [ANYTHING ELSE?] in order to provide the Services to Client
(7) Types of Client Personal Data [Delete data types that don’t apply and / or add new data types. Delete from the bottom of each paragraph. For example start from (a) (vi) and move up so that you maintain the numbering structure]
Client personal data to be processed concerns Data Subjects’:
(ii) economic and financial
(iii) nationality and citizenship
(v) personal preference and interest
(b) Habits and activities:
(ii) consumed resources
(c) Identity of Data Subject:
(i) Client identification
(ii) identification number
(iii) personal identification (provided by Client (passport; driving licence, HMRC, social security identification)
(i) online access and authentication details
(ii) online connection and network connectivity data
(iii) online identifier
(iv) full name
(v) technology identifiers
(vi) telephony and IT Systems
(d) Location of Data Subject
(i) appointments, schedules, calendar entries
(iii) physical location
(e) Capabilities and qualifications
(i) education and professional qualifications / certificates
(ii) professional and employment and business information and experience
(iii) professional affiliations
(f) Client HR
(i) HR information about Client Personnel
(g) User/Systems data
(i) User and system data in Kantar’s sub-processors’ systems holding Client Personal Data.
(8) Special category Client Personal Data [Delete option that doesn’t apply]
Client Personal Data will contain the following special category data revealing Data Subjects’:
(a) racial or ethnic origin
(b) political opinions
(c) religious or philosophical beliefs
(d) trade union membership
(e) genetic or biometric data
(f) data concerning health
(g) sex life or sexual orientation
(h) allegations, proceedings or convictions (this is not special category data however there are similar rules and safeguards for processing this type of data (Art 10 GDPR)).
There will be no special category data.
(9) Data Subjects [List types of Data Subjects here, i.e., “Customers of the Client”]
The Processing activities required to perform the Services will be carried out using the Sub-processors in the table below.
Name of Sub-processors Address of Sub-processor Territory where Processing will be carried out Indicate whether Restricted International Transfer Agreement is in place if Processing is carried out in a Third Country (Y / N) Processing activities
Kantar Affiliate full company name XXXXXXXX XXXXXXXX Y As set out in paragraph (5)(SUBSECTION?)
Kantar subcontractor full company name XXXXXXXX XXXXXXXX Y As set out in paragraph (5)(SUBSECTION?)
KANTAR DATA PROTECTION AND SECURITY CHARTER - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Kantar shall maintain appropriate technical and organisational measures (Kantar Data Protection and Security Charter) and shall:
(a) provide such assistance as Client may require for the purpose of Client, and (where applicable) the Client's compliance with their obligations under Data Protection Laws, to protect the Client Personal Data against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration, unauthorised disclosure of, or access to, Client Personal Data
(b) process the Client Personal Data in accordance with the relevant Data Protection Laws
(c) maintain confidentiality and integrity of Client Personal Data, including but not limited to compliance with the Agreement
(d) adopt suitable technical safeguards, such as the pseudonymisation and encryption of Client Personal Data where appropriate
(e) adopt measures to ensure the ongoing, availability and resilience of Kantar’s systems and services
(f) adopt a process for regularly testing, assessing and evaluating the effectiveness of the Kantar Data Protection and Security Charter for ensuring the security of the processing of Client Personal Data.
RESTRICTED INTERNATIONAL TRANSFER AGREEMENTS
(Provided for reference)
UK Controller to Processor and Processor to Processor Restricted International Transfer Agreement
EU Controller to Processor and Processor to Processor Restricted International Transfer Agreement
EU Processor to Controller and Controller to Controller Restricted International Transfer Agreement