Last Updated: 16 September, 2022
“Acceptance” means written, oral or other acceptance (including the provision of a purchase order number by Client) by Client of a Proposal or SOW for the Qualitative Services or Deliverables.
“Affiliate” means any legal entity that directly or indirectly: (i) is Controlled by that party; (ii) Controls that party; or (iii) is under substantially common Control and in relation to Kantar is trading as “Kantar” from time to time and under the common Control of Kantar, (but excluding any operating entities trading as Europanel).
“Agreement” means these terms and conditions together with the applicable SOW and any appendices constitutes the entire agreement between the parties.
“Client” means the party to whom Kantar provides the Qualitative Services as per the applicable SOW.
“Client Data” means any Materials provided by the Client to Kantar.
“Completion” means the Qualitative Services are complete and Client has received the Deliverables in accordance with the SOW.
“Confidential Information” means all information, data or material of whatsoever nature in any form, which either party, discloses to the other pursuant to this Agreement (including the Proposal and anything the receiving party creates which is derived from or based upon the information, data or materials disclosed to it by the disclosing party). It shall not include any information or materials which: (a) is in or enters into the public domain (other than as a result of disclosure by the receiving party or any third party to whom the receiving party disclosed such information); (b) were already in the lawful possession of the receiving party prior to the disclosure by the disclosing party; (c) are subsequently obtained by the receiving party from a third party who is free to disclose them to the receiving party; or (d) are required to be disclosed by law or regulatory authority.
“Control” (including “Controlled by” and “under common Control”) as used means the ownership, directly or indirectly, of a majority of the voting shares of such entity or is the ability (directly or indirectly) to appoint a majority of the directors of such entity or the authority to direct the management or policies of such entity, by contract or otherwise. An entity that otherwise qualifies under this definition will be included within the meaning of “Affiliate” even though it qualifies after the execution of this Agreement.
“DPS” means the Data Processing Schedule annexed hereto as Exhibit B.
“Deliverables” means the specific tangible documentation, work product and other materials that are created solely for Client and expressly identified as such in a SOW and delivered to Client by or on behalf of Kantar while performing the Qualitative Services, excluding Respondent Data.
"Feedback" means all suggestions, comments recommendations, improvements or any other feedback based on the Qualitative Services and Deliverables provided by Client to Kantar.
“GDPR” means EU General Data Protection Regulation 2016/679 and the terms: “Controller”, “Data Subject”, “Personal Data”, and “Processing” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
“Intellectual Property Rights” or “IPR” means all trade secrets, patents and patent applications, rights to inventions, copyright (including rights in computer software) and related rights, moral rights, database rights, semiconductor topography rights, utility models, rights in designs, trademarks, service marks, trade or brand names, internet domain names, rights in know-how, rights in confidential information, rights in inventions (whether patentable or not) rights in goodwill or to sue for passing off, and all other intellectual property and proprietary rights and other similar or equivalent rights or forms of protection in each case whether registered or unregistered and including all applications (or rights to apply) for, for renewals and extensions of, such rights as may now or in the future exist anywhere in the world.
“Kantar” means Kantar LLC, or any Affiliate that is a party to a SOW.
“Kantar Materials” means (i) Materials belonging to Kantar which exists at the date of execution of an SOW or issuance of a Client purchase order; (ii) Materials developed by or on behalf of Kantar independently during the Term of an SOW which are not Deliverables and have not been created solely for performance of the Qualitative Services to Client; (iii) Proposals and designs for studies incorporated in a SOW; (iv) data and content developed or collected by or licensed to Kantar prior to or outside the scope of this Agreement or having a generic nature or otherwise being of general applicability to Kantar’s business; and (v) Respondent Data. All copies, reproductions, improvements, modifications, adaptations, translations, Feedback and all other derivative works of, based on or otherwise using any Kantar Materials are themselves also Kantar Materials. As between Kantar and Client, Kantar shall own all Intellectual Property Rights in and to Kantar Materials.
“Materials” means information, output, documents, reports, data, programs, plans, products, advertising materials (including appended data, information databases, calculated scores and specialized database applications), software, algorithms, source code, object code, research tools, product taxonomies and dictionaries, analytical techniques and frameworks, methodologies, norms, formulae, works, questionnaires and template questionnaires, systems, computer programs, including application software, platforms, enhancements, supporting documentation and other work processes and information, whether in hard copy or digital format.
“Professional Fees” means the hourly rates, memorialized in timesheets, charged by Kantar to Client in exchange for provision of the Qualitative Services and/or Deliverables.
“Proposal” means the written proposal and/or quotation (exclusive of VAT unless otherwise stated) provided by Kantar to the Client, which shall be valid for Acceptance for 30 days from the date of issue.
“Public Statement” means to make any advertising, marketing, press releases, correspondence with any third parties or similar external communications that contain the whole or any part of the Deliverables or Qualitative Services.
“Respondents” means individuals responding to market research questions and stimuli and otherwise providing various services to Kantar for the benefit of Kantar’s clients.
“Respondent Data” means all Materials provided by Respondents including answers to survey questions.
“Qualitative Services” means the services provided by Kantar to Client, as specified in the applicable SOW.
“SOW” means the statement of work or Proposal document which sets out the Qualitative Services or Deliverables purchased by Client and their related fees.
“Subcontractor” means any third party to whom Kantar has delegated any function or obligation to provide the Qualitative Services or Deliverables to Client, excluding Kantar’s Affiliates.
“Term” means the agreed minimum period of the Qualitative Services as outlined in the applicable SOW.
“Total Fee” means the fixed amount(s) due to Kantar from Client in exchange for provision of the Qualitative Services and/or Deliverables.
In these terms and conditions, a reference to the singular includes plural and vice versa (unless the context otherwise requires) and the words and expressions “other”, “including” and “in particular” (or any similar word or expression) do not limit the generality of any preceding words.
1 Term and Termination
This Agreement shall commence once Kantar starts providing Qualitative Services or Deliverables and shall continue in effect until the earlier of (i) 1 year or (ii) until terminated in accordance with this Section 1. Either party may terminate this Agreement immediately for cause if a party breaches a material obligation of this Agreement and fails to remedy the breach within 30 days of written notice being given to the breaching party. Either party may terminate this Agreement without cause upon 3 months’ written notice. Upon the termination of this Agreement, Client shall continue to owe and shall remain liable for any and all Qualitative Services rendered, Deliverables delivered and any pre-approved out of pocket expenses incurred on Client’s behalf by Kantar for which Client has not yet rendered payment, including, without limitation, non-cancellable third party charges for Qualitative Services that Kantar has obtained or committed to obtain prior to the effective date of termination.
2 Payment of Fees
2.1 Unless otherwise stated the in the SOW, the invoicing schedule for Qualitative Services shall be as follows: (i) SOW’s with a proposed schedule of less than 60 days shall be invoiced 60% of the Total Fee on Acceptance and 40% of the Total Fee on Completion and (ii) SOW’s with a proposed schedule of greater than 60 days shall be invoiced 70% of the Total Fee on Acceptance and 30% of the Total Fee on Completion.
2.2 All invoices shall be subject to payment within 30 days of receipt. Any late payment shall entitle Kantar to charge interest at a rate of 1.5% per month, or the maximum permitted by law, whichever is higher. Client shall pay the interest promptly on demand. Except where already included within the agreed fees, Kantar shall be entitled to recover reasonable expenses incurred pursuant to the provision of the Qualitative Services. Any such expense recharge invoices shall include a breakdown of all expenses.
2.3 If any amount payable to Kantar is subject to any forms of tax, charge, duty, withholding, deduction, rate, levy and governmental charge (whether national or local) in the nature of tax whatsoever and whenever created, enacted or imposed by any governmental, state, federal, local municipal or other body, together with all related fines, penalties, interest, charges and surcharges, that amount shall be increased so as to ensure that the net amount received by Kantar shall, after tax, be equal to that which would have been received had the payment and any increased payment not been subject to tax.
3 Change, Delay or Cancellation
If Client requests changes to the Qualitative Services or Deliverables, Kantar reserves the right to revise the SOW fees and timelines accordingly. Client shall promptly delivery to Kantar all Client Data reasonably required by Kantar to provide the Qualitative Services and Deliverables. If Client fails to comply with this Section 3, Client shall be liable for any consequential delays and additional costs and expenses incurred by Kantar in providing the Qualitative Services and Deliverables. If a SOW is cancelled or postponed after Acceptance, Professional Fees and out of pocket costs shall be charged. If a SOW is cancelled or postponed within 7 days of field start or after start of fieldwork, then the greater of 50% of Total Fee or Professional Fees and out of pocket costs incurred up to the point of cancellation or postponement shall be charged. If a survey recruitment quota specified in a SOW from a Client-provided list cannot be achieved by Kantar, after exerting commercially reasonable efforts, any cancellation or postponement of such SOW by Client shall result in Client being liable for 100% of the Total Fee outlined in the SOW, in addition to any non-cancellable out of pocket costs already incurred. Upon resuming a postponed project, Kantar may, subject to feasibility of circumstances and taking into account applicability of work performed, prorate apportioned Professional Fees against the SOW.
Kantar may subcontract the Qualitative Services or parts of the Qualitative Services to a Subcontractor in the ordinary course of business, e.g. utilizing Subcontractors for recruiting respondents, facilities and online platforms. Kantar shall be primarily responsible for the performance of the Qualitative Services by any Subcontractor. Nothing in this Agreement shall be construed to create a contractual relationship between Client and any Subcontractor, nor any obligation of Client to pay or to ensure payment of any money due any Subcontractor. Respondents shall not be considered Subcontractors of Kantar in connection with this Agreement and given the nature of the Qualitative Services, Kantar shall not be liable for the acts of Respondents. If Client designates a specific subcontractor, then Kantar shall not be responsible for the accuracy, completeness or quality of the work of that subcontractor.
Each party represents and warrants that: (a) it has the authority to enter into this Agreement and that the performance of its obligations hereunder shall not breach any other contract by which it is bound; and (b) it shall comply with all applicable laws, regulations, rules, codes and judicial orders. Kantar represents and warrants that: (a) it shall comply with the Kantar Code of Conduct and (b) use of the Kantar Materials by Client, used in the manner contemplated by the SOW and in accordance with the terms of this Agreement, shall not infringe any third party IPR. Client represents and warrants that: (a) use of the Client Data by Kantar in the manner contemplated by the SOW shall not infringe the IPR of any third party; (b) it has, or will obtain or grant, in writing (email being sufficient) from either Client, Client’s agent or other Client-authorized third party (as applicable) all necessary consents and approvals required for Kantar to provide the Qualitative Services and/or Deliverables, (c) Client Data provided to Kantar by or on behalf or Client, and advertising, promotional and marketing activities in connection with the use of the Qualitative Services and/or Deliverables, shall not be deceptive, misleading, obscene, defamatory, illegal, unethical or otherwise violate the rights of a third party and (d) in the event that Client provides Kantar recruitment lists for any commissioned studies, all contact information shall be accurate and up to date. Except for the express warranties in this Agreement, each party hereby disclaims all warranties, whether express, implied, statutory or other, under or in connection with this Agreement, or any subject matter hereof.
6 Ownership and Public Statements
6.1 Client has and reserves and retains, sole and exclusive ownership of all right, title and interest in and to the Client Data, including all IPR arising or relating to the Client Data. Client Data is the Confidential Information of Client. Client grants Kantar a perpetual, worldwide, royalty-free, irrevocable license to use, perform, display, execute, distribute, transmit, copy, modify (including create derivative works), import, Client Data solely for the purposes of performing the Qualitative Services or delivering the Deliverables. Kantar may not disclose Client Data in a manner which identifies Client, except to a publisher with whom Client has chosen to use the Qualitative Services. All other rights in and to the Client Data are expressly reserved by Client.
6.2 Kantar reserves sole and exclusive ownership of all right, title and interest in and to the Kantar Materials, including all IPR therein. Kantar grants Client a worldwide, non-sublicenseable, non-transferable, royalty free license to Kantar Materials incorporated in the Deliverables, or otherwise necessary for Client to use the Qualitative Services and Deliverables solely for (i) internal purposes and not for publication or other distribution or communication to the public (unless expressly authorized in writing by Kantar); and (ii) solely for the purposes of the relevant project and in the manner envisaged by the SOW. All other rights in and to the Kantar Materials are expressly reserved.
6.3 Client shall, upon receipt by Kantar of full payment for the Qualitative Services and Deliverables under the applicable SOW, be the sole and exclusive owner of all right, title and interest in and to the Deliverables, including all IPR therein. Client shall be entitled to use the Deliverables for its bona fide and proper internal business purposes. Client shall not use any Deliverables for public relations, sales or marketing purposes in conjunction with Kantar’s name or brand without Kantar’s prior written authorization. Client shall not publish or disclose the Deliverables to any third parties in any manner which exaggerates, distorts or misrepresents the information or data provided by Kantar, or in a manner likely to harm Kantar’s reputation.
6.4 Client is not entitled to receive Respondent Data. In a study using certain Kantar products, in each case as determined by Kantar in its sole discretion, Client may be entitled to receive aggregated final results of the applicable study, subject to applicable privacy laws and any other limitations on use in this Agreement and may also receive qualitative conclusions that are determined from, derived from or based upon the aggregated Respondent Data in a manner that does not identify any particular individual. Any Personal Information (as defined in the DPS) in the Respondent Data is not the property of Kantar or Client.
6.5 Client agrees and acknowledges that it must inform Kantar in writing prior to the commencement of any work by Kantar, if Client intends to make any Public Statement. If, upon Completion, Client wishes to make a Public Statement, Client must present the Public Statement for Kantar’s review and written consent. If Client makes a Public Statement in breach of this Section 6.5, including study findings that are incorrect, distorted or incomplete, in Kantar’s reasonable opinion, Kantar shall have the right to make its own release of any or all study findings for clarification purposes, without being in breach of this Agreement.
6.6 The parties shall be entitled: (i) to list the other as its’ supplier or client in marketing/promotional material; or (ii) to share and use with panel partners and Respondents the other party’s name, trademarks, logos, or Materials solely to obtain consent for the use of Respondent Data, including Personal Information. Except for this right, neither party shall have the right to use the other party’s name, trademarks, logos, or slogans without obtaining the prior written consent of such party.
7.1 If a party receives or acquires Confidential Information directly or indirectly under this Agreement, it shall be referred to as the “Receiving Party”; if a party discloses Confidential Information under this Agreement it shall be referred to as the “Disclosing Party”. During and after the Term of this Agreement, the Receiving Party shall (i) hold the Disclosing Party’s Confidential Information in confidence using the same degree of care that it uses to protect its own Confidential Information (but in no event less than a reasonable degree of care), (ii) use the Disclosing Party’s Confidential Information solely in connection with performing its obligations hereunder, and (iii) not disclose or make available any of the Disclosing Party’s Confidential Information to any employee or other third-party without the prior written consent of the Disclosing Party except to a limited number of its employees, consultants, subcontractors and legal advisors who have a need to know the Disclosing Party’s Confidential Information in order to perform its obligations under this Agreement. Additionally, the Receiving Party may disclose the financial terms of this Agreement to its legal and business advisors and to potential investors provided such third parties agree to maintain the confidentiality of the Confidential Information. Each party shall ensure that any individual or entity receiving Confidential Information for or on behalf of the Receiving Party will be bound by terms at least as protective of the Disclosing Party’s Confidential Information as those contained in this Agreement. Receiving Party will notify the Disclosing Party promptly of any unauthorized use or disclosure of the Disclosing Party’s Confidential information and provide reasonable assistance to the Disclosing Party and its licensors in the investigation and prosecution of such unauthorized use or disclosure. Whenever requested by a Disclosing Party and in any event upon the expiration or termination of this Agreement, a Receiving Party shall immediately, at its own expense, return to the Disclosing Party all manifestations of the Disclosing Party’s Confidential (except: (i) as otherwise required by applicable law; (ii) if the return or destruction of such Confidential Information is not commercially reasonable or feasible; or (iii) in accordance with its internal document retention and back-up policies, in which case, the Receiving Party obligations in this Section 7 shall continue until such time as such Confidential Information is returned or securely destroyed) or at Disclosing Party’s option destroyed, at its own expense, all such Confidential Information as the Disclosing Party may designate and deliver to Disclosing Party a certification, in writing signed by an officer of the Receiving Party, that all such Confidential Information has been destroyed.
7.2 Receiving Party agrees to implement all appropriate technical and organizational security measures in order to protect Personal Information against accidental or unlawful destruction, against unauthorized or unlawful disclosure or access, and against accidental loss, alteration, or damage. The terms of the DPS shall govern the parties' obligations in relation to the treatment of Personal Information. In the event of an actual or threatened breach of these confidentiality provisions, the parties agree that the non-breaching party will have no adequate remedy at law and shall be entitled to seek immediate injunctive relief and any other equitable relief, without the necessity of posting a bond or showing actual monetary damages. The rights and obligations of the parties under this Agreement relating to Confidential Information shall expire 3 years after the effective date of expiration or termination; provided that with respect to Confidential Information that constitutes a trade secret under the laws of any jurisdiction, such rights and obligations will survive such expiration or termination until, if ever, such Confidential Information loses its trade secret protection other than due to an act or omission of the Receiving Party or its representatives.
8 Liability and Indemnity
8.1 Neither party will be liable to the other party (or to any person or entity claiming through the other party) for any special, incidental, indirect, consequential, exemplary or punitive damages or any lost profits arising out of or in any manner connected with this Agreement or the subject matter hereof, regardless of the form of action and whether or not such party has been informed of or otherwise might have anticipated the possibility of such damages. In no event shall Kantar’s aggregate liability arising out of or relating to this Agreement, regardless of the basis (including breach of contract, tort (including negligence) or otherwise), on which a party is entitled to claim damages from the other party exceed the cumulative amount of payments received or due to Kantar from Client under the relevant SOW in the 12 month period immediately preceding the date upon which the cause of action first arose. The limitations of liability set forth in this Agreement shall not apply to damages for any liability that cannot be limited by law.
8.2 If conclusions, findings, Deliverables or recommendations (“Conclusions”) are required of Kantar as part of the Qualitative Services, such Conclusions are solely and exclusively an opinion and are based on variable assumptions used in the field of market research and forecasting and are based on a controlled test environment. While Conclusions are the result of careful analysis and thorough work procedures, Conclusions constitute a single factor among many to be considered by Client. Conclusions are prepared for Client’s internal use only and Kantar expressly disclaims any liability for any use of or reliance on Conclusions by any third parties. In no event shall Kantar be liable to Client (or any third parties) for any damages whatsoever with respect to any Conclusions made by Kantar in relation to the Qualitative Services. Client hereby acknowledges that it shall be solely responsible for the consequences of any action taken by it based on Conclusions or the interpretation of such Conclusions.
8.3 Kantar shall indemnify, defend and hold harmless Client from and against any and all third party claims, lawsuits, actions, liabilities, and expenses (including taxes, fees, fines, penalties, interest, reasonable expenses of investigation and attorneys’ fees and disbursements) arising out of or in connection with: (i) any claim that the Qualitative Services and/or Deliverables, as provided by Kantar to Client, and Client’s authorized use of thereof infringes (whether directly, contributorily, by inducement or otherwise), misappropriates or violates a party’s or other entity’s IPR; or (ii) any breach of any obligation for which Kantar is responsible as employer of its employees.
8.4 Client shall indemnify, defend and hold harmless Kantar from and against any and all third party claims, lawsuits, actions, liabilities, and expenses (including taxes, fees, fines, penalties, interest, reasonable expenses of investigation and attorneys’ fees and disbursements) arising out of or in connection with: (i) any claim that the Client Data provided by Client to Kantar and Kantar’s authorized use thereof infringes (whether directly, contributorily, by inducement or otherwise), misappropriates or violates a party’s or other entity’s IPR; (ii) any breach of any obligation for which Client is responsible as employer of its employees; and (iii) any breach arising from Client’s, or its personnel’s, use of the Qualitative Services or Deliverables outside the scope of this Agreement or the applicable SOW.
8.5 Liability under this indemnity clause is conditional on the Indemnitee complying with this Section 8.5. If an indemnified party (“Indemnitee”) seeks indemnification under this Agreement, the Indemnitee shall (i) give prompt notice to the indemnifying party (“Indemnitor”) of a claim and the Indemnitor shall assume the defense of such claim; (ii) grant authority to Indemnitor to defend or settle any related action or claim and (iii) provide, at Indemnitor’s expense, such information, co-operation and assistance to Indemnitor as may be reasonably necessary for Indemnitor to defend or settle the claim or action. Indemnitee may participate, at its own expense, in any defense and settlement directly or through counsel of its choice. Indemnitor shall not, without the prior written consent of Indemnitee, enter into any settlement agreement on terms that would diminish the rights provided to the Indemnitee, or increase the obligations assumed by the Indemnitee, under this Agreement.
(A) The obligations outlined in Sections 5-9 shall survive termination or expiration of this Agreement. (B) Any material notice given hereunder shall be in writing by certified mail to the address(es) provided in the SOW, but standard consents and approvals may be requested and provided by email. (C) Except for any payment obligations, neither party shall be liable for failure to perform its obligations hereunder due to conditions beyond its reasonable control, including, but not limited to, fires, storms, riots, strikes, disease, shortages of materials, lock-outs, wars, floods, civil disturbances, terrorism, governmental control, restriction or prohibition whether local or national, network failures, labor disputes, cyber-attacks, and malicious acts of third parties. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. (D) The parties agree that they have not entered into this Agreement in reliance upon any statement, representation, covenant, warranty, undertaking or understanding of any person, except as expressly set out in herein. (E) If any provision of this Agreement is or becomes illegal, invalid or unenforceable, that shall not affect or impair the legality, validity or enforceability of any other provision of this Agreement. (F) This Agreement shall not be enforceable by any third party. (G) Each party shall be and act as an independent contractor and not as a partner, joint venture or agent of the other party. (H) New York law governs this Agreement, and in the event of a dispute, the parties agree to submit to the exclusive jurisdiction of state or federal courts located in New York County, New York. (I) Electronic execution of this Agreement shall be valid and binding. (J) The rights and remedies provided this Agreement are cumulative and shall be in addition to, not in lieu of, any other rights and remedies provided by law or in equity. (K) Neither party may assign or transfer this Agreement, in whole or in part, without the written consent of the other party, except to an: (i) Affiliate; (ii) a party’s successor pursuant to a merger, reorganization, consolidation or sale; or (iii) an entity that acquires all or substantially all of a party’s assets. If the assignment is made by either party to a competitor of the other party, then the non-assigning party may terminate this Agreement upon 30 days’ written notice to the assignee and the assignor. (L) If there is a conflict between the terms of this Agreement and the terms of a SOW, or an exhibit to this Agreement, the order of precedence is as follows: (i) Exhibit B; (ii) Exhibit A; and then (iii) any SOW. (M) No waiver by either party of any breach of any obligation of this Agreement by the other party shall be considered a waiver of any other obligation. (N) This Agreement constitutes the complete understanding of the parties and supersedes all prior or contemporaneous agreements, discussions, negotiations, promises, proposals, representations and understandings (whether written or oral) between the parties, with regard to the subject matter of this Agreement.
Data Processing Schedule
This Data Protection Schedule (“DPS”) forms part of the Agreement (the “Agreement”), between Kantar LLC and its Affiliates (“Kantar”) and Client (as defined in Exhibit A) and its Affiliates (“Client”). The parties acknowledge that they are entering into this DPS pursuant to the provisions of the Agreement. The parties further acknowledge and agree that the provisions of the Agreement shall apply to this DPS as though such provisions were set out in their entirety in this DPS and if the terms of this DPS and the Agreement conflict, the terms of this DPS shall take precedence. Capitalized terms not defined in this DPS shall have the meaning defined in the Agreement.
In this DPS, the following terms shall have the meanings set out below:
“CCPA” means California Consumer Privacy Act; and the terms “Business”, “Collecting”, “Consumer”, “Processing”, “Selling”, “Service Provider”, “Sharing”, “Third Party”, “Unique Identifier” shall have the same meaning as in the CCPA or equivalent term in any applicable Data Protection Laws
“Data Protection Laws” means all applicable laws and regulations, including but not limited to laws and regulations of the United States and the CCPA (“US”); the United Kingdom (“UK”); the European Union and the GDPR (“EU”), the European Economic Area (“EEA”) and their Member States and Switzerland, applicable to the Collecting, Processing, Selling of Personal Information under the Agreement;
“GDPR” means EU General Data Protection Regulation 2016/679 and the terms: “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning as in the GDPR or equivalent term in any applicable Data Protection Laws;
“Independent Auditor” means an auditor from PWC, Deloitte, KPMG or Ernst & Young or another mutually agreeable internationally recognized auditing firm;
“Personal Information” means any data or information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household; or as otherwise defined in any applicable Data Protection Laws;
“Sub-processor” means any third party appointed to Process Personal Information in connection with the Agreement.
2. APPOINTMENT OF SERVICE PROVIDER
The parties acknowledge and agree that for the purposes of this DPS and any applicable Agreement, where a party acts as a Service Provider with respect to Personal Information, and the other party acts as a Business that has the exclusive authority to determine the purposes and means of Processing of any Personal Information; Service Provider agrees it shall not Sell, Collect, retain, use, disclose or otherwise Process Personal Information other than for the purposes of performing the Services, obligations or actions for the benefit of Business that are specified in any Agreement or outside of the direct business relationship between Service Provider and Business; Service Provider certifies that it understands the obligations and restrictions placed on it as a Service Provider under any applicable Data Protection Laws.
3. COLLECTING, PROCESSING OR SELLING OF PERSONAL INFORMATION
3.1 Compliance with applicable Data Protection Laws. The parties acknowledge and agree that when Collecting, Selling or Processing Personal Information they will comply with their respective obligations under the applicable Data Protection Laws.
4. RIGHTS OF CONSUMERS AND DATA SUBJECTS
4.1 Consumer Request. The parties, shall, to the extent legally permitted, promptly notify the other party (and provide reasonable assistance to the other party where required) if it receives a request from a Consumer to exercise any right of: access; rectification; restriction or prohibition of Collecting, Processing or Selling; erasure/deletion; data portability, object to the Collecting, Processing, Selling, equal service and price; or not to be subject to an automated individual decision making; regarding Consumer’s Personal information (“DSAR”) or any other query received by one Party regarding the privacy practices of the other Party.
4.2 Assistance. Each party shall assist the other party by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of that party’s obligation to respond to a DSAR under Data Protection Laws. If a party, in performing its obligations under the Agreement, does not have the ability to address a DSAR, the other party shall upon request provide commercially reasonable efforts to assist that party in responding to such DSAR, if that party is legally permitted to do so and the response to such DSAR is required under Data Protection Laws. To the extent legally permitted, each party shall be responsible for its own costs arising from the provision of such assistance.
5.1 Confidentiality. The parties shall ensure that its personnel engaged in the Collecting, Processing or Selling of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
5.2 Reliability. The parties shall take commercially reasonable steps to ensure the reliability of any personnel engaged in the Collecting, Processing or Selling of Personal Information.
5.3 Limitation of Access. The parties shall ensure that access to Personal Information is limited to those personnel performing or using Services in accordance with the Agreement.
5.4 Data Protection Officer. To the extent required by Data Protection Laws, Kantar has appointed a Data Protection Officer, who is contactable at firstname.lastname@example.org
A party processing the other party’s Personal Information must seek the written consent of the other party if it wishes to appoint Sub-processors in accordance with this Section 8. The party appointing a Sub-processor will have entered or will enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this Agreement with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such Sub-processor.
7.1 Controls for the Protection of Personal Information. The parties shall maintain appropriate technical and organizational measures designed to protect the security (including protection against unauthorized or unlawful Collecting. Processing or Selling and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Personal Information), confidentiality and integrity of Personal Information. The parties shall regularly monitor compliance with these measures.
7.2 Audit. The parties shall reasonably cooperate with each other in relation to any audit requests required by Data Protection Laws. Any such audit shall be subject to the confidentiality obligations set forth in the Agreement. Information and audit rights under this Section 7.2 arise only to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR). The parties shall on request appoint an Independent Auditor, with such access, on reasonable written notice (minimum thirty (30) calendar days) and within normal working hours, to those records pertaining to Personal Information as may be reasonably required by the Providing Party to exercise its rights of audit as set out in this Section 7.2. Providing Party accepts that certain sensitive information in relation to IT and security will be redacted before being audited and may only be audited at the other Party’s premises. With the Receiving Party’s agreement, this audit may cover documents only or may include an onsite audit, subject to Providing Party notifying the Receiving Party of the identity of any onsite Independent Auditors and that any Independent Auditors have entered into appropriate confidentiality agreements, approved by the Receiving Party (such approval not to be unreasonably withheld or delayed). Providing Party shall use reasonable endeavours to minimize any disruption caused to the Receiving Party’s business activities because of such audit. No audit shall last more than five (5) working days each time unless a longer period is required to fulfil any request or comply with any requirement of any regulator. Audits shall take place no more than once in any calendar year unless and to the extent that the Providing Party (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPS by the Receiving Party, in which case the parties will agree a timescale for an audit. Costs of the audit, including appointment of the Independent Auditor, will be borne by Providing Party. Receiving Party shall be entitled to reasonable time to review and retain any audit report and to consult the Independent Auditor on the content, prior to the report being submitted to Providing Party. All confidential information of the Receiving Party obtained by Providing Party or an Independent Auditor pursuant to any audit shall be maintained in confidence by Providing Party and its Independent Auditor and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Providing Party, except to the extent necessary to assert or enforce any of Providing Party’s rights under this DPS or is required to be disclosed by Data Protection Laws, by any regulatory or Supervisory Authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives Receiving Party as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this section, it takes into account the reasonable requests of Receiving Party in relation to the content of this disclosure. Neither the Independent Auditor or Providing Party shall be permitted to perform penetration tests, vulnerability scans, or otherwise interrogate the other Party’s network or information technology systems. In no circumstances shall Providing Party or the Independent Auditor have access to (a) individual payroll and personnel files; (b) individual expenditure or records.
8. DATA INCIDENT MANAGEMENT AND NOTIFICATION
Both parties will maintain security incident management policies and procedures and shall notify the other party without undue delay and in line with the timelines required by applicable Data Protection Laws after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the other Party’s Personal Information, transmitted, stored or otherwise Processed by them or its Sub-processors which results in any actual loss or misuse of Personal Information (a “Data Incident”). The responsible party shall make reasonable efforts to identify the cause of such Data Incident and take those steps as the other party deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within that party’s reasonable control. The parties shall have no liability to each other for costs arising from a Data Incident unless caused solely by a breach of their respective security obligations under this Section 8. If there is a Data Incident, Providing Party shall be responsible for notifying Consumers and any relevant regulatory or Supervisory Authorities. Before any such notification is made, Providing Party shall consult with and provide Receiving Party an opportunity to comment on any notification made in connection with a Data Incident.
9. RETURN AND DELETION OF DATA
Receiving Party shall, at any time on the request of Providing Party and upon expiration or termination of the Agreement, return all Personal information to Providing Party or at Providing Party’s request delete the same from its systems, so far as is reasonably practicable and other than any back-up copies which the Parties are required to retain for compliance with applicable laws or regulatory requirements provided that such copies are kept confidential and secure in accordance with the Agreement; and instruct their relevant employees, consultants, subcontractors, Sub-processors and legal advisors to do the same.
10. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to a breach of its obligations under this DPS, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement.
11. DATA PROTECTION IMPACT ASSESSMENT
Upon Providing Party’s request, the Receiving Party shall provide Providing Party with reasonable cooperation and assistance, at Providing Party’s cost, needed to fulfil their obligation under Data Protection Laws to carry out a data protection impact assessment related to Providing Party’s use or performance of the Services, to the extent Providing Party does not otherwise have access to the relevant information, and to the extent such information is available to the other Party. Receiving Party shall provide reasonable assistance to Providing Party in the cooperation or prior consultation with the regulator or Supervisory Authority in the performance of its tasks relating to this Section 11, to the extent required under Data Protection Laws.
12. TRANSFER MECHANISMS FOR DATA TRANSFERSIf in the future, there are any transfers of Personal Data under this DPS from the European Union, the European Economic Area and/or their Member States, Switzerland or the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws, then the Parties shall execute the Standard Contractual Clauses and append them to this DPS.