Data Processing Agreement

1. • Background

   1.1 The Parties agree that this Data Processing Agreement (“Agreement”) sets forth their obligations with respect to the processing of personal data in connection with the provision of Data Services (defined in section 3.2, below). This Agreement is incorporated by reference into the Master Subscription Agreement made between the Parties.

   • Definitions

   2.1 Any capitalized terms used but not defined in this Agreement shall have the meaning set forth in the Master Subscription Agreement.

   2.2 In this Agreement, the following terms shall have the following meanings:

   2.2.1  “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;

   2.2.2 “Applicable Data Protection Law” shall mean all laws applicable (in whole or part) to a Party’s processing of personal data under or in connection with this Agreement, including without limitation, as applicable, EU Data Protection Law, UK Data Protection Law, the Swiss Federal Data Protection Act and its corresponding ordinances (“Swiss DPA“) and US Privacy Laws, in each case, as enacted, amended or superseded from time to time;

   2.2.3 “Business” shall have the meaning given to it in the CCPA;

   2.2.4 “EU Data Protection Law” means: (i) all EU regulations or other legislation applicable to the processing of personal data under this Agreement (such as Regulation (EU) 2016/679)(the “GDPR”); (ii) the national laws of each EEA member state implementing any EU directive applicable to the processing of personal data under this Agreement (such as Directive 2002/58/EC (the “e-Privacy Directive”); and (iii) any other national laws of each EEA member state applicable to the processing of personal data under this Agreement;

   2.2.5 “Fusion Product(s)” means the output(s) created by the TelmarHelixa Services and/or Helixa Discover Services through the process of fusing data from two or more separate Datasets to create insights for Customers;

   2.2.6 “Helixa Discover Services” means the services, professional services and/or support provided under TelmarHelixa branding and in relation to the Helixa Discover platform that enable a Customer to research and better understand their market, audience segments, and to create better strategies on how to market to their prospective customers;

   2.2.7 “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the DPA 2018; and (iii) where Swiss DPA applies, a transfer of Data from Switzerland to any other country which is not based on an adequacy decision recognized under the Swiss DPA;

   2.2.8 “Service Provider” shall have the meaning given to it in the CCPA;

   2.2.9 “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum“); and (iii) where the Swiss DPA applies, the EU SCC’s with the Swiss additions (“Swiss SCCs“);

   2.2.10 “TelmarHelixa Services” means TelmarHelixa branded services, professional services and/or support provided under the TelmarHelixa branding and in relation to the TelmarHelixa platform that enable a Customer to analyse Datasets for the purposes of media planning;

   2.2.11 “UK Data Protection Law” means: (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the Data Protection Act 2018 (the “DPA 2018”); (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 (“PECR”); and (iv) any other laws in force in the UK from time to time applicable to the processing of personal data under this Agreement; and

   2.2.12 “US Privacy Laws“ means the: (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, as well as any regulations that may be issued thereunder (collectively, “CCPA“); and, where applicable, (ii) the Virginia Consumer Data Protection Act (“CDPA“); (iii) the Colorado Privacy Act (“CPA“) when effective; (iv) the Utah Consumer Privacy Act when effective (“UCPA”); (v) the Connecticut Data Privacy Act (“CTDPA“) when effective; in each case, only to the extent that such law(s) apply to the processing of personal Data under this Agreement; and (vi) any other laws in force in the US from time to time applicable to the processing of personal data under this Agreement.

   • Relationship of the Parties

   3.1 The Parties acknowledge and agree that, pursuant to the Master Subscription Agreement (including this Agreement), Telmar may either: 

   (i) act as a processor when Telmar receives or otherwise collects Datasets as described in the Master Subscription Agreement for processing by Telmar; or 

   (ii) act as a controller when Customer subscribes to: (a) Fusion Product(s); (b) Helixa Discover Services, whereby Telmar independently collects information from third party sources (such as social media platforms) to provide Customer with audience measurement services. 

   3.2 By using the TelmarHelixa Services, the Helixa Discover Services, the Fusion Product(s) and associated Professional Services and/or Support, as further described in the relevant Order (collectively, “Data Services”), the Customer will either:

   3.2.1 share a Customer Dataset with Telmar for the purposes of enabling Telmar to provide the Data Services to the Customer; and/or

   3.2.2 require Telmar to enable access to, use and/or store a Third Party Dataset for the purposes of enabling Telmar to provide the Data Services to the Customer.

   3.3 The Customer will also provide Telmar with information about its Users and/or employees, for the purposes of enabling those Users to access and use the Data Services and for other general contract management and commercial relationship purposes.

   3.4 The Customer acknowledges that by engaging and requiring Telmar to provide the Data Services, the information that is made available to Telmar by the Customer (either directly or indirectly) under the Master Subscription Agreement (or that information in conjunction with other information regarding individuals) may constitute ‘personal data’ (or ‘personal information’) under Applicable Data Protection Law.

   3.5 Where Telmar is a controller of such personal data (for example, in relation to Customer User contact details and passwords, as well as contact details for Customer employees with whom Telmar communicates in order to provide the Customer with the Data Services or for general business management purposes) (“Ancillary Data”), Telmar shall use the Ancillary Data in the manner set out in its Privacy Policy. Customer agrees that it shall make the relevant Users and employees aware of Telmar’s Privacy Policy.

   3.6 Where Telmar is the processor of such personal data, section 4 of this Agreement shall apply.

   3.7 Customer warrants, represents and agrees that:

   3.7.1 it has all rights, permissions and consents required by law or contract to enable Telmar to access and use the Data (as defined below) in order for Telmar to provide the Data Services to the Customer under the Master Subscription Agreement; and

   3.7.2 it has satisfied the requirements of Applicable Data Protection Law in relation to any Third Party Datasets that it makes available to Telmar (or that it otherwise requires Telmar to access or use) under the Master Subscription Agreement, including but not limited to having appropriate data processing terms in place with such Third Parties in respect of Third Party Datasets.

   3.7.3 Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.

   • Telmar as Processor

   4.1 Customer (the controller) appoints Telmar as a processor to process the personal data described in this Agreement (the “Data”) for the purposes of providing the Data Services (and as further described in Annex A to this Agreement or as otherwise agreed in writing by the Parties), (the “Permitted Purpose”). If Telmar becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.

   4.2 Telmar shall act solely as a Service Provider with respect to any Data received from Customer. The Parties acknowledge and agree that Customer is providing the Data to Telmar to enable Telmar’s performance of the TelmarHelixa Services in accordance with the Permitted Purpose as described in the Master Subscription Agreement, and that Data is not exchanged for monetary or other valuable consideration.

   4.3 Limitations on processing: Without limiting any of the foregoing, Data shall be used only in the manner contemplated in the Master Subscription Agreement and this Agreement, as well as Applicable Data Protection Law. 

   4.3.1 Except as set forth in the Agreement or as otherwise necessary to perform the Permitted Purposes, Telmar shall not:

   4.3.1.1 retain, sell, use or disclose Data for any purpose other than for the specific purpose of performing the services and the Permitted Purpose for which Customer has engaged Telmar;

   4.3.1.2 retain, use or disclose any Data outside of the direct business relationship between the Customer and Telmar;

   4.3.1.3 “sell” any Data within the meaning of the US Privacy Laws, or otherwise share or communicate Data to any third party for monetary or other valuable consideration;

   4.3.1.4 share Data for targeted and/or cross-context behavioural advertising or targeted advertising, unless in accordance with the requirements under US Privacy Laws; or

   4.3.1.5 combine Data with any other data if and to the extent this would be inconsistent with the limitations on processors / service providers under US Privacy Laws or other Applicable Data Protection Law. 

   4.3.2 Notwithstanding anything to the contrary, Telmar may aggregate, de-identify, or anonymize Data, so it no longer meets the definition of personal information under the CCPA or Applicable Data Protection  Law, and may use such aggregated, de-identified, or anonymized data for its own purposes. Telmar will not attempt to or re-identify any previously aggregated, de-identified, or anonymized data. For the avoidance of doubt, to the extent permitted by the CCPA and Applicable Data Protection Law, Telmar may use Data to detect data security incidents or protect against fraudulent or illegal activity, or improve its services. To the extent required by Applicable Data Protection Law, this section constitutes Telmar’s certification to the processing restrictions herein.

   4.3.3 Customer may take reasonable and appropriate steps to ensure that Telmar processes Data in a manner consistent with Customer’s obligations under the CCPA and Applicable Data Protection Law.

   4.3.4 Telmar shall notify Customer promptly after Telmar makes a determination that it can no longer meet its obligations under Applicable Data Protection Law. Customer may, upon notice, take reasonable and appropriate steps to stop and remediate the unauthorised processing of Data.

   4.4 International transfers: Telmar shall not transfer the Data outside of the European Economic Area (“EEA”) or the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Customer acknowledges and agrees that Telmar may transfer the Data to its Affiliates under the Telmar intra-group data transfer agreement or its sub-processors under a data processing agreement, which incorporates the applicable standard contractual clauses as approved by the European Commission or UK Information Commissioner’s Office (as appropriate).

   4.4.1 GDPR (Controller to Processor / Processor to Sub-processor): where Telmar is a processor (or sub-processor) of personal data protected by the GDPR, the EU SCCs will apply completed as follows: 

   (i) Module Two will apply to the extent that Customer is a controller of the Data, and Module Three will apply to the extent that Customer is a processor of the Data on behalf of a third party controller; 

   (ii) in Clause 7, the optional docking clause will apply; 

   (iii) in Clause 9, Option 1 will apply, and the time period for prior notice of Sub-processor changes shall be as set out below in Clause 4.7 of this Agreement; 

   (iv) in Clause 11, the optional language will not apply; 

   (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; 

   (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; 

   (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and

   (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement.

   4.4.2 UK Data Protection Law: where Telmar is a processor (or sub-processor) of personal data protected by UK Data Protection Law, the UK Addendum will apply as follows: 

   (i) the EU SCCs, completed as set out above in Clause 4.4.1 of this Agreement shall apply to transfers of such Data; 

   (ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above;  

   (iii) the option “neither party” shall be deemed checked in Table 4; and

   (iv) the start date of the UK Addendum (as set out in Table 1) shall be the date of this Agreement. 

   4.4.3 Swiss DPA: where Telmar is a processor (or sub-processor) of personal data protected by the Swiss DPA, the EU SCCs as implemented in accordance with Clause 4.4.1 above will apply provided that: 

   (i) references in the EU SCCs to “Regulation (EU) 2016/679” or the “GDPR” shall be interpreted as references to the Swiss DPA; 

   (ii) references to “EU”, “Union” and “Member State law” shall be interpreted as references to Switzerland and to Swiss law, as the case may be; 

   (iii) the term ’member state’ shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); 

   (iv) the EU SCCs should be interpreted as protecting the data of legal entities until the entry into force of the revised Swiss DPA; 

   (v) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and competent courts in Switzerland; and

   (vi) if the Restricted Transfer is subject to both the Swiss DPA and the GDPR, then a parallel supervision takes place: FDPIC, insofar as the data Restricted Transfer is governed by the Swiss DPA; and the competent EU supervisory authority insofar as the Restricted Transfer is governed by the GDPR. 

   4.5 Confidentiality of processing: Telmar shall ensure that any person it authorizes to process the Data (an “Authorised Person”) shall protect the Data in accordance with Telmar’s confidentiality obligations under the Master Subscription Agreement.

   4.6 Security: The processor shall implement technical and organisational measures as set out in the Master Subscription Agreement to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).

   4.7 Subcontracting: Customer consents to Telmar engaging Third Party subprocessors to process the Data for the Permitted Purpose provided that: (i) Telmar maintains an up-to-date list of its subprocessors at telmar.com/telmarsubprocessors, which it shall update with details of any change in subprocessors at least thirty (30) days’ prior to any such change; (ii) Telmar imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Telmar remains liable for any breach of this section 4 that is caused by an act, error or omission of its subprocessor. Customer may object to Telmar’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Telmar will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Master Subscription Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

   4.8 Cooperation and data subjects’ rights: Telmar shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to (i) meet its obligations under Applicable Data Protection Laws and in particular to respond to any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other Third Party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Telmar concerning Telmar’s processor activities under this Agreement, Telmar shall promptly inform Customer providing full details of the same. Telmar hereby certifies that it understands and will comply with the restrictions and obligations contained in this Agreement. To the extent required by Applicable Data Protection Law, this section constitutes Telmar’s certification to the processing restrictions herein.

   4.9 Data Protection Impact Assessment: Telmar shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

   4.10 Security Incidents: If it becomes aware of a confirmed Security Incident, Telmar shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Telmar shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.

   4.11 Deletion or return of Data: Upon termination or expiry of this Agreement, Telmar shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Telmar is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Telmar shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible. For the avoidance of doubt, this requirement also does not apply where Telmar has been instructed to provide Data Services via API (in contrast to where Telmar hosts and stores the relevant Dataset on its own servers), as in such case Telmar will have no access to the underlying Data once that Data Service has been terminated or expired.

   4.12 Audit: To the extent required by Applicable Data Protection Law, Telmar shall permit Customer (or its appointed Third Party auditors) to audit Telmar’s compliance with this section 4, and shall make available to Customer all information, systems and staff reasonably necessary for Customer (or its Third Party auditors) to conduct such audit. In such case, Telmar acknowledges that Customer (or its Third Party auditors) may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Telmar’s operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except: (i) if and when required by instruction of a competent data protection authority; or (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by Telmar.

   • Telmar as Controller

   5.1 The controller-to-controller terms set forth in this Clause 5 will apply only in connection with Customer’s use of  any of the following: the Helixa Discover Services; Fusion Product(s) and Telmar’s processing of personal data in connection therewith (the “Controller Services”).

   5.2 Where Customer subscribes to the Controller Services, then Customer and Telmar are independent controllers with regard to the data of the Controller Services to the extent they contain any personal data. The Parties acknowledge and agree that, in connection with the processing of personal data for Controller Services, each Party: (a) is an independent controller of the personal data under Applicable Data Protection Law; (b) will individually determine the purposes  and means of its processing of personal data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the personal data.

   5.3 Business Purpose: Customer will disclose to Telmar the personal data described in the Master Subscription Agreement (or relevant Form) for the relevant Controller Services, for processing as a controller for the purposes described in the Master Subscription Agreement applicable to the relevant Controller Services to which Customer subscribes (the “Business Purpose“).

   5.4 Limitations on processing: Without limiting any of the foregoing, data processed in connection with the Controller Services (“Controller Data“) shall be used only in the manner contemplated in the Master Subscription Agreement and this Agreement, as well as Applicable Data Protection Law. 

   5.4.1 Except as set forth in the Agreement or as otherwise necessary to perform the Permitted Purposes (as set out in Annex B), Telmar shall not:

   5.4.1.1 retain, sell, use or disclose Controller Data for any purpose other than for the specific purpose of performing the services and the Business Purpose for which Customer has engaged Telmar;

   5.4.1.2 retain, use or disclose any Controller Data outside of the direct business relationship between the Customer and Telmar;

   5.4.1.3 “sell” any Controller Data within the meaning of the US Privacy Laws, or otherwise share or communicate Helixa Discover Data to any third party for monetary or other valuable consideration;

   5.4.1.4 share Controller Data for targeted and/or cross-context behavioural advertising or targeted advertising, unless in accordance with the requirements under US Privacy Laws; or

   5.4.1.5 combine Controller Data with any other data if and to the extent this would be inconsistent with US Privacy Laws or other Applicable Data Protection Law. 

   5.4.2 Notwithstanding anything to the contrary, Telmar may aggregate, de-identify, or anonymize Controller Data, so it no longer meets the definition of personal information under the CCPA or US Privacy Laws, and may use such aggregated, de-identified, or anonymized data for its own purposes. Telmar will not attempt to or re-identify any previously aggregated, de-identified, or anonymized data. For the avoidance of doubt, to the extent permitted by the CCPA and US Privacy Laws, Telmar may use Controller Data to detect data security incidents or protect against fraudulent or illegal activity, or improve its services. To the extent required by Applicable Data Protection Law, this section constitutes Telmar’s certification to the processing restrictions herein.

   5.4.3 Customer may take reasonable and appropriate steps to ensure that Telmar processes Controller Data in a manner consistent with Customer’s obligations under the CCPA and Applicable Data Protection Law.

   5.4.4 Telmar shall notify Customer promptly after Telmar makes a determination that it can no longer meet its obligations under Applicable Data Protection Law. Customer may, upon notice, take reasonable and appropriate steps to stop and remediate the unauthorised processing of Controller Data.

   5.5 International transfers: Telmar shall not transfer Controller Data outside of the EEA or the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Customer acknowledges and agrees that Telmar may transfer Controller Data to its Affiliates under the Telmar intra-group data transfer agreement or its sub-processors under a data processing agreement, which incorporates the applicable standard contractual clauses as approved by the European Commission or UK Information Commissioner’s Office (as appropriate).

   5.5.1 EU GDPR (Controller to Controller): where Customer has requested Controller Services, Telmar is a controller and the EU SCCs will apply in relation to personal data protected by the GDPR as follows: 

   (i) Module One will apply; 

   (ii) in Clause 7, the optional docking clause will apply; 

   (iii) in Clause 11, the optional language will not apply; 

   (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; 

   (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; 

   (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement; 

   (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement;

   5.5.2 UK Data Protection Law: where Customer has requested Controller Services, Telmar is a controller of personal data protected by UK Data Protection Law and the UK Addendum will apply as follows: 

   (i) the EU SCCs, completed as set out above in Clause 5.5.1 of this Agreement shall apply to transfers of such Data; 

   (ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above;  

   (iii) the option “neither party” shall be deemed checked in Table 4; and

   (iv) the start date of the UK Addendum (as set out in Table 1) shall be the date of this Agreement. 

   5.5.3 Swiss DPA:  where Customer has requested Controller Services, Telmar is a controller of personal data protected by the Swiss DPA and the EU SCCs as implemented in accordance with Clause 5.5.1 above will apply as follows: 

   (i) references in the EU SCCs to “Regulation (EU) 2016/679” or the “GDPR” shall be interpreted as references to the Swiss DPA; 

   (ii) references to “EU”, “Union” and “Member State law” shall be interpreted as references to Switzerland and to Swiss law, as the case may be; 

   (iii) the term ’member state’ shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); 

   (iv) the EU SCCs should be interpreted as protecting the data of legal entities until the entry into force of the revised Swiss DPA; 

   (v) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and competent courts in Switzerland; and

   (vi) if the Restricted Transfer is subject to both the Swiss DPA and the GDPR, then a parallel supervision takes place: FDPIC, insofar as the data Restricted Transfer is governed by the Swiss DPA; and the competent EU supervisory authority insofar as the Restricted Transfer is governed by the GDPR. 

   5.6 Confidentiality of processing: Telmar shall ensure that any Authorised Person shall protect the Controller Data in accordance with Telmar’s confidentiality obligations under the Master Subscription Agreement.

   5.7 Security: Telmar shall implement technical and organisational measures as set out in the Master Subscription Agreement to protect the Controller Data from a Security Incident.

   5.8 Cooperation and data subjects’ rights: Taking into account the nature of Telmar’s processing of data, Telmar shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to: (i) meet its obligations under Applicable Data Protection Laws and in particular in relation to a data subject’s request to exercise its rights under Applicable Data Protection Law; and (ii) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other Third Party in connection with the processing of the data. 

   5.9 Data Protection Impact Assessment: Telmar shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

   5.10 Security Incidents: If it becomes aware of a confirmed Security Incident, Telmar shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer. Telmar will  fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Customer shall promptly take any reasonably necessary measures and provide Telmar with reasonable assistance in order that Telmar can fulfil its obligations.

   • Other

   6.1 Either Party may propose to amend this Agreement if the change:

   6.1.1 reflects a change in the name or form of a legal entity; and/or

   6.1.2 is required to comply with applicable law, applicable regulation, a court order or binding guidance issued by a governmental regulator or agency (each, a “Trigger Event“). In such a case, the Parties (acting reasonably) shall work together to agree amendments to this Agreement as required to satisfy the changes imposed by the Trigger Event.

   6.1.3 Notwithstanding anything to the contrary, Telmar may amend this Agreement as long as the change does not expand the scope of, or remove any restrictions on, Telmar’s processing of Data or otherwise have a material adverse impact on Customer’s rights under this Agreement, as reasonably determined by Telmar.

   6.1.4 If Telmar intends to amend this Agreement in accordance with this section 6, Telmar shall inform Customer in writing at least thirty (30) days (or such shorter period as may be required to comply with applicable law, regulation, court order or guidance issued by a relevant regulator or agency) before the change will take effect by email and/or by posting a notification on the Telmar Platform Page. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Telmar within ninety (90) days of being informed by Telmar of the proposed change.

   Annex A

   Data Processing Description

   This Annex A forms part of the Agreement and describes the processing that Telmar will perform pursuant to the Master Subscription Agreement.

   1. Where Telmar Acts as Processor

   This section applies when the following EU SCC Modules are applicable:

   • MODULE TWO: Transfer Controller to Processor
   • MODULE THREE: Transfer Processor to Sub-processor

   Controller

   The controller is (please specify briefly the controller’s activities relevant to the processing):

   Customer who has signed the Master Subscription Agreement with Telmar for Data Services (either acting solely on its own behalf or on behalf of any Customer Affiliate, as permitted under a relevant Order).

   Processor

   The processor is (please specify briefly the processor’s activities relevant to the processing):

   The non-UK or non-EU Telmar Group entity (with the Telmar Group Entities set out in section 17 of the Privacy Policy) or where applicable, the Telmar entity which has signed the Master Subscription Agreement and is entering into these SCC Modules on their behalf. Telmar is a provider of media planning and analytics services. Telmar processes the personal data on behalf of and according to the instructions of the controller.

   Categories of data subjects whose personal data is transferred 

   The personal data to be processed concern the following categories of data subjects (please specify):

   Individuals who have participated in surveys carried out by Customer (or Third Parties), or whose information is otherwise held by Customer (or a Third Party) and made available to Telmar for the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets; however, the categories of data subjects are determined by the controller under the Order.

   Categories of personal data transferred

   The personal data to be processed concern the following categories of data (please specify):

   Anything that has been collected by Customer or Third Parties (typically survey responses) and which is shared with or otherwise made available to Telmar for the purposes of the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets; however, the categories of data are determined by the controller under the Order.

   Special categories of data

   The personal data to be processed concern the following special categories of data (please specify):

   Anything that has been collected by Customer or Third Parties (typically survey responses) and which is shared with or otherwise made available to Telmar for the purposes of the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets. Customer would not typically instruct Telmar to draw insights or conclusions based on special category data types; however, the categories of data are determined by the controller under the Order.

   The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

   Continuous basis during the term of the Master Subscription Agreement. 

   Nature of the processing operations

   The personal data will be subject to the following basic processing activities (please specify):

   Telmar will process the personal data in order to provide the Data Services, namely to analyse the Datasets provided (or made available) to Telmar by the Customer in accordance with the Customer’s instructions. In particular, Telmar provides media planning tools to enable Customer to plan its advertising campaigns by evaluating and analysing Datasets. Telmar’s specific instructions will be as set out in an Order and may include being instructed to analyse responses from multiple Datasets (noting that, in such case, the Datasets will not be co-mingled, but that Telmar will instead be instructed to draw insights from separate Datasets and then report a combined insight to the Customer, in line with Customer’s instructions). Telmar is also instructed to aggregate and anonymise the Data as required to produce non-personal data that Telmar can use to provide support to Customer and for generic product development purposes.

   Purpose(s) of the data transfer and further processing

   Data importer may process personal data in accordance with the purposes set out in the Master Subscription Agreement and the Agreement, and to provide its services to the data exporter.

   The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

   The duration of the processing is limited to the duration needed to perform data importer’s obligations under the Master Subscription Agreement unless a legal obligation applies. The obligations of the data importer with regard to the personal data processing shall in any case continue until the personal data have been properly deleted or have been returned at the request of the data exporter.

   For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

   In performing its services, data importer will use computing and personnel resources from its employees, affiliates and sub-processors in the United States and the European Economic Area for the duration needed to perform its obligations under the Master Subscription Agreement.

   Competent Supervisory Authority

   As per the criteria set out in Clause 13(a) of the EU SCCs.  

   1. Where Telmar Acts as Controller

   This section applies when the following EU SCC Modules are applicable:

   • MODULE ONE: Transfer controller to controller.

   
   Parties to the Agreement:

   • Controller 1

   Customer who has signed the Master Subscription Agreement with Telmar for Controller Services (either acting solely on its own behalf or on behalf of any Customer Affiliate, as permitted under a relevant Order).

   • Controller 2 

   The non-UK or non-EU Telmar Group entity (with the Telmar Group Entities set out in section 17 of the Privacy Policy) or where applicable, the Telmar entity which has signed the Master Subscription Agreement and is entering into these SCC Modules on their behalf. Telmar is a provider of media planning and analytics services. The Helixa Discover platform enables clients to create aggregated audience personas and audience segments for the purpose of strategic product and marketing planning.

   Categories of data subjects whose personal data is transferred 

   The personal data to be processed concern the following categories of data subjects (please specify):

   The Helixa Discover platform uses Datasets licensed from social media providers, such as X, formerly Twitter (i.e. IDs and handles, as well as a list of recent behaviours) and others that make zero-party user data available from App usage (e.g. searches, purchases, browsing and media consumption). Helixa Discover may also use publicly available data for the purposes of enhancing its Services.

   Specifically, Helixa Discover transforms users’ interactions into affinity groups and audience segments: Helixa Discover looks at user interactions (such as tweets, likes, follows, retweets, searches, browsing, purchasing or other publicly available data) in order to understand the propensity of audience’s interests, as well as the scale and reach of influence that a brand or personality has on its audience. Helixa Discover may transform other Datasets in the same manner. The Helixa Discover platform does not provide X, formerly Twitter (or other provider’s) user’s contributed content to customers. All interactions / activities are transformed by our algorithms and always only provided in aggregated format. 

   Helixa Discover may overlay the Datasets (such as X, formerly Twitter and/or other provider’s) with other data sources, without formally combining the data tables.

   Helixa Discover may also create insights for Customers by merging relevant selected data in a Dataset. In terms of Helixa Discover activities to create the insights by merging data, Telmar determines what data to look at (the user interactions) in the Datasets, including the weight and scale allocated to each data point, to create the “fusion” insight on users’ affinities.

   These data resources may contain anonymized respondent IDs (e.g. ‘respondent 123’, with their answers associated with the relevant ID). While Telmar does not know who the respondent is, or have the ability to identify the individual, the provider of the data may nevertheless be able to identify the individual.

   Categories of personal data transferred

   The personal data to be processed concern the following categories of data (please specify):

   Any user interaction, including tweets, likes, follows, retweets, searching, purchasing, browsing, media consumption, on publicly available third party platforms (such as social media and media platforms and marketplaces).

   Special categories of data

   The personal data to be processed concern the following special categories of data (please specify):

   Anything that is posted online by a data subject on publicly available third party platforms (such as social media platforms) may be collected. It is not expected that special categories of data may be collected, however there is a possibility that a data subject may choose to make such data publicly available on, for example in their social media handle or in the content of a tweet. While “real world” identifiers are not expected to be collected, a data subject may also choose to disclose their identity, for example in their social media handle or in the content of a tweet.

   The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

   Continuous basis during the term of the Master Subscription Agreement. 

   Nature of the processing operations

   The personal data will be subject to the following basic processing activities (please specify):

   Telmar will process the personal data in order to provide Controller Services, namely to analyse users’ interactions on publicly available third party platforms (such as social media and media platforms and/or marketplaces) in order to determine affinity groups and audience segments. Specifically, the Controller Services would consist in looking at user interactions (such as tweets, likes, follows, retweets, searches, purchases, browsing, media consumption) to understand the interest graph of audiences, as well as the scale and reach of influence that a brand or personality has on its audience. 

   The Controller Services do not provide user’s contributed content to its customers (such as from tweets or transactions): all interactions / activities are transformed and are always provided to customers only in an aggregated format.

   Purpose(s) of the data transfer and further processing

   Data importer may process personal data in accordance with the purposes set out in the Master Subscription Agreement and the Agreement, and to provide its services to the data exporter. Specifically, the Controller Services enable customers to run queries and k-means segmentations to understand audiences (i.e. what drives customers and learn what delights them). Customers receive aggregated and de-identified research insights into their audience in the form of ranked tables, charts and graphs.

   The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

   The duration of the processing is limited to the duration needed to perform data importer’s obligations under the Master Subscription Agreement unless a legal obligation applies. The obligations of the data importer with regard to the personal data processing shall in any case continue until the personal data have been properly deleted or have been returned at the request of the data exporter.

   For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

   In performing its services, data importer will use computing and personnel resources from its employees, affiliates and sub-processors in the United States and the EEA for the duration needed to perform its obligations under the Master Subscription Agreement.

   Competent Supervisory Authority

   As per the criteria set out in Clause 13(a) of the EU SCCs. 

   Annex B

   Technical And Organisational Measures to Ensure the Security of Data Processed

   Data importer will implement and maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of personal data uploaded to the Services, as set out in the Master Subscription Agreement.