DATA PROCESSOR APPENDIX
This Appendix is made between you (the "Customer") and Spotify AB, and shall apply if and to the extent Spotify collects or otherwise processes Personal Data on behalf of the Customer in connection with the performance of its obligations under the Agreement, as further described in Schedule 1 to this Appendix.
1. Definitions. For the purposes of this Appendix:
"Controller", "Processor", "Data Subject", "Personal Data", and "Personal Data Breach" shall mean as defined in the EU General Data Protection Regulation 2016/679 ("GDPR");
"Affiliate" shall mean any entity that directly or indirectly controls, is controlled by, or is under common control with a Party;
"Agreement" shall mean the Confidence Beta Terms of Service, and any related order forms or other agreement between Spotify and the Customer to which this Appendix is attached;
"Business Day" shall mean a day (other than a Saturday, Sunday or public holiday) on which commercial banks are open for general banking business in Sweden, other than for Internet banking services only;
"Data Protection Legislation" shall mean all data protection and privacy legislation applicable to the Parties, which for the avoidance of doubt shall include the GDPR;
"Force Majeure" shall mean as defined in Section 8;
"Party"/"Parties" shall mean the Customer and Spotify separately, or jointly, as the case may be; and
"Service" shall mean the Services, as defined by the Agreement.
2. Special Undertakings of the Parties
2.1 Roles, ownership of Personal Data, processing, and purpose. For the purposes of processing Personal Data under the Agreement, the Customer shall be regarded as a Controller and Spotify shall be regarded as a Processor. Spotify may only process the Customer's Personal Data for the purposes and to the extent it is necessary for the fulfilment of Spotify's obligations under the Agreement.
2.2 Special undertakings of the Customer. The Customer undertakes to:
- Ensure that under the Data Protection Legislation there is a legally valid ground for processing the Personal Data covered by this Appendix;
- Ensure that the Data Subjects, as required by the Data Protection Legislation, have received sufficient information regarding the processing, including information that Spotify may process the Personal Data on behalf of the Customer;
- Immediately after it is brought to the Customer's attention, inform Spotify of any erroneous, rectified, updated, or deleted Personal Data subject to Spotify's processing; and
- In a timely manner, provide Spotify with lawful and documented instructions regarding Spotify's processing of Personal Data.
2.3 Special undertakings of Spotify. Spotify undertakes to:
- Ensure that the employees (of Spotify or its subcontractors) who process Personal Data on behalf of the Customer have contractually committed themselves to confidentiality;
- Take all measures required pursuant to GDPR, Article 32;
- Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligations to respond to requests for exercising the Data Subject's rights laid down in the Data Protection Legislation;
- Except in cases of Personal Data Breach, upon a timely request by the Customer, assist the Customer in ensuring compliance with the obligations pursuant to GDPR, Articles 32 to 36; and
- Make available to the Customer the information necessary to demonstrate compliance with Spotify's obligations laid down in this Appendix and allow for and contribute to audits, including inspections, conducted by Customer or another third party mandated by it, in accordance with Section 5.
Spotify shall immediately inform the Customer if, in its opinion, an instruction issued by the Customer infringes the Data Protection Legislation.
3. Subcontractors.
- The Customer acknowledges and agrees that Spotify and Spotify's Affiliates respectively may engage third-party subcontractors in connection with the provision of the Service. A current list of all subcontractors for the Service is accessible at Schedule 2.
- Spotify confirms that it has entered (or, for future appointments, will enter) into a written agreement with the subcontractor incorporating terms which are substantially similar to those set out in this Appendix.
- Spotify will give the Customer notice, by email, of any new subcontractor in advance of providing that subcontractor with access to Personal Data. The Customer may reasonably object to Spotify's use of a new subcontractor by notifying Spotify in writing within ten Business Days after Spotify's notice in accordance with the above. Such notice shall explain the reasonable grounds for the objection.
- If the Customer's Personal Data is to be transferred to and processed by a subcontractor located outside the EU/EEA, Spotify is obliged to ensure it has implemented a data transfer solution compliant with the Data Protection Legislation prior to transferring such data.
- For the avoidance of doubt, the Customer fully and explicitly consents to the use of subcontractors with whom Spotify has agreements in place at the time this Appendix enters into force, including all Spotify Affiliates, regardless of whether they have been engaged as subcontractors at the time of this Appendix.
4. Data Transfers.
The EU standard contractual clauses adopted by decision of 4 June 2021, document number C/2021/3972 (module 2, controllers to processors) ("SCCs"), shall apply to any transfers of Personal Data under this Appendix from the European Union ("EU") and the European Economic Area ("EEA") to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Legislation of the foregoing territories, to the extent such transfers are subject to such legislation. The Parties agree that the Customer is the "data exporter" and Spotify is the "data importer" as defined in the SCCs.
For the purposes of Annex I of the Appendix to the SCCs, the following will apply:
- List of Parties. The names and contact details of the Parties shall be as set out in the applicable order form or Customer intake form for the Service.
- Description of Transfer.
- Data subjects: Users of the Service; customers, employees, contractors and other agents of the Customer.
- Categories of data. As provided for in the Agreement.
- Sensitive data: None
- Frequency of transfer: Continuous
- Nature and purpose of processing: To provide the Service under the Agreement.
- Period for which data will be retained: To the extent required to provide the Service under the Agreement.
- Competent Supervisory Authority. The relevant competent supervisory authority(ies) for the Customer as data exporter as applicable.
For purposes of Annex II of the Appendix to the SCCs, the following will apply:
Data importer shall undertake appropriate technical and organizational security measures to protect personal data against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures should take into account available encryption technology and the costs of implementing the specific measures and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.
The Parties further agree that: (i) option 2 in clause 9 of the SCCs shall apply for the general authorisation for the use of sub-processors, with a time period of thirty days for notice of the addition or replacement of sub-processors; (ii) the optional additional clauses of the SCCs shall not apply; and (iii) the laws and courts of Sweden shall apply for the purposes of clause 17 of the SCCs. Information for the purposes of transfer impact assessments is available on request.
5. Audit Rights.
Spotify will, during normal business hours and upon reasonable notice, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Appendix and the Data Protection Legislation (including processing that may be carried out by Spotify's subcontractors, if any) and allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
Spotify accepts and agrees that supervisory authorities may request information from Spotify, and carry out investigations in the form of data protection audits of Spotify, in accordance with the Data Protection Legislation.
The Customer is responsible for all reasonable costs associated with the audit, save for when the audit identifies a material breach by Spotify of its undertakings under this Appendix. If so, Spotify shall compensate the Customer for reasonable and verified costs associated with the audit.
6. Termination of the Service. Upon termination of the Service provided under the Agreement, Spotify shall, upon the Customer's request, return all Personal Data in Spotify's possession to the Customer or securely destroy such Personal Data and demonstrate to the satisfaction of the Customer that it has taken such measures, unless storage of the Personal Data is required under the Data Protection Legislation.
7. Liability. Each Party shall compensate the other Party for all losses due to claims from third parties resulting from, arising out of, or relating to any breach by such first-mentioned Party of this Appendix. Notwithstanding the above, Spotify shall not be held liable for indirect losses, including consequential damages such as loss of profit or revenue, or other economic losses incurred pursuant to this Appendix, except in cases of wilful intent or gross negligence on the part of Spotify. Spotify's total liability towards the Customer under this Appendix shall never exceed the greater of EUR 100 or the amounts, if any, paid to Spotify pursuant to the Agreement during the last twelve (12) month period.
8. Force Majeure. Spotify shall not be liable for any default or delay in the performance of its obligations under this Appendix if and to the extent the default or delay is caused by circumstances that are outside Spotify's control and that Spotify could not reasonably have foreseen or prevented by reasonable precaution ("Force Majeure"). A failure by a subcontractor will be considered a Force Majeure event provided that the underlying reason for the subcontractor's non-performance is an event which, if it had related directly to Spotify, would have qualified as a Force Majeure event under this Appendix.
9. Miscellaneous. Spotify may assign this Appendix, and its rights and obligations hereunder, to any Spotify Affiliate without the Customer's consent. The Customer may not assign this Appendix, or any of its rights and obligations hereunder, without Spotify's prior written consent.
SCHEDULE 1 to DATA PROCESSOR APPENDIX - Description of the processing of personal data
Subject matter
The subject matter of this Appendix concerns Spotify's provision of the Service to the Customer.
Nature and purpose
Spotify will process the Customer's Personal Data for the purposes of providing the Service to the Customer in accordance with the Agreement.
Data categories
Spotify shall process Personal Data relating to individuals provided to Spotify via the Service in accordance with the Agreement.
Data subjects
The Personal Data processed concern the following categories of Data Subjects:
- Users of the Service
- Customers, employees, contractors, and other agents of the Customer
Duration of processing
Spotify shall process Personal Data during the term of the Agreement and not thereafter, except if specifically instructed to do so by the Customer or if required by law.
SCHEDULE 2 to DATA PROCESSOR APPENDIX - List of subcontractors
- Entity name: Google LLC
  Subcontractor activity: Cloud Service Provider
- Entity name: Okta, Inc
  Subcontractor activity: Identity and Access Management Service Provider