Data Processing Addendum

Last updated and effective as of December 6, 2022 (the “DPA Effective Date”).

You can find archived versions of the 3Play Media Data Processing Addendum here.

This Data Processing Addendum (“DPA”), forms part of the 3Play Master Services Agreement or the 3Play Media Master Services Agreement (as applicable, the “Agreement”) between 3Play Media, Inc., together with its Affiliates (collectively, “Company” or “3Play”), and the entity that has engaged Company to provide the Services (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Company and Customer is referred to in this DPA individually as a “party”, collectively the “parties”. By entering into the Agreement, the parties are deemed to have signed all Attachments, Exhibits, Annexes, Schedules, and Appendices to this DPA where applicable.

 

1. Definitions. 

  • a. “Affiliates” means any corporation, partnership or other entity now existing or hereafter organized that directly or indirectly controls, is controlled by or under common control with a party.  For purposes of this definition “control” means the direct possession of a majority of the outstanding voting securities of an entity. As of the DPA Effective Date, 3Play Media, Inc.’s Affiliates include 3Play Media Canada, Inc. and Captionmax, LLC.
  • b. “California Privacy Laws” means the California Consumer Privacy Act of 2018, together with any regulations promulgated thereunder (to the extent applicable, collectively, the “CCPA”), as amended or replaced by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder (to the extent applicable, collectively, the “CPRA”) at such time (if ever) the CPRA becomes operative (the “CPRA Effective Date”).
  • c. “Customer Data” means any information Processed by Company solely on behalf of Customer, including without limitation any EU Personal Data, UK Personal Data, and/or California Personal Data.
  • d. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
  • e. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
  • f. “Personal Data” means any information relating to any identified or identifiable individual or household.
  • g. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • h. “UK” means the United Kingdom.
  • i. “UK Data Protection Laws” means the UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
  • j. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.

2. To the extent Company Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and the Company is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC (attached hereto as Exhibit A, the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to the Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data. 

3. To the extent Company Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Company is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC (attached hereto as Exhibit B, the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to the Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.

4. To the extent Company Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then, to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’ (attached hereto as Exhibit C, the “UK Data Exhibit”) will apply to the transfer of such UK Personal Data by Customer to the Company and to the Company’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the UK Data Exhibit, the UK Data Exhibit will control to the extent applicable to the UK Personal Data.

5. To the extent Customer makes available to Company Personal Data regulated by  the California Privacy Laws for a business purpose pursuant to the Agreement and/or to the extent Company Processes Personal Data regulated by the California Privacy Laws solely on behalf of Customer (collectively, “California Personal Data”), then, to the extent required by the California Privacy Laws, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Company’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.

6. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Company to lawfully Process Customer Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Company under the Agreement and this DPA; and (iii) Company’s Processing of the Customer Data in accordance with the Agreement, this DPA, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Company harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 6. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 6 shall not be subject to any limitations of liability set forth in the Agreement.

7. Retrieval of Customer Data will be subject to Company’s system access procedures and document retention policies (unless prohibited by applicable law); Customer Data will be subject to destruction in accordance with such procedures and policies; and Customer hereby directs Company to destroy such Customer Data in accordance with such procedures and policies.

8. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Company shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Company is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Company is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the California Privacy Laws), then, to the extent Company is subject to the California Privacy Laws as a business (as defined in the California Privacy Laws), Company is the business (as defined in the California Privacy Laws) with respect to such data and accordingly shall Process such data in accordance with the California Privacy Laws.

9. This DPA (together with the Agreement), constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Company reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage, provided, however, that Company will use reasonable efforts to provide you with notification of any  material changes (as determined in Company’s sole discretion) by email, postal mail, website posting, pop-up screen, or in-service notice.

10. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,”  and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word “or” is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.