This Data Processing Agreement (the “DPA”) is incorporated into the agreement(s) entered into by you (“Partner”) and the LinkedIn company identified on the agreement(s) (“LinkedIn”), that govern data sharing between Partner and LinkedIn (but excluding customer agreements between Partner and LinkedIn that govern Partner’s purchase of LinkedIn products and services) (“Partner Agreement”).
This DPA governs the processing of: (1) personal data that Partner uploads or otherwise provides to LinkedIn in connection with the Partner Agreement; and (2) personal data that LinkedIn (or its members) uploads or otherwise provides to Partner in connection with the Partner Agreement.
Collectively, the DPA (including the SCCs, as defined below) and the Partner Agreement are referred to in this DPA as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) this DPA; and (c) the Partner Agreement. Except as specifically amended in this DPA, the Partner Agreement remains unchanged and in full force and effect.
WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Controllers of EU Personal Data (e.g., LinkedIn member data) and, in certain cases, transfer that EU Personal Data to the other party for that other party to act as a Data Controller of that EU Personal Data;
WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Controllers of EU Personal Data and, in certain cases, transfer that EU Personal Data to the other party for that other party to provide certain services to the other party as a Data Processor (e.g., complete an API call);
WHEREAS, in connection with the Partner Agreement, LinkedIn and Partner may each be Data Processors of a Joint Customer’s EU Personal Data and transfer such data to the other party for processing at the direction of that Joint Customer;
WHEREAS, LinkedIn and Partner wish to memorialize their obligations to one another with respect to the foregoing.
THEREFORE, by continuing to process or transfer EU Personal Data as set forth above, LinkedIn and Partner agree to be bound by this DPA. If Partner does not agree to comply with the terms of this DPA, it must immediately cease processing EU Personal Data or uploading or otherwise transferring EU Personal Data to LinkedIn in connection with the Partner Agreement.
“Controller-to-Controller SCCs” means the Standard Contractual Clauses (Controller to Controller Transfers - Set II) in the Annex to the European Commission Decision of December 27, 2004 as may be amended or replaced from time to time by the European Commission.
“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010 as may be amended or replaced from time to time by the European Commission.
“Data Protection Requirements” means the Directive, the General Data Protection Regulation, Local Data Protection Laws, and all Privacy Laws.
“Directive” means the EU Data Protection Directive 95/46/EC (as amended).
“EU Personal Data” means Personal Information the sharing of which pursuant to this Agreement is regulated by the Directive, the General Data Protection Regulation, and Local Data Protection Laws.
“General Data Protection Regulation” means the European Union Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Joint Customer” means a customer of both Partner and LinkedIn.
“Joint Customer Personal Data” means any Personal Information for which a Joint Customer acts as a data controller.
“LinkedIn Personal Data” means any Personal Information for which LinkedIn acts as a data controller.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the Directive or the General Data Protection Regulation which may apply to the Agreement.
“Partner Personal Data” means any Personal Information for which Partner acts as a data controller.
“Personal Information” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that Partner provides to LinkedIn from services such as applicant tracking systems (ATSs) or customer-relationships management (CRM) services at the direction of a Joint Customer; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Information.
“Process” and its cognates mean any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under the Agreement.
“Subprocessor” means any entity which provides processing services to a Data Processor, as defined in Section 5.1, in furtherance of such Data Processor’s processing on behalf of a Data Controller.
“Supervisory Authority” means an independent public authority which is established by a member state pursuant to Article 51 of the General Data Protection Regulation.
2. COMPLIANCE WITH LAWS
The parties shall each comply with their respective obligations under all applicable Data Protection Requirements.
3. JOINT PROCESSOR SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Data Processor with respect to Personal Information, will (i) comply with the instructions and restrictions set forth in its agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the General Data Protection Regulation and in other Data Protection Requirements. Partner and LinkedIn both acknowledge and agree that each is acting as a Data Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.
4. CONTROLLER-TO-CONTROLLER SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Data Controller with respect to Personal Information, will reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the General Data Protection Regulation and in other Data Protection Requirements. Where both parties act as Data Controller with respect to Personal Information, and the transfer of data between the parties results in a transfer of EU Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the Controller-to-Controller SCCs, which are incorporated herein by reference. If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that the following terms apply: (i) Data subjects for whom a Partner processes EU Personal Data are third-party beneficiaries under the Controller-to-Controller SCCs; and (ii) Schedule A to this DPA shall apply as Annex B of the Controller-to-Controller SCCs. The parties acknowledge and agree that each is acting independently as Data Controller with respect to Personal Information and the parties are not joint controllers as defined in the General Data Protection Regulation.
5. CONTROLLER-TO-PROCESSOR SCENARIOS
5.1 Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to Sections 6-10 of this DPA shall be as follows:
5.1.1 For data processing operations where LinkedIn processes EU Personal Data on Partner’s behalf and at Partner’s direction, the term “Data Processor” refers to LinkedIn, the term “Data Controller” refers to Partner, and the term “Personal Data” refers to Partner Personal Data.
5.1.2 For data processing operations where Partner processes EU Personal Data on LinkedIn’s behalf and at LinkedIn’s direction, the term “Data Processor” refers to Partner, the term “Data Controller” refers to LinkedIn, and the term “Personal Data” refers to LinkedIn Personal Data.
5.2 Scope of Processing. In the context of the scenarios described in Section 5.1 above, each party agrees to process Personal Data only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.
6. DATA CONTROLLER OBLIGATIONS
The parties in their capacity as Data Controller agree to:
6.1 provide instructions to Data Processor and determine the purposes and general means of Data Processor’s processing of Personal Data in accordance with the Agreement; and
6.2 comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Requirements for Data Controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of Data Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third party accessing or using Personal Data on its behalf.
7. DATA PROCESSOR OBLIGATIONS
7.1 Processing Requirements. The parties in their capacity as Data Processor agree to:
a. process Personal Data (i) only for the purpose of providing, supporting and improving the Data Processor’s services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Data Controller. Data Processor will not use or process the Personal Data for any other purpose. Data Processor will promptly inform Data Controller in writing if it cannot comply with the requirements under Sections 6-10 of this DPA, in which case Data Controller may terminate the Agreement or take any other reasonable action, including suspending data processing operations;
b. inform Data Controller promptly if, in Data Processor’s opinion, an instruction from Data Controller violates applicable Data Protection Requirements;
c. if Data Processor is collecting Personal Data from individuals on behalf of Data Controller, follow Data Controller’s instructions regarding such Personal Data collection (including with regard to the provision of notice and exercise of choice);
d. take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on Data Processor’s behalf comply with the terms of the Agreement;
e. ensure that its employees, authorized agents and any Subprocessors are required to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their respective employment, contract or assignment;
f. if it intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors provided by Data Processor to Data Controller (such list for LinkedIn is available online at https://legal.linkedin.com/customer-subprocessors), obtain the prior written consent of Data Controller to such subcontracting, such consent to not be unreasonably withheld; (ii) remain liable to Data Controller for the Subprocessors’ acts and omissions with regard to data protection where such Subprocessors act on Data Processor’s instructions; and (iii) enter into contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security to that provided for herein;
g. upon request, provide Data Controller with Data Processor’s privacy and security policies; and
h. inform Data Controller if Data Processor undertakes an independent security review.
7.2 Notice to Data Controller. Data Processor will inform Data Controller if Data Processor becomes aware of:
a. any non-compliance by Data Processor or its employees with Sections 6-10 of this DPA or the Data Protection Requirements relating to the protection of Personal Data processed under this DPA;
b. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless Data Processor is otherwise forbidden by law to inform Data Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
d. any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of Data Controller. Data Processor will not respond to any such request without Data Controller’s prior written authorization.
7.3 Assistance to Data Controller. Data Processor will provide reasonable assistance to Data Controller regarding:
a. any requests from Data Controller data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data that Data Processor processes for Data Controller. In the event that a data subject sends such a request directly to Data Processor, Data Processor will promptly send such request to Data Controller;
b. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and Data Controller data subjects regarding such Personal Data Breaches; and
c. where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
7.4 Required Processing. If Data Processor is required by Data Protection Requirements to process any Personal Data for a reason other than in connection with the Agreement, Data Processor will inform Data Controller of this requirement in advance of any processing, unless Data Processor is legally prohibited from informing Data Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
7.5 Security. Data Processor will:
a. maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data;
b. be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Data Processor personnel with respect to Personal Data and liable for any failure by such Data Processor personnel to meet the terms of this DPA;
c. take appropriate steps to confirm that all Data Processor personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA; and
d. notify Data Controller of any Personal Data Breach by Data Processor, its Subprocessors, or any other third parties acting on Data Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
8. AUDIT, CERTIFICATION
8.1 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Data Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Requirements, Data Processor will cooperate with such audit. Data Controller will reimburse Data Processor for its reasonable expenses incurred to cooperate with the audit.
8.2 Data Processor Certification. Data Processor must, upon Data Controller’s request (not to exceed one request per calendar year) by email (where LinkedIn is Data Processor, such emails shall be sent to DPO@linkedin.com; where Partner is Data Processor, Partner shall establish and provide to LinkedIn upon request a single point of contact for email correspondence regarding data protection), certify compliance with Sections 6-10 of this DPA in writing. Data Processor will, upon Data Controller’s request, provide to Data Controller each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 16 (“SSAE 16”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement.
9. DATA TRANSFERS
9.1 Partner Personal Data. For transfers of EU Personal Data to LinkedIn for processing by LinkedIn as Data Processor on behalf of Partner as Data Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, LinkedIn agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the form of the Controller-to-Processor SCCs available at SCCs BD. If data transfers under this Section 9.1 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom a LinkedIn entity processes EU Personal Data are third-party beneficiaries under the SCCs. If LinkedIn is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Partner with respect to EU Personal Data. LinkedIn shall promptly notify Partner of any inability by LinkedIn to comply with the provisions of this Section 9.1.
9.2 LinkedIn Personal Data. For transfers of EU Personal Data to Partner for processing by Partner as Data Processor on behalf of LinkedIn as Data Controller, in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Partner agrees it will (a) provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the Controller-to-Processor SCCs. If data transfers under this Section 9.2 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the parties agree that data subjects for whom Partner processes EU Personal Data are third-party beneficiaries under the SCCs. If Partner is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of LinkedIn with respect to Personal Data. Partner shall promptly notify LinkedIn of any inability by Partner to comply with the provisions of this Section 9.2.
10. DATA RETURN AND DELETION
The parties agree that on the termination of the data processing services or upon Data Controller’s reasonable request, Data Processor shall, and shall take reasonable measures to cause any Subprocessors to, at the choice of Data Controller, return all the EU Personal Data and copies of such data to Data Controller or securely destroy them and demonstrate to the satisfaction of Data Controller that it has taken such measures, unless Data Protection Requirements prevent Data Processor from returning or destroying all or part of the EU Personal Data disclosed. In such case, Data Processor agrees to preserve the confidentiality of the EU Personal Data retained by it and that it will only actively process such EU Personal Data after such date in order to comply with applicable laws.
This DPA shall remain in effect as long as either party carries out Personal Information processing operations on the Personal Information uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement.
12. GOVERNING LAW, JURISDICTION, AND VENUE
Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of Ireland, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Dublin, Ireland.