This Wunderkind (the “Supplier”) California Data Processing Addendum (“California DPA”) is hereby incorporated by reference into any and all services agreements, insertion orders and addendums currently in place between Company and Wunderkind (the “Agreement(s)”).
Effective January 1, 2020 or as otherwise proscribed under the CCPA, the parties agree to comply with the following provisions with respect to any personal data (defined as “Personal Information” in the CCPA) of consumers processed in connection with the Agreement that is subject to the California Consumer Privacy Act (“CCPA”). The purpose of these Terms is to ensure such Processing is conducted in accordance with data protection laws, including the CCPA. References to the Agreement will be construed as including this California DPA.
- The terms “consumer,” “processing,” and “verifiable consumer request” are as defined under Section 1798.140 of the CCPA.
- “Approved Sub-processor” means a third-party entity that processes data on behalf of and as specifically directed by Supplier pursuant to a written contract and is thereby bound by obligations that are substantially similar to the obligations set out in this DPA. A list of Approved Sub-processors is available wunderkind.co/privacy/data-subprocessors.
- “Company” means Company and its subsidiary companies worldwide as defined by the underlying Agreement and the Supplier.
- “Personal Information” or “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household as defined under 1798.140 (o)(1) of the CCPA. Such individuals may include, but are not limited to, Company’s current or prospective customers, consumers, employees, contractors or business partners. Company Personal Information does not include any derivatives or enhancements.
- “Company Third Party Partner” means any entity, exclusive of any Approved Sub-processor, engaged by Company for the processing of Personal Information.
- “Incident” means the known accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Information, or access to, transmission of, storage of, or otherwise processing by Supplier or a Sub-processor of Supplier.
- Supplier Warranties: Supplier agrees that: a) it shall collect, store, transfer, dispose, disclose and use all Personal Information using the commercially reasonable care to ensure the protection of such data and in compliance with all applicable federal, state and international laws, regulations and directives; b) it shall not collect, retain, process, share or otherwise use Personal Information of consumers that is provided by Company (“Company Data”) except for performing the services as described in the Agreement unless as required by law or a government authority (in which case Supplier shall use its reasonable efforts to notify Company before such disclosure or as soon thereafter as reasonably possible); and c) except for Approved Sub-processors, it shall only transfer Company Data to a third-party, including a Company Third-Party Partner as specifically directed by Company. Any Approved Sub-processors will be permitted to obtain Personal Information only to deliver the services Supplier has retained them to provide. Supplier shall remain fully liable for all acts or omissions of its Approved Sub-processors.
- Company Warranties: If applicable, Company represents and warrants that: (i) it will make the appropriate disclosures of sale of Personal Information; and (ii) provide the necessary opt-out options to consumers.
- Data Retention: Supplier shall retain Company Personal Information only for as long as necessary to provide Services to Company. Upon termination of the parties Agreement for any reason, Supplier shall erase, delete, or destroy all or any part of such Company Personal Information in accordance with Supplier’s policy.
- Information Security Standard. Both parties agree that they will use their commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Personal Information, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Personal Information, and protect against unauthorized access, use, or alteration of Personal Information. Both parties agree not to process nonencrypted or nonredacted personal information as defined Section 1798.81.5(d)(1) of the California Civil Code under this Agreement except with the written permission of the other party, whereby such permission shall not be unreasonably withheld.
- Written Information Security Program. Both parties shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) consistent with, at the very least, the International Organization for Standardization’s ISO/IEC 27001 or SSAE SOC 2 Type 2 standards that are necessary to protect Personal Information within its control from unauthorized access, destruction, use, modification, or disclosure. Without limiting the generality of the foregoing statement, the WISP shall at a minimum encompass each of the elements set forth below.
- Incident Procedures. Any Incident involving the nonencrypted or nonredacted personal information as defined under section 1798.81.5(d)(1) of the California Civil Code (each a “Reportable Incident”) shall be subject to the following procedures:
- Supplier shall notify Company promptly (within 72 hours) of any Reportable Incident. Notification(s) of Reportable Incidents, if any, will be delivered to the Company’s business, technical or administrative contacts by any reasonable means, including via email. It is the Company’s responsibility to ensure it maintains accurate contact information.
- Supplier shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Company, including facilitating interviews with relevant personnel, making available all relevant records, logs, files, data reporting and other materials, and providing Company with reasonable physical access to the facilities affected.
iii. Unless required by law, Supplier shall not inform any third party of any Reportable Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel.
- Following a Reportable Incident, Supplier shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
- Incident Remediation. Supplier shall use its commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
- Third Party notification. Supplier agrees that, unless applicable law states otherwise, Company shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Company’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. Supplier agrees to reimburse Company for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.