Data Processing Agreement
Effective: September 27, 2021
PLEASE NOTE: WE'VE UPDATED THE TERMS BELOW IN CONNECTION WITH THE NEW EUROPEAN COMMISSION-APPROVED STANDARD CONTRACTUAL CLAUSES, EFFECTIVE SEPTEMBER 27, 2021
ARBITRATION NOTICE: YOU ARE BOUND BY THE ARBITRATION PROVISION SET FORTH IN THE BUSINESS SERVICES TERMS. IF YOU ARE CONTRACTING WITH SNAP INC., THEN YOU AND SNAP INC. WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-ACTION LAWSUIT OR CLASS-WIDE ARBITRATION.
This Data Processing Agreement (“Agreement”) forms a legally binding contract between you and Snap, applies to the extent Snap processes Customer Personal Data on your behalf when you are the Data Controller, and is incorporated into the Business Services Terms. Some terms used in this Agreement are defined in the Business Services Terms.
“Customer Personal Data” means the personal data of EEA, Switzerland, UK, and Brazilian data subjects provided to Snap by you or on your behalf when you are the Data Controller.
“Data Controller” means a controller as defined in the GDPR, UK GDPR or LGPD, as applicable, who alone or jointly with others determines the purposes and means of the processing of Customer Personal Data.
“Data Protection Law” means the EEA, Switzerland, UK, and Brazilian data protection laws applicable to the processing of Customer Personal Data under this Agreement, including the GDPR, the UK Data Protection Laws and LGPD.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“LGPD” means Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by Snap.
“Subprocessors” means third parties authorized under this Agreement to access and process Customer Personal Data in order to provide parts of the Business Services.
“UK” means the United Kingdom.
“UK Data Protection Laws” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK (“UK GDPR”) and the Data Protection Act 2018.
The terms “personal data,” “data subject,” “processing,” “controller,” “processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR, UK GDPR or LGPD, as applicable, in each case irrespective of whether Data Protection Law applies.
2. Processing of Customer Personal Data
a. Roles of Parties. Snap processes Customer Personal Data on behalf of and as instructed by the Data Controller, in accordance with Article 28 (1) GDPR, UK GDPR and LGPD, as applicable.
b. Appointment. The Data Controller appoints Snap to process Customer Personal Data on the Data Controller’s behalf only as is necessary to provide the Business Services and as may subsequently be agreed to by the parties in writing.
c. Legitimacy of Processing. The Data Controller is responsible for ensuring a valid legal basis for processing the Customer Personal Data.
d. Details of Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.
e. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement. Without prejudice to the foregoing, Snap will not process Customer Personal Data in a manner that will, or is likely to, result in the Data Controller breaching its obligations under the Data Protection Law. Snap will promptly inform the Data Controller if Snap is of the opinion that the Data Controller’s instruction infringes Data Protection Law.
3. Snap Obligations
a. Processing of Customer Personal Data. Snap will only process Customer Personal Data in accordance with the Business Services Terms and this Agreement, and will not use or process Customer Personal Data for any purpose other than in its capacity as processor appointed by the Data Controller.
b. Data Security. In accordance with Article 32 GDPR, UK GDPR and LGPD, as applicable, and as described in Schedule 2 of this Agreement, Snap will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.
c. Non-Disclosure. Snap will not publish, disclose, or divulge (and will ensure that its personnel do not publish, disclose, or divulge) Customer Personal Data to a third party unless the Data Controller has given its prior written consent.
d. Confidentiality. Snap will ensure that only personnel who may be required to assist in meeting its obligations under the Business Services Terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.
e. Cooperation. Snap will provide reasonable cooperation and assistance to the Data Controller as the Data Controller may reasonably require to allow the Data Controller to comply with its obligations under Articles 32 through 36 GDPR, UK GDPR and LGPD, as applicable, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfilment of data subjects’ rights, and any enquiry, notice or investigation by a supervisory authority, as further detailed in this Agreement.
f. Data Subject and Supervisory Requests. Snap will inform the Data Controller promptly, and in any event within two business days, of any enquiry or complaint Snap receives from a data subject or supervisory authority relating to Customer Personal Data. Snap will assist the Data Controller, insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from data subjects and supervisory authorities as required by Data Protection Law.
g. Data Protection Impact Assessment. Upon request, Snap will provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the processing activity and the information available to Snap, to assist the Data Controller to conduct a data protection impact assessment as required by Data Protection Law.
h. Providing Evidence. During the term of this Agreement and for a period of one year thereafter, Snap will make available to the Data Controller, or an internationally recognized auditing firm acting on the Data Controller’s behalf, all information reasonably necessary to demonstrate Snap’s compliance with this Agreement, and Snap will allow for and contribute to audits conducted by the Data Controller or its representatives who are bound by appropriate obligations of confidentiality; if: (i) the Data Controller provides no fewer than ten business days’ prior written notice to Snap; (ii) such audit is conducted during Snap’s normal business hours and in a manner that does not unreasonably interfere with Snap’s normal business operations; (iii) such audit lasts no longer than three total business days; (iv) in no event is the Data Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive Snap’s proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this Agreement; and (v) the Data Controller is obligated to reimburse Snap for Snap’s documented reasonable costs if that audit determines that Snap is in compliance with this Agreement. In the event the audit determines Snap is out of compliance with this Agreement, then Snap will be obligated for all reasonable costs of such audit.
i. Return or Destroy Customer Personal Data. Upon completion of Snap’s obligations in relation to processing of Customer Personal Data under this Agreement or upon the Data Controller’s request at any time during the term of this Agreement, (and, if the Data Controller so requests, at regular intervals set by the Data Controller), Snap will either: (i) return all or subsets of the Customer Personal Data in Snap’s possession to the Data Controller; (ii) render all or part of Customer Personal Data anonymous in such a manner that the data no longer constitutes personal data; or (iii) permanently delete or render all or parts of the Customer Personal Data unreadable. Upon the Data Controller’s request, Snap must provide written confirmation to the Data Controller of the anonymization, return, and deletion of Customer Personal Data.
j. Hashed Customer Personal Data. If Snap receives Customer Personal Data in hashed or otherwise obfuscated format, Snap will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Data Controller Personal Data unless the Data Controller instructs Snap to do so; and (ii) only share the Customer Personal Data in the format Snap received it from the Data Controller.
4. Personal Data Breach
a. Notification. In accordance with Article 33 GDPR, UK GDPR and LGPD, as applicable, Snap will notify the Data Controller without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. Snap will also provide the Data Controller with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known to Snap) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and Snap will cooperate with any reasonable request made by the Data Controller relating to the Personal Data Breach.
b. Investigation. Snap agrees to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with the Data Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.
a. Authorized Subprocessors. The Data Controller specifically authorizes the engagement of Snap’s affiliates to process Customer Personal Data and the Data Controller generally authorizes the engagement of any other third parties as Subprocessors to process Customer Personal Data.
b. Obligations of Subprocessor. In accordance with Article 28 (4) GDPR, UK GDPR and LGPD, as applicable, Snap will impose legally binding contract terms on each Subprocessor that are as restrictive as those contained in this Agreement.
c. Restricted Access. Snap will ensure each Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this Agreement.
d. Updates of Subprocessors. In accordance with Article 28 (2) GDPR and UK GDPR (as applicable), here is an up-to-date list of: (i) all Subprocessors involved in processing Customer Personal Data; (ii) the purposes for which the Subprocessors process Customer Personal Data; and (iii) the location of each Subprocessor. Snap will notify the Data Controller at least 30 days before adding a new Subprocessor.
e. Right to Object. Data Controller has the right to object to the addition of a new Subprocessor, as described in this Section. In the event that the Data Controller objects to the processing of Customer Personal Data by any newly appointed Subprocessor, it will immediately inform Snap, after which Snap will either: (i) instruct the Subprocessor to cease any further processing of Customer Personal Data, in which event this Agreement shall continue unaffected; or (ii) allow the Data Controller to terminate this Agreement immediately.
6. Data Transfers
a. If the Data Controller is established in the EEA and transfers personal data to Snap Inc., Snap ULC, or Snap Aus Pty Ltd, then the Data Transfer Agreement shall:
(i) apply to such transfers;
(ii) take precedence over all other terms, including the terms of this Agreement, in respect of such transfers;
(iii) form a legally binding contract between you as the data exporter and Snap as or on behalf of the data importer; and
(iv) be hereby incorporated into the Business Services Terms.
b. With respect to personal data of EEA, Switzerland and UK data subjects, the Data Controller and Snap agree that Snap may process Customer Personal Data outside the EEA, Switzerland, and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.
c. With respect to personal data of Brazilian data subjects, the Data Controller agrees that Snap may process Customer Personal Data outside of Brazil, and represents and warrants that such transfer of Customer Personal Data is in compliance with LGPD.
7. Indemnity; Subprocessor Liability
a. Indemnity. Snap agrees to indemnify the Data Controller against all third-party complaints, charges, claims, damages, losses, costs, liabilities, and expenses due to, arising out of, or relating in any way to Snap’s breach of this Agreement.
b. Indemnity Process. The Data Controller will promptly notify Snap in writing of any indemnification claim, but any failure to notify Snap will not relieve Snap from any indemnity liability or obligation it may have, except to the extent Snap is materially prejudiced by that failure. The Data Controller will reasonably cooperate with Snap, at Snap’s expense, in connection with the defense, compromise, or settlement of any indemnification claim. Snap will not compromise or settle any claim in any manner, nor make any admission of liability, without the Data Controller’s prior written consent, which the Data Controller may provide in its sole discretion. The Data Controller may participate (at its cost) in the defense, compromise, and settlement of the claim with counsel of the Data Controller’s choosing.
c. Subprocessor Liability. Snap acknowledges and agrees that it will remain liable to the Data Controller for a breach of the terms of this Agreement by a Subprocessor and any other subsequent third-party processors appointed by it.
a. Termination. This Agreement will terminate automatically upon termination of the Business Services Terms.
b. Survival. Snap’s obligations related to returning or deleting Customer Personal Data will survive termination of the Business Services Terms and this Agreement until Snap has returned or deleted the Customer Personal Data in accordance with this Agreement.
If there is a conflict or inconsistency between this Agreement, the Data Transfer Agreement, the Business Services Terms, any applicable Supplemental Terms and Policies, or the Snap Terms of Service the order of priority will be: the Data Transfer Agreement (but only to the extent it applies under section 6.a above), this Agreement, the Supplemental Terms and Policies, the Business Services Terms, and the Snap Terms of Service.
Schedule 1: Details of Data Processing
A. List of Parties
The data exporter shall be the Data Controller, as defined in this Agreement, with the name, address, and contact details as provided to Snap via the Business Services. The activities relevant to the data transferred under these Clauses include the use of the relevant Business Services in accordance with the Business Services Terms and applicable Supplemental Terms and Policies. The data exporter shall be in the controller role.
The data importers shall be:
(a) Snap Inc., with its address at 3000 31st Street, Santa Monica, California 90405, if the data exporter is transferring personal data to Snap Inc. under this Agreement;
(b) Snap ULC, with its address at 1959 Upper Water Street, Halifax, NS, Canada B3J 3N2, if the data exporter is transferring personal data to Snap ULC under this Agreement; or
(c) Snap Aus Pty Ltd, with its address at Level 31, 2 Chifley Square, Sydney, NSW 2000, Australia, if the data exporter is transferring personal data to Snap Aus Pty Ltd under this Agreement.
The activities relevant to the data transferred under these Clauses include the provision of the relevant Business Services in accordance with the Business Services Terms and applicable Supplemental Terms and Policies terms. The data importer shall be in the processor role.
B. Description of Transfer
The data processing activities carried out by Snap under this Agreement are as follows:
Snap's provision of the Business Services to the Data Controller.
Duration of the processing and retention
For the term of this Agreement plus the period from expiry of the term of this Agreement until the anonymization, return, or deletion of data in accordance with this Agreement.
Nature and purpose
Snap will process Customer Personal Data for the purposes of providing the Business Services to the Data Controller in accordance with and as described in the Business Services Terms and this Agreement.
Customer Personal Data relating to individuals provided to Snap via the Business Services, by (or at the direction of) the Data Controller, which may include:
mobile ad ID (IDFA/AAID)
browser user agent
actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods
Sensitive data transferred
Frequency of the transfer
Data subjects include EEA, Switzerland, UK, and Brazilian individuals about whom personal data is provided to Snap via the Business Services by (or at the direction of) the Data Controller.
C. Competent Supervisory Authority
The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).
Schedule 2 - Snap Security Measures
1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Customer Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Data Controller, the Data Controller's customers, or the Data Controller's employees; and any anticipated threats or hazards to the security or integrity of such information.
2. Adopting and implementing reasonable policies and standards related to security.
3. Assigning responsibility for information security management.
4. Devoting adequate personnel resources to information security.
5. Carrying out verification checks on permanent staff who will have access to the Customer Personal Data.
6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Customer Personal Data to enter into written confidentiality agreements.
7. Conducting training to make employees and others with access to the Customer Personal Data aware of information security risks and to enhance compliance with Snap's policies and standards related to data protection.
8. Preventing unauthorized access to the Customer Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Snap's policies and standards related to data protection on an ongoing basis. In particular, Snap has implemented and complies with, as appropriate and without limitation:
Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance, and exterior security);
Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);
Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization;
Data transmission control measures to ensure that the Customer Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Snap's information security program will be designed:
To encrypt in storage any data sets in Snap's possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards, including AES-256, and storing user identities on the system using a key-value pair such as ghost_id to prevent storage of the actual user ID; and
To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Snap's IT system or transmitted over a public network is encrypted using the newest supported versions of TLS 1.2 protocol to protect the security of the transmission;
Data entry control measures to ensure Snap can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed;
Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, a bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;
Subprocessor supervision measures to ensure that, if Snap is permitted to use subprocessors, the Customer Personal Data is processed strictly in accordance with the Data Controller's instructions including, as appropriate:
Measures to ensure that the Customer Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and
Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Customer Personal Data.
9. Taking such other steps as may be appropriate under the circumstances.