Twitch Data Processing Agreement: Controller to Processor (C2PA)
Twitch and Processor wish to supplement the terms of the Agreement to ensure the Processing of Twitch Personal Data in connection with the Agreement is in compliance with Applicable Law. This Controller to Processor Agreement (“C2PA”) will govern any Twitch Personal Data Processed by Processor on behalf of Twitch and any of its Affiliates under the Agreement. Capitalised terms used herein will have the meaning ascribed to them in Section 1.4 below.
1. Scope of this C2PA
1.1 Application of this C2PA. This C2PA governs the Processing of Twitch Personal Data by Processor on behalf of Twitch or any Twitch Affiliate in connection with the Agreement or the Services provided therein.
1.2 Relationship with the Agreement. This C2PA is incorporated into and forms part of the Agreement. In the event and to the extent of any conflict between the terms of the Agreement and this C2PA, the terms of this C2PA will control. Except as expressly stated herein, the terms of the Agreement remain in full force and effect.
1.3 Description of Processing. The description of the Processing under this C2PA is set out in the Agreement.
1.4 Definitions. In this C2PA:
“Affiliate” means in relation to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party from time to time.
“Agreement” means a separate instrument between the parties.
“Applicable Law” means all applicable laws, rules, regulations, and guidance including but not limited to those relating to privacy, data protection, data security, encryption and confidentiality.
“C2PA” means this agreement, including its Schedules and any other document incorporated by reference.
“Data Subject” has the meaning given in the GDPR.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Party” means a party to this C2PA.
“Personal Data” has the meaning given in the GDPR.
“Personal Data Breach” has the meaning given in the GDPR.
“Processing” has the meaning given in the GDPR.
“Services” means the Services provided under the Agreement.
“Standard Contractual Clauses” means the standard contractual clauses deemed by the European Commission as providing sufficient safeguards to enable the lawful transfer of Twitch Personal Data from the European Union to another jurisdiction (as updated from time to time).
“Sub-Processors” means any third party business contracted by Processor that may have access to or processes Twitch Personal Data.
“Twitch Security Standards” means the standards set out in the Data Security Addendum located at: https://www.twitch.tv/p/legal/msa/security/
“UK Addendum” means the template International Data Transfer Addendum issued by the Information Commissioner under section 119A of the Data Protection Act 2018 (as updated from time to time).
“UK Data Protection Law” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom of Great Britain and Northern Ireland, including the UK GDPR and the Data Protection Act 2018.
“UK GDPR” has the meaning given in section 3 of the Data Protection Act 2018.
2. Data Processing Commitment
2.1 Compliance with Applicable Law. Processor shall comply with Applicable Law in connection with its obligations under the Agreement and any Services provided, and not do anything to place Twitch or any of its Affiliates in breach of Applicable Law. Processor represents and warrants that Processor complies with all applicable laws.
2.2 Use of Twitch Personal Data. Processor shall:
- only Process Twitch Personal Data in accordance with the written instructions of Twitch and as strictly necessary to perform the Services or obligations under the Agreement unless required otherwise by Applicable Law and provided that Processor shall inform Twitch of such legal requirement before Processing unless that law prohibits such information on the grounds of important public interest;
- avoid assuming any responsibility for determining the purposes for which and the manner in which the Twitch Personal Data is processed;
- immediately inform Twitch if Processor is of the opinion that any Twitch instructions relating to the Processing of Twitch Personal Data infringe on Applicable Law; and
- only process Twitch Personal Data for the specific purpose(s) of the Processing set out in the cover page to this C2PA.
2.3 Confidentiality. Processor shall ensure that it and its respective Affiliates’ employees, agents, contractors and other personnel who have access to Twitch Personal Data:
- only do so to the extent strictly necessary to provide the Services or otherwise comply with obligations under the Agreement;
- only disclose personal data to the minimum extent necessary to comply with a court order or statutory obligation; and
- are bound by binding confidentiality obligations which are no less protective than set out in the Agreement.
2.4 Security. Processor shall implement and maintain physical, technical and organizational measures to protect against any Twitch Personal Data Breach in accordance with good industry practice and which are commensurate with the nature of Twitch Personal Data Processed under the Agreement. Without limiting the foregoing, Processor shall:
- comply with the Twitch Security Standards (as may be updated by Twitch on written notice to Processor from time to time); and
- routinely monitor compliance with its obligations under this Clause and immediately notify Twitch if it becomes aware of any breach of such obligations.
2.5 Twitch Personal Data Breach. In the event of a Twitch Personal Data Breach, affecting Twitch Personal Data, Processor shall, in addition to complying with any applicable provisions in Section 7 of the Twitch Security Standards (regarding Security Incidents generally), at its sole cost and expense:
- notify Twitch promptly (and in any event within 72 hours) with such notification including (in reasonable detail):
  - a description of the nature of the Twitch Personal Data Breach;
  - the Data Subjects affected by the Twitch Personal Data Breach, including an estimate of the total number of Data Subjects affected and description of the Twitch Personal Data involved;
  - the details of a contact point where more information concerning the Twitch Personal Data Breach can be obtained;
  - the likely consequences of the Twitch Personal Data Breach; and
  - any corrective action taken by Processor, including to mitigate the risk of harm to affected Data Subjects;
- where, and insofar as, it is not possible to provide all of the information set out in clause 2.5(a) above at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay;
- maintain sufficient documentation of each Twitch Personal Data Breach, and provide Twitch with regular updates as material additional information becomes available;
- immediately undertake an appropriate investigation and all remediation efforts necessary to rectify and prevent a recurrence of the Twitch Personal Data Breach; and
- promptly provide Twitch with all information as it may reasonably request in respect of the Twitch Personal Data Breach and as necessary to enable Twitch to comply with applicable requirements under Applicable Law, including with respect to record keeping and reporting.
2.6 Communication of Twitch Personal Data Breaches. For Twitch Personal Data Breaches involving Twitch Personal Data, Twitch shall have the right to determine:
- whether notification of a Twitch Personal Data Breach is to be provided to any non-Party (including any supervisory authority, Data Subject, regulator, law enforcement agency or credit reporting agency);
- the contents of such notice; and
- whether any type of remediation may be offered to affected Data Subjects.
2.7 Sub-Processors:
- Processor shall not engage any other sub-processor without Twitch’s prior written consent (including as may be documented in the cover page to this C2PA). If Processor wishes to request Twitch’s prior written consent to engage a sub-processor, it shall provide Twitch with no less than 30 days’ written notice to 3rdParty-Privacy@twitch.tv with such notice including all information necessary to enable Twitch to assess Processor’s request.
- Processor shall be fully responsible for all acts and omissions of its sub-processors and shall ensure that each sub-processor is subject to binding contractual agreements no less onerous than set out in this C2PA and the Agreement.
- Processor shall immediately notify Twitch if any sub-processor fails to fulfill its contractual obligations in respect of the sub-processing of Twitch Personal Data.
- Processor shall ensure that in each agreement with a sub-processor, who may process Twitch Personal Data, a third party beneficiary clause for the benefit of Twitch and each of its Affiliates to terminate such agreement and require the sub-processor to, at Twitch’s election, promptly delete or return Twitch Personal Data in the event the Processor has factually disappeared, ceased to exist in law or has become (or is likely to become) insolvent or otherwise upon Twitch request.
- Upon Twitch’s request, Processor shall promptly provide copies of each sub-processor agreement (and any subsequent amendments) to Twitch. To the extent necessary to protect business secret or confidential information, including Twitch Personal Data, Processor may redact the text of the agreement (and amendment(s)) prior to sharing the copy.
2.8 Third Party Requests. Processor shall:
- promptly notify Twitch without undue delay, and in any event within 24 hours, of any request:
  - for information from or complaint by a supervisory authority, regulator, law enforcement agency or credit reporting agency, in relation to Twitch Personal Data that Processor Processes in connection with the Agreement; and
  - to Processor by a Data Subject, from or related to Twitch, to exercise rights under Applicable Law such as to access, rectify, amend, correct, share, delete or cease processing their Twitch Personal Data;
- if requested by Twitch, discuss and cooperate in the preparation of any response to such request; and
- not respond to such request without Twitch’s prior written consent.
2.9 Assistance. Processor shall provide full and prompt assistance to Twitch as Twitch may request and otherwise as reasonably necessary for Twitch to meet its obligations under Applicable Law (including, in responding to requests from data subjects exercising their rights under Applicable Law, conducting data protection impact assessments and consulting with competent authorities).
2.10 Deletion and Return of Twitch Personal Data. Processor shall promptly delete or return all Twitch Personal Data to Twitch upon request. Unless Twitch notifies Processor otherwise, on termination of the Agreement, Processor shall delete all Twitch Personal Data within 30 days. Notwithstanding the foregoing, Processor may retain Twitch Personal Data solely to the extent required otherwise by Applicable Law. If Applicable Law requires the retention of such Twitch Personal Data, Processor shall:
- notify Twitch in writing (in reasonable detail) of the reason for such retention;
- only use the Twitch Personal Data in accordance with this C2PA and as required by Applicable Law; and
- return or delete the retained Twitch Personal Data once permitted by Applicable Law.
Upon Twitch’s request, Processor shall provide Twitch with a written confirmation acknowledging that all Twitch Personal Data has been deleted or returned in accordance with this Clause.
2.11 International Transfers. Processor shall not transfer Twitch Personal Data from the United Kingdom to another country or from the European Economic Area (EEA) to another jurisdiction outside the EEA, or a country with an Adequacy Decision from the European Commission without Twitch’s prior written consent (including as may be documented in the cover page to this C2PA) and provided always that:
- where required by Applicable Law, such transfers are subject to a lawful transfer mechanism;
- if Twitch provides its prior written consent to such a transfer, and Processor executes the proper contractual agreements such as Standard Contractual Clauses or any further agreements as Twitch may require to ensure such transfer is in compliance with Applicable Law in accordance with Clause 2.13;
- Twitch may, at any time and without liability, suspend or prohibit such transfer; and
- Processor represents and warrants that in respect of such transfer it will continue to comply with this C2PA and is not subject to any conflicting legal obligation that would prevent it from doing so.
2.12 Demonstrating Compliance. Upon Twitch’s request, Processor shall promptly make available information reasonably necessary to demonstrate compliance with this C2PA, and allow for Twitch or another auditor mandated by Twitch to audit compliance with this C2PA. Without limiting the foregoing, Processor shall promptly:
- make available and provide access to such documents, records, systems and personnel, and Processor’s premises or physical facilities (on reasonable notice, where appropriate), as Twitch may require to exercise its rights under this clause;
- provide copies of any external independent audit reports in Processor’s privacy and security practices (such as a SOC 2 audit); and
- if any audit of Processor’s compliance with this C2PA identifies alleged risks or non-compliance with this C2PA, within 10 days of being notified of such risk or non-compliance, provide Twitch with a plan for remediating such issues and implement such plan (taking into account any reasonable requirements of Twitch in respect of the same).
2.13 Continued Compliance. If requested by Twitch in order to comply with Applicable Law, Processor shall enter into any additional terms necessary to enable Twitch to comply with Applicable Law.
2.14 Non-Compliance and Termination.
- Processor shall promptly inform Twitch if it is unable to comply with the C2PA for any reason.
- If Processor is in breach of this C2PA, Twitch may suspend the Processing of Twitch Personal Data until Processor remedies such breach or the Agreement is terminated.
- Twitch may, on written notice to Processor, terminate the Agreement without liability if:
  - Processor has not remedied a breach of this C2PA within a reasonable period, and in any event within one month;
  - Processor is in substantial or persistent breaches of this C2PA or Applicable Law; or
  - Processor fails to comply with a binding decision of a competent court or competent supervisory authority.
3. Risk Allocation
3.1 Indemnification. Processor shall indemnify Twitch, Twitch’s Affiliates and each of their respective employees, agents, officers and contractors (“Twitch Indemnified Parties”) in respect of any losses, damages, fines, costs, or expenses (including legal expenses and disbursements) incurred by any Twitch Indemnified Party resulting from a breach of Processor’s obligations under this C2PA. The foregoing indemnity will not be subject to any limitations or exclusions of liability (whether in the Agreement or otherwise).
3.2 Remediation. The Parties agree that Twitch will be entitled to recover from Processor any losses, damages, fines, costs, or expenses (including legal expenses and disbursements) incurred by Twitch or any of its Affiliates resulting from a breach of Processor’s obligations under this C2PA and such amounts will be deemed direct losses and not subject to any limitations or exclusions of liability (whether in the Agreement or otherwise).
4. General
4.1 Third Party Rights. This C2PA is for the benefit of Twitch and each of its Affiliates who may enforce any of its terms. Except as provided in the foregoing, no person may enforce any term of this C2PA other than Twitch or Processor.
4.2 Counterparts. This C2PA may be entered into in any number of counterparts, all of which together will constitute one and the same instrument. Any Party may enter into this C2PA by executing such counterpart.
4.3 Remedies. The rights and remedies provided under this C2PA are in addition to, and not exclusive of, any rights or remedies provided by law or in the Agreement.
4.4 Survival. Clauses 2.1, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.12, 2.13, 2.14(c), 3, 4.1, 4.3, 4.4, and 4.5 of this C2PA shall survive termination or expiration of the Agreement.
4.5 Governing Law and Jurisdiction. This C2PA shall be governed by the law of GERMANY, to the extent that European data subjects’ Twitch Personal Data is processed or at issue. This Addendum shall be governed by the law of the state of Washington for all other data subjects’ Twitch Personal Data.