Telmar acquires Helixa. Reach out to your Telmar rep for new and enhanced insights.

Data Processing Agreement

  1. Background
    1. The Parties agree that this Data Processing Agreement (“Agreement”) sets forth their obligations with respect to the processing of personal data in connection with the provision of Data Services (defined in section 3.1, below). This Agreement is incorporated by reference into the Master Subscription Agreement made between the Parties.
  2. Definitions
    1. Any capitalized terms used but not defined in this Agreement shall have the meaning set forth in the Master Subscription Agreement.
    2. In this Agreement, the following terms shall have the following meanings:
      1. controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law.
      2. Applicable Data Protection Law” shall mean all laws applicable (in whole or part) to a Party’s processing of personal data under or in connection with this Agreement, including, as applicable, EU Data Protection Law, UK Data Protection Law and the CCPA, as enacted, amended or superseded from time to time;
      3. Business” shall have the meaning given to it in the CCPA.
      4. CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended from time to time, and any related regulations and guidance provided or issued by the California Attorney General pertaining to same.
      5. EU Data Protection Law” means: (i) all EU regulations or other legislation applicable to the processing of personal data under this Agreement (such as Regulation (EU) 2016/679)(the “GDPR”); (ii) the national laws of each EEA member state implementing any EU directive applicable to the processing of personal data under this Agreement (such as Directive 2002/58/EC (the “e-Privacy Directive”); and (iii) any other national laws of each EEA member state applicable to the processing of personal data under this Agreement, as amended or superseded from time to time.
      6. Service Provider” shall have the meaning given to it in the CCPA.
      7. UK Data Protection Law” means: (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the Data Protection Act 2018 (the “DPA 2018”); (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 (“PECR”); and (iv) any other laws in force in the UK from time to time applicable to the processing of personal data under this Agreement, as amended or superseded from time to time.
  3. Relationship of the Parties
    1. The Parties acknowledge and agree that pursuant to the Master Subscription Agreement (including this Agreement), Telmar may receive or otherwise collect Datasets as described in the Master Subscription Agreement for processing. By using the Services, Professional Services and/or Support (and as further described in the relevant Order) (collectively, “Data Services”), the Customer will either:
      1. share a Customer Dataset with Telmar for the purposes of enabling Telmar to provide the Data Services to the Customer; and/or
      2. require Telmar to enable access to, use and/or store a Third Party Dataset for the purposes of enabling Telmar to provide the Data Services to the Customer.
    2. The Customer will also provide Telmar with information about its Users and/or employees, for the purposes of enabling those Users to access and use the Data Services and for other general contract management and commercial relationship purposes.
    3. The Customer acknowledges that by engaging and requiring Telmar to provide the Data Services, the information that is made available to Telmar by the Customer (either directly or indirectly) under the Master Subscription Agreement (or that information in conjunction with other information regarding individuals) may constitute personal data (or personal information) under Applicable Data Protection Law.
    4. Where Telmar is a controller of such personal data (for example, in relation to Customer User contact details and passwords, as well as contact details for Customer employees with whom Telmar communicates in order to provide the Customer with the Data Services or for general business management purposes) (“Ancillary Data”), Telmar shall use the Ancillary Data in the manner set out in its Privacy Policy. Customer agrees that it shall make the relevant Users and employees aware of Telmar’s Privacy Policy.
    5. Where Telmar is the processor of such personal data, section 4 of this Agreement shall apply.
    6. Where Telmar is a processor under this Agreement, the Customer warrants, represents and agrees that:
      1. it has all rights, permissions and consents required by law or contract to enable Telmar to access and use the Data (as defined below) in order for Telmar to provide the Data Services to the Customer under the Master Subscription Agreement; and
      2. it has satisfied the requirements of Applicable Data Protection Law in relation to any Third Party Datasets that it makes available to Telmar (or that it otherwise requires Telmar to access or use) under the Master Subscription Agreement, including but not limited to having appropriate data processing terms in place with such Third Parties in respect of Third Party Datasets.
      3. Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.
  4. Telmar as processor
    1. Customer (the controller) appoints Telmar as a processor to process the personal data described in this Agreement (the “Data”) for the purposes of providing the Data Services (and as further described in Annex A to this Agreement or as otherwise agreed in writing by the Parties), (the “Permitted Purpose”). If Telmar becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.
    2. Telmar shall act solely as a Service Provider with respect to any Data received. The Parties acknowledge and agree that Customer is providing the Data to Telmar to enable Telmar’s performance of the Services in accordance with the Permitted Purpose as described in the Master Subscription Agreement, and that Data is not exchanged for monetary or other valuable consideration.
    3. Without limiting any of the foregoing, Data shall be used only in the manner contemplated in the Master Subscription Agreement and this Agreement and shall not intentionally be disclosed or sold (as such term is defined under the CCPA) to Third Parties without Customer’s prior written consent, or as otherwise permitted by the CCPA or Applicable Data Protection Law. Telmar hereby certifies that it understands and will comply with the restrictions and obligations contained in this Agreement. Notwithstanding anything to the contrary, Telmar may aggregate, de-identify, or anonymize Data, so it no longer meets the definition of personal information under the CCPA, and may use such aggregated, de-identified, or anonymized data for its own purposes. Telmar will not attempt to or re-identify any previously aggregated, de-identified, or anonymized data. For the avoidance of doubt, to the extent permitted by the CCPA, Telmar may use Data to detect data security incidents or protect against fraudulent or illegal activity, or improve its services. To the extent required by Applicable Data Protection Law, this section constitutes Telmar’s certification to the processing restrictions herein.
    4. International transfers: Telmar shall not transfer the Data outside of the European Economic Area (“EEA”) or the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Customer acknowledges and agrees that Telmar may transfer the Data to its Affiliates under the Telmar intragroup data transfer agreement or its sub-processors under a data processing agreement, which incorporates the applicable standard contractual clauses as approved by the European Commission or UK Information Commissioner’s Office (as appropriate).
    5. Confidentiality of processing: Telmar shall ensure that any person it authorises to process the Data (an “Authorised Person”) shall protect the Data in accordance with Telmar’s confidentiality obligations under the Master Subscription Agreement.
    6. Security: The processor shall implement technical and organisational measures as set out in the Master Subscription Agreement to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).
    7. Subcontracting: Customer consents to Telmar engaging Third Party subprocessors to process the Data for the Permitted Purpose provided that: (i) Telmar maintains an up-to-date list of its subprocessors at telmar.com/telmarsubprocessors, which it shall update with details of any change in subprocessors at least ten (10) days’ prior to any such change; (ii) Telmar imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Telmar remains liable for any breach of this section 4 that is caused by an act, error or omission of its subprocessor. Customer may object to Telmar’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Telmar will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Master Subscription Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
    8. Cooperation and data subjects’ rights: Telmar shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to (i) meet its obligations under Applicable Data Protection Laws and in particular to respond to any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other Third Party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Telmar concerning Telmar’s processor activities under this Agreement, Telmar shall promptly inform Customer providing full details of the same. Telmar hereby certifies that it understands and will comply with the restrictions and obligations contained in this Agreement. To the extent required by Applicable Data Protection Law, this section constitutes Telmar’s certification to the processing restrictions herein.
    9. Data Protection Impact Assessment: Telmar shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
    10. Security Incidents: If it becomes aware of a confirmed Security Incident, Telmar shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Telmar shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
    11. Deletion or return of Data: Upon termination or expiry of this Agreement, Telmar shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Telmar is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Telmar shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible. For the avoidance of doubt, this requirement also does not apply where Telmar has been instructed to provide Data Services via API (in contrast to where Telmar hosts and stores the relevant Dataset on its own servers), as in such case Telmar will have no access to the underlying Data once that Data Service has been terminated or expired.
    12. Audit: To the extent required by Applicable Data Protection Law, Telmar shall permit Customer (or its appointed Third Party auditors) to audit Telmar’s compliance with this section 4, and shall make available to Customer all information, systems and staff reasonably necessary for Customer (or its Third Party auditors) to conduct such audit. In such case, Telmar acknowledges that Customer (or its Third Party auditors) may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Telmar’s operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except: (i) if and when required by instruction of a competent data protection authority; or (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by Telmar.
  5. Other
    1. Either Party may propose to amend this Agreement if the change:
      1. reflects a change in the name or form of a legal entity; and/or
      2. is required to comply with applicable law, applicable regulation, a court order or binding guidance issued by a governmental regulator or agency.(each, a “Trigger Event“).In such case, the Parties (acting reasonably) shall work together to agree amendments to this Agreement as required to satisfy the changes imposed by the Trigger Event.
      3. Notwithstanding anything to the contrary, Telmar may amend this Agreement as long as the change does not expand the scope of, or remove any restrictions on, Telmar’s processing of Data or otherwise have a material adverse impact on Customer’s rights under this Agreement, as reasonably determined by Telmar.
      4. If Telmar intends to amend this Agreement in accordance with this section 5, Telmar shall inform Customer at least thirty (30) days (or such shorter period as may be required to comply with applicable law, regulation, court order or guidance issued by a relevant regulator or agency) before the change will take effect by posting a notification on the Telmar Platform Page. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Telmar within ninety (90) days of being informed by Telmar of the proposed change.

Annex A

Data Processing Description

This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.

Controller

The controller is (please specify briefly the controller’s activities relevant to the processing):

Customer who has signed the Master Subscription Agreement with Telmar for Data Services (either acting solely on its own behalf or on behalf of any Customer Affiliate, as permitted under a relevant Order).

Processor

The processor is (please specify briefly the processor’s activities relevant to the processing):

The Telmar entity that has signed the Master Subscription Agreement. Telmar is a provider of media planning and analytics services. Telmar processes the personal data on behalf of and according to the instructions of the controller.

Data subjects

The personal data to be processed concern the following categories of data subjects (please specify):

Individuals who have participated in surveys carried out by Customer (or Third Parties), or whose information is otherwise held by Customer (or a Third Party) and made available to Telmar for the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets; however, the categories of data subjects is determined by the controller under the Order.

Categories of data

The personal data to be processed concern the following categories of data (please specify):

Anything that has been collected by Customer or Third Parties (typically survey responses) and which is shared with or otherwise made available to Telmar for the purposes of the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets; however, the categories of data are determined by the controller under the Order.

Special categories of data

The personal data to be processed concern the following special categories of data (please specify):

Anything that has been collected by Customer or Third Parties (typically survey responses) and which is shared with or otherwise made available to Telmar for the purposes of the provision of the Data Services to Customer. “Real world” identifiers are not typically included within the Datasets Customer would not typically instruct Telmar to draw insights or conclusions based on special category data types; however, the categories of data are determined by the controller under the Order.

Processing operations

The personal data will be subject to the following basic processing activities (please specify):

Telmar will process the personal data in order to provide the Data Services, namely to analyse the Datasets provided (or made available) to Telmar by the Customer in accordance with the Customer’s instructions. In particular, Telmar provides media planning tools to enable Customer to plan its advertising campaigns by evaluating and analysing Datasets. Telmar’s specific instructions will be as set out in an Order and may include being instructed to analyse responses from multiple Datasets (noting that, in such case, the Datasets will not be co-mingled, but that Telmar will instead be instructed to draw insights from separate Datasets and then report a combined insight to the Customer, in line with Customer’s instructions). Telmar is also instructed to aggregate and anonymise the Data as required to produce non-personal data that Telmar can use to provide support to Customer and for generic product development purposes.