Data Protection Addendum

This is an addendum to the Terms of Services

Effective date: May 15, 2018

Branded Research, Inc. (“Branded”) must demonstrate compliance with data protection laws (such as the General Data Protection Regulation (“GDPR”)) by our clients. We are requesting your confirmation regarding your compliance with your legal obligations to Branded by signing and returning the Data Protection Addendum (“DPA”) below to Branded.

Throughout this addendum, “Data Recipient” or “you” shall refer to the recipient of Personal Data from Branded along with its respective subcontractors and affiliates.


The following DPA constitutes an addendum between you and Branded for all responses to any questions presented in the Survey Offer along with consumer, influencer and audience behavior, or services (referred to as “Services” or in the hereinafter addendum, defined as “Services”, each referencing an “Agreement”) and as an agreement to the Addendum(s) to reflect the parties’ agreement with regard to the Processing and protection of Personal Data.


Terms the Data Recipient Agrees to Comply with are as follows:


1. Ensuring Compliance

Branded and you shall remain compliant with any obligations specific to all Applicable Laws including the Processing of Personal Data in connection with the Addendum. If you are a Processor of Personal Data in connection with the Addendum, you must comply with the obligations of a Processor per Article 28 of the GDPR.


Applicable to: Data Provider, Data Recipient


2. Safeguarding

You are able to confirm and prove that you have necessary security measures in place to protect Personal Data. This includes and is not limited to the enforcement of technical measures against any unauthorized use, potential loss, damage or destruction of the Data Subject’s Personal Data.


Applicable to: Data Provider, Data Recipient


3. Data Handling and Processing

You have collected valid authorizations, as necessary, to Process and disclose Personal Data to Branded. The nature of the Personal Data being disclosed and/or shared with Branded shall be laid out in the Addendum. In the instance where you become cognizant of any errors or lack of validity in the Personal Data or in the case the Data Subject has withdrawn authorization or approval, you shall notify Branded.


Applicable to: Data Provider


4. Personnel Administration of Personal Data

You shall enforce measures to ensure that all employees, affiliates, subcontractors, or agents (also known as “Personnel”), who are involved in the Processing of the Personal Data in connection with the Addendum, are reliable and aware of their duties.


Applicable to: Data Provider, Data Recipient


5. Transfer of Personal Data

In the case you transfer any Personal Data from within the EEA [or Switzerland] to Branded, within the United States of America, you will take all required actions to properly ensure the transfer. This includes notifying the associated Data Subjects of Branded’s certification to the EU-US [and EU-Swiss] Privacy Shield certification. Branded will uphold its certification for the entirety of the term, and will notify you of any changes to its certification status.


Applicable to: Data Provider


6. Third-Party Inquiries

You agree to having a Data Protection Officer, or an employee who shall remain responsible for ensuring the lawful and appropriate administration of Personal Data along with assisting Branded, in a timely manner, with any inquiries surrounding Data Subjects or any competent data protection or privacy authority as they relate to the Processing of Personal Data which you have provided to Branded.

In an effort to assist Branded with remaining compliant with GDPR and in relation to any Personal Data that you provide to Branded, you agree with providing Branded with assistance and information on an as needed basis in a timely manner.


Applicable to: Data Provider, Data Recipient (first paragraph only)


7. Exchange of Personal Data

Per the addendum, in the instance where you receive Personal Data from and provide Personal Data to Branded, you and Branded consent to doing so in the capacity of Controller, for the process of supplying Personal Data to the other party.
In the case you receive Personal Data from Branded, you will act in the capacity of a Controller, and:

A. Uphold the ability to Process such Personal Data for your own business and commercial needs, subject to the Terms of this Addendum (including, without limitation, the scope of the license granted) and per the obligations of Controller laid out in Article 28 of the GDPR; and
B. Retain the ability to Process Personal Data per the instructions of Branded and not for the intent of your own business or commercial purposes; complying with the Applicable Laws and obligations of a Processor as laid out in Article 28 of the GDPR.


Applicable to: Data Provider, Data Recipient


8. Consent for Personal Data

You validate that as an operator of a digital property, from which Branded collects Personal Data, you have implemented methods for obtaining appropriate consent for such collection of Personal Data for all intents and purposes specific to those which Branded has laid out in the Addendum and have provided a clear link to an easy-to-use mechanism which would allow the Data Subject the ability to opt out.

Applicable to: Data Provider

You verify that, for the provision to Branded of Personal Data via digital properties operated by third parties, you have legally enforceable obligations in place with the third parties, specifically requesting that they obtain explicit consent, which you will be able to provide in evidence to Branded to satisfy the requirements of Branded’s use of such Personal Data, per the Addendum. Similarly, you will be responsible for furnishing third parties with any relevant information laid out in the Addendum and/or made available by Branded in writing.

Applicable to: Data Provider

You can validate that you have the necessary proof of consent of any Data Subject whose Personal Data you expose to Branded and in all those cases the Data Subjects are provided with a clear mechanism to opt out.

Applicable to: Data Provider

If you are unsure of the technology Branded uses in relation to Personal Data and how Branded will use Personal Data provided by you, please see our privacy statement at https://surveys.gobranded.com/page/branded-surveys-privacy-policy, our terms of service at https://surveys.gobranded.com/page/branded-surveys-terms-of-service or submit a request to Branded for information at compliance@gobranded.com.

Generally, Branded uses Personal Data for purposes related to its measurement of consumer behavior, audiences, and advertising. At minimum, this spans (i) market research, (ii) advertising and modelling, (iii) user experience, analytics and reporting. In such instances, Branded utilizes Personal Data on its own behalf and on behalf of its customers, making the Personal Data subject to the terms of the applicable Addendum.


Applicable to: Data Provider


9. Disclosures & Privacy Policy

If you are an operator of a digital property from which Personal Data is collected and provided to Branded, you will comply by having a privacy notice that is in order with the Applicable Laws. Wherever possible you shall name Branded as a party for and/or by whom Personal Data is collected via the avenue of your digital property.

Applicable to: Data Provider

In the case you uphold a provision to Branded of Personal Data from digital properties, that are operated by third parties, you will contractually request that your relevant contracting parties have a privacy notice that complies with Applicable Laws for each digital property. Likewise, where possible, you shall require that third parties explicitly state Branded as a party for and/or by whom Personal Data is collected via the third party digital property.

Applicable to: Data Provider

You confirm that all parties obtaining Personal Data from Data Subjects, made available to you via Branded, have a privacy notice that discloses the collection, provision and use of the Personal Data shared with Branded. This includes and is not limited to the means of how surrounding data is collected and how protocol for Advertising by Branded is in compliance with Applicable Laws – furnishing the Data Subject with an easy means of opting out (including and where applicable the Data Subject’s ability to opt out of Advertising performed by Branded) through the services provided by Supplier or its data sources.

Applicable to: Data Provider


10. Personal Data Breach

In the instance of a Personal Data Breach, where there may be impact to Personal Data Processed per the Addendum, you will: (i) take all necessary and appropriate corrective measures to resolve any related, underlying causes of the Personal Data Breach; (ii) promptly notify Branded within twenty-four (24) hours and furnish any reasonable detail regarding the nature of the Personal Data Breach along with any related, potential impact to the Personal Data disclosed to Branded; and (iii) assist Branded as necessary to ensure compliance with Applicable Laws.

Correspondingly, Branded will be the final deciding body on whether notifications regarding the nature of the Personal Data Breach will be sent to any Supervisory Authorities, Branded’s Data Subjects, customers, service providers, third party partners, employees, and/or the general public along with any corresponding remediation efforts, so long as Branded operates in the capacity of Controller.


Applicable to: Data Provider, Data Recipient


11. Rights of Data Subjects

You have the means and will take all necessary measures to allow us to remain in compliance with reasonable requests from Data Subjects (in relation to their rights under Articles 12-22 of GDPR) as it pertains to Personal Data Processed, per the Addendum.


Applicable to: Data Provider, Data Recipient


12. Disclosure of Sensitive Personal Data

You will not disclose any sensitive categories of Personal Data, as mentioned in Articles 9 and 10 of GDPR, with Branded unless explicitly agreed to in writing.


Applicable to: Data Provider


13. Audit and Compliance

Per the Addendum, you will comply with any reasonable requests for information from Branded and/or Branded clients as they pertain to your Processing of Personal Data. Per Applicable Laws, you ensure that all affiliated parties are in compliance with their specified obligations and are willing and able to allow Branded and/or Branded clients to perform an audit of your compliance as per this DPA and Applicable Laws.


Applicable to: Data Provider, Data Recipient


14. Complying with Data Protection Impact Assessments

As able, you will aid Branded with any data protection-related impact assessments along with former consultations with Supervisory Authorities or other competent data privacy governing bodies, which Branded considers to be necessary by Article 35 and/or 36 of the GDPR or per similar conduct spelled out in Applicable Laws and as they pertain to the Processing of Personal Data associated with the Addendum.


Applicable to: Data Provider, Data Recipient


15. Precedence of Agreements

You confirm and concur that the terms and conditions of this DPA shall serve as an add on to the existing Agreement. In the case there is any misalignment between the DPA and an Agreement, the order of precedence remains: (1) DPA; and (2) an Agreement.


Applicable to: Data Provider, Data Recipient


16. Modifications to Applicable Laws

Branded may: (i) by a minimum of at least 30 (thirty) calendar days’ written notice to you, make any modifications as a result of any updates in, or per determination of a competent authority under the Applicable Law as it relates to the occurrence of Controller to Controller disclosures of Personal Data without breach of the associated, Applicable Law; and (ii) suggest any other variations to this DPA which Branded deems to be necessary for addressing the requirements of any Applicable Laws.


Applicable to: Data Provider, Data Recipient


Related Definitions:

Applicable Laws consist of any laws, regulations, and instructions stated or enforced upon by any government entity – whether domestic or foreign, which incorporates GDPR, Directive 95/46/EC and Directive 2002/58/EC, European Commission decisions and guidance per unique translation to the appropriate domestic legislation per member state of the European Union or other country. This shall include any laws which enforce or complement the GDPR along with any industry with self-regulatory protocol which is specific to the location or region where the Services are provided or received, in compliance with the Processing of Personal Data or the interference along with the recording or oversight of communications.

GDPR is in reference to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it relates to the guarding of natural persons per the expectations outlined in the Processing of Personal Data along with the fluid movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

Advertising consists of (i) obtaining data via digital avenues or other sources with the intent of profiling and providing advertising based on the identified or inferred preferences of the data subject and (ii) obtaining data about a data subject’s preferences on or in one digital property or source with the intent of profiling and providing advertising based on that data on an alternate digital property;

The terms “Personal Data”, “Personal Data Breach”, “Data Subject”, “Controller”, “Processor”, “Processing”, and “Supervisory Authorities” retain the same meaning as specified in the GDPR, and their associated terms shall be specified as such:

  • Data Subject pertains to a natural person who may be identified directly or indirectly via a unique identifier such as a name, location data, an identification ID or number, an online identifier or to one or more factors which may relay the physical, genetic, mental, physiological, cultural, social or economic standing of that individual;
  • Processor pertains to a natural or legal person, agency, public authority, or other entity which processes Personal Data on behalf of the Controller;
  • Controller pertains to a natural or legal person, agency, public authority, or other entity which, alone or in collaboration with others, identifies the purposes and means of the processing of Personal Data;
  • Personal Data constitutes any information pertaining to an identified or potentially identifiable data subject, including and not limited to the aforementioned information under “Data Subject” above;
  • Personal Data Breach is a breach in security which may result in a potential or unlawful loss, modification, eradication or unauthorized disclosure of, or access to, relayed, stored or processed Personal Data;
  • Process(ing) refers to the operations performed on the Personal Data, whether executed in an automated fashion or otherwise, including and not limited to the collection, structuring, storing, altering, retrieving, accessing, using, releasing by transmittal, propagation, constraining, erasing or destroying of data; and
  • Supervisory Authorities refers to independent public authorities which were created by a member state of the European Union pursuant to GDPR Article 51.

Data Provider Acceptance

As a Data Provider or Data Recipient, you consent that this DPA has taken effect immediately upon submission and serves as a written amendment to the Agreement noted in the table above: