This Disqus Data Processing Agreement (“DPA”), that includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Disqus Terms of Service (the “Agreement”). This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement (sign-up). Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.
We understand that some publishers may prefer to have a signed DPA for their records. Publishers can download a pre-signed version of the Disqus Publisher DPA via the link below. For any questions, please contact us at firstname.lastname@example.org.
DATA PROCESSING AGREEMENT
EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”)
Addendum to the Disqus Publisher Terms and Conditions
This GDPR Addendum to the Disqus Publisher Service Agreement (the “GDPR Addendum”) set forth on the signature line below (the “Publisher”) and forms part of the Disqus Publisher Terms and Conditions previously entered into by the parties hereto.
WHEREAS, Disqus provides Publisher with the Disqus commenting application service (the “Disqus Comments”) through which Disqus collects certain personal data from website users visiting the Publisher’s websites where the Disqus Comments are loaded, and Disqus further provides Publisher with the ability to access the comments left by users on their website as well as some of the personal data associated with such comments;
WHEREAS, the European Union (“EU”) General Data Protection Regulation will impose additional compliance obligations upon Disqus and Publisher, including in relation to the collection and processing of personal data from persons located in the EU.
NOW THEREFORE, pursuant to the requirements of the GDPR, Disqus and Publisher hereby enter into this Data Processing Agreement ("DPA").
1.1 For the purposes of this DPA:
(a) “EEA” means the member states of the European Union and Iceland, Liechtenstein, Norway and the United Kingdom.
(b) “EU Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) repealing Directive 95/46/EC, as amended, replaced or superseded, and any EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and any EU Member State laws implementing the e-Privacy Directive.
(c) "Controller" shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
(d) "Processor" shall mean an entity which processes Personal Data on behalf of the Controller;
(e) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifier.
2. Applicability of DPA.
2.1 Applicability. This DPA will apply only to the extent that Publisher processes Personal Data from the EEA on behalf of Disqus.
3. Roles and responsibilities.
3.1 Parties' Roles. Disqus, as Controller, appoints Publisher as a Processor to process the Personal Data described in EXHIBIT A on Disqus's behalf.
3.2 Purpose Limitation. Publisher shall process the Personal Data for the purposes described in EXHIBIT A and only in accordance with the lawful, documented instructions of Disqus, except where otherwise required by applicable law. The Agreement and this DPA set out Disqus's complete instructions to Publisher in relation to the processing of the Personal Data and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
3.3 Compliance: Disqus, as Controller, shall be responsible for ensuring that:
(a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation (except as otherwise required by applicable law); and
(b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Publisher for processing in accordance with the terms of the Agreement and this DPA.
4.1 Security. Publisher shall implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (each a "Security Incident").
4.2 Confidentiality of processing. Publisher shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
4.3 Security Incidents. Upon becoming aware of a Security Incident, Publisher shall notify Disqus without undue delay and shall provide such timely information as Disqus may reasonably require, including to enable Disqus to fulfil any data breach reporting obligations under EU Data Protection Legislation. Publisher shall promptly take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident on the Personal Data under this Agreement.
5.1 Sub-processors. Disqus agrees that Publisher may engage Publisher affiliates and third party sub-processors (collectively, "Sub-processors") to process the Personal Data on Publisher's behalf. Sub-processors currently engaged by Publisher will be authorized by Disqus prior to execution hereof. Publisher shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor.
5.2 Changes to Sub-processors. Publisher may, by giving reasonable notice to Disqus, add or make changes to the Sub-processors. If Disqus objects to the appointment of an additional Sub-processor within five (5) business days of such notice on reasonable grounds relating to the protection of the Personal Data, then Publisher will not appoint the Sub-processor and will work in good faith with Disqus to find an alternative solution.
6.1 International Transfers: To the extent that Publisher processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, an adequate level of protection shall be put in place by the parties through any of the recognized methods in EU Data Protection Legislation. Disqus authorizes any transfers of Personal Data to, or access to Personal Data from, such destinations outside the EEA subject to such adequacy measures having been taken.
6.3 Disclosure to authorities: Disqus acknowledges that Publisher may disclose the privacy provisions in this DPA and the Agreement to the US Department of Commerce, the Federal Trade Commission, a European data protection authority, or any other US or EU judicial or regulatory body upon their lawful request.
7.1 Cooperation and data subjects' rights. Publisher shall, taking into account the nature of the processing, provide reasonable assistance to Disqus insofar as this is possible, to enable Disqus to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation. In the event that such request is made directly to Publisher, Publisher shall promptly inform Disqus of the same.
7.2 Data Protection Impact Assessments: Publisher shall, to the extent required by EU Data Protection Legislation, provide Disqus with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Disqus is required to carry out under EU Data Protection Legislation.
8. Security reports and audits.
8.1 Publisher shall provide, upon Disqus's request, copies of any relevant summaries of external security certifications or security audit reports necessary to verify Publisher's compliance with this DPA.
8.2 While it is the parties' intention ordinarily to rely on the provision of the documentation at 8.1 above to verify Publisher's compliance with this DPA, Publisher shall permit Disqus (or its appointed third party auditors) to carry out an audit of Publisher's processing of Personal Data under the Agreement following a Security Incident suffered by Publisher, or upon the instruction of a data protection authority. Disqus must give Publisher reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Publisher's operations. Any such audit shall be subject to Publisher's security and confidentiality terms and guidelines.
9. Deletion / return of data
9.1 Deletion or return of data: Upon termination or expiry of the Agreement, Publisher shall, at Disqus's election, delete or return to Disqus the Personal Data (including copies) in Publisher's possession, save to the extent that Publisher is required by any applicable law to retain some or all of the Personal Data.
10.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
10.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
Acknowledged and Agreed to:
DETAILS OF THE PROCESSING
Description of Disqus:
Disqus, Inc. is the legal entity that has executed the Agreement with Publisher for the provision of Disqus' commenting application services on Publisher’s website.
Nature of Services provided by Publisher:
Disqus provides a commenting application service (“Disqus Comments”) to Publisher. Disqus collects personal data from users commenting in the Disqus Comments on Publisher’s website. Disqus provides Publisher with access to the comments so that Publisher may act as moderator on its website. The comments may include personal data such as email address, username, IP address or other online identifier, which Publisher may process solely for the purpose of moderating Publisher’s site(s).
Type(s) of Personal Data processed:
Email address, username, IP address or other online identifier, which Publisher may process solely for the purpose of moderating Publisher’s site(s).
Special categories of data (if applicable):
Disqus does not intentionally collect, and Publisher does intentionally process or transfer any sensitive personal data in relation to these data subjects.
Categories of Data Subjects:
The personal data processed concern individuals who access the Publisher’s website on which the Disqus Comments are loaded.
Nature of Processing Operations:
The personal data will be subject to the following basic processing activities:
Publisher will process the personal data solely for the purpose of moderating the comments on their