Data Protection and Information Security Agreement

This Global Data Protection and Information Security Agreement ("DPA") is made part of an agreement with ViacomCBS Inc. and/or one or more of its Affiliates (such party(ies), as applicable, "ViacomCBS") which involves the Processing of Personal Data by Vendor and which makes reference to this DPA or the URL at which this DPA is located (the "Agreement"). This DPA does not limit other obligations of Vendor, including, without limitation, any obligations under the Agreement or laws that apply to Vendor or to Vendor’s performance under the Agreement. In the event of a conflict between the DPA, the Agreement or any applicable security requirements, the requirement that is most restrictive and protective of ViacomCBS, as determined by ViacomCBS in its sole discretion, shall apply unless otherwise expressly agreed upon in writing by ViacomCBS.

  1. Definitions. Capitalized terms defined below shall have the meanings set forth herein, whether or not such terms are otherwise defined in the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement.
    • "Affiliate" means, with respect to Vendor, an entity, directly or indirectly, controlling, controlled by, or under direct or indirect common control with Vendor, either now or in the future and with respect to ViacomCBS, an entity, directly or indirectly, controlled by ViacomCBS Inc., either now or in the future. For the purposes of an Affiliate, "control" means ownership of fifty percent (50%) or more of the outstanding shares having voting rights, or management or operational control by agreement or otherwise.
    • "Argentinian Model Clauses" mean the model contract for the international transfer of "personal data" (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016 A.
    • "Argentinian Personal Data" means Personal Data originating from or Processed in Argentina or otherwise subject to Argentinian Data Protection Laws.
    • "Data Protection Laws" mean any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self-regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communications, data protection, or Security Incident management and/or notification including without limitation the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act 2018; the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., ("CCPA"); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 ("LGPD").
    • "Data Subject" means, as applicable, (i) any identified or identifiable individual, (ii) the meaning as set forth in Data Protection Laws, and (iii) such similar terms as defined in any Data Protection Laws, including the term "Consumer" as used in the CCPA.
    • "Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws, including without limitation the right of access, right to rectification, right to restrict Processing, right to erasure ("right to be forgotten"), right to data portability, or right to object to the Processing.
    • "European Model Clauses" mean the "standard contractual clauses for the transfer of personal data to processors established in third countries" as set out in European Commission Decision 2010/87/EU, and any amendments or successors to the same, populated with the information set out in the Agreement.
    • "Governmental Entity" means any federal, state, provincial, municipal, local or foreign government, governmental authority, regulatory or administrative agency, governmental commission, department, board, bureau, agency, instrumentality, court or tribunal.
    • "Personal Data" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to, a particular Data Subject, computing device, or household, and shall include, but is not limited to, all "personal data," "personal information," or similar terms, as defined in any Data Protection Laws.
    • "Process" or "Processing" means any operation or set of operations that is performed on ViacomCBS Data, whether or not by automated means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification, and including all "processing" as defined in any Data Protection Laws.
    • "Sale of Data" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data by a business to another business or a third party for monetary or other valuable consideration.
    • "Security Incident" means: (i) the unauthorized, unlawful or accidental acquisition, use, disclosure, destruction, alteration, deletion, modification, grant of access to, corruption, transfer, sale, rental, or other Processing of any portion of such ViacomCBS Data; (ii) any act or omission that compromises the privacy, security, confidentiality, availability or integrity of such ViacomCBS Data or any safeguards put in place to protect the same; (iii) any failure by Vendor to adhere to this DPA; (iv) any other event involving Personal Data that triggers notification or similar requirements under Data Protection Laws; or (v) any attempt to cause any of the events described in clauses (i)-(iv).
    • "Subcontractor" means another data processor (as defined by Data Protection Laws) engaged by Vendor for carrying out Processing activities in respect of the ViacomCBS Data on behalf of ViacomCBS.
    • "Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
    • "ViacomCBS Data" means any and all data or information, in any form, format or media, provided or otherwise accessed by or made available to Vendor or any of its employees, agents or contractors or by any other party in connection with or incidental to the Agreement, as well as all data and works obtained, developed or produced by Vendor in connection with the Agreement including derivatives, aggregations or analysis of any of the foregoing.
    • "ViacomCBS Information Security Requirements" means ViacomCBS global information security policies applicable to Vendor as set forth in Section 4 below, as may be supplemented or amended in the Agreement.
    • "ViacomCBS Personal Data" means ViacomCBS Data that constitute Personal Data.
  2. Roles of the Parties
    • As part of the Services described in the Agreement, Vendor may Process ViacomCBS Data.
    • The Parties acknowledge and agree that with regard to the Processing of ViacomCBS Personal Data of Data Subjects located in the EU, UK and Switzerland, Viacom International Media Networks UK Limited shall be the Controller and Vendor shall be the Processor of Personal Data Processed by Vendor under the Agreement.
    • For purposes of the California Consumer Privacy Act ("CCPA"), ViacomCBS shall be considered a "business" and Vendor shall be a "service provider" (as defined under the CCPA).
    • The subject matter of the Processing undertaken by Vendor is in the provision of the Services and the Processing will be carried out for the duration of the Agreement. The Services, categories of Data Subjects, categories of Personal Data, and any specific instructions are set forth in the Agreement.
    • Except as expressly provided in the Agreement, Vendor acknowledges that, as between Vendor and ViacomCBS, ViacomCBS owns all right, title and interest in the ViacomCBS Data.
  3. Obligations of Vendor with respect to Personal Data
    • When Vendor or a Subcontractor Processes Personal Data under the Agreement for or on behalf of ViacomCBS, Vendor represents, warrants, and covenants both for itself and on behalf of each such Subcontractor, that it shall:
      • comply with all Data Protection Laws when Processing Personal Data, and shall not intentionally take any actions or fail to take any actions that would cause Vendor, a Subcontractor, or ViacomCBS to be in violation of Data Protection Laws;
      • Process ViacomCBS Personal Data solely for the purpose of performing its obligations under the Agreement and in accordance with ViacomCBS’s documented instructions and not for any other purpose (including the Sale of Data), unless required to do so by applicable law to which Vendor is subject, in which case Vendor shall inform ViacomCBS of that legal requirement before commencing Processing;
      • immediately inform ViacomCBS if, in Vendor’s opinion, ViacomCBS’s instructions would be in breach of Data Protection Laws;
      • act only as a "processor," "subprocessor," "service provider," or "operator," or in an equivalent role as defined by Data Protection Laws, and not as a "controller" or equivalent role;
      • not disclose any Personal Data to any third party (including any Governmental Entity), for any reason, whatsoever, without ViacomCBS’s prior express written consent, unless such disclosure is: (1) to a Subcontractor, as necessary for the performance of the Services as required by the Agreement for the benefit of ViacomCBS and its Affiliates; or (2) required by Data Protection Laws, in which case Vendor shall, unless prohibited by such Data Protection Laws, promptly notify ViacomCBS after receiving a request for disclosure and prior to complying with any such request. In such instances where disclosure of Personal Data is required by Data Protection Laws, Vendor shall notify ViacomCBS in advance of any such disclosure, and at ViacomCBS’s request, cooperate fully in resisting the disclosure request to the full extent permitted by Data Protection Laws, and in any event shall disclose the minimum Personal Data necessary to comply with Data Protection Laws;
      • notify ViacomCBS without undue delay (and in any event within 24 hours) of (i) any request for information from, or complaint by, a Supervisory Authority in relation to ViacomCBS Personal Data that Vendor Processes for the purpose of performing its obligations under the Agreement; and (ii) any Data Subject Request in relation to ViacomCBS Personal Data. Vendor shall provide to ViacomCBS, in writing, all details surrounding such Data Subject Request, in a commonly used, structured, electronic and machine-readable format, if required. Vendor shall not respond to any Data Subject Request without ViacomCBS’s express written consent. Further, Vendor shall fully cooperate as requested by ViacomCBS to enable ViacomCBS to comply with any Data Subject Request. Vendor shall implement appropriate technical and organizational measures to enable it to comply with this paragraph;
      • provide full and prompt cooperation and assistance in relation to any data protection impact assessment or regulatory consultation that ViacomCBS is legally required to make in respect of Personal Data;
      • not attempt to re-identify any non-identifying information provided to or obtained by Vendor as a result of or in connection with the Services at any time, whether during or after the term of the Agreement and not aggregate ViacomCBS Personal Data, even if anonymized or pseudonymized, except as expressly authorized under the Agreement;
      • maintain records of its Processing activities under the Agreement, which will include, without limitation, the name or title of Vendor personnel who access Personal Data, the categories of Personal Data Processed on behalf of ViacomCBS, a description of any international data transfers conducted on behalf of ViacomCBS (including a list of any countries to which Personal Data has been transferred), a description of the technical and organizational measures used to safeguard Personal Data, and any other information required by Data Protection Laws or as may be requested by ViacomCBS; and
      • limit any disclosure of Personal Data to those of its personnel and Subcontractors who have a need to know the information to effect the use permitted herein, and keep a record of such disclosures.
  4. ViacomCBS Global Information Security Requirements
    • General Security Requirement. Vendor shall maintain physical, administrative, and technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Cloud Security Alliance, or other similar industry standards for information security) to protect the confidentiality, integrity, and availability of ViacomCBS Data and systems. Vendor shall maintain industry-leading standards in evolving technical controls to ensure the protection of ViacomCBS Data, including, without limitation, firewalls, encryption technologies, anti-virus software, access and authentication, security monitoring, and security alerting systems.
    • Specific Safeguard Requirements. Vendor shall maintain an information security program (the "Information and Security Program"), which will include, at a minimum, the following safeguards and controls:
      • Documented information security program and policies. Vendor shall implement and document a formal Information and Security Program including appropriate policies, standards, procedures, and risk assessments that are reviewed, and approved by Vendor, at least annually. The program will apply to Vendor’s employees, agents, subcontractors, and suppliers. Vendor will maintain a process to monitor and enforce Information and Security Program compliance and log Information and Security Program violations. The documented Information and Security Program shall include comprehensive information security policies approved by Vendor, a current copy or summary of which will be made available to ViacomCBS upon request.
      • Security awareness training. Vendor shall provide periodic security training to its personnel and personnel of its Subcontractors on relevant threats and business requirements such as, but not limited to, social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
      • Physically limit access. Vendor shall enforce physical security to limit access to systems and facilities to only authorized individuals.
      • Access controls. Vendor shall restrict access to ViacomCBS Data and systems to only those personnel with a need-to-know for an authorized purpose. Vendor shall ensure the use of secure user authentication protocols, including the use of individual user IDs and adequate password security, with policies to block access to inactive users or in the event multiple unsuccessful attempts have been made to access a system or account.
      • Remote access; multi-factor authentication required. Vendor will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to (i) any network, system, application, or other asset containing ViacomCBS Data; or (ii) Vendor’s corporate or development networks.
      • Account and password management. Vendor shall implement account and password management policies to protect ViacomCBS Data and systems, including changing default and manufacturer-supplied passwords before deploying new hardware, software, or other assets, requiring periodic password changes, requiring complex passwords, and storing passwords in an industry-accepted form that is resistant to offline attacks.
      • Secure configurations. Vendor shall manage security configurations of its systems using industry best practices to protect ViacomCBS Data and systems from exploitation through vulnerable services and settings.
      • Controlled use of administrative privileges. Vendor shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.
      • Encryption. Vendor shall enforce strong protection for ViacomCBS Data, including TLS 1.2+ or equivalent, and AES-128 bit encryption for all data at rest and in transit, with logged access.
      • Vulnerability and patch management. Vendor shall maintain a process to timely identify and promptly remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of ViacomCBS Data and systems.
      • Maintenance, monitoring, and analysis of audit logs. Vendor will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect ViacomCBS Data. Logs will be kept and maintained for at least 18 months, at all times in compliance with Data Protection Laws.
      • Malware defences. Vendor shall deploy anti-malware software to, and configure, all workstations and servers on Vendor’s network to control and detect the installation, spread, and execution of malicious code.
      • Firewalls. Vendor shall maintain and configure firewalls to protect systems containing ViacomCBS Data from unauthorized access. Vendor will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
      • Security testing. Vendor shall conduct periodic internal and external penetration testing of systems that process ViacomCBS Data to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Vendor’s vulnerability management program.
      • Business Continuity. Vendor shall maintain a business continuity plan that includes requiring, at a minimum, offsite backups of systems processing ViacomCBS Data, version control system software to protect against loss of work product, and provisioning of adequate back-up facilities for any site that processes ViacomCBS Data.
      • Third-party risk management. Vendor shall implement and maintain a third-party risk management program, including the execution of periodic risk assessments to evaluate the security posture of Vendor’s third parties and suppliers with access to Vendor’s Data and systems.
    • Compliance. Vendor shall make available to ViacomCBS all information necessary to demonstrate compliance with its Information and Security Program, the ViacomCBS Information Security Requirements, this DPA, the Agreement and Data Protection Laws, including (i) completing privacy and data security questionnaires upon ViacomCBS request, (ii) allowing for and facilitating audits and inspections of Vendor and Subcontractor facilities conducted by ViacomCBS or ViacomCBS’s authorized representatives; (iii) permitting ViacomCBS to regularly test Vendor’s compliance with the ViacomCBS Information Security Requirements; and (iv) providing ViacomCBS with accurate books and records (including, without limitation, all policies, procedures, papers, correspondence, data, information, reports, records, receipts, files, and other sources of information) consistent with generally accepted practices regarding Vendor’s performance under this DPA and the Agreement. Vendor shall, at its own cost, make any changes reasonably requested by ViacomCBS to correct any compliance failures discovered during such audits, inspections, or tests.
    • Risk Assessment. Vendor agrees to participate in an annual risk assessment conducted by ViacomCBS or its designee and to provide to ViacomCBS (or its designee) any supporting documentation required during the risk assessment process, such as but not limited to, information security policies, standards, procedures, and if available, SOC2-Type1/Type2 reports, ISO27001/27002. Vendor shall also remediate any findings or deficiencies identified during ViacomCBS’ risk assessments within a reasonable timeframe.
    • Software Security. If software is provided as a deliverable or as part of the service provided under the Agreement, Vendor shall have its software reviewed for security vulnerabilities by an independent third party that specializes in application security and provide ViacomCBS the results of such review or, if Vendor has not performed such review, Vendor hereby consents to allow ViacomCBS to commission such review by a third party at ViacomCBS’s cost. Vendor shall reasonably cooperate with such review. Vendor shall promptly remediate security vulnerabilities identified and shall repeat the review for updates or new versions.
    • Background Checks. ViacomCBS may require that Vendor representatives be subject to a lawful background check. Vendor shall cooperate with ViacomCBS in connection with obtaining any necessary written consents in connection with any such background checks.
    • PCI DSS requirements. If, in the course of its Processing ViacomCBS Data, Vendor has access to or will Process credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements (in addition to other Security Requirements), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.
  5. Security Incidents
    • Detection and Response. Vendor will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to ViacomCBS Data in a timely manner.
    • Notice of Security Incident. If Vendor becomes aware of a Security Incident, or information that should reasonably lead Vendor to suspect a Security Incident has occurred, Vendor shall notify ViacomCBS without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible: (a) the segment and quantity of ViacomCBS Data affected (including whether ViacomCBS Personal Data was affected), (b) the nature of the intrusion (if applicable), (c) any indication of likely unauthorized use of ViacomCBS Data, and the corrective action taken or to be taken by Vendor, and, (d) all other available details required under applicable laws, including Data Protection Laws, for ViacomCBS to comply with its own investigation and notification obligations to regulatory authorities or individuals affected by the Security Incident.
    • Remediation Efforts. Following any Security Incident, Vendor shall consult in good faith with ViacomCBS regarding remediation efforts that may be necessary and reasonable ("Remediation Efforts"). Vendor shall (i) undertake any Remediation Efforts requested by ViacomCBS or any government agency with jurisdiction over Vendor, in either case at Vendor’s sole expense, (ii) ensure and provide assurance (including written evidence) to ViacomCBS that reasonable measures were and are being taken to prevent recurrence of the same or similar type of Security Incident, and (iii) reasonably cooperate with any Remediation Efforts undertaken by ViacomCBS. Unless prohibited by law, ViacomCBS has the right to control the breach notification process, and Vendor shall not notify any affected individuals nor any government entity about the Security Incident without written authorization from ViacomCBS.
    • Reimbursement. Without limiting ViacomCBS’s other rights, Vendor shall reimburse ViacomCBS for all costs and expenses of Remediation Efforts and regulatory fines incurred by ViacomCBS as a result of any Security Incident related to ViacomCBS Data while under the control or possession of Vendor.
    • Cooperation. Vendor shall provide all assistance to ViacomCBS as is reasonably necessary for ViacomCBS to meet its obligations under Data Protection Laws.
  6. Subcontractors.
    • Vendor shall not disclose, enable Processing of, or otherwise make accessible any ViacomCBS Data to any Subcontractor without the prior written consent of ViacomCBS for each Subcontractor and for each location at which such Subcontractor will provide Services on behalf of Vendor. Notwithstanding anything to the contrary herein: (i) Vendor shall be responsible for all acts and omissions of any Subcontractor; and (ii) Vendor shall require each of its Subcontractors, as a condition of performing work under the Agreement, to enter into a written agreement with the Vendor that contains obligations of confidentiality, security, and privacy at least as strict as those contained in this DPA and the Agreement.
    • Vendor shall ensure that each Subcontractor that Processes or otherwise accesses ViacomCBS Data (i) is competent to perform the Services subcontracted to it in conformance with the standards of this DPA and the Agreement and (ii) has adopted and adequately implemented comprehensive written protocols to carry out the obligations of confidentiality, security, and privacy required by this DPA and the Agreement. Vendor further agrees that it shall closely monitor all work by each Subcontractor for compliance with this DPA and the Agreement and prevent Subcontractors from further assigning or subcontracting any part of their work without the prior express written consent of ViacomCBS.
    • Vendor shall ensure that all Vendor or Subcontractor personnel engaged in Processing of ViacomCBS Data (i) are duly authorized to Process ViacomCBS Data only as set forth in this DPA and the Agreement and (ii) have committed themselves to maintaining the confidentiality of ViacomCBS Data or are under an appropriate legal obligation of confidentiality.
    • Vendor shall ensure all Subcontractors that are Processing ViacomCBS Data comply with all terms of this DPA and the Agreement and shall be liable for any breach by Subcontractor of the terms of this DPA and the Agreement.
  7. International Data Transfer

    The parties acknowledge that the provision of the services under the Agreement may require the transfer or Processing of Personal Data within and across national boundaries ("International Data Transfers"). Vendor represents, warrants, and covenants that it has complied and will comply (and has contractually obligated each of its Subcontractors to comply) with all Data Protection Laws applicable to such International Data Transfers. Notwithstanding the generality of the foregoing, the parties agree to the following with respect to International Data Transfers:

    • In the event that the provision of the Services involves the transfer of Personal Data from the UK, Switzerland or EEA to outside the UK, Switzerland or EEA (either directly or via onward transfer) to any country or recipient which has not been recognized by the European Commission as offering an adequate level of protection for Personal Data transferred to it from the EEA, Vendor and ViacomCBS agree to comply with the European Model Clauses, which shall be deemed incorporated into and form part of this DPA. For the purposes of the European Model Clauses, ViacomCBS will be regarded as the Data Exporter and Vendor will be regarded as the Data Importer. The description and details of transfers, for the purposes of the European Model Clauses, is set forth in the applicable exhibit or annex to the Agreement relating to such transfers.
    • In the event that the provision of the services involves the transfer of Personal Data from Argentina to outside of Argentina (either directly or via onward transfer), Vendor and ViacomCBS agree to comply with the Argentinian Model Clauses. The description and details of transfers, for the purposes of the Argentinian Model Clauses, is set forth in the Agreement relating to such transfers.
    • Vendor represents and warrants that neither Vendor nor, to Vendor’s knowledge, any of its Subcontractors, have received a request from any Governmental Entity for access to European Personal Data Processed by such Vendor or Subcontractor in connection with the services or substantially similar services for other clients. Vendor covenants to immediately notify ViacomCBS in the event that, in Vendor’s opinion: (i) any International Data Transfers performed under this Agreement would be in breach of the European Model Clauses, Argentinian Model Clauses, or applicable Data Protection Laws governing such International Data Transfers or (ii) Vendor is unable to provide an adequate level of protection for ViacomCBS Personal Data under applicable Data Protection Laws (each an "Inadequacy Notice"). Upon receipt of an Inadequacy Notice from Vendor, ViacomCBS shall be entitled to terminate the Agreement with no further expenses, costs, or liabilities.
    • In the event that any additional Data Protection Laws become effective during the Agreement which impose restrictions on the cross-border transfer of Personal Data that are not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.
  8. Deletion of ViacomCBS Data; Preservation.
    • Without limiting any obligation in the Agreement, and subject to Vendor’s retention obligations under applicable laws, rules and regulations, including Data Protection Laws, Vendor shall, and shall cause its Subcontractors to, immediately, securely destroy (by making unreadable, un-reconstructable, and indecipherable) any or all ViacomCBS Data (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following: (a) termination or expiration of the Agreement or any applicable statement of work, work order or similar transaction document for any reason; or (b) cessation of Vendor’s need to retain such ViacomCBS Data to perform the Services. Vendor shall certify in writing that such destruction has been completed. If ViacomCBS requests return or transfer of all or a portion of such ViacomCBS Data prior to the destruction described above, Vendor shall promptly return to ViacomCBS, at no cost to ViacomCBS, all such ViacomCBS Data, through a secure method designated by ViacomCBS, or shall promptly transfer such ViacomCBS Data to ViacomCBS’s designee, in accordance with the instructions of, and using the secure method prescribed by, ViacomCBS, following ViacomCBS’s written demand therefor. In either event, Vendor shall promptly provide ViacomCBS with a certification by an officer of Vendor that all ViacomCBS Data has been removed from Vendor’s and any Subcontractor’s possession and/or control. If Vendor is required to retain ViacomCBS Data pursuant to applicable laws, rules and regulations, including Data Protection Laws, Vendor shall so inform ViacomCBS of such requirement.
    • If ViacomCBS notifies Vendor in writing that particular ViacomCBS Data may be ViacomCBS attorney-client communication or attorney work-product, then Vendor shall (a) not take any action that would result in waiver of such privilege or work product immunity through the acts or omissions of Vendor or its Subcontractors, (b) if required by ViacomCBS, immediately terminate the ability of any users of the applicable software or services to share such ViacomCBS Data with third parties and (c) instruct all Vendor personnel who may have access to such ViacomCBS Data to maintain such ViacomCBS Data as strictly confidential.
    • If Vendor is required by law or by interrogatories, written requests for information or documents by a Governmental Entity, subpoena, civil investigative demand or similar legal process to disclose any ViacomCBS Data that may be within a Vendor’s attorney-client or work-product privileges, then Vendor must provide (unless prohibited by applicable law) ViacomCBS with prompt, written notice of such request or requirement so that ViacomCBS may at its own expense seek an appropriate protective order or the continued confidential treatment of the requested information or documents.
    • Vendor shall comply with ViacomCBS requirements regarding the preservation and production of ViacomCBS Data held by Vendor that is relevant for legal and regulatory proceedings or investigations.
    • To the extent that Vendor is required to retain ViacomCBS Data, this DPA and the Agreement will continue to apply in their entirety to such ViacomCBS Data and Vendor’s Processing thereof.
  9. Indemnification. As an additional indemnification obligation under the applicable provision of the Agreement, Vendor will defend, indemnify and hold ViacomCBS, its Affiliates, and their respective officers, directors, employees and agents, harmless from and against any and all claims, suits, causes of action, liability, loss, costs and damages, including reasonable attorney fees, arising out of or relating to any third-party claim arising from (i) failure by Vendor, its employees or Subcontractors to comply with any of its obligations contained in this DPA; (ii) Vendor’s performance, purported performance or non-performance of its obligations contained in this DPA; and (iii) any security incident, except in each case to the extent resulting from the acts or omissions of ViacomCBS. Notwithstanding any terms of the Agreement to the contrary, any limitation of liability with respect to indemnification set forth in the Agreement shall not apply to the indemnification obligations set forth above.
  10. Survival. Vendor’s data protection obligations in the Agreement, including its obligations under this DPA, shall continue for so long as Vendor, or any of Vendor’s Subcontractors, continues to Process ViacomCBS Data on behalf of ViacomCBS, even if the Agreement has expired or been terminated.