Data Processing Addendum
This Data Processing Addendum (the “Addendum”) is incorporated into, and is subject to the terms and conditions of, the Dolby.io™ Terms of Service (the “Terms”) entered into by the entities identified as “Dolby” and “Customer” (collectively referred to as the “Parties”) in those Terms. This Addendum sets forth the terms and conditions relating to the Processing of Personal Data by Dolby on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms.
(B) “Instructions” means this Addendum, the Terms and any further written agreement entered into by the Parties through which Customer instructs Dolby to perform specific Processing of Personal Data.
(C) “Personal Data” means any information that relates to an identified or identifiable individual, or is otherwise subject to Data Protection Law, that Customer discloses or provides to Dolby in connection with the use of Dolby’s services pursuant to the Terms and that Dolby Processes on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms. Any data that is in aggregated, de-identified or anonymized form will not constitute Personal Data.
(D) “Sub-Processor” means an entity engaged by Dolby to Process Personal Data on behalf and under the authority of the Data Controller.
(E)“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, “Process”, “Processed”, and “Processing” shall have the meaning ascribed to them in the GDPR.
(F) “Business”, “Sell” and “Service Provider” shall have the meanings ascribed to them in the CCPA.
(A) The Parties acknowledge and agree that Customer is acting as a Data Controller and Business with respect to the Processing of Personal Data Processed under this Addendum, and Dolby is acting as a Data Processor and Service Provider on behalf and under the Instructions of Customer. Dolby understands and agrees that it will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data for any purpose other than the performance of the services and otherwise for fulfillment of its obligations under the Terms, or as required or permitted by applicable law.
(B) Customer represents and warrants that: (1) all Personal Data has been obtained by Customer and disclosed to Dolby in compliance with applicable law; (2) Customer has all rights and permissions and a lawful basis to use and disclose Personal Data for the purposes contemplated by the Terms; and (3) all Instructions to Customer concerning the Processing of Personal Data will comply with applicable law.
(C) The Parties acknowledge and agree that Dolby may aggregate, de-identify and/or anonymize Personal Data as part of the services for analytics purposes and improving Dolby’s products and services.
Dolby agrees to:
(A) Process Personal Data in accordance with the Customer’s Instructions, as set forth in the Terms, including this Addendum, unless Dolby is otherwise required by applicable law. To the extent permitted by applicable law, Dolby shall inform Customer in advance if, in Dolby’s opinion, other Processing is required by law or an Instruction infringes applicable law.
(B) Comply with Data Protection Law in its capacity as a Data Processor or Service Provider to Customer.
(C) Ensure that personnel authorized by Dolby to Process Personal Data in the context of the services are subject to a duly enforceable contractual or statutory confidentiality obligation.
(D) Inform Customer promptly of any formal written request made to Dolby from Data Subjects exercising their rights under Data Protection Law. To the extent permitted by applicable law, Dolby shall provide appropriate and reasonable support to Customer in fulfilling Customer’s obligations to respond to such requests from Data Subjects with respect to Dolby’s Processing of their Personal Data.
(E) Taking into account the nature of Processing and information available to Dolby, reasonably assist Customer in complying with its obligations under Data Protection Law, in particular Customer’s obligation to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority or other regulatory agency, provided that such assistance does not violate applicable law or confidentiality or contractual obligations.
Where Dolby transfers Personal Data to a jurisdiction outside the EEA, United Kingdom or Switzerland, Dolby shall transfer the Personal Data in accordance with Data Protection Law. To the extent that the GDPR applies to Personal Data and such data originates from the European Economic Area, then, to the extent required to comply with GDPR, the Parties agree that the use of such Personal Data is subject to the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “Clauses”), with Module 2 applying and with none of the optional clauses applying, except Clause 7 and Option 2 of Clause 9(a) (with the time period for prior notice of Sub-Processor changes as described in Section V(B) below). For purposes of Clause 17 (Option 1), the Clauses will be governed by the law of the Netherlands. For purposes of Clause 18(b), disputes will be resolved before the courts of the Netherlands. For these purposes, Dolby is the “data importer” and Customer is the “data exporter” as defined in the Clauses. The data subjects, categories of data, purposes of processing, and other descriptions of the data transfer, are as set forth in Schedule I hereto, which serves as Annex I of the Clauses. Dolby’s technical and organizational measures for the protection of Personal Data, available in the Customer Dashboard or otherwise upon request, serves as Annex II of the Clauses. Schedule II hereto, which lists the Sub-Processors that Dolby engages to Process Personal Data, serves as Annex III of the Clauses.
(A) Customer shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to a Sub-Processor, unless Customer has authorized Dolby to do so.
(B) Customer hereby authorizes the Sub-Processors listed in Schedule II to Process Personal Data. To the extent required by Data Protection Law, when any new Sub-Processor is engaged, Dolby shall give Customer written notice of the engagement at least 30 days prior to the new Sub-Processor Processing Personal Data. Dolby may provide such notice to Customer by updating the list of Sub-Processors located on its website dolby.io.
(C) Customer may object to the engagement of a new Sub-Processor by terminating the Terms, provided that the grounds for such objection are reasonable and based on compliance with Data Protection Laws and Customer sends written notice of termination to Dolby within 10 days of Dolby providing notice of the new Sub-Processor pursuant to section V(B). Any termination under this section shall be deemed to be without fault by either Party and shall be subject to the terms of the Terms. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Sub-Processor.
(D) Where Dolby engages a Sub-Processor, Dolby shall enter into written agreements with the Sub-Processor that imposes obligations on the Sub-Processor that are substantially similar to those imposed on Dolby under this Addendum.
(A) Dolby shall implement appropriate technical and organizational measures to protect Personal Data in Dolby’s possession, custody or control in accordance with Data Protection Law. A list of Dolby’s technical and organizational measures is available in the Customer Dashboard or otherwise upon request.
(B) Upon termination of the Terms, Dolby shall return to Customer, or at Customer’s request, securely destroy or render unreadable or undecipherable, all Personal Data in Dolby’s possession, custody or control, subject to applicable law. In the event applicable law does not permit Dolby to perform such delivery or destruction of the Personal Data, Dolby warrants that it shall protect the confidentiality of the Personal Data in accordance with this Addendum.
(A) Dolby shall inform Customer without undue delay of any Personal Data Breach of which Dolby becomes aware. Dolby shall promptly investigate such Personal Data Breach and cooperate with Customer in reasonable and lawful efforts to prevent, mitigate or rectify such breach. Dolby shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a Personal Data Breach under Articles 33 and 34 of the GDPR, provided that such cooperation does not violate applicable law or confidentiality or contractual obligations, disclose legal advice or interfere with Dolby’s business operations.
(A) Dolby shall make available to Customer information reasonably necessary to demonstrate Dolby’s compliance with the obligations set forth in this Addendum, provided that such information does not violate applicable law or confidentiality or contractual obligations or contain legal advice.
(B) During the term of the Terms, Dolby will conduct an assessment annually to validate the effectiveness of the technical and organizational security measures implemented by Dolby pursuant to the Addendum. Such assessment will be conducted (i) by a Dolby-appointed qualified third party and (ii) under an appropriate assessment standard or criteria selected by Dolby. Upon Customer’s request, Dolby agrees to provide Customer, on an annual basis and for no additional fee, (i) a report that reasonably summarizes the findings of the most recent assessment conducted pursuant to this section, and (ii) any other documents relevant to the security or compliance of the service that are made generally available by Dolby to customers of its services. Such report and information will be deemed Dolby’s confidential information.
(A) This Addendum shall be governed by the laws of the jurisdiction specified in the Terms.
(B) If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in effect.
(C) All notices to Dolby provided under this Addendum must be in writing and sent to Dolby Laboratories, Inc., 1275 Market Street; San Francisco, CA 94103; Attention: Privacy Legal and/or via email at [email protected].
(D) This Addendum supplements the Terms. In the event of any conflict between the Terms and this Addendum, the provisions of this Addendum shall control.
This Addendum shall be subject to the limitations of liability under the Terms.
Data Exporter: Customer.
Contact details: The contact information for Customer as set forth in Customer’s account profile page.
Data Exporter Role: Controller
Signature and Date: By entering into this Addendum, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Addendum.
Data Importer: Dolby Laboratories, Inc.
Contact details: Dolby Privacy Team, [email protected]
Data Importer Role: Processor
Signature and Date: By entering into the Addendum, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Addendum.
Data Importer: Dolby Australia PTY LTD
Contact details: Dolby Privacy Team, [email protected]
Data Importer Role: Processor
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Customer and End Users of Customer, as defined in the Terms
Name, email address, company name, user ID, cookies, and usage data, which can include IP address, domain names, URL addresses, the time of the request, method utilized to submit the request to the server, size of file, numerical code indicating the status of the server’s answer, country of origin, features of the browser and operating system utilized by the Customer, time details per visit, and path details within the application. Where Customer uses media processing or conference recording services, audio and visual files may include personal information.
In addition, Dolby may process the recording of a call (optional).
Sensitive data transferred and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Dolby does not actively collect sensitive data in the context of the Services (as defined in the Terms). Where Customer or its End Users (as defined in the Terms) choose to include sensitive data within the communications that they transmit while using the Services (such as in a media file or audio/video content), such sensitive data may be processed. Dolby does not store sensitive data unless requested by Customer. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s End Users to transmit or process, any sensitive data via the Services. The safeguards applied for the transfer of sensitive data are set forth in Annex II.
The frequency of the transfer
Nature of the processing:
The nature of Processing depends on what services the Customer has elected. Where applicable, Dolby provides voice and video calling, screen-sharing, speech-to-text transcription for calls, and broadcast video and user interaction services. Dolby also provides Customer with the ability to use code to add messaging, video, and audio chat features into their mobile or web application.
Dolby processes audio and visual files in connection with its media processing services.
Purpose(s) of the data transfer and further processing:
Dolby provides Customer with audio and video messaging, calling, and broadcasting services and/or media processing services. Personal data is transferred to Dolby for the purposes of providing the contracted Services.
In addition, Dolby stores and analyzes personal data for the purposes of customer support; monitoring, maintaining, and improving the functionality of the Platform; security monitoring and audits; disclosures in accordance with the Terms, or as compelled by law (including restricted party screenings).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
See Schedule II. The duration of the processing will be for the duration of the Service Agreement.
COMPETENT SUPERVISORY AUTHORITY
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
SCHEDULE II: LIST OF SUB-PROCESSORS
Amazon – AWS
Data hosting and processing
Google Cloud – Apigee
Microsoft Power BI