Data Processing Addendum
This Data Processing Addendum (the “Addendum”) is incorporated into, and is subject to the terms and conditions of, the Dolby.io™ Terms of Service (the “Terms”) entered into by the entities identified as “Dolby” and “Customer” (collectively referred to as the “Parties”) in those Terms. This Addendum sets forth the terms and conditions relating to the Processing of Personal Data by Dolby on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms.
(B) “Instructions” means this Addendum, the Terms and any further written agreement entered into by the Parties through which Customer instructs Dolby to perform specific Processing of Personal Data.
(C) “Personal Data” means any information that relates to an identified or identifiable individual, or is otherwise subject to Data Protection Law, that Customer discloses or provides to Dolby in connection with the use of Dolby’s services pursuant to the Terms and that Dolby Processes on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms. Any data that is in aggregated, de-identified or anonymized form will not constitute Personal Data.
(D) “Sub-Processor” means an entity engaged by Dolby to Process Personal Data on behalf and under the authority of the Data Controller.
(E) “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, “Process”, “Processed”, and “Processing” shall have the meaning ascribed to them in the GDPR.
(F) “Business”, “Business Purpose”, “Sell”, “Service Provider”, ”Share” shall have the meanings ascribed to them in the CCPA/CPRA.
II. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that Customer is acting as a Data Controller and Business with respect to the Processing of Personal Data Processed under this Addendum, and Dolby is acting as a Data Processor and Service Provider on behalf and under the Instructions of Customer. Dolby understands and agrees that, except as described in Section II(F) below, it will not (1) Sell or Share Personal Data, or (2) retain, use or disclose Personal Data (a) for any purpose other than the Business Purpose(s) of performance of the services specified in the Terms, and otherwise for fulfilment of its obligations under the Terms, or as required or permitted by applicable law, or (b) outside the direct business relationship between Customer and Dolby, or (3) combine Personal Data received pursuant to the Terms with personal data received from or on behalf of another person(s), or collected from Dolby’s interaction with individuals, unless permitted by applicable law.
(B) Customer represents and warrants that: (1) all Personal Data has been obtained by Customer and disclosed to Dolby in compliance with applicable law and for limited and specified purposes; (2) Customer has all rights and permissions and a lawful basis to use and disclose Personal Data for the purposes contemplated by the Terms; and (3) all Instructions to Customer concerning the Processing of Personal Data will comply with applicable law.
(C) The Parties acknowledge and agree that Dolby may aggregate, de-identify and/or anonymize Personal Data as part of the services for analytics purposes and improving Dolby’s products and services.
(E) Customer may take reasonable and appropriate steps to ensure that Dolby uses Personal Data in a manner consistent with Customer’s obligations under the CCPA/CPRA in its capacity as a Service Provider to Customer. Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
(F) To the extent permitted by Data Protection Law, Dolby may retain, use, or disclose Personal Data obtained in the course of providing the Services: (1) to retain and employ another Data Processor/Service Provider as a subcontractor, where the subcontractor meets the requirements for a Data Processor/Service Provider under Data Protection Law; (2) for internal use by Dolby to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source; (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Dolby reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.
III. Obligation of Dolby
Dolby agrees to:
(A) Process Personal Data in accordance with the Customer’s Instructions, as set forth in the Terms, including this Addendum, unless Dolby is otherwise required by applicable law. To the extent permitted by applicable law, Dolby shall inform Customer in advance if, in Dolby’s opinion, other Processing is required by law or an Instruction infringes applicable law.
(B) Comply with applicable obligations under Data Protection Law in its capacity as a Data Processor or Service Provider to Customer.
(C) Dolby shall (1) provide the level of privacy of protection for Personal Data as is required by the CCPA/CPRA; (2) notify Customer if Dolby makes a determination that it can no longer meet its obligations under this Addendum or applicable obligations under the CCPA/CPRA in its capacity as a Service Provider to Customer.
(D) Ensure that personnel authorized by Dolby to Process Personal Data in the context of the services are subject to a duly enforceable contractual or statutory confidentiality obligation.
(E) Inform Customer promptly of any formal written request made to Dolby from Data Subjects exercising their rights under Data Protection Law. To the extent permitted by applicable law, Dolby shall provide appropriate and reasonable support to Customer in fulfilling Customer’s obligations to respond to such requests from Data Subjects with respect to Dolby’s Processing of their Personal Data.
(F) Taking into account the nature of Processing and information available to Dolby, reasonably assist Customer in complying with its obligations under Data Protection Law, in particular Customer’s obligation to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority or other regulatory agency, provided that such assistance does not violate applicable law or confidentiality or contractual obligations.
IV. Data Transfers
Where Dolby transfers Personal Data to a jurisdiction outside the EEA, United Kingdom or Switzerland, Dolby shall transfer the Personal Data in accordance with Data Protection Law.
To the extent that the GDPR applies to Personal Data and such data originates from the European Economic Area, then, to the extent required to comply with GDPR, the Parties agree that the use of such Personal Data is subject to the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “EU Standard Contractual Clauses”), with Module 2 applying and with none of the optional clauses applying, except Clause 7 and Option 2 of Clause 9(a) (with the time period for prior notice of Sub-Processor changes as described in Section V(B) below). For purposes of Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the law of the Netherlands. For purposes of Clause 18(b), disputes will be resolved before the courts of the Netherlands. For these purposes, Dolby is the “data importer” and Customer is the “data exporter” as defined in the EU Standard Contractual Clauses. The data subjects, categories of data, purposes of processing, and other descriptions of the data transfer, are as set forth in Schedule I hereto, which serves as Annex I of the EU Standard Contractual Clauses. Dolby’s technical and organizational measures for the protection of Personal Data, available in the Customer Dashboard or otherwise upon request, serves as Annex II of the EU Standard Contractual Clauses. Schedule II hereto, which lists the Sub-Processors that Dolby engages to Process Personal Data, serves as Annex III of the EU Standard Contractual Clauses. To the extent that the UK GDPR applies to Personal Data and such data originates from the United Kingdom, then, to the extent required to comply with the UK GDPR, the Parties agree that the use of such Personal Data is subject to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under SS119A(1) of the Data Protection Act 2018 (“UK Data Transfer Agreement”). Schedule I hereto includes the parties’ details and contact information for Table 1 of the UK Data Transfer Agreement. The above paragraph of this Section IV includes the information for Table 2 of the UK Data Transfer Agreement. For Table 3 of the UK Data Transfer Agreement: (a) the list of parties is found in the “List of Parties” section of Schedule I hereto; (b) the description of transfer is found in the “Description of Transfer” section of Schedule I hereto; (c) Annex II is available in the Customer Dashboard or otherwise upon request; and Schedule II hereto, which lists the Sub-Processors that Dolby engages to Process Personal Data, serves as Annex III of the UK Data Transfer Agreement. For Table 4 of the UK Data Transfer Agreement, both the importer and exporter may end the UK Data Transfer Agreement in accordance with its terms.
(A) Customer shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to a Sub-Processor, unless Customer has authorized Dolby to do so.
(B) Customer hereby authorizes the Sub-Processors listed in Schedule II to Process Personal Data. To the extent required by Data Protection Law, when any new Sub-Processor is engaged, Dolby shall give Customer written notice of the engagement at least 30 days prior to the new Sub-Processor Processing Personal Data. Dolby may provide such notice to Customer by updating the list of Sub-Processors located on its website dolby.io.
(C) Customer may object to the engagement of a new Sub-Processor by terminating the Terms, provided that the grounds for such objection are reasonable and based on compliance with Data Protection Laws and Customer sends written notice of termination to Dolby within 10 days of Dolby providing notice of the new Sub-Processor pursuant to section V(B). Any termination under this section shall be deemed to be without fault by either Party and shall be subject to the terms of the Terms. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Sub-Processor.
(D) Where Dolby engages a Sub-Processor, Dolby shall enter into written agreements with the Sub-Processor that imposes obligations on the Sub-Processor that are the substantially similar to those imposed on Dolby under this Addendum.
VI. Data Security
(A) Dolby shall implement appropriate technical and organizational measures to protect Personal Data in Dolby’s possession, custody or control in accordance with Data Protection Law. A list of Dolby’s technical and organizational measures is available in the Customer Dashboard or otherwise upon request.
(B) Upon termination of the Terms, Dolby shall return to Customer, or at Customer’s request, securely destroy or render unreadable or undecipherable, all Personal Data in Dolby’s possession, custody or control, subject to applicable law. In the event applicable law does not permit Dolby to perform such delivery or destruction of the Personal Data, Dolby warrants that it shall protect the confidentiality of the Personal Data in accordance with this Addendum.
VII. Data Breach Notification
(A) Dolby shall inform Customer without undue delay of any Personal Data Breach of which Dolby becomes aware. Dolby shall promptly investigate such Personal Data Breach and cooperate with Customer in reasonable and lawful efforts to prevent, mitigate or rectify such breach. Dolby shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a Personal Data Breach under Articles 33 and 34 of the GDPR, provided that such cooperation does not violate applicable law or confidentiality or contractual obligations, disclose legal advice or interfere with Dolby’s business operations.
(A) Dolby shall make available to Customer information reasonably necessary to demonstrate Dolby’s compliance with the obligations set forth in this Addendum, provided that such information does not violate applicable law or confidentiality or contractual obligations or contain legal advice.
(B) During the term of the Terms, Dolby will conduct an assessment annually to validate the effectiveness of the technical and organizational security measures implemented by Dolby pursuant to the Addendum. Such assessment will be conducted (i) by a Dolby-appointed qualified third party and (ii) under an appropriate assessment standard or criteria selected by Dolby. Upon Customer’s request, Dolby agrees to provide Customer, on an annual basis and for no additional fee, (i) a report that reasonably summarizes the findings of the most recent assessment conducted pursuant to this section, and (ii) any other documents relevant to the security or compliance of the service that are made generally available by Dolby to customers of its services. Such report and information will be deemed Dolby’s confidential information.
(A) This Addendum shall be governed by the laws of the jurisdiction specified in the Terms.
(B) If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in effect.
(C) All notices to Dolby provided under this Addendum must be in writing and sent to Dolby Laboratories, Inc., 1275 Market Street; San Francisco, CA 94103; Attention: Privacy Legal and/or via email at [email protected].
(D) This Addendum supplements the Terms. In the event of any conflict between the Terms and this Addendum, the provisions of this Addendum shall control.
This Addendum shall be subject to the limitations of liability under the Terms.
SCHEDULE 1: SCOPE OF THE DATA PROCESSING
LIST OF PARTIES
Data Exporter: Customer.
Contact details: The contact information for Customer as set forth in Customer’s account profile page.
Data Exporter Role: Controller
Signature and Date: By entering into this Addendum, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Addendum.
Data Importer: Dolby Laboratories, Inc.
Contact details: Dolby Privacy Team, [email protected]
Data Importer Role: Processor
Signature and Date: By entering into the Addendum, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Addendum.
Data Importer: Dolby Australia PTY LTD
Contact details: Dolby Privacy Team, [email protected]
Data Importer Role: Processor
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: End Users of Customer, as defined in the Terms
Categories of personal data transferred:
Name, email address, company name, user ID, cookies, and usage data, which can include IP address, domain names, URL addresses, the time of the request, method utilized to submit the request to the server, size of file, numerical code indicating the status of the server’s answer, country of origin, features of the browser and operating system utilized by the Customer, time details per visit, and path details within the application. Where Customer uses media processing or conference recording services, audio and visual files may include personal information.
In addition, Dolby may process the recording of a call (optional).
Sensitive data transferred and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
Dolby does not actively collect sensitive data in the context of the Services (as defined in the Terms). Where Customer or its End Users (as defined in the Terms) choose to include sensitive data within the communications that they transmit while using the Services (such as in a media file or audio/video content), such sensitive data may be processed. Dolby does not store sensitive data unless requested by Customer. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s End Users to transmit or process, any sensitive data via the Services. The safeguards applied for the transfer of sensitive data are set forth in Annex II.
The frequency of the transfer:
Nature of the processing:
The nature of Processing depends on what services the Customer has elected. Where applicable, Dolby provides voice and video calling, screen-sharing, speech-to-text transcription for calls, and broadcast video and user interaction services. Dolby also provides Customer with the ability to use code to add messaging, video, and audio chat features into their mobile or web application. Dolby processes audio and visual files in connection with its media processing services.
Purpose(s) of the data transfer and further processing:
Dolby provides Customer with audio and video messaging, calling, and broadcasting services and/or media processing services. Personal data is transferred to Dolby for the purposes of providing the contracted Services. In addition, Dolby stores and analyzes personal data for the purposes of customer support; monitoring, maintaining, and improving the functionality of the Platform; security monitoring and audits; disclosures in accordance with the Terms, or as compelled by law (including restricted party screenings).
Duration of the processing:
The duration of the processing will be for the duration of the Service Agreement or as required by law. Dolby will delete or anonymize personal data when Dolby no longer requires it for the purposes described herein.
Transfers to (sub-) processors:
See Schedule II.
COMPETENT SUPERVISORY AUTHORITY
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
SCHEDULE II: LIST OF SUB-PROCESSORS
Amazon – AWS
Data hosting and processing
Google Cloud – Apigee
Microsoft Power BI