Facebook

This EU Data Transfer Addendum (“Data Transfer Addendum”) applies to the extent that Facebook Ireland Limited is acting as your Processor of EU Data under the applicable product terms (such as the Facebook Business Tools Terms or the Custom List Custom Audiences Terms (“Applicable Product Terms”)), and transfers originating in the UK, EU, EEA or Switzerland of EU Data are made to its subprocessor Facebook, Inc.

1. Taking into account the circumstances, you instruct Facebook Ireland Limited to transfer EU Data to Facebook Inc. in the US for storage and further Processing. The Clauses apply between you and Facebook, Inc. to transfers originating in the UK, EU, EEA or Switzerland of EU Data to Facebook, Inc., unless such transfer is otherwise permitted under the GDPR.
1. For the purposes of the Clauses: you are the “data exporter” and Facebook, Inc. is the “data importer” as those terms are defined in the Clauses
2. For the purposes of Appendix 1 of the Clauses: “data subjects” are individuals whose data is comprised in the EU Data transferred, who may include your customers and individuals who visit, or take actions on, your websites and apps or in your shops, such as visits to your sites, installations of your apps, and purchases of your products and services, while “categories of data”, “special categories of data” and “processing operations” are as described in the Applicable Product Terms, in these cases to the extent relating to EU Data.
3. For the purposes of Appendix 2 of the Clauses: the technical and organisational security measures implemented by Facebook, Inc. are as set out in the Data Security Terms.
4. You and Facebook, Inc. are taken to have executed the Clauses when you agree to this Data Transfer Addendum or the Applicable Product Terms. By providing EU Data to Facebook Ireland Limited as your Processor under the Applicable Product Terms after the effective date above, you agree to this Data Transfer Addendum.

2. You agree that:
1. where regulatory approval is required for use of the Clauses, you will obtain such approval;
2. any subprocessor agreement to be provided under clause 5(j) of the Clauses will be provided to you on request only, is confidential and will be limited to the data protection provisions related to EU Data with commercial information redacted;
3. the general consent given under the Data Processing Terms to the use of a subprocessor is also consent under clause 11 of the Clauses; and
4. you will use your rights of information and audit under the Data Processing Terms to satisfy any requirements you have for an audit under the Clauses, unless you can demonstrate to Facebook Inc. that you cannot reasonably satisfy your obligations under the GDPR in this way. In that case, you can request that Facebook, Inc. provides for other means of audit under the Clauses (using the least intrusive and least disruptive means possible, e.g. additional information, questions, meetings or other means suggested by Facebook, Inc.) to the extent you can show this is reasonably necessary to satisfy your obligations under the GDPR. Any other means of audit under the Clauses is subject to mutual agreement of the details such as (as relevant) manner, timing, scope, duration, control, confidentiality procedures, evidence requirements, auditor identity and subject to you paying all associated fees and costs , including for time expended by Facebook, Inc. in connection with the request.

3. Any claim or action brought by you against Facebook, Inc. under or in connection with the Clauses or this Data Transfer Addendum shall be subject to the exclusions and limitations of liability and disclaimers and disputes mechanism in the Commercial Terms, Facebook Terms of Service and Applicable Product Terms as if they applied in respect of the Clauses (as well as this Data Transfer Addendum) and as if Facebook, Inc. was a party to them.
4. In order to implement or allow for an alternative means of transfer recognised by the GDPR (including any alternative form of standard data protection clauses recognised under article 46 of the GDPR), Facebook, Inc. may terminate the Clauses by notice to you, and Facebook Ireland Limited may modify this Data Transfer Addendum in accordance with the Applicable Product Terms or terminate this Data Transfer Addendum by notice. By continuing to access or use Facebook Products after any modification to the Data Transfer Addendum takes effect, you agree to be bound by any new form of standard data protection clauses (recognised under article 46 of the GDPR) provided for in the modified Data Transfer Addendum.
5. The Data Transfer Addendum and Clauses will not apply to the extent Facebook, Inc. has adopted Binding Corporate Rules for Processors or an alternative means under the GDPR for the lawful transfer of Personal Information outside the EU, EEA, UK or Switzerland.
6. This Data Transfer Addendum takes priority over the Applicable Product Terms, Facebook Terms of Service and Commercial Terms to the extent of a conflict or inconsistency. The Clauses take priority over this Data Transfer Addendum to the extent of any conflict or inconsistency and nothing in this Data Transfer Addendum, Applicable Product Terms, Facebook Terms of Service or Commercial Terms varies or modifies clauses 1 to 12 of the Clauses or affects the rights of any supervisory authority or data subject under the Clauses or GDPR.
7. You acknowledge that, where relevant to Facebook Inc.’s rights and obligations under the Clauses or this Data Transfer Addendum, Facebook, Inc. is entitled to rely upon relevant provisions of the Applicable Product Terms, Facebook Terms of Service or Commercial Terms as if it was a party to them. Facebook, Inc. is a party to this Data Transfer Addendum but solely to acknowledge and obtain the benefit of the provisions of this Data Transfer Addendum and accept its entry into the Clauses on the basis set out in this Data Transfer Addendum. Facebook, Inc. is not otherwise a party to the Applicable Product Terms, Facebook Terms of Service and Commercial Terms and has no obligations or liability under or in connection with them in any respect (whether in contract, tort, negligence or otherwise). This does not limit or affect its obligations under the Clauses.
8. In this Data Transfer Addendum:
1. “Clauses” mean the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission decision 2010/87/EC, dated 5 February 2010 (but excluding the optional illustrative clauses).
2. “EU Data” means Personal Information under your sole controllership which is Processed by Facebook Ireland Limited as your Processor pursuant to the Applicable Product Terms, to the extent that the GDPR or the data protection laws of Iceland, Lichtenstein, Norway or Switzerland, apply to the Processing of such data.
3. “GDPR” means the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679). References to GDPR and its provisions include the GDPR as amended and incorporated into UK law after the GDPR ceases to apply in the UK.
4. Terms defined in the Applicable Products Terms, Facebook Terms of Service or Commercial Terms have the same meaning given to them there, except where stated otherwise. References to the Data Security Terms are to them as updated in accordance with the Applicable Products Terms, Facebook Terms of Service or Commercial Terms from time to time.