CenturyLink Data Protection Exhibit

1. Applicability. This Data Protection Exhibit (“DP Exhibit”) forms part of the Agreement between Customer and CenturyLink and is applicable to the provision of certain CenturyLink Services. In the event of a conflict between the Agreement, the applicable Services Exhibit(s) and this DP Exhibit, the terms of this DP Exhibit shall control.
2. Definitions. In this DP Exhibit, the following definitions apply:
   • “Data Controller” “Data Processor” “Data Subjects” “Personal Data” and “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.
   • “Data Protection Laws” means the provisions of applicable laws regulating the use and processing of data relating to persons, as may be defined in such provisions, including a) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, b) after 25 May 2018 the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), c) the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and d) all other applicable laws and regulations relating to processing of personal data.
   • “Services” means the CenturyLink Services to be provided to Customer under the Agreement and the applicable Services Exhibit(s).
3. Compliance with Data Protection Laws.
   1. CenturyLink and Customer agree that, Customer is an independent Data Controller with respect to the processing of Personal Data which is necessary for the operation of the Services, and CenturyLink is an independent Data Controller with respect to the processing of billing, utilisation, usage patterns/counts/statistics, traffic data and other Customer account related information (e.g. name, address, email address)to the extent it is Personal Data, which is necessary for CenturyLink’s performance of its obligations under the Agreement and the applicable Services Exhibit(s), or with respect to any Personal Data held for general business purposes.
   2. CenturyLink and Customer shall each comply at all times with its obligations under Data Protection Laws in respect of any Personal Data processed by it under the Agreement.
4. Data Processing.
   1. CenturyLink acknowledges that it is a Data Processor on behalf of the Customer for the purposes of providing Services and performing its related obligations (including incident resolution, support or consultancy services). The subject matter, duration and nature of the processing, the types of Personal Data and applicable Data Subjects are described in the applicable Services Exhibit(s).
   2. In so far as CenturyLink processes Personal Data on behalf of Customer as a Data Processor, CenturyLink will (and will procure that CenturyLink affiliates will):
      • Only process Personal Data in accordance with the Customer’s documented instructions, including as set out in the Agreement and this DP Exhibit and ensure that CenturyLink personnel process Personal Data only on such instructions of the Customer, unless processing is required by EU or member state law to which CenturyLink are subject, in which case CenturyLink shall, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data;
      • Restrict the disclosure and processing of Personal Data to the extent necessary to provide the Services, or as otherwise permitted under the Agreement and this DP Exhibit, or by Customer in writing, and only disclose Personal Data on a need to know basis in connection with the Services to those who have committed themselves to confidentiality, or as required by applicable law;
      • Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing and ensure a level of security appropriate to the risk presented by the processing;
      • Ensure that only those personnel who need to have access to Personal Data are granted access to it, and that such access is granted only for the proper provision of the Services; and
      • If and to the extent CenturyLink retains a copy of any Personal Data, not retain that Personal Data for longer than is necessary to perform the Services and at Customer’s option, securely destroy or return such Personal Data, except where required to retain the Personal Data by law or regulation. The parties agree that CenturyLink shall not actively process such Personal Data and shall be bound by the provisions of this DP Exhibit in respect of any such retained Personal Data. CenturyLink shall delete such data promptly after it ceases to be obliged to retain it and shall only process it to the extent required to comply with applicable laws.
5. Sub-Processing.
   1. The Customer generally authorises CenturyLink to appoint sub-processors in accordance with any restrictions in this DP Exhibit and the Agreement.
   2. Prior to disclosing any Personal Data to any sub-processor, CenturyLink shall ensure that it has undertaken appropriate due diligence in respect of such sub-processor, and shall ensure the sub-processor enters into a written agreement on terms which provide that the sub-processor has equivalent obligations to those set out in this DP Exhibit. CenturyLink shall remain fully liable to Customer for any breach of such obligations by the sub-processor.
   3. CenturyLink shall maintain an up to date list of its sub-processors and shall inform Customer with details of any intended change in sub-processors at least 30 days prior to any such change. The Customer may object to CenturyLink's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, CenturyLink will either not appoint or replace the sub-processor or, if this is not possible, the Customer may terminate the applicable Service Exhibit (without prejudice to any fees incurred by the Customer prior to termination). CenturyLink shall not use such sub-processor until any such objections are resolved or the Customer has terminated the applicable Service Exhibit.
6. Co-operation.
   1. CenturyLink shall, in so far as is possible, promptly notify Customer of any inquiry, complaint notice or other communication it receives from any supervisory authority, or from any Data Subject relating to the Services (including any requests to access, correct, delete, block or restrict access to their Personal Data or receive a machine-readable copy thereof) and, insofar as is possible and to the extent technically feasible, assist Customer with its obligation to respond to any notification or Data Subject rights request in accordance with the timescales set out in the Data Protection Laws.
   2. If Customer reasonably believes that CenturyLink’s processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, CenturyLink shall, on request from Customer, assist Customer in connection with any data protection impact assessment and prior consultation, which may be subject to additional fees and terms, that may be required under Data Protection Laws, taking into account the nature of the processing and the information available to CenturyLink.
7. Breach Reporting. CenturyLink shall notify Customer without undue delay on becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of Customer using the Services, and thereafter co-operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. CenturyLink shall provide reasonable assistance to Customer in respect of any breach reporting obligations Customer may have, and provide such additional information relating to such breach as Customer may reasonably require. The parties will agree in advance and in writing on any material remediation responsibilities and costs that exceed CenturyLink’s standard incident response process.
8. Audits. CenturyLink will maintain all information necessary to demonstrate compliance with its obligations identified in this DP Exhibit and a written record of all processing of Personal Data on behalf of Customer and, upon reasonable request grant Customer and its auditors and agents a right of access to and to take copies of records relating to compliance and all processing of such Personal Data on behalf of Customer in order to assess whether CenturyLink has complied with its obligations in respect of the processing of Personal Data. Upon reasonable notice, CenturyLink shall allow Customer to, or where applicable, shall cooperate with Customer and CenturyLink’s third-party providers to arrange for access to premises and other materials and personnel and shall provide reasonable assistance in order to assist Customer in exercising its audit rights under this clause provided that:
   • such access shall occur at a mutually agreeable time and the scope of the visit will be mutually agreed upon;
   • such access shall not unreasonably interfere with CenturyLink’s operations; and
   • access to CenturyLink premises and systems shall be subject to CenturyLink’s reasonable access requirements and security policies, and shall not compromise any confidential information to which the Customer has no entitlement.
9. Transfers. CenturyLink shall not transfer any Personal Data outside the EEA except to the extent authorised by Customer as follows:
   1. At the date of this DP Exhibit Customer authorises CenturyLink to transfer Personal Data outside the EEA, including to the United States, for the specific purpose of providing Services and performing its obligations under the Agreement and applicable Services Exhibit. Such authorisation is conditional upon CenturyLink entering into Standard Contractual Clauses (in the form adopted by decision 2010/87/EU of 5 February 2010) with its CenturyLink affiliate(s) on Customer’s behalf and in Customer’s name in order to provide adequate protection for such Personal Data; and
   2. If after the date of this DP Exhibit, CenturyLink (or any affiliate or any sub-contractor) proposes to transfer any Personal Data outside the EEA, other than as authorised above, CenturyLink (or any affiliate or any sub-contractor) shall obtain Customer’s consent prior to such transfer, which consent may be conditional upon the relevant parties having entered into an agreement what ensures that Personal Data is accurately protected as required by the Data Protection Laws.
10. Damages Cap. NOTWITHSTANDING ANYTHING TO THE CONTRARY ELSEWHERE IN THE AGREEMENT, THE TOTAL AGGREGATE LIABILITY FOR EACH PARTY ARISING OUT OF OR RELATED TO THIS EXHIBIT WILL BE LIMITED TO THE LESSER OF (I) THE TOTAL MRCs AND USAGE CHARGES PAID OR PAYABLE BY CUSTOMER TO CENTURYLINK IN THE 12 MONTHS IMMEDIATELY PRECEDING THE OCCURRENCE OF THE EVENT GIVING RISE TO THE CLAIM, OR (II) TWO MILLION DOLLARS. IN ADDITION, CENTURYLINK WILL NOT BE LIABLE HEREUNDER TO THE EXTENT ANY LIABILITY IS CAUSED BY OR CONTRIBUTED TO BY ANY PARTY OTHER THAN CENTURYLINK OR ITS SUBPROCESSORS.
11. Future Amendments. The parties may amend this DP Exhibit at any time during the term of the Agreement by written agreement if necessary to comply with any legal requirement or guidance from a supervisory authority, or if required to take account of any changes to the processing of Personal Data pursuant to the Agreement and applicable Services Exhibit(s).