Applicability. This Data Protection Addendum (“DPA”) forms part of and is subject to the governing services agreement (“Agreement”) between Customer and Lumen and is applicable to the provision of certain Lumen Services. “Lumen” is defined for purposes of this Addendum as CenturyLink Communications, LLC d/b/a Lumen Technologies Group or its affiliated entities. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will control.
“Controller” “Processor” “Data Subjects” “Personal Data” “Personal Data Breach” and “Processing" will have the meanings ascribed to them in the GDPR.
"Data Protection Laws" means the provisions of applicable laws regulating the use and processing of Personal Data, as may be defined in such provisions, including (a) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), (b) the Electronic Communications Data Protection Directive 2002/58/EC, (c) the Privacy and Electronic Communications Directive 2002 as amended and (d) all other applicable laws and regulations relating to processing of personal data.
"Services" means the Lumen Processing Services to be provided to Customer under the Agreement.
Compliance with Data Protection Laws. Each party is an independent Controller with respect to Personal Data collected from the other which is necessary for administering its business relationship with the other (e.g. name, address, email address). Customer is a Controller (or effectively the Controller to Lumen as Processer/subprocessor) with respect to Personal Data Processed by Lumen. Lumen is a Controller with respect to billing, utilization, usage patterns/counts/statistics, traffic data and other business and operational information, to the extent it is Personal Data, and a Lumen Privacy Notice applicable to the foregoing can be found at: https://www.lumen.com/en-us/about/legal/privacy-notice.html. Each party will comply at all times with its Controller obligations under Data Protection Laws with respect to any Personal Data processed under the Agreement, including providing individuals with notice, required consents and ensuring a valid legal basis of processing.
Breach Reporting. Lumen will notify Customer without undue delay on becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of Customer using the Services, and thereafter co-operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. Lumen will provide reasonable assistance to Customer with respect to any breach reporting obligations Customer may have, and provide additional information relating to such breach as Customer may reasonably require. The parties will agree in advance and in writing on any material remediation responsibilities and costs that exceed Lumen’s standard incident response process.
Audits. Lumen will maintain all information necessary to demonstrate compliance with its obligations identified in this DPA and a written record of all processing of Personal Data on behalf of Customer and, upon reasonable request grant Customer and its auditors and agents a right of access to and to take copies of records relating to compliance and all processing of such Personal Data on behalf of Customer in order to assess whether Lumen has complied with its obligations in respect of the processing of Personal Data. Upon reasonable notice, Lumen will allow Customer to, or where applicable, will cooperate with Customer and Lumen’s third-party providers to arrange for access to premises and other materials and personnel and will provide reasonable assistance in order to assist Customer in exercising its audit rights under this clause provided that: (i) such access will occur at a mutually agreeable time and the scope of the visit will be mutually agreed upon; (ii) such access will not unreasonably interfere with Lumen’s operations; and (iii) access to Lumen premises, documentation and systems will be subject to Lumen’s reasonable access requirements and security policies.
Transfers. Lumen will not transfer any Personal Data outside the EEA except to the extent authorized by Customer and in accordance with this paragraph. At the date of this DPA Customer authorizes Lumen to transfer Personal Data outside the EEA, including to the United States, for the specific purpose of providing Services and performing its obligations under the Agreement. Such transfer will be subject to the Standard Contractual Clauses (in the form adopted pursuant to Regulation (EU) 2016/679).
Damages Cap. NOTWITHSTANDING ANYTHING TO THE CONTRARY ELSEWHERE IN THE AGREEMENT, THE TOTAL AGGREGATE LIABILITY FOR EACH PARTY ARISING OUT OF OR RELATED TO THIS ADDENDUM WILL BE LIMITED TO THE TOTAL MRCs AND USAGE CHARGES PAID OR PAYABLE BY CUSTOMER TO LUMEN IN THE 12 MONTHS IMMEDIATELY PRECEDING THE OCCURRENCE OF THE EVENT GIVING RISE TO THE CLAIM. IN ADDITION, LUMEN WILL NOT BE LIABLE UNDER THIS ADDENDUM TO THE EXTENT ANY LIABILITY IS CAUSED BY OR CONTRIBUTED TO BY ANY PARTY OTHER THAN LUMEN OR ITS SUBPROCESSORS.
Future Amendments. The parties may amend this DPA at any time during the term of the Agreement by written agreement if necessary to comply with any legal requirement or guidance from a supervisory authority, or if required to take account of any changes to the processing of Personal Data pursuant to the Agreement.