Data Privacy Agreement
Last updated: 12.2022
During the pendency of your relationship with Party City Holdings Inc. (“PCHI”), you ("You, or the “Supplier”) may Process or otherwise receive Customer Personal Information (as further defined herein) on behalf of PCHI.
You agree to comply with this Data Privacy Agreement (the “Agreement”) with respect to Customer Personal Information and the Processing (as further defined herein) of Customer Personal Information, and otherwise as may be required pursuant to the services You provide. You also agree to complete and return within the timeline provided in Annex I, Details of Processing Activities, which PCHI shall provide You under separate cover (“Annex I”). Any capitalized terms that are used but not defined in Annex I shall have the meaning ascribed to them in this Agreement.
1.1 “Data Breach” means actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
1.2 “Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Information and the rights of Data Subjects, or as otherwise defined as a “Data Protection Assessment,” “Data Protection Impact Assessment,” or “Risk Assessment” by applicable Data Protection Laws.
1.3 “Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations, including but not limited to: (i) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (ii) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (iii) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (v) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (vi) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.
1.4 “Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.
1.5 “Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or be reasonably be used to infer information about an identifiable natural person.
1.6 “Downstream Participant” means any third party that Processes any Personal Information arising from or relating to this Agreement or PCHI’s business (or which otherwise receives any Customer Personal Information or Personal Information hereunder) that is not Supplier or a Sub-processor.
1.7 “Customer Personal Information” means Personal Information Processed by Supplier (or a Sub-processor) in the course of providing services to PCHI.
1.8 “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws.
1.9 “Process” or “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
1.10 “Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including but not limited to: the California Privacy Protection Agency; and U.S. state attorneys general.
1.11 “Sub-processor” means any person appointed by or on behalf of Supplier to Process Personal Information as a Service Provider or Processor on behalf of PCHI under this Agreement and/or the Existing Terms (as defined below).
The terms “Processor,” “Sell”, “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and shall be construed accordingly. For the avoidance of doubt, to the extent Supplier is deemed a “Contractor” under CCPA rather than a “Service Provider,” it shall be subject to all the requirements hereunder that apply to the services provided, including any and all requirements that are mandated for Contractors under CCPA.
2. Processing of Information. Supplier will, and will require that its Sub-processors will, only Process Personal Information pursuant to PCHI’s documented instructions as set forth in this Agreement and the underlying terms between the parties relating to the services you provide (the “Existing Terms”). If applicable laws require Supplier or its Sub-processor to Process Customer Personal Information for another purpose, Supplier will notify PCHI of this in writing without undue delay.
2.1 The subject matter of the Processing, the duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information, and categories of Data Subjects Processed under this Agreement are specified in Annex I that has been separately signed by Supplier.
2.2 PCHI instructs Supplier (and authorizes Supplier to instruct each Sub-processor) to Process Customer Personal Information, as reasonably necessary for the provision of services provided and consistent with the Existing Terms, and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section. Supplier shall immediately inform PCHI if, in its opinion, an instruction violates Data Protection Laws.
3. Restrictions: Supplier will and will ensure that its personnel and Sub-processors:
(i) Process the Customer Personal Information only on PCHI’s documented instructions that are consistent with the terms of the Existing Terms and this Agreement;
(ii) not retain, use, or disclose Customer Personal Information for any purpose other than for the specific purpose of performing services for PCHI;
(iii) not Sell or Share Customer Personal Information;
(iv) not retain, use or disclose the Customer Personal Information outside of the direct business relationship between PCHI and Supplier; and
(v) not combine Customer Personal Information with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects, unless permitted by applicable Data Protection Law, and in accordance with Supplier’s role as a Service Provider or Processor, as applicable.
Supplier shall comply with applicable obligations and provide the same level of privacy protection as required by Data Protection Laws, and shall assist PCHI through appropriate technical and organizational measures to comply with requirements under applicable Data Protection Laws, taking into account the nature of the processing. Supplier shall notify PCHI if it makes a determination that it can no longer meet its obligations under Data Protection Laws. Supplier hereby certifies that it will comply with the restrictions and requirements outlined in this Section 3.
To the extent Supplier is authorized by PCHI to act as a Third Party (as defined under the CCPA), Supplier is not required to comply with the obligations described in (iii) and (v) of this Section 3, except as described further herein. For the avoidance of doubt, Supplier shall be exempt from such obligations only when acting as a Third Party; Supplier shall be subject to all obligations set forth in this Section 3 when Supplier is otherwise acting as a Processor or Service Provider. When acting as a Third Party, Supplier shall comply with all other obligations in this Agreement and the Existing Terms applicable to Processors or Service Providers as required by applicable Data Protection Laws, including under § 7053 of the CCPA regulations, and by any other requirements under the Existing Terms that are consistent with Supplier’s obligations as a Third Party. In addition, and notwithstanding any exemption from subsection (iii) of this Section 3, a Supplier that is a Third Party shall not share any Customer Personal Information with a Downstream Participant, unless expressly permitted by the Agreement (including Annex I) or otherwise approved in writing by PCHI. Without limiting the foregoing or any other obligations of Supplier, Supplier agrees to defend, indemnify, and hold harmless PCHI from and against any and all loss, liability, claims, actions, expenses, or other damages in any way arising by reason of, relating to, or based upon, the Processing of Personal Information by a Downstream Participant, including any related acts or omissions.
4. Personnel. Supplier will ensure that individuals that access Customer Personal Information will: (i) only do so as necessary to perform their job duties in connection with the performance of services; (ii) be bound by a written obligation of confidentiality; and (iii) have undergone adequate training in connection with handling Personal Information as required by applicable laws.
5. Reasonable Security. Supplier will implement and maintain reasonable security procedures and practices appropriate to protect the Customer Personal Information from unauthorized access or use. Such measures will include, at a minimum, the twenty (20) CIS controls (as set forth in https://www.cisecurity.org/controls/cis-controls-list/ as of the date of this Agreement). Supplier shall notify PCHI in writing of a material change in the system infrastructure or third-party providers. At PCHI’s request, Supplier will provide PCHI with its incident response policy, network security policy, and data flow diagram, in an industry standard format.
6. Consumer Requests
6.1 Supplier will provide reasonable assistance to PCHI by implementing appropriate technical and organizational measures and taking other necessary compliance steps for the fulfilment of PCHI’s obligations, as reasonably understood by PCHI, to respond to requests to exercise consumer rights under Data Protection Laws.
6.2 Supplier will, without undue delay, and not later than forty-eight (48) hours after receiving such request, notify PCHI if it receives a request from a Data Subject to exercise rights under Data Protection Laws. Supplier will respond to any such request only on the documented instructions of PCHI. To the extent necessary, Supplier will cooperate with PCHI as necessary to verify the identity of a Data Subject filing a request.
6.3 Upon instruction from PCHI to do so, Supplier will, without undue delay, and no later than five (5) calendar days from receipt of PCHI’s instruction, provide to PCHI, all information required to comply with a Data Subject’s access request pursuant to Data Protection Laws.
6.4 Upon instruction from PCHI to do so, Supplier will, without undue delay, and no later than five (5) calendar days from receipt of PCHI’s instruction, delete a Data Subject’s Personal Information from its records, unless Supplier is required to maintain the Data Subject’s Personal Information in accordance with Section 1798.105 of the CCPA or other applicable Data Protection Law. To this end, Supplier will notify PCHI, without undue delay, of the reason for retention of the Data Subject’s Personal Information. Within ten (10) calendar days from the date on which PCHI’s instruction was received, Supplier shall certify to PCHI that the Personal Information was deleted. With respect to a Data Subject request exercising the right to deletion (or other applicable Data Subject rights) and/or to the extent required by Data Protection Laws, Supplier shall notify its Sub-processors to take the required actions with respect to the Data Subject’s Personal Information that they are Processing on behalf of Supplier and shall ensure such actions are taken.
7.1 PCHI authorizes Supplier to appoint Sub-processors (and permits each Sub-processor to appoint additional Sub-processors) in accordance with this Section 7.
7.2 A list of Supplier’s current Sub-processors is set forth on Annex I, which may include the name and location of, and a brief description of the Processing undertaken by, each current Sub-processor.
7.3 Supplier may continue to use those Sub-processors already engaged by Supplier as of the date of this Agreement (provided that such Sub-processors are listed in Annex I).
7.4 Supplier will inform PCHI in advance of the appointment of any new Sub-processor. If within thirty (30) calendar days after receiving such notice, PCHI objects to the new Sub-processor in its sole discretion, PCHI shall notify Supplier in writing and Supplier will use reasonable efforts to make available to PCHI a change in the services provided or recommend a commercially reasonable change to PCHI’s configuration or use of the services provided to avoid Processing of Personal Information by the objected-to new Sub-processor. If Supplier cannot reasonably accommodate PCHI’s objection, Supplier will notify PCHI. PCHI may, by written notice to Supplier, with immediate effect, terminate your relationship to the extent it relates to the services you provide, which require the use of the objected-to new Sub-processor, with immediate effect.
7.5 Supplier will carry out appropriate due diligence on each Sub-processor in advance of engagement of such Sub-Processor. Supplier will enter into a written contract with each Sub-processor which: (i) includes terms substantially equivalent to those set out in this Agreement (which terms will be enforced by Supplier upon PCHI’s request); and (ii) meets the requirements of applicable Data Protection Laws. Supplier will be liable for its Sub-processor’s acts and omissions in relation to Supplier’s obligations under this Agreement.
8. Data Breach
8.1 Supplier will notify PCHI without undue delay and, where feasible, within forty eight (48) hours, after Supplier becomes aware of a Data Breach affecting Customer Personal Information, and will fully cooperate with PCHI in response to such Data Breach. In its notification, Supplier shall provide PCHI with sufficient information and documentation to allow PCHI to meet any obligations to report or inform Data Subjects of the Data Breach. At a minimum, such notification shall include the following, to the extent available at the time of the notification:
(i) the types of Personal Information that were or are reasonably believed to have been the subject of the breach;
(ii) the date or estimated date of the breach;
(iii) a general description of the breach; and
(iv) whether notification was delayed as a result of a law enforcement investigation.
Supplier will not make any notification in connection with such Data Breach unless instructed to do so by PCHI in writing. Supplier will continuously supplement the information provided to PCHI as additional information becomes available to it.
In addition, Supplier shall use commercially reasonable efforts to remedy any Data Breach as soon as reasonably practicable and prevent any further Data Breach at Supplier’s expense. PCHI may, in its sole discretion, take any and all actions necessary or reasonable with respect to a Data Breach, including, without limitation, conducting an investigation into the cause of the incident and notifying affected persons or government agencies accordingly.
8.2 Supplier will make commercially reasonable efforts, in accordance with its security incident management policies and procedures, to identify the cause of such Data Breach, to remediate it, and to put in place any measures designed to prevent additional breaches. Supplier will, without derogating from any of PCHI’s other remedies under this Agreement or under applicable law: (i) bear all costs associated with the remediation and notification of the Data Breach; and (ii) bear the cost of appropriate identity theft prevention and mitigation services to all affected individuals for not less than twelve (12) months, or as otherwise required by applicable Data Protection Laws.
9.1 Supplier will (i) make available to PCHI, on request, all information necessary to demonstrate compliance with this Agreement, and the Data Protection Laws, and (ii) allow for and contribute to audits, including inspections, by an auditor mandated by PCHI in relation to the Processing of the Customer Personal Information by Supplier.
9.2 Supplier will allow PCHI and PCHI’s authorized representatives to conduct audits or inspections to ensure compliance with the terms of this Agreement and Data Protection Laws in accordance with this Section 9. Notwithstanding the foregoing, any audit must be conducted during Supplier’s regular business hours, with reasonable advance notice to Supplier and subject to reasonable confidentiality procedures. In addition, audits shall be limited to once per year, unless (i) Supplier has experienced a Data Breach in the prior twelve (12) months; (ii) an audit reveals a material noncompliance; or (iii) otherwise required by Data Protection Laws or any Regulatory Authority responsible for the enforcement of such law.
9.3 Supplier will: (i) procure a third-party independent SOC 2 Type II report audit/evaluation that tests and validates the internal controls of Supplier and its third-party hosting providers with regard to security, availability, processing integrity, confidentiality and/or privacy, as applicable to the services provided; (ii) update this audit report annually; and (iii) regularly perform testing and validations of the internal controls of Supplier with regard to security, availability, processing integrity, confidentiality and/or privacy, as applicable to the services provided. Supplier shall procure its SOC 2 Type II report upon execution hereof, and thereafter, annually, on a date designated by PCHI. PCHI may immediately terminate your relationship upon notice to Supplier upon Supplier’s failure to timely submit its SOC 2 Type 2 report when due.
9.4 Supplier shall conduct regular (i) penetration testing (at least once every calendar quarter) of its information technology infrastructure and networks, and (ii) vulnerability testing (at least once every month) of its information technology infrastructure and networks. Upon PCHI’s written request, to confirm compliance with this Agreement, as well as any applicable laws and industry standards, Supplier shall complete a written information security questionnaire of reasonable scope and duration that is provided by PCHI. PCHI will treat the information provided by Supplier in the security questionnaire as Supplier’s Confidential Information.
9.5 Upon PCHI’s request and to the extent required under Data Protection Laws, Supplier shall provide PCHI with the necessary information and with reasonable cooperation and assistance needed to fulfill PCHI’s obligation to carry out a Data Protection Assessment related to PCHI’s use of the services provided, to the extent that PCHI does not otherwise have access to the relevant information and that such information is reasonably available to Supplier.
10. Return or Deletion of Personal Information. At PCHI’s election, made by written notice, to Supplier, Supplier shall (and shall ensure Sub-processors shall), within thirty (30) calendar days of receipt of such election, as reasonably practicable: (i) return a complete copy of all Customer Personal Information to PCHI in such format and manner requested by PCHI and reasonably acceptable to Supplier; and (ii) delete all other copies of Customer Personal Information, except to the extent Supplier (or Sub-processor) is required to retain such Customer Personal Information by law or where such Customer Personal Information is necessary for defense of legal claims. In such cases, the confidentiality obligations and any applicable use restrictions in this Agreement and the Existing Terms shall continue to apply to such Customer Personal Information and/or copies so retained.
11. Deidentified Data. To the extent that Supplier receives Deidentified Data from PCHI or processes Customer Personal Information in such a way that it becomes Deidentified Data, Supplier shall: (i) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household; (ii) publicly commit to maintain and use the Deidentified Data only in a de-identified fashion and not attempt to re-identify the data, unless otherwise permitted by Data Protection Laws; and (iii) contractually obligate any recipients of the Deidentified Data, including any Sub-processors, to comply with the requirements of this Section 11.
12. Indemnification. Without limitation, Supplier will defend and indemnify PCHI, its affiliates, directors, officers, employees, agents, successors or assigns, from and against any and all loss, liability, claims, actions or expenses, including remediation expenses, reasonable attorneys’ fees, and (without limitation) any loss or liability sustained by any person or entity, including but not limited to employees or contractors of PCHI, arising from (i) failure by Supplier (including its employees, contractors, Sub-processors, and any Downstream Participants) to comply with the confidentiality, data privacy and other obligations hereunder, or (ii) violation by Supplier (including its employees, contractors, Sub-processors, and any Downstream Participants) of any and all applicable federal, state or local laws, including, without limitation, Data Protection Laws. This indemnification obligation shall survive the expiration or termination of this Agreement.
13. NO LIMITATION OF LIABILITY. NOTWITHSTANDING ANY OTHER AGREEMENT TO THE CONTRARY, NO PROVISION OF THE EXISTING TERMS OR THIS AGREEMENT SHALL OPERATE TO EXCLUDE OR LIMIT SUPPLIER’S LOSSES OR LIABILITY UNDER THIS AGREEMENT, INCLUDING WITH RESPECT TO LIABILITY RELATING TO A DATA BREACH, BREACH OF THIS AGREEMENT, OR ALLEGED OR ACTUAL VIOLATION OF DATA PROTECTION LAW.
14. Survival. The obligations set forth herein will survive termination of any applicable Existing Terms for as long as Supplier is Processing Customer Personal Information.
15. No Amendment; Order of Precedence. Nothing in this Agreement reduces the Supplier’s obligations under the Existing Terms with respect to the protection of Personal Information or permits Supplier to Process (or permit the Processing of) Personal Information in a manner that is prohibited by the Existing Terms. In the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Existing Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
16. Changes in Data Protection Laws. If any amendment is required for this Agreement as a result of a change in applicable laws, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this Agreement to address such changes. If PCHI gives notice under this Section 16, the parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in PCHI’s notice as soon as is reasonably practicable.
17. Severability. Should any provision of this Agreement be deemed invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, or (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.