AMENDMENT NUMBER 2 TO THE AMENDED AND RESTATED MASTER SERVICES AGREEMENT
Exhibit 10.3
This AMENDMENT NUMBER 2 (the "Data Privacy Amendment"), effective as of October 31, 2007 ("Amendment Effective Date") is made and entered into by and between TCS and Nielsen and modifies the AMENDED AND RESTATED MASTER SERVICES AGREEMENT, dated as of October 1, 2007, between TCS and Nielsen (the "Agreement").
PRELIMINARY STATEMENT
The Parties have agreed to amend and supplement certain of the terms, conditions, rights and obligations of the Parties under the Agreement with regard to data privacy and data protection pursuant to the provisions of this Data Privacy Amendment.
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and of other good and valid consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties, intending to be legally bound, hereby agree as follows:
A. DATA PRIVACY
The Parties agree to insert the following provisions of this Section A between Section 14 (DATA OWNERSHIP, PROTECTION AND RETURN OF DATA) of the Agreement and Section 15 (CONSENTS) of the Agreement as a new Section 14A (DATA PRIVACY) of the Agreement:
Section 14A DATA PRIVACY
In performing the Services, TCS will comply with the requirements of this Section 14A.
14A.1 Data Privacy Rules, Generally
(a) "Data Privacy Rules" means the following:
(i) all Laws applicable to Nielsen and the Nielsen Regulatory Requirements regarding personal data privacy and data protection rights (including breach notification requirements) with respect to Personally Identifiable Information held and/or controlled by Nielsen and its Affiliates, including personal data relating to employees, customers, consumers, panelists, survey respondents, and other individuals. Such Laws and Nielsen Regulatory Requirements include: (A) the Gramm-Leach Bliley Act and its effective implementing rules and regulations ("GLB Act"); (B) the Health Insurance Portability and Accountability Act of 1996 and its effective implementing rules and regulations ("HIPAA") and analogous state laws; (C) the Canadian Privacy Legislation and its effective implementing rules and regulations; and (D) legislation implementing the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "EU Data Protection Directive" or the "Directive") and analogous legislation in European countries not part of the European Union (collectively "EU Privacy Laws"); and
(ii) the provisions of this Agreement that address TCS obligations regarding data privacy and data protection, including Section 5.6, Section 14, this Section 14A, Section 16, Section 20, and Schedule G to this Agreement.
(b) General Requirements.
(i) TCS and Nielsen will comply, and will support the other Party in complying, with all relevant provisions of Data Privacy Rules.
(ii) TCS will observe, comply with, and perform the Services in a manner consistent with, the Data Privacy Rules.
(iii) TCS will cause those TCS Affiliates and Approved Subcontractors performing the Services to comply with the obligations of TCS provided in this Section 14A.
(iv) Except as provided in Section 14A.1(c), TCS will meet the requirements of this Section 14A at no additional charge to Nielsen.
(v) If TCS suspects or becomes aware of any breach of the Data Privacy Rules, TCS will promptly notify Nielsen and will cooperate with Nielsen to investigate, mitigate, rectify and respond to such breach.
(vi) Upon Nielsen's request, TCS will provide to Nielsen certifications (whether self-certifications or, on an Out-of-Pocket Expense basis, third party certifications, as Nielsen reasonably requests) that demonstrate TCS compliance with the Data Privacy Rules.
(vii) Nielsen will have the right to screen and approve all TCS Personnel who might have access to the Personally Identifiable Information that is the subject of the Data Privacy Rules.
(viii) Nothing in this Agreement will be deemed to prevent Nielsen from taking the steps it deems necessary to comply with the Data Privacy Rules.
(ix) The obligations provided in this Section 14A will survive the termination or expiration of this Agreement.
(c) Changes to the Data Privacy Rules.
(i) Statutory and Regulatory Changes. If during the Initial Term or a Renewal Period a change is made to any Laws or Nielsen Regulatory Requirements described in Section 14A.1(a), or a new Law or Nielsen Regulatory Requirement is implemented that affects any of the Parties' rights and obligations regarding data protection and data privacy in this Agreement, TCS will comply with such changed or new Law or Nielsen Regulatory Requirement in accordance with the provisions of Section 20.8.
(ii) Change Control Procedure. TCS will perform the Services in compliance with any additional or revised Nielsen standards, policies and requirements disclosed to TCS from time to time relating to the Data Privacy Rules, whether or not additions or revisions arise from changed or new Laws or Nielsen Regulatory Requirements (such as those relating to information security, or instructions from Nielsen or any Nielsen Affiliate in connection with a signed EU Model Contract), subject to application of the Change Control Procedure to the extent TCS reasonably demonstrates that such standards, policies, requirements and instructions impose material incremental costs upon TCS in excess of those that would otherwise be necessary for TCS to comply with its obligations under this Agreement.
14A.2 EU Privacy Laws.
Without limiting the generality of Section 14A.1, TCS will comply with the obligations provided in this Section 14A.2 regarding applicable EU Privacy Laws.
(a) Definitions. The following non-capitalized terms used in Section 14A.2 will have the meanings given to them in the EU Privacy Laws: "controller"; "data exporter"; "data importer"; "data subject"; "personal data"; "processing" (and "processed" will be construed accordingly); and "processor". In addition:
(i) "EU Model Contract" means a contract between the applicable data importer and the applicable data exporter, which contract will include the standard contractual clauses provided or approved by the applicable European Union or implementing country authorities governing the transfer and processing of personal data outside of the European Union. As of the Agreement Effective Date, such standard contractual clauses are those provided in the annex to Decision 2002/16/EC of the European Commission dated December 27, 2001 for the transfer of personal data to processors established in third countries; and
(ii) "Nielsen Personal Data" means personal data that is processed by or on behalf of TCS in performing the Services, including personal data relating to the employees, customers, consumers, panelists, and survey respondents of Nielsen and its Affiliates, and/or which is made available directly or indirectly to TCS by Nielsen or Nielsen Affiliates.
(b) Compliance with EU Privacy Laws. Nielsen and TCS will each comply, and will support the other Party in complying, with their respective obligations under the EU Privacy Laws, including maintaining all necessary notifications or registrations that may be required.
(c) The Parties' Roles. The Parties agree that:
(i) Nielsen Solely Responsible. Nielsen is solely responsible for determining the purposes for which and the manner in which Nielsen Personal Data are, or are to be, processed under this Agreement in the course of TCS performing the Services; TCS will only process Nielsen Personal Data in accordance with written instructions given by Nielsen and in accordance with this Agreement; and
(ii) Controller and Processor. Nielsen will be the data controller with respect to all Nielsen Personal Data and TCS will be the data processor with respect to all Nielsen Personal Data.
(d) TCS Obligations.
(i) General. In a manner that conforms to any time limits provided in applicable EU Privacy Laws, and in any event as soon as reasonably practicable, TCS will comply with any written request to provide reasonable assistance to Nielsen as necessary to allow Nielsen to comply with EU Privacy Laws.
(ii) Nielsen Consent for Transfers. Where TCS intends to transfer any Nielsen Personal Data either (A) to third parties (including TCS Affiliates and Approved Subcontractors), or (B) across any country's border (except to countries or territories within the European Union or to a country that the European Commission has found to ensure an adequate level of protection within the meaning of Article 25(2) of the Directive), TCS will obtain Nielsen's prior written consent, which Nielsen may withhold in its sole discretion. Nielsen may grant such consent subject to any conditions Nielsen deems appropriate, and any such transfer of Nielsen Personal Data will in any event be subject to TCS compliance with the applicable provisions of Section 14A.2(f).
(iii) Other TCS Obligations.
(A) TCS will promptly notify Nielsen in writing if TCS: (1) receives any complaints about the processing of Nielsen Personal Data from third parties (including data subjects); or (2) receives, or becomes aware of, any allegation by any relevant EU privacy or information commissioner (or any corresponding supervisory authority) that Nielsen or TCS is not complying with the EU Privacy Laws; and in each such case, TCS will not make any admissions, or take any action, which may be prejudicial to the defense or settlement of any such complaint or allegation and will provide to Nielsen such reasonable assistance as it may require in connection with such complaint.
(B) Nielsen in any event will ensure that any Nielsen Personal Data it provides to TCS or requires TCS to obtain on Nielsen's behalf in relation to this Agreement can be lawfully processed in the manner contemplated by this Agreement.
(e) Article 17 of the Directive. TCS agrees that with respect to Nielsen Personal Data TCS is obligated to comply with applicable legislation implementing Article 17 of the Directive, including the following obligations:
(i) Technical and Organization Measures. Take appropriate technical and organizational measures (including in accordance with the requirements of this Agreement) to safeguard against: (A) unauthorized accesses to, and unlawful processing of, Nielsen Personal Data; (B) accidental loss, misuse or destruction of, or damage to, Nielsen Personal Data; and (C) unauthorized disclosure of Nielsen Personal Data;
(ii) Written Instructions. Only process Nielsen Personal Data in accordance with written instructions given by Nielsen, including as provided in this Agreement;
(iii) Reliability of Third Parties and of Personnel. Take reasonable steps to ensure the reliability of those third parties (including TCS Affiliates and Approved Subcontractors) that, and those TCS Personnel who, have access to Nielsen Personal Data; and
(iv) Training. Ensure that all TCS Personnel involved in processing Nielsen Personal Data have undergone (and on an ongoing basis continue to undergo) reasonably adequate training in the care and handling of personal data generally and Nielsen Personal Data in particular.
(f) Transfers to Third Parties. Where TCS intends to transfer any Nielsen Personal Data to any third party (including TCS Affiliates and Approved Subcontractors), the following provisions will apply:
(i) Transfers to Third Parties Within the European Union and Certain Other Countries. If such transfer is to a third party providing some portion of the Services within the European Union (or where a third party is providing some portion of the Services from a country that the European Commission has found to ensure an adequate level of protection within the meaning of Article 25(2) of the Directive), TCS will ensure that no transfer takes place until such time as TCS has concluded a subcontract (or intra-group arrangement) with the relevant third party, which subcontract (or intra-group arrangement) includes provisions to protect such Nielsen Personal Data that are substantially equivalent to those set forth in this Section 14A; or
(ii) Transfers to Third Parties Outside the European Union. If such transfer is to a third party providing some portion of the Services from outside the European Union (except where such third party is providing some portion of the Services from a country that the European Commission has found to ensure an adequate level of protection within the meaning of Article 25(2) of the Directive), TCS will ensure that no such transfer takes place until such time as TCS has:
(A) caused the relevant third party to enter into an EU Model Contract with Nielsen and/or with any Nielsen Affiliate(s) designated by Nielsen (pursuant to which the relevant third party will be the data importer and Nielsen and/or the applicable Nielsen Affiliate will be the data exporter); and
(B) concluded a subcontract (or intra-group arrangement) with the relevant third party, which subcontract (or intra-group arrangement) will include obligations for such third party with respect to (1) its ability to process Nielsen Personal Data; and (2) its obligations with regard to legislation implementing Article 17 of the Directive, which will be substantially equivalent to those provided in Section 14A.2(e).
In addition, prior to the transfer of any Nielsen Personal Data outside the European Union (or a country that the European Commission has found to ensure an adequate level of protection within the meaning of Article 25(2) of the Directive) for processing, the Parties will take such steps as may be necessary to comply with the requirements and time limits provided in applicable EU Privacy Laws of the relevant country or territory, including by lodging a copy of any EU Model Contract with, or seeking any permits or licenses from, the relevant privacy or information commissioner (or any corresponding government office or agency) in the applicable jurisdiction.
B. OTHER AMENDMENTS TO THE AGREEMENT
1. Defined Terms
Terms used with initial capitalization in this Amendment and not otherwise defined herein shall have the meaning provided in the Agreement.
2. Additional Definitions.
2.1. The following definitions shall be added into Section 1.5 of the Agreement, preserving the alphabetical order of such Section, and the numbering of the existing definitions shall be adjusted accordingly:
(a) "Data Privacy Rules" has the meaning provided in Section 14A.1(a)(i).
(b) "EU Data Protection Directive" or "Directive" has the meaning provided in Section 14A.1(a)(i).
(c) "EU Model Contract" has the meaning provided in Section 14A.2(a)(i).
(d) "EU Privacy Laws" has the meaning provided in Section 14A.1(a)(i).
(e) "GLB Act" has the meaning provided in Section 14A.1(a)(i).
(f) "HIPAA" has the meaning provided in Section 14A.1(a)(i).
(g) "Nielsen Personal Data" has the meaning provided in Section 14A.2(a)(ii).
2.2 The existing definitions of "Canadian Privacy Legislation" and "Personally Identifiable Information" in Section 1.5 of the Agreement shall be deleted in their entirety and replaced with the following:
(a) "Canadian Privacy Legislation" shall mean the Personal Information Protection and Electronics Documents Act, S.C. 2001, c-5, and any analogous provincial laws, including the Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q. c. P-39.1, the Personal Information Protection Act, S.B.C. 2003, c-63, the Personal Information Protection Act, R.S.A., c. P-65, and any similar legislation applicable in Canada.
(b) "Personally Identifiable Information" means any information that relates to a specific, identifiable individual, and any information that otherwise is defined as "personal information" or "personal data" (or an equivalent term) under Laws regarding personal data privacy and data protection (including the EU Data Protection Directive), regardless of whether such Laws apply to such information.
3. Section 14 (Ownership of Nielsen Data)
3.1 The second sentence of Section 14.1(a) of the Agreement shall be amended by inserting the phrase "Regardless of whether the Nielsen Data has been de-identified or de-personalized," at the beginning of such sentence.
3.2 Section 14.1(b) of the Agreement shall be amended by inserting the word "misuse" between the words "loss" and "theft" in the second and fourth lines of such Section.
3.3 Section 14.1(d) of the Agreement shall be amended by inserting the phrase "Regardless of whether the Nielsen Data has been de-identified or de-personalized," at the beginning of such Section.
3.4 Section 14.3 of the Agreement shall be amended by inserting the word "misuse" between the words "destruction" and "loss".
4. Section 23 (Confidentiality)
4.1 Section 23.1(d) of the Agreement shall be deleted in its entirety and replaced with the following:
(d) Personally Identifiable Information of Nielsen employees, customers, consumers, panelists and survey respondents; and
4.2 The last sentence of Section 23.1 of the Agreement shall be amended by adding the parenthetical "(even if de-identified or de-personalized)" at the end of such sentence.
4.3 Section 23.4 of the Agreement is amended by adding the following sentence as the final paragraph of such Section, which paragraph shall not be numbered:
The foregoing does not relieve TCS of its obligations under Section 14A.
5. Section 31 (Miscellaneous Provisions)
Section 31.9 of the Agreement shall be amended by adding the phrase "Section 14A (Data Privacy)" between the phrases "Section 14 (Data Ownership, Protection and Return of Data)" and "Section 17.4 (Payment Upon Termination or Expiration)".
All other provisions of the Agreement shall continue to be in full force and effect. In case of a conflict between the provisions of this Data Privacy Amendment and the Agreement, the provisions of this Data Privacy Amendment shall control.
IN WITNESS WHEREOF, the Parties have each caused this Agreement to be signed and delivered by its duly authorized representative.
ACNIELSEN (US), INC.
By: /s/ Michael E. Elias
Name: Michael E. Elias
Title: V.P.
TATA AMERICA INTERNATIONAL CORPORATION
By: /s/ Satyanarayan S. Hegde
Name: Satyanarayan S. Hegde
Title: General Counsel & Senior Vice President
TATA CONSULTANCY SERVICES LIMITED
By: /s/ Satyanarayan S. Hegde
Name: Satyanarayan S. Hegde
Title: General Counsel & Senior Vice President