Version Date: November 5, 2021
1. Applicability. This Data Protection Addendum (“DPA”) forms part of and is subject to the governing services agreement (“Agreement”) between Customer and Lumen and is applicable to the provision of certain Lumen Services. “Lumen” is defined for purposes of this Addendum as CenturyLink Communications, LLC d/b/a Lumen Technologies Group or its affiliated entities. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will control.
2. Definitions. In this DPA, the following definitions apply:
“Controller” “Processor” “Data Subjects” “Personal Data” “Personal Data Breach” and “Processing" will have the meanings ascribed to them in the GDPR.
"Data Protection Laws" means the provisions of applicable laws regulating the use and processing of Personal Data, as may be defined in such provisions, including (a) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), (b) the Electronic Communications Data Protection Directive 2002 as amended and (d) all other applicable laws and regulations relating to processing of personal data.
"Services" means the Lumen Processing Services to be provided to Customer under the Agreement.
3. Compliance with Data Protection Laws. Each party is an independent Controller with respect to Personal Data collected from the other which is necessary for administering its business relationship with the other (e.g. name, address, email address). Customer is a Controller (or effectively the Controller to Lumen as Processer/subprocessor) with respect to Personal Data Processed by Lumen. Lumen is a Controller with respect to billing, utilization, usage patterns/counts/statistics, traffic data and other business and operational information, to the extent it is Personal Data, and a Lumen Privacy Notice applicable to the foregoing can be found at: https://www.lumen.com/en‑us/about/legal/privacynotice.html. Each party will comply at all times with its Controller obligations under Data Protection Laws with respect to any Personal Data processed under the Agreement, including providing individuals with notice, required consents and ensuring a valid legal basis of processing.
4. Data Processing. Unless otherwise set forth in a Service Attachment:
1. Lumen acknowledges that it is a Processor on behalf of the Customer when providing Services and performing its related obligations (including incident resolution, support or consultancy services). Details about the Processing can be found a https://www.lumen.com/en‑us/about/legal/trust‑center/processing‑lumen‑services.html
2. In so far as Lumen processes Personal Data on behalf of Customer as a Processor, Lumen will (and will procure that Lumen affiliates will):
i. Process Personal Data only in accordance with the Customer’s documented instructions, including as set out in the Agreement and this DPA and ensure that Lumen personnel process Personal Data only on such instructions of the Customer, unless processing is required by EU or member state law to which Lumen is subject, in which case Lumen will, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data;
ii. Restrict the disclosure and processing of Personal Data to the extent necessary to provide the Services, or as otherwise permitted under the Agreement and this DPA, or by Customer in writing, and disclose Personal Data only on a need to know basis in connection with the Services to those who have committed themselves to confidentiality, or as required by applicable law;
iii. Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing and ensure a level of security appropriate to the risk presented by the processing;
iv. Ensure that only those personnel who need to have access to Personal Data are granted access to it, and that such access is granted only for the proper provision of the Services; and
v. If and to the extent Lumen retains a copy of any Personal Data, not retain that Personal Data for longer than is necessary to perform the Services and at Customer’s option, securely destroy or return such Personal Data, except where required to retain the Personal Data by law or regulation. The parties agree that Lumen will not actively process such Personal Data and will be bound by the provisions of this DPA in respect of any such retained Personal Data. Lumen will delete such data promptly after it ceases to be obliged to retain it and will only process it to the extent required to comply with applicable laws.
5. Subprocessing.
1. Prior to disclosing any Personal Data to any subprocessor, Lumen will ensure that it has undertaken appropriate due diligence with respect to such subprocessor, and will ensure the subprocessor enters into a written agreement on terms which provide that the subprocessor has equivalent obligations to those set out in this DPA. Lumen will remain fully liable to Customer for any breach of such obligations by the subprocessor. The Customer generally authorizes Lumen to appoint subprocessors in accordance with the terms of this DPA and the Agreement.
2. Lumen will maintain an up to date list of its subprocessors available at https://www.lumen.com/en‑us/about/legal/trust‑center/processing‑lumenservices.html and will inform Customer with details of any intended change in subprocessors at least 30 days prior to any such change. The Customer may object to Lumen’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds. In such event, Lumen will either not appoint or replace the subprocessor or, if this is not possible, the Customer may terminate the applicable Service (without prejudice to any fees incurred by the Customer prior to termination).
6. Cooperation.
1. Lumen will, in so far as is possible, promptly notify Customer of any inquiry, complaint notice or other communication it receives from any supervisory authority, or from any Data Subject relating to the Services (including any requests to access, correct, delete, block or restrict access to their Personal Data or receive a machine‑readable copy thereof) and, insofar as is possible and to the extent technically feasible, assist Customer with Customer’s obligation to respond to any notification or Data Subject rights request in accordance with the timeframes set out in the Data Protection Laws.
2. If Customer reasonably believes that Lumen’s processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, Lumen will, on request from Customer, assist Customer in connection with any data protection impact assessment and prior consultation, that may be required under Data Protection Laws, taking into account the nature of the processing and the information available to Lumen. This assistance from Lumen may be subject to additional, mutually agreed fees and terms.
7. Breach Reporting. Lumen will notify Customer without undue delay on becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of Customer using the Services, and thereafter co‑operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. Lumen will provide reasonable assistance to Customer with respect to any breach reporting obligations Customer may have, and provide additional information relating to such breach as Customer may reasonably require. The parties will agree in advance and in writing on any material remediation responsibilities and costs that exceed Lumen’s standard incident response process.
8. Audits. Lumen will maintain all information necessary to demonstrate compliance with its obligations identified in this DPA and a written record of all processing of Personal Data on behalf of Customer and, upon reasonable request grant Customer and its auditors and agents a right of access to and to take copies of records relating to compliance and all processing of such Personal Data on behalf of Customer in order to assess whether Lumen has complied with its obligations in respect of the processing of Personal Data. Upon reasonable notice, Lumen will allow Customer to, or where applicable, will cooperate with Customer and Lumen’s third‑party providers to arrange for access to premises and other materials and personnel and will provide reasonable assistance in order to assist Customer in exercising its audit rights under this clause provided that: (i) such access will occur at a mutually agreeable time and the scope of the visit will be mutually agreed upon; (ii) such access will not unreasonably interfere with Lumen’s operations; and (iii) access to Lumen premises, documentation and systems will be subject to Lumen’s reasonable access requirements and security policies.
9. Transfers. Lumen will not transfer any Personal Data outside the EEA except to the extent authorized by Customer and in accordance with this paragraph. At the date of this DPA Customer authorizes Lumen to transfer Personal Data outside the EEA, including to the United States, for the specific purpose of providing Services and performing its obligations under the Agreement. Such transfer will be subject to the Standard Contractual Clauses (in the form adopted pursuant to Regulation (EU) 2016/679).
10. Damages Cap. NOTWITHSTANDING ANYTHING TO THE CONTRARY ELSEWHERE IN THE AGREEMENT, THE TOTAL AGGREGATE LIABILITY FOR EACH PARTY ARISING OUT OF OR RELATED TO THIS ADDENDUM WILL BE LIMITED TO THE TOTAL MRCs AND USAGE CHARGES PAID OR PAYABLE BY CUSTOMER TO LUMEN IN THE 12 MONTHS IMMEDIATELY PRECEDING THE OCCURRENCE OF THE EVENT GIVING RISE TO THE CLAIM. IN ADDITION, LUMEN WILL NOT BE LIABLE UNDER THIS ADDENDUM TO THE EXTENT ANY LIABILITY IS CAUSED BY OR CONTRIBUTED TO BY ANY PARTY OTHER THAN LUMEN OR ITS SUBPROCESSORS.
11. Future Amendments. The parties may amend this DPA at any time during the term of the Agreement by written agreement if necessary to comply with any legal requirement or guidance from a supervisory authority, or if required to take account of any changes to the processing of Personal Data pursuant to the Agreement.