Spotify for Backstage

DATA PROCESSOR APPENDIX

LAST UPDATED: July 1, 2024
This Data Processor Appendix (“DPA”) shall apply if and to the extent Spotify or an Affiliate of Spotify processes Personal Data on behalf of you (or the “Customer”), where the Customer is an independent Controller, and Spotify or an Affiliate of Spotify is a Processor. The parties agree that this DPA shall be incorporated into and form part of the Agreement.
  1. Definitions. For the purposes of this DPA:
    “Controller”, “Processor”, “Data Subject”, “Personal Data”, and “Personal Data Breach” shall mean as defined in the Data Protection Legislation (“GDPR”);
    "Affiliate" shall mean any entity that directly or indirectly controls, is controlled by, or is under common control with a Party;
    "Agreement" shall mean the Supplemental Hosting Terms between Spotify and the Customer to which this DPA is linked;
    "Business Day" shall mean a day (other than a Saturday, Sunday or public holiday) on which commercial banks are open for general banking business in Sweden, other than for Internet banking services only;
    "Data Protection Legislation" shall mean all data protection and privacy legislation applicable to the Parties, which for the avoidance of doubt shall include the EU General Data Protection Regulation 2016/679 (“GDPR”);
    "Force Majeure" shall mean as defined in Section 8;
    "Party/Parties" shall mean the Customer and Spotify separately, or jointly, as the case may be; and
    "Service" shall mean the Managed Service, as defined by the Agreement.
  2. Undertakings of the Parties.
    1. Roles, ownership of Personal Data, processing, and purpose. For the purposes of processing the Customer’s Personal Data under the Agreement, the Customer shall be regarded as a Controller and Spotify shall be regarded as a Processor. Spotify may only process the Customer’s Personal Data for the purposes and to the extent it is necessary for the fulfillment of Spotify’s obligations under the Agreement.
    2. Undertakings of the Customer. The Customer undertakes to:
      1. Ensure that under the Data Protection Legislation there is a legally valid ground for processing the Personal Data covered by this DPA;
      2. Ensure that the Data Subjects, as required by the Data Protection Legislation, have received sufficient information regarding the processing, including information that Spotify may process the Personal Data on behalf of the Customer;
      3. Immediately after it is brought to the Customer’s attention, inform Spotify of any erroneous, rectified, updated, or deleted Personal Data subject to Spotify’s processing; and
      4. In a timely manner, provide Spotify with lawful and documented instructions regarding Spotify’s processing of Personal Data.
    3. Undertakings of Spotify. Spotify undertakes to:
      1. Ensure that such employees (of Spotify or its subcontractors) which process Personal Data on behalf of the Customer have contractually committed themselves to confidentiality;
      2. Take all measures required pursuant to GDPR, Article 32, as applicable;
      3. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Legislation;
      4. Except in cases of Personal Data Breach, upon a timely request by the Customer, assist the Customer in ensuring compliance with the obligations pursuant to GDPR, Articles 32 to 36 (as applicable);
      5. Notify Customer without undue delay on becoming aware of a Personal Data Breach, and take reasonable steps to mitigate the impact of any such Personal Data Breach and to reasonably cooperate with Customer to enable Customer to comply with its obligations under Applicable Laws. To the extent necessary and reasonably requested by Customer, Spotify will, at Customer's expense, assist Customer with its required notification obligations under Applicable Laws; and
      6. Make available to the Customer the information necessary to demonstrate compliance with Spotify’s obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another third party mandated by it, in accordance with Section 5.
    Spotify shall immediately inform the Customer if, in its opinion, an instruction issued by the Customer infringes the Data Protection Legislation.
  3. Subcontractors.
    1. The Customer authorises Spotify to appoint (and permit each sub-Processor appointed in accordance with this Section 3 to appoint) sub-Processors in accordance with this Section 5. Spotify may continue to use those sub-Processors already engaged by Spotify as of the effective date of this DPA. Spotify has entered or will enter into a written agreement with each sub-Processor containing data protection obligations substantially similar to those in this DPA with respect to the protection of Customer’s Personal Data to the extent applicable to the nature of the services provided by such sub-Processor.
    2. Spotify may appoint its Affiliates as sub-Processors at any time. Spotify will give the Customer written notice of the appointment of any new or replacement sub-Processors. Customer has five (5) business days from the receipt of that notice to object in writing (on reasonable grounds) to the proposed appointment. Spotify will not appoint (or disclose any of Customer’s Personal Data to) that proposed sub-Processor until reasonable steps have been taken to address Customer’s objections or permit Customer to terminate the Agreement.
  4. Data Transfers.
    The EU standard contractual clauses adopted by decision of 4 June 2021 document number C/2021/3972 (Module 2, Controllers to Processors) (“SCCs”) shall apply to any transfers of Personal Data under this DPA from the European Union (“EU”) and the European Economic Area (“EEA”) to countries which do not ensure an adequate level of data protection within the meaning of Applicable Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Laws.
    The parties agree that Customer is the “data exporter” and Spotify is the “data importer” as defined in the SCCs.
    For the purposes of Annex I of the Appendix to the SCCs, the following will apply:
    A: List of Parties. The names and contact details of the parties shall be as set out in the applicable order form or Customer intake form for the services.
    B: Description of Transfer.
    1. Data subjects: Users of the Service; customers, employees, contractors and other agents of the Customer.
    2. Categories of data: As provided for in the Agreement.
    3. Sensitive data: None.
    4. Frequency of transfer: Continuous.
    5. Nature and purpose of processing: To provide the Service under the Agreement.
    6. Period for which data will be retained: To the extent required to provide the Service under the Agreement.
    C: Competent Supervisory Authority. The relevant competent supervisory authority(ies) for the Customer as data exporter as applicable.
    For purposes of Annex II of the Appendix to the SCCs, the following will apply:
    Data importer shall undertake appropriate technical and organizational security measures to protect personal data against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures should take into account available encryption technology and the costs of implementing the specific measures and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.
    The parties further agree that: (i) option 2 in clause 9 of the SCCs shall apply for the general authorisation for the use of sub-Processors with a time period of thirty days for notice of the addition or replacement of sub-Processors; (ii) the optional additional clauses of the SCC shall not apply; and (iii) the laws and courts of Sweden shall apply for the purposes of clause 17 of the SCC. Information for the purposes of impact assessments is available if requested.
  5. Audit Rights.
    Spotify will, during normal business hours and upon reasonable notice make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the Data Protection Legislation (including processing that may be carried out by Spotify’s subcontractors, if any) and allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
    Spotify accepts and agrees that supervisory authorities may request information from Spotify, and carry out investigations in the form of data protection audits of Spotify, in accordance with Data Protection Legislation.
    The Customer is responsible for all reasonable costs associated with the audit, save for when the audit concludes a material breach of Spotify’s undertakings in violation of this DPA. If so, Spotify shall compensate the Customer for reasonable and verified costs associated with the audit.
  6. Termination of the Service.
    Upon termination of the Service provided under the Agreement, Spotify shall, upon the Customer’s request, return all Personal Data in Spotify’s possession to the Customer or securely destroy such Personal Data and demonstrate to the satisfaction of the Customer that it has taken such measures, unless storage of the Personal Data is required under Data Protection Legislation.
  7. Liability.
    Each Party shall compensate the other Party for all losses due to claims from third parties resulting from, arising out of, or relating to any breach by such first-mentioned Party of this DPA. Notwithstanding the above, Spotify shall not be held liable for indirect losses, including damages and/or consequential damages such as loss of profit or revenue, or other economic losses incurred pursuant to this DPA, except in cases of wilful intent or gross negligence on the part of Spotify. Spotify’s total liability towards the Customer under this DPA shall never exceed the greater of 100 EURO or the amounts, if any, paid to Spotify pursuant to the Agreement during the last twelve (12) months’ period.
  8. Force Majeure.
    Spotify shall not be liable for any default or delay in the performance of its obligations under this DPA if and to the extent the default or delay is caused by circumstances that are outside Spotify’s control and that Spotify could not reasonably have foreseen or prevented by reasonable precaution (“Force Majeure”). A failure by a subcontractor will be considered a Force Majeure event provided that the underlying reason for the subcontractor’s non-performance is an event which, if it had been related directly to Spotify, would have qualified as a Force Majeure event under this DPA.
  9. Miscellaneous.
    Spotify may assign this DPA, and its rights and obligations hereunder, to any Spotify Affiliate without the Customer’s consent. The Customer may not assign this DPA, or any of its rights and obligations hereunder, without Spotify’s prior written consent.