Data Protection and Security Requirements

These data protection and security requirements (“Requirements”) govern all services provided to CBS Corporation or its Affiliate(s) (individually or collectively, as the context may require, “CBS”) by suppliers, service providers and business partners (“Supplier(s)”) under one or more agreements with Supplier (each, an “Agreement”). In the event of any conflict between these Requirements and any Agreement, these Requirements shall govern unless otherwise agreed in writing by the parties.

  1. Definitions. For purposes of these Requirements, initially capitalized terms that appear in these Requirements are used with the meanings ascribed herein (whether or not such terms are otherwise defined in an Agreement), including as follows:
    1. “Affiliate” means an entity that, directly or indirectly, controls, is controlled by, or is under common control with a party, either now or in the future. For the purposes of this definition, ‘control’ means ownership of fifty percent (50%) or more of the outstanding shares having voting rights, or management or operational control by agreement or otherwise. Affiliates of CBS are limited to CBS Corporation and its direct and indirect subsidiaries;
    2. “Authorized Recipients” means employees, contractors, agents, and auditors who need to access CBS Data for Supplier to perform its obligations under the Agreement, and who are bound by confidentiality agreements that impose obligations and restrictions consistent with Supplier’s adherence to these Requirements;
    3. “CBS Data” means data or information provided or otherwise made available to Supplier or any of its employees, agents or contractors by CBS or by any other party in connection with the Agreement, as well as all data and works derived from or based on such data or information;
    4. “Data Law” means, as in effect from time to time, all provisions of constitutions, statutes, rules, regulations and orders of governmental bodies or regulatory agencies applicable to Supplier or CBS anywhere in the world relating to data security, data protection and/or privacy;
    5. “Data Subject” means a natural person who can be identified by reference to CBS Data, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    6. “Personal Data” means any information in the CBS Data relating to a Data Subject;
    7. “Process” or “Processing” means any operation or set of operations performed on CBS Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    8. “Remediation Efforts” means, with respect to any Security Incident, activities designed to remedy a Security Incident which may be required by a Data Law or by Supplier’s or CBS’s policies or procedures, or which may otherwise be necessary, reasonable or appropriate under the circumstances, commensurate with the nature of such Security Incident. Remediation Efforts may include: (i) development and delivery of notices to individuals or entities whose interests may be impacted (including Data Subjects whose Personal Data was affected); (ii) establishment and operation of websites, toll-free hotlines, and other services to provide related information and assistance to the public; (iii) procurement of credit monitoring, credit or identity repair services and identity theft insurance from third parties that provide such services for affected Data Subjects; (iv) cooperation with and response to regulatory, government and/or law enforcement inquiries and other similar actions; (v) undertaking of investigations (whether conducted internally or in cooperation with a governmental body) of such Security Incident, including forensics; (vi) public relations and other crisis management services; and (vii) cooperation with and response to litigation with respect to such Security Incident (including, but not limited to, class action suits or similar proceedings);
    9. “Security Incident” means, with respect to any CBS Data: (i) the unauthorized or unlawful destruction, alteration, disclosure, grant of access to, corruption, transfer, sale, rental, or other Processing of any portion of such CBS Data; (ii) any act or omission that compromises the security, confidentiality or integrity of such CBS Data or any safeguards put in place to protect the same; (iii) any failure by Supplier to adhere to these Requirements; or (iv) any attempt to cause any of the events described in clauses (i)-(iii); and
    10. “Security Policies” means Supplier’s written security policies or procedures, including those provided to and approved in writing by CBS from time to time.
  2. Rights and Use of CBS Data. Except as expressly provided in an Agreement: (i) Supplier acknowledges that, as between Supplier and CBS, CBS owns all right, title and interest in and to the CBS Data; (ii) CBS does not grant any license, permission, or other interest in or to the CBS Data to Supplier; and (iii) Supplier shall not disclose or Process CBS Data for any purpose that is not approved in writing by CBS (except as required by applicable law, provided that Supplier notifies CBS of any obligation to do so as soon as possible and, at CBS’s request, uses best efforts to cooperate with CBS to lawfully resist or minimize any such obligation).
  3. Compliance with Data Law and Security Policies. Supplier shall at all times comply with: (i) Data Law applicable to all Services and Processing; and (ii) the Security Policies.
  4. Description of Processing. The types of CBS Data, the categories of Data Subjects to whom that CBS Data relate, and the Processing operations carried out by Supplier will be as set out in or contemplated by the Agreements. The duration of the Processing shall be for the term of or as permitted by the Agreements. The subject matter and the objective of the Processing shall be the Processing of CBS Data as necessary for Supplier to perform the services to CBS pursuant to the Agreements.
  5. Supplier Obligations. In Processing CBS Data on behalf of CBS in connection with the provision of the Services, Supplier shall:
    1. Process CBS Data solely for the purpose of performing its obligations under the Agreement and in accordance with CBS’s documented instructions and not for any other purpose, unless required to do so by applicable law to which Supplier is subject, in which case Supplier shall inform CBS of that legal requirement before commencing Processing;
    2. immediately inform CBS if Supplier is of the opinion that an instruction of CBS regarding the Processing of Personal Data infringes Data Law;
    3. keep the CBS Data confidential and maintain reasonable organizational, physical, technical and administrative safeguards to protect CBS Data that are no less rigorous than accepted industry practices as they pertain to the Services and Processing of CBS Data, including without limitation ISO 27001 (Information Security Management Systems), ISO 27002 (Code of Practice for Information Security Controls), applicable NIST standards and guidelines and, if applicable, the most current Payment Card Industry Data Security Standard (including the Payment Application Data Security Standard);
    4. not engage any subcontractor unless expressly permitted by the Agreement or otherwise approved by CBS, provided that Supplier remains fully liable for the acts and omissions of its subcontractors. Supplier shall inform CBS of any intended changes to such subcontractors, and if CBS objects to such changes, CBS may terminate the Agreement to which the proposed subcontracting relates;
    5. ensure that (i) except as otherwise expressly approved by CBS, only Authorized Recipients use, obtain copies of, or have access to CBS Data; and (ii) all Authorized Recipients comply with Supplier’s obligations under these Requirements;
    6. notify CBS, without undue delay (and in any event within 24 hours), of: (i) any request for information from or complaint by a regulatory authority in relation to CBS Data that Supplier Processes for the purpose of performing its obligations under the Agreement; and (ii) any request to Supplier by a Data Subject to exercise rights under Data Law; and Supplier shall not respond to any of the requests in the foregoing (i) or (ii) without the prior written approval of CBS unless otherwise required by applicable law;
    7. provide all assistance to CBS as is reasonably necessary for CBS to meet its obligations under Data Law (including in respect of Data Subject rights and data breach notification requirements);
    8. provide CBS with all information necessary to demonstrate compliance with Data Law and allow CBS or an auditor mandated by CBS to audit compliance with these Requirements from time to time upon CBS’s request, subject to agreement on the scope, duration and timing of the audit (Supplier’s agreement not to be unreasonably withheld, delayed or conditioned);
    9. retain CBS Data only for as long as necessary to perform the Services or as required by applicable law, and thereafter promptly return or destroy all copies of CBS Data in Supplier’s possession or control, notify CBS in writing once completed, and certify as to its compliance with these Requirements if so requested by CBS; provided that where continued storage or Processing of copies of the CBS Data is required by applicable law, Supplier shall so inform CBS and these Requirements will continue to apply in their entirety to such CBS Data and Supplier’s Processing thereof; and
    10. Process CBS Data only at physical locations and/or jurisdictions approved in writing by CBS prior to any such Processing.
  6. Security Incidents. If Supplier becomes aware of a Security Incident, or information that should reasonably lead Supplier to suspect a Security Incident has occurred, Supplier shall notify CBS without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible: the segment and quantity of CBS Data affected (including whether Personal Data was affected), the categories and approximate number of Data Subjects affected, the nature of the intrusion (if applicable) and any indication of likely unauthorized use of CBS Data, and the corrective action taken or to be taken by Supplier. Following any Security Incident, Supplier shall consult in good faith with CBS regarding Remediation Efforts that may be necessary and reasonable. Supplier shall (i) undertake Remediation Efforts requested by CBS or any government agency with jurisdiction over Supplier, in either case at Supplier’s sole expense, (ii) ensure and provide assurance (including written evidence) to CBS that reasonable measures were and are being taken to prevent recurrence of the same or similar type of Security Incident, and (iii) reasonably cooperate with any Remediation Efforts undertaken by CBS. Without limiting CBS’s other rights hereunder, Supplier shall reimburse CBS for all costs of Remediation Efforts incurred by CBS as a result of any Security Incident that occurs with respect to CBS Data while under the control or possession of Supplier or Authorized Recipients.
  7. Survival. The obligations, restrictions and other terms in these Requirements shall survive expiration or termination of any Agreement.