Niantic Controller-Controller Data Processing Agreement
Effective Date: April 6, 2021
Niantic and you, the party agreeing to these terms (“Customer”), have entered into an agreement for access to and use of the Niantic Developer Platform and/or the Niantic SDK (collectively herein, the “Niantic Developer Platform”), as amended from time to time (the “License Agreement”). These Controller-Controller Data Processing Agreement (the “Controller Agreement”) is entered into between you and Niantic, together with any attachments and appendices, and are incorporated by reference into the License Agreement.
This Controller Agreement reflects the parties’ agreement on the processing of Controller Personal Data in connection with the Applicable Data Protection Law.
For the purposes of this Controller Agreement:
“Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.
“Applicable Data Protection Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this Controller Agreement is subject and which is applicable to a party’s information protection and privacy obligations. For the avoidance of doubt, Applicable Data Protection Law shall include without limitation the General Data Protection Regulation (Regulation 2016/679).
“Controller Data Subject” shall mean any individual to whom Controller Personal Data relates.
“Controller Personal Data” shall mean any information processed by a party under the Agreement in connection with your access to or use of the Niantic Developer Platform and/or the Niantic SDK that identifies an individual or directly or indirectly relates to an identifiable individual.
“Niantic” means Niantic, Inc. if you reside in the United States, or Niantic International Ltd. if you reside outside of the United States.
The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in this Controller Agreement have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
ROLES AND RESTRICTIONS
- Each party to this Controller Agreement: (a) is an independent controller of Controller Personal Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Controller Personal Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Controller Personal Data. Nothing in this Section 2 shall modify any restrictions applicable to either party’s rights to use or otherwise process Controller Personal Data under your License Agreement or other agreements with Niantic, and you will process Controller Personal Data solely and exclusively for the purposes specified in such License Agreement or other agreements.
Either party may transfer Controller Personal Data to third countries if it complies with the provisions on the transfer of personal data to third countries in the Applicable Data Protection Law.
Where a party receiving Controller Personal Data is located in a country not recognized by the European Commission as providing an adequate level of protection for Personal Data within the meaning of EU Data Protection Law, no Controller Personal Data processed within the European Economic Area, the United Kingdom or Switzerland (“EEA”), by either of the parties pursuant to this Controller Agreement shall be exported outside the EEA (or transferred onward to another non-EEA location) without a legally recognized transfer mechanism, such as the Standard Contractual Clauses. To that end, the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC are hereby incorporated by reference, provided that Annex B of the Standard Contractual Clauses shall be deemed completed as set forth in Attachment 1 to this Controller Agreement.
SECURITY AND CONFIDENTIALITY
Each party shall implement appropriate technical and organisational measures to protect the Controller Personal Data from a possible or actual unauthorized access or disclosure, unauthorized, unlawful or accidental loss, destruction, acquisition of or damage to Personal Information, or any other breach of Applicable Data Protection Law or Controller Agreement in relation to the Processing of Personal Information by any current or former employee, contractor or agent of Customer or by any other person or third party (“Security Incident”).
In the event that a party experiences a Security Incident, it shall notify the other party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Security Incident. Nothing herein prohibits either party from providing notification of the Security Incident to regulatory authorities as may be required by Applicable Data Protection Laws prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay. Each party shall ensure that all of its personnel who have access to and/or process Controller Personal Data are obliged to keep the Controller Personal Data confidential.
Niantic may from time to time add new components to the Niantic Developer Platform. As a result, Niantic may subject your continued use of the Niantic Developer Platform to your acceptance of additional or amended terms, including amendments to this Controller Agreement. In case of a conflict between this Controller Agreement and additional terms applicable to a given component of the Niantic Developer Platform, this Controller Agreement will control.
TERM AND TERMINATION
This Controller Agreement shall be effective as of the date on which Customer clicked to accept or the parties otherwise agreed to this Controller Agreement. Notwithstanding anything to the contrary in the License Agreement, the obligations pursuant to this Controller Agreement shall survive termination of the License Agreement for as long as you hold or process Controller Personal Data.
The liability of the parties under or in connection with this Controller Agreement will be subject to the exclusions and limitations of liability in the License Agreement.
This Controller Agreement shall be governed by the laws of the jurisdiction specified in the License Agreement. Notwithstanding the foregoing and anything to the contrary in the License Agreement, if Applicable Data Protection Laws require application of the laws of another jurisdiction to this Controller Agreement, such laws shall govern.
The parties agree that Affiliates are intended third party beneficiaries of this Controller Agreement and that the provisions of this Controller Agreement are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all processing and transfer provisions of this Controller Agreement as if each was a signatory to this Controller Agreement.
Each party warrants that the execution and performance of its obligations under this Controller Agreement do not conflict with or violate any other instrument, contract, agreement, or other commitment or arrangement to which it is a party or by which it is bound, and that it knows of no other fact or circumstance that prevents it from entering into this Controller Agreement.
ANNEX B TO THE STANDARD CONTRACTUAL CLAUSES
DESCRIPTION OF THE TRANSFER
(Capitalized terms used in this Annex are as defined in the Controller Agreement)
Depending on the nature of the access to or use of the Niantic Developer Platform, data subjects may include individuals: (a) who are customers or users of the products or services of Customer; (b) who are customers or users of the products or services of Niantic; and/or (c) who have visited specific websites or applications in connection with access to or use of the Niantic Developer Platform.
Purposes of the transfer(s)
Categories of data
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Special data (if appropriate)
Data protection registration information of data exporter (where applicable)
When required under applicable data protection law, the data exporter will file relevant registration(s) in its relevant location(s).
Additional useful information (storage limits and other relevant information)
Contact points for data protection enquiries
Niantic, Inc. or Niantic International Ltd.: contact details as stated in the License Agreement.