Last Updated: January 21, 2020
This Oculus for Business Data Processing Addendum (“Addendum”) supplements the Oculus for Business Enterprise Use Agreement, available at https://www.oculusforbusiness.com/enterprise-use-agreement/ (the “Agreement”) between you and Facebook Technologies Ireland Limited (“Oculus”). This Addendum applies solely to the extent that Personal Data (as defined below) collected pursuant to the Agreement is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”). In the event of any inconsistency between the Agreement and this Addendum pertaining to privacy and Personal Data, this Addendum prevails.
Within this Addendum, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as are defined in the GDPR. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”. All other defined terms herein (such as “you” and “Oculus”) shall have the same meanings as are defined in the Agreement.
- Data Processing
- As between the parties, you shall be the Controller of any Personal Data within the content or data that your Authorized Users submit, post or provide to the Enterprise Software, or usage or functional information that we process regarding how your Authorized Users interact with the Enterprise Software (“Your Personal Data”), and Oculus shall be the Processor of Your Personal Data.
- In conducting its activities as Processor under this Addendum in relation to Your Personal Data, Oculus confirms that:
  - the duration, subject matter, nature and purpose of the Processing shall be as specified in the Agreement;
  - the types of Personal Data Processed shall include those specified in the Oculus for Business Privacy Disclosure, available at https://www.oculus.com/legal/enterprise-privacy-disclosure/;
  - the categories of Data Subjects include your representatives, Authorized Users and any other individuals identified or identifiable by Your Personal Data; and
  - your rights as Controller in relation to Your Personal Data are as set out in this Addendum.
- To the extent that Oculus Processes Your Personal Data under or in connection with the Agreement, Oculus shall:
  - only Process Your Personal Data in accordance with your instructions as set out under the Agreement, including this Addendum, subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
  - ensure that those of its employees authorised to Process Your Personal Data under this Addendum have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
  - implement the technical and organisational measures designed to protect Personal Data against anticipated threats or hazards to their security, confidentiality or integrity;
  - respect the conditions referred to below in Sections 2.d and 2.e of this Addendum when appointing sub-Processors;
  - assist you by implementing appropriate technical and organisational measures, insofar as this is possible through Oculus for Business, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of GDPR;
  - on termination of the Agreement, delete Your Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained; and
  - make available to you the information described in this Addendum and via the Products in satisfaction of Oculus’ obligation to make available all information that is necessary to demonstrate compliance with the obligations of Oculus under Article 28 GDPR.
- You authorise Oculus to subcontract its data Processing obligations under this Agreement to its affiliates, and to other third parties, a list of which Oculus will provide to you upon your written request. Oculus shall do so only by way of a written agreement with such sub-Processor which imposes obligations on the sub-Processor that are no less protective of Your Personal Data than the obligations imposed on Oculus under this Agreement. Where that sub-Processor fails to fulfil such obligations, Oculus shall remain fully liable to you for the performance of that sub-Processor's data protection obligations, in accordance with the Agreement.
- Where Oculus engages an additional or replacement sub-Processor(s), Oculus shall inform you of such additional or replacement sub-Processor(s) no later than fourteen (14) days in advance of the appointment of such additional or replacement sub-Processor(s). You may object to the engagement of such additional or replacement sub-Processor(s) within fourteen (14) days of being so informed by Oculus by terminating the Agreement immediately on written notice to Oculus.
- Oculus shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Authorized Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.
- In conducting its activities under the Agreement, Oculus may transfer Your Personal Data to various locations, which may include locations both inside and outside of the European Economic Area (“EEA”), including to Facebook Technologies, LLC in the U.S. Oculus and Facebook Technologies, LLC in the U.S. have entered into an agreement to facilitate such transfer of Personal Data between them.