DATA PROCESSING ADDENDUM

This Data Processing Addendum (this “DPA”) is effective as of June 1, 2023, by and between American Campus Communities Services, Inc., and any other relevant property or properties (together, “ACC” or “Controller”) and any service provider or contractor (a “Service Provider”) identified in a relevant agreement or service contract with us (“Agreement”).  This DPA may refer to Controller and Service Provider each as a “Party” and collectively as the “Parties.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

1. INTRODUCTION

1.1. This DPA is incorporated into the Agreement between Controller and Service Provider and is intended to reflect the Parties’ agreement with regard to the Processing (including the collection, use, retention, and sharing) of Personal Data and Personal Information (as defined below).

1.2. Service Provider collects, receives, and/or is granted access to Personal Data and Personal Information in connection with the provision of the services under the Agreement.

1.3. To comply with applicable data protection and privacy legislation, including Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”) and laws implementing or supplementing the GDPR, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018, as amended by the Data Protection Act 2018 (the “UK GDPR”), the California Privacy Laws (as defined below), and similar data protection and privacy laws that are in effect or come into effect during the term of the Agreement and apply to the Personal Data or Personal Information Processed in connection with the Agreement, Controller requires Service Provider to agree to this DPA.

1.4. Controller and Service Provider wish to agree to this DPA, and have it apply to the Agreement, on the terms and conditions stated below.

1.5. The obligations and rights of Controller and Controller’s affiliates (as applicable) are set out in the Agreement and this DPA.

2.  DEFINITIONS
In addition to capitalized terms defined in the Agreement, the following terms shall have the following meanings:

2.1  “Applicable Law” means any applicable (a) statute, regulation, regulatory requirement, bylaw, ordinance, subordinate legislation, or other law (regardless of its source), mandatory guidance, or code of practice (including in each case any judicial or administrative interpretation of it) in force from time to time in any applicable jurisdiction (including Data Protection Laws); or (b) judgment of a relevant court of law or sanction, directive, order, or requirement of any regulatory authority.

2.2 “Business”, “Business Purpose”, “Consumer”, “Sell”, “Service Provider”, and “Share” shall have the meanings given to such terms in the California Privacy Laws.

2.3 “California Privacy Laws” means the California Consumer Privacy Act of 2018, as amended (including by the California Privacy Rights Act), and including any regulations promulgated thereunder.

2.4 “Controller,” “Data Subject,” “Personal Data Breach,” “Processing (and its cognates),” “Processor,” and “Supervisory Authority” shall be interpreted in accordance with the GDPR or other applicable Data Protection Laws in the relevant jurisdiction. The terms “Controller” and “Processor” as used herein shall refer to “Business” and “Service Provider”, respectively, as defined under the California Privacy Laws.

2.5 “Data Protection Laws” means the GDPR, the UK GDPR, Directive 2002/58/EC, and any laws and/or regulations implementing or made pursuant to them, or which amend, replace, re-enact or consolidate any of them, the California Privacy Laws, and all other Applicable Laws relating to the Processing of Personal Data or Personal Information and privacy that may exist in any relevant jurisdiction, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act.

2.6 “Personal Data” means any information relating to an identified or identifiable Data Subject that is collected, transferred, or Processed in connection with the Agreement and this DPA, and that is classified as personal data under the applicable Data Protection Laws (as amended or replaced from time to time), or as specified in the Agreement.

2.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data or Personal Information transmitted, stored, or otherwise Processed. The term “Personal Data Breach” also includes any unauthorized or unlawful act or omission that compromises either the security, confidentiality or integrity of any Personal Data or Personal Information or the physical, technical, administrative or organizational safeguards put in place by Service Provider to protect the security, confidentiality or integrity of Personal Data or Personal Information.

2.8 “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with persons or entities who are Consumers, or prospective, former, or existing customers or employees of Business or its affiliates that Service Provider receives or derives in any manner from any source in the course of performing its obligations under the Agreement. By way of example, Personal Information includes, without limitation, names, addresses, telephone numbers, email addresses, dates of birth, payment card numbers, location information, IP addresses or other device identifiers, financial account information, or inferences about individuals or Consumers derived from Personal Information, or as otherwise classified as personal information under the California Privacy Laws.

2.9 “Standard Contractual Clauses” means: (i) where the GDPR applies, the “standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679” as set out in European Commission Implementing Decision (EU) 2021/914 or that may be subsequently adopted by the European Commission; and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under the UK GDPR.

2.10 “Sub-processor” means an entity engaged by a Service Provider who agrees to receive from the Service Provider Personal Data or Personal Information exclusively intended for the Processing activities to be carried out under the Agreement.

2.11 “Third Countries” means countries outside of the European Union/European Economic Area (“EEA”)/United Kingdom (“UK”) which are not recognized as countries providing adequate protection of Personal Data.

3.  INTERPRETATION

3.1 For purposes of this DPA, ACC may act as a “Controller” or a “Business”, or it may act as a “Processor” or “Service Provider” of Personal Data and/or Personal Information. Service Provider therefore acknowledges that it may act as a “Processor” or “Sub-processor” or “Service Provider” of ACC. Where ACC acts as a “Processor” or “Service Provider”, ACC is obligated contractually and/or under Applicable Law to impose certain data protection-related obligations on its appointed “Sub-processors” or “Service Providers”. Therefore, all obligations placed on the “Processor” in this DPA shall apply to Service Provider regardless of ACC’s particular role and whether Service Provider acts as a “Processor” or “Sub-processor” or “Service Provider”.

3.2 The provisions of this DPA (in particular, the provisions regarding governing law and jurisdiction) apply to this DPA. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions contained in this DPA shall prevail to the extent of the inconsistency, provided always that nothing in this DPA shall permit Service Provider to Process Personal Data or Personal Information in a manner prohibited by the Agreement, nor shall this DPA narrow or reduce the scope of any Service Provider obligations under the Agreement (including the definitions in the Agreement applicable to Personal Data, Personal Information, or Personal Data Breach). The Parties hereby agree that the Agreement is amended accordingly to give effect to this Section 3.2.

3.3 To the extent that a term of this DPA requires the performance by a Party of an obligation “in accordance” (or similar terms) with Data Protection Laws, this term requires performance in accordance with such Data Protection Laws as is in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under applicable Data Protection Laws, it shall not apply until it is so required.

4. PROCESSING

4.1 Processing Personal Data and Personal Information. The Parties agree that the subject matter and details of Processing of Personal Data are set forth in the Agreement and/or this DPA (including Annex 1). Service Provider shall Process Personal Data and Personal Information for the duration of the Agreement (unless otherwise agreed in writing) only: (a) as necessary to effect Service Provider’s obligations under the Agreement; and/or (b) on documented and customary instructions from Controller, unless otherwise required by Applicable Law(s). Service Provider shall notify Controller if Service Provider believes such instruction(s) violate(s) applicable Data Protection Laws. Service Provider shall comply with the obligations that apply to it under applicable Data Protection Laws for the duration of the Processing and shall immediately inform Controller if it can no longer meet its obligations under applicable Data Protection Laws, in which case, Controller shall have the right either to terminate the Agreement without penalty or take other reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data or Personal Information. Service Provider shall keep the Personal Data and/or Personal Information confidential.

4.2 Service Provider Personnel. Service Provider shall take reasonable steps to ensure that access to Personal Data and/or Personal Information is limited on a need to know/access basis, that only persons authorized by Service Provider have access to Personal Data and/or Personal Information, and that all Service Provider personnel (including Sub-processors) with such access are competent to handle the Personal Data and/or Personal Information and subject to confidentiality obligations with respect to such Personal Data and/or Personal Information.

4.3 Sub-Processing. Service Provider shall engage Sub-processors only with written authorization of Controller. With respect to any Sub-processor, Service Provider shall:

4.3.1 Ensure that the Sub-processor is committed, by written contract, to provide the level of protection for Personal Data and Personal Information (as applicable) required by the Agreement, this DPA, and applicable Data Protection Law(s);

4.3.2 Identify all Sub-processors used to Process Personal Data and/or Personal Information (as applicable), and provide Controller with prior notice and the opportunity to object to any changes to such Sub-processors; and

4.3.3 At all times remain liable for the acts and omissions of any Sub-processors it engages with respect to the processing of Personal Data and/or Personal Information.

4.4  Service Provider will receive from or on behalf of the Business Personal Information, pursuant to a Business Purpose as described in the Agreement or an applicable order. Service Provider will Process such Personal Information only for the agreed upon Business Purpose and within the direct business relationship with the Business as specified in the Agreement and will not retain, use or disclose such Personal Information for any purpose other than the specific purpose of performing the Services in the Agreement or combine such Personal Information with Personal Information that Service Provider receives from, or on behalf of, another person or persons, or collects from its own interactions with Consumers or individuals, unless such combining of Personal Information is expressly permitted by and carried out in strict accordance with applicable Data Protection Laws. Service Provider will not Sell or Share such Personal Information. Controller has the right to take reasonable and appropriate steps to ensure that Personal Data and/or Personal Information is used by Service Provider in accordance with Data Protection Laws and to stop and remediate unauthorized use of Personal Data and/or Personal Information.

4.5  Service Provider agrees that Personal Information subject to the terms and conditions of this DPA is made available to Service Provider to fulfill the applicable Business Purpose only, and is not being provided to or made accessible to Service Provider directly in exchange for monetary or other valuable consideration. Nothing about the Agreement or the Services involves a Sale or Sharing of Personal Data and/or Information under Data Protection Laws.

5.  DATA SUBJECT RIGHTS AND SERVICE PROVIDER ASSISTANCE
Service Provider shall implement and maintain technical and organizational measures to: (a) promptly assist Controller to fulfill Controller’s obligations regarding requests from individuals seeking to exercise their rights, as applicable, under applicable Data Protection Laws (e.g., rights of access, rectification/correction, erasure/deletion, restriction of Processing, data portability, objection, etc.) in relation to Personal Data or Personal Information; and (b) immediately notify Controller in writing if it receives a request from any individual seeking to exercise his or her rights, as applicable, under applicable Data Protection Laws regarding Personal Data or Personal Information Processed on behalf of Controller.

6.  INFORMATION SECURITY PROGRAM

6.1 Information Security. Service Provider shall implement reasonable and appropriate technical and organizational measures to provide an adequate level of security and protect Personal Data and Personal Information against unauthorized or unlawful Processing or a Personal Data Breach. Without limiting the foregoing, such technical and organizational measures must comply with and be as stringent as, the most protective standards set forth in the Massachusetts Data Security Regulations, 201 CMR 17 (the “Massachusetts Standards”), the New York SHIELD Act, or any U.S. State Law that, from time to time, sets forth greater protective standards than may be set forth in the Massachusetts Standards, and any applicable U.S. federal regulations, as such standards and regulations may be modified from time to time, and/or this DPA (including Annex 2) with respect to Personal Data and Personal Information.  Service Provider shall ensure that all personnel and relevant Sub-processors complete relevant training sufficient to operationalize the requirements in this Section 6, including, without limitation, security awareness training.

6.2 Personal Data Breach. In the event Service Provider becomes aware of a Personal Data Breach involving Personal Data or Personal Information, it shall:

6.2.1 Immediately (but in no event later than twenty-four (24) hours after discovery) notify Controller of (a) the nature of the Personal Data Breach and any actions taken (or proposed to be taken) to address or mitigate the Personal Data Breach; (b) the number of individuals, the location of the individuals potentially affected (if known) and types of Personal Data and Personal Information concerned; and (c) contact information for Service Provider’s data protection officer or other relevant contact who can provide additional information;

6.2.2  Assist Controller in meeting its obligations under applicable Data Protection Laws and, to the extent reasonable and applicable, its obligations to any third-party in connection with a Personal Data Breach;

6.2.3  Following the initial notice, provide to Controller weekly reports and updates describing the investigation into the Personal Data Breach, all corrective or remedial actions taken or to be taken by the Service Provider or its representative or agent, as the case may be, and promptly provide any further information that Controller may request in connection with the Personal Data Breach.  Service Provider will assist Controller to investigate and remedy any breach and any related dispute, inquiry, or claim; and

6.2.4  Assist Controller in complying with Applicable Law regarding notification of a Personal Data Breach. Unless required by law, Service Provider shall not provide notice of any Personal Data Breach to any party without prior written consent of Controller.

7.  DATA PROCESSING LOCATION
All Personal Data and Personal Information, including Personal Data originating from the European Economic Area and United Kingdom, must be Processed only in data centers located in the United States.

8.  TRANSFERS OUTSIDE THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA/UNITED KINGDOM
With respect to any Personal Data that has been or will be transferred outside the EEA or the UK and Processed pursuant to the Agreement, unless otherwise agreed to the contrary expressly in writing with Controller (such form of writing to refer expressly to this Section 8 of this DPA) Service Provider and Controller agree that such transfer will be subject to the appropriate Standard Contractual Clauses, and Service Provider represents, warrants and undertakes that it will (and will contractually require each of its Sub-processors to) implement procedures necessary to comply with all of the obligations under the Standard Contractual Clauses, to the extent enforceable against Service Provider. In the event from time to time that either: (a) the basis on which it transfers Personal Data originating from the EEA and/or UK changes (for example, by reason of Controller’s adoption of binding corporate rules or otherwise); or (b) the scope, content or validity of any data transfer mechanism used to legitimize any of Controller’s or any of its affiliates’, or Service Provider’s or any of Service Provider’s Sub-processors or affiliates’, Processing of such Personal Data outside of the EEA and/or UK is nullified, or required by applicable Data Protection Laws to be enhanced or amended (any such change, challenge, nullification, enhancement or amendment being a “Privacy Change”); then Service Provider agrees to cooperate with and follow Controller’s instructions regarding such Privacy Change.  Under no circumstances shall Service Provider be permitted to impose upon Controller obligations arising under any data transfer mechanism.

9.  DATA PROTECTION IMPACT ASSESSMENT AND OTHER OBLIGATIONS
In relation to Processing of Personal Data and/or Personal Information by Service Provider, Service Provider shall, at the written request of Controller:

9.1 Assist Controller with any assessments (including data protection impact assessments) or prior consultations with Supervisory Authorities, as required under applicable Data Protection Laws;

9.2  Maintain and make available to Controller all records of Processing and information necessary to demonstrate compliance with Service Provider’s obligations under applicable Data Protection Laws, this DPA, and the Agreement; and

9.3  Make available to Controller information necessary to demonstrate its compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by Controller. In the event that information provided by Service Provider or an audit performed by Controller reveals any unauthorized use of Personal Data or Personal Information by Service Provider or its Sub-processors, Controller shall have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use.

10.  DELETION OR RETURN OF PERSONAL DATA AND PERSONAL INFORMATION
Upon termination or expiration of the Agreement, at Controller’s option, Service Provider shall permanently and securely delete or return all Personal Data and Personal Information, including any existing copies thereof in Service Provider’s possession (and instruct its Sub-processors to do the same), unless Applicable Law(s) require(s) otherwise, in which case Service Provider shall continue to provide an adequate level of security and protection to the Personal Data and Personal Information and ensure it is Processed only to the extent required by Applicable Law(s).

11.  GENERAL

11.1 Severance. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.

11.2  Material Breach. Service Provider’s failure to comply with any of the provisions of this DPA is a material breach of this DPA and the Agreement. In such event, Controller may terminate the Agreement effective immediately upon written notice to Service Provider and Controller shall have no further liability or obligation to Service Provider.

11.3  Equitable Relief. Service Provider acknowledges that any breach of its covenants or obligations set forth in this DPA may cause Controller irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Controller is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court, in addition to any other remedy to which Controller may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive, but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this DPA to the contrary.

11.4  Indemnification. Service Provider shall defend, indemnify, and hold harmless Controller, and its subsidiaries, affiliates, and their respective officers, directors, employees, agents, successors, and permitted assigns (each, a “Controller Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers, arising out of or resulting from: (a) all costs and expenses associated with any Personal Data Breach reasonably determined to be the responsibility of Service Provider, including costs of containment, investigation, remediation, notification, and costs of credit monitoring and identity theft insurance; and (b) any third party claim or investigation against any Controller Indemnitee arising out of or resulting from (i) any breach by the Service Provider of its obligations under Data Protection Laws or this Agreement (including this DPA); or (ii) the Service Provider (or any person acting on its behalf) acting outside or contrary to the instructions of the Controller in respect of the Processing of Personal Data.

Annex 1:

Subject Matter and Details of Processing

Data Subjects: The Personal Data/Personal Information Processed may concern the following categories of individuals, as further specified in the Agreement:

  • Residents of the property name or ACC properties identified in the relevant Agreement

Categories of Data: The Personal Data/Personal Information Processed concern (but are not limited to) the following categories of data:

  • First and last name
  • Unit number
  • Physical/street address
  • Phone number
  • Other data reasonably required to implement the services and performance requested by Controller under the Agreement.

Processing Operations: The Personal Data/Personal Information Processed will be subject to the following Processing activities:

  • Processing activities in the performance of the services as set forth in the Agreement

Duration of Processing: The Personal Data/Personal Information will be Processed for the duration of the Term set forth in the Agreement.

Annex 2:

Technical and Organizational Security Measures

Description of the technical and organizational security measures implemented by Service Provider with respect to Personal Data.

Service Provider will adopt and maintain appropriate security, organizational and technical measures to protect against unauthorized or accidental loss or access, alteration, disclosure or destruction and all other unlawful forms of processing. Such measures shall be based on a recognized standard such as ISO 27001, the NIST Cybersecurity Framework, Version 1.1 or similar.

Service Provider will implement at least the following minimum security measures:

1. Service Provider must have access management controls commensurate with industry-standard best practices to prevent unauthorized use or abuse of Personal Data and systems.

2. Service Provider must have network security controls commensurate with industry-standard best practices to ensure Personal Data remains secure, available to authorized entities, and is protected against deliberate or unintentional alteration.

3. Service Provider must ensure that Personal Data remains secure throughout the lifecycle of the Agreement.

4. Service Provider must ensure that all devices that access Personal Data are secured.

5. Service Provider must have a centralized authentication management mechanism.

6. Service Provider must have formal personnel security and organizational security policies commensurate with industry-standard best practices.

7. Service Provider must conduct periodic internal and external security assessments against their physical and logical environment commensurate with industry-standard best practices.

8. Service Provider must have formal logging and monitoring, vulnerability management, risk management and incident management programs commensurate with industry-standard best practices.

9. Service Provider will use industry-standard and reasonable organizational and technical safeguards to protect ACC Personal Data.