Data Processing Addendum
(United States Vendor)
Last Updated: July 16, 2023
Qurate Retail Group is a group of companies that includes QVC, Inc. (“QVC”) and QVC’s Affiliates. In this Data Processing Addendum, “Qurate Company” means QVC or the QVC Affiliate that is a party to the Agreement with Vendor. This Addendum forms part of any Agreement between Qurate Company and Vendor covering use of the Services.
- “Addendum” means this Data Processing Addendum.
- "Affiliate" means with respect to QVC any other present or future entity that directly or indirectly controls, is controlled by, or is under common control with QVC. For purposes of the preceding sentence, "control", "controlled", and "controls" with respect to an entity means (a) direct or indirect ownership of at least 35% of such entity’s capital stock or other voting interests or (b) the ability to direct the senior management of such entity.
- “Agreement” means any purchase order or other contract that incorporates this Addendum.
- “Data Protection Law” means any present or future federal, state, territorial, or local law or regulation that relates to data privacy, data security, or the use or other processing of Personal Data.
- “Data Regulator” means any regulatory, supervisory, or governmental authority that is responsible for administering or enforcing Data Protection Laws.
- “Personal Data” means information provided to, or Processed by, Vendor or Vendor’s Subcontractors by or on behalf of Qurate Company and its Affiliates if such information identifies, relates to, describes, is capable of being associated with, or could be directly or indirectly linked to a natural person.
- “Privacy Rights” means rights provided to people under Data Protection Law including, without limitation (a) deleting Personal Data; (b) obtaining a copy of Personal Data; (c) correcting Personal Data; (d) obtaining Personal Data in a portable format; and (e) terminating any sales of Personal Data.
- “Processing” means any creation, access, modification, disclosure, transfer, storage, deletion, destruction, or other use of Personal Data. “Process” and “Processed” shall be construed in accordance with the preceding part of this definition.
- “Security Breach” means (a) a breach of security or Personal Data under any Data Protection Law; or (b) any other unauthorized access, unauthorized acquisition, unauthorized destruction, unauthorized deletion, unauthorized disclosure, unauthorized use, unauthorized modification, loss, or misappropriation of Personal Data or other compromise of the security, confidentiality, integrity, or availability of Personal Data.
- "Security Controls" means the Security Controls at this link.
- “Services” means goods, services, technology or other products provided by Vendor under the Agreement.
- "Subcontractor" means any person or entity other than Vendor and Vendor’s employees.
- “Vendor” means the company that is a party to the Agreement with Qurate Company.
- The type of Personal Data Vendor shall Process is Qurate Company customer, prospective customer, employee, applicant, or vendor data. Additional details of Vendor’s Processing may be set forth in data processing exhibits that reference this Addendum.
- Vendor shall comply with Data Protection Law applicable to Vendor, and Vendor shall notify Qurate Company if Vendor determines that Vendor is not able to comply with Data Protection Law applicable to Vendor. Qurate Company has the right to take reasonable and appropriate steps to ensure that Vendor is using Personal Data in a manner consistent with Vendor’s obligations under Data Protection Law.
- Vendor shall ensure that each person or entity that Processes Personal Data by or on behalf of Vendor is subject to contractual duties to Vendor with respect to Personal Data that are at least as restrictive and protective as Vendor's obligations to Qurate Company with respect to Personal Data. If Vendor uses a Subcontractor to Process Personal Data, Vendor will provide Qurate Company with notice of the Subcontractor's identity at least 15 days before Vendor permits the Subcontractor to Process Personal Data, and Qurate Company shall have 15 days from receipt of such notice to object to the Subcontractor by providing a notice of objection to Vendor. If Qurate Company provides a notice of objection with respect to a Subcontractor, Vendor and Qurate Company agree to work together to resolve such notice of objection. If such notice of objection cannot be resolved, Qurate Company may terminate the portion of the Services for which Vendor is retaining the Subcontractor.
- Taking into account the context of Processing of Personal Data, Vendor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data. Without limiting the previous sentence, Vendor shall implement and maintain the Security Controls with respect to Personal Data.
- Vendor (a) shall Process Personal Data solely for the benefit of Qurate Company and Qurate Company’s Affiliates and solely for the business purpose of providing Services; (b) shall not combine Personal Data with other data about natural persons that Vendor collects from Vendor’s own interactions with natural persons or that Vendor receives from another person; (c) shall not Process Personal Data for any purpose other than as set forth in Section 6(a). Without limiting the previous part of this Section 6, Vendor shall not use Personal Data for marketing, advertising, analytics or any other secondary use.
- Vendor shall Process Personal Data only while the Agreement is in effect. Vendor shall delete and destroy and cause the deletion and destruction of all Personal Data, except to the extent such Personal Data is required by law to be maintained by Vendor, upon the earlier of (a) the Agreement’s expiration or termination; or (b) 30 days after Qurate Company requests that Vendor delete Personal Data. Vendor shall certify in writing to Qurate Company that Vendor has complied with its obligations under this Section 7 within 45 days after Qurate Company's request for such certification, and in such certification, Vendor shall disclose any applicable laws under which Vendor is retaining Personal Data if Vendor is retaining Personal Data.
- At Qurate Company’s option, Vendor shall either (a) allow for, and contribute to, reasonable audits and inspections by Qurate Company or Qurate Company’s designated auditor of locations where Personal Data is Processed by or for Vendor; or (b) arrange for a qualified and independent auditor to conduct annually an audit of Vendor's policies and technical and organizational measures in support of Vendor’s obligations under this Addendum using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. Subject to the next sentence, Qurate Company may exercise its option under this Section 8 only once per calendar year. If a Security Breach occurs, Qurate Company may also exercise its option under this Section 8 even if Qurate Company has already exercised its option in the same calendar year. Vendor shall provide a report of any audits or inspections at Qurate Company’s request. Vendor shall provide to Qurate Company all information reasonably necessary to demonstrate Vendor’s compliance with Vendor's obligations under this Addendum or Data Protection Law.
- Vendor shall promptly investigate, and take all reasonable steps to limit and stop, each Security Breach. In addition to any notice required under the Agreement, Vendor shall notify Qurate Company at firstname.lastname@example.org of a Security Breach promptly, but in any event within 48 hours, after Vendor first becomes aware of a Security Breach. Such notification shall include, at a minimum: (a) a description of the nature of the Security Breach, the number of people affected, and the types and numbers of Personal Data records affected; (b) identification of the name and contact details of the data protection officer or other person at Vendor from whom additional information can be obtained; (c) a description of the likely consequences of the Security Breach; and (d) a description of the measures taken or proposed to be taken to address the Security Breach. Following the initial notification described in this Section 9, Vendor shall promptly provide Qurate Company with any further information regarding the Security Breach as requested by Qurate Company or Data Regulators. Vendor shall cooperate with and assist Qurate Company, its agents, and Data Regulators in connection with any investigation, response and other activities conducted with respect to a Security Breach. Vendor grants Qurate Company the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data by or through Vendor or Vendor’s agents.
- As part of the Services, Vendor shall assist Qurate Company promptly (and, in any event, within any period of time required by Data Protection Law) in responding to, and fulfilling, exercises of Privacy Rights.
- As set forth in this Section 11, Qurate Company may change this Addendum if Qurate Company reasonably determines that this Addendum should be changed so that uses of Personal Data subject to this Addendum or the Agreement comply with Data Protection Law. Qurate Company may change this Addendum by giving Vendor prior written, email or other electronic notice no less than 15 days before the effective date of such change. Such changes shall be effective on the date specified in the notice. If Vendor does not accept a change, Vendor must inform Qurate Company in writing before the effective date. If Vendor sends such written notice for receipt by Qurate Company before the effective date, Vendor and Qurate Company shall negotiate with respect to Qurate Company’s proposed change. Absent Qurate Company’s receipt of such notice as set forth in this Section 11, Vendor shall be bound by the changes to this Addendum. Notwithstanding the foregoing, if the Agreement is renewed pursuant to its renewal terms, then all Addendum changes not already effective shall become effective as of the commencement date of the renewal term immediately following the effective date of the change, regardless of any notice from Vendor.
- This Addendum is in addition to any obligations of Vendor under Vendor’s other contracts with Qurate Company or its Affiliates. If this Addendum conflicts with any provision of the Agreement with respect to Personal Data, then this Addendum shall control with respect to Personal Data. This Addendum shall continue to be in effect with respect to Personal Data for so long as Vendor or any agent on behalf of Vendor Processes Personal Data, notwithstanding the termination of the Agreement.