Exhibit 10.3
AMENDMENT NUMBER 2 TO THE
AMENDED AND RESTATED MASTER SERVICES AGREEMENT
This AMENDMENT NUMBER 2 (the “Data Privacy Amendment”),
effective as of October 31, 2007 (“Amendment Effective Date”)
is made and entered into by and between TCS and Nielsen
and modifies the AMENDED AND RESTATED MASTER SERVICES AGREEMENT,
dated as of October 1, 2007, between TCS and Nielsen (the
“Agreement”).
PRELIMINARY STATEMENT
The Parties have agreed to amend and
supplement certain of the terms, conditions, rights and obligations
of the Parties under the Agreement with regard to data privacy and
data protection pursuant to the provisions of this Data Privacy
Amendment.
NOW, THEREFORE, in consideration of the mutual
promises and covenants contained herein, and of other good and
valid consideration, the receipt and sufficiency of which is hereby
acknowledged, the Parties, intending to be legally bound, hereby
agree as follows:
The Parties agree to insert the
following provisions of this Section A between Section 14
(DATA OWNERSHIP, PROTECTION AND RETURN OF DATA) of the Agreement
and Section 15 (CONSENTS) of the Agreement as a new
Section 14A (DATA PRIVACY) of the Agreement:
“Section 14A DATA PRIVACY
In performing the Services, TCS will
comply with the requirements of this Section 14A.
14A.1 Data Privacy Rules, Generally
(a) “Data Privacy Rules” means the following:
(i) all Laws applicable to Nielsen
and the Nielsen Regulatory Requirements regarding personal data
privacy and data protection rights (including breach notification
requirements) with respect to Personally Identifiable Information
held and/or controlled by Nielsen and its Affiliates, including
personal data relating to employees, customers, consumers,
panelists, survey respondents, and other individuals. Such Laws and
Nielsen Regulatory Requirements include: (A) the
Gramm-Leach-Bliley Act and its effective implementing rules and
regulations (“GLB Act”); (B) the Health Insurance
Portability and Accountability Act of 1996 and its effective
implementing rules and regulations (“HIPAA”)
and analogous state laws; (C) the Canadian Privacy Legislation
and its effective implementing rules and regulations; and
(D) legislation implementing the European Directive 95/46/EC
on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (the
“EU Data Protection Directive” or the “Directive”) and
analogous legislation in European countries not part of the
European Union (collectively “EU Privacy Laws”); and
(ii) the provisions of this
Agreement that address TCS’ obligations regarding data
privacy and data protection, including Section 5.6,
Section 14, this Section 14A, Section 16,
Section 20, and Schedule G to this Agreement.
(b) General Requirements.
(i) TCS and Nielsen will comply, and
will support the other Party in complying, with all relevant
provisions of Data Privacy Rules.
(ii) TCS will observe, comply with,
and perform the Services in a manner consistent with, the Data
Privacy Rules.
(iii) TCS will cause those TCS
Affiliates and Approved Subcontractors performing the Services to
comply with the obligations of TCS provided in this Section 14A.
(iv) Except as provided in
Section 14A.1(c), TCS will meet the requirements of this
Section 14A at no additional charge to Nielsen.
(v) If TCS suspects or becomes aware
of any breach of the Data Privacy Rules, TCS will promptly notify
Nielsen and will cooperate with Nielsen to investigate, mitigate,
rectify and respond to such breach.
(vi) Upon Nielsen’s request,
TCS will provide to Nielsen certifications (whether
self-certifications or, on an Out-of-Pocket Expense basis, third
party certifications, as Nielsen reasonably requests) that
demonstrate TCS’ compliance with the Data Privacy
Rules.
(vii) Nielsen will have the right to
screen and approve all TCS Personnel who might have access to the
Personally Identifiable Information that is the subject of the Data
Privacy Rules.
(viii) Nothing in this Agreement
will be deemed to prevent Nielsen from taking the steps it deems
necessary to comply with the Data Privacy Rules.
(ix) The obligations provided in
this Section 14A will survive the termination or expiration
of this Agreement.
(c) Changes to the Data Privacy Rules.
(i) Statutory and Regulatory Changes. If during the Initial
Term or a Renewal Period a
change is made to any Laws or Nielsen Regulatory Requirements
described in Section 14A.1(a), or a new Law or Nielsen
Regulatory Requirement is implemented that affects any of the
Parties’ rights and obligations regarding data protection and
data privacy in this Agreement, TCS will comply with such changed
or new Law or Nielsen Regulatory Requirement in accordance with the
provisions of Section 20.8.
(ii) Change Control Procedure.
TCS will perform the Services in compliance with any additional
or revised Nielsen standards, policies and requirements disclosed
to TCS from time to time relating to the Data Privacy Rules,
whether or not additions or revisions arise from changed or new
Laws or Nielsen Regulatory Requirements (such as those relating to
information security, or instructions from Nielsen or any Nielsen
Affiliate in connection with a signed EU Model Contract), subject
to application of the Change Control Procedure to the extent TCS
reasonably demonstrates that such standards, policies, requirements
and instructions impose material incremental costs upon TCS in
excess of those that would otherwise be necessary for TCS to comply
with its obligations under this Agreement.
14A.2 EU Privacy Laws.
Without limiting the generality of
Section 14A.1, TCS will comply with the obligations provided
in this Section 14A.2 regarding applicable EU Privacy
Laws.
(a) Definitions. The
following non-capitalized terms used in Section 14A.2 will
have the meanings given to them in the EU Privacy Laws:
“controller”; “data exporter”; “data importer”;
“data subject”; “personal data”; “processing” (and
“processed” will be construed accordingly); and
“processor”. In addition:
(i) “EU Model Contract” means a contract between the
applicable data importer and
the applicable data exporter, which contract will include the
standard contractual clauses provided or approved by the applicable
European Union or implementing country authorities governing the
transfer and processing of personal data outside of the European
Union. As of the Agreement Effective Date, such standard
contractual clauses are those provided in the annex to Decision
2002/16/EC of the European Commission dated December 27, 2001
for the transfer of personal data to processors established in
third countries; and
(ii) “Nielsen Personal Data” means personal data that is
processed by or on
behalf of TCS in performing the Services, including personal data
relating to the employees, customers, consumers, panelists, and
survey respondents of Nielsen and its Affiliates, and/or which is
made available directly or indirectly to TCS by Nielsen or Nielsen
Affiliates.
(b) Compliance with EU Privacy Laws.
Nielsen and TCS will each comply, and will support the
other Party in complying, with their respective obligations under
the EU Privacy Laws, including maintaining all necessary
notifications or registrations that may be required.
(c) The Parties’ Roles. The Parties agree that:
(i) Nielsen Solely Responsible. Nielse