Last updated: September 23, 2019
This Data Processing Addendum (this “DPA”) is incorporated into the Terms of Service (the “Terms of Service”) between Unity Technologies SF and its Affiliates (collectively, “Unity” or “Processor”) and you, (“You” or “Customer”), each a (“party”) and collectively (the “parties”). Acceptance of the Terms of Service includes acceptance of this DPA. Capitalized but undefined terms used in this DPA will have the meanings assigned to those terms in the Terms of Service.
In the course of providing the Services to you pursuant to the Terms of Service, Unity may Process Personal Data on behalf of you. Unity agrees to comply with the following provisions, including the Standard Contractual Clauses (processors) as referenced herein and its related Appendices and incorporated into the DPA (the “Clauses”), to the extent applicable as provided in Section 2.8 below, with respect to its Processing of any Personal Data submitted by or for you to Unity in connection with your use of the Services.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Customer Data” means any data, information or material originated by Customer that Customer submits, collects or provides in the course of using the Services, including any Customer Personal Data.
“Customer Personal Data” means Personal Data submitted by or for Customer to Unity in connection with Customer’s use of the Services. For purposes of this DPA, Customer Personal Data includes the following categories of data: IP address, UserID, and Device ID.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Customer Personal Data by Unity under the Terms of Service.
“Data Subject” means an identified or identifiable natural person. For purposes of this DPA, “Data Subjects” include individuals from one or more of the following categories: (a) Customer’s users, (b) individuals collaborating and communicating with Customer’s users, and (c) individuals whose Personal Data is possessed by Customer and stored within Customer Data.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Personal Data” has the same meaning as “personal data” as defined in the GDPR.
“Personal Data Breach” has the same meaning as “personal data breach” as defined in the GDPR.
“Privacy Shield” means the EU-US Privacy Shield Framework established by the European Commission and the United States Department of Commerce, or its successor framework.
“Process/Processing” has the same meaning as “processing” as defined in the GDPR.
“Processor” means the entity that Processes Personal Data on behalf of the Controller.
“Security, Privacy and Architecture Documentation” means the Security, Privacy and Architecture Documentation applicable to the Services purchased by Customer, as described in summaries that Unity generally makes available to its Customers as updated from time to time, or otherwise made reasonably available by Unity.
“Sub-Processor” means any entity that Unity engages to Process Customer’s Personal Data on behalf of Unity.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1. Roles of the Parties; Purpose. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and that Unity may engage Sub-processors pursuant to the requirements set forth in this Addendum. The purpose of Processing of Customer Personal Data by Unity is the performance of the Services for Customer and the exercise of Customer's rights pursuant to the Terms of Service and this Addendum.
2.2. Unity’s Processing of Personal Data. Unity will only Process Customer Personal Data on behalf of and in accordance with your instructions. For the purposes of this DPA and Clause 5(a) of the Clauses, Customer will instruct Unity to Process Customer Personal Data for the following purposes: (i) to store and use data as described more fully in the Terms of Service and any applicable descriptions of the Services; and (ii) to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Terms of Service and this DPA. This DPA and the Terms of Service are Customer’s complete and final instructions to Unity for the Processing of Customer Personal Data. Any additional instructions that are inconsistent with the terms of the Terms of Service or this DPA must be agreed upon separately in writing signed by authorized representatives of both parties. Customer acknowledges that Unity may have data in its own right related to the Data Subject for which Customer permits game play to be stored. Customer is not a Controller of such data and is in no way responsible for Unity’s use of such data.
2.3. Customer’s Processing of Personal Data. In its use of the Services, Unity will Process Customer Personal Data in accordance with the requirements of Data Protection Laws. Your instructions for the Processing of Personal Data by Unity will comply with all Data Protection Laws. You will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such Customer Personal Data.
2.4. Security of Processing. Unity will secure Customer Personal Data by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required under the applicable Data Protection Laws. Such measures include those set forth in the Security, Privacy and Architecture Documentation. Unity will not materially decrease the overall security of the Services during the term of the Terms of Service.
2.5. Personal Data Breach Notification. Unity will notify you without undue delay after becoming aware of a Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Unity, Unity will make reasonable efforts to identify and remediate the cause of such Personal Data Breach.
2.6. Assistance. Unity agrees to provide you with reasonable assistance in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Unity’s Processing and the information available to Unity. Unity will, to the extent legally permitted, promptly notify you if Unity receives a request from a Data Subject for access to, correction, amendment or deletion of such Data Subject’s Customer Personal Data. Upon request from you, Unity will provide commercially reasonable assistance to you by appropriate technical and organizational measures, insofar as this is possible, in relation to handling of a Data Subject’s request for exercising Data Subject’s rights set forth in Chapter III of the GDPR, taking into account the nature of Unity’s Processing of Customer Personal Data and solely to the extent you are unable to fulfill such requests through the Services. You will be responsible for any costs arising from Unity’s provision of such assistance.
2.7. Deletion of Customer Personal Data. Unity will delete all Customer Personal Data and copies thereof upon request of Customer upon termination or expiration of the Terms of Service and upon a rolling basis every twenty-eight (28) days during the Term of the Terms of Service, unless otherwise required by the applicable Data Protection Laws. The parties agree that the certification of the deletion of Customer Personal Data that is described in Clause 12(1) will be provided by Unity to you only upon your written request.
2.8. Data Transfers. With respect to Customer Personal Data transferred from the European Economic Area (“EEA”) to outside the EEA in conjunction with your use of the Services, either directly or via onward transfer, Unity will provide at least the same level of protection for such Customer Personal Data as is required by the relevant principles in accordance with Article 46 of the GDPR. If Unity determines that it can no longer provide this level of protection, Unity will promptly notify you of that determination, and you will have the right to terminate the Terms of Service without penalty upon notice to Unity. The Clauses apply only to Customer Personal Data that is transferred from the EEA to outside the EEA, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for Personal Data, and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data. For the purpose of the Clauses and this DPA, Customer and all Affiliates of Customer established within the EEA that have purchased Services on the basis of the Terms of Service will be deemed “Data Exporters” and will be collectively included in the term “Customer.”
For purposes of this Terms of Service, the Parties agree to comply with the requirements of the Standard Contractual Clauses for Controller-Unity transfers laid out in 2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593). Such clauses are incorporated by reference as if fully laid out herein. Unity Technologies SF may be contacted by DPO@Unity3d.com or at its main address in the European Union: Unity ApS Niels Hemmingsens Gade 24, 1153 København K Denmark. The personal data processed under this arrangement includes IP address, UserID, and Device ID. Such data will be processed in order to assist the Controller with personalizing game play experiences as more fully described in the Terms of Service.
2.9. Audits. Unity will make available to you all information necessary to demonstrate compliance with its obligations under the GDPR. Upon your written request at reasonable intervals, Unity will provide a copy of Unity’s then most recent summaries of third-party audits or certifications or other documentation, as applicable, that Unity generally makes available to its Customers at the time of such request. The parties agree that the audit rights described in Article 28 of the GDPR and Clauses 5(f) and 12(2) of the Clauses will be satisfied by Unity’s provision of such summaries and/or reports.
3. UNITY PERSONNEL
3.1. Confidentiality. Unity will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of Customer Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality Terms of Services or are under an appropriate statutory obligation of confidentiality. Unity will ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.2. Limitation of Access. Unity will ensure that Unity’s access to Customer Personal Data is limited to those personnel who require such access to perform under the Terms of Service.
3.3. Data Protection Officer. Certain of Unity’s parent employees have been appointed as data protection officers where such appointment is required by Data Protection Laws. The appointed person may be reached at firstname.lastname@example.org.
4.1. General Authorization. You authorize Unity to subcontract Processing of Customer Personal Data under this DPA to Sub-processors, provided that Unity: (a) provides Customer with information about the Sub-Processor(s) as may be reasonably requested by Customer from time to time; (b) flows down its obligations under this DPA to such Sub-Processor, such that the Processing requirements of such Sub-Processor with respect to Customer Personal Data are no less onerous than the Processing requirements of Unity as set forth in this DPA; and (c) will be fully liable to Customer for the performance of the Sub-Processor’s obligations under this DPA if such Sub-Processor fails to fulfill its data protection obligations.
4.2. New Sub-Processors. Unity will inform you of any intended changes concerning the addition or replacement of Sub-processors upon reasonable audit request.
4.3. Sub-Processor Agreement. The parties agree that if copies of the Sub-Processor Agreements must be sent by Unity to Customer pursuant to applicable Data Protection Laws, such copies may have all commercial information and clauses unrelated to this DPA redacted by Unity beforehand; and, that such copies will be provided by Unity only upon reasonable request by Customer.
5. GENERAL PROVISIONS.
5.1. Conflicting Terms. This DPA applies only to Customer and Unity and does not confer any rights to any third party. This DPA does not replace any additional rights related to privacy or data security set forth in the Terms of Service.
5.2. Term and Termination. This DPA will become effective as of the date Customer has both: (i) accepted a valid Terms of Service; and (ii) this DPA. This DPA will terminate simultaneously and automatically upon the termination of the Terms of Service. Unity may terminate this DPA at any time upon notice to Customer if Unity offers alternative means to Customer that comply with all applicable Data Protection Laws. Customer may terminate this DPA at Customer’s discretion upon Unity’s receipt of Customer’s written notice of termination.
5.3. Remedies. Customer’s remedies, including those of its Affiliates, arising from any breach of the terms of this DPA will be limited to two times the amounts paid or payable in the past 12 months under the Terms of Service.
5.4. Governing Law. To the extent required by the applicable Data Protection Laws, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction stated in the Terms of Service.