Data Processing Addendum
This Data Processing Addendum, including the Standard Contractual Clauses, as applicable, referenced herein (“DPA”) amends and supplements any existing and currently valid service agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and CoStar Realty Information, Inc. (together with subsidiary(ies) and affiliated entities, collectively “CoStar”) and sets forth other terms that apply to the extent any information you provide to CoStar pursuant to the Agreement includes Customer Personal Data (as defined below). Each Processor and Customer may be referred to hereafter as a “Party” and collectively the “Parties.”
1. Definitions and interpretation
1.1 In this DPA, unless the context otherwise requires:
“Customer Personal Data” means all Personal Data processed by CoStar on behalf of the Customer under or in connection with this DPA.
“Data Protection Laws” means any laws and regulations relating to privacy or the use or processing of data relating to natural persons, including: (a) the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (“CCPA”); (b) the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018 (“DPA 2018”), UK GDPR, as defined in section 3(10) (as supplemented by section 205(4)) of DPA 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003;; and (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the foregoing; and (c) any guidance or codes of practice issued by a governmental or regulatory body or authority in relation to compliance with the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
“Data Controller” shall mean a person or entity that, alone or jointly with others, determines the purpose(s) and means of processing personal data. The term shall have the same meaning given to the terms “controller” or “business,” as applicable, under Data Protection Laws.
“Data Processor” shall mean a person or entity that processes personal data on behalf of a controller. The term shall have the same meaning given to the terms “processor” or “service provider,” as applicable, under Data Protection Laws.
“DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
“Standard Contractual Clauses” means the standard contractual clauses set out in the European Commission’s Implementing Decision 2021/914 of June 4, 2021 for the transfer of Personal Data to processors established in third countries.
“Data Subject” shall have the same meaning as that term or “customer,” as applicable, are defined under Data Protection Laws.
“Personal Data” shall have the same meaning as that term or “personal information,” as applicable, are defined under Data Protection Laws.
“process” shall have the same meaning as that term or “processing,” as applicable, are defined under Data Protection Laws.
2. Application
2.1 The terms of this DPA will only apply to the extent that the Data Protection Laws apply to the processing of Customer Personal Data, including if:
(a) The processing is in the context of the activities of an establishment of Customer in the European Economic Area;
(b) Customer Personal Data is personal data relating to data subject who are in the European Economic Area, and the processing relates to the offering to them of goods or services or the monitoring of their behaviour in the European Economic Area; or
(c) Customer Personal Data is personal data relating to data subject who are residents of certain U.S. states with Data Protection Laws.
2.2 If Data Protection Laws require and CoStar processes Customer Personal Data as described in 1.1(a) or (b), CoStar shall:
(a) subject to 1.2(b), below, not transfer, access or process such Personal Data outside the UK or the European Economic Area without the prior written consent of the Customer in accordance with (and, if the Customer so consents, take such steps as are required by the Customer to ensure that the relevant transfer, access or processing complies with the Data Protection Laws including entering into Standard Contractual Clauses). If the Standard Contractual Clauses are entered into between the Customer and CoStar, they shall be deemed to be populated as referenced at Appendix 2 of this DPA.
(b) Unless the transfer of Personal Data is based on an “adequacy decision,” is otherwise “subject to appropriate safeguards” or if a “derogation for specific situations” applies, each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively, CoStar shall not transfer, access or process such Personal Data outside the European Economic Area without the prior written consent of the Customer (not to be unreasonably withheld or delayed).
2.3 In the event of any inconsistency between this DPA and the Agreement, the terms of this DPA shall take precedence.
2.4 Except as expressly modified hereby, all of the terms of the Agreement shall remain in full force and effect.
3. Data processing
3.1 In relation to the performance of its obligations under this DPA, each Party shall comply with the provisions of the Data Protection Laws and any equivalent legislation or regulations in any relevant jurisdiction.
3.2 Each Party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
3.3 Appendix 1 sets out further details of the processing of Personal Data that may be undertaken by CoStar in connection with this DPA, including in respect of the types of Personal Data, categories of Data Subjects, and nature and purposes of processing, which is generally to provide information about commercial real estate and CoStar. Such processing shall take place throughout the duration of this DPA and until deletion of all Customer Personal Data by CoStar as described in this DPA.
3.4 In so far as CoStar receives from or processes any Personal Data on behalf of the Customer, and unless otherwise permitted or required by Data Protection Laws, CoStar shall:
- process such Personal Data only in accordance with the Customer’s written instructions from time to time (including those set out in this DPA);
- ensure that any personnel who have access to Personal Data are subject to binding obligations of confidentiality when processing such Personal Data;
- implement and maintain technical and organizational measures and procedures to ensure an appropriate level of security for such Personal Data, including protecting such Personal Data against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination, or access, including such technical and organisational measures set out at Appendix 3 of this DPA;
- (d) inform the Customer if it determines that any such Personal Data is (while within CoStar’s or its subcontractors’ possession or control) subject to a personal data breach (as defined by Data Protection Laws;
- other than at the written request of the Customer or as expressly provided for in this DPA, not use or disclose any Personal Data outside the direct business relationship with the Customer or to any Data Subject or third party, or use Personal Data for CoStar’s own commercial purpose;
- as the Customer so directs, return or delete all Personal Data on termination or expiry of this DPA, and not make any further use of such Personal Data;
- provide to the Customer and any DP Regulator (at the Customer’s cost) all information and assistance necessary to demonstrate or ensure compliance with the obligations in this clause 2 and/or the Data Protection Laws;
- permit the Customer or its representatives (at the Customer’s cost) to access any relevant premises, personnel, or records of CoStar on reasonable notice to audit and otherwise verify compliance with this DPA and/or Data Protection Laws;
- permit the Customer or its representatives (at the Customer’s cost) to, on reasonable notice, take reasonable and appropriate steps to stop and remediate unauthorized use;
- take such steps as are reasonably required to provide Customer (at the Customer’s cost) with evidence of CoStar’s compliance with Data Protection Laws;
- notify the Customer if it receives a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that person’s Personal Data;
- not “sell” or “share” Personal Data as those terms are defined by the CCPA;
- provide the Customer (at the Customer’s cost) with its reasonable cooperation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person’s Personal Data;
- notify the Customer if it determines that it cannot meet its obligations under Data Protection Laws; and
- comply with its applicable obligations under Data Protection Laws.
3.5 If either Party receives any complaint, notice, or communication which relates directly or indirectly to the processing of Personal Data by the other Party or to either Party’s compliance with the Data Protection Laws, it shall promptly notify the other Party and it shall provide the other Party with reasonable cooperation and assistance in relation to any such complaint, notice, or communication.
3.6 The Customer acknowledges that CoStar is reliant on the Customer alone for direction as to the extent CoStar is entitled to use and process the Personal Data. Consequently, CoStar shall be entitled to relief from liability in circumstances where a Data Subject makes a claim or complaint with regards to CoStar’s actions to the extent that such actions result from (a) instructions received from the Customer or (b) a breach by the Customer of its obligations under this Clause 2.
3.7 CoStar may subcontract its processing of the Personal Data on behalf of the Customer. CoStar shall ensure that any such sub-contractors enter into a written contract with CoStar which contains obligations for the protection of the Personal Data which are no less onerous than those set out in this DPA and require compliance with Data Protection Laws, as applicable.
3.8 CoStar shall make available to the Customer on request a current list of those sub-contractors which are used by CoStar to undertake processing of Personal Data on behalf of the Customer under this DPA. By entering into this DPA, the Customer is deemed to have approved the use of CoStar’s current sub-contractors as at the date of this DPA (“Current Sub-Contractors”).
3.9 Customer grants a general authorization to CoStar to appoint its affiliates as sub-processors and a specific authorization to CoStar and its affiliates to appoint as sub-processors third parties that provide reasonable technological and organizational safeguards to protect the Personal Data. Please email us at CoStarUKPrivacy1@costar.co.uk at any time to request a list of our sub-processors.
4. General
4.1 Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
4.2 This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by the laws of the state set forth in the Agreement. The Parties irrevocably agree that any dispute that arises out of or in connection with DPA or its subject matter or formation (including non-contractual disputes or claims) shall be referred to the jurisdiction set forth in the Agreement.
4.3 This DPA may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.
4.4 No failure by a Party in exercising any right, power or privilege hereunder shall constitute a waiver or abandonment by such Party of any such right, power or privilege, nor shall any single or partial exercise thereof preclude any further exercise of any such right, power or privilege. 3.5 This DPA, together with the documents referred to in it, constitutes the entire agreement and understanding between the parties in respect of the matters dealt with in it. Each of the Parties acknowledges and agrees that in entering into this variation agreement, it does not rely on, and will have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) of any person (whether Party to an Agreement or not) other than as expressly set out herein.
4.5 This DPA, together with the documents referred to in it, constitutes the entire agreement and understanding between the Parties in respect of the matters dealt with in it. Each of the Parties acknowledges and agrees that in entering into this variation agreement, it does not rely on, and will have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) of any person (whether Party to an Agreement or not) other than as expressly set out herein.
Appendix 1: Details of Processing
| Categories of data subjects whose personal data is processed and/or transferred | Individual subscribers of the CoStar Platform in addition to individuals whose personal data subscribers add to their section of the CoStar database. |
| Categories of personal data processed and/or transferred | email address, first name and last name |
| Sensitive data processed and/or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | None. |
| The frequency of the processing and/or transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Periodically when the client (i) makes an introduction and/or referral and/or (ii) uses the Real Estate Manager tools |
| Nature of the processing | Collection of personal information in order to provide agreed services to clients. Processing may include but is not limited to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purpose(s) of the data transfer and further processing | To facilitate the provision of the services under your agreement with CoStar. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Data will be retained for the duration of your agreement with CoStar and in accordance with its termination provisions. |
| For processing by, or transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | n/a |
Appendix 2: Information to be included in the Standard Contractual Clauses
To the extent that the Standard Contractual Clauses are entered into between the Customer and CoStar pursuant to clause 1.2 of this DPA, they shall be deemed to be populated as follows:
| Exporter Organization Name: | CoStar Realty Information Inc and its affiliate companies, as applicable, including CoStar UK Limited |
| Address: | 1331 L Street, NW Washington, DC 20005 |
| Contact Person’s name, position, and contact details: | European Head of Legal, 26th Floor, The Shard, 32 London Bridge Street, London, SE1 9SG costarukprivacy1@costar.com |
In addition the Standard Contractual Clauses shall be deemed populated as follows:
- Module 2 applies;
- In clause 17, option 1 will apply and the EU Standard Contractual Clauses will be governed by the laws of [Germany]
- In clause 18(b) dAnnex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Appendix I of this DPA. Module 2 applies;
In relation to Personal Data that is protected by UK GDPR, the UK Standard Contractual Clauses will apply completed as follows:
(i) The UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s119A(1) of the UK Data Protection Act 2018 shall be deemed executed between the Customer and CoStar, and the EU Standard Contractual Clauses shall be deemed amended as specified by the UK Addendum in respect of the transfer of such UK Personal Data.
Appendix 3: Technical and Organisational Measures
- Software, such as antivirus and antimalware, threat detection tools to identify and address technical flaws.
- Encryption and pseudonymisation.
- Physical security, such as CCTV cameras.
- Passwords and MFA (multi-factor authentication).
- Information security policies governing the approach to data protection and GDPR compliance.
- Business continuity plans, to explain the actions the organisation will take in response to an information security incident.
- Risk assessments to identify information security threats and determine appropriate controls.
- Staff awareness training.
- Reviews and audits to assess the effectiveness of the measures that have been implemented, and to identify opportunities for improvement.
Last revised January 07, 2023