Current Version - 2026/01

  • 11 minute(s) read
Prev Next

Data Processing Agreement

Version: 2026/01
Date: 1 January 2026

Click on the three dots on the top right to export this article in PDF.

This Data Processing Agreement (“DPA”) applies between Cint and any Customers of Cint receiving Services where Personal Data may be processed by Cint on behalf of the Customer. This DPA forms part of the service agreement entered into between Cint and the Customer under which the Customer receives the relevant Services (the “Agreement”). This DPA shall be subject to the governing law and dispute resolution that applies to the Agreement. 

1. DEFINITIONS


Defined terms used for the purposes of this DPA shall have the meanings set out at the end of this DPA.

2. DATA PROCESSING


2.1. The parties shall each comply with their respective obligations under the Data Protection Law as regards the Customer Personal Data. The parties acknowledge that the Customer is the Controller of Customer Personal Data and that Cint is appointed by the Customer as Processor to process Customer Personal Data on behalf of Customer to provide the Services.

2.2. The Customer's documented instructions for the processing of Customer Personal Data by Cint are set out in this DPA, including the details of processing activities (including scope, nature and purpose) listed in Schedule A. Cint shall process Customer Personal Data only in accordance with these documented instructions. 

2.3. Cint agrees to process Customer Personal Data in accordance with the terms of this DPA and shall:

2.3.1. implement appropriate technical and organisational measures to protect Customer Personal Data processed by it against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration. Cint’s current technical and organisational measures are available here: https://trust.cint.com/;

2.3.2. only make the Customer Personal Data available to personnel who are bound by appropriate obligations of confidentiality;

2.3.3. taking into account the nature of the processing and the information available to Cint, provide reasonable assistance to Customer insofar as this is possible (at Customer’s cost), as Customer may require to allow Customer to comply with its obligations under the Data Protection Law, including in relation to data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; the fulfilment of data subject’s rights; and any enquiry, notice or investigation by a supervisory authority;

2.3.4. Delete all Customer Personal Data, and delete any existing copies (unless required to retain such Customer Personal Data under applicable law) i) upon the written request by Customer or ii) 366 days after the Customer Opportunity;

2.3.5. on written request, make available to Customer all information necessary to demonstrate compliance with this DPA and allow for, and contribute to, remote audits conducted by Customer or its representatives (bound by appropriate obligations of confidentiality), provided that Customer provides thirty (30) days prior written notice to Cint and such audit is carried out at Customer’s cost. Audits are limited to one (1) per calendar year and the duration and scope of any such audit shall be proportionate and agreed upon between the parties in advance. However, additional audits may be allowed if: (a) the audit is required by a relevant Supervisory Authority; or (b) the Customer has reasonable and verifiable grounds to suspect a material violation of this DPA by Cint. The duration of any such remote audit shall be proportionate to its agreed-upon scope and shall not exceed five (5) business days, unless otherwise mutually agreed in writing by both parties.


2.3.6. Cint shall inform the Customer if, in its opinion, an instruction infringes the Data Protection Law.

2.4. Cint shall inform Customer in writing without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and at least within a timeframe that allows the Customer to meet its own legal deadline under Data Protection Laws. The notification shall, at a minimum and to the extent the information is reasonably available to Cint at the time of notification, include the following:

(a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects and records concerned;
(b) the name and contact details of the Data Protection Officer or other relevant contact point;

(c) a description of the likely consequences of the Personal Data Breach; and

(d) a description of the measures taken or proposed to be taken by Cint to address the Personal Data Breach and mitigate its possible adverse effects.

If all required information is not available at the time of initial notification, Cint shall provide the information in phases without undue further delay as it becomes available.

2.5. Customer consents to the appointment by Cint of third-party sub-processors, which may include other companies within Cint’s group, to process the Customer Personal Data on its behalf as part of the Services (each, a “Sub-processor”). The list of currently authorized Sub-processors is located at legal.cint.com. Prior to allowing such Sub-processor to access the Customer Personal Data, Cint shall impose legally binding contract terms on the Sub-processor which are the same as or equivalent to those imposed on Cint under this DPA. Cint shall at all times remain liable for the acts and omissions of its Sub-processors.

2.6. Cint shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor by updating the URL provided in Clause 2.5 at least 14 days prior to implementation of such change. As a condition of receiving such notifications, Customer shall be solely responsible for subscribing to the email notification list at the provided URL. If mandatory under applicable Data Protection Laws, Customers have the right to object to such Sub-processor on reasonable grounds. A Customer's right to object must be exercised by providing a written objection to privacy@cint.com within 14 days of receiving the notification. In the event of the Customer objecting to such change, Cint shall make reasonable efforts to address the Customer’s concerns. If the parties are unable to agree on the appointment of a Sub-processor, either party may at its option terminate the Services on 30 days’ notice without penalty.

3. INTERNATIONAL DATA TRANSFERS

3.1. In the event of a Restricted Transfer between the parties, they agree to be bound by the applicable SCCs. If there is a Restricted Transfer from Cint to Customer, the parties agree to be bound by the P2C SCCs and if there is a Restricted Transfer from Customer to Cint, the parties agree to be bound by the C2P SCCs. Cint is the Processor, and Customer the Controller.

3.2. If and to the extent that the Restricted Transfer is subject to the UK GDPR, the incorporated SCCs shall apply as amended by the UK Addendum, which is also hereby incorporated in these circumstances subject to Clause 4.2.

3.3. If and to the extent that the Restricted Transfer is subject to the laws of any other jurisdiction outside of the EEA or the UK, the incorporated SCCs shall be interpreted as necessary to enable the laws of the relevant jurisdiction to be complied with. In particular:

(a) “European Union” or “EU Member State” shall be replaced with the jurisdiction of the Customer making the Restricted Transfer; and

(b) “Regulation (EU) 2016 / 679” and all references to the Regulation shall mean the equivalent Data Protection Law that results in there being a Restricted Transfer.

3.4. Cint may make transfers of Personal Data to Sub-processors, including to third countries outside the EEA or UK, only where such transfers are made in compliance with applicable Data Protection Law(s) and this DPA, for example: Cint shall ensure that an appropriate transfer mechanism is in place prior to any Restricted Transfer to a Sub-processor, which may include, as applicable: 

  1. a valid adequacy decision covering the destination; 

  2. the execution of SCCs then in force and, where the UK GDPR applies, the UK Addendum; or

  3. as applicable, any other lawful transfer mechanism recognised under applicable Data Protection Law.

4. SCCs

4.1. Where SCCs are incorporated into this DPA under Clause 3:

4.1.1. they will come into effect upon commencement of the relevant Restricted Transfer and any clauses which are expressed to be optional are not included;

4.1.2. option 2 of Clause 9 is selected and the time period for informing the Customer of any intended changes concerning Sub-processors shall be at least 14 days in advance;

4.1.3. for the purposes of Clauses 17 and 18, the parties agree that the Member State for the purposes of governing law and jurisdiction is Sweden; and

4.1.4. for the purposes of: (a) Annex 1.A, when C2P SCCs are applicable, the ‘data importer’ will be Cint and the ‘data exporter’ will be Customer and when P2C SCCs are applicable, the ‘data importer’ will be Customer and the ‘data exporter’ will be Cint; (b) Annex 1.B, the description of the transfer is set out in Schedule A; (c) Annex 1.C, the competent supervisory authority shall be the supervisory authority competent in the country in which the Customer is established; and (d) for the purposes of Annex 2, the technical and organisational measures are as available here: https://trust.cint.com/

4.2 UK ADDENDUM: Where the UK Addendum is incorporated into this DPA under Clause 3.2: (a) for the purposes of Table 1, the Start Date shall be the commencement of the relevant Restricted Transfer, the Parties’ details are defined in Clause 1 and no signature is required; (b) the first option is selected in Table 2, the Approved EU SCCS are defined in Clause 1; (c) the Appendix Information in Table 3 is set out in Schedule A; and (d) the first two options (“Importer” and “Exporter”) are selected in Table 4.


DEFINITIONS

The terms “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, “Personal Data”, “Personal Data Breach”, “Special categories of Personal Data” and “processing” shall have the meaning given to them in the GDPR (and the UK GDPR); and for processing subject to other Data Protection Laws, those terms shall be read to include the closest local equivalents (including, for example CCPA/CPRA, Business/Service Provider or Contractor/Consumer/Personal Information/Sensitive Personal Information/the California Privacy Protection Agency or Attorney General, and “security breach” for Personal Data Breach), and the parties’ role-based obligations under this DPA shall be interpreted to satisfy any mandatory local requirements for such processing.

“Customer Personal Data” means all Personal Data which is processed by Cint on behalf of Customer in connection with the Services;

“C2P SCCs” means Module 2 of the SCCs;

“Data Protection Law” means all binding laws, rules and regulations applicable to processing of Personal Data, in connection with the delivery and use of the Services, including, but not limited to: 

(i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);

(ii) the GDPR as incorporated into UK law (“UK GDPR”), together with the UK Data Protection Act 2018;

(iii) the US California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), along with any successor or implementing legislation; any other applicable US state or federal data protection or privacy laws; and

(v) any other national data protection or privacy legislation in a jurisdiction where the Services are performed or the Personal Data is Processed.

This definition also includes any legally binding guidance, directives, or decisions issued by a competent Supervisory Authority.

“P2C SCCs” means Module 4 of the SCCs;

“Restricted Transfer” means a transfer of Personal Data to a Third Country in circumstances where such transfer is subject to any of: (i) the EU GDPR; (ii) the UK GDPR; or (iii) an other applicable regional, federal or national laws or regulation applicable in a country outside the EEA or UK, which prohibits or restricts the transfer of Personal Data from that region or country;

“SCCs” means the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as may be amended, replaced or supplemented from time to time;

“Third Country” means a country outside the EU that does not benefit from an adequacy decision pursuant to Article 45 of the GDPR (or the equivalent UK adequacy regulations, as applicable); and

“UK Addendum” means the UK International Data Transfer Addendum to the SCCs in force from 21 March 2022.

SCHEDULE A

I. DESCRIPTION OF PERSONAL DATA PROCESSING (APPLICABLE FOR MEDIA MEASUREMENT SERVICES)

The data processing activities carried out by Cint under this DPA may be described as follows:

Duration of processing: Personal Data is deleted 366 days after the end of the Customer Opportunity (as defined in the Agreement). 

Special categories of Personal Data: The Services shall not include processing of special categories of Personal Data except in cases where data subject responses to Controller-directed survey questions include special categories of data.

Nature and purpose of processing: Collecting, storing, organizing, structuring, analyzing, retrieving, using, transmitting, or other processing activities necessary for Cint to provide the Services in accordance with the Agreement.

Personal Data categories: technical data (IP addresses, cookie IDs, mobile identifiers and other device identifiers), administrative data (controller-specific and processor-specific identifiers), and other Personal Data, if any, made available by Controller to Processor. Including, without limitation, responses to surveys or other Personal Data Processed as part of providing survey hosting services, exclusive of Participant Data.

Data subjects: Data subjects include Participants invited to and choosing to respond to a Customer Survey via the Services, and as applicable individuals to whom advertisements are displayed.

II. DESCRIPTION OF PERSONAL DATA PROCESSING (APPLICABLE FOR MANAGED SERVICES THAT INCLUDES HOSTING SURVEY SERVICES)

The data processing activities carried out by Cint under this DPA may be described as follows:

Duration of processing: Personal Data is deleted 366 days after the end of the Customer Opportunity (as defined in the Agreement) 

Special categories of Personal Data: The Services shall not include processing of special categories of Personal Data except in cases where data subject responses to Controller-directed survey questions include special categories of data.

Nature and purpose of processing: Collecting, storing, organizing, structuring, analyzing, retrieving, using, transmitting,pseudonymizing and anonymizing or other processing activities necessary for Cint to provide the Services in accordance with the Agreement.

Personal Data categories: technical data (IP addresses, cookie IDs, mobile identifiers and other device identifiers), administrative data (controller-specific and processor-specific identifiers), and other Personal Data, if any, made available by Controller to Processor. Including, without limitation, responses to surveys or other Personal Data Processed as part of providing survey hosting services, exclusive of Participant Data.

Data subjects: Data subjects include Participants invited to and choosing to respond to a Customer Survey via the Services.