1. Meta shall only Process Personal Information in accordance with the Applicable Product Terms.
2. Meta shall ensure that any person authorized to Process Personal Information under these Data Processing Terms is bound by appropriate obligations of confidentiality.
3. Meta shall implement appropriate technical and organisational measures to protect the Personal Information Processed under these Data Processing Terms; this includes the measures listed in Meta’s Data Security Terms (as updated from time to time, for example to reflect technological developments) which are expressly incorporated into these Data Processing Terms.
4. Taking into account the nature of the Processing of Personal Information under these Data Processing Terms, Meta will assist you by appropriate technical and organisational measures, insofar as this is possible, to enable you as Controller to fulfill your binding obligations, if any, under applicable privacy and data protection laws to respond to requests from Data Subjects for the exercise of their Data Subject rights.
5. To the extent the GDPR applies to your Processing of Personal Information under these Data Processing Terms, Meta shall assist you in ensuring compliance with your binding obligations as a Controller pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Meta.
6. On termination of the Applicable Product Terms, Meta shall delete the Personal Information within the period set forth in the Applicable Product Terms, unless applicable law requires further storage. To the extent the EU GDPR applies to your Processing of Personal Information under these Data Processing Terms, “applicable law” in this paragraph means EU or EU/EEA member state law. To the extent the UK GDPR applies to your Processing of Personal Information under these Data Processing Terms, "applicable law" in this paragraph means UK law.
7. Meta will make available to you all information that is reasonably necessary to demonstrate Meta's compliance with its obligations as a Processor under these Data Processing Terms and, to the extent the GDPR applies to your Processing of Personal Information under these Data Processing Terms, under Article 28 of the GDPR.
8. Meta shall provide a copy of its then-current audit report once per year upon request. Such audit report refers to a SOC 2 Type II audit or another industry standard audit that may be deemed appropriate by Meta as part of Meta’s audit programs which relates to the data processing services and is conducted by an independent third-party auditor on an annual basis, such third-party auditor hereby deemed mandated by you. The audit report will be deemed to be Meta's confidential information.
9. To the extent required by privacy and data protection laws applicable to you as the Controller, Meta shall notify you without undue delay of the discovery by Meta of a Personal Information Breach involving the Personal Information Processed under these Data Processing Terms. Such notice shall include, where possible at the time of notification, or as soon as possible after notification, details of the nature of the Personal Information Breach and number of records affected, the category and approximate number of affected Data Subjects, the anticipated consequences of the Personal Information Breach and any actual or proposed remedies for mitigating its possible adverse effects.
10. You agree that Meta may subcontract its obligations under these Data Processing Terms to a sub-processor which might be based in the United States, the European Union (EU)/European Economic Area (EEA) or in other countries but only by way of a written agreement with the sub-processor which imposes obligations on the sub-processor no less onerous than as are imposed on Meta under these Data Processing Terms. Where the sub-processor fails to fulfill such obligations, Meta shall remain fully liable to you for the performance of that sub-processor’s obligations.
11. To the extent GDPR applies to your Processing under these Data Processing Terms as Controller, you hereby authorise Meta to engage other Meta companies as its sub-processor(s) (a list of Meta sub-processor(s) is available here). Meta shall notify you of any additional sub-processor(s) in advance. If you reasonably object to such additional sub-processor(s), you may inform Meta in writing of the reasons for your objections. If you object to such additional sub-processor(s), you should stop using the Applicable Products and providing data to Meta.
12. To the extent EU GDPR or the data protection laws in the EEA or Switzerland apply to your Processing under these Data Processing Terms as Controller and Meta Platforms Ireland Limited is the Meta entity to which these terms apply, the European Data Transfer Addendum is applicable to transfers originating in the EU, EEA or Switzerland of Personal Information and forms part of, and is incorporated by reference into, these Data Processing Terms.
13. To the extent UK GDPR applies to your Processing under these Data Processing Terms as Controller and Meta Platforms, Inc. is the Meta entity to which these terms apply, the UK Data Transfer Addendum is applicable to transfers originating in the UK of Personal Information to Meta Platforms, Inc. and forms part of, and is incorporated by reference into, these Data Processing Terms.

Definitions
For the purposes of these Data Processing Terms, the following terms have the meaning set out below:

“GDPR” means, as applicable, (i) the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 ("EU GDPR"); and (ii) UK GDPR as defined in the UK's Data Protection Act 2018 ("UK GDPR").

"Personal Information” means any information, whether true or not, relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, financial, cultural or social identity of that natural person. The term “Personal Information” also covers information of deceased natural persons where this is required under applicable privacy and data protection laws.

“Controller” means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of Personal Information.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller.

“Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed under these Data Processing Terms.

“Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Effective Date: April 25, 2023