Movio Data Processing Terms

1. Definitions 

1.1

Unless the context otherwise requires, terms defined in the Standard Terms have the same meanings when used in these Data Processing Terms. In addition, the following terms have the meanings set out below:

(a) “Affiliate” means in respect of a Party, any company, organization, partnership, person or other entity which directly or indirectly (a) controls, or is controlled by, that Party; or (b) is controlled by a company, organization, partnership, person or other entity which also controls that Party, (where “control” means possession of the power to direct or cause the direction of management and/or policies of the relevant entity, whether directly or indirectly through ownership of voting securities, by contract or otherwise);

(b) “Australian Privacy Principles” means the Australian Privacy Principles under the (AU) Privacy Act 1988);

(c) “CCPA” means California Consumer Privacy Act of 2018, California Civil Code §§1798.100 et seq., including any implementing regulations and as amended or superseded from time to time;

(d) "Data Protection Laws" means applicable legislation protecting the personal data of natural persons, including where applicable the GDPR, CCPA, LGPD, and the Australian Privacy Principles (and any data protection laws substantially amending, replacing or superseding the same) together with binding guidance and codes of practice issued from time to time by relevant supervisory authorities, or other legal or self-regulatory requirements relating to privacy or data protection as applicable to each Party’s performance in connection with the Agreement;

(e) “EU personal data” means personal data to which Data Protection Laws of the European Union, or of a Member State of theEuropean Union or European Economic Area, was applicable prior to its processing by Movio;

(f) “GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679 (“EUGDPR”); and (ii) UK GDPR;

(g) “LGPD” means the Brazilian General Data Protection Law No.13,709/2018;

(h) “Personal Data” means any information relating to identified or identifiable natural persons; that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or household; or that is defined as “personal data,” “personal information,” “personally identifiable information” or similar term under applicable Data Protection Laws (as defined herein);

(i) “Protected Area” means:

• in the case of EU personal data, the members states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 GDPR is in force; and

• in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force;

(j) "Standard Contractual Clauses” or “SCC” means:

• in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914; and/or

• in respect of UK personal data, theInternational Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner in accordance with s.119A of the Data Protection Act 2018

(k) “Sensitive Data” has the meaning given to that term (or any analogous term) in the applicable Data Protection Laws and may include personal, health, financial or legal data that could lead to identity theft, including but not limited to, passwords, credit card data, financial account numbers, personal identification numbers, social security numbers, driver’s license number, state-issued identification card numbers or any equivalent data relating to a Data Subject;

(l) "Services" means the services which are provided by Movio to the Client in accordance with this Agreement;

(m)“UK GDPR” means the EU GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).

(n) “UK personal data” means the processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by Movio; and

(o) The terms “Business”, “Business Purposes”, “Consumer”, "Data Controller", "Data Processor", "Data Subject","Personal Data Breach", "Process/Processing", “Sell”,“Service Provider”, and “Third Party” have the same meaning as described by such term (or the nearest equivalent term) in the Data Protection Laws.

2. Description of Personal Data Processing

2.1

To the extent that Movio Processes Personal Data on behalf of the Client pursuant to the GDPR, the Client hereby appoints Movio as Data Processor in relation to the Processing of Personal Data. The parties agree to act in accordance with their respective obligations under these Terms.

2.2

Notwithstanding anything to the contrary herein, pursuant to the CCPA, Movio may operate as a Business, Service Provider, or a Third Party with respect to Personal Data, when providing Services to Client. Client acknowledges and agrees that in order to provide the Services described in the Agreement, Movio must Process and Use Client Personal Data and other Personal Data. Where Movio combines Personal Data from different sources, it may do this as a Service Provider at Client’s instruction, or as a Third Party or Business where it has a lawful basis for such Processing, including based on its own Business Purposes. Movio may combine the Client Personal Data with Personal Data provided by other sources in order to provide certain proprietary Services (for example, the Madex Services).

2.3

Schedule 1 sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of personal data and categories of data subject as required by Article 28(3) of the GDPR or equivalent provisions of any Data Protection Laws. 

3. Data Processing Terms

3.1

In the respect of their obligations under this Agreement, both parties shall observe their respective obligations under the Data Protection Laws which arise in connection with the provision and use of the Services. 

3.2

Where Movio processes Personal Data for the Client as a Data Processor under GDPR and LGPD, it shall:

3.2.1 process the Personal Data solely on the Client's lawful documented instructions (whether in this Agreement or otherwise) for the purposes of providing the Services or as otherwise required by applicable law or the Agreement. If Movio is required by applicable law to process the personal data for any other purpose, Movio will inform Client of this requirement first, unless such law(s) prohibit this on important grounds of public interest;

3.2.2 notify the Client immediately if, in Movio’s opinion, an instruction for the processing of personal data given by the Client infringes applicable Data Protection Laws, it being acknowledged that Movio shall not be obliged to undertake additional work to determine if Client's instructions are compliant;

3.2.3 implement appropriate technical and organisational measures to ensure the security of the Personal Data including the minimum security measures set out in Schedule 2 and any additional security measures set out on Movio’s support website made accessible to the Client on entering into this Agreement, as such measures may be updated by Movio from time to time; 

3.2.4 (i) not transfer Personal Data subject to GDPR outside of the European Economic Area and/or the UK other than to countries which have been deemed to offer an adequate level of protection for Personal Data by the European Commission and/or the UK government as applicable, without the prior written consent of the Client; (ii) not transfer Personal Data subject to LGPD outside of Brazil other than to countries which have an adequate level of protection for Personal Data, or that the transfer is subject to the standard contractual clauses designed to facilitate transfers of Personal Data from Brazil to other countries in accordance with the LGPD, without the prior written consent of the Client. The Parties acknowledge that Movio may Process Personal Data subject to GDPR or LGPD from New Zealand where New Zealand is a country which the European Commission currently officially recognises as ensuring an adequate level of protection for the rights of individuals in connection with the transfer of their Personal Data outside the European Economic Area;

3.2.5 (i) only transfer EU or UK Personal Data outside of the Protected Area in accordance with clause 4 or otherwise with the prior written consent of the Client; (ii) not transfer Personal Data subject to LGPD outside of Brazil other than to countries which have an adequate level of protection for Personal Data, or that the transfer is subject to the standard contractual clauses designed to facilitate transfers of Personal Data from Brazil to other countries in accordance with the LGPD, without the prior written consent of the Client. The Parties acknowledge that Movio may Process Personal Data subject to GDPR or LGPD from New Zealand and the United Kingdom and that New Zealand and the United Kingdom are countries which are within the Protected Area;

3.2.6 notify the Client promptly (and within no later than 5 working days) of any communication from a third party (including a Data Subject or any Supervisory Authority) regarding the Processing of Personal Data and, subject to clause 3.5, provide reasonable assistance in responding to such communication;

3.2.7 notify the Client without undue delay upon becoming aware of any Personal Data Breach;

3.2.8 provide such information to the Client as the Client may reasonably require, and within the timescales reasonably specified by the Client, to allow the Client to comply with the rights of Data Subjects, including subject-access rights, or with notices served by the Supervisory Authority;

3.2.9 upon request, and subject to clause 3.5, provide the Client with reasonable assistance in carrying out its obligations under Articles 32 to 36 of the GDPR, where applicable;

3.2.10 on reasonable prior notice provide the Client with information to demonstrate compliance with Movio’s obligations under these Terms, at the Client's expense, submit to audits conducted by the Client provided that:

3.2.10.1 such audit is carried out within Movio’s normal business hours;

3.2.10.2 the Client shall not conduct more than1 audit per calendar year; and 

3.2.10.3 Movio will not be required to provide or permit access to:

(a) Information relating to other Clients of Movio;

(b) Information relating to internal Movio pricing;

(c) Internal reports prepared by Movio internal audit function and non- public external reports; and

3.2.10.4 any third party auditor engaged by the Client to carry out such audit enters into such confidentiality obligations with Movio (or its Sub-Processor as the case may be) as may be necessary to respect the confidentiality of Movio (or its Sub-Processor's) business interests and any third party data or information that the auditor becomes aware of during an audit; and

3.2.11 at the Client's option either return, or securely delete the Personal Data within no more than 30days save to the extent Movio is required to retain copies of any Personal Data pursuant to applicable laws.

3.3

To the extent Movio processes Personal Data for the Client as a Service Provider under CCPA, Movio shall not: (a) Sell such Personal Data; (b) retain, use, or disclose such Personal Data for any purpose other than performing the Services specified in this Agreement (or as otherwise permitted by the CCPA); or (c) retain, use, or disclose such Personal Data outside of the direct business relationship between the Client and Movio. Movio certifies that it and each of its employees, agents, and representatives who will receive such personal information understand, and shall comply with, the restrictions set forth in this clause 3.3. Client is responsible for determining whether its sharing of Personal Data under the Agreement is a Sale or otherwise impacts Client’s legal obligations. If Client deems the disclosure and usage of Personal Data as permitted under the Agreement constitutes a Sale or otherwise modifies Client’s notice and choice obligations to individuals under Data Protection Law, then Client agrees to provide such notice and choice as required under Data Protection Law.

3.4

To the extent that the disclosure of Personal Data as contemplated by the Agreement is deemed to be a Sale, the disclosing Party shall inform the other Party of any “Do Not Sell” or opt-out request received from a Consumer requiring that the Party in receipt of the request refrain from selling that Consumer’s Personal Data. Upon notice of such a request, each Party shall promptly cease any sale of that Consumer’s Personal Data.

3.5

Movio will be responsible for costs and expenses incurred by Movio in complying with its obligations as a Data Processor or Service Provider under these Terms unless otherwise agreed by the Parties. The Client will be responsible for costs and expenses incurred by the Client in complying with its obligations as a Data Controller or Business under these Terms unless otherwise agreed by the Parties. Unless stated otherwise in these Terms, Movio reserves its right to charge the Client additional reasonable fees for any assistance provided by Movio to the Client to assist the Client to comply with its obligations as a Data Controller under these Terms which go beyond any reasonable level of support/assistance, such fees to be pre-agreed by the Parties in writing. 

3.6

The Client will not provide Sensitive Data to Movio via the Services or otherwise. Where Movio becomes aware that it has received Sensitive Data, Movio will promptly notify the Client in writing and delete from its systems all Sensitive Data. Movio will have no liability to the Client or any third party in respect of any Sensitive Data provided to Movio.

4. Transfers of EU and UK Personal Data outside of the Protected Area

4.1

Movio shall not, and shall ensure that none of its Affiliates or Sub-Processors, transfer, access or use EU, or UK personal data outside of the Protected Area without Client’s prior authorisation.  Client agrees to authorise the transfers to Sub-Processors listed on the Vista Cloud Sub-processors page and any additional Sub-Processors appointed in accordance with clause 5.3 below of these Data Processing Terms, and Movio confirms that it has in place a mechanism for lawful transfer and where necessary agrees to procure that its Affiliates or Sub-Processor’s (as applicable) comply with the obligations set out in the Standard Contractual Clauses, with Movio as the ‘data exporter’ and the relevant Movio Affiliate or Sub-Processor (as applicable) as the ‘data importer’.

4.2

For the purpose of clause 3.2.5 above, in the event that a relevant European Commission decision or other valid adequacy method under applicable Data Protection Laws on which the parties have relied as the basis for any data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, then the parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.

5. Sub-Processing

5.1

The Client authorizes Movio to appoint third parties to Process the Personal Data (together, "Sub-Processors") in accordance with this clause 5.

5.2

The Client agrees to Movio’s continued use of any Sub-Processors already engaged by Movio as at the date of these Terms as set out on the Vista Cloud Sub-processors page and, subject to clause 4 above, to the processing of Personal Data outside the Protected Area detailed therein. 

5.3

The Client agrees to Movio's appointment of additional Sub-Processors for the purposes of providing the Services on the condition that Movio shall provide notice to the Client at least ten (10) days prior to the date on which the Sub-Processor shall commence processing Personal Data. Movio will enter into a contract with all Sub-Processors on terms which impose on such Sub-Processor data protection obligations that are no less onerous as are set out in these Terms.

5.4

If the Client reasonably objects to such additional Sub-Processors(s), the Client should notify Movio in writing, stop using the Services and providing data to Movio and Movio may terminate the Agreement by providing written notice to the Client with immediate effect and the Parties’ obligations on termination will apply in accordance with clause 9 of the Standard Terms.

5.5

Movio's use of Sub-Processors shall not relieve it of any liability and it shall remain responsible for its compliance with its obligations under Data Protection Laws and this Agreement.

6. General

6.1

The provisions of these Terms are supplemental to the provisions of the Agreement and shall not reduce either party's obligations under the Agreement in relation to the protection of Personal Data. In the event of inconsistencies between the provisions of these Terms and the provisions of the Agreement the provisions of these Terms shall prevail.

6.2

The Parties shall cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to Data Protection Laws, including applicable regulatory or self- regulatory guidance.

Schedule One - Personal Data

This Schedule 1 includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR or equivalent provisions of any Data Protection Law.

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in the Agreement.

The nature and purpose of the Processing of the Personal Data

Movio may access, collect and process Personal Data (as that term is defined in the Client’s Agreement) from time to time in conjunction with the Client’s licensing and use of Movio’s software pursuant to the Agreement.

The types of the Personal Data to be Processed

The types of personal data to be Processed are Personal Data commonly including, but not limited to, the following:

a) A copy of the following data points is transferred from the Client’s Vista Loyalty into the Client’s primary application database and processed by Movio for the purpose of providing the Movio Cinema Services:

  • Name
  • Address
  • E-Mail
  • Telephone number
  • Date of Birth
  • Client History (transactional and programme history (e.g. duration of membership, movies watched))
  • Recognitions (rewards applied to that customer account(e.g. points, free tickets, discounts, etc.))
  • Sales Channels (where the customer transacted (e.g. online, kiosk, box office))
  • Transactional Data (including but not limited to: Venue Hires, Box Office, group bookings (e.g. schools))

b) A copy of the following data points is transferred from the Client’s primary application database to Movio’s Data Warehouse where it is logically separated from other Client data and processed by Movio for the purpose of providing the Madex Services:

  • Movio ID (i.e. the data is pseudonymised)
  • Gender
  • Year of Birth
  • Transaction History relating to movies only (i.e. no exhibitor specific information such as points, clubs, tiers nor any concession POS items purchased)

c) A copy of the following data points is transferred from Movio’s Data Warehouse to the Madex application database and processed by Movio for the purpose of providing the Madex Services:

  • Hashed email (at the date of this Agreement, using SHA-256)
  • Gender
  • Year of Birth
  • Transaction History relating to movies watched

d) A copy of the following data points is transferred from Movio’s Data Warehouse to the Madex application database and processed by Movio for the purpose of providing the Madex Services:

  • Hashed email (at the date of this Agreement, using SHA-256)
  • Gender
  • Year of Birth
  • Transaction History relating to movies watched

The categories of Data Subject to whom the Personal Data relates

The categories of Data Subjects to whom Personal Data relates is comprised of moviegoer customers of the Client.

The obligations and rights of the Data Controller and Data Controller Affiliates

The obligations and rights of the Data Controller are set out in the Agreement and these Terms.

Schedule Two - Security Measures

This Schedule 2 sets out the security measures which Movio shall take to ensure a level of security for the Personal Data appropriate to the level of the risk.

1. Overall instructions

1.1

In addition to the obligations set out in the Agreement, Movio will comply with the instructions regarding security and information security measures set out in this Schedule 2 for the Movio systems used to process Personal Data for the Client (“Systems”).

1.2

Movio will ensure ongoing confidentiality, integrity, availability, and resilience of the Systems and services, as set out in the Agreement and this Schedule 2.

1.3

Movio will perform a risk analysis for the Systems prior to using the Systems to process Personal Data for the Client.

2. Confidentiality

2.1

Movio will implement the measures and processes set out below:

2.1.1 Ensure the use of role-based access and login to sections with Personal Data (including the option of follow-up on/adjustment of role-based access) and that only authorised devices and relevant employees with a work-related need for data processing have access to Personal Data.

2.1.2 If an employee changes roles within Movio, ensure that they do not retain access to Personal Data unless such Personal Data is required for their new role. When an employee leaves Movio, ensure that they do not take with them any business-critical information. Ensure that no previous employees or external consultants have access rights to the systems holding Personal Data.

2.1.3 Ensure use of pseudonymisation and encryption of Personal Data where feasible.

2.1.4 Use secure/encrypted transfer of Personal Data on the open internet.

Physical Security: 

2.1.5 Fit appropriate locks or other physical controls to the doors and windows of rooms where computers are kept.

2.1.6 Destroy or remove all Personal Data from media such as CDs before disposing of them.

2.1.7 Ensure that all Personal Data is removed from the hard drives of any used computers before disposing of them.

Access Controls:

2.1.8 Password procedures must be in place, including using strong passwords, periodically updating passwords and ensuring that employees do not write them down.

Logs:

2.1.9 Log failed login attempts, including log of time, user, etc. and block access after a certain number of failed login attempts for each user.

2.1.10 Log user activities, including log of time, user, search, search criteria, access, modification, close, print, export, erasure/delete, etc. and automated erasure of log after a certain time interval.

3. Integrity and availability

3.1

Movio will implement the measures and processes set out below:

3.1.1 Protect networks, systems, logs, and Personal Data against tampering.

3.1.2 Ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including by backing-up data.

4. Resilience

4.1

Movio will have a vulnerability management program, including regular monitoring of potential vulnerabilities and performance of penetration tests of networks and Systems.

4.1.1 The vulnerability management program will include, but is not limited to:

i) Performing vulnerability scans on internal and external perimeters at least quarterly.

ii) Performing penetration tests on external network perimeters at least annually or more frequently where incidents disclose the need for such tests.

iii) Following up on and remedy of any weaknesses identified in connection with such scans and tests.

4.2

On an ongoing basis, Movio will keep networks and systems up to date with regard to new versions, updates, and patches.

5. Awareness, training and security checks in relation to personnel

5.1

Movio will implement the measures and processes set out below:

5.1.1 Perform reference checks on all new employees.

5.1.2 Provide training to new employees regarding information security and ensure that they read and understand Movio’s Information Security Policy. Ensure employees know where to find details of the information security standards and procedures relevant to their role and responsibilities.

6. Incident response management and business continuity

6.1

Movio will implement the measures and processes set out below:

6.1.1 Ensure that employees understand what a Personal Data Breach and a Security Incident mean, and train employees to recognize the signs thereof and to respond appropriately.

6.1.2 Movio will have a plan in place to assure business continuity in the event of a serious security incident and will test the plan at least once a year. After an incident in which the plan is used and after every test, it must be re-examined and updated according to the lessons learned.

7. Audits

7.1

Movio will monitor and keep up to date all measures, processes, and risk analyses.

7.2

Movio will implement a process for periodical testing, assessing, and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing, including, but not limited to, the measures set out herein.

7.3

Movio will implement procedures for effectively following up on non-compliance.

7.4

Movio will conduct internal audits at least once per year.