DATA PROTECTION ADDENDUM CONTROLLER TO PROCESSOR

In order to fulfill its obligations under applicable data protection and security regulations, Constellation Brands, Inc., including any of its subsidiary entities as may be applicable to this addendum, (“Company”) will share certain Personal Data with service provider (“Service Provider”) subject to the terms of this addendum (“Addendum”), and only as necessary for Service Provider to perform its obligations under the master agreement between the parties (the “Primary Agreement”). Service Provider will operate as an “agent” for Company for the limited purposes of using, storing, and otherwise processing this Personal Data. This Addendum is hereby incorporated by reference into the Primary Agreement.

  1. Definitions. For the purposes of this Addendum, the following terms shall have the following meanings:

“Personal Data” means any information received by the Service Provider from Company, or on the Company’s behalf, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.

“Process” or “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

  2. Obligations of the Service Provider.
    The Service Provider represents and warrants that:

    a. It will Process the Personal Data on behalf of Company, only for the purpose of fulfilling its obligations under the Primary Agreement(s) or as otherwise instructed in writing by Company, and in accordance with all applicable privacy and data protection laws, and the terms of this Addendum. For the avoidance of doubt, Service Provider is prohibited from: (i) selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, or in writing, or by electronic or other means Personal Data to another entity (whether affiliated or not); (ii) processing the Personal Data for Service Provider's own cross-contextual behavioral advertising; (iii) retaining, using, or disclosing the Personal Data outside of the relationship between Company and Service Provider; and (iv) combining the Personal Data with any other personal data processed by Service Provider outside of its relationship with Company, except as expressly permitted by the Primary Agreement.

    b. It will notify Company in writing immediately upon making a determination that it has not met, or can no longer meet, its obligations under Section 2(a) of this Addendum, and, in such case, will abide by Company’s written instructions, including instructions to cease further Processing of the Personal Data, and take any necessary steps to remediate any Processing of such Personal Data not in accordance with Section 2(a) of this Addendum.

    c. It will submit its data processing facilities, data files and documentation needed for Processing the Personal Data to auditing and/or review by Company or any independent auditor or inspection entity reasonably selected by Company to ascertain compliance with this Addendum upon the request of Company, with reasonable notice and during normal business hours.

    d. It will obtain the prior written approval of Company to disclose Personal Data to any third party or otherwise allow any third party to access Personal Data; and, in such an event, it shall: (i) impose the same privacy and security requirements on any such third party to which Service Provider is subject under this Addendum; (ii) remain responsible for any such third party’s actions with respect to the Personal Data; and (iii) provide to Company, at least 60 days before disclosing or allowing access to any such Personal Data, a list detailing the name and address of all such third parties to which it discloses or allows access to Personal Data, including the locations of such third party’s servers hosting or Processing Personal Data, in order to allow Company to evaluate whether supplemental data processing agreements or other controls are needed to protect Personal Data and/or to decide whether to decline approval for subcontracting to any such third parties.

    e. With respect to the Personal Data transferred to or received by Service Provider under the Primary Agreement(s), Service Provider has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Personal Data. In particular, the Information Security Program shall include, but not be limited to, the following safeguards where appropriate or necessary to ensure the protection of Personal Data:

    i. Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access and will maintain the confidentiality of the Personal Data, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Personal Data where appropriate.

    ii. Security Awareness and Training – a security awareness and training program for all members of Service Provider’s workforce (including management), which includes training on how to implement and comply with its Information Security Program.

    iii. Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

    Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including a data backup plan and a disaster recovery plan.

    iv. Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Service Provider facility, and the movement of these items within a Service Provider facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use. Service Provider shall ensure that no Personal Data is downloaded or otherwise stored on laptops or other portable devices. 

    v. Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    vi. Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

    vii. Storage and Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

    viii. Assigned Security Responsibility – Service Provider shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Service Provider shall inform Company as to the person responsible for security.

    ix. Storage Media – policies and procedures to ensure that prior to any storage media containing Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, Service Provider will irreversibly delete such Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media such that it is impossible to recover any portion of data on the media that was destroyed. Service Provider shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Personal Data.

    x. Testing – Service Provider shall regularly (but not less frequently than annually) test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs. Additionally, those tests should be conducted or reviewed by independent third parties at least once every three years.

    xi. Adjust the Program – Service Provider shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Service Provider or the Personal Data, and Service Provider’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. Service Provider will inform Company about relevant changes in the Information Security Program.

    f. It will provide assistance to Company as may be reasonably necessary for Company to comply with applicable data protection laws, including, but not limited to, (i) assisting Company in responding to data subject requests for exercising data subject rights under applicable law; (ii) assisting Company in responding to data protection authority or other regulatory requests for information related to Service Provider’s Processing; and (iii) providing all information necessary related to Service Provider’s Processing for Company to demonstrate compliance with applicable data protection laws. Specifically, Service Provider agrees that it has the technical ability to and shall assist Company with securely deleting Personal Data, as well as providing Company with a list of Personal Data elements about a specific individual held by Service Provider on Company's behalf, upon Company's request and within 15 days of receiving such request.

    g. It shall notify Company immediately in writing in the event that: (i) any Personal Data is disclosed by Service Provider in violation of the Primary Agreement and/or this Addendum, or applicable laws relating to privacy or data protection or (ii) Service Provider discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred, may have occurred, or may occur (“Security Incident”). Service Provider shall cooperate fully in the investigation of the Security Incident, indemnify and reimburse Company for any and all damages, losses, fees, fines or costs (whether direct, indirect, special or consequential), including reasonable attorneys’ fees and costs, incurred as a result of such incident, and remedy any harm or potential harm caused by such incident. To the extent that a Security Incident gives rise to a need, in Company’s sole judgment, to (i) provide notification to public authorities, individuals, or other persons, or (ii) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a “Remedial Action”)), at Company’s request, Service Provider shall, at Service Provider’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion.

    h. Service Provider shall promptly notify Company if it receives a request for subject access, rectification, cancellation, objection or any other data protection related requests, and, should any court, government agency or law enforcement agency contact Service Provider with a demand for Company’s Data, Service Provider will direct the law enforcement agency to request such information directly from Company. As part of this effort, Service Provider may provide Company’s basic contact information to the agency. If compelled to disclose Company’s Data to law enforcement, then Service Provider will promptly, and without any undue delay, notify Company and deliver a copy of the request (except where Service Provider is legally prohibited from doing so) to allow Company to seek a protective order or any other appropriate remedy. To the extent permitted by applicable law, Service Provider shall take all reasonable actions to prevent disclosure of Company Personal Data to a government agency and/or in response to a legal demand such as subpoena or similar demand, without Company's prior express written consent. If and only to the extent that this is not legally possible, Service Provider will notify Company in advance of any disclosure and provide Company with the opportunity to object, unless prohibited by applicable law.

    i. Service Provider shall not Process Personal Data in a jurisdiction outside of the agreed Processing location without the written consent of Company. The remaining language in this Section 2(i) shall only apply to agreements where Service Provider has access to Personal Data of data subjects in the EU, European Economic Area, or Switzerland, or if one of the parties to the agreement is located in the EU or in Switzerland. To the extent that Personal Data includes information about individuals who are located in the European Economic Area (“EEA”) or Switzerland, and Service Provider or any subcontractors store or otherwise obtain access to such Personal Data outside of the EEA or Switzerland, the Service Provider agrees to Process this Personal Data in accordance with the EC Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to the Commission Implementing Decision (EU) 2021/914, Module Two, which is incorporated by reference herein (“Model Processor Contract”) and for Personal Data on which the Swiss data protection laws apply including the specific Swiss local law amendments to the Model Processor Contract. With respect to the Model Processor Contract: (i) the signature to this Addendum constitutes signature to the Model Processor Contract, including the appendices thereto; (ii) each of Company and/or Company’s subsidiaries established in the EEA or Switzerland shall be deemed for the purposes of this Addendum to be the “data exporter”; (iii) Service Provider and each subcontractor that stores, accesses, or otherwise processes such Personal Data shall be deemed for the purposes of this Addendum to be a “data importer”; (iv) the data processing activities in Appendix I to the Model Processor Contract shall be as described in Appendix 1 to this Addendum; and (v) the data security measures in Appendix II to the Model Processor Contract shall be those identified in Appendix 2 to this Addendum; and the Primary Agreement(s)

With respect to the Model Processor Contract, the following is acknowledged and agreed to by both the Company and Service Provider: (i) Clause 7 is intentionally omitted; (ii) the data exporter is to receive 60 days’ notice pursuant to Clause 9(a); (iii) Service Provider must obtain specific authorization (as detailed above in Section 2(d)) for the appointment of subprocessors; (iv) the optional language under Clause 11(a) (Optional Redress with Independent Resolution Body) shall not apply; (v) with respect to Clause 17, Option 1 (Governing Law) shall apply, and the Model Processor Contract shall be governed by the laws of the jurisdiction applicable to the Company exporter; and (vi) for purposes of Clause 18 (Choice of Forum and Jurisdiction), any disputes arising from the Model Processor Contract shall be resolved by the courts of the applicable Company exporter.

The Swiss local law amendments to the Model Processor Contract are the following:

  1. Supervisory Authority: The Federal Data Protection and Information Commissioner is the competent supervisory authority;
  2. Applicable Law for Contractual Claims under Clause 17: Swiss law (or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the Federal Act on Data Protection "FADP");
  3. Member State / European Union: Switzerland is to be considered as a Member State within the meaning of the Model Processor Contract so that data subjects among others are entitled to file claims according to Clause 18(c) of the Model Processor Contract at their habitual residence in Switzerland;
  4. References to the General Data Protection Regulation and the Regulation (EU) 2016/679 are to be understood as references to the FADP;
  5. Personal Data: Until the revised FADP enters into force on September 1, 2023, which no longer protects data of legal persons but only data of natural persons, the Model Processor Contract also applies to data of legal persons.

    j. Service Provider shall, upon the Company’s request, promptly execute supplemental data processing agreement(s) with Company or any of its subsidiaries or take other appropriate steps to address cross-border transfer and requirements if Company concludes, in its sole judgment, that such steps are necessary to address applicable data protection or privacy laws concerning Personal Data.

    k. Service Provider certifies that it understands and will comply, and will cause all Service Provider personnel to certify that they understand and will comply, with the requirements of this Addendum.

    l. The parties agree that, to the extent such right is clearly established in the Primary Agreement, Service Provider may use Company's Personal Data on the Company's behalf to improve services and for related business purposes. In such cases, Company instructs Service Provider to use only de-identified or aggregate information, and, for the sake of clarity, Company instructs Service Provider to first anonymize, aggregate, and/or de-identify the Personal Data as necessary for that purpose. With respect to such de-identified or aggregated information: (1) Service Provider shall comply with all applicable laws, including the implementation of: (a) technical safeguards that prohibit reidentification; (b) business processes that specifically prohibit reidentification; (c) business processes to prevent inadvertent release of deidentified information; and (2) Service Provider shall make no attempt to reidentify the information unless such reidentification is permitted under all applicable laws.

  3. Governing Law.

This Addendum will be governed by and construed in accordance with the laws of the state which govern the Primary Agreement, without regard for its choice of law rules.

  4. Term, Termination, and Effective Date.
    a. This Addendum shall be effective as of the date last executed by a party (the “Effective Date”) and shall remain in full force and effect for so long as the Primary Agreement(s) remains in effect, unless earlier terminated pursuant to Section 4(b).

    b. Company may terminate this Addendum and/or the Primary Agreement immediately, without judicial notice or resolution and without prejudice to any other remedies, in the event that (i) compliance with the terms of this Addendum by the Service Provider would put Service Provider in breach of its legal obligations; (ii) the Service Provider is in substantial breach of any representations or warranties given by it under this Addendum and fails to cure such breach within thirty (30) days of notice from Company; (iii) Service Provider provides notice to Company pursuant to Section 2(b) of this Addendum; (iv) a data protection or other regulatory authority or other tribunal or court in the countries in which Company or its subsidiaries operates finds that there has been a breach of any relevant laws in that jurisdiction by virtue of the Service Provider’s or Company’s processing of the Personal Data; or (v) either party makes an assignment for the benefit of creditors, becomes subject to a bankruptcy proceeding, is subject to the appointment of a receiver, or admits in writing its inability to pay its debts as they become due.

    c. This Addendum shall immediately terminate if all applicable Primary Agreement(s) are terminated for any reason.

    d. Upon termination of this Addendum for any reason, the Service Provider shall return all Personal Data and all copies of the Personal Data subject to this Addendum to Company or, at Company’s request, shall destroy (i.e., render the information permanently unreadable and not reconstructable into a usable format in accordance with the then-current U.S. Department of Defense, or similar data destruction standard or CESG standards, as applicable) all such Personal Data and shall certify to Company that it has done so.

APPENDIX 1 AND APPENDIX 2 ONLY APPLY TO AGREEMENTS WHERE THE SERVICE PROVIDER HAS ACCESS TO PERSONAL DATA OF DATA SUBJECTS IN THE EUROPEAN UNION, EUROPEAN ECONOMIC AREA, OR SWITZERLAND, OR IF ONE OF THE PARTIES TO THE AGREEMENT IS LOCATED IN THE EUROPEAN UNION, EUROPEAN ECONOMIC AREA, OR SWITZERLAND.


APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

*PLEASE COORDINATE WITH YOUR POINT OF CONTACT AT CONSTELLATION BRANDS, INC. FOR THE PRIMARY AGREEMENT TO COMPLETE APPENDIX 1 TO THIS AGREEMENT, IF APPLICABLE.


APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of individuals, Service Provider shall implement appropriate technical and organisational measures to ensure a level of security of Personal Data appropriate to the risk, as follows:


1. Pseudonymisation

Personal data belonging to Constellation Brands can be processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which exclude the unauthorized identification of the data subject.

Nevertheless, data pseudonymized in this way remains personal data according to the GDPR and the FADP. Pseudonymisation is a technical and organisational measure and can be implemented by the Processor as follows:

  • separate storage of additional information for identification
  • use of IDs instead of names
  • encryption of additional information for identification
  • management and documentation of differentiated authorizations concerning additional information for identification
  • authorization process or approval routines for authorizations to process additional information for identification
  • copy protection with regard to additional information for identification

2. Measures for encryption

  • encryption of mobile devices such as laptops, tablets, smartphones
  • encryption of mobile storage media (CD/DVD-ROM, USB sticks, external hard drives)
  • encryption of files
  • encryption of systems
  • encrypted storage of passwords
  • encryption of e-mails and e-mail attachments
  • secured data sharing (e.g. SSL, FTPS, TLS)
  • secured WLAN

3. Measures to ensure confidentiality

    a. Measures which ensure that unauthorized persons do not have access:

  • access control system, document reader (magnetic / chip card)
  • door protections (electric door opener, number lock, etc.)
  • safety doors / windows
  • grates in front of windows / doors
  • fence systems
  • key management / documentation of key assignment
  • protection of facilities, guards
  • alarm system
  • video surveillance
  • special protective measures for the server room
  • special protective measures for storage of back-ups and/or other data carriers
  • irreversible destruction of data carriers
  • employee and authorization documents
  • prohibited areas
  • visitor rules (e.g. pick-up at reception, documentation of visiting hours, visitor pass, accompanying visitors to exit after visit)

    b. Measures which prevent unauthorized persons from using the processing systems:

  • personal and individual user log-in for registration in the systems or company network
  • authorization process for access authorizations
  • limitation of authorized users
  • single sign-on
  • two-factor authentication
  • BIOS passwords
  • password procedures (indication of password parameters with regard to complexity and update interval)
  • electronic documentation of passwords and protection of this documentation against unauthorized access
  • personalized chip cards, token, PIN/TAN, etc.
  • logging of access
  • additional system log-in for certain applications
  • automatic locking of the clients after expiry of a certain period without user activity (also password protected screensaver or automatic stand-by)
  • firewall

    c. Measures which ensure that only authorized persons have access to the processing systems and that personal data cannot be read, copied, modified or removed without authorization:

  • management and documentation of differentiated authorizations
  • evaluations/logging of data processing
  • authorization process for authorizations
  • approval routines
  • profiles/roles
  • encryption of CD/DVD-ROM, external hard drives and/or laptops (e.g. per operating system, Safe Guard Easy, PGP)
  • measures to prevent unauthorized transfer of data on data carriers which can be used externally (e.g. copy protection, locking of USB ports, Data Loss Prevention (DLP) system)
  • Mobile Device Management system
  • four-eyes principle
  • segregation of functions ("segregation of duties")
  • expert destruction of records
  • irreversible deletion of data carriers
  • privacy foil for mobile data processing systems
  • cyber-related logs retained for no less than six months

    d. Measures which ensure that data collected for different purposes can be processed separately:

  • storage of the data sets in physically separated databases
  • separate systems
  • access authorizations by functional responsibility
  • separate data processing by differentiating access rules
  • multi-client capability of IT systems
  • use of test data
  • separation of development and production environment

4. Measures to ensure integrity

  • access rights
  • system-side logging
  • document management system (DMS) with change history
  • security / logging software
  • functional responsibilities, organisationally specified responsibilities
  • multiple-eyes principle
  • tunnelled remote data connections (VPN = virtual private network)
  • Data Loss Prevention (DLP) system
  • electronic signature
  • logging of data transfer or data transport
  • logging of read accesses
  • logging of the copying, modifying or removal of data

5. Measures to ensure and restore availability

  • security concept for software and IT applications
  • back-up procedures
  • storage process for back-ups (fire-protected safe, separate fire sections, etc.)
  • ensuring data storage in secured network
  • need-based installation of security updates
  • mirroring of hard drives
  • set-up of an uninterrupted power supply
  • suitable archiving facilities for paper documents
  • fire and/or extinguishing water protection for the server room
  • fire and/or extinguishing water protection for the archiving facilities
  • air-conditioned server room
  • virus protection
  • firewall
  • emergency plan
  • successful emergency exercises
  • redundant, locally separated data storage (off-site storage)

6. Measures to ensure resilience

  • emergency plan in case of machine breakdown / business recovery plan
  • redundant power supply
  • sufficient capacity of IT systems and plants
  • logistically controlled process to avoid power peaks
  • redundant systems / plants
  • resilience and error management

7. Procedure for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures

  • procedures for regular controls/audits
  • concept for regular review, assessment and evaluation
  • reporting system
  • penetration tests
  • emergency tests

8. Control of instructions / assignment control

  • process of issuing and/or following instructions
  • specification of contact persons and/or responsible employees
  • control / examination that the assignment is executed in accordance with instructions
  • training / instruction of all Service Provider's access-authorized employees
  • independent auditing of adherence to instructions
  • commitment of employees to maintain confidentiality
  • agreement on penalties for infringements of instructions
  • appointment of a data protection officer according to art. 37 et seq. GDPR or art. 10 FADP
  • data protection manager / coordinator
  • keeping records of processing activities in accordance with art. 30, para. 2 GDPR or art. 12 FADP
  • documentation and escalation process for personal data breaches
  • guidelines / instructions which guarantee technical-organisational measures for the security of the processing
  • process for forwarding requests of data subjects