Where you are in the European Economic Area, you acknowledge and agree that your use of some APIs associated with Oculus Software Development Kit (particularly Spatial Audio VoIP API) (the “Services”) may involve sending Personal Data (as defined below) to Facebook Technologies Ireland Limited (“Oculus”). To the extent that we process such data as your Processor (as defined below) these Data Processing Terms apply in addition to our other applicable terms and policies made available to you, including those on our Developer Portal (together “Applicable Developer Terms”).
Oculus and you agree to the following:
1.1 For the purposes of these Data Processing Terms, the following terms have the meaning set out below:
1.1.1 "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meanings as in the GDPR and "Processed" and "Process" shall be construed in accordance with the definition of "Processing".
1.1.2 "Data" means Personal Data controlled by you which is Processed by Oculus in connection with its provision of Services as described in Annex A.
1.1.3 "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679).
2. Data Processing Terms
2.1 The terms of these Data Processing Terms shall apply only where and to the extent that Data processed by Oculus as a Processor on behalf of Oculus is subject to the GDPR.
2.2 Oculus shall:
2.2.1 only process Data for the purposes described in Annex A;
2.2.2 implement appropriate technical and organisational measures to protect the Data;
2.2.3 assist you by appropriate technical and organisational measures insofar as this is possible (taking into account the nature of the Processing) to enable you to fulfil any obligations to respond to requests for the exercise of Data Subject rights by a Data Subject under GDPR;
2.2.4 assist you in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Oculus;
2.2.5 on termination of the Applicable Developer Terms, delete the Data as soon as reasonably practicable and within a maximum period of 180 days unless EU or EU Member State law requires further storage, provided however that Oculus may keep the Data if necessary to provide other services set forth in the Applicable Developer Terms;
2.2.6 make available to you all information that is reasonably necessary to demonstrate Oculus's compliance with its legal obligations as a Data Processor under Article 28 of the GDPR; and
2.2.7 upon your reasonable written request, and subject to the confidentiality obligations set out in the Applicable Developer Terms (if any), Oculus shall make available to you no more than once in any 12 month period, information regarding Oculus’s compliance with Oculus’s data processing obligation under this Agreement in the form of such third-party certifications and/or audit reports as Oculus may deem appropriate to be carried out as part of Oculus's own internal audit programs.
2.3 You agree that Oculus may subcontract its data processing obligations under these Data Processing Terms to a sub-processor, but only by way of a written agreement with the sub-processor, which imposes obligations on the sub-processor no less onerous than as are imposed on Oculus under these Data Processing Terms. Where the sub-processor fails to fulfil such obligations, Oculus shall remain fully liable to you for the performance of that sub-processor's obligations. You hereby authorize Oculus to engage Facebook Technologies LLC or Facebook Inc. (and other Facebook Companies) as its sub-processor(s). Oculus shall notify you of any additional sub-processor(s) in advance. If you reasonably object to such additional sub-processor(s), you may inform Oculus in writing of the reasons for your objections. If you object to such additional sub-processor(s), you should stop using the Services and providing Data to Oculus.
2.4 Oculus shall notify you without undue delay of the discovery by Oculus of any actual or suspected Personal Data Breach involving the Data. Such notice shall include, at the time of notification or as soon as possible after notification, details of the nature of the breach and number of records affected, the category and approximate number of affected data subjects, anticipated consequences of the breach and any actual or proposed remedies for mitigating the possible adverse effects of the breach.
2.5 For the purposes of the transfer of any Data from the European Economic Area or (after EU law ceases to apply to the UK) the UK, by you to Facebook: (i) the European Commission's 2010 standard contractual clauses for controller-to-processor transfers (as amended or superseded) (the "Processor SCCs") are hereby incorporated by reference into these Data Processing Terms to govern such international transfer of Data; (ii) for the purposes of the Processor SCCs, you shall be deemed the "data exporter" and Oculus, the "data importer"; and (ii) Appendix 1 to the Processor SCCs shall be deemed to have been completed with the description of Processing set out in Annex A to these Data Processing Terms.
3.1 In the event of any conflict, these Data Processing Terms shall take precedence over the Applicable Developer Terms and the terms of the Processor SCCs shall take precedence over these Data Processing Terms.
3.2 These Data Processing Terms, in conjunction with the Applicable Developer Terms, constitutes the entire understanding and agreement between you and Oculus with respect to its subject matter.
3.3 These Data Processing Terms shall automatically terminate upon the termination or expiration of the Applicable Developer Terms.
Data Processing Description
This Annex A forms part of the Data Processing Terms and describes the Processing that Oculus will perform on your behalf.
1. Categories of Data
The Data to be Processed concern the following categories of Personal Data (please specify):
VOIP/audio data and spatial data (with randomized ID)
2. Special Categories of Data
The Data transferred concern the following special categories of Data (please specify):
3. Data subjects
The Data to be Processed concern the following categories of Data Subjects (please specify):
Users of your app(s)
4. Processing activities
The Data will be subject to the following basic Processing activities (please specify):
to return realistic audio (or spatial audio data) based on the position of users within your app(s);
to derive metadata from the activity of users within your app(s) (inclusive of zone ID, length of time associated with the zone ID, randomized ID, App ID, bits of audio dropped, latency for zone) which is necessary in order to provide support and/or operate the Services; and
to anonymize the metadata so that it is no longer Personal Data for the purposes of GDPR. You understand and agree that Oculus may retain such anonymized metadata for its own legitimate purposes, including improvement and development of the Services.
Oculus shall process the Data:
As necessary to provide support and/or operate the Services under the Applicable Developer Terms or otherwise in accordance with your documented instructions.