Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into the Letter of Engagement or other agreement signed in writing (“Agreement”) by Client and Walker & Dunlop (including any members of the Walker & Dunlop corporate group are party to the Agreement) (each as defined in the Agreement) (together, the “parties” and each a “party”). The parties agree as follows:
- DEFINITIONS
- Capitalized terms not defined herein shall have the meaning given to them in the Agreement and otherwise the capitalized terms in this DPA shall have the meanings given below:
- “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Privacy Protection Agency or California Attorney General;
- “Controller to Processor Clauses” means: (a) in respect of transfers of Personal Data subject to the EU GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time;
- “Data Privacy Laws” means, as applicable to the parties, EU/UK Privacy Laws, the CCPA, and any similar law of any other jurisdiction which relates to data protection, privacy or the use of Personal Data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
- “EU/UK Privacy Laws” means, as applicable: (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018, the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the UK Data Protection Act 2018, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, directive, order, rule, regulation or other binding instrument which implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
- “Personal Data” means any information Walker & Dunlop processes on behalf of Client to provide the Services that is defined as “personal data” under the applicable Data Privacy Laws. For the avoidance of doubt, “Personal Data” does not include de-identified data, anonymized data, or publicly available information as such terms are defined in applicable Data Privacy Laws;
- “Processor to Processor Clauses” means: (a) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time; and
- “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.
- USE OF PERSONAL DATA AND HANDLING RESTRICTIONS
- Roles of the parties. The parties agree that for the purposes of applicable Data Privacy Laws, Client is the “controller” or any similar term provided under applicable Data Privacy Laws, and Walker & Dunlop is the “processor” or any similar term provided under applicable Data Privacy Laws.
- Details of processing. The parties agree the details of processing for the purposes of compliance with EU/UK Privacy Laws are as described in Section 4.
- Client obligations. Client shall comply with all Data Privacy Laws in providing Personal Data to Walker & Dunlop in connection with the Services. Client represents and warrants that: (a) the Data Privacy Laws applicable to Client do not prevent Walker & Dunlop from fulfilling the instructions received from Client and performing Walker & Dunlop’s obligations under this DPA; (b) all Personal Data was collected and at all times processed and maintained by or on behalf of Client in compliance with all Data Privacy Laws, including with respect to any obligations to provide notice to and/or obtain consent from individuals; and (c) Client has a lawful basis for disclosing Personal Data to Walker & Dunlop and enabling Walker & Dunlop to process the Personal Data as set out in this DPA. Client shall notify Walker & Dunlop without undue delay if Client makes a determination that the processing of Personal Data under the Agreement does not or will not comply with applicable Data Privacy Laws, in which case, Walker & Dunlop shall not be required to continue processing such Personal Data.
- Processing of Personal Data. To the extent required by applicable Data Privacy Laws, in processing Personal Data under this DPA, Walker & Dunlop shall:
- only process Personal Data on Client’s documented instructions, for the limited and specific purpose described in Section 4, and at all times in compliance with applicable Data Privacy Laws, unless required to process such Personal Data by applicable law to which Walker & Dunlop is subject; in such a case, Walker & Dunlop shall inform Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- to the extent EU/UK Privacy Laws apply, notify Client if, in its opinion, the instruction of Client infringes applicable;
- to the extent EU/UK Privacy Laws apply, that each employee or other person processing Personal Data is subject to an appropriate duty of confidentiality with respect to such Personal Data; and
- to the extent EU/UK Privacy Laws apply, maintain records and information that demonstrate its compliance with all applicable EU/UK Privacy Laws and the requirements of this DPA and will make all such records and information available to Client or an auditor Client selects for the purpose of auditing Walker & Dunlop’s compliance. Client shall be permitted to conduct such an assessment no more than once every twelve (12) months, upon thirty (30) days’ advance written notice to Walker & Dunlop, and only after the parties come to agreement on the scope of the audit and the auditor is bound by a duty of confidentiality.
- Transfers. To the extent EU/UK Privacy Laws apply, Walker & Dunlop processes Personal Data in a Third Country, and it is acting as data importer, Walker & Dunlop shall comply with the data importer’s obligations and Client shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA, and:
- for the purposes of Annex I of the EU SCCs or Part 1 of the UK Addendum (as relevant), Client is a controller and Walker & Dunlop is a processor, and the parties, contact person’s details and processing details set out in the Agreement and this DPA shall apply, and the start date is the effective date of the Agreement;
- if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 2(f);
- for the purposes of Annex II of the EU SCCs or Part 1 of the UK Addendum (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by Walker & Dunlop to assist Client, as each are set out in Annex I, shall apply;
- if applicable, for the purposes of: (i) clause 9 of the EU SCCs, option 2 (“general written authorization”) is deemed to be selected and the notice period specified in Section 5(b) shall apply; (ii) clause 11(a) of the EU SCCs, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) clause 13 and Annex I.C of the EU SCCs, the competent supervisory authority shall be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens); (iv) clauses 17 and 18 of the EU SCCs, Option 1 is deemed to be selected and the governing law and the competent courts shall be Netherlands law and courts; (vi) part 1 of the UK Addendum, Walker & Dunlop as importer may terminate the UK Addendum pursuant to section 19 of such UK Addendum; and
- Client acknowledges and agrees that Walker & Dunlop may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Walker & Dunlop shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Client.
- Deletion of Personal Data. To the extent EU/UK Privacy Laws applies, Walker & Dunlop shall, in accordance with any written request from Client, delete or return Personal Data at the end of the provision of the Services for which the Personal Data was processed, provided that Walker & Dunlop may retain copies of Personal Data in accordance with any legal or regulatory requirements, or any guidance issued by a supervisory authority relating to deletion or retention, or as needed to protect Walker & Dunlop from legal claims.
- CALIFORNIA PERSONAL DATA PROCESSING
- This Section 3 applies only to the extent that Walker & Dunlop will receive or process Personal Data of California residents on behalf of Client, where Client and such Personal Data are subject to the CCPA.
- Walker & Dunlop shall, in connection with its processing of such Personal Data: (i) comply with applicable obligations under the CCPA and provide the same level of privacy protection as is required by the CCPA; and (ii) grant Client the right to take reasonable and appropriate steps to help ensure Walker & Dunlop uses the Personal Data in a manner consistent with Client's obligations under the CCPA and stop and remediate any unauthorized use of the Personal Data.
- Taking into account the nature of the processing, Walker & Dunlop shall assist Client through appropriate technical and organizational measures in responding to consumer requests, including by providing or correcting the relevant Personal Data, or by enabling Client to do the same.
- Except to the extent permitted by the CCPA, Walker & Dunlop shall not: (i) sell the Personal Data or share the Personal Data for cross-context behavioural advertising purposes; (ii) retain, use, or disclose the Personal Data outside of the direct business relationship between Walker & Dunlop and Client and for any purpose other than for the specific purpose of performing the services provided under the Agreement; and (iii) combine the Personal Data received from, or on behalf of, Client with any Personal Data that may be collected from Walker & Dunlop's separate interactions with the individual(s) to whom the Personal Data relates or from any other sources.
- DETAILS OF PROCESSING OR TRANSFER
- Nature of the processing or transfer. The nature of the processing is using, recording, editing, storing, and accessing Personal Data, for the purposes of the processing described in sub-clause (b), in connection with Walker & Dunlop’s provision of the Services to the Client as set out in the Agreement.
- Purpose(s) of the processing or transfer. Walker & Dunlop will process Personal Data for the following purposes:
- for the purpose of providing Client with products, services, or information related to the Property;
- for the purpose of providing Client with information about the Agreement or required notices;
- for the purpose of customizing Client staff and end user experience when using Walker & Dunlop services;
- for the purpose of providing content based on Client staff and end user interests;
- for the purpose of safety and security, including detecting, preventing and responding to fraud, violations or law or other misuse related to the Transaction or Engagement;
- for the purpose of Walker & Dunlop protecting its rights when it believes, in good faith, that disclosure is necessary to protect the integrity of the Engagement or Client’s safety or the safety of others; and
- for the purpose of improving the performance, features, and functionality of Transactions, Financing, Disposals of Properties and Walker & Dunlop Engagements, including collecting and using diagnostic, technical and related performance information that will be aggregated and/or anonymised for the purposes of generating and analysing statistics about Walker & Dunlop’s systems, user demographic, and traffic patterns, product offerings and services; and for avoidance of doubt, Client's instructions explicitly cover and permit processing for the foregoing purposes.
- Categories of individuals whose Personal Data is processed or transferred. Unless otherwise defined elsewhere in the Agreement, may include the following in respect of Client: employees, contractors, representatives, building occupants, tenants, landlords, guarantors, visitors, owner, borrower, loan guarantor, and similar.
- Categories of Personal Data processed or transferred. Any Personal Data processed by Walker & Dunlop on behalf of Client including, but not limited to: (i) Name and contact information (including phone number, address, email, social media details, emergency contact); (ii) proof of identity and signatures (including drivers’ license, passport, and other forms of ID); (iii) information related to the application for a property, or the property itself (including unit number, occupancy information, financial information and history (such as rent value, deposits, credit searches, bank details, etc.), application information, lease documents and information, employment details and income history, social security numbers, proof of insurance, housing assistance information, automobile related information, photographs of the property); and (iii) financial information (including financial statements, tax returns, tax IDs, entity records, invoices, investment summaries, search authorisations, other credit information).
- Special category data processed or transferred. To the extent required for housing assistance information, social security numbers, race, ethnicity, citizenship, disability, and criminal history information may be processed. Walker & Dunlop works to minimize collection of special categories of personal data to what is required.
- Frequency of processing or transfer. Continuous.
- The subject matter, nature and duration of processing or transfer carried out by any sub-processors authorised pursuant to Section 5 is as set out in this Section 4 and Annex II.
- USE OF SUBPROCESSORS
- To the extent the EU/UK Privacy Laws apply, when Walker & Dunlop engages any sub-processors to process Personal Data on its behalf:
- Client hereby grants Walker & Dunlop general written authorisation to engage the sub processors set out in Annex II, subject to the requirements of this Section 5;
- if Walker & Dunlop appoints a new sub-processor or intends to make any changes concerning the addition or replacement of any subcontractor, it shall update its list of sub-processors, and Client shall have ten (10) business days to object to the appointment or replacement on reasonable and documented grounds related to the confidentiality or security of Personal Data or the subcontractor’s compliance with applicable EU/UK Privacy Laws (and if Client does not so object, Walker & Dunlop may proceed with the appointment or replacement);
- Walker & Dunlop shall engage subcontractors only pursuant to a written agreement that contains obligations on the subcontractor which are no less onerous on the relevant subcontractor than the obligations on Walker & Dunlop under this DPA; and
- in the event Walker & Dunlop engages a sub-processor to carry out specific processing activities on behalf of Client, where that subcontractor fails to fulfill its obligations, Walker & Dunlop shall remain fully liable to Client for the performance of that subcontractor’s obligations.
- ASSISTANCE
- To the extent required by applicable Data Privacy Laws, and taking into account the nature of the processing, Walker & Dunlop shall, in relation to the processing of Personal Data and to enable Client to comply with its obligations which arise as a result thereof, provide reasonable assistance to Client, through appropriate technical and organisational measures, in:
- responding to requests from individuals pursuant to their rights under applicable Data Privacy Laws, including by providing, deleting or correcting the relevant Personal Data, or by enabling Client to do the same, insofar as this is possible and does not fall under a permitted exception;
- implementing reasonable security procedures and practices appropriate to the nature of the Personal Data to protect the Personal Data from unauthorised or illegal access, destruction, use, modification, or disclosure;
- notifying relevant competent authorities and/or affected individuals of Personal Data breaches; and
- to the extent EU/UK Privacy Laws apply, conducting data protection impact assessments and, if required, prior consultation with relevant competent authorities.
- SECURITY
- To the extent EU/UK Privacy Laws apply, Walker & Dunlop shall, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of processing, implement appropriate technical and organisational measures designed to provide a level of security appropriate to the risk, as set out in Annex I, or otherwise agreed and documented between Client and Walker & Dunlop from time to time.
- To the extent EU/UK Privacy Laws apply, Walker & Dunlop shall (i) notify Client without undue delay in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data unless the incident is unlikely to result in a risk to the rights and freedoms of the individuals concerned (“Privacy / Security Incident"); and (ii) promptly take reasonable measures and actions to remedy or mitigate the effects of the Privacy / Security Incident and will keep Client informed of all material developments in relation to it.
- GENERAL
- Except as expressly set forth in this Addendum, the terms of the Agreement shall remain unmodified and in full force and effect. If there is a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail. If applicable law requires survival of any terms of this DPA, such terms will survive after expiration or termination of the Processing. This DPA is part of and governed by the terms and conditions of the Agreement.
- The parties agree to negotiate in good faith modifications to this DPA if changes are required for Walker & Dunlop to continue to process the Personal Data as contemplated by the Agreement or this DPA in compliance with applicable Data Privacy Laws, or to address the legal interpretation of the applicable Data Privacy Laws..
Annex I
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Annex II
LIST OF SUB-PROCESSORS
Walker & Dunlop may use the sub-processor(s) listed at here. For any questions about our use of sub-processors, please contact your client account manager. To subscribe to changes in Walker & Dunlop’s list of sub-processors, email consumercompliance@walkerdunlop.com.
ESG
We’re passionate about creating meaningful change–in commercial real estate, in our communities, and in the wider world.
DE&I
We believe that diversity, equity, and inclusion is a moral imperative and a critical success factor for our innovation and growth.