Data Processing Addendum | Awin

This Data Processing Addendum (“DPA”) forms a part of the affiliate marketing advertiser agreement (the “Agreement”) entered into by the Company and the Advertiser, in which this DPA is incorporated by reference.

 

 

1.  INTERPRETATION

1.1  In this DPA the following capitalised terms shall have the meanings set out below:

Advertiser Processing  

has the meaning set out in Clause 3.2. 

Applicable Laws 

all laws or regulations, regulatory policies, guidelines or industry codes which apply to Network Personal Data; 

Business Intelligence 

the processing of Network Personal Data under the Agreement for the purposes of understanding consumer use of or interactions with any websites, apps or services of the Advertiser, as determined by the Advertiser, by use of the Company technology (as applicable).

Cross Device Tracking 

the processing of Network Personal Data under the Agreement, relating to consumer journeys across websites on multiple devices, for the purposes of attributing the referral of that consumer to the websites, apps or services of the Advertiser by a third party publisher of advertising.  

Data Protection Law 

GDPR, national laws implementing or supplementing the GDPR (including the UK Data Protection Act 2018) and, to the extent applicable, the data protection or privacy laws of any other country; 

EEA 

the European Economic Area; 

GDPR 

the EU General Data Protection Regulation 2016/679; 

JC Processing  

has the meaning set out in Clause 3.1. 

Lead Generation 

the processing of Network Personal Data under the Agreement (and any related or ancillary agreements between the Parties and any third parties) for the purposes of generating a sales lead for the Advertiser, to be subsequently used in the Advertiser’s own marketing efforts.

Network Personal Data 

any Personal Data Processed by either Party in connection with the provision of the Services under the Agreement; 

Plugin Integration 

the processing of Network Personal Data under the Agreement (and any related or ancillary agreements between the Parties and any third parties) for the purposes of facilitating the integration of any websites, apps or services of the Advertiser with the technology of a third party adtech provider, by use of the Company technology (as applicable). 

Reporting 

the processing of Personal Data for the purposes of reporting on Tracking and Cross Device Tracking, and “Reports” shall be interpreted accordingly. 

Services 

the services provided by (or on behalf of) the Company to the Advertiser pursuant to the Agreement; 

Subprocessor 

any person (excluding an employee of either Party) appointed by or on behalf of either Party to Process Personal Data on behalf of such Party or otherwise in connection with the Agreement. 

Tracking 

the processing of Network Personal Data under the Agreement, relating to consumer journeys across websites on a single device, for the purposes of attributing the referral of that consumer to the websites, apps or services of the Advertiser by a third party publisher of advertising.  

Transaction Queries 

the processing of Network Personal Data under the Agreement, relating to consumer journeys across websites, undertaken at the request of a third party publisher of advertising, for the purposes of reassessing the attribution of any referrals of consumers to the websites, apps or services of the Advertiser by Tracking or Cross Device Tracking. 

1.2  The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Profiling” shall have the meanings given to them in GDPR.

2.  GENERAL 

2.1  This DPA constitutes both an arrangement between joint Controllers pursuant to Article 26 of the GDPR, and a contract between a Controller and a Processor pursuant to Article 28(3) of the GDPR, as set out below and as the context requires or permits. 

2.2  This DPA shall only apply to the extent that the Parties are Processing Network Personal Data.  

2.3  In the event of inconsistencies between the provisions of this DPA and the Agreement, this DPA shall take precedence, unless explicitly agreed otherwise in writing.  

3.  PROCESSING OF NETWORK PERSONAL DATA 

3.1  The Company and the Advertiser shall act as joint Controllers in respect of the Processing of Network Personal Data for the purposes of: 

3.1.1  Tracking 

3.1.2  Cross Device Tracking 

3.1.3  Reporting; and 

3.1.4  Transaction Queries 

together, “JC Processing”, and this DPA sets out the arrangements made between the Parties pursuant to Article 26 of the GDPR in respect of that Processing.

3.2  The Advertiser shall act as Controller, and the Company shall act as Processor, in respect of any Processing of Network Personal Data for the purposes of: 

3.2.1  capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation;   

3.2.2  Business Intelligence; and  

3.2.3  Plugin Integration 

together, “Advertiser Processing”, and this DPA sets out the agreement made between the Parties pursuant to Article 28 of the GDPR in respect of that Processing and any other Processing under which one Party acts as Controller and the other Party acts as Processor.

3.3  Processing of Network Personal Data for Lead Generation may be undertaken subject to further agreements between the Parties and third parties (as applicable). 

3.4  The Company and the Advertiser will each comply with their respective obligations under Data Protection Law. Each Party will provide the other Party any co-operation reasonably requested to enable the other Party’s compliance with this Clause 3. 

3.5  The Advertiser will not provide any Personal Data to the Company without the Company's prior written consent, unless anticipated by the Company in the Company's ordinary operation of its marketing network of publishers and advertisers to facilitate, amongst other things, affiliate and performance marketing.

4.  TERMS APPLICABLE TO JC PROCESSING 

4.1  This Clause 4 shall apply in respect of any JC Processing only. 

4.2  Both Parties jointly agree that, in respect of JC Processing, Article 6(1)(f) of the GDPR applies to the Processing of Network Personal Data and that the Processing of Network Personal Data is necessary for the purposes of the legitimate interest pursued by both Parties and/or by a third party. 

4.3  Transparency 

4.3.1  Advertiser must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being processed by or on behalf of the Advertiser, which shall at a minimum include all the information required by Articles 13, 14 and 26 of the GDPR, in a concise, transparent and easily accessible form, using clear and plain language (“Advertiser Fair Processing Notice”). 

4.3.2  The Company must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being Processed by or on behalf of the Company, which shall at a minimum include all the information required by Articles 13, 14 and 26 of the GDPR, in a concise, transparent and easily accessible form, using clear and plain language (“Company Fair Processing Notice”).

4.3.3  Advertiser must either: 

(A)  include a hyperlink to the current Company Fair Processing Notice in the Advertiser Fair Processing Notice; or 

(B)  ensure the Advertiser Fair Processing Notice contains sufficient information to enable the Company to Process Network Personal Data in accordance with Articles 13, 14 and 26 of the GDPR.

4.4  Data Subject Rights  

Each Party shall fulfil their obligations to respond to requests to exercise Data Subject rights under Data Protection Law. Unless otherwise agreed in writing between the Parties, the first recipient of any request by a Data Subject to exercise his or her rights under Data Protection Law shall be primarily responsible for its response. Each Party will provide the other Party any co-operation reasonably requested to enable the other Party’s compliance with this Clause 4.4.

4.5  Personnel 

4.5.1  Each Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Network Personal Data, ensuring in each case that access is: 

(A)  strictly limited to those individuals who need to know and/or access the relevant Network Personal Data; and 

(B)  as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws in the context of that individual's duties.  

4.5.2  Each Party shall ensure that all individuals referred to in Clause 4.5.1 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. 

4.6  Security And Confidentiality Of Data 

4.6.1  Each Party shall, in relation to the Network Personal Data, implement appropriate technical and organisational measures to ensure an appropriate level of security, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In doing so, each Party shall take into account:

(A)  the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing; and  

(B)  the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

4.6.2  In assessing the appropriate level of security, each Party shall in particular take account of the risks that are presented by Processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Network Personal Data transmitted, stored or otherwise Processed.  

4.7  Personal Data Breach  

4.7.1  Each Party shall:  

(A)  notify the other Party without undue delay upon becoming aware of a Personal Data Breach affecting Network Personal Data (“Network Data Breach”); and 

(B)  provide the other Party with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Network Data Breach under or in connection with Data Protection Law; and 

(C)  meaningfully consult with the other Party in respect of the external communications and public relations strategy related to the Network Data Breach; and 

(D)  subject to Applicable Law, not notify any data protection regulator of the Network Data Breach without having obtained prior written approval of the other Party; and   

(E)  not issue a press release or communicate with any member of the press in respect of the Network Data Breach, without having obtained prior written approval by the other Party.  

4.7.2  The notification set out in Clause 4.7.1(a) above shall, as a minimum:

(A)  describe the nature of the Network Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; and 

(B)  describe the likely consequences of the Network Data Breach; and 

(C)  describe the measures taken or proposed to be taken to address the Network Data Breach.  

4.7.3  The Advertiser shall co-operate with the Company and take such reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation and remediation of each Network Data Breach. 

4.8  Data Transfers  

Neither Party shall transfer Network Personal Data to countries outside of the EEA in breach of Data Protection Law. 

4.9  Profiling 

The Advertiser shall not use any Personal Data revealed by any Reports for the Profiling of consumers. 

4.10  Engagement of Processors 

With respect to a proposed Processor, each Party shall: 

4.10.1  before the Processor first Processes Network Personal Data, carry out adequate due diligence to ensure that the Processor is capable of providing the level of protection for Network Personal Data required by Data Protection Law; and 


4.10.2  ensure that the arrangement with such a Processor is governed by a written contract including terms that meet the requirements of Article 28(3) of the GDPR.
 

5. TERMS APPLICABLE TO ADVERTISER PROCESSING 

5.1  This Clause 5 shall apply in respect of any Advertiser Processing only (if applicable). 

5.2  The Company will:  

5.2.1  Process Personal Data for the purposes of Advertiser Processing only in accordance with the Advertiser’s instructions, including in respect of the deletion or return of Personal Data; and 

5.2.2  make available to the Advertiser requested information in respect of Personal Data, on at least 30 days' prior written notice and during normal business hours, necessary to demonstrate compliance with this Clause 5.2, including to allow for and contribute to reasonable audits, conducted by the Advertiser or the Advertiser’s designated auditor (such designated auditors being subject to the Company’s prior written approval); and

5.2.3  promptly notify the Advertiser if it receives any request from a Data Subject to exercise his or her rights under Data Protection Law, and provide the Advertiser any co-operation reasonably requested to enable the Advertiser to respond to such requests; and 

5.2.4  engage Subprocessors in a manner consistent with clause 4.10; and 

5.2.5  comply with clauses 4.5 - 4.8. 

5.3  The Advertiser hereby grants a general authorisation to the Company under Article 28(2) of the GDPR to engage Subprocessors.  The Company shall inform the Advertiser of any intended changes concerning the addition or replacement of Subprocessors. 

6.  FURTHER PROCESSING 

6.1  In relation to any other further Processing of Network Personal Data under the Agreement, to the extent not specified otherwise under this DPA, any Party acting as a Processor will: 

6.1.1  Process Network Personal Data for such purposes only in accordance with the Controller’s instructions, including in respect of the deletion or return of Personal Data;  

6.1.2  make available to the Controller requested information in respect of Network Personal Data, on at least 30 days' prior written notice and during normal business hours, necessary to demonstrate compliance with this Clause 6.1, including to allow for and contribute to reasonable audits, conducted by the Controller or the Controller’s designated auditor (such designated auditors being subject to the Company’s prior written approval);

6.1.3  promptly notify the Controller if it receives any request from a Data Subject to exercise his or her rights under Data Protection Law, and provide the Controller any co-operation reasonably requested to enable the Controller to respond to such requests;  

6.1.4  engage Subprocessors in a manner consistent with clause 4.10; 

6.1.5  comply with clauses 4.5 - 4.8. 

6.2  In the event of any conflict between this Clause 6 and any other agreement between the Parties in respect of the same Processing, such other agreement shall take precedence. 

7.  LIABILITY 

7.1  Each Party shall be solely liable for any costs, claims, losses, damages, expenses or fines arising from: 

7.1.1  its breach of Data Protection Law; and 

7.1.2  its breach of this DPA or the Agreement; and 

7.1.3  Processing of Personal Data in its possession; and 

7.1.4  events for which it is responsible; 

and accordingly there shall be no joint liability between the Parties in respect of such breaches. 

7.2  The Company shall not be liable for any breaches of Data Protection Law arising in respect of Processing by or in connection with any third party adtech provider whose technology may be integrated with any websites, apps or services of the Advertiser by use of the Company technology (as applicable from time to time).

7.3  Nothing in this DPA limits or excludes the liability of either Party for death, personal injury, fraud, fraudulent misrepresentation or fraudulent misstatement. 

8.  BREXIT 

In the event that the United Kingdom withdraws from the European Union on such terms that the transferring of Personal Data to the UK constitutes a transfer of Personal Data to a third country pursuant to Article 44 of the GDPR, in the absence of an adequacy decision pursuant to Article 45(3) the parties shall be deemed to have entered into standard contractual clauses issued by the European Commission, from time to time, for data transfers from Controllers established in the EEA to: 

8.1  Controllers established outside the EEA; and/or  

8.2  Processors established outside the EEA; 

immediately on written notice to the Advertiser (including by the posting of a notice on the Interface), on terms the Company thinks fit, provided that such terms shall satisfy the requirements of an appropriate safeguard pursuant to Article 46 of the GDPR. 

9.  CHANGES TO THIS DPA 

The Company may on at least 7 days' written notice to the Advertiser (including by the posting of a notice on the Interface) make binding variations to this DPA, which the Company reasonably considers to be necessary to address the requirements of Data Protection Law. 

10.  SEVERANCE

10.1  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be:

10.1.1  amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible; or, if this is not possible,

10.1.2  construed in a manner as if the invalid or unenforceable part had never been contained in the DPA.

11.  RIGHTS OF THIRD PARTIES

Third parties shall not be entitled to enforce any of the terms of this DPA.

12.  GOVERNING LAW AND JURISDICTION

The governing law and jurisdiction of this DPA shall be the same as that of the Principal Agreement.