Data Processing Addendum

 

1. INTERPRETATION

1.1. In this DPA the following capitalised terms shall have the meanings set out below:

Advertiser Processing	has the meaning set out in Clause 3.2.
Advertiser Website	the websites, apps or online services of the Advertiser.
Applicable Laws	all laws or regulations, regulatory policies, guidelines or industry codes which apply to Network Personal Data (including without limitation Data Protection Laws).
Business Intelligence	the Processing of Network Personal Data under the Agreement for the purposes of enabling the Advertiser to better understand a consumer’s online journey and the use and audience of the Advertiser Website, as determined by the Advertiser by use of the Company’s technology.
Cross Device Tracking	the Processing of Network Personal Data under the Agreement for the purposes of understanding a consumer’s online journey from the Publisher Website to the Advertiser Website, made after viewing or clicking an advertisement, when this journey is commenced on one device, but a Transaction is completed on another device.
Data Protection Law	any data protection, privacy or similar laws that apply to data Processed in connection with the Agreement, including the GDPR, the UK GDPR, the UK Data Protection Act 2018, ePrivacy and any amendments to these laws or replacements of these laws.
EEA	the European Economic Area.
ePrivacy	the Privacy and Electronic Communications Directive 2002/58 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (including any replacing or superseding legislation).
GDPR	the EU General Data Protection Regulation 2016/679.
JC Processing	has the meaning set out in Clause 3.1.
Lead Generation	the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of generating a sales lead for the Advertiser, to be subsequently used in the Advertiser’s own marketing efforts.
MasterTag	the Company’s JavaScript code, which may be integrated into the Advertiser Website for the purposes of the Advertiser receiving certain Services and/or enabling Plugin Integration.
Network Personal Data	any Personal Data Processed by either Party in connection with the provision of the Services under the Agreement.
Plugin	the technology of a Plugin Operator, which integrates with the Advertiser Website through the MasterTag, and which is used to enable the delivery of the services of the Plugin Operator.
Plugin Integration	the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of facilitating the integration of the Advertiser Website with the Plugin, by use of the Company technology, such as the MasterTag.
Plugin Operator	a third party adtech provider.
Publisher	the operator of a website, application or service that markets advertisers or their products as an affiliate.
Publisher Website	the websites, apps, emails or online services of a Publisher, or third party services used by a Publisher.
Referral	the referral of a consumer from a Publisher Website to the Advertiser Website.
Reporting	the Processing of Personal Data for the purposes of reporting on the Advertiser’s use of the Services and related performance, as enabled by the Interface, and “Reports” shall be interpreted accordingly.
SCCs Addendum	https://www.awin.com/gb/legal/dpa-scc.
Services	the services provided by (or on behalf of) the Company to the Advertiser pursuant to the Agreement.
Subprocessor	any person (excluding an employee of either Party) appointed by or on behalf of either Party to Process Personal Data on behalf of such Party or otherwise in connection with the Agreement.
Tracking	the Processing of Network Personal Data under the Agreement, relating to consumer journeys across websites/online services on a single device, for the purposes of attributing the Referral of that consumer to the Advertiser Website by a Publisher or Publishers including to (i) understand a consumer’s online journey to a Publisher Website and from a Publisher Website to the Advertiser Website, made after viewing or clicking an advertisement; (ii) match the arrival of a consumer at the Advertiser Website to an online journey from a Publisher Website; and (iii) be informed when a Transaction has been completed, receive basic information about the nature of that Transaction, and attribute that Transaction to the respective Referral.
Transaction	either: (i) a purchase by a consumer of a product from the Advertiser; or (ii) the provision of information by a consumer to the Advertiser, for the purposes of generating a sales lead for the Advertiser, to be used in the Advertiser’s subsequent marketing efforts.
Transaction Queries	the Processing of Network Personal Data under the Agreement, in relation to the submission of requests from a Publisher to an Advertiser for the payment of commission in respect of a Transaction which was not tracked by the Company, or which was not validated by the Advertiser.
UK GDPR	the retained UK law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

1.2. The terms, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Profiling” shall have the meanings given to them in the GDPR.

1.3. References in this DPA to Articles or terms of the GDPR shall mean those Articles or terms, and/or any corresponding Articles or terms of the UK GDPR, where the UK GDPR is applicable to the processing activities carried out under this Agreement.

2. GENERAL

2.1. This DPA constitutes both an arrangement between joint Controllers pursuant to Article 26 of the GDPR, and a contract between a Controller and a Processor pursuant to Article 28(3) of the GDPR, as set out below and as the context requires or permits.

2.2. This DPA shall only apply to the extent that the Parties are Processing Network Personal Data.

2.3. In the event of inconsistencies between the provisions of this DPA and the Agreement, this DPA shall take precedence, unless explicitly agreed otherwise in writing.

3. PROCESSING OF NETWORK PERSONAL DATA

3.1. The Company and the Advertiser shall act as joint Controllers in respect of the Processing of Network Personal Data for the purposes of:

3.1.1. Tracking

3.1.2. Cross Device Tracking; and

3.1.3. Reporting

together, “JC Processing", this DPA sets out the arrangements made between the Parties pursuant to Article 26 of the GDPR in respect of that Processing, and the subject-matter, duration of the processing, the nature and purpose, the type of personal data and categories of data subjects, in relation to JC Processing, are set out below in Schedule 1.

3.2. The Advertiser shall act as Controller, and the Company shall act as Processor, in respect of any Processing of Network Personal Data for the purposes of:

3.2.1. capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation;

3.2.2. Business Intelligence;

3.2.3. Plugin Integration; and

3.2.4. Transaction Queries

together, “Advertiser Processing", this DPA sets out the agreement made between the Parties pursuant to Article 28 of the GDPR in respect of that Processing and any other Processing under which one Party acts as Controller and the other Party acts as Processor, and the subject-matter, duration of the processing, the nature and purpose, the type of personal data and categories of data subjects, in relation to Advertiser Processing, are set out below in Schedule 1.

3.3. The Company and the Advertiser will each comply with their respective obligations under Data Protection Law. Each Party will provide the other Party any co-operation reasonably requested to enable the other Party’s compliance with this Clause 3.

3.4. The Advertiser will not provide any Personal Data to the Company without the Company's prior written consent, unless anticipated by the Company in the Company's ordinary operation of its marketing network of Publishers and advertisers to facilitate, amongst other things, affiliate and performance marketing.

4. TERMS APPLICABLE TO JC PROCESSING

4.1. This Clause 4 shall apply in respect of any JC Processing only.

4.2. Both Parties jointly agree that, in respect of JC Processing, Article 6(1)(f) of the GDPR applies to the Processing of Network Personal Data and that the Processing of Network Personal Data is necessary for the purposes of the legitimate interest pursued by both Parties and/or by a third party.

4.3. Transparency

4.3.1. Advertiser must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being Processed by or on behalf of the Advertiser, which shall at a minimum include all the information required by Articles 13, 14 and 26 of the GDPR, in a concise, transparent and easily accessible form, using clear and plain language, and specify an appropriate contact point which Data Subjects can use if they have any questions regarding the Advertiser’s compliance with Data Protection Laws or wish to exercise their rights under Data Protection Laws (“Advertiser Privacy Policy”).

4.3.2. The Company must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being Processed by or on behalf of the Company, which shall at a minimum include all the information required by Articles 13, 14 and 26 of the GDPR, in a concise, transparent and easily accessible form, using clear and plain language, and specify an appropriate contact point which Data Subjects can use if they have any questions regarding the Company’s compliance with Data Protection Laws or wish to exercise their rights under Data Protection Laws (“Company Privacy Policy”).

4.3.3. Advertiser must either:

(a) include a hyperlink to the current Company Privacy Policy in the Advertiser Privacy Policy; or

(b) ensure the Advertiser Privacy Policy contains sufficient information to enable the Company to Process Network Personal Data in accordance with Articles 13, 14 and 26 of the GDPR.

4.4. Data Subject Rights

Each Party shall fulfil their obligations to respond to requests to exercise Data Subject rights under Data Protection Law. Unless otherwise agreed in writing between the Parties, the first recipient of any request by a Data Subject to exercise their rights under Data Protection Law shall be primarily responsible for its response. Each Party will provide the other Party any co-operation and information reasonably requested to enable the other Party’s compliance with this Clause 4.4.

4.5. Personnel

4.5.1. Each Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Network Personal Data, ensuring in each case that access is:

(a) strictly limited to those individuals who need to know and/or access the relevant Network Personal Data; and

(b) as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws in the context of that individual's duties.

4.5.2. Each Party shall ensure that all individuals referred to in Clause 4.5.1 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.6. Security and Confidentiality of Data

4.6.1. Each Party shall in relation to the Network Personal Data, implement appropriate technical and organisational measures to ensure an appropriate level of security, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In doing so, each Party shall take into account:

(a) the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing; and

(b) the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.6.2. In assessing the appropriate level of security, each Party shall in particular take account of the risks that are presented by Processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Network Personal Data transmitted, stored or otherwise Processed.

4.7. Personal Data Breach

4.7.1. Each Party shall:

(a) notify the other Party without undue delay upon becoming aware of a Personal Data Breach affecting Network Personal Data (“Network Data Breach”);

(b) provide the other Party with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Network Data Breach under or in connection with Data Protection Law;

(c) meaningfully consult with the other Party in respect of the external communications and public relations strategy related to the Network Data Breach;

(d) subject to Applicable Law, not notify any data protection regulator of the Network Data Breach without having notified the other Party; and

(e) not issue a press release or communicate with any member of the press in respect of the Network Data Breach, without having obtained prior written approval by the other Party.

4.7.2. The notification set out in Clause 4.7.1(a) above, shall as a minimum:

(a) describe the nature of the Network Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; and

(b) describe the likely consequences of the Network Data Breach; and

(c) describe the measures taken or proposed to be taken to address the Network Data Breach.

4.7.3. The Advertiser shall co-operate with the Company and take such reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation and remediation of each Network Data Breach.

4.8. Data Transfers

4.8.1. Each Party shall only transfer Network Personal Data to countries outside of the EEA where this is in compliance with Data Protection Law.

4.8.2. Where, as part of providing the Services,

(a) the Company transfers Network Personal Data to the Advertiser; and

(b) the Advertiser or any of the Advertiser’s offices or operations are based outside of the European Economic Area,

such transfer of Network Personal Data shall be subject to the SCCs Addendum.

4.8.3. Where the transfer of Network Personal Data under Clause 4.8.2 is undertaken for Advertiser Processing, the Advertiser hereby instructs the Company to transfer personal data outside of the European Economic Area.

4.9. Profiling

The Advertiser shall not use any Personal Data revealed by any Reports for the Profiling of consumers.

4.10. Engagement of Processors

With respect to a proposed Processor that a Party wishes to engage, such Party shall:

4.10.1. before the Processor first Processes Network Personal Data, carry out adequate due diligence to ensure that the Processor is capable of providing the level of protection for Network Personal Data required by Data Protection Law; and

4.10.2. ensure that the arrangement with such a Processor is governed by a written contract including terms meet the requirements of Article 28(3) of the GDPR.

5. TERMS APPLICABLE TO ADVERTISING PROCESSING

5.1. This Clause 5 shall apply in respect of any Advertiser Processing only (if applicable).

5.2. The Company will:

5.2.1. Process Personal Data for the purposes of Advertiser Processing only in accordance with the Advertiser’s instructions, including in respect of the deletion or return of Personal Data;

5.2.2. allow for and contribute to one reasonable written audit per calendar year on at least 30 days prior written notice by the Advertiser and during normal business hours, to the extent necessary to demonstrate compliance with this Clause 5.2 provided that any costs incurred by either Party in relation to any written audits are borne by the Advertiser;

5.2.3. engage Subprocessors in a manner consistent with Clause 4.10 and, in addition ensure that the contract between the Subprocessor and the Company includes terms which offer at least the same level of protection for Network Personal Data as those set out in this DPA in respect of Advertiser Processing; and

5.2.4. comply with Clauses 4.5 - 4.8.

5.3. The Advertiser hereby grants a general authorisation to the Company under Article 28(2) of the GDPR to engage Subprocessors. The Company shall inform the Advertiser of any intended changes concerning the addition or replacement of Subprocessors. The Advertiser may reasonably object in writing to such an intended change within 14 days of the notification thereof by the Company. Following an objection by the Advertiser, Company may within 30 days of receipt of the objection either:

5.3.1. notify the Advertiser that the intended change shall not be implemented in relation to the Agreement; or

5.3.2. cease the relevant Advertiser Processing immediately on written notice to the Advertiser.

6. OTHER PROCESSING

6.1. In relation to any other Processing of Network Personal Data under the Agreement, to the extent not specified otherwise under this DPA, any Party acting as a Processor will:

6.1.1. process Network Personal Data for such purposes only in accordance with the Controller’s instructions, including in respect of the deletion or return of Personal Data;

6.1.2. make available to the Controller requested information in respect of Network Personal Data, on at least 30 days prior written notice and during normal business hours, necessary to demonstrate compliance with this Clause 6.1, including to allow for and contribute to reasonable audits, conducted by the Controller or the Controller’s designated auditor (such designated auditors being subject to the Company’s prior written approval);

6.1.3. engage Subprocessors in a manner consistent with Clause 4.10 and, in addition ensure that the contract between the Subprocessor and the party acting as a Processor includes terms which offer at least the same level of protection for Network Personal Data as those set out in this Clause 6.1;

6.1.4. comply with Clauses 4.5 - 4.8.

6.2. In the event of any conflict between this Clause 6 and any other agreement between the Parties in respect of the same Processing, such other agreement shall take precedence.

7. LIABILITY

7.1. Each Party shall be solely liable for any costs, claims, losses, damages, expenses or fines arising from:

7.1.1. its breach of Data Protection Law;

7.1.2. its breach of this DPA or the Agreement;

7.1.3. Processing of Personal Data in its possession; and

7.1.4. events for which it is responsible;

and accordingly there shall be no joint liability between the Parties in respect of such breaches.

7.2. The Company shall not be liable for any for breaches of Data Protection Law arising in respect of Processing by or in connection with any third party adtech provider whose technology may be integrated with the Advertiser Website by use of the Company’s technology (as applicable from time to time).

7.3. In addition to the limitations outlined in this Clause 7, each Party’s liability under this DPA shall be limited in a manner consistent with any limitations of liability set out in the Agreement.

8. CONSENT VERIFICATION

8.1. The Advertiser will, on behalf of the Company, to comply with ePrivacy consent requirements, obtain the prior, freely-given, specific, informed, unambiguous and revocable consent of users of Advertiser Website(s) to cookies or other tracking technologies of the Company served under the Agreement.

8.2. The Company may request information (including consent records/logs) from the Advertiser to objectively verify whether the Advertiser has complied with Clause 8.1, and the Advertiser shall promptly (and no later than 14 days following the Company’s written request) make such information available to the Company.

9. CHANGES TO THIS DPA

The Company may on at least 7 days' written notice to the Advertiser (including by the posting of a notice on the Interface) make binding variations to this DPA, which the Company reasonably considers to be necessary to address the requirements of Data Protection Law.

10. SEVERANCE

10.1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be:

10.1.1. amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;

10.1.2. construed in a manner as if the invalid or unenforceable part had never been contained in the DPA.

11. RIGHTS OF THIRD PARTIES

Third parties shall not be entitled to enforce any of the terms of this DPA.

12. GOVERNING LAW AND JURISDICTION

The governing law and jurisdiction of this DPA shall be the same as that of the Agreement.

 

SCHEDULE 1

The subject-matter, duration of the processing, the nature and purpose, the type of personal data and categories of data subjects of the Advertiser Processing and JC Processing is set out below.

For both the Advertiser Processing and JC Processing, the duration of the processing shall be the term of the Agreement, unless otherwise agreed in writing, and the obligations and rights of the relevant controllers are as set out in this DPA.

1. JC PROCESSING

Subject-matter, nature and purpose of processing	Categories of data subject	Type of personal data
Tracking	Current or prospective consumers (as determined by the Advertiser)	Information relating to cookies, information relating to consumers’ IP addresses, information relating to consumer transactions (including consumers’ engagement with advertisers and publishers), device identifiers and device attributes.
Cross Device Tracking	Current or prospective consumers (as determined by the Advertiser)
Reporting	Current or prospective consumers (as determined by the Advertiser)

2. ADVERTISER PROCESSING

Subject-matter, nature and purpose of processing	Categories of data subject	Type of personal data
Capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation	Current or prospective consumers (as determined by the Advertiser)	As determined by the Advertiser
Business Intelligence	Current or prospective consumers (as determined by the Advertiser)	As determined by the Advertiser
Plugin Integration	Current or prospective consumers (as determined by the Advertiser)	As determined by the Advertiser
Transaction Queries	Current or prospective consumers (as determined by the Advertiser)	As determined by the Advertiser