Data Processing Agreement
This Data Processing Agreement (“DPA”) only applies to the extent that EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the parties’ applicable agreement, including if (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”) or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA by or on behalf of a party.
Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party, which does not constitute or contain Personal Data. Capitalised terms not defined hereunder shall have the meaning ascribed to them in the Agreement to which this DPA is attached.
1.1. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law (GDPR), the California Consumer Protection Act (CCPA) and the US Children’s Online Privacy Protection Act (COPPA)) as may be amended or superseded from time to time.
1.2. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law.
1.3. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
1.4. “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a re-settable advertising ID associated with a mobile device or an application.
1.5. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
1.6. “Publisher Data” means any and all data shared between the parties that may include, inter alia, device information, IDs, events, and country level geo location data. The Publisher Data includes, without limitation, data deemed as Personal Data and IDs all as detailed in Schedule 1 attached herein.
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that in relation to all Publisher Data, as between the parties, Publisher is the Controller of Publisher Data, and that Company, in providing the Services, is acting as a Processor on behalf of Publisher (i.e., the Controller). The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1.
3. REPRESENTATIONS AND WARRANTIES
3.1. Publisher represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and Publisher acknowledges that, taking into account the nature of the Processing, Company is not in a position to determine whether Publisher’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data.
3.2. The Company represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR and Schedule 1 attached herein, on behalf of Publisher, solely for the purpose of providing the Services. Notwithstanding the above, in the event required under applicable laws, Company may Process Personal Data other than as instructed by Publisher; in such event, Company shall make best efforts to inform Publisher of such requirement unless prohibited under applicable law.
4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
4.1. Publisher represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of Company’s obligations under the Agreement, unless agreed in writing by Company and shared in accordance with applicable Data Protection Law.
4.2. Unless otherwise agreed to in writing by the parties, Publisher shall not share any Personal Data with Company that contains Personal Data relating to children under 16 years old.
4.4. As between the parties, Publisher acknowledges that the Company and the Data Subject do not have a direct relationship; further, for the purpose of profiling the Data Subject and displaying personalised ads, the Publisher shall obtain the Data Subject’s consent as its legal basis to Process Personal Data. In compliance with the above, Publisher shall, as feasible and as available, implement an industry-wide consent mechanism such as the mechanism being developed by the IAB, EDAA (“CMP”) in order to comply with the consent requirements. In the absence of a CMP, the Publisher acknowledges that the Advertiser will display solely non-personalized ads. In addition, when buying demand through any applicable Google platform (i.e., DoubleClick, AdMob, AdSense, etc.) the Publisher will support Google’s consent tool (“GCP”) and be able to provide applicable consent strings (i.e., npa=1/0). It is hereby clarified that if the Publisher’s CMP does not support the GCP, the Company will not be able to display any Google demand inventory.
5. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Company, where relevant, Company will direct the Data Subject or the applicable authority to Publisher in order to enable Publisher to respond directly to the Data Subject’s or applicable authority’s request. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law. Notwithstanding the above, the parties shall cooperate reasonably and in good faith in order to respond to any correspondence or request by the Commission or Supervisory Authorities in accordance with any requirements under Applicable Data Protection Law.
Publisher acknowledges that Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Publisher hereby authorises the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Company may continue to use those Sub-Processors already engaged by the Company and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies Publisher. Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
7. TECHNICAL AND ORGANISATIONAL MEASURES
The Company has implemented appropriate technical and organisational measures to protect the Personal Data as detailed herein: https://www.display.io/documentation/security-policy.
8. SECURITY INCIDENT
Company will notify Publisher upon becoming aware that an actual Security Incident involving Publisher Data in Company’s possession or control has occurred, as Company determines in its sole discretion. Company’s notification of or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Company of any fault or liability with respect to the Security Incident. Company will, in connection with any Security Incident affecting Publisher Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimise any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with Publisher and provide Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
9. AUDIT RIGHTS
9.1. Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Publisher Data (“Audit”) in accordance with the terms and conditions hereunder.
9.2. The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Company may object in writing to an auditor appointed by Publisher in the event Company reasonably believes the auditor is not suitably qualified or independent, a competitor of Company or otherwise manifestly unsuitable (“Objection Notice”). In the event of an Objection Notice, Publisher will appoint a different auditor or conduct the Audit itself.
9.3. Publisher shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
10. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
Processing carried out in connection with the provision of the Services. The duration shall be for the term of the partnership with an additional period of 60 days from the expiration of the partnership until deletion of Publisher Data by Display.io in accordance with the terms of this DPA.
The nature and purpose of the Processing of Personal Data
To provide the Services in accordance with the Agreement.
The types of Personal Data Processed
- User’s Identifiers (device advertising identifier)
- IP Address
- Device information (operating system type and version, device brand and model, carrier, hardware, internet type, user agent, hardware, size, language)
- Advertising parameters (user identifier, gender, age, keywords – only if Publisher actively shares such data).
The categories of Data Subject to whom the Personal Data relates
Users/Data Subject in the EEA that have used or interacted with Advertisement in the Platform.