Data Processing Agreement
Effective Date: February 16, 2020
[Last Version as of September 5, 2019, is available here]
This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of the agreement between Display.io Ltd. and its subsidiaries or affiliates ("Company" or "we"), and you, a business partner that is a party to the Agreement ("you"), (the "Agreement").
The DPA applies to the extent that (1) the EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the parties’ applicable agreement, including if (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area ("EEA") or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party; and/or (2) the parties to the agreement operate in or with respect to residents of specific Special Jurisdictions as stated in Schedule 2.
Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party, which does not constitute or contain Personal Data.
Capitalized terms not defined hereunder shall have the meaning ascribed to them in the IO to which this DPA is attached.
- “Data Protection Law” means any and all privacy and data protection laws and regulations applicable to a party’s processing activities of Data Subject’s Personal Data (including, where applicable, EU Data Protection Law (GDPR) and other non-EU data protection laws as detailed in Schedule 2 and including, without limitation, the California Consumer Protection Act (CCPA)), as may be updated from time to time.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), "Personal Data Breach" and "Special Categories of Personal Data" shall all have the meanings given to them in EU Data Protection Law.
- "EU Data Protection Law" means the (i) EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
- “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
- "Company Data" means any and all data shared between the parties that may include, inter alia, device information, IDs, events, and end user geo location data.
- "Advertiser Data" means any Personal Data owned by Advertiser and used together with Company Data for the purpose of profiling and targeting end users.
2. RELATIONSHIP OF THE PARTIES
- The parties acknowledge that in relation to Advertiser Data and Company Data, as between the parties, Advertiser is the Controller and that Display.io is acting as a Processor on behalf of Advertiser. The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1.
3. REPRESENTATIONS AND WARRANTIES
- Advertiser represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and Advertiser acknowledges that, taking into account the nature of the Processing, Display.io is not in a position to determine whether Advertiser’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data.
- Display.io represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR and Schedule 1 attached herein, on behalf of Advertiser, solely for the purpose of providing the Services. Notwithstanding the above, in the event required under applicable laws, Display.io may Process Personal Data other than as instructed by Advertiser; in such event, Display.io shall make best efforts to inform Advertiser of such requirement unless prohibited under applicable law.
4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
- As between the parties, Advertiser acknowledges that Display.io and the Data Subject do not have a direct relationship. Further, for profiling purposes and displaying personalized ads, the Advertiser shall obtain the Data Subject’s consent as its legal basis to Process Personal Data. In compliance with the above, Advertiser shall, as feasible and as available, implement an industry-wide consent mechanism such as the mechanism being developed by the IAB, EDAA (“CMP”) in order to comply with the consent requirements. In the absence of a CMP, the Advertiser acknowledges that the Advertiser will display solely non-personalized ads. In addition, when buying demand through any applicable Google platform (i.e., DoubleClick, AdMob, AdSense, etc.) the Advertiser will support Google’s consent tool (“GCP”) and be able to provide applicable consent strings (e.g., npa=1/0). It is hereby clarified that if the Advertiser’s CMP does not support the GCP, Display.io will not be able to display any Google demand inventory.
- Without derogating the foregoing, it is hereby clarified that Display.io may process certain non-Personal Data relating to end users such as: country, ad unit and category, in connection with the provision of the Services and Advertisement, and such non-Personal Data may be transferred from Display.io to Advertiser as instructed by Advertiser or as required for the provisions of the Services. In case such non-Personal Data is combined with Personal Data, then such information shall be treated as Personal Data in accordance with this DPA.
5. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where Display.io receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Display.io, where relevant, Display.io will direct the Data Subject or the applicable authority to Advertiser in order to enable Advertiser to respond directly to the Data Subject’s or applicable authority’s request. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law. Notwithstanding the above, the parties shall cooperate reasonably and in good faith in order to respond to any correspondence or request by the Commission or Supervisory Authorities in accordance with any requirements under Applicable Data Protection Law.
Advertiser acknowledges that Display.io may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Advertiser hereby authorizes Display.io to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Display.io may continue to use those Sub-Processors already engaged by Display.io, and Display.io may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies Advertiser. Display.io shall, where it engages any Sub-Processor, impose, through a legally binding contract between Display.io and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
7. TECHNICAL AND ORGANIZATIONAL MEASURES
Display.io has implemented appropriate technical and organizational measures to protect the Personal Data as detailed herein: https://display.io/en/security.
8. SECURITY INCIDENT
Display.io will notify Advertiser upon becoming aware that an actual Security Incident involving Advertiser Data in Display.io’s possession or control has occurred, as Display.io determines in its sole discretion. Display.io’s notification of or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Display.io of any fault or liability with respect to the Security Incident. Display.io will, in connection with any Security Incident affecting Advertiser Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with Advertiser and provide Advertiser with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify Advertiser in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
9. AUDIT RIGHTS
- Display.io shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by Advertiser, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Advertiser Data (“Audit”) in accordance with the terms and conditions hereunder.
- The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Display.io may object in writing to an auditor appointed by Advertiser in the event Display.io reasonably believes the auditor is not suitably qualified or independent, a competitor of Display.io or otherwise manifestly unsuitable (“Objection Notice”). In the event of Objection Notice, Advertiser will appoint a different auditor or conduct the Audit itself.
- Advertiser shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Display.io’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Display.io immediately.
10. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
11. CONFLICT AND SPECIFIC JURISDICTION(S)
11.2. To the extent that Display.io Processes Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Schedule B, then the terms specified in Schedule 2 with respect to the applicable jurisdiction(s) (“Specific Terms”) apply in addition to the terms of this DPA, with the required adjustments. In the event of any conflict or ambiguity between the Specific Terms and any other terms of this DPA, the applicable Specific Terms will take precedence only to the extent of their applicability to Display.io.
Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
Processing carried out in connection with the provision of the Services. The duration shall be for the term of the partnership with an additional period of 60 days from the expiration of the partnership until deletion of Advertiser Data by Display.io in accordance with the terms of this DPA.
The nature and purpose of the Processing of Personal Data
To provide the Services in accordance with the Agreement
The types of Personal Data Processed
- User’s Identifiers (device advertising identifier)
- IP Address
- Device information (Operating system type and version, device model)
- Advertising parameters such as: gender, keywords.
The categories of Data Subject to whom the Personal Data relates
Users/Data Subject in the EEA that have used or interacted with Advertisement in the Platform.
Schedule 2 - Specific Jurisdictions
The following additional terms shall apply with respect to end users which are California residents:
- For the purpose of this California section of Schedule 2, the definitions of: "Controller" includes "Business"; "Processor" includes "Service Provider"; "Sub-Processor" includes "Sub-Provider"; "Data Subject" includes "Consumer"; "Personal Data" includes "Personal Information"; "Purpose" includes "Business Purpose"; in each case as defined under CCPA.
- This “California” section of Schedule 2 only, incorporates by reference the terms and conditions of the IAB Limited Service Provider Agreement (LSPA), available at: https://www.iabprivacy.com/lspa-2019-12.pdf as may be updated and published by IAB from time to time.
- For the avoidance of any doubt, for this purpose, and in cases of a Consumer opt-out of data sale, Display.io Services include the Permitted Digital Advertising Activities listed under Schedule B of the LSPA, and includes, without limitation, advertising and marketing tools and services, respective analytics, insights and anti-fraud validations. This includes, without limitation, campaign management, advertisements, placement optimization and viewability.
- For this “California” section of Schedule 2 only, "Permitted Purposes" shall include processing Customer Personal Information only for the purposes described in this DPA and in accordance with the applicable Controller’s documented lawful instructions as (a) set forth in this DPA, and (b) as necessary to comply with applicable law, (c) as otherwise agreed in writing, or (d) as otherwise may be permitted for "Service Providers" as defined under the CCPA and specified under the LSPA.
- Notwithstanding any use restriction contained elsewhere in this DPA, Display.io shall process Personal Information only to perform the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. Display.io may de-identify or aggregate Consumer Personal Information as part of performing the Services specified in this DPA and the Agreement.