Data Processing Agreement
This DPA only applies to the extent that EU Data Protection Law (as defined below) applies to the Processing of Personal Data under this Agreement, including if (a) the Processing is in the context of the activities of an establishment of either party in the EEA or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.
- “Company Data” means data collected on behalf of Company’s publishers and shared with the Advertiser subject to the Agreement and for the purpose of providing the service, including, without limitation, IDs.
- “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
- “IDs” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, (iii) a resettable advertising ID associated with a mobile device or an application; or (iv) IP Address.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
RELATIONSHIP OF THE PARTIES
The parties agree and acknowledge that with respect to the Processing of Company Data, the Company is the Data Controller and the Advertiser is the Data Processor. Each party shall be individually and separately responsible for complying with the obligations that apply to it subject to the Data Protection Law. The subject-matter and duration of the Processing carried out by the Processor in connection with the Agreement, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A.
PROCESSING AND PROTECTION OF PERSONAL DATA
- Each party shall Process Personal Data in compliance with applicable Data Protection Law, industry standards and its obligations herein. Without derogating from the general or specific terms herein, the Advertiser hereby warrants and confirms it is compliant with EU Data Protection Law.
- In respect of the Processing of Personal Data by Advertiser in connection with the Agreement where EU Data Protection Law applies, the Advertiser is responsible for and shall comply with applicable Data Protection Law and agrees that it shall: (a) treat all Company Data processed by it on behalf of the Company as confidential and ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) cooperate as requested by the Company and implement appropriate technical and organizational measures to enable Company to comply with any exercise of rights by a Data Subject under applicable Data Protection Law in respect of Personal Data processed by Company under the Agreement (including, without limitation, deletion of a Data Subject’s Personal Data); (c) not access or transfer outside the EEA any Personal Data without the prior written consent of the Company; (d) provide the Company with reasonable resources and assistance as are required by the Company pursuant to Articles 32 to 36 of the GDPR; (e) by Company’s sole disclosure, delete all the Company Data following the completion of the Processing, and delete existing copies unless European Union or Member State law requires storage of such; (f) make available to the Company at its request all information necessary to demonstrate compliance with the obligations herein and under Article 28 of the GDPR, including, without limitation, provide the Company with a written description of the technical and organizational methods employed by Advertiser and its Sub-Processors (if any) for the Processing of Personal Data; and (g) immediately inform the Company if, in its opinion, an instruction from the Company infringes applicable Data Protection Law.
NOTIFICATION OF SECURITY INCIDENT
The Advertiser will notify the Company without undue delay, and, in any event within forty-eight (48) hours, upon becoming aware that an actual Security Incident has occurred. The Advertiser will, as soon as possible, provide the Company with at least the following information with respect to the Security Incident: (a) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the measures being taken to contain, investigate and remediate the Security Incident; (c) the likely consequences and risks for the Company and its Data Subjects as a result of the Security Incident; and (d) any mitigating actions taken and a proposed plan to mitigate any risks for Data Subjects as a result of the Security Incident. Further, the Advertiser shall (i) immediately and without delay, take necessary steps to contain, remediate, minimize any effects of the Security Incident and to identify its cause; (ii) co-operate with the Company and provide the Company with applicable assistance and information as it may reasonably require in connection with the mitigation of the Security Incident; and (iii) immediately notify the Company in writing of any request, inspection, audit or investigation by a Supervisory Authority.
TECHNICAL AND ORGANIZATIONAL MEASURES
The Company has implemented appropriate technical and organizational measures to protect the Personal Data as detailed herein: www.display.io/security. The Advertiser shall implement and maintain the technical and organizational measures and take all other measures required pursuant to Article 32 of the GDPR including all organizational and technical security measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Company Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and in any event, with respect to the Company Data the security measures implemented are at least as strict as the Company’s.
The Advertiser may engage with the Sub-Processors notified in writing to the Company prior to this DPA. In the event the Advertiser needs to engage an additional Sub-Processor or replace an existing Sub-Processor to process Personal Data, it shall notify the Company in writing of any intended use or replacement of a Sub-Processor (email notification to the DPO at: firstname.lastname@example.org shall be sufficient) within thirty (30) days of the engagement or replacement of the Sub-Processor concerned, unless the Company objects in writing to the proposed use or replacement of the relevant Sub-Processor within thirty (30) days of receipt of the email notification (in which case Advertiser shall not use or replace the Sub-Processor concerned in relation with the Company Data). The Advertiser shall (i) only use a Sub-Processor that has provided sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and this DPA and ensure the protection of the rights of Data Subjects; and (ii) impose, through a legally binding contract between Advertiser and Sub-Processor, the same data protection obligations as set out in this DPA. The Advertiser acknowledges and agrees that if any Sub-Processor fails to fulfil its obligations in the contract between the Advertiser and Sub-Processor, Advertiser shall remain fully liable to the Company for the performance of the Sub-Processor’s obligations.
Upon reasonable request of the Company, the Advertiser will submit its data processing facilities, data files and documentation as reasonably needed by the Company for the purpose of auditing or inspecting the Advertiser to ensure compliance with the warranties and undertakings under this DPA (“Audit”). The Audit will be conducted (i) by the Company or any independent or impartial inspection agents or auditors agreed between the parties; and (ii) by providing reasonable notice and during regular business hours. The request will be subject to the extent permitted under applicable law.
Each party (an ‘Indemnifying Party’) shall indemnify and save harmless the other party and its directors, officers, employees, representatives and agents (the ‘Indemnified Party’), against all demands, claims, actions, liabilities, losses, costs, damages or expenses whatsoever (including reasonable attorneys’ fees) asserted against, imposed upon or incurred by the Indemnified Party, to the extent and portion they result from or arise out of the Indemnifying Party’s actions or omissions in violation of applicable Data Protection Law or this DPA.
Each party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under this DPA and Agreement. Upon a party’s request, the other party will provide evidence that such insurance is in place.
DETAILS OF PROCESSING ACTIVITIES
Processing carried out for the purpose of providing the services as detailed in the Agreement and specifically for the purpose of placing advertisements within the digital assets of Company’s partners (i.e., publishers, suppliers, etc.).
Categories of Data
The Personal Data of the Data Subjects in the EEA that have installed a mobile application that contains the Company SDK in which the Advertiser will display advertisements.
Types of Personal Data
Special Categories of Data
Solely for the purpose of providing the services (i.e., bidding on ad placement or placing an ad) and shall be promptly deleted thereafter.