Data Processing Addendum

The following Data Processing Addendum (“DPA”) applies to any Personal Data Processed under the Terms of Service. Last Modified: December 1, 2022.

Contents

1. Schedule A: Data Processing Addendum – Controller to Controller
2. ANNEX I to the SCCs
3. ANNEX I of the SCCs
4. ANNEX II to the SCCs

Schedule A: Data Processing Addendum – Controller to Controller

UPON EXECUTING AN ORDER FORM THAT REFERENCES THESE TERMS OF SERVICE, OR BY OTHERWISE ACCEPTING THESE TERMS OF SERVICE AND DATA PROCESSING ADDENDUM, PUBLISHER AGREES TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT AND DATA PROCESSING AGREEMENT, INCLUDING SIGNING THE STANDARD CONTRACTUAL CLAUSES AS APPLICABLE.

1. APPLICATION.

This Data Processing Addendum (“DPA”) applies to any Personal Data Processed under the Terms of Service.

2. DEFINITIONS AND INTERPRETATION.

Definitions from the Terms of Service apply in this DPA. Additionally, in this DPA:

“Controller” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the Party that determines the purpose and means of Processing Personal Data. 

“Data Protection Laws” means any applicable international, foreign, national, federal, state, or local statutes, ordinances, regulations, rules, executive orders, supervisory requirements, directives, circulars, opinions, judgments, interpretive letters, official releases, and other pronouncements having the effect of law relating to the collection, use, storage, disclosure, transfer, or other Processing of Personal Data, including, without limitation: (a) the General Data Protection Regulation (“GDPR”) (Regulation 2016/679); (b) the European Union (“EU”) e-Privacy Directive (Directive 2002/58/EC); (c) the United Kingdom (“UK”) Data Protection Act, 2018; the “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office (“ICO”) under the UK GDPR; (d) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) (“CCPA”); (e) the California Consumer Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.) (“CPRA”) (when in effect); (f) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); and (g) the Swiss Federal Act on Data Protection (“Swiss Data Laws”); and any other relevant privacy law, as amended from time to time and any successor legislation thereto and any regulations promulgated thereunder.

“Data Subject” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the visitor of a Publisher’s digital properties who will see Ad Impressions.

“Industry Guideline(s)” means, as applicable, any industry standards or guidelines to which the Party has agreed to be bound, including standards from the Interactive Advertising Bureau (“IAB”), the Network Advertising Initiative (“NAI”), and the Digital Advertising Alliance (“DAA”), or similar industry trade bodies, as amended or superseded from time to time.

“Member State” means a member state of the EU and/or the European Economic Area (“EEA”), as may be amended from time to time.

“Personal Data” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, any information that identifies or relates to an individual who can be identified directly or indirectly through the provision of the Services described in this Agreement. Personal Data includes “personal information” as defined under Data Protection Laws. “Sensitive Data” means: (a) any data considered to be special categories of Personal Data under the GDPR; (b) characteristics that are considered sensitive under the NAI Code; or (c) any such intrusive data that directly identifies a Data Subject.

“Process”, “Processing” or “Processed” means the meaning set forth in the relevant Data Protection Laws. 

“Security Breach” means: (a) any unauthorized use, modification, loss, compromise, destruction, or disclosure of Personal Data transmitted pursuant to the Processing under these Terms of Service. 

“Services” means the provision of services or other work products by Sharethrough as described and set out in the Terms of Service, and such other services as the Parties may agree upon in writing from time to time.

“Signal(s)” means the technical privacy signals developed by Industry Guideline bodies, including the NAI opt-out for tailored advertising, the IAB Transparency and Consent Framework, the IAB U.S. Privacy String, DAA Ad Choices, the Children's Online Privacy Protection Act (“COPPA”) flag, and any other signal(s) whether now known or hereafter created that transmit an action by a Data Subject with respect to their Personal Data Processing.

“Standard Contractual Clauses” or “SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries (Module One: controller-to-controller), as amended or superseded from time to time.

“Processor” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, a third-party engaged by a Party to assist with the provision of the Services which involves the Processing of Personal Data.

3. PURPOSE.

In performing its obligations under these Terms of Service, Publisher may disclose Personal Data to Sharethrough. Sharethrough shall process Personal Data provided by Publisher: (a) only for the purposes set forth in these Terms of Service or as otherwise agreed to in writing by the Parties, and provided such Processing strictly complies with: (i) Data Protection Laws and Industry Guidelines, and (ii) its obligations under these Terms of Service (the “Permitted Purposes”).

4. ROLES AND RESTRICTIONS ON PROCESSING. 

Each Party:

  • is an independent Controller of Personal Data under the relevant Data Protection Laws; 
  • acknowledges that no provision of these Terms of Service will be interpreted as a joint-controllership or co-controllership between the Parties;
  • shall individually determine the purpose(s) and mean(s) of its Processing of Personal Data;
  • shall comply with its obligations under both Industry Guidelines and Data Protection Laws;
  • shall action any Signal it receives in accordance with the Industry Guideline that such Signal adheres to;
  • shall not Process Sensitive Data;
  • shall only Process Personal Data when it has a lawful basis to do so under relevant Data Protection Laws, including collecting and transmitting consent as required by Data Protection Laws;
  • shall publish, in a public facing manner, all the notices required under Data Protection Laws and Industry Standards, including a privacy policy and cookie policy (as applicable) (“Privacy Policies”); and shall comply with the information posted on its Privacy Policies;
  • shall implement appropriate technical and organizational security measures to protect Data Subjects’ Personal Data that are at least equivalent to those required under Data Protection Laws, and also meet best industry standards;
  • shall ensure persons authorized to Process Personal Data receive appropriate training and commit themselves to confidentiality via contractual obligation;
  • shall provide the other Party with such assistance as may be reasonably required to demonstrate its compliance with Data Protection Laws, including, without limitation, in respect of security, breach notifications, privacy impact assessments, and consultations with supervisory authorities or other regulators, or other relevant obligations; and
  • shall promptly notify the other Party of any circumstances in which such Party is unable or becomes unable to comply with Data Protection Laws.

5. DATA SUBJECT RIGHTS

Each Party:

  • shall enable Data Subjects to exercise their rights under Data Protection Laws (such as providing access, deletion, and opt-out rights) and respond to such requests within the timeframe as determined by Data Protection Laws; and
  • shall: (i) inform the other Party (without undue delay) in the event that it receives a Data Subject request related to the other Party's respective Processing activities; and (ii) provide all reasonable assistance to ensure such Data Subject requests are completed within the timeframe set out in Data Protection Laws.

6. CHILDREN’S PERSONAL DATA 

In the event Publisher Processes the Personal Data of children (as defined by Data Protection Laws), Publisher shall either: (a) obtain all the necessary consents, including parental consents, prior to sharing such data downstream to Sharethrough; or (b) transmit the COPPA flag downstream to Sharethrough.

7. SECURITY BREACH. 

In the event of a Security Incident, each Party shall: (a) promptly notify the other Party; (b) liaise with the other Party in good faith to consider what action(s) are required to resolve the issue in accordance with the Data Protection Laws; and (c) provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.

8. ONWARD TRANSFERS.

For any onward transfers of Publisher Personal Data by Sharethrough to third parties, Sharethrough may transfer such Personal Data, provided it contractually requires the third party to: (a) comply with Data Protection Laws; and (b) only Process such Personal Data for the Permitted Purposes as set forth in these Terms of Service.

9. PROCESSORS  

The Parties agree that Sharethrough may engage Processors to provide its Services pursuant to these Terms of Service. Upon reasonable written request from Publisher (email to suffice), Sharethrough shall provide an up-to-date list of: (a) all Processors involved in the Processing of Publisher Personal Data; and (b) any reasonable information relevant to such Processing. Sharethrough is responsible for the acts of its Processors.

10. RESOLUTION OF DISPUTES 

If either Party is the subject of a claim by: (a) a Data Subject; (b) a supervisory authority; or (c) receives a notice or complaint from a supervisory authority relating to its respective processing activities under these Terms of Service (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. The Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the Claim in a timely manner. Neither Party is authorised to act or answer on behalf of the other Party.

11. CROSS-BORDER TRANSFERS OF PERSONAL DATA

Where Data Protection Laws require supplementary measures to protect the international transfer of Personal Data, each Party will ensure the transfer occurs in compliance with such supplementary measures. Such measures include the transfer of Personal Data from the EEA to a country that has an adequate level of protection, as confirmed by the European Commission. 

A. European Union transfers

As applicable, the SCCs are hereby incorporated by reference to this DPA and shall be considered an integral part thereof. The Parties’ signatures in this DPA shall be construed as the Parties’ signature to the SCCs. 

For the purposes of the SCCs, the following apply:

  • Sharethrough shall be the data importer and Publisher shall be the data exporter; 
  • Clause 7 (Docking clause) shall be excluded;
  • Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be excluded; 
  • Clause 17 (Governing law): the governing law shall be the law of Germany;
  • Clause 18 (b) (Choice of forum and jurisdiction): any dispute arising from the SCCs shall be resolved by the courts of Germany;
  • Any provision in the SCCs relating to liability of the Parties with respect to each other shall be subject to the limitations and exclusions of this DPA; and
  • Any provision in the SCCs relating to the right to audit shall be interpreted in accordance with Section 11 of the DPA and these Terms of Service.     

B. UK transfers

To the extent Personal Data of UK residents is transmitted by Publisher and is Processed by Sharethrough outside the UK (except if to an adequate country) in circumstances where such transfer would be prohibited by UK GDPR (e.g., in the absence of a legal transfer mechanism), the Parties agree that the UK Addendum, subject to the SCCs, shall apply. The UK Addendum is hereby incorporated into this DPA.

C. Swiss transfers

If the transfer of Personal Data pursuant to these Terms of Service and DPA involves citizens of Switzerland: (a) Data Subjects in Switzerland may enforce their rights in Switzerland under Clause 18c of the SCCs; (b) references to the GDPR will be construed as references to the Swiss Data Laws; (c) references to “supervisory authorities” will be construed as references to the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).

Annex I and Annex II of the SCCs apply to the UK and Swiss transfers as outlined in 11(b) and 11(c) above.

12. CONFLICTS.

In the event of any conflict or discrepancy between the SCCs, Data Protection Laws and these Terms of Service, the following order of precedence shall apply: (a) the SCCs (where applicable); (b) Data Protection Laws; and (c) these Terms of Service.

ANNEX I to the SCCs

LIST OF PARTIES.

Data importer(s):

Name: Sharethrough Inc.
Address: As noted on the Order Form
Contact person’s name, position, and contact details: The signatory on the Order Form
Activities relevant to the data transferred under these Clauses: The data will be transferred in accordance with the activities described in these Terms of Service.
Signature and date: The date the Order Form is signed. The signatory on the Order Form is the signatory to the SCCs.
Role (Controller/Processor): Controller

Data exporter(s):

Name: The signatory of the Order Form
Address: As noted on the Order Form
Contact person’s name, position, and contact details: The signatory on the Order Form
Activities relevant to the data transferred under these Clauses: The data will be transferred in accordance with the activities described in these Terms of Service.
Signature and date: The date the Order Form is signed. The signatory on the Order Form is the signatory to the SCCs.
Role (Controller/Processor): Controller

ANNEX I of the SCCs

DESCRIPTION OF TRANSFER.

Categories of data subjects whose personal data is transferred

Visitors of Publisher’s Digital Properties.

Categories of personal data transferred

The Personal Data transferred concerns the following categories of data: any data transmitted under Open RTB including: Sharethrough cookie identifiers, third party online identifiers, mobile device identifiers, browser and device information, IP addresses and geo location data as obtained from a Data Subject’s device pursuant to the Terms of Service.

Sensitive data transferred (if applicable)

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous basis in accordance with the Terms of Service.

Nature of the processing

For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service.

Purpose(s) of the data transfer and further processing

For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In accordance with each Party’s data retention policy, and only for the time period necessary to deliver each Party’s Services pursuant to the Terms of Service.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

ANNEX II to the SCCs

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA.

Please find below the measures undertaken by Sharethrough to protect Personal Data.

  • Pseudonymization
    The data processing under the Agreement does not require pseudonymization.
  • Encryption
    The personal data may be encrypted depending on the location of the personal data within the solution.
  • Confidentiality of the processing systems and of the services
    The following measures shall be implemented to address the confidentiality of the processing systems and of the Services:
  1. prevent unauthorized persons from gaining access to data processing systems with which Data Exporter data are processed or used,
  2. prevent data processing systems from being used without authorization,
  3. ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Data Exporter data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage,
  4. ensure that Data Exporter data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged,
  5. ensure that data collected for different purposes can be processed separately;
  6. install software updates as they are released and applicable.
  • Integrity of the processing systems and of the services
    The following measures shall be implemented to address the integrity of the processing systems and of the Services:
  1. ensure that it is possible to check and establish whether and by whom Data Exporter data have been input into data processing systems, modified or removed.
  2. protection by technical and organizational means regarding authorizations, protocols/logs including analyzing protocols, audits.
  • Availability of the processing systems and of the services
    The following measures shall be implemented to address the availability of the processing systems and of the Services:
  1. ensure that Data Exporter data are protected from accidental destruction or loss.
  2. ensure that, in the case of commissioned processing of Data Exporter data, the data is processed strictly in accordance with terms of the Service Agreement.
  • Resiliency of the processing systems and of the services
    The following measures shall be implemented to address the resiliency of the processing systems and of the Services:
  1. ensure that systems and services are designed in a way that they can handle punctual or constant high load of processing operations; this is especially related to storage, access and performance capacity.
  • Ability to restore the availability and access to the Data Exporter data in a timely manner in the event of a physical or technical incident

The measures implemented by Data Importer to address the ability to restore the availability and access to the Data Exporter data in a timely manner in the event of a physical or technical incident shall be dependent upon the obligations set forth in the Service Agreement.

  • Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

The following measures shall be implemented to address the regular testing, assessment and evaluation of the effectiveness of technical and organizational measures:

  • internal audit reviews 
  • review by the data protection officer