Exchange DPA
Exchange Data Privacy Addendum
This Exchange Data Privacy Addendum, including the Standard Contractual Clauses (“Addendum”) forms part of the Exchange Insertion Order which incorporates it by reference (“IO”) in place between the Liftoff Mobile group entity set out in the IO (“Liftoff”) and the company identified as the “Demand Partner” in the IO. The terms of the Addendum shall only apply to the extent a Party processes Personal Data protected by Data Protection Laws under or in connection with the IO which incorporates these Addendum terms by reference. Capitalized terms used in this Addendum shall have the same meaning given to them in the main body of the IO unless otherwise defined in this Addendum.
Introduction
A. Liftoff is a provider of a supply-side platform, a technology platform, which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
B. Liftoff and Demand Partner have entered into an IO, under which Demand Partner may purchase digital advertising inventory via Liftoff’s supply side services (the “Demand Services”).
C. Liftoff (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of Liftoff’s obligations under the IO, which the Demand Partner may use independently as a separate controller.
D. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the IO, they both comply with Applicable Privacy Law.
1. Definitions:
“Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (a) EU Regulation 2016/679 (“GDPR”); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA”); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in the USA, (g) Children’s Online Privacy Protection Act; (h) California Consumer Privacy Act; and (i) California Privacy Rights Act, in each case, as updated, amended or replaced from time to time; and the terms “data subject”, “processing”, “personal data breach”, “Commissioner”, “processor” and “controller” referred to in this Addendum shall have the meanings set out in the UK GDPR;
“EEA Standard Contractual Clauses” means the Module One standard Controller to Controller contractual clauses for the transfer of EEA Personal Data to Controllers established in Third Countries set out in the European Commission Decision 2021/914 dated 4 June 2021 (and for these purposes, the provision relating to Modules 2, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time;
“EEA” means the European Economic Area;
“Enquiry” means any request, complaint, investigation, notice or communication from a data subject or a governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws;
“Ex-EEA Transfer” means a transfer of Personal Data subject to GDPR by a Party, to a Party (or its premises) in a Restricted Country;
“Ex-UK Transfer” means a transfer of Personal Data subject to UK GDPR by a Party, to a Party (or its premises) in a Restricted Country;
“Parties” means the Demand Partner and Liftoff;
“Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined in Data Protection Laws;
“Restricted Country” means (a) any country outside the UK or EEA which is not deemed adequate by (for Personal Data subject to GDPR) the European Commission pursuant to article 45 of GDPR or by (for Personal Data subject to UK GDPR) the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA;
“UK” means the United Kingdom; and
“UK Addendum” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO”) from time to time (including as formally issued by the ICO under section 119A(1) DPA).
2. Relationship between the Parties and Controller-Controller terms
2.1. The Parties acknowledge and agree that for the purposes of Data Protection Laws, each Party is an independent controller with respect to their processing of Personal Data. Each Party will determine their legal basis for processing Personal Data independently.
2.2. Liftoff acknowledges and agrees that in connection with the Demand Services, Demand Partner may collect or otherwise receive data (including Personal Data) relating to end users, including unique device identifiers, log information, as well as usage data (such as performance data), including information about ads viewed or clicked, post-install data, geo-location of an end user’s device and streaming data (collectively “Ad Data”).
2.3. Liftoff grants Demand Partner a revocable, worldwide, non-sublicenseable right and license to use, copy, modify, distribute and otherwise process Ad Data, only for the purposes of:
2.3.1. receiving the Demand Services;
2.3.2. to undertake statistical analysis for their own internal business purposes only (for example; to help determine the amount to bid on the inventory made available via the Demand Services);
2.3.3. disclosing Ad Data to third parties: (i) if required by any court order, process, law or governmental agency; and/or (ii) generally when it is aggregated, such that the specific information relating to Liftoff or any underlying end user is not directly identifiable (“Permitted Purposes”).
2.4. Each Party must at all times:
2.4.1. process Personal Data in accordance with Data Protection Laws; and
2.4.2. not cause or permit anything to be done which may result in a breach by the other Party of Data Protection Laws.
2.5. Nothing in the IO (including this Addendum) shall limit or prevent Liftoff from collecting or using data that Liftoff would otherwise collect and process independently of Demand Partner’s use of the advertising services.
2.6. Each Party is responsible for responding to any Enquiries independently of the other Party.
2.7. If either Party receives an Enquiry which relates to the other Party’s: (i) processing of Personal Data; or (ii) potential failure to comply with Data Protection Laws in respect of the Personal Data, that Party must, without undue delay, notify the other Party of such Enquiry and direct the person making the Enquiry to the other Party.
2.8. If a Party needs assistance from the other Party to respond to an Enquiry, the other Party shall co-operate and provide such information and assistance as the other Party may reasonably require to enable the other Party to comply with its obligations under Data Protection Laws in respect of such Enquiry.
2.9. Each Party shall as soon as reasonably practicable after discovering any Personal Data breach notify the other Party of the same and, at its own expense, shall use its reasonable endeavours to:
2.9.1. minimise the impact of such Personal Data breach and prevent such Personal Data breach recurring; and
2.9.2. provide all reasonable assistance as the other Party shall require to provide such notifications as may be required in accordance with Data Protection Laws.
3. International Transfers
3.1. Neither Party shall process any Personal Data, or transfer the Personal Data (nor permit any Personal Data to be processed) in connection with the IO to any Restricted Country unless it has taken such measures as are necessary to ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with Data Protection Laws. Such adequate protection and appropriate safeguards may include entering into the EEA Standard Contractual Clauses and/or UK Addendum.
3.2. The Parties agree that in the event of an Ex-EEA Transfer, the transferring Party shall comply with the data exporter’s obligations in the EEA Standard Contractual Clauses and the receiving Party shall comply with the data importer’s obligations in the EEA Standard Contractual Clauses, and the EEA Standard Contractual Clauses are deemed to have been executed by the Parties and incorporated into (and form part of) this Addendum, with the following amendments:
3.2.1. Clause 7 (docking clause) of the EEA Standard Contractual Clauses shall be included;
3.2.2. the optional language in Clause 11 shall apply;
3.2.3. the governing law for the purposes of Clause 17 (governing law) of the EEA Standard Contractual Clauses shall be the law of Ireland;
3.2.4. the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the EEA Standard Contractual Clauses shall be the courts of Ireland;
3.2.5. Annexes IA, IB and IC to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix A to this Addendum;
3.2.6. Annex II to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix B to this Addendum. The security measures listed in Appendix B shall be put in place even if the Parties are both in the EEA or UK.
3.3. The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the EEA Standard Contractual Clauses as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:
3.3.1. Table 1 shall be deemed completed with the information from Appendix A to this Addendum, and the start date shall be the Effective Date of the IO;
3.3.2. In Table 2, the first option shall be selected and the relevant version of the “Approved EEA Standard Contractual Clauses” referenced in that option shall be the EEA Standard Contractual Clauses referenced in Clause 3.2 above (as amended in accordance with Clause 3.2);
3.3.3. Table 3 shall be deemed completed with the information from Appendix A and Appendix B to this Addendum;
3.3.4. Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and
3.3.5. the transferring Party shall comply with the data exporter’s obligations in the UK Addendum and the receiving Party shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.
3.4. In the case of any transfers of Personal Data protected by Data Protection Laws applicable to Switzerland, (i) general and specific references in the Standard Contractual Clauses to GDPR (or any predecessor to the GDPR) shall have the same meaning as the equivalent reference in the Data Protection Laws of Switzerland; (ii) any obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or data subject is established shall refer to an obligation under such aforementioned Data Protection Laws; and (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”.
4. Miscellaneous:
4.1. Liftoff reserves the right to modify, suspend or terminate the IO should the Demand Partner violate or breach this Addendum.
4.2. This Addendum shall survive termination or expiry of the IO. Upon termination or expiry of the IO, Liftoff may continue to process Personal Data provided that such processing complies with the requirements of this Addendum.
4.3. Notwithstanding anything to the contrary in the IO, Liftoff may periodically make modifications to this Addendum as may be required to comply with the Data Protection Laws.
Appendix A
Details of Transfer
Annex 1(A): List of parties | |
Data Exporter: | Name: The Liftoff group entity specified in the IO; Address: As specified in the IO; Official registration number (if any): ; Contact person’s name, position and contact details: DPO, [email protected]; Activities relevant to the data transferred: SSP services; Signature and date: As per the IO; Role (Controller/Processor): Controller |
Data Importer: | Name: As set out for the “Demand Partner” in the IO; Address: As set out for the “Demand Partner” in the IO; Official registration number (if any): ; Contact person’s name, position and contact details: As set out for the “Demand Partner” in the IO; Activities relevant to the data transferred: Demand Partner services (demand-side platform, ad exchange, agency, agency trading desks or ad network); Signature and date: As per the IO; Role (Controller/Processor): Controller |
Annex 1(B): Description of the processing / transfer | |
Categories of Data Subjects whose personal data is transferred: | End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to Data Exporter’s publisher properties. |
Categories of personal data transferred | |
Recipients of data | Demand Partner |
Sensitive data transferred (if appropriate) | None |
Frequency of the transfer | Data is transferred on a continuous basis. |
Nature, subject matter and duration of the processing | Personal data transferred will be processed in accordance with the IO (including the Addendum) and may be subject to the following processing activities: (i) Storage and other processing necessary to provide the Demand Services to Liftoff; and (ii) Disclosures in accordance with the IO and/or as compelled by applicable laws |
Purposes of the data transfer and further processing | To enable Demand Partner to process C2C Data as a controller solely for the purposes of providing the Demand Services to Liftoff pursuant to the IO, including for the purposes of determining the amounts to bid on publisher inventory and bidding on advertising impression opportunities. |
Period for which the personal data will be retained, or if that is not possible the criteria used to determine that period, if applicable | The duration of the data processing under this Addendum is until the termination of the IO in accordance with its terms plus the period from the expiry of the IO until deletion of the Data by Demand Partner in accordance with the terms of the IO. |
Annex 1(C): Competent supervisory authority | |
The competent supervisory authority, in accordance with Clause 13 of the New SCCs | The competent supervisory authority will be determined in accordance with the GDPR and the UK GDPR. |
Appendix B
Technical and Organisational Security Measures of the Demand Partner
Introduction
Each party employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.
Governance and Policies
Each party assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
Each party:
● has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
● reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
Each party establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
Breach response
Each party has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated no less than once per year.
Intrusion, anti-virus and anti-malware defences
Each party’s IT systems used to process personal data have appropriate data security measures, including: (a) physical access controls; (b) remote access controls, including firewalls on the internal network; (c) logging and monitoring of user access for unusual and unauthorized access; (d) threat assessment and vulnerability scanning; (e) encryption of data at rest.
Access controls
Each party limits access to personal data by implementing appropriate access controls, including: (a) limiting administrative access privileges and use of administrative accounts; (b) changing all default passwords before deploying operating systems, assets or applications; (c) requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems); (d) only permitting user access to personal data which the user needs to access for their job role or otherwise limited to the purpose for which they are given access (i.e. Service Provider implements measures to ensure least privilege access to IT systems); (e) appropriate procedures for controlling the allocation and revocation of personal data access rights, including procedures for revoking employee access to IT systems when they leave their job or change role; (f) encouraging users to use strong passwords, such as passwords with over fourteen characters, combination of upper and lower case letters, numbers and special characters; (g) automatic timeout and locking of user terminals if left idle; (h) monitoring and logging access to IT systems.
Availability and Back-up personal data
Each party has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated. Service Provider regularly backs up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested periodically.
Segmentation of personal data
Each party separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes.
Disposal of IT equipment
Each party has in place processes to securely remove all personal data before disposing of IT systems, and uses appropriate technology to purge equipment of data and/or destroy hard disks.
Encryption
Each party uses encryption technology where appropriate to protect personal data held electronically, including encryption of data where appropriate and encryption of company issued portable devices used to process personal data. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.
Transmission or transport of personal data
Appropriate controls are implemented by each party to secure personal data during transmission or transit, including, but not limited to: use of VPNs; SSL in transit; logging personal data when transmitted electronically; ensuring physical security for personal data as appropriate when transported.
Asset and Software management
Each party maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider: documents and implements rules for acceptable use of IT assets; proactively monitors software vulnerabilities and promptly implements any out of cycle patches.
Physical security
Each party implements physical security measures to safeguard personal data. This may include deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.
Staff training and awareness
Each party’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.
Each party requires: staff training on data security and privacy issues relevant to their job role, and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures); appropriate screening and background checks on individuals that have access to sensitive personal data; and that staff are subject to disciplinary measures for breaches of such party’s policies and procedures relating to data privacy and security.
Selection of service providers and commission of services
Each party assesses service providers’ ability to meet their security requirements before engaging them. Each party has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Service Provider’s instructions.
Each party audits service providers (including sub-processors) that have access to such party’s data either through physical inspection by appropriately qualified security auditors or by reviewing its service providers’ security accreditation (such as ISO 27001 or SOC II) reports. Each party’s breach response protocol and agreements with its service providers provide for the audit of such service providers (and sub-processors) following receipt of any notice of a security incident from that service provider.
Assistance with Data Subject Rights Requests
Each party has implemented appropriate policies and measures to identify and address data subject rights requests, including: (a) maintaining accurate records to enable it to identify quickly all personal data processed on behalf of the other party; (b) ensuring deletion and rectification requests are fully actioned.