DATA PROTECTION ADDENDUM
Yieldmo, Inc., on behalf of itself and its Affiliates (“Yieldmo”) and the counterparty agreeing to this Data Protection Addendum (“Company”) have entered into an agreement, insertion order or other contract for the provision of the Controller Services, as amended from time to time (the “Main Agreement”). This Data Protection Addendum (‘DPA”) is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Controller Personal Data pursuant to the Main Agreement. Yieldmo and Company are Individually referred to as a “Party” or together as “Parties”. In the event of a conflict between this DPA and the Main Agreement, this DPA shall prevail.
a) “Affiliate” means, with respect to a Party, an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Party, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
b) “Data Privacy Laws” shall mean all applicable laws governing the handling of Personal Data, including without limitation (1) EC Regulation 2016/679 (“GDPR“) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); (2) the local law of the place(s) where Processing by a Party and its Personnel takes place; and (3) the California Consumer Privacy Act of 2018 (“CCPA“); in each case, all of the foregoing as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries or jurisdictions.
c) “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Main Agreement in connection with the providing Party’s provision or use (as applicable) of the Controller Services.
d) Controller Services means the services as described in the Main Agreement.
e) “Data Subject” means a natural person to whom any Controller Personal Data pertains.
f) “Process, Processing and Processed” means any operation or set of operations which is performed on Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g) “Personal Data” or the equivalent ‘personal information’ means any information relating, directly or indirectly, to an identified or identifiable natural person or otherwise as defined in applicable Data Privacy Laws.
h) “Personal Data Breach” means confirmed unauthorised, accidental or unlawful Processing, access, loss, or disclosure of Controller Personal Data.
i) “Personnel” means all officers, directors and employees, independent contractors or service providers of a Party or its Affiliates.
j) “Sell” shall have the meaning assigned to it in the CCPA.
k) The terms “controller”, and “processor” as used in this Agreement have the meanings given in the GDPR.
2. Role of the Parties. For purposes of EU Data Protection Law, each Party is an independent Controller of the Controller Personal Data that it collects or Processes pursuant to the Main Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under EU Data Protection Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data. For purposes of the CCPA, each Party is considered to be a “third party”.
3. Obligations of the Parties.
a) Each Party shall comply with all applicable requirements of Data Privacy Laws.
Each Party represents and warrants at all times that: (i) it has the necessary right and authority to enter into this DPA and to perform its obligations herein; (ii) its execution and performance under this DPA and the Main Agreement will not violate any agreement to which it is a party; (iii) it has provided all required information to Data Subjects including, where required, that Personal Data that may be passed to third parties for the purposes of the Main Agreement; and (iv) in collecting Controller Personal Data, it did not violate any applicable self-regulatory principles promulgated by the Network Advertising Initiative (“NAI”), the Digital Advertising Alliance (“DAA”) or the European Interactive Digital Advertising Alliance (“EDAA”) (such Self-Regulatory Principles, collectively, the “SRPs”). In the event that Company is the owner or operator of the mobile websites, mobile applications or other media from which it collects or makes available the Controller Personal Data, Company represents and warrants that either: (x) it is a participant in the IAB Europe Transparency & Consent Framework (“TCF”) and will adhere to TCF rules and guidelines, or (y) that it has otherwise obtained any legally required consent to the collection, use and disclosure of Controller Personal Data to allow Yieldmo to Process such Controller Personal Data in connection with the Controller Services.
c) Each Party will notify the other Party in writing of any action or instruction of the other Party under this DPA or the Main Agreement which, in its opinion, infringes applicable Data Privacy Laws.
d) Subject to this DPA, each Party, acting as a Controller, may Process the Controller Personal Data in accordance with, and for the purposes permitted in, the Main Agreement (the “Permitted Purposes”).
e) The types of Controller Personal Data may include, but are not necessarily limited to, the following types of Personal Data:
- IP address;
- Mobile advertising identifier; and/or
- Cookie identifier.
f) Data Subjects whose information is contained in the Controller Data may include, but are not necessarily limited to, the following:
- End users of digital properties (e.g. mobile websites and/or mobile applications); and/or
- To the extent applicable under EU Data Protection Law, Personal Data of employees, consultants or other contacts of a Party.
4. Security and Confidentiality. Each Party shall implement appropriate technical and organisational measures to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction. In the event that a Party suffers a Personal Data Breach, it shall notify the other Party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both Parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Laws prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay. Each Party shall ensure that all of its Personnel who have access to and/or Process Controller Personal Data are obliged to keep the Controller Personal Data confidential.
5. Transfers outside the EEA. Where a Party receiving Controller Personal Data is located in a country not recognized by the European Commission as providing an adequate level of protection for Personal Data within the meaning of EU Data Protection Law, no Controller Personal Data Processed within the European Economic Area, the United Kingdom or Switzerland (“EEA”), by either of the Parties pursuant to this DPA shall be exported outside the EEA (or transferred onward to another non-EEA location) without a legally recognized transfer mechanism, such as Binding Corporate Rules (“BCRs”), Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries (Controller to Controller Transfers SET II) approved by EC Commission decision of 27 December 2004 (without modifications or optional clauses), as amended or replaced from time to time (“SCC”), or a successor program to the EU-US Privacy Shield (“Privacy Shield”). In the event that a successor program to Privacy Shield or BCRs do not apply to the export or transfer, the SCCs shall apply as between the Parties, and such SCCs are incorporated herein by reference.
6. Data Subject Requests. Each Party will process its own requests for Data Subjects to exercise their rights. With respect to objections from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the Parties, including requests to opt-out from the Sale of Personal Information pursuant to CCPA, the parties will collaborate to honor such objections or opt-out requests.
7. Compliance Cooperation. Both Parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the Parties.
8. Data Retention. Both Parties shall fulfill their obligations with regards to their respective data retention periods as stated in their respective privacy policies.
9. Allocation of Costs. Each Party shall perform its obligations under this DPA at its own cost, except as otherwise specified herein.
10. Liability. The liability of the Parties under or in connection with this Agreement will be subject to the exclusions and limitations of liability in the Main Agreement.
11. Miscellaneous. If any provision or condition of this DPA is held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid, unlawful or unenforceable part had never been contained in this DPA. This DPA shall be governed by and construed in accordance with the laws governing the Main Agreement, and any disputes shall be resolved by the courts agreed for resolution of disputes under the Main Agreement.