DATA PROCESSING AGREEMENT
[Last Updated: July 1, 2020]
This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.
1.1. “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
1.2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time.
1.3. The terms “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), and “Personal Data Breach” shall all have the same meanings as ascribed to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such terms are defined in the CCPA.
1.4. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.
1.5. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
1.6. “ID” means (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) an online identifier associated with a device.
1.7. “Personal Data” or “Personal Information” means any information which (i) can be related to, describes, or is capable of being associated with an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and (ii) is processed by Advertiser pursuant to the Agreement, including by way of access to the data, and may include, inter alia, demographic data, device information, IDs, cookies, browsing URLs, events, and geo localization data.
1.8. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Any Personal Data Breach will comprise a Security Incident.
2. Parties’ Roles
3. Representations and Warranties
The Publisher represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Publisher acknowledges that, taking into account the nature of the Processing, PubMax is not in a position to determine whether the Publisher’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data, as well as the CCPA provisions. PubMax represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Publisher, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Publisher’s written instructions including the Terms and this DPA. Notwithstanding the above, in the event PubMax is required under applicable laws to Process Personal Data other than as instructed by Publisher, PubMax shall make its best efforts to inform the Publisher of such requirement prior to Processing such Personal Data, unless prohibited under applicable law.
4. Processing of Personal Data and Compliance with Data Protection Law
The Publisher represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of the Services, unless agreed in writing by PubMax. Unless otherwise agreed to in writing by the parties, the Publisher shall not share any Personal Data with PubMax that contains Personal Data relating to children under 16 years old.
As between the parties, the Publisher undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with PubMax and that PubMax relies on Publisher’s lawful basis (as required under Data Protection Law). In the event consent is needed under Data Protection Law, the Publisher shall ensure that it obtains a proper act of consent from Data Subjects and presents all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Personal Data and enable lawful transfer and Processing of Personal Data to and by Advertisers, as well as, where applicable, provide the Data Subjects with the ability to opt out. In the event Data Subject consent is required under Data Protection Law, Publisher shall be fully responsible to support and transmit to Advertiser, through the Services, the parameter of consent, or opt-out, as applicable. The Publisher shall maintain a record of all consents obtained from Data Subjects, including the time and date on which consent was obtained, the information presented to Data Subjects in connection with their giving consent, and details of the mechanism used to obtain consent, as well as a record of the same information in relation to all withdrawals of consent by Data Subjects. Publisher shall make these records available to PubMax promptly upon request.
5. Rights of Data Subject and Parties’ Cooperation Obligations
It is agreed that where PubMax receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by PubMax, where relevant, PubMax will direct the Data Subject or the applicable authority to the Publisher in order to enable the Publisher to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. PubMax shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
6. No Sale of Personal Information
It is hereby agreed that any sharing of Personal Data between the parties is made solely for fulfilling a Business Purpose and PubMax does not receive or process any Personal Data in consideration for the Services. Thus, such Processing of Personal Data shall not be considered as a Sale. Notwithstanding the above, the process of sharing the Personal Data by PubMax with Advertisers might be considered as a Sale under the CCPA. Thus, the Publisher is solely liable for its compliance with the CCPA in its use of the Services. It is the Publisher’s sole responsibility and liability to determine whether the sharing or transferring of Personal Data of Consumers during the course of the Services constitutes a Sale of Personal Data, as well as to comply with the applicable CCPA requirements in this regard, including providing a “Do Not Sell” signal of end users who have exercised their right to opt out, where applicable.
The Publisher acknowledges that PubMax may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Publisher hereby authorizes PubMax to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. PubMax may continue to use those Sub-Processors already engaged by PubMax and PubMax may engage an additional Sub-Processor or replace an existing Sub-Processor to process Personal Data provided that it notifies the Publisher of its intention to do so. PubMax shall, where it engages any Sub-Processor, impose, through a legally binding contract between PubMax and the Sub-Processor, data protection obligations as required under applicable Data Protection Laws. PubMax shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Laws.
8. Technical and Organizational Measures
PubMax hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Personal Data as required under Data Protection Laws to ensure lawful processing of Personal Data and safeguard Personal Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
9. Security Incident
PubMax will notify the Publisher upon becoming aware of any confirmed Security Incident involving the Personal Data in PubMax’s possession or control. PubMax’s notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by PubMax of any fault or liability with respect to the Security Incident. PubMax will, in connection with any Security Incident affecting the Personal Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Publisher and provide the Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
10. Audit Rights
PubMax shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). PubMax may object to an auditor appointed by the Publisher in the event PubMax reasonably believes the auditor is not suitably qualified or independent, is a competitor of PubMax or otherwise unsuitable (“Objection Notice”). The Publisher will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from PubMax. Publisher shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to PubMax’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to PubMax immediately.
11. Data Transfer
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
In the event of a conflict between the terms and conditions of this DPA and the Terms or IO, this DPA shall prevail.