Media Partner DPA

MEDIA PARTNER DATA PROCESSING ADDENDUM

Version: MPDPA201001

Date published: ,30 October 2020

This Data Processing Addendum (“DPA”) is incorporated by reference into the Media Partner Terms and Conditions (“Terms”) and all current and future amendments and related orders by and between you (“Media Partner” or “Controller”) and Avow GmbH (“Avow”, “Company” or “Processor”), and together with the Media Partner Insertion order (if applicable) collectively constitute the “Agreement”. This DPA sets out the terms governing the processing of Personal Data by Company on behalf of Media Partner under the Agreement.

In the course of providing the Services to Customer pursuant to the Agreement, Processor may Process Personal Data on behalf of Controller and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

 

  1. Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws.

1.2 “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.

1.3 “Data Protection Laws” means EU Data Protection Laws, the California Consumer Privacy Act and all applicable legislation relating to data protection and privacy, including without limitation all local laws, regulations and secondary legislation, together with any national implementing laws, as amended or updated from time to time.

1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

1.5 “GDPR” means EU General Data Protection Regulation 2016/679.

1.6 “Services” means the services that Processor provides to Controller as described in the Services Agreement.

1.7 “Sub-processor” means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Controller in connection with the Principal Agreement.

1.8 The terms, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processor“, “Processing“, “Data Protection Impact Assessment” and “Supervisory Authority“, and other words and expressions used in this Agreement but not defined herein shall have the same meaning as given to such words and expressions in the EU Directive 95/46/EC (“Directive”) or, from 25 May 2018, the General Data Protection Regulation (2016/679).

 

  1. Processing of Personal Data

2.1 Both parties will comply with all applicable requirements of the Data Protection Laws.

2.2 The subject matter and duration of processing, nature and purpose of processing, specific types of Personal Data that Company will process and categories of Data Subjects whose Personal Data will be processed are set forth in Schedule 1 (Scope of Processing).

2.3 The parties acknowledge that, under the Data Protection Laws, Company is the Data Processor and Media Partner is the Data Controller (or Processor acting under the instructions of a third party Controller) as applicable, of Personal Data.

2.4 Authorisation by Third Party Controller. If Media Partner is a Processor, Media Partner warrants to Company that Media Partner’s instructions and actions with respect to Personal Data, including its appointment of Company as another Processor, have been authorised by the relevant Controller.

2.5 Media Partner instructs Company to process Personal Data:

a) in accordance with the Agreement and Schedule 1;

b) to provide the Services and any related technical support;

c) to comply with other reasonable instructions provided by Media Partner where such instructions are consistent with the terms of the Agreement.

2.6 Company shall collect, process and use Personal Data only within the scope of Media Partner’s instructions.

Company may process Personal Data other than on the instructions of Media Partner if it is required under applicable law to which Company is subject. Where Company is relying on applicable law as the basis for processing Personal Data, Company shall promptly notify Media Partner of this before performing the processing required by the applicable law unless such applicable law prohibits Company from so notifying Media Partner.

If Company believes or becomes aware that any of Media Partner’s instructions conflict with any Data Protection Laws, Company shall inform Media Partner promptly and cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Media Partner issues new instructions with which Company is able to comply. If this provision is invoked, Company will not be liable to Media Partner under the Agreement for any failure to perform the Services until such time as the Media Partner issues new instructions in regard to the processing.

 

  1. Media Partner’s obligations 

Media Partner hereby confirms that:

a) it has complied, and will continue to comply, with all statutory requirements imposed by the Data Protection Laws, including but not limited to having an adequate legal basis for processing Personal Data in accordance with the terms of the Agreement and this DPA;

b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Company for processing in accordance with the terms of the Agreement and this DPA;

c) it will inform Company comprehensively and without undue delay about any errors or irregularities related to statutory provisions on the processing of Personal Data.

To avoid any confusion, the acceptance of this DPA does not subject a Media Partner that is not established in the EU and does not process Personal Data of EU/EEA data subjects to GDPR.

 

  1. Company’s obligations

Company hereby obliges itself to:

a) implement appropriate technical and organizational measures to safeguard Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;

b) ensure that all persons who have access to and/or process Personal Data, including its personnel, contractors and Sub-processors to the extent applicable to their scope of performance, are subject to confidentiality obligations with respect to the Personal Data;

c) comply with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred;

d) assist the Media Partner, at Media Partner’s cost and by appropriate technical and organizational measures considering the nature of processing, in fulfilling Media Partner’s obligations to respond to Data Subjects’ requests under the Data Protection Laws, to the extent Media Partner does not have access to the Personal Data necessary to respond to such requests through its use or receipt of the Services. For the avoidance of doubt, Media Partner is solely responsible for responding to Data Subjects’ requests for access, correction, restriction, objection, erasure or data portability, as applicable, of that Data Subjects’ Personal Data;

e) take reasonable measures to cooperate and assist Media Partner in conducting a Data Protection Impact Assessment and related consultations with any supervisory authority, if Media Partner is required to do so under the Data Protection Laws;

f) notify Media Partner without undue delay on becoming aware of a Personal Data breach affecting Personal Data, provided that such breach is not caused by Media Partner or Media Partner’s personnel or end users. At Media Partner’s request, Company will promptly provide Media Partner with all reasonable assistance necessary to enable Media Partner to notify Personal Data breaches to competent authorities and/or affected Data Subjects, if Media Partner is required to do so under the Data Protection Laws;

g) make available to Media Partner all information reasonably necessary to demonstrate Company’s compliance with this DPA. No more than once per year, Media Partner may engage a mutually agreed upon third party to audit Company solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, Media Partner must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to [email protected] The auditor must execute a written confidentiality agreement acceptable to Company before conducting the audit. The audit must be conducted during regular business hours, subject to Company’s policies, and may not unreasonably interfere with Company’s business activities. Any audits are at Media Partner’s sole cost and expense; and

h) upon termination or expiration of the Agreement, cease all processing of Personal Data subject to this DPA and delete or make available to Media Partner for retrieval all relevant Personal Data in Company’s possession, except as otherwise prohibited, allowed or required by any applicable law. Company shall extend the protections of the Agreement and this DPA to any such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention.

 

  1. Sub-processors

5.1 Company shall be entitled to engage third-party processors (“Sub-processors”) to fulfil its obligations defined in the Agreement only with Media Partner’s written consent. Media Partner hereby consents to Company appointing the third parties listed in Schedule 2 as Sub-processors of Personal Data under this DPA.

5.2 Company will execute contracts imposing data protection obligations on its Sub-processors that are at least equivalent to those data protection obligations imposed on Company under this DPA. As between Media Partner and Company, Company shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this Section 5.2.

5.3 If Company engages a new Sub-processor, Company will notify Media Partner by updating its list of Sub-processors located in this DPA and informing Media Partner of the change via email or the use of Company Platform. Media Partner has the right to object to the engagement of new Sub-processors within 30 days after being notified, provided that the objection is based on reasonable grounds. If Media Partner and Company are unable to resolve such objection, the parties will work together to find a mutually agreeable solution.

 

  1. General provisions

6.1 Except as stated in this DPA, the Agreement will remain in full force and effect.

6.2 Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

6.3 The party agreeing to this DPA as Media Partner represents that it is authorized to agree to and enter into this DPA for, and is agreeing to this DPA solely on behalf of, the Media Partner.

6.4 Any claims brought under this DPA shall be subject to the Terms.

 

  1. GDPR applicability (for clarification purposes)

As per Art. 3 of the GDPR, GDPR applies to the processing of personal data: 1) in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not, 2) of data subjects who are in the Union by a controller or processor not established in the Union […], 3) by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Therefore, a Controller that is not established in the EU and does not process Personal Data of EU/EEA data subjects is not subject to GDPR and does not become subject to GDPR by working with Avow, as a processor based in European Union.

Acceptance of this DPA by the aforementioned non-EU Media Partners, that do not process Personal Data of EU/EEA data subjects only ensures that the processing made by Avow remains lawful with regards to the Processor’s obligations under EU law. The Controller obligations mentioned in the DPA do not apply to such non-EU Controllers that do not process Personal Data of EU/EEA data subjects.

For further details please see Guidelines 3/2018 on the territorial scope of the GDPR

(Article 3) that can be found online at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf

 

List of Schedules:

Schedule 1: Details of Processing

Schedule 2: Sub-processors

 

 SCHEDULE 1 DETAILS OF PROCESSING

Details of Data Processing

 

  1. Subject Matter: The subject matter of the data processing under this DPA is the provision of the Services and any related technical support to Media Partner.

 

  1. Duration: Personal Data will be processed for the duration of the Agreement, in accordance with its terms, except as otherwise required by applicable law.

 

  1. Purpose: The purpose of the processing of Personal Data under this DPA is the provision of the Services and any related technical support to Media Partner and the performance of Company’s obligations under the Agreement and any applicable order, or as otherwise agreed by the parties in mutually executed written form. The purpose may include campaign attribution matching, settlement, dispute resolution and anti-fraud reviews.

 

  1. Nature of the Processing: Company provides the Services as described in the Agreement, which involve processing Personal Data upon the instruction of the Media Partner in accordance with the terms of the Agreement and any applicable order.

 

  1. Categories of Data Subjects: Personal Data relates to the following categories of data subjects:

a) Employees, agents, advisors, representatives, consultants, partners of Media Partner (who are natural persons); and/or

b) Media Partner’s end users.

 

  1. Types of data and Personal Data:

a) Relating to Data Subjects identified in 5.a: Identification and contact information, including name and email address, the extent of which is determined and controlled by the Media Partner in its sole discretion; financial information;

b) Relating to Data Subjects identified in 5.b:

–              Device Identifier (IDFA for iOS and Android Advertising ID for Android devices)

–              IP address of the device

–              country, region, city where the app was installed

–              date and time when the app was installed

–              technical data about the device and operating system used

–              browser type and version, mobile phone carrier, network status

–              post-install events such as acquisitions, registrations, etc. incurred after the app was installed

 

  1. Sensitive and Special Categories of Personal Data: Media Partner shall not send Company any Sensitive or Special Categories of Personal Data, as defined in the Data Protection Laws.

 

SCHEDULE 2 SUB-PROCESSORS

Name Service Location
Everflow Technologies Inc. Web-based affiliate tracking, targeting, reporting and analytics services United States
24metrics GmbH Ad Fraud detection Germany