DATA PRIVACY ADDENDUM
This Addendum (a) establishes the Parties’ relationship and obligations with respect to personal data and/or personal information accessed in accordance with the Monetization Activities; and (b) replaces and supersedes any existing data processing addendum, attachment, exhibit, or standard contractual clauses that App Publisher and Company may have entered into previously in connection with the Agreement. Company and App Publisher are each from time to time referred to herein as a “Party” and collectively as the “Parties”. Capitalized terms used but not defined herein have the meanings given in the Agreement.
1. Definitions.
a. “Applicable Data Law” means all data protection and privacy laws, regulations and self-regulatory codes applicable to the personal data in question, including, where applicable, the CCPA, the CPA, the CTDPA, the UCPA, the VCDPA, European Data Law, the LGPD, and all FTC guidelines and any other applicable laws, rules and regulations with respect to data privacy.
b. The “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, including without limitation any and all applicable implementing regulations. The “CPA” means the Colorado Privacy Act, Senate Bill 21-190 (2021), as amended, including without limitation any and all applicable implementing regulations. The “CTDPA” means the Connecticut Data Protection Act, Senate Bill 6 (2022), as amended, including without limitation any and all applicable implementing regulations. The “UCPA” means the Utah Consumer Privacy Act, Senate Bill 227 (2022), as amended, including without limitation any and all applicable implementing regulations. The “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code §§ 59.1-575 et seq., as amended, including without limitation any and all applicable implementing regulations.
c. “European Data Law” means (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iv) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (v) any and all applicable national laws made under or pursuant to (i), (ii), (iii) and (iv); in each case as may be amended or superseded from time to time.
d. The “LGPD” means the Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations.
e. “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of personal data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Law.
f. “SCCs” means the standard contractual clauses (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where another Applicable Data Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved by an appropriate data protection authority or similar body that is adopted or permitted under that Applicable Data Law.
g. “business”, “consumer”, “controller”, “processor”, “data subject”, “personal data”, “personal information”, “processing” (and “process”), “recipient”, “sale”, “sensitive data”, “service provider”, “sharing” (and “share(s)”), and “third party” shall have the meanings given in Applicable Data Law.
2. Terms.
a. Each Party shall disclose or make available personal data to the other Party for the sole purpose provided in Attachment 1 to this Addendum (the “Purpose”). The Parties shall be treated as separate data controllers and not as joint controllers or as a data controller and data processor.
b. Each Party shall be individually and separately responsible for complying with the obligations that apply to it under Applicable Data Law. Without limiting the foregoing, each Party shall (i) maintain a publicly accessible privacy policy on its website that satisfies the requirements of Applicable Data Law, and in particular advises data subjects of their rights and remedies under Applicable Data Law; (ii) conduct and document a data protection assessment that satisfies the requirements of Applicable Data Law; and (iii) implement and maintain technical and organizational measures for the processing of personal data that are appropriate to the risk and designed to be adequate under Applicable Data Law.
c. Neither Party shall sell the personal information of a consumer if such Party has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of that consumer’s personal information.
d. App Publisher shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Law are displayed to all data subjects such that Company can serve cookies lawfully. Company shall provide App Publisher with such information as App Publisher may reasonably require about Company’s cookies so that App Publisher can ensure that such notice is provided. Company shall not use cookies to collect personal data from a data subject that has opted not to receive Company’s cookies.
3. Restricted Transfers.
The Parties agree that when the transfer of personal data under the Agreement is a Restricted Transfer, the SCCs shall be incorporated into this Addendum by this reference, with each Party being deemed to have entered into the SCCs in its own name and on its own behalf as follows:
a. EU SCCs. In relation to personal data that is protected by the EU GDPR, the EU SCCs shall apply completed as follows: (i) Module One shall apply; (ii) App Publisher shall ensure that the information called for by Section II, Clause 8.2(a) of the EU SCCs, as well as a copy of the EU SCCs, are supplied free of charge to all data subjects; (iii) in Clause 7, the optional docking clause shall not apply; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply, and the EU SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Attachment 1 to this Addendum; and (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Attachment 2 to this Addendum.
b. UK SCCs. In relation to personal data that is protected by the UK GDPR, the UK SCCs will apply completed as follows: (i) as set out above in Section 3.a of this Addendum and the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”) in respect of the transfer of such personal data; and (ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at Section 3.a (as applicable), in Attachment 1 and Attachment 2 of this Addendum and table 4 in Part 1 shall be deemed completed by selecting “neither party”.
c. Swiss SCCs. In relation to personal data that is protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 3.a of this Addendum amended as follows: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs shall be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be deemed replaced with the equivalent article or section of the Swiss DPA; (iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be deemed replaced with ‘Switzerland’; (iv) references to the ‘competent supervisory authority’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
d. Other jurisdictions. In relation to personal data that is protected by another Applicable Data Law, the Parties agree that such SCCs shall automatically apply to the transfer of personal data from App Publisher to Company and, where applicable, shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.
4. LGPD
In respect of data subjects whose personal data is processed in the course of providing the Monetization Activities, App Publisher will be responsible for providing notice in accordance with the LGPD, including but not limited to notice as required under Article 18 of the LGPD. Each Party shall separately be responsible for fulfilling requests they receive from data subjects to exercise their rights under the LGPD.
5. UNITED STATES.
a. To the extent either Party collects and shares the personal information of California residents, each Party (i) shall be considered a business under the CCPA; and (ii) will only process personal information in furtherance of the Purpose, unless required by Applicable Data Law.
b. Each Party (the “Discloser”) may disclose personal information of United States data subjects to a person or entity that is a processor, contractor and/or service provider (each a “Vendor”) in order to fulfill the Purpose, provided the Discloser prohibits the Vendor from (i) selling or sharing such personal information to any third party in violation of Applicable Data Law; (ii) retaining, using, or disclosing such personal information for any reason other than for the Purpose, detecting data security incidents, and/or protecting against fraudulent or illegal activity; (iii) combining such personal information with other personal information unless permitted by Applicable Data Law; (iv) in the case of a contractor, accessing such personal information without first certifying that said contractor understands the restrictions of Applicable Data Law; and (v) accessing such personal information unless the Parties can monitor the Vendor’s compliance. Without limiting the foregoing, each Party will ensure that any Vendor that may receive such personal information first executes a written contract compatible with Applicable Data Law.
6. Miscellaneous.
a. Conflicts. In the event of any inconsistency between the Agreement, this Addendum and/or any SCCs, the order of precedence shall be: first, the SCCs for the relevant jurisdiction; second, this Addendum; and third, the Agreement.
b. Entire agreement. This Addendum is the Parties’ entire agreement as it relates to the Parties’ obligations under Applicable Data Law and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or agreements (executed or otherwise).
c. No further amendment. Except as modified by this Addendum, the Agreement remains unmodified and in full force and effect.
ATTACHMENT 1
A. LIST OF PARTIES
Data exporter(s): Same as App Publisher (see information above).
Activities relevant to the personal data transferred under the Clauses: Facilitate the sale of space to display ads on any website, webpage, and/or application or any other similar property that is owned, operated or controlled by App Publisher, or on which App Publisher has a contractual right to serve ads and is approved for Monetization Activities by Media.net; Placement of ads on any website, webpage, and/or application or any other similar property; Measuring and optimizing the performance of the Parties’ digital marketing activities.
Signature and date: See above.
Role (controller/processor): Independent Data Controller
Data importer(s): Media.net
Activities relevant to the personal data transferred under the Clauses: Facilitate the sale of space to display ads on any website, webpage, and/or application or any other similar property that is owned, operated or controlled by App Publisher, or on which App Publisher has a contractual right to serve ads and is approved for Monetization Activities by Media.net; Placement of ads on any website, webpage, and/or application or any other similar property; Measuring and optimizing the performance of the Parties’ digital marketing activities.
Signature and date: See above.
Role (controller/processor): Independent Data Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: End users of data exporter (or App Publisher).
Categories of personal data transferred: Online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. Other data: exporter’s general marketing and transactional communications and personal data use may span broad categories of any data relevant to data exporter’s relationship with the data subject, and may vary from time to time.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Daily.
Nature of the processing: For the data importer to provide the Monetization Activities and the processing of personal data of end users of data exporter.
Purpose(s) of the data transfer and further processing: For the data importer to provide the Monetization Activities, including but not limited to the following: Facilitate the sale of space to display ads on any website, webpage, and/or application or any other similar property that is owned, operated or controlled by App Publisher, or on which App Publisher has a contractual right to serve ads and is approved for Monetization Activities by Media.net; Placement of ads on any website, webpage, and/or application or any other similar property; Measuring and optimizing the performance of the Parties’ digital marketing activities.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The greater of the Term or twelve (12) months.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Not applicable to the extent each Party is an Independent Data Controller. Notwithstanding the foregoing, each Party shall, for all personal data exchanged as part of this Agreement, independently enter into an agreement with its respective processors specifying the subject matter, nature and duration of the processing. In the event of the use of processors and/or sub-processors, each Party shall be responsible for complying with the requirements of Article 28 of the EU GDPR. Accordingly, each Party shall, inter alia: use only processors that can provide the necessary guarantees that they implement appropriate technical and organizational measures in such a way as to ensure that processing complies with the requirements of the EU GDPR and safeguards the rights of the data subject; ensure that a valid data processing arrangement is in place between the relevant Party and the processor; and ensure that there is a valid sub-processor arrangement between the processor and any sub-processor.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The Data Protection Commission of Ireland.
ATTACHMENT 2
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Each Party shall be responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that processing is in compliance with the EU GDPR, taking into account the nature, scope, context and purposes of the processing involved, as well as the risks of varying degrees of likelihood and severity for the rights and freedoms of natural persons. The measures shall be reviewed and updated as necessary (Article 24 of the EU GDPR) and shall include, but not be limited to, the following:
- Measures of pseudonymisation and encryption of personal data: Pseudonymization of personal data of data subjects where possible. Application of security controls, e.g., data siloing, restricting and monitoring access, designating confidential status, employing best-practice technologies.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Development and implementation of technologies and systems that accord with industry standards. Evaluation and monitoring of security of each important third-party partner during initiation of and periodically over the life of its relationship with Media.net.
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Development and implementation of response plans for incidents of concern, which permit investigation, mitigation and notification. Such plans are organized according to security risk and include internal and external messaging protocols.
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Performance of periodic reviews by privacy, security and engineering teams to ensure all measures align with best industry practices.
- Measures for user identification and authorization: Development and implementation of procedures to authenticate and respond to DSARs and to limit systems access to authorized individuals.
- Measures for the protection of data during storage: Rejection of all sensitive data and/or special categories of personal data potentially sourced by App Publisher; pseudonymization and minimization of personal data of data subjects where possible; storage of data only so long as needed and in accordance with agreed-upon timeframes.
- Measures for ensuring physical security of locations at which personal data are processed: Restriction of access to storage facilities on need-to-know basis; implementation of access and security controls in accordance with industry standards; training of all relevant personnel regarding security and protection of data.
- Measures for ensuring system configuration, including default configuration: Implementation of configuration management tools where appropriate.
- Measures for internal IT and IT security governance and management: Appointment of persons responsible for maintaining security management and data protection.
- Measures for certification/assurance of processes and products: Implementation of relevant controls and processes.
- Measures for ensuring data minimisation: Rejection of all sensitive data and/or special categories of personal data potentially sourced by App Publisher; pseudonymization and minimization of personal data of data subjects where possible; storage of data only so long as needed and in accordance with agreed-upon timeframes; limitation to data necessary to perform the Monetization Activities.
- Measures for ensuring limited data retention: Implementation and periodic review of data retention and destruction policies and procedures.
- Measures for ensuring accountability: Implementation and periodic review of data mapping and data protection policies and procedures.
- Measures for allowing data portability and ensuring erasure: Development and implementation of procedures to authenticate and respond to DSARs.