This Data Processing Addendum (“DPA”) only applies to the extent that EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the Agreement, including if (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”) or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Capitalized terms not defined hereunder shall have the meaning ascribed to them in the Agreement to which this DPA is attached.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “Controller“, “Processor“, “Data Subject“, “Personal Data“, “Processing” (and “Process“), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law.
- “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
- “User Data” means any and all end users’ Personal Data Processed through the Interactive Units by Apester, Advertiser or on behalf of Publisher as applicable and subject to the Agreement signed between the parties.
- RELATIONSHIP OF THE PARTIES
- REPRESENTATIONS AND WARRANTIES
The Publisher represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Publisher acknowledges that, taking into account the nature of the Processing, Apester is not in a position to determine whether the Publisher’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data. Apester represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Publisher, solely for the purpose of providing its services and set forth in the Agreement. Notwithstanding the above, in the event required under applicable laws, Apester may Process Personal Data other than as instructed by Publisher, in such event, Apester shall make best efforts to inform the Publisher of such requirement unless prohibited under applicable law.
- PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
- The Publisher represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of Apester obligations under the Agreement, unless agreed in writing by Apester and shared in accordance with applicable Data Protection Law.
- As between the Parties, the Publisher undertakes, accepts and agrees that Apester and the Data Subject do not have a direct relationship. The Publisher shall ensure that it obtains a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process User Data as set out herein.
- RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where the Apester receives a request from a Data Subject or an applicable authority in respect of User Data Processed by Apester, where relevant, Apester will direct the Data Subject or the applicable authority to the Publisher in order to enable the Publisher to respond directly to the Data Subject’s or applicable authority’s request, unless otherwise required under applicable laws. Both Parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
The Publisher acknowledges that Apester may transfer User Data to and otherwise interact with Advertisers or third party data processors (“Sub-Processor”). The Publisher hereby, authorizes Apester to engage and appoint such Sub-Processors to Process User Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Apester may, continue to use those Sub-Processors already engaged by Apester and Apester may, engage an additional or replace an existing Sub-Processor to process Personal Data provided that it provides an applicable notification. Apester shall, where it engages any Sub-Processor impose, through a legally binding contract between Apester and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
- TECHNICAL AND ORGANIZATIONAL MEASURES
Apester has implemented appropriate technical and organizational measures to protect the User Data, as required under Data Protection Law.
- SECURITY INCIDENT
Apester will notify the Publisher upon becoming aware that an actual Security Incident involving the User Data in Apester’s possession or control has occurred, as Apester determines in its sole discretion. Apester’s notification of or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Apester of any fault or liability with respect to the Security Incident. Apester will, in connection with any Security Incident affecting the User Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Publisher and provide the Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
- AUDIT RIGHTS
Apester shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the User Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Apester may object to an auditor appointed by the Publisher in the event Apester reasonably believes, the auditor is not suitably qualified or independent, a competitor of Apester or otherwise manifestly unsuitable (“Objection Notice”). In the event of Objection Notice, Publisher will appoint a different auditor or conduct the Audit itself. Publisher shall bear all expenses related to the Audit and shall avoid causing any damage, injury or disruption to Apester’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Apester immediately.
- DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.