Advertiser Data Protection Rider
Effective Date of Rider: May 25th, 2018
We refer to the Advertiser Terms located at https://www.inmobi.com/advertiser-terms/ which You have accepted or an applicable insertion order (IO)/agreement, as the case may be, (“Agreement”) to avail InMobi’s advertising services as an advertiser or agency or reseller, whether pursuant to insertion orders or otherwise, (referred as “You” or “Advertiser” or “Agency” or “Reseller” as the context may require). In the event You have signed an IO or paper agreement, the terms below shall be deemed to be part of such IO or paper agreement.
Under the Agreement, you act as a Data Processor on our behalf.
Until 25 May 2018, the Data Protection Act 1998 (the “DPA”) is the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing you carry out on our behalf under the Agreement. The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of personal data. As a result, we wish to add the Data Protection Rider, set out in the schedule attached, to the Agreement with effect from 25 May 2018 (the “Variation Date”). Additionally, due to the implementation of the GDPR, we are required to adhere to new rules relating to the international transfer of personal data. One of the simplest ways to protect the personal data transferred between us is to use the “Model Contract Clauses”, produced by the European Commission, which is incorporated into this Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)”.
In order to make compliance with GDPR as simple and straightforward as possible, we will add this Data Protection Rider to the Agreement. To ensure the Rider fits in with the Agreement, it is important to note that:
1. except as set out in this Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect;
2. in the event of any conflict or inconsistency between this Rider and the terms and conditions of the Agreement, this Rider shall prevail; and
3. to the extent that this Rider does not address project-specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project-specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Rider, the Data Protection Rider, and the GDPR.
This Rider, (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim. Please sign and return the enclosed copy of this Rider to acknowledge your agreement of these terms. If you do not notify us of your disagreement with any of the terms of this Rider, you will be deemed to have accepted it. If you do not accept these terms, we will discontinue any EU user related transactions with You.
DATA PROTECTION RIDER
Parties agree that it is of paramount importance that any Processing of Personal Data is in compliance with Data Protection Laws as applicable to such party at all times in their respective capacity as a Controller or a Processor. Between You and InMobi, InMobi as the Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data as permitted under this Rider. The Controller will notify You of any Data Subject request towards deletion, rectification or opt-out election.
1 DATA PROTECTION
1.1.1 “Controller”, “Data Subject”, “Personal Data”, “Processor” “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
1.1.2 “Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
1.2 Obligations of the Processor:
1.2.1 Paragraphs 1.2.2 – 18.104.22.168 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.
1.2.2 Each party acknowledges that:
22.214.171.124 Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns distributed through Controller:
(1) For attribution, audience verification and fraud detection via trackers, verification partners and affiliate postbacks;
(2) For internal reporting purposes and for reporting to Controller;
126.96.36.199 the processing shall continue, subject to paragraph 2.3.6, for the duration of this agreement;
188.8.131.52 the processing concerns: clicks and impressions data, IP Address, device identifiers, handset model/type, carrier device identifiers, HTTP headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets.
1.2.3 The Processor shall:
184.108.40.206 process the Personal Data only to the extent necessary for the purposes of performing its obligations under the Agreement and otherwise in accordance with the documented instructions of the Controller and applicable laws;
220.127.116.11 not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the The processor shall inform the Controller of such requirement before making the transfer and shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law);
18.104.22.168 ensure that all persons authorized by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
22.214.171.124 have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. If You or your processor are not agreeable to implement Controller’s secure or encrypted transmission mechanisms at your end, You will notify Controller how you would like to obtain the same, and in such a case, You will remain liable during transmission thereof to You or your processor; In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.
126.96.36.199 not engage another Processor of the Personal Data without the prior authorization of the Controller, and where the Processor does engage another Processor, substantially similar obligations to those set out in paragraphs 1.2.2 – 1.2.3 shall be imposed by the Processor on the other Processor in a written contract and the Processor shall remain fully liable to the Controller for the performance of the other Processor’s data protection obligations. Without limiting the generality of the foregoing, You acknowledge and agree that if the Controller is required to share any Personal Data with your trackers or such other third parties including Your advertisers for the purpose of the Agreement, You will remain liable to ensure that such trackers or third parties remain processors to You and will contractually require them to comply with the terms of this Rider and remain liable for their acts or omissions;
188.8.131.52 cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;
184.108.40.206 You shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.
220.127.116.11 If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or deletes the same to honor any Data Subject’s request.
18.104.22.168 make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and allow for the contribution to audits, including inspections, conducted by the Controller of its representative; and
22.214.171.124 at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorized or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences; and
126.96.36.199 indemnify, defend and hold harmless the Controller against all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising from any third party claims, which the Controller may incur or suffer by reason of any breach of this paragraph 1.2.3 by the Processor.
1.2.4 Where the Processor intends to or replace other Processors, it shall first inform the Controller of the intended change, and shall not add or replace such other Processor until the Controller has given its approval to the proposal.
1.2.5 The Processor acknowledges that the Controller is under certain recordkeeping obligations under the Data Protection Legislation, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.
2 MODEL CONTRACT CLAUSES
The Model Contract Clauses require us to set out more detail about what data we are transferring to you and why, as well as how you keep that data secure. We have set this out in the sections below.
2.1 Description of your data processing for us
2.1.1 We are the Data Controller and our contact details are set out in this Rider.
2.1.2 You are the Data Processor and your contact details are also set out in this Rider.
2.1.3 The types of data we are transferring to you or your processors are Personal Data, which does not include special categories of data.
2.1.4 You will be carrying out the tasks in relation to that data as set out in 188.8.131.52.
2.2 Description of your security measures
2.2.1 Restriction of access to data centers, systems and server rooms as necessary to ensure the protection of Personal Data.
2.2.2 Monitoring of unauthorised access.
In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.
2.2.3 Written procedures for employees, contractors, and visitors covering confidentiality and security of information.
2.2.4 Restricting access to systems depending on the sensitivity/criticality of such systems.
2.2.5 Use of password protection where such functionality is available.
2.2.6 Maintaining records of the access granted to which individuals.
2.2.7 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
2.3 Additional Provision
2.3.1 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.