Advertiser Data Protection Rider
Effective Date of Rider: May 25th, 2018
We refer to the agreement between You (in the capacity of an “advertiser” or “agency” or “reseller” or “demand partner” as the context may require and also referred to as “you”) and InMobi Pte Ltd or any of its affiliates (“InMobi” or “we” or “us”) dated _________(the “Agreement”).
We refer to the Advertiser Terms as located at https://www.inmobi.com/advertiser-terms/ (“Agreement”) which you have accepted as an advertiser or agency or reseller, whether pursuant to insertion orders or otherwise, (referred as “advertiser” or “agency” or “reseller” as the context may require).
This Rider is incorporated into the Agreement and is made and entered into as of the Effective Date. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
Until 25 May 2018, the Data Protection Act 1998 (the “DPA”) was the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing a party carries out on the other party’s behalf under the Agreement. The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of personal data. As a result we wish to add the Data Protection Rider, set out in the schedule attached, to the Agreement with effect from the date stated on the top of this Rider (the “Variation Date”). Additionally, due to the implementation of the GDPR, we are required to adhere to new rules relating to the international transfer of personal data. One of the simplest ways to protect the personal data transferred between you and us is to use the “Model Contract Clauses”, produced by the European Commission, which are incorporated into this Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)” located here
In order to make compliance with the GDPR as simple and straightforward as possible, we will add this Rider to the Agreement. To ensure the Rider fits in with the Agreement, it is important to note that:
- except as set out in this Rider, the Agreement and any other agreements already in place between you and us shall continue in full force and effect;
- in the event of any conflict or inconsistency between this Rider, the Model Contract Clauses and the remaining terms and conditions of the Agreement, the order of precedence shall be the Model Contract Clauses, this Rider and then the rest of the Agreement; an
- to the extent that this Rider does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Rider and the GDPR.
This Rider, (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim.
DATA PROTECTION RIDER
Parties agree that it is of paramount importance that any Processing of Personal Data is in compliance with Data Protection Laws as applicable to such party at all times in their respective capacity as a Controller or a Processor. To the extent a party is sharing Personal Data (each a “Controller”) with the other party (each a “Processor”), the former as the Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data as permitted under this Rider. The Controller will notify the Processor of any Data Subject request towards deletion, rectification or opt-out election, which the Processor will facilitate without undue delay.
1 DATA PROTECTION
1.1.1 “Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
1.1.2 “Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
1.2 Obligations of the Processor:
1.2.1 Paragraphs 1.2.2 – 1.2.4 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.
1.2.2 Each party acknowledges that:
18.104.22.168 Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns distributed through Controller:
(1) for attribution, real-time-bidding, audience verification and fraud detection via trackers, verification partners and affiliate postbacks;
(2) for internal reporting purposes and for reporting to Controller;
(3) Where InMobi is the Processor, the permitted purpose shall also include, targeted advertising and optimization of campaigns.
22.214.171.124 the processing shall continue, subject to paragraph 126.96.36.199, for the duration of the Rider; and
188.8.131.52 the processing concerns: clicks and impressions data, IP Address, device identifiers, handset model/type, carrier device identifiers, http headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets as are agreed in writing between the parties from time to time.
1.2.3 The Processor shall:
184.108.40.206 Process the Personal Data only to the extent necessary for the purposes of performing its obligations under the Agreement and otherwise in accordance with the documented instructions of the Controller and applicable laws;
220.127.116.11 not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the Processor shall inform the Controller of such requirement before making the transfer and shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law);
18.104.22.168 ensure that all persons authorised by it to Process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
22.214.171.124 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. If the Processor or its other Processors are not able to implement Controller’s secure or encrypted transmission mechanisms in connection with the Personal Data, the Processor shall notify the Controller as to how it will implement equivalent measures and in such a case, Processor shall remain liable for the use of such measures;
126.96.36.199 where the Processor engages another Processor, substantially similar obligations to those set out in paragraphs 1.2.2 – 1.2.4 shall be imposed by the Processor on the other Processor in a written contract, and the Processor shall remain fully liable to the Controller for the performance of the other Processor’s data protection obligations. The permitted categories of sub-Processors are set out under Exhibit A. Without limiting the generality of the foregoing, You acknowledge and agree that if the Controller is required to share any Personal Data with your trackers or such other third parties including Your advertisers for the purpose of the Agreement, You will remain liable to ensure that such trackers or third parties remain processors to You and will contractually require them to comply with substantially similar obligations to the terms of this Rider and remain liable for their acts or omissions;
188.8.131.52 cease processing the Personal Data immediately upon the termination or expiry of th
is Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;
184.108.40.206 not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes;
220.127.116.11 if requested by Controller, without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same to honour any Data Subject’s request;
18.104.22.168 make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and allow for contribution to audits, including inspections, conducted by the Controller of its representative;
22.214.171.124 at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorised or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences.
1.2.4 The Processor acknowledges that the Controller is under certain record keeping obligations under the Data Protection Legislation, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.
2.1.1 Each party shall indemnify and defend the other party against all loss, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims, which a party may incur or suffer due to a breach of applicable Data Protection Laws by the other party. EXCEPT IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS (SECTION 2.1.1) HEREUNDER IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOST PROFITS, INDIRET OR CONSEQUENTIAL DAMAGES AND EACH PARTY’S TOTAL AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ALL CLAIMS ARISING UNDER OR IN CONNECTION WITH THIS RIDER EXCEED US$100,000. THE LIMITATIONS OF THIS SECTION SHALL APPLY EVEN IF EITHER OR BOTH PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
3 MODEL CONTRACT CLAUSES
The Model Contract Clauses require us to set out more detail about what data a Controller is transferring to the Processor and why, as well as how the Processor must keep that data secure. The Controller has set this out in the sections below.
3.1 Description of data processing
3.1.1 The respective contact details of each party are set out in this Rider.
3.1.2 The types of data are Personal Data, which does not include special categories of data.
3.1.3 Processor will be carrying out the tasks in relation to that data as set out in paragraph 126.96.36.199.
3.2 Description of Processor’s security measures
3.2.1 Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.
3.2.2 Monitoring of unauthorised access.
3.2.3 Written procedures for employees, contractors and visitors covering confidentiality and security of information.
3.2.4 Restricting access to systems depending on the sensitivity/criticality of such systems.
3.2.5 Use of password protection where such functionality is available.
3.2.6 Maintaining records of the access granted to which individuals.
3.2.7 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
3.3 Additional Provision
3.3.1 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
3.3.2 Although the parties have taken the approach set out in this Rider, the parties acknowledge that the applicable Data Protection Legislation(s) ultimately determines status with respect to each party. In the event any regulatory body identifies the parties each as controllers of the relevant personal data (whether on a “joint” or “in-common” basis) under applicable Data Protection legislation, each party shall:
(i) ensure that it has a legal basis (also referred to as a “processing condition” in the applicable Data Protection Legislation) to process the relevant personal data;
(ii) ensure that their privacy notices are clear and provide sufficient information to data subjects to enable them to understand what aspects of their personal data will be shared/received, as well as the circumstances in which such sharing will take place; and
(iii) provide reasonable assistance to each other to enable them to facilitate data subjects exercising their rights under the applicable Data Protection Legislation.
The pre-approved categories of sub-Processors are: (a) trackers for attribution and fraud detection, (b) agencies or advertisers, (c) data partners and (d) affiliates.