
Data Processing Addendum

Division-D Data Processing Addendum

 

This DATA PROCESSING Addendum (“Addendum”) is expressly incorporated by reference into any and all services agreements, insertion orders and addendums (“Agreement”) currently in place between iii-interactive, LLC dba Division-D (“Media Company”) and Client (as specified in the Agreement). Media Company and Client shall each be referred to herein as a “Party”  and collectively as the “Parties.”

The Parties agree to comply with the following provisions with respect to any Personal Data of data subjects located in a jurisdiction governed by Data Protection Laws in connection with the Addendum. References to the Agreement will be construed as including this Addendum. To the extent that the terms of this Agreement differ from those in the Addendum, the terms of this Addendum shall govern.

1          Definitions


1.1        “Affiliates” means any entity which is controlled by, controls or is in common control with one of the Parties.

1.2        “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Addendum, including but not limited to, as applicable: (a) the GDPR; (b)  The UK General Data Protection Regulation; (c) the Federal Data Protection Act of 19 June 1992 (Switzerland); (d) The Personal Information Protection Act (PIPA) of South Korea; (e) The Act on the Protection of Personal Information (“APPI”) of Japan; (f) the Singapore Personal Data Protection Act; (g) The Australia Privacy Act; (h) The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada; and/or (i) U.S. Privacy Laws and applicable to the Processing of Personal Data under the Agreement.

1.3        “Data Subject” means the individual to whom Personal Data relates.

1.4        “Effective Date” shall have the meaning ascribed to such term in Section 11.

1.5        “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.6         “Security Breach” has the meaning set forth in Section 7 of this Addendum.

1.7        “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Data Protection Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.

1.8        “Sub-processor” means any Data Processor and/or Service Provider engaged by Media Company for the Processing of Personal Data under the Agreement.

1.9        “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR and/or a privacy or consumer protection regulator established under Data Protection Laws.

1.10      “Term” means the period from the Effective Date to the date the Addendum is terminated in accordance with Section 10.1.

1.12      “U.S. Privacy Laws” means any U.S. state or federal privacy or security laws that are in effect during the Term, and which apply to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions.

1.13      The terms “Controller”, “Personal Data”, “Personal Information”, “Processor,” “Processed,” “Processing” and “Service Provider” have the meanings given to them in Data Protection Laws.

2          Processing of Personal Data


2.1        The Parties agree that Client is directing Media Company to provide the services outlined in the Agreement (the “Services”) and as such, Client is determining the purposes and means of the processing of Personal Data under this Addendum as described in Annex I. Media Company’s role as Processor is to engage reputable third-party vendors to Process such Personal Data at the direction of Client as Controller. Media Company shall have written agreements in place with its third-party vendors which require that such vendors process Personal Data in compliance with Data Protection Laws. Both Parties shall keep a record of all Processing activities with respect to Personal Data covered under this Addendum where required under Data Protection Laws.

2.2        Each of the Parties represents and warrants that it understands the rules, restrictions, requirements and definitions of the Data Protection Laws and agrees to adhere to the requirements of the Data Protection Laws that apply to each Party’s processing of Personal Data and/or Personal Information for the Services stated in the Agreement, including, but not limited to: a) having a privacy policy in compliance with Data Protection Laws; and b) providing Data Subjects with a privacy notice, providing opt-out choice and obtaining Data Subject consent where required by Data Protection Laws. Client understands and agrees that any Personal Data provided by Client to Media Company in connection to the Services must have been collected pursuant to a privacy notice that clearly describes the Permitted Purposes outlined below.

2.3        The Business Purpose(s). Any Personal Data Processed in connection with this Addendum is provided only for the following business purpose(s): (a) purchasing advertising slots on websites, mobile applications, social media platforms and other forms of digital media pursuant to Client’s advertising campaigns, (b) engaging third-party vendors and platforms to run Client’s advertising campaigns, (c) providing Client’s Personal Data (i.e., the Provided Data) to onboarding vendors to enable upload of Client data onto social platforms, (d) Processing to comply with other reasonable instructions provided by Client where such instructions are acknowledged by Media Company as consistent with the terms of the Agreement. Either Party may also Process Personal Data other than on the instructions of the other Party if it is mandatory under applicable law to which such Party is subject and will notify the other Party unless the law prohibits such notification. Each of the aforementioned purposes is deemed a “Permitted Purpose” of Personal Data. During the Term of the Agreement, both Parties shall only Process Personal Data it receives in connection with the Services on behalf of and in accordance with the Permitted Purposes as laid out in this Addendum. Both Parties shall cooperate with reasonable requests from the other Party to ensure compliance with Data Protection Laws. Media Company understands and agrees that it shall not sell or share Personal Data except as directed by Client, that Media Company understands and shall abide by these restrictions, and that Media Company shall notify Client promptly should Media Company no longer be able to honor these restrictions.

3          Rights of Data Subjects; Data Deletion


3.1        Each Party is responsible for honoring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) and responding to correspondence, inquiries, and complaints from data subjects. Each Party shall provide reasonable and timely assistance to the other Party as necessary to help facilitate compliance with this Section 3.1. To the extent that Media Company receives a request from a Data Subject that it determines involves Provided Data and/or Personal Data of Client, the Media Company shall notify Client promptly and await Client’s instructions.

4          Division-D Personnel


4.1        Media Company shall ensure that its personnel engaged in the Processing of Personal Data under this Addendum are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such data. Notwithstanding the foregoing, the Parties understand and agree that, except where directed in writing by Client (e.g., receipt of Provided Data and pass-on of data to onboarding vendors or social platforms), Media Company shall not take actual possession of Client Personal Data.

4.2        Media Company will take appropriate steps to ensure compliance with the Security Measures outlined in Annex II by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under this Addendum have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Media Company.

4.3        The Parties shall ensure that access to Personal Data covered under this Addendum is limited to those personnel who require such access to ensure the delivery of the Services.

5          Sub-Processors


5.1        The Parties acknowledge and agree that Media Company may, upon written notice to the other Party, engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only in conjunction with the Services or Permitted Purposes as set forth in the Addendum and are prohibited from using Personal Data for any other purpose. Media Company shall have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor shall include substantially the same data protection obligations as set out in this Addendum.

5.2        A list of Media Company’s Sub-processors (if applicable) is available to Client upon request. Media Company may change the list of such other Sub-processors by no less than 10 business days’ notice. If Client objects to the other Party’s change in such Sub-processors, Client may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to the Media Company.

5.3        Media Company shall be liable for the acts and omissions of its Sub-processors to the same extent that the Media Company would be liable if performing the services of each Sub-processor directly under the terms of this Addendum, except as otherwise set forth in the Agreement.

6          Security; Audit Rights; Privacy Impact Assessments


6.1        Each Party shall maintain, in writing, reasonable security procedures and practices which include administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this Addendum. Media Company will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access as described in Annex II (the “Security Measures”). Client represents and warrants that it has implemented Security Measures that are at least as stringent as those outlined in Annex II. As described in Annex II, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Media Company’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. The Parties may update or modify their Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

6.3        Both Parties will (taking into account the nature of the processing of Personal Data under this Addendum) cooperatively and reasonably assist each other in ensuring compliance with each other’s respective obligations pursuant to Article 35 of the GDPR (covering data protection impact assessments).

7          Security Breach Management and Notification


7.1        If Media Company becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the Media Company’s equipment or facilities under this Addendum (“Security Breach”) which, in the reasonable opinion of that Media Company’s Data Protection Officer, requires such notification, the Media Company will promptly notify the Client of the Security Breach. Notifications made pursuant to this section will take place promptly after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that the Media Company should take to address the Security Breach. Media Company will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the Client as reasonably necessary for both Parties to meet their obligations under Data Protection Laws.

7.2        Both Parties agree that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this Addendum or to any of either Party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

7.3        Notification(s) of Security Breaches, if any, will be delivered to one or more of the other Party’s business, technical or administrative contacts by any reasonable means, including via email. It is each Party’s responsibility to ensure it maintains accurate contact information.

7.4        Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either Party of any fault or liability with respect to the Security Breach.

7.5        Media Company shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organizational measures are subject to technological development, the Media Company is entitled to implement alternative measures provided they are at least as protective as those offered by the Security Measures and they do not fall short of the level of data protection set out by Data Protection Law.

8          Return and Deletion of Personal Data


8.1        Media Company will comply with instructions from Client to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

9          Cross-Border Data Transfers


9.1        The Parties may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area, in addition to various locations outside of the European Economic Area. Media Company’s data storage locations are located in the United States.

9.2        Given that the Services may involve the storage and/or Processing of Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the Parties agree that the EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) (“Standard Contractual Clauses”) will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this Addendum. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Client and Media Company, the Parties agree that: (a) Roles: the Parties agree that Media Company is a “data importer” and Client is the “data exporter” under the Standard Contractual Clauses. (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State; (c) Sub-Processors: the Parties select general written authorization for Sub-processors; (d) Redress: The Parties elect to omit the optional text; (e) the Parties agree to the optional docking clause; and (f) Annex I, II and III are provided at the end of this Addendum as Appendix A and to the extent that there’s a conflict as between the Addendum and the Appendix A, the Appendix A shall govern.

9.3  The Parties further agree that if Transferred Personal Data includes UK Personal Data, and the Data Protection Laws apply to the transfers of such data, both Parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the Parties as described in the Addendum in the form approved by the UK Information Commissioner’s Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) (“UK Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this Addendum. For the purposes of the UK Standard Contractual Clauses, Appendix A of these Terms shall take the place of Annex 1, Annex II and Annex III respectively of the UK Standard Contractual Clauses.

9.4  If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the Parties agree to work in good faith to find an alternative and/or modified transfer mechanism.

10          Liability


10.1      Both Parties agree that their respective liability under this Addendum shall be apportioned according to each Party’s respective responsibility for the harm (if any) caused by each respective Party.

10.2      Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

11          Miscellaneous


11.1      This Addendum will take effect on the date it is executed by Client and Media Company at the bottom of this Addendum (the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all Personal Data by Media Company or Client through the Services as described in this Addendum.

11.2      Nothing in this Addendum shall impact either Party’s intellectual property rights with respect to Personal Data provided by such Party under the Addendum except to the extent required by applicable law.

11.3      Nothing in this Addendum shall confer any benefits or rights on any person or entity other than the Parties to this Addendum.

11.5      Both Parties agree to notify the other Party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this Addendum and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Data Protection Laws that is likely to prevent it from fulfilling its obligations under this Addendum.  If this Addendum, or any actions to be taken or contemplated to be taken in performance of this Addendum, does not or would not satisfy either Party’s obligations under such Data Protection Laws, the Parties will negotiate in good faith an amendment to this Addendum. If such negotiations fail, Client reserves the right to take reasonable and appropriate steps to stop and remediate any non-compliance or unauthorized processing of Personal Data, including by terminating the Agreement without penalty.

Appendix A

ANNEX I

Data Subject to Processing Under This Addendum


Data Subjects


The personal data processed concern the following categories of data subjects:

The data subjects are customers / users of Client and/or visitors / users of websites, mobile applications, CTV, or other forms of media on which Client’s advertising messages are placed pursuant to the Services.

Purposes of transfer(s)


The transfer and other processing activities are made for the following purposes as part of the Services: (a) purchasing advertising slots on websites, mobile applications, social media platforms and other forms of digital media pursuant to Client’s advertising campaigns, (b) engaging third-party vendors and platforms to run Client’s advertising campaigns, (c) providing Client’s Personal Data to onboarding vendors to enable upload of Client data onto social platforms  facilitating User loyalty programs, (d) Processing to comply with other reasonable instructions provided by Client where such instructions are acknowledged by Media Company as consistent with the terms of the Agreement.

Categories of data


The personal data transferred concern the following categories of data:

Contact information: Name, email address for upload onto social platforms and for onboarding (i.e., the Provided Data).

Data on user behavior collected through pixels placed on the Client’s websites, mobile applications and/or digital mediums owned and/or that data processed by third-party adtech vendors and platforms as directed by Client, including cookie IDs, mobile advertising identifiers and other pseudonymous identifiers of the users of the data importer’s websites, mobile applications and/or digital mediums as outlined in the Agreement.

The Parties’ respective billing and contact details as required to fulfill the terms of the Agreement.

Recipients


The personal data transferred may be disclosed only to the following recipients or categories of recipients:

The Parties may transfer data to Sub-processors as well as adtech vendors and social media platforms as directed by Client pursuant to the Services.

Sensitive data (if appropriate)


The personal data transferred concern the following categories of sensitive data:

None.

Processing operations


The personal data transferred will be subject to the following basic processing activities:

The data importer will access, reproduce, display, and store the relevant personal data in order to provide the Services as set out in the Agreement between data importer and data importer (together, the “Parties”). The Parties may further process such Personal Data for the Permitted Purposes outlined above.

Annex II Security Measures


Description of the technical and organizational security measures implemented by Media Company (the “TOMs” and/or “Security Measures”).

 
Media Company shall adopt reasonable security measures to provide any Personal Data it receives under the Agreement. Upon request, Media Company shall provide TOMs or similar documentation for each of its vendors that Process Client’s Personal Data, as agreed upon herein.

 


ANNEX III

List of Sub-Processors


The Client has authorized the use of sub-processors, and the Media Company shall make such list available to Client upon request.

 
