Data Processing Agreement
This DPA only applies to the extent that EU Data Protection Law (as defined below) applies to the Processing of Personal Data under this Agreement, including if (a) the Processing is in the context of the activities of an establishment of either party in the EEA or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.
- “Publisher Data” means any and all data shared between the parties that may include, inter alia, device information, IDs, events, and country level geo location data. The Publisher Data includes, without limitation, data deemed as Personal Data and IDs all as detailed in Schedule 1 attached herein.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the meanings given in EU Data Protection Law.
- “EU Data Protection Law” means the (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “ID” means online identifiers such as IPs, advertising IDs, cookies and agents.
- “Security Incident” means any security breach relating to any Personal Data elements leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data within, Personal Data transmitted, stored or otherwise processed; including without limitation the meaning assigned to it under section 12 of Article 4 of the GDPR.
- RELATIONSHIP OF THE PARTIES
In relation to all Publisher Data, the parties acknowledge that, as between the parties, Publisher is the Controller of Publisher Data, and that the Company, in providing the services is acting as a Processor on behalf of the Controller. The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1.
- REPRESENTATIONS AND WARRANTIES
The Publisher represents and warrants that: (a) its Processing instructions comply with all applicable Data Protection Laws, the Publisher acknowledges that, taking into account the nature of the Processing, the Company is not in a position to determine whether the Publisher’s instructions infringe applicable Data Protection Laws; and (b) the Publisher hereby warrants and represents that as of the Effective Date it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data. The Company represents and warrants it shall process Personal Data, as set forth under Article 28(3) of the GDPR and Schedule 1 attached herein, on behalf of the Publisher, solely for the purpose of providing the service. Notwithstanding the above, in the event required under applicable laws, the Company may Process Personal Data other than as instructed by the Publisher, in such event the Company shall make best efforts to inform the Publisher of such requirement unless prohibited under applicable law.
- RIGHTS OF THE DATA SUBJECT
It is agreed that where either party receives a request from a Data Subject or an applicable authority in respect of Personal Data Controlled or Processed by the other party, where relevant, the party receiving such request will direct the Data Subject or the authority to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request. Each party shall reasonably cooperate and assist the other party in the handling of a Data Subject’s or an authority’s request, to the extent permitted under Data Protection Law.
The Publisher acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Publisher hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company (as detailed in Schedule 2) and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies the Publisher. The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
- TECHNICAL AND SECURITY MEASURES
Each party shall implement appropriate technical and organizational measures to protect the Personal Data and its security, confidentiality and integrity and the Data Subject’s rights, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing the Personal Data, as well as the risk of varying likelihood and severity for the consumer’s rights, in order to ensure a level of security appropriate to that risk, including measures such as access control, auditing, encrypted transmission of data, encrypted storage and physical protections in line with industry best practices, all in accordance with the Data Protection Laws. A description of the technical and organizational measures implemented by Company is available at: http://brightcom.com/security-policy/ (“Security Information Page”). Company may update or modify the Security Information Page from time to time, provided that such updates and modifications will not result in the degradation of the overall security of the Personal Data. Company takes reasonable steps to ensure that its personnel’s access to the Personal Data is limited on a need to know or access basis, and that its personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access or use of the Personal Data.
- SECURITY INCIDENT
The Company will notify Publisher without undue delay upon becoming aware that an actual Security Incident involving the Publisher Data in Company’s possession or control has occurred, as Company determines in its sole discretion. Company’s notification of or response to a Security Incident under this section 3 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident. The Company will, in connection with any Security Incident affecting Publisher Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with Publisher and provide Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) immediately notify Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
- AUDIT RIGHTS
The Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Publisher Data (“Audit”).
The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). The Company may object in writing to an auditor appointed by the Publisher in the event the Company reasonably believes the auditor is not suitably qualified or independent, a competitor of the Company or otherwise manifestly unsuitable (“Objection Notice”). In the event of an Objection Notice, the Publisher will appoint a different auditor or conduct the Audit itself.
The Publisher shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
- DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
Each party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under or in connection with this DPA.
Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
Processing carried out in connection with the provision of the services. The duration shall be for the terms of the Agreement, with an additional period from the expiration of the partnership until deletion of Publisher Data by the Company in accordance with the terms of this DPA.
The nature and purpose of the Processing of Personal Data
To provide the services and display advertisements on Digital Assets.
The types of Personal Data Processed
The categories of Data Subject to whom the Personal Data relates
Users/Data Subject in the EEA.