Advertiser Data Protection Rider

Effective Date of Rider: September 2021
We refer to (as applicable to you):
(a)
the agreement between you in your capacity as an advertiser, demand partner, agency or demand reseller ("Advertiser") and InMobi Pte Ltd or any of its affiliates ("InMobi"); or
(b)
the Advertiser Terms located at www.inmobi.com/advertiser-terms which you have accepted, whether pursuant to insertion orders or otherwise,
(each, the "Agreement").
The Rider takes account of changes brought in by the Data Protection Legislation (defined below) including the Standard Contractual Clauses.
1.
Terms
1.1.
The Rider is incorporated into the Agreement and is made and entered into as of the Effective Date.
1.2.
Except as set out in the Rider, the Agreement and any other agreements already in place between InMobi and the Advertiser shall continue in full force and effect.
1.3.
In the event of any conflict or inconsistency between the Agreement, the Rider and the Standard Contractual Clauses, the following order of priority shall apply: (i) the Standard Contractual Clauses; (ii) the Rider; and (iii) the Agreement.
1.4.
To the extent that the Rider does not address specific data processing activities carried out between the parties, the terms of the Agreement shall apply, save that they shall be interpreted to give full effect to the provisions of the Rider.
1.5.
Any capitalised terms not defined herein shall have the respective meanings given to them in the Agreement.
1.6.
The Rider and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a "Claim") shall be governed by and interpreted in accordance with the laws of Ireland. The parties irrevocably agree that the courts of Ireland have exclusive jurisdiction to settle any Claim.
2.
Definitions
2.1.
"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Process / Processing" and "Supervisory Authority" shall each have the meanings given in the Data Protection Legislation.
2.2.
"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and EU, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
2.3.
"Permitted Purpose" means, for:
2.3.1.
targeted advertising and optimization of campaigns;
2.3.2.
attribution, real-time-bidding, audience verification and fraud detection via trackers, verification partners and affiliate post-backs;
2.3.3.
internal reporting purposes; and / or
2.3.4.
for InMobi’s data analytics in connection with optimization of campaigns.
3.
Status of the Parties
3.1.
The parties agree to act at all times in compliance with the Data Protection Legislation.
3.2.
The parties acknowledge and agree that for the purposes of the Data Protection Legislation:
3.2.1.
In circumstances where InMobi shares Personal Data with the Advertiser, it is the parties’ intent that InMobi will be the Controller and the Advertiser will be the Processor; and
3.2.2.
in circumstances where the Advertiser shares Personal Data with InMobi, it is the parties’ intent that InMobi will be the Processor and the Advertiser will be the Controller.
3.3.
Although the parties have taken the approach set out in this Rider, the parties acknowledge that the applicable Data Protection Legislation(s) ultimately determines status with respect to each party. In the event (a) any regulatory body identifies the parties each as controllers of the relevant personal data under applicable Data Protection legislation, each party shall:
3.3.1.
ensure that it has a lawful basis to process the relevant personal data;
3.3.2.
ensure that their privacy notices are clear and provide sufficient information to data subjects to enable them to understand what aspects of their personal data will be shared/received, as well as the circumstances in which such sharing will take place; and
3.3.3.
provide reasonable assistance to each other to enable them to facilitate data subjects exercising their rights under the applicable Data Protection Legislation.
4.
Controller's Obligations
Controller agrees to:
4.1.
obtain the appropriate consents for the Processing of Personal Data and ensure that clear and sufficient information to the Data Subjects is provided, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation
5.
Processor's Obligations
Processor agrees to:
5.1.
process the Personal Data only for the Permitted Purpose and on Controller's written instructions. Processor will immediately notify Controller if, in its opinion, Controller's instructions would not comply with the Data Protection Legislation;
5.2.
promptly comply with any request or instruction from Controller requiring Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing;
5.3.
maintain the confidentiality of all Personal Data and not disclose Personal Data to third parties unless Controller or this Rider specifically authorises the disclosure, or as required by law;
5.4.
if a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor will first use reasonable endeavours to inform Controller of the legal or regulatory requirement and give Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice;
5.5.
reasonably assist Controller with meeting Controller's compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation;
5.6.
promptly notify Controller of any changes to Data Protection Legislation that may adversely affect the Processor's performance of the services under the Agreement; and
5.7.
ensure that any and all employees:
5.7.1.
are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
5.7.2.
have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
5.7.3.
are aware both of the Processor's duties and their personal duties and obligations under the Data Protection Legislation and this Rider.
6.
Security
6.1.
Each party will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Annex.
6.2.
If the Advertiser is not able to implement InMobi's secure or encrypted transmission mechanisms in connection with the Personal Data, the Advertiser shall notify InMobi as to how it will implement equivalent measures and in such a case, Advertiser shall remain liable for the use of such measures.
6.3.
Processor will maintain an up-to-date written record of Processor's then-current security measures, which Processor shall provide to Controller on request, and review at least on an annual basis to ensure they remain current and complete.
6.4.
Processor will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.4.1.
the encryption of Personal Data or equivalent measures;
6.4.2.
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.4.3.
the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.4.4.
a process for regularly testing, assessing and evaluating the effectiveness of security measures.
7.
Data Breach
7.1.
The parties shall each comply with their obligations to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject.
7.2.
The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
7.3.
Processor will promptly and without undue delay notify Controller if any of Controller's Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Processor will restore such Personal Data at Processor's own expense.
7.4.
Processor will without undue delay notify Controller if Processor becomes aware of:
7.4.1.
any accidental, unauthorised or unlawful processing of Controller's Personal Data; or
7.4.2.
any Personal Data Breach relating to Controller's Personal Data.
7.5.
Where Processor becomes aware of an event within the scope of clause 7.4, Processor shall, without undue delay, also provide Controller with the following information:
7.5.1.
a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
7.5.2.
the likely consequences of the event; and
7.5.3.
a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
7.6.
Immediately following any unauthorised or unlawful Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Processor will reasonably co-operate with Controller in Controller's handling of the matter, including:
7.6.1.
assisting with any investigation;
7.6.2.
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Controller; and
7.6.3.
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Processing.
7.7.
Processor will not inform any third party of any Personal Data Breach without first obtaining Controller's prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
7.8.
Subject to clause 7.7 Controller has the sole right to determine:
7.8.1.
whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Controller's discretion, including the contents and delivery method of the notice; and
7.8.2.
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
8.
Cross-Border Transfers of Personal Data
8.1.
If an adequate protection measure for the international transfer of Personal Data is required under the Data Protection Legislation (and has not otherwise been arranged by the parties) the Annex shall apply.
8.2.
If applicable, Controller consents to Processor (and its sub-processors) transferring Personal Data outside the UK and the European Economic Area (EEA) ("GDPR Territories"). Provided that where such processing occurs, Processor:
8.2.1.
is Processing Personal Data in a territory which is subject to a current finding by the UK's Information Commissioner's Office and/or the European Commission (as applicable) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
8.2.2.
participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Processor (and, where appropriate, Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation; or
8.2.3.
otherwise ensures that the transfer complies with the Data Protection Legislation.
8.3.
In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this Rider, the parties have identified in the Annex the relevant transfer mechanism.
9.
Sub-Processors
9.1.
If applicable, Processor may only authorise a sub-processor to process the Personal Data if:
9.1.1.
the sub-processor falls within the permitted categories of sub-processor in the Annex or Controller otherwise provides written consent prior to the appointment of a sub-processor;
9.1.2.
Processor enters into a written contract with the sub-processor that contains terms substantially the same to those set out in this Rider, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Controller's written request and at Processor's expense, provide Controller with copies of such contracts; and
9.1.3.
Processor maintains control over all Personal Data Processor entrusts to the sub-processor.
9.2.
The permitted categories of sub-processors approved as at the Effective Date are set out in the Annex.
9.3.
Advertiser acknowledges and agrees that if InMobi is required to share any Personal Data with sub-processors including Advertiser's trackers or third-party advertisers for the purpose of the Agreement, Advertiser will remain liable to ensure that such sub-processors / trackers comply with substantially similar obligations to the terms of this Rider and remain liable for their acts or omissions. Where the sub-processor fails to fulfil its obligations under such written agreement, Advertiser remains fully liable to InMobi for the sub-processor’s performance of its obligations.
9.4.
On Controller's written request, Processor will audit a sub-processor's compliance with its obligations regarding the Personal Data and provide Controller with the audit results. Where Controller concludes reasonably that the sub-processor is in default of its obligations regarding the Personal Data, Controller may in writing instruct Processor to instruct the sub-processor to remedy such deficiencies within five (5) working days.
10.
Complaints, Data Subject Requests and Third-Party Rights
10.1.
The parties will take such technical and organisational measures as may be appropriate to comply with:
10.1.1.
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
10.1.2.
information or assessment notices served on either party by any Supervisory Authority under the Data Protection Legislation.
10.2.
In the event of a dispute or claim brought by a Data Subject, the Information Commissioner or a Supervisory Authority concerning the processing of Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
10.3.
Processor will notify Controller without undue delay if Processor receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
10.4.
The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Data Subject rights requests within the time limits imposed by the Data Protection Legislation.
10.5.
Processor will not disclose the Personal Data to any Data Subject or to a third party other than at Controller's request or instruction, as provided for in this Rider or as required by law.
10.6.
Each party shall abide by a decision of a competent court of the other party's country of establishment or of the Information Commissioner or a Supervisory Authority.
11.
Liability
Each party shall indemnify and defend the other party against all loss, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims, which a party may incur or suffer due to a breach of applicable Data Protection Laws by the other party. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOST PROFITS, INCIDENTAL, PUNITIVE, INDIRECT OR CONSEQUENTIAL DAMAGES. EXCEPT IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS SET OUT UNDER SECTION 11 HEREIN FOR WHICH THE AGGREGATE LIABILITY OF A PARTY SHALL NOT EXCEED USD ONE MILLION ($ 1,000,000), EACH PARTY’S TOTAL AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ALL CLAIMS ARISING UNDER OR IN CONNECTION WITH THIS RIDER SHALL NOT EXCEED USD FIFTY THOUSAND ($50,000). THE LIMITATIONS OF THIS SECTION SHALL APPLY EVEN IF EITHER OR BOTH PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
Term and Termination
11.1.
This Rider will remain in full force and effect for so long as either party retains any of the other's Personal Data related to the Agreement in its possession or control.
11.2.
Any provision of this Rider that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
11.3.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Agreement, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.
12.
Data Return and Destruction
12.1.
At Controller's request, Processor will give Controller a copy of or access to all or part of Controller Personal Data in Processor's possession or control in a commonly accessible and electronic format determined by Controller.
12.2.
On termination of the Agreement for any reason or expiry of its term, Processor will promptly securely delete or destroy or, if directed in writing by Controller, return and not retain, all or any Personal Data related to this Rider in Processor's possession or control. This requirement shall not apply to Personal Data which Processor has archived on Processor's backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Processor using those backups to restore Processor's systems).
12.3.
Clause 13.2 shall not apply to the extent any law, regulation, or government or regulatory body requires Processor to retain any documents or materials that Processor would otherwise be required to return or destroy.
13.
Records
Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data Processor carries out for Controller ("Records") and provide Controller with copies of the Records upon request.
14.
Audit
14.1.
Processor will permit Controller and its third-party representatives to audit Processor's compliance with Processor's obligations, on at least 5 working days' written notice, during the term of the Agreement.
14.2.
Processor will give Controller and its third-party representatives all necessary assistance to conduct such audits at no additional cost to Controller. The assistance may include, but is not limited to:
14.2.1.
physical access to, remote electronic access to, and copies of the Records and any other information held at Processor's premises or on systems storing the Personal Data;
14.2.2.
access to and meetings with any of Processor's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
14.2.3.
inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
14.3.
The notice requirements in clause 15.1 will not apply if Controller reasonably believes that a Personal Data Breach has occurred or is occurring, or Processor is in material breach of any of Processor's obligations under the Agreement, the Rider or the Data Protection Legislation.
14.4.
On Controller's written request, Processor will exercise any relevant audit rights it has in connection with any sub-processors’ compliance with their obligations regarding Controller's Personal Data, and provide Controller with a summary of the audit results.
14.5.
Nothing in this Rider shall prevent or is intended to undermine the rights and powers granted to Data Subjects or supervisory authorities, and accordingly Processor shall submit to any audits required by a supervisory authority or under Data Protection Legislation.
If you do not accept these terms, we may discontinue any UK or EEA user related transactions with You. Additionally, please do not share any UK or EEA user data with us unless agreed otherwise.
ANNEX

INTERNATIONAL DATA TRANSFERS (UK AND EU)
1.
INCORPORATION OF UK AND EU STANDARD CONTRACTUAL CLAUSES
1.1.
To the extent this Annex relates to transfers of Personal Data subject to the UK GDPR:
1.1.1
paragraphs 1.2, 1.3 and 3 of this Annex apply, and override any conflicting provision set out elsewhere in this Annex; and
1.1.2
paragraph 1 of this Annex does not apply.
1.2.
This Annex shall be read and interpreted in the light of the provisions of applicable data protection laws in the United Kingdom, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR.
1.3.
To the extent the processing of personal data is subject to the UK GDPR and an international transfer mechanism is required under the UK GDPR relating to the parties' transfer of personal data:
1.3.1
in their capacity as controllers, the standard contractual clauses for the transfer of personal data to controllers established in third countries pursuant to European Commission Decision 2004/915/EC of 27 December 2004, subject to the Modifications and without any optional or illustrative clauses are incorporated into this Annex as if they had been set out in full, with the processing particulars set out in paragraph 3 of this Annex;
1.3.2
where the exporter of data is a controller and the importer is a processor, the standard contractual clauses for the transfer of data to processors established in third countries pursuant to European Commission Decision 2010/87/EU of 5 February 2010, subject to the Modifications and without any optional or illustrative clauses are incorporated into this Annex as if they had been set out in full with the processing particulars set out in paragraph 3 of this Annex; and
1.3.3
for the purposes of this paragraph 1.3 the "Modifications" means: the modifications made by the UK's Information Commissioner to the standard contractual clauses. Such modifications being: (i) general references to Supervisory Authority and similar (such as relevant authorities of the Member State) shall be changed to Commissioner; (ii) general references to member state law and member state courts shall be changed to applicable data protection law (being the UK GDPR and the UK's Data Protection Act 2018) and UK courts respectively; (iii) general references to Directive 95/46/EC shall be changed to the UK GDPR; (iv) general references to adequacy and specific section references to Article 25(1) or Directive 95/46/EC shall be changed to UK adequacy regulations and Section 17A of the Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018; (v) references to Member State or European Economic Area shall be changed to UK; and (vi) the variation provisions shall be deemed to include the following: the parties are not precluded from modifying the Clauses where permitted by Paragraphs 7(3) and (4) of Schedule 21 of the Data Protection Act 2018. The modified standard contractual clauses are referred to as the "UK SCCs".
1.4.
To the extent this Annex relates to transfers of Personal Data to which the GDPR applies:
1.4.1
module 1 of the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 EU SCCs (the "2021 EU SCCs"), and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where the exporter is a controller, the importer is also a controller and the transfer requires such additional protection;
1.4.2
module 2 of the 2021 EU SCCs and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where the InMobi is the exporter acting as a controller, Advertiser is the importer acting as a processor, and the transfer requires such additional protection;
1.4.3
module 4 of the 2021 EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where Advertiser is the exporter acting as a controller, InMobi is the importer acting as a processor, and the transfer requires such additional protection; and
1.4.4
paragraphs 1.2 and 1.3 of this Annex do not apply.
2.
CLARIFICATIONS TO THE 2021 EU SCCS
2.1.
Module 1 clarifications. To the extent Module 1 of the 2021 EU SCCs applies as determined by paragraph 1.4.1 of this Annex, for the purposes of:
2.1.1
clause 8.2 of the 2021 EU SCCs and to enable data subjects to effectively exercise their rights, the parties have agreed that the exporter shall inform data subjects of the information required and;
2.1.2
clause 8.3 the parties hereby agree that the data exporter shall be primarily responsible for ensuring that personal data is accurate and, where necessary, kept up to date. The data exporter shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
2.2.
Module 2 clarifications. Paragraphs 2.3 – 2.9 of this Annex apply to the extent module 2 of the 2021 EU SCCs applies.
2.3.
Deletion of data. For the purposes of clause 8.5 of the 2021 EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the Importer shall delete all personal data and shall certify to the Exporter that it has done so, if requested to provide such certification by the Exporter in writing.
2.4.
Auditing. The parties acknowledge that the Importer complies with its obligations under clause 8.9 of the 2021 EU SCCs (Section II to the Standard Contractual Clauses (Documentation and compliance)) by exercising its contractual audit rights it has agreed with its sub-processors.
2.5.
Sub-Processors. For the purposes of clause 9 of the 2021 EU SCCs (Section II to the Standard Contractual Clauses (Use of sub-processors)), the parties agree that the process for appointing sub-Processors set out in clause 9 applies.
2.6.
International Transfer Assessments. For the purposes of clause 14(c) of the 2021 EU SCCs (Local laws and practices affecting compliance with the Clauses)) the data exporter has been provided with a transfer impact assessment by the data importer which the data exporter accepts as sufficient to fulfil the data importer's obligations pursuant to clause 14(c) and 14(a). The Exporter acknowledges that it has been provided with the security measures applied to the personal data and approves such measures as being in compliance with these Clauses.
2.7.
Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the 2021 EU SCCs (Section III to the Standard Contractual Clauses (Local laws and practices affecting compliance with the Clauses)) the parties agree that "best efforts" and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2.8.
Competent Supervisory Authority. For the purposes of clause 13 of the 2021 EU SCCs, the Competent Supervisory Authority shall be:
2.8.1
if the data exporter is established in the EU: The Irish Data Protection Commissioner;
2.8.2
where the data exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) regulation (EU) 2016/679, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent supervisory authority; and
2.8.3
where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) but has not appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: the data exporter shall notify the data importer of its chosen competent supervisory authority, which must be the supervisory authority of a Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
2.9.
Governing Law & jurisdiction. For the purposes of clauses 17 and 18 of the 2021 EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for 3rd party rights, the law of Ireland shall apply.
2.10.
Module 4 clarifications. To the extent module 4 of the 2021 EU SCCs applies as determined by paragraph 1.4.4 of this Annex: (i) paragraphs 4.1 and 4.2 of this Annex shall be modified to reflect that the exporter is a processor and the importer is a controller; (ii) for the purposes of clause 8.1(d) of the 2021 EU SCCs, at the end of the provision of the processing services the importer shall delete all personal data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing; and for the purposes of clauses 17 and 18 of the 2021 EU SCCs, the laws and courts of Ireland will apply.
3.
APPENDICES AND ANNEXURES TO THE SCCS
3.1.
The processing details required by the UK SCCs and the 2021 EU SCCs are set out in paragraph 4:
3.1.1
the details required for Appendix 1 of the UK SCCs are set out at paragraphs 4 – 4.5 and 4.7 and each party shall act as a Controller or Processor based on the circumstances outlined at paragraph 3.2;
3.1.2
the details required for Appendix 2 of the UK SCCs are set out at paragraph 4.12 and the illustrative indemnity and commercial clauses are deleted;
3.1.3
the details required at Annex 1.A of the 2021 EU SCCs is set out at paragraphs 4 – 4.2;
3.1.4
the details required at Annex 1.B of the 2021 EU SCCs is set out at paragraph 4.3 – 4.10; and
3.1.5
the details required at Annex 1.C of the 2021 EU SCCs is set out a paragraph 2.8; and
3.1.6
the details required at Annex 2 of the 2021 EU SCCs is set out at paragraph 4.10.
4.
PROCESSING PARTICULARS FOR THE UK AND EU SCCS
The Parties
4.1.
Exporter: as determined by paragraph 3 of this Rider.
4.2.
Importer: as determined by paragraph 3 of this Rider.
Description Of Data Processing
4.3.
Categories of data subjects: Users who interact with ad campaigns
4.4.
Categories of personal data (that may be transferred): Clicks and impressions data, IP address, location, device identifiers, handset model/type, carrier device identifiers, http headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets as are agreed in writing between the parties from time to time.
4.5.
Sensitive data transferred: None.
4.6.
Frequency of the transfer: Continuous transfers.
4.7.
Nature of the processing: As set out in the Permitted Purpose.
4.8.
Purpose of the processing: For the Permitted Purpose.
4.9.
Duration of the processing: For the term of the Agreement.
4.10.
Sub-Processor Transfers: Yes, for the purpose of the Agreement and Permitted Purpose
4.11.
Competent Supervisory Authority: As set out in paragraph 2.8.
4.12.
Technical and Organisational Measures:
4.12.1.
Restriction of access to buildings, data centres, systems and server rooms.
4.12.2.
Monitoring of unauthorised access.
4.12.3.
Written procedures for employees, contractors and visitors covering confidentiality and security of information.
4.12.4.
Restricting access to systems depending on the sensitivity/criticality of such systems.
4.12.5.
Use of password protection where such functionality is available.
4.12.6.
Maintaining records of the access granted to which individuals.
4.12.7.
Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
Permitted categories of sub-processors
Trackers for attribution and fraud detection
Agencies, DSPs or Advertisers
Additional permitted categories of sub-processors for InMobi
Infrastructure / data partners
Affiliates