Affiliate Promotion Property: Demand - Data Protection Rider
Effective Date of Rider: May 25, 2018
Contractual Changes Required by the GDPR
We refer to the agreement or Insertion Order between You (in the capacity of an “Advertiser” or “Agency” or “Reseller” as the context may require) and InMobi Pte. Ltd or any of its affiliates (“ InMobi”) [dated [ ________________*] (the "Agreement"). [ This is ONLY for Paper contracts ]
We refer to the Advertiser Terms as located at https://www.inmobi.com/advertiser-terms/ (“Agreement”) which they have accepted to promote your advertisements on InMobi’s Affiliate Promotion Property (as defined under the Agreement) as an advertiser or agency or reseller, whether pursuant to insertion orders or otherwise, (referred as “Advertiser” or “Agency” or “Reseller” as the context may require).
This GDPR Rider(“ Addendum”) is incorporated into the Agreement and is made and entered into as of the Effective Date. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
Relationship of the parties: In connection with all data and information provided by a party to the other party in the course of doing business under the Agreement, the parties agree that with regard to the Processing of Personal Data (as defined below), the party sharing Personal Data is a Data Provider and the other party is the Data Receiver . In the event You elect to be identified as a Data Controller, You as the Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data by InMobi as a Processor to You as permitted under this Addendum. You as the Controller will notify Us of any Data Subject requests including requests towards deletion, rectification or opt-out election. Further, in connection with all data and information provided by InMobi to You in the course of doing business under the Agreement, the parties agree that with regard to the Processing of Personal Data (as defined below), InMobi is a Data Processor (to its supply or publisher partners) and You are a Sub-processor.
Each party hereby represents and warrants to adhere to the terms of this Addendum. Although the parties have taken the foregoing approach, the parties acknowledge that the applicable Data Protection Law(s) ultimately determines status with respect to each party. In the event any regulatory body identifies the parties each as Data Controllers of the relevant Personal Data it provides or obtains hereunder under applicable Data Protection Laws, section 2.2 of this Addendum shall apply only to the extent that the parties are both Data Controllers/ In the event any regulatory body identifies a party as a Data Controller of the relevant Personal Data it is sharing under this Addendum under applicable Data Protection Laws, such a party will comply with the terms of Section 2.2 while the other party will comply with Section 4 as a Data Processor.
The parties agree that the following terms shall be defined as follows in connection with this Addendum:
a. “ Data Controller” has the meaning given to such term under Data Protection Laws.
b. “ Data Processor” has the meaning given to such term under Data Protection Laws.
c. “ Data Protection Laws” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
d. “ Data Subject” has the meaning given to such term under Data Protection Laws.
e. “ Personal Data” has the meaning given to such term under Data Protection Laws. The types of Personal Data and categories of Data Subjects Processed under this Addendum are set forth in Section 2.
f. “ Processing” has the meaning given to such term under Data Protection Laws. “Process”, “Processes” and “Processed” shall have the same meaning.
g.“ Sub-processor” means any Data Processor engaged by the Data Processor as another Data Processor.
h.“ Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
2. 1 DATA PROCESSING COMPLIANCE. Each party shall comply with all Data Protection Laws which apply to it inconnection with the Agreement. The Data Controller will have the responsibility to ensure that there is appropriate legal basis including consents for Processing of Personal Data by the other party as a Data Processor/Sub-processor as permitted under this Addendum. To the extent that any party Processes any Personal Data that is either:
a) Controlled by a party; or
b) Controlled by another party in relation to this Addendum; or
c) Processed by another party on behalf of a third party Controller it shall comply with the obligations as set out in clause 2.1 of this Addendum.
Each party shall notify the other of an individual within its organization authorized to respond from time to time to inquiries regarding any Personal Data and shall address such inquiries promptly. If either party believes or becomes aware that any of other party’s instructions conflict with any Data Protection Laws, it shall promptly inform the other party at firstname.lastname@example.org in the case of InMobi and [ _________________ ] in the case of the Advertiser/Agency/Reseller , or such other contact as provided by each party to the other. The contact information of each party is as set forth below:
InMobi Contact: 30 Cecil Street, 19-08 Prudential Towers, Singapore 049712 with a copy to email@example.com.
- Types of Personal Data that may be transferred from the Data Provider to the Data Receiver: impression data, IP Address, demographic data, device identifiers, latitude/longitude information, handset model/type, carrier device identifiers, http headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID).
- Categories of Data Subjects: The Personal Data transferred concerns end users of advertising placements, who are deemed Data Subjects.
- Duration of the Processing: will be until the earliest of: (i) the effective date of termination of the Agreement; (ii) the date upon which Processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable); (iii) Data Provider’s written request; or (iv) Data Subject’s request.
- Nature and purpose of the Processing: to Process data in accordance with the Agreement, to optimize campaigns under the Agreement, relevant/optimised targeting, attribution, audience verification and fraud detection, verification of partners, internal reporting and to comply with other reasonable written instructions provided by the Data Provider where such instructions are consistent with the terms of the Agreement.
2.2 In the event You elect to be identified as a Data Controller, You:
- will ensure that You have a legal basis (also referred to as a “processing condition” in the applicable Data Protection Law) to Process the relevant Personal Data;
- ensure that Your privacy notice is clear and provide sufficient information to Data Subjects to enable them to understand what aspects of their Personal Data will be shared/received, as well as the circumstances in which such sharing will take place; and
- provide reasonable assistance to the other party to enable them to facilitate Data Subjects exercising their rights under the applicable Data Protection Laws.
3.GENERAL. Each party represents and warrants to the other party that (a) the person executing this Addendum on its behalf has the legal authority to bind such party; and (b) it has right, power, and authority to (i) enter into this Addendum, (ii) make the representations and warranties contained herein.
In no event shall a party be liable for any consequential, incidental, indirect, punitive, special or other similar damages and any loss of profits, loss of revenue, loss of use, whether under tort, contract or other theories of recovery, even if it has been aware or advised of the possibility of such damages. The cumulative liability of a party for all claims relating to this Addendum, regardless of the form of action, shall not exceed 50,000 USD.
A Data Receiver shall:
- Process the Personal Data in furtherance of their obligations under the Agreement and otherwise in accordance with applicable laws specifically Data Protection Laws;
- not Process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses or substantially similar obligation in accordance with applicable law. If such a party is required by applicable laws to transfer the Personal Data outside of the European Economic Area, it shall execute appropriate documentation as required under Data Protection Legislation;
- ensure that all persons authorised by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
- have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access. If the Data Receiver or its processor are not agreeable to implement the Data Controller’s ’s secure or encrypted transmission mechanisms at their end, the Data Receiver will remain liable during transmission thereof to the Data Receiver or its processor.
- In the event We are the Data Processor and You are the Sub-processor, You will not engage another Sub-processor unless the Sub-processor executes substantially similar obligations as set out under this Addendum and required data processing agreements with such Sub-processors in accordance with Data Protection Laws and the You shall remain fully liable to Us for the performance of the other Sub-processor’s data protection obligations. Without limiting the generality of the foregoing, You acknowledge and agree that if We are required to share any Personal Data with Your trackers or such other third parties including the Your advertisers for the purpose of the Agreement, You will remain liable to ensure that such trackers or third parties remain processors to the You and will contractually require them to comply with the terms of this Addendum or substantially similar terms and remain liable for their acts or omissions;
- cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, on cessation of the contractual activity to which it relates and delete all existing copies unless applicable law requires their retention;
- The Data Receiver shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.
- If requested by the Data Provider, the Data Receiver shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same to honor any Data Subject’s request.
- If, and to the extent required by applicable law, make available all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and/or allow for contribution to audits, including inspections, conducted by the Data Provider or its representative; and
- at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Data Provider of any unauthorised or unlawful Processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Data Provider in dealing with such incident and its consequences; and
The Data Receiver acknowledges that the Data Provider is under certain record keeping obligations under the Data Protection Laws, and agrees to maintain records as required under Data Protection Laws and provide the Data Provider with all reasonable assistance and information required by it to satisfy such record keeping obligations.
The Data Receiver will notify the Data Provider if there is any material breach of the Data Protection Laws. If such breach is not remedied within 30 days of written notice from the Data Provider to do so, the Data Provider shall be entitled to terminate this agreement with immediate effect.
The Data Receiver shall Process the Personal Data in furtherance of the obligations under the Agreement and otherwise in accordance with applicable privacy laws specifically Data Protection Laws;
Each party shall indemnify and defend the other party against all loss, liability, damages (including reasonable legal costs) and expenses arising from any third-party claims, which a party may incur due to a breach of applicable Data Protection Laws by the other party.
6. MODEL CONTRACT CLAUSES
As a Data Processor/Sub-processor under Data Protection Laws, the Model Contract Clauses as set out below will apply. The Model Contract Clauses require us to set out more detail about what data a Data Controller/Data Processor is transferring to the Data Processor/Sub-processor and why, as well as how the Data Processor/Sub-processor keeps that data secure. We have set this out in the sections below. To the extent a regulatory body identifies the parties each as Controllers of the relevant Personal Data it provides or obtains hereunder as per the Data Protection Legislation the Standard contractual clauses for the transfer of Personal Data from the European Union to third countries (controller-to-controller transfers) shall be deemed to be incorporated herein as further set out under Appendix 2.
Description of the Data Processor/Sub-processor data Processing for the Data Controller/Data Processor
The types of data the Data Controller/Data Processor is transferring to theData Processor/Sub-processoror their processors does not include special categories of data.
The Data Processor/Sub-processor will be carrying out the tasks in relation to that data as set out in Section 2 (d) of this Addendum
Description of the Data Processor/Sub-processor security measures
- Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.
- Monitoring of unauthorised access.
- Written procedures for employees, contractors and visitors covering confidentiality and security of information.
- Restricting access to systems depending on the sensitivity/criticality of such systems.
- Use of password protection where such functionality is available.
- Maintaining records of the access granted to which individuals.
- Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
6. KEY CHANGES:
In order to make compliance with GDPR as simple and straightforward as possible, we will add this GDPR Addendum to the Agreement. To ensure the Addendum fits in with the Agreement, it is important to note that:
- except as set out in this Addendum, the Agreement and any other agreements already in place between us shall continue in full force and effect;
- in the event of any conflict or inconsistency between this Addendum and the terms and conditions of the Agreement, this Addendum shall prevail; and
- to the extent that this Addendum does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Addendum and the GDPR.
This Addendum (including the Model Contract Clauses) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “ Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim.
Please sign and return the enclosed copy of this Addendum to acknowledge your agreement of these terms. If the Advertiser/Agency/Reseller as per the context does not accept these terms, InMobi will be unable to run any targeted advertising for EEA users for the Advertiser/Agency/Reseller.
For and on behalf of InMobi Pte Limited
For an on behalf of ___________________