Until 25 May 2018, the Data Protection Act 1998 (the “DPA”) is the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing carried out under the Agreement. The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of personal data. As a result, this Data Protection Rider, sets out in the schedule attached, to the Agreement with effect from 25 May 2018 (the “Variation Date”). Additionally, due to the implementation of the GDPR, each party is required to adhere to new rules relating to the international transfer of personal data. One of the simplest ways to protect the personal data transferred between us is to use the “Model Contract Clauses”, produced by the European Commission, which are incorporated into this Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C (2010)”.

Key changes:

In order to make compliance with GDPR as simple and straightforward as possible, parties agree to add this Data Protection Rider to the Agreement. To ensure the Rider fits in with the Agreement, it is important to note that:

  1. except as set out in this Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect;
  1. in the event of any conflict or inconsistency between this Rider and the terms and conditions of the Agreement, this Rider shall prevail; and
  1. to the extent that this Rider does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Rider, the Data Protection Rider and the GDPR.

This Rider, (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim.

Please sign and return the enclosed copy of this Rider to acknowledge your agreement of these terms. If you do not notify us of your disagreement with any of the terms of this Rider, you will be deemed to have accepted it. If you do not accept these terms, we will discontinue any EU user related transactions with You.

DATA PROTECTION RIDER

Parties agree that it is of paramount importance that any Processing of Personal Data is in compliance with Data Protection Laws as applicable to such party at all times.

1 Data Protection

1.1 Definitions:

1.1.1 “Controller”, “Data Subject”, “Personal Data”, “Processor” “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.

1.1.2 “Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.

1.2 Obligations:

Between You and InMobi, You are sharing Personal Data in relation to the Agreement. Therefore, You, as the Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data by InMobi in the capacity of a Processor as permitted under this Rider. You will comply with the requirements of the Data Protection Legislation as a Controller and will be responsible for notifying InMobi of any Data Subject request towards deletion, rectification or opt-out election.

Each party hereby represents and warrants to adhere to the terms of this Rider. The parties acknowledge that the applicable Data Protection Law(s) ultimately determines status with respect to each party. In the event any regulatory body identifies the parties each as Data Controllers of the relevant Personal Data it provides or obtains hereunder under applicable Data Protection Laws, section 1.2 of this Addendum shall apply only to the extent that the parties are both Data Controllers/ In the event any regulatory body identifies a party as a Data Processor of the relevant Personal Data it is sharing under this Addendum under applicable Data Protection Laws, such a party will comply with the terms of Sections 1.2.2 – 1.2.4.2 as a Data Processor.

1.2.1 Paragraphs 1.2.2 – 1.2.4.2 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.

1.2.2 Each party acknowledges that:

1.2.2.1 Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns distributed through Controller:

(1) For fraud detection purposes including creating fraud reports to be shared with advertisers;

(2) For reporting purposes including reports to be shared with advertisers or for reporting to Controller;

(3) For determining performance of campaigns distributed through Publisher’s inventory or network and billing purposes.

1.2.2.2 the processing shall continue for the duration of this agreement;

1.2.2.3 the processing concerns: clicks and impressions data, IP Address, device identifiers, http headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets.

1.2.3 The Processor shall:

1.2.3.1 process the Personal Data only to the extent necessary for the purposes of the Agreement and otherwise in accordance with the documented instructions of the Controller;

1.2.3.2 not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the Processor shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law). Publisher acknowledges that InMobi may need to transfer Personal Data outside of EEA in the context of Processing;

1.2.3.3 ensure that all persons authorised by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;

1.2.3.4 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access;

1.2.3.5 where the Processor does engage another Processor, substantially similar obligations to those set out in paragraphs 1.2.2 – 1.2.3 shall be imposed by the Processor on the other Processor in a written contract;

1.2.3.6 cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;

1.2.3.7 You shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.

1.2.3.8 If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same upon notification by Controller to honour any Data Subject’s request. Controller agrees to notify Processor of such requests upon being aware of the same promptly upon receiving the same without any undue delay.

1.2.3.9 make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this Rider, and reasonably assist in audits, including inspections, conducted by the Controller or its representative to determine Processor’s compliance with its obligations hereunder. Processor shall have audit rights to determine Controller’s compliance with Data Protection Legislation and Controller shall make available to the Processor all information reasonably necessary to demonstrate such compliance. Any audit will be conducted upon provision of reasonable notice and during regular working hours;

1.2.3.10 at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorised or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences; and

1.2.4 Where the Processor intends to or replace other Processors, it shall first inform the Controller of the intended change, and shall implement appropriate data processing terms with such new Processors.

1.2.5 The Processor acknowledges that the Controller is under certain record keeping obligations under the Data Protection Legislation, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.

2 Model Contract Clauses

The Model Contract Clauses require setting out more detail about what data is being transferred and why, as well as how the Processor must keep that data secure.

2.1 Description of Processor’s data Processing

2.1.1 The types of data being transferred are Personal Data, which does not include special categories of data.

2.1.2 Processor will be carrying out the tasks in relation to that data as set out in 1.2.2.1.

2.2 Description of Processor’s security measures

2.2.1 Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.

2.2.2 Monitoring of unauthorised access.

2.2.3 Written procedures for employees, contractors and visitors covering confidentiality and security of information.

2.2.4 Restricting access to systems depending on the sensitivity/criticality of such systems.

2.2.5 Use of password protection where such functionality is available.

2.2.6 Maintaining records of the access granted to which individuals.

2.2.7 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

2.3Additional Provision

2.3.1 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.