Publisher Data Protection Rider

 

Data Protection Rider

 

We refer to the Terms of Service located at https://www.inmobi.com/terms-of-service/ (“Agreement”) which You have accepted to avail InMobi’s advertising services as a publisher (referred as “You” or “Publisher”).

Introduction:

 

Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, the General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the existing data protection law applicable in the European Union. As at May 25, 2018, the GDPR will then apply to the processing that is carried out under the Agreement for any Personal Data related to Data Subjects in the European Union (“EU”).

 

The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing Personal Data of Data Subjects based in EU. Therefore, the parties agree to add the Data Protection Rider, set out below to the Agreement with effect from 25 May 2018 (the “Variation Date”). These terms of the Data Protection Rider shall be deemed to be incorporated within the Agreement.

 

This Data Protection Rider makes reference to the “Standard Contractual   Clauses”, produced by the European Commission, which are incorporated into this Data Protection Rider as if they had been set out in full. The full legal name for the Standard Contractual Clauses is: “Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC no. 2001/497/EC” (commonly referred to as Controller-Controller Set I).

 

General Terms:

Except as set out in this Data Protection Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect. In the event of any conflict or inconsistency between this Data Protection Rider and the terms and conditions of the Agreement, this Data Protection Rider shall prevail. To the extent that this Data Protection Rider does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Data Protection Rider and the GDPR.

 

This Data Protection Rider (including the Standard Contractual Clauses,) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of Ireland.

 

The parties irrevocably agree that the courts of Ireland have appropriate jurisdiction to address any Claim.

 

Please accept or sign and return the Data Protection Rider to acknowledge your agreement of these terms.

 

If you do not accept these terms, we will discontinue any EU user related transactions with your applications/sites. Additionally, please do not share any EU user personal data with us.

However, if you continue to use our services, you will be deemed to have accepted these terms.

 

 

DATA PROTECTION RIDER

 

  1. definitions
    1. The following definitions apply in this Data Protection Rider:

Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.

Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive), and all laws and regulations applicable to the Parties relating to the processing of personal data and privacy, as amended, re-enacted, replaced or superseded from time to time.

Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Personal Data transmitted, stored or otherwise processed.

Publisher” is the “Publisher” under the Agreement.

  1. Mutual Obligations when processing data
    1. Each Party acknowledges that:
      1. 2.1.1.InMobi shall Process the Personal Data for (a) optimizing online advertising campaigns across its ad network/advertising channels or platforms whether owned, operated or controlled by InMobi including but not limited to the programmatic channels; (b) serving interest based targeting of InMobi ad campaigns or other survey based services; (c) providing data-targeted ad inventory forecasting; (d) providing its customers, partners and relevant third parties with data as part of data analytics, campaign reporting and performance (which may be used for advertising purposes as per their privacy policies), and (e) creation and enhancement of audience profile/segments. Publisher further acknowledges that InMobi may need to transfer Personal Data outside of EU in the context of Processing;
      2. the processing shall continue, for the duration of the Agreement;
      3. the processing concerns the following Personal Data:
        1. 2.1.3.1.user device identifier;
        2. 2.1.3.2.IP address;
        3. 2.1.3.3.User agent or such device information;
        4. 2.1.3.4.Fine location;
        5. 2.1.3.5.Persistent online identifiers (such as cookie ids, IMEI, IDFA, ADID, GPID, GAID etc.,)

The name, company email, position and phone number of those employees/personnel of a party who will be involved in management and support of the contractual relationship arising under the Agreement shall be deemed to be business information.

 

  1. It is acknowledged that both Parties are, under the Data Protection Legislation, under certain obligations to maintain records of processing activities under their responsibilities and agree to provide the other Party with all reasonable assistance and information required by the other Party to satisfy such record keeping obligations.
  2. In the event of any Personal Data breach (actual or suspected) involving the Personal Data being processed under the Agreement, the Party that was affected by such Personal Data Breach shall:
    1. notify the other Party of the Personal Data breach without undue delay (but in no event no later than five days after becoming aware of or first suspecting the Personal Data Breach);
    2. provide the other Party without undue delay (and wherever possible, no later than five days after becoming aware of or first suspecting the Personal Data Breach) with such details as the other Party may require in relation to:
  3. the nature and impact of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data records concerned, impacted or threatened;
  4. any investigations into such Personal Data Breach;
  5. the likely consequences of the Personal Data Breach; and
  6. any measures taken, or that the affected Party will take to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the reoccurrence of the Personal Data Breach or a similar breach,

provided that, (without prejudice to the above obligations) if the affected Party cannot provide all these details within such timeframes, it shall, before the end of this timeframe, provide the other Party with reasons for the delay, and the information as to when it expects to be able to provide the relevant details (which may be phased), and give the other Party regular updates on these matters.

  1. Controller requirements
    1. The Publisher and InMobi acknowledge that they are each independent Controllers of the Personal Data Processed in order to fulfil their respective obligations under the Agreement, and that in no event will the Parties process Personal Data as Controllers.
    2. Each Party shall, in its respective capacity as a individual Controller:
      1. at no cost to the other Party, record and then refer to the other Party promptly (and in any event within 5 Business Days of receipt) any Data Subject request or complaint which is made under Data Protection Legislation in relation to the processing of Personal Data under the Agreement;
      2. at its cost and expense, provide such information and cooperation and other assistance as a Party reasonably requests in relation to a Data Subject request or complaint made under Data Protection Legislation within a reasonable timeframe so as to allow the relevant Party to comply with its obligations under Data Protection Legislation concerning Data Subject requests;
      3. implement and maintain a program to ensure that all Processing at its end and transmission of Personal Data is safeguarded and secure;
      4. implement a legally adequate privacy policy in accordance with the Data Protection Legislation, and enact all other compliance requirements as applicable to its business;
      5. maintain, monitor and review records of user activities, exceptions, faults and privacy in relation to the relevant Personal Data;
      6. ensure information security events are produced, maintained, monitored and reviewed on an ongoing basis; and

3.2.7 ensure that its relevant technical solutions are configured such that the default settings protect Data Subject privacy.

3.3       Publisher Requirements: Publisher shall:

3.3.1        seek consent from the Data Subject to the standard required by the Data Protection Legislation to collect, Process, transmit or use their Personal Data as contemplated by the Agreement including as enumerated in section 2.1.1 hereunder;

3.3.2       in the event that the consent to handle Personal Data is withdrawn by the Data Subject, the Publisher shall notify InMobi without undue delay (but in any event no later than 24 hours after becoming aware of the consent being withdrawn);

  3.3.3    allow for audits conducted by InMobi or another auditor mandated by InMobi for the purpose of demonstrating compliance by the Publisher with its obligations under the Data Protection Legislation and under this Agreement;

3.3.4        indemnify, defend and hold harmless InMobi against and from all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising out any third party claims which InMobi may incur or suffer by reason of any breach of this Data Protection Rider by the Publisher;

3.4 InMobi Requirements: InMobi shall process personal data strictly for the purposes set out in the Agreement and this Rider and during the term of the Agreement; after the expiration of the Agreement or the period set out under its privacy policy, whichever is longer, it shall delete or anonymize all personal data processed under the Agreement (including all copies), unless it is necessary to further process personal data due to legal obligations to which it is subject, or for archival purposes towards billing related disputes or in case that such further processing is in its legitimate interest.

  1. RELATIONSHIP TO THE AGREEMENT

This Data Protection Rider shall apply to the processing of Personal Data carried out under the Agreement.

  1. Standard ContractUAL Clauses

Standard contractual clauses provide for Controller to Controller personal data transfers between EU and non-EU countries.  The Standard Contractual Clauses concluded for the purpose of the Agreement and this Data Protection Rider form Annex No. 1 and integral part hereof.

 

Description of our data processing

  1. In the event when either party Processes Personal Data on behalf of the other the parties will execute appropriate data processing agreement.

Description of security measures

  1. Restriction of access to buildings, data centres and server rooms as necessary.
  2. Monitoring of unauthorised access.
  3. Written procedures for employees, contractors and visitors covering confidentiality and security of information.
  4. Restricting access to systems depending on the sensitivity/criticality of such systems.
  5. Use of password protection where such functionality is available.
  6. Maintaining records of the access granted to which individuals.
  7. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

Additional Provision

  1. You will not provide any unsolicited data related to Data Subjects with us.
  2. In no event shall InMobi’s total aggregate liability for all claims arising out of or in connect with this Agreement exceed Euro 20,000.

 

 

 

 

 

 

Annex No. 1

Standard Contractual Clauses

Name of the data exporting organisation: Address: e-mail:

('the data exporter')

 

and

Name of the data importing organisation: InMobi Pte. Ltd.

Address: Headquartered in Singapore, at 30 Cecil Street, #19-08 Prudential Tower Singapore 049712

e-mail: dpo@inmobi.com

('the data importer')

HAVE AGREED on the following contractual clauses ('the Clauses') in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1:

Clause 1

Definitions

For the purposes of the Clauses:

  1. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ('hereinafter the Directive');
  2. the 'data exporter' shall mean the controller who transfers the personal data;
  3. the 'data importer shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country's system ensuring adequate protection.

Clause 2

Details of the transfer

The details of the transfer, and in particular the categories of personal data and the purposes for which they are transferred, are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

The data subjects can enforce this Clause, Clause 4(b), (c) and (d). Clause 5(a), (b), (c) and (e), Clause 6(1) and (2), and Clauses 7, 9 and 11 as third-party beneficaries. The parties do not object to the data subjects being represented by an association or other bodies if they so wish and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data by him has been and, up to the moment of the transfer, will continue to be carried out in accordance with the relevant provisions of the Member State in which the data exporter is established (and where applicable has been notified to the relevant authorities of that State) and does not violate the relevant provisions ofthat State;
  2. that if the transfer involves special categories of data the data subject has been informed or will be informed before the transfer that this data could be transmitted to a third country not providing adequate protection;
  3. to make available to the data subjects upon request a copy of the Clauses; and
  4. to respond in a reasonable time and to the extent reasonably possible to enquries from the supervisory authority on the processing of the relevant personal data by the data importer and to any enquiries from the data subject concerning the processing of this personal data by the data importer.

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  1. that he has no reason to believe that the legislation applicable to him prevents him from fulfilling his obligations under the contract and that in the event of a change in that legislation which is likely to have a substantial adverse effect on the guarantees provided by the Clauses, he will notify the change to the data exporter and to the supervisory authority where the data exporter is established, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. to process the personal data in accordance with the mandatory data protection principles set out in Appendix 2;

or, if explicitly agreed by the parties by ticking below and subject to compliance with the mandatory data protection principles set out in Appendix 3, to process in all other respects the data in accordance with:

  • the relevant provisions of national law (attached to these Clauses) protecting the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data applicable to a data controller in the country in which the data exporter is established, or
  • the relevant provisions of any Commission Decision under Article 25(6) of Directive 95/46/EC finding that a third country provides adequate protection in certain sectors of activity only, if the data importer is based in that third country and is not covered by those provisions, in so far as those provisions are of a nature which makes them applicable in the sector of the transfer;
  • to deal promptly and properly with all reasonable inquiries from the data exporter or the data subject relating to his processing of the personal data subject to the transfer and to cooperate with the competent supervisory authority in the course of all its inquiries and abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • at the request of the data exporter to submit its data processing facilities for audit which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • to make available to the data subject upon request a copy of the Clauses and indicate the office which handles complaints.

 

Clause 6

Liability

  1. The parties agree that a data subject who has suffered damage as a result of any violation of the provisions referred to in Clause 3 is entitled to receive compensation from the parties for the damage suffered. The parties agree that they may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions.
  2. The data exporter and the data importer agree that they will be  liable for damage to the data subject resulting from any violation referred to in paragraph 1.
  3. The parties agree that if one party is held liable for a violation referred to in paragraph 1 by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Clause 7

 Mediation and jurisdiction

1. The parties agree that if there is a dispute between a data subject and either party which is not amicably resolved and the
data subject invokes the third-party beneficiary provision in clause 3, they accept the decision of the data subject:

  1. to refer the dispute to mediation by an independent person or, where applicable, by the supervisory authority;
  2. (b)to refer the dispute to the courts in the Member State in which the data exporter is established.

 

  1. The parties agree that by agreement between a data subject and the relevant party a dispute can be referred to an arbitration body, if that party is established in a country which has ratified the New York convention on enforcement of arbitration awards.
  2. The parties agree that paragraphs 1 and 2 apply without prejudice to the data subject's substantiive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

The parties agree to deposit a copy of this contract with the supervisory authority ifit so requests or if such deposit is required under national law.

Clause  9

Termination of the Clauses

The parties agree that the termination of the Clauses at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Clauses as regards the processing of the data transferred.

Clause 10

Governing Law

The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.

 

Clause 11

Variation of the contract

The parties undertake not to vary or modify the terms of the clauses.

Appendix 1
 to the standard contractual clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

(The Member States may complete or specify, according to their national procedures, any additional necessarily information to be contained in this Appendix.)

Data exporter - The data exporter is provider of certain applications/sites

Data importer - The data importer is a technology-driven advertising platform provider which distributes advertisements on the exporter’s applications or sites.

Data subjects - The personal data transferred concern the following categories of data subjects (please specify):

End users of the services of the data exporter.

Purposes of the transfer - The transfer is necessary for the following purposes:

Commercial Processing Operations

Under the Agreement, data are processed in the course of the following processing operations:

  1. Provision of services and fulfillment of obligations under the Agreement and/or as further specified in Clause 2.1 of the Data Protection Rider; and

 

  1. Management and support of the contractual relationship arising under the Agreement, including billing, account maintenance, and internal administration and accounting for all commercial relationships.

Categories of data

The personal data transferred fall within the following categories of data (please specify) - For the purpose specified under point no.(i) of Purposes of the transfer, these categories shall include user device identifier, IP address, user agent or such device information; fine location; persistent online identifiers (such as cookie ids, IDFA, ADID, GPID etc.,);

Sensitive data (if appropriate) - The personal data transferred fall within the following categories of sensitive data (please specify): Not applicable.

Recipients - The personal data transferred may be disclosed only to the following recipients or categories of recipients (please specify): the data exporter, its processors, affiliates and in the context of InMobi its customers/partners as part of data analytics, campaign reporting and performance (which may be used for advertising purposes)

Storage limit - The data importer shall only store personal data strictly for the duration of the Agreement or in accordance with its privacy policy, whichever is longer.Appendix 2

to the standard contractual clauses

Mandatory data protection principles referred to in the first paragraph of Clause 5(b)

 

These data protection principles should be read and interpreted in the light of the provisions (principles and relevant exceptions) of Directive 95/46/EC.

They shall apply subject to the mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others.

  1. Purpose limitation: data must be processed and subsequently used or further communicated only for the specific purposes in Appendix I to the Clauses. Data must not be kept longer than necessary for the purposes for which they are transferred.
  2. Data quality and proportionality: data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
  3. Transparency: data subjects must be provided with information as to the purposes of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fair processing, unless such information has already been given by the data exporter.
  4. Security and confidentiality: technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as unauthorised access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the controller.
  5. Rights of access, rectification, erasure and blocking of data: as provided for in Article 12 of Directive 95/46/EC, the data subject must have a right of access to all data relating to him that are processed and, as appropriate, the right to the rectification, erasure or blocking of data the processing of which does not comply with the principles set out in this Appendix, in particular because the data are incomplete or inaccurate. He should also be able to object to the processing of the data relating to him on compelling legitimate grounds relating to his particular situation.
  6. Restrictions on onwards transfers: further transfers of personal data from the data importer to another controller established in a third country not providing adequate protection or not covered by a decision adopted by the Commission pursuant to Article 25(6) of Directive 95/46/EC (onward transfer) may take place only if either:

(a) data subjects have, in the case of special categories of data, given their unambiguous consent to the onward transfer or, in other cases, have been given the opportunity to object.

  • or

(b) the data importer enters to adequate data protection agreements in accordance the Standard Contractual Clauses.

Not Applicable

Appendix 3

to the standard contractual clauses

Mandatory data protection principles referred to in the second paragraph of Clause 5(b)

 

  1. Purpose limitation: data must be processed and subsequently used or further communicated only for the specific purposes in Appendix I to the Clauses. Data must not be kept longer than necessary for the purposes for which they are transferred.
  2. Rights of access, rectification, erasure and blocking of data: as provided for in Article 12 of Directive 95/46/EC, the data subject must have a right of access to all data relating to him that are processed and, as appropriate, the right to the rectification, erasure or blocking of data the processing of which does not comply with the principles set out in this Appendix, in particular because the data is incomplete or inaccurate. He should also be able to object to the processing of the data relating to him on compelling legitimate grounds relating to his particular situation.