Publisher Data Protection Rider (Previous Version)

Effective Date of Rider: September 2021
We refer to the Terms of Service located at www.inmobi.com/terms-of-service which you have accepted in connection with your use of InMobi Pte Ltd.'s ("InMobi") advertising services as a publisher ("Publisher") (the "Agreement").
The Rider takes account of changes brought in by the Data Protection Legislation (defined below) including the Standard Contractual Clauses.
1.
Incorporation Terms
1.1.
The Rider is incorporated into the Agreement and is made and entered into as of the Effective Date.
1.2.
Except as set out in the Rider, the Agreement and any other agreements already in place between InMobi and the Publisher shall continue in full force and effect.
1.3.
In the event of any conflict or inconsistency between the Agreement, the Rider and the Standard Contractual Clauses, the following order of priority shall apply: (i) the Standard Contractual Clauses, (ii) the Rider and (iii) the Agreement.
1.4.
To the extent that the Rider does not address specific data processing activities carried out between the parties, the terms of the Agreement shall apply, save that they shall be interpreted to give full effect to the provisions of the Rider.
1.5.
Any capitalised terms not defined herein shall have the respective meanings given to them in the Agreement.
1.6.
The Rider and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the laws of Ireland. The parties irrevocably agree that the courts of Ireland have exclusive jurisdiction to settle any Claim.
2.
Definitions
2.1.
"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Process / Processing" and "Supervisory Authority" shall each have the meanings given in the Data Protection Legislation.
2.2.
"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and EU, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
2.3.
"Permitted Purpose" means Processing in connection with all or any of the following:
2.3.1.
optimising online advertising campaigns across InMobi's network and advertising channels or platforms whether owned, operated, contracted or controlled by InMobi including but not limited to the programmatic channels;
2.3.2.
serving interest-based targeting of ad campaigns or other survey-based services;
2.3.3.
providing data-targeted ad inventory forecasting;
2.3.4.
providing its customers, partners and relevant third parties with data as part of data analytics, campaign reporting and performance (which may be used for advertising purposes as per their privacy policies); and / or
2.3.5.
creation and enhancement of audience profiles and segments.
3.
Status of the Parties
3.1.
The parties agree to act at all times in compliance with the Data Protection Legislation.
3.2.
The parties acknowledge that for the purposes of the Data Protection Legislation each party determines on their own (i.e. alone) the purposes and means of the Processing of Personal Data when it is Processed within their respective technology environments, as such both Parties are Controllers in their own right (i.e. Independent Controllers).
4.
Publisher Obligations
Publisher agrees to:
4.1.
obtain the appropriate consents for the Processing of Personal Data and ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:
4.1.1.
that Personal Data will be transferred to a third party, and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer before deciding whether to give consent; and
4.1.2.
sufficient information about any transfer outside of the UK or EEA, including the purpose of such transfer and the safeguards put in place by the Publisher to enable the Data Subject to understand the purpose and risks of such transfer.
5.
Mutual Processing Obligations
Each party agrees to:
5.1.
notify the other of any Data Subject requests to exercise their rights, including but not limited to access, deletion and rectification;
5.2.
process the Personal Data only for the Permitted Purpose;
5.3.
maintain the confidentiality of all Personal Data and not disclose Personal Data to third parties unless this Rider specifically authorises the disclosure, or as required by law;
5.4.
reasonably assist the other with meeting each party's compliance obligations under the Data Protection Legislation, taking into account the nature of the processing and the information available to the parties, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation; and
5.5.
ensure that any and all employees:
5.5.1.
are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
5.5.2.
have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
5.5.3.
are aware both of their employer's duties and their personal duties and obligations under the Data Protection Legislation and this Rider.
6.
Mutual Security Obligations
6.1.
Each party will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
6.2.
Each party will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.2.1.
the encryption of Personal Data or equivalent measures;
6.2.2.
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.2.3.
the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.2.4.
a process for regularly testing, assessing and evaluating the effectiveness of security measures.
7.
Mutual Personal Data Breach Obligations
7.1.
The parties shall each comply with their obligations to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject.
7.2.
The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
8.
Cross-Border Transfers of Personal Data
8.1.
If an adequate protection measure for the international transfer of Personal Data is required under the Data Protection Legislation (and has not otherwise been arranged by the parties) the Annex shall apply.
8.2.
Each party approves the other transferring Personal Data outside the UK and the European Economic Area (EEA) ("GDPR Territories"). Provided that where such processing occurs:
8.2.1.
the Processing of Personal Data is in a territory which is subject to a current finding by the UK's Information Commissioner's Office and/or the European Commission (as applicable) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
8.2.2.
participates in a valid cross-border transfer mechanism under the Data Protection Legislation including appropriate data protection agreement terms, so that InMobi (and, where appropriate, Publisher) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation; or
8.2.3.
otherwise ensures that the transfer complies with the Data Protection Legislation.
9.
Processors
9.1.
Each Controller acknowledges and agrees that if such Controller is required to share any Personal Data with processors for the purpose of the Agreement, such party will remain liable to ensure that such processors comply with substantially similar obligations to the terms of this Rider.
10.
Complaints, Data Subject Requests and Third-Party Rights
10.1.
The parties will take such technical and organisational measures as may be appropriate to comply with:
10.1.1.
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
10.1.2.
information or assessment notices served on either party by any Supervisory Authority under the Data Protection Legislation.
10.2.
The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Data Subject rights requests within the time limits imposed by the Data Protection Legislation. In the event of a dispute or claim brought by a Data Subject, the Information Commissioner or a Supervisory Authority concerning the processing of Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
10.3.
Each party shall abide by a decision of a competent court of the other party's country of establishment or of the Information Commissioner or a Supervisory Authority.
11.
Liability
The Publisher shall indemnify and defend InMobi against and from all loss, liability, damages, costs (including reasonable legal costs), fees, claims and expenses arising out any third party claims which InMobi may incur or suffer by reason of any breach of this Data Protection Rider by the Publisher. Neither party shall be liable for any loss of profits, indirect, incidental, consequential, or punitive damages or losses. InMobi's total aggregate liability pursuant to any claims arising out of or in connection with this Rider shall be limited to USD 100,000.
12.
Term and Termination
12.1.
This Rider will remain in full force and effect for so long as either party retains any of the other's Personal Data related to the Agreement in its possession or control.
12.2.
Any provision of this Rider that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
12.3.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Agreement, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.
13.
Data Retention
13.1.
On termination of the Agreement for any reason or expiry of its term, Publisher shall not provide any further Personal Data to InMobi. InMobi will Process and retain Personal Data in accordance with its Privacy Policy, subject to Data Subject Rights, Data Protection Legislation and such other statutory and regulatory requirements.
If you do not accept these terms, we may discontinue any UK or EEA user related transactions with You. Additionally, please do not share any UK or EEA user data with us unless agreed otherwise.
ANNEX

INTERNATIONAL DATA TRANSFERS (UK AND EU)
1.
INCORPORATION OF UK AND EU STANDARD CONTRACTUAL CLAUSES
1.1.
To the extent this Annex relates to transfers of Personal Data subject to the UK GDPR:
1.1.1
paragraphs 1.2, 1.3 and 3 of this Annex apply, and override any conflicting provision set out elsewhere in this Annex; and
1.1.2
paragraph 2 of this Annex does not apply.
1.2.
This Annex shall be read and interpreted in the light of the provisions of applicable data protection laws in the United Kingdom, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR.
1.3.
 
To the extent the processing of personal data is subject to the UK GDPR and an international transfer mechanism is required under the UK GDPR relating to the parties' transfer of personal data, 1.3.1 – 1.3.2 shall apply:
1.3.1.
if the parties are acting in their capacity as controllers, the standard contractual clauses for the transfer of personal data to controllers established in third countries pursuant to European Commission Decision 2004/915/EC of 27 December 2004, subject to the Modifications and without any optional or illustrative clauses are incorporated into this Annex as if they had been set out in full, with the processing particulars set out in paragraph 3 of this Annex; and
1.3.2.
for the purposes of this paragraph 1.3 the "Modifications" means: the modifications made by the UK's Information Commissioner to the standard contractual clauses. Such modifications being: (i) general references to Supervisory Authority and similar (such as relevant authorities of the Member State) shall be changed to Commissioner; (ii) general references to member state law and member state courts shall be changed to applicable data protection law (being the UK GDPR and the UK's Data Protection Act 2018) and UK courts respectively; (iii) general references to Directive 95/46/EC shall be changed to the UK GDPR; (iv) general references to adequacy and specific section references to Article 25(1) or Directive 95/46/EC shall be changed to UK adequacy regulations and Section 17A of the Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018; (v) references to Member State or European Economic Area shall be changed to UK; and (vi) the variation provisions of the UK SCCs shall be deemed to include the following: the parties are not precluded from modifying the Clauses where permitted by Paragraphs 7(3) and (4) of Schedule 21 of the Data Protection Act 2018. The modified standard contractual clauses in this paragraph 1.3 are referred to as the "UK SCCs".
1.4.
To the extent this Annex relates to transfers of Personal Data to which the GDPR applies:
1.4.1.
module 1 of the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 EU SCCs (the "2021 EU SCCs"), and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where the exporter is a controller, the importer is a controller and the transfer requires such additional protection; and
1.4.2.
paragraphs 1.2 and 1.3 of this Annex do not apply.
2.
CLARIFICATIONS TO THE 2021 EU SCCS
2.1.
Module One Clarifications. For the purposes of:
2.1.1
clause 8.2 of the 2021 EU SCCs and to enable data subjects to effectively exercise their rights, the parties have agreed that the exporter shall inform data subjects of the information required; and
2.1.2
clause 8.3 the parties hereby agree that the data exporter shall be primarily responsible for ensuring that personal data is accurate and, where necessary, kept up to date. The data exporter shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
3.
APPENDICES AND ANNEXURES TO THE SCCS
3.1.
The processing details required by the UK SCCs and the 2021 EU SCCs are set out in paragraph 4:
3.1.1
the details required for Appendix 1 of the UK SCCs are set out at paragraphs 4 – 4.5 and 4.7 and both parties are Controllers;
3.1.2
the details required for Appendix 2 of the UK SCCs are set out at paragraph 4.12 and the illustrative indemnity and commercial clauses are deleted;
3.1.3
the details required at Annex 1.A of the 2021 EU SCCs is set out at paragraphs 4 – 4.2;
3.1.4
the details required at Annex 1.B of the 2021 EU SCCs is set out at paragraph 4.3 – 4.10;
3.1.5
the details required at Annex 1.C of the 2021 EU SCCs is set out a paragraph 4.11; and
3.1.6
the details required at Annex 2 of the 2021 EU SCCs is set out at paragraph 4.10.
4.
PROCESSING PARTICULARS FOR THE UK AND EU SCCS
The Parties
4.1.
Exporter: Publisher
4.2.
Importer: InMobi
Description Of Data Processing
4.3.
Categories of data subjects: User of Publisher’s applications, sites and such other digital inventory
4.4.
Categories of personal data transferred: Email-id; Phone number; User device identifier; USIM; IP address; user agent or such device information; fine location; and / or persistent online identifiers (such as cookie ids, IMEI, IDFA, IFA, ADID, GPID, GAID etc.).
4.5.
Sensitive data transferred: None.
4.6.
Frequency of the transfer: Continuous transfers.
4.7.
Nature of the processing: As set out in the Permitted Purpose.
4.8.
Purpose of the processing: For the Permitted Purpose.
4.9.
Duration of the processing: For the term of the Agreement.
4.10.
Sub-Processor Transfers: Yes, as set out below
4.11.
Competent Supervisory Authority: Ireland.
4.12.
Technical and Organisational Measures:
4.12.1.
Restriction of access to buildings, data centres, systems and server rooms as necessary.
4.12.2.
Monitoring of unauthorised access.
4.12.3.
Written procedures for employees, contractors and visitors covering confidentiality and security of information.
4.12.4.
Restricting access to systems depending on the sensitivity/criticality of such systems.
4.12.5.
Use of password protection where such functionality is available.
4.12.6.
Maintaining records of the access granted to which individuals.
4.12.7.
Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
Permitted categories of sub-processors
Categories: Media partners, data / infrastructure vendors and / or attribution partners