The following Data Processing Addendum (“DPA”) applies to any Personal Data Processed under the Terms of Service.
Last Modified: December 1, 2022
1. Schedule A: Data Processing Addendum – Controller to Controller
2. ANNEX I to the SCCs
3. ANNEX I of the SCCs
4. ANNEX II to the SCCs
UPON EXECUTING AN ORDER FORM THAT REFERENCES THESE TERMS OF SERVICE, OR BY OTHERWISE ACCEPTING THESE TERMS OF SERVICE AND DATA PROCESSING ADDENDUM, PUBLISHER AGREES TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT AND DATA PROCESSING AGREEMENT, INCLUDING SIGNING THE STANDARD CONTRACTUAL CLAUSES AS APPLICABLE.
This Data Processing Addendum (“DPA”) applies to any Personal Data Processed under the Terms of Service.
2. DEFINITIONS AND INTERPRETATION.
Definitions from the Terms of Service apply in this DPA. Additionally, in this DPA:
“Controller” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the Party that determines the purpose and means of Processing Personal Data.
“Data Protection Laws” means any applicable international, foreign, national, federal, state, or local, statutes, ordinances, regulations, rules, executive orders, supervisory requirements, directives, circulars, opinions, judgments, interpretive letters, official releases, and other pronouncements having the effect of law relating to the collection, use, storage, disclosure, transfer, or other Processing of Personal Data, including, without limitation: (a) the General Data Protection Regulation (“GDPR”) (Regulation 2016/679); (b) the European Union (“EU”) e-Privacy Directive (Directive 2002/58/EC); (c) the United Kingdom (“UK”) Data Protection Act, 2018; the “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office (“ICO”) under the UK GDPR; (d) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.) (“CCPA”); (e) the California Consumer Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.) (“CPRA”) (when in effect); (f) the Canadian Personal Information Protection and Electronics Documents Act (“PIPEDA”); and (g) the Swiss Federal Act on Data Protection (“Swiss Data Laws”); and any other relevant privacy law, as amended from time to time and any successor legislation thereto and any regulations promulgated thereunder.
“Data Subject” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the visitor of a Publisher’s digital properties who will see Ad Impressions.
“Industry Guideline(s)” means, as applicable, any industry standards or guidelines to which the Party has agreed to be bound, including, standards from the Interactive Advertising Bureau (“IAB”), the Network Advertising Initiative (“NAI”), and the Digital Advertising Alliance ("DAA”), or similar industry trade bodies, as amended or superseded from time to time.
“Member State” means a member state of the EU and/or the European Economic Area (“EEA”), as may be amended from time to time.
“Personal Data” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, any information that identifies or relates to an individual who can be identified directly or indirectly through the provision of the Services described in this Agreement. Personal Data includes “personal information” as defined under Data Protection Laws. “Sensitive Data” means: (a) any data considered to be special categories of Personal Data under the GDPR; (b) characteristics that are considered sensitive under the NAI Code; or (c) any such intrusive data that directly identifies a Data Subject.
“Process”, “Processing” or “Processed” means the meaning set forth in the relevant Data Protection Laws.
“Security Breach” means: (a) any unauthorized use, modification, loss, compromise, destruction, or disclosure of Personal Data transmitted pursuant to the Processing under these Terms of Service.
“Services” means the provision of services or other work products by Sharethrough as described and set out in the Terms of Service, and such other services as the Parties may agree upon in writing from time to time.
“Signal(s)” means the technical privacy signals developed by Industry Guideline bodies, including the NAI opt-out for tailored advertising, the IAB Transparency and Consent Framework, the IAB U.S. Privacy String, DAA Ad Choices, the Children's Online Privacy Protection Act (“COPPA”) flag, and any other signal(s) whether now known or hereafter created that transmit an action by a Data Subject with respect to their Personal Data Processing.
“Standard Contractual Clauses” or “SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries (Module One: controller-to-controller), as amended or superseded from time to time.
“Processor” means either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, a third-party engaged by a Party to assist with the provision of the Services which involves the Processing of Personal Data.
In performing its obligations under these Terms of Service, Publisher may disclose Personal Data to Sharethrough. Sharethrough shall process Personal Data provided by Publisher: (a) only for the purposes set forth in these Terms of Service or as otherwise agreed to in writing by the Parties, and provided such Processing strictly complies with: (i) Data Protection Laws and Industry Guidelines, and (ii) its obligations under these Terms of Service (the “Permitted Purposes”).
4. ROLES AND RESTRICTIONS ON PROCESSING.
5. DATA SUBJECT RIGHTS
6. CHILDREN’S PERSONAL DATA
In the event Publisher Processes the Personal Data of children (as defined by Data Protection Laws), Publisher shall either: (a) obtain all the necessary consents, including parental consents, prior to sharing such data downstream to Sharethrough; or (b) transmit the COPPA flag downstream to Sharethrough.
7. SECURITY BREACH.
In the event of a Security Incident, each Party shall: (a) promptly notify the other Party; (b) liaise with the other Party in good faith to consider what action(s) are required to resolve the issue in accordance with the Data Protection Laws; and (c) provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.
8. ONWARD TRANSFERS.
For any onward transfers of Publisher Personal Data by Sharethrough to third parties, Sharethrough may transfer such Personal Data, provided it contractually requires the third party to: (a) comply with Data Protection Laws; (b) only Process such Personal Data for the Permitted Purposes as set forth in these Terms of Service.
The Parties agree that Sharethrough may engage Processors to provide its Services pursuant to these Terms of Service. Upon reasonable written request from Publisher (email to suffice), Sharethrough shall provide an up-to-date list of: (a) all Processors involved in the Processing of Publisher Personal Data; and (b) any reasonable information relevant to such Processing. Sharethrough is responsible for the acts of its Processors.
10. RESOLUTION OF DISPUTES
If either Party is the subject of a claim by: (a) a Data Subject; (b) a supervisory authority; or (c) receives a notice or complaint from a supervisory authority relating to its respective processing activities under these Terms of Service (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. The Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the Claim in a timely manner. Neither Party is authorised to act or answer on behalf of the other Party.
11. CROSS-BORDER TRANSFERS OF PERSONAL DATA
Where Data Protection Laws require supplementary measures to protect the international transfer of Personal Data, each Party will ensure the transfer occurs in compliance with such supplementary measures. Such measures include the transfer of Personal Data from the EEA to a country that has an adequate level of protection, as confirmed by the European Commission.
A. European Union transfers:
As applicable, the SCCs are hereby incorporated by reference to this DPA and shall be considered an integral part thereof. The Parties’ signatures in this DPA shall be construed as the Parties’ signature to the SCCs.
For the purposes of the SCCs, the following apply:
B. UK transfers:
To the extent Personal Data of UK residents transmitted by Publisher and is Processed by Sharethrough outside the UK (except if to an adequate country) in circumstances where such transfer would be prohibited by UK GDPR, (e.g., in the absence of a legal transfer mechanism), the Parties agree UK Addendum, subject to the SCCs, shall apply. The UK Addendum is hereby incorporated into this DPA.
C. Swiss transfers:
If the transfer of Personal Data pursuant to these Terms of Service and DPA involves citizens of Switzerland: (a) Data Subjects in Switzerland may enforce their rights in Switzerland under Clause 18c of the SCCs; (b) references to the GDPR will be construed as references to the Swiss Data Laws; (c) references to “supervisory authorities” will be construed as references to the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
Annex I and Annex II of the SCCs apply the UK and Swiss transfers as outlined in 11(b) and 11(c) above.
In the event of any conflict or discrepancy between the SCCs, Data Protection Laws and these Terms of Service, the following order of precedence shall apply: (a) the SCCs (where applicable); (b) Data Protection Laws; and (c) these Terms of Service.
LIST OF PARTIES.
DESCRIPTION OF TRANSFER.
Categories of data subjects whose personal data is transferred
Visitors of Publisher’s Digital Properties.
Categories of personal data transferred
The Personal Data transferred concerns the following categories of data: any data transmitted under Open RTB including: Sharethrough cookie identifiers, third party online identifiers, mobile device identifiers, browser and device information, IP addresses and geo location data as obtained from a Data Subject’s device pursuant to the Terms of Service.
Sensitive data transferred (if applicable)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis in accordance with the Terms of Service.
Nature of the processing
For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service.
Purpose(s) of the data transfer and further processing
For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
In accordance with each Party’s data retention policy, and only for the time period necessary to deliver each Party’s Services pursuant to the Terms of Service.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA.
Please find below the measures undertaken by Sharethrough to protect Personal Data.
The measures implemented by Data Importer to address the ability to restore the availability and access to the Data Exporter data in a timely manner in the event of a physical or technical incident shall dependent upon the obligations set forth in the Service Agreement.
The following measures shall be implemented to address the regularly testing, assessing and evaluating of the effectiveness of technical and organizational measures: