IPONWEB GmbH Data Processing Addendum for Curator

IPONWEB GmbH Data Processing Addendum for Curator

This Data Processor Addendum was updated on March 31st 2021.

  1. The terms and conditions in this Data Processing Addendum (“DPA”) are incorporated into and a part of the agreement between IPONWEB GmbH. on behalf of itself and any Affiliates that are providing the Grid Services (as defined below) to Customer (“Grid”); and You (“Customer”, “Your”) (collectively the “Parties” or, as to each individually, “Party”), pursuant to the terms of the Agreement (defined below).
  2. This DPA together with the Agreement (the “Agreement”), constitute a legally binding agreement and governs Your use of the Grid Services and the Parties’ processing of any Personal Data under the Agreement. Customer agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any group companies or affiliates that use the Services.
  3. Background

3.1. Grid and Customer have entered into an Agreement, pursuant to which Grid has agreed to provide the Services.

3.2. The parties wish to define their respective data protection obligations relating to the Grid’s provision of Services to Customer.

  1. Definitions:

In this DPA, the following terms shall have the following meanings. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.:

(a) “Applicable Data Protection Laws” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of Data as applicable to Grid and its Media Buyers, including without limitation: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced); (iv) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); (v) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (“EDAA”); and (vi) the Network Advertising Initiative (“NAI”).

(b) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, for purposes of European Data, and shall also mean a Business, where applicable, pursuant to the CCPA.

(c) “Processor” (and “Process”) means an entity that processes personal data solely at the direction of a Controller, for European Data, and shall also mean a Service Provider, where applicable, pursuant to the CCPA.

(d) “Data Subject” and “Special Categories of Personal Data” shall have the meanings given in the GDPR. For purposes of this DPA, the term “Data Subject” shall include a consumer as defined under the CCPA.

(e) “EEA” means for the purposes of this DPA, the member states of the European Economic Area, Switzerland, and the United Kingdom.

(f) “Grid Services” has the meaning given to it in the Agreement or if not set forth in the Agreement, means the ad services provided by Grid to Customer in accordance with and as described in the Agreement.

(g) “Media Buyers” shall mean Grid’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks.

(h) “Permitted Purposes” means to perform the Agreement, carry out the Grid Services, and take other actions as permitted by law and under the Agreement.

(i) “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of the Parties is a Controller, and is defined as “personal information” or “personal data” under Applicable Data Protection Laws.

(j) “Grid Privacy Policy” means the Grid privacy policy available on Grid Inc’s public-facing website, the most current version of which is available at https://iponweb.enigma-hosting.co.uk/policies-legal/themediagrid-privacy-policy (as updated or amended from time to time).

(k) “Subprocessor” shall mean a Processor appointed by a Party to Process Personal Data on behalf of that Party.

(l) “Tracking Technologies” means technologies used to store or gain access to data stored on an end user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.

  1. Details of the processing

5.1. The parties acknowledge and agree that each party shall only process Personal Data for the Permitted Purposes consistent with any consents (where required) given by any end users or other data subjects. In the case of Grid. Inc and for the avoidance of doubt, such Permitted Purposes include the purposes described in the Grid Privacy Policy. Each party will not disclose the Data to any third party without the other party’s prior written consent except: (i) where necessary for the Permitted Purposes; (ii) as permitted or required pursuant to the Agreement; or (iii) where permitted or required by applicable law. If the Agreement is materially deficient in respect of the subject matter of this Clause 5, the parties may supplement the Agreement with additional information.

5.2. Service Provider Certification: Where acting as a Processor, the Grid will not (a) sell (as defined under the CCPA) the Personal Data received from a Controller; (b) retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Grid Services on behalf of a Controller; (c) retain, use, or disclose the Personal Data for a commercial purpose (as defined under the CCPA) other than providing the Services; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between the Grid and the Controller. As to the Grid’s role as a Processor only, the Grid certifies that it understands these restrictions and will comply with them.

  1. Data Protection Obligations

6.1. Relationship of the parties: The parties agree that in connection with the Grid Services: (i) each party may receive or otherwise collect Personal Data and (ii) Grid Inc and its Media Buyers use Tracking Technologies in order to collect Personal Data. The parties further acknowledge and agree each party will process Personal Data received from the other party in their own right as separate and independent Controllers for the Permitted Purposes. In no event will the parties process Data jointly as joint controllers (in accordance with the meaning ascribed in the GDPR).

6.2. Prohibited data: Customer shall not disclose (and shall not direct or permit any data subject to disclose) any Special Categories of Personal Data to Grid

6.3. Requesting Consent: Neither Grid nor its Media Buyers has a direct relationship with any data subject visiting the Customer properties or viewing ads delivered to Sites that are linked to and/or from Advertising displayed via the Customer and/or viewing such Advertising through the Grid Services. Accordingly, in each case where consent is the lawful basis for processing Personal Data or required for use of Tracking Technologies pursuant to Applicable Data Protection Laws, Customer agrees that it has obtained and shall be responsible for obtaining and maintaining all necessary consents from the relevant data subjects to lawfully to use Tracking Technologies in order to Process Data in connection with the performance of the Grid Services. Customer represents and warrants that it shall, at all times have in place a mechanism on Sites that are linked to and/or from Advertising displayed via the Customer for obtaining and recording consent and enabling the data subject to withdraw their consent in accordance with Applicable Data Protection Laws, including, where applicable, the CCPA. For Customers located in the EEA, Grid is registered with and supports the IAB Transparency and Consent Framework. For Customers that qualify as a business as defined under the CCPA, Grid supports the IAB’s CCPA Framework.

6.4. Notice Requirements: Customer agrees that it is responsible for ensuring that all Data Subjects are appropriately notified about the data collection and use practices taking place on Sites that are linked to and/or from Advertising displayed via the Customer through the Grid Services. Customer represents and warrants that all Sites that are linked to from Advertising displayed via the Customer shall conspicuously post, maintain and abide by a publicly-accessible privacy notice that satisfies the requirements of Applicable Data Protection Laws from which the Personal Data is collected. Without limiting the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by Grid and its Media Buyers and the purposes of Processing, including for delivering ads across all Sites that are linked to and/or from Advertising displayed via the Customer over time or as otherwise set forth in this Agreement; (iii) a description of the categories of recipients who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Personal Data; (v) a conspicuous link to or description of how to access relevant choice mechanisms; and (vi) any other information required to comply with the disclosure and transparency requirements of Applicable Data Protection Laws; and/or The Grid Privacy Policy.

6.5. International transfers: To the extent that Grid Processes (or causes to be Processed) the Personal Data of a Data Subject form the EEA in a country outside of the EEA, it shall first take all such measures as are necessary to ensure appropriate safeguards and/or an adequate level of protection for such Personal Data in accordance with Applicable Data Protection Laws.

6.6. Confidentiality of Processing: The Parties shall ensure that any Subprocessor that either Party authorises to Process Personal Data shall protect the Personal Data in accordance with the confidentiality obligations under the Agreement.

6.7. Security: Both parties shall implement technical and organisational measures as required by the Applicable Data Protection Laws to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) unauthorised loss, alteration, disclosure of, or access to the Personal Data (a “Security Incident”). In the event a Party suffers a Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and carry out such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

6.8. Cooperation and data subjects’ rights: The parties shall, upon request, provide reasonable and timely assistance and cooperation to the other party (at their own expense) to enable that party to respond to: (i) any request from a data subject to exercise any of its rights under the Applicable Data Protection Laws (including the rights of access, correction, objection, erasure/deletion, opting out of third party sales of Personal Data, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data.