This Data Processing Addendum (“Addendum”) is entered into by and between PubMatic, Inc. (“PubMatic”) and the party identified in the signature block below (“Publisher”), and forms part of the Publisher Connect Addendum (the “Agreement”) between the parties relating to the subject matter of this Addendum.

The terms in this Addendum shall only apply to the extent PubMatic collects or otherwise processes Personal Data contained within Audience Data protected or otherwise regulated by EU Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.

IT IS AGREED:

  1. Definitions

“Demand Partners” means PubMatic’s media buying Publishers, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks and PubMatic Customers described in Section 10.8 of the Agreement.

“Europe” means for the purposes of this Addendum, the European Economic Area and/or its member states, Switzerland and the United Kingdom.

“EU Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”); (in each case, as superseded, amended or replaced).

“Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable EU Data Protection Law.

“Privacy Requirements” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of Data (including Personal Data) that is protected by EU Data Protection Law, as applicable to Publisher, PubMatic and its Demand Partners, including without limitation: (i) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA) and the Network Advertising Initiative (NAI); and (iii) EU Data Protection Law (in each case, as amended, superseded or replaced).

“PubMatic Products” has the meaning given to it in the Agreement.

“Standard Contractual Clauses” means Module 2 (Controller to Processor) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf, as applicable and completed in accordance with this Addendum.

“Subprocessor” means any third party that has access to the Audience Personal Data and which is engaged by PubMatic to assist in fulfilling its obligations to provide the Services. Subprocessors may include PubMatic affiliates but shall exclude any PubMatic employee, contractor or consultant.

“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

“Controller”, “data subject”, “processing” (and “process”), and “Processor” shall have the meanings given to them in EU Data Protection Law.

  1. Scope of processing:  Publisher acknowledges and agrees that in connection with the PubMatic Products, PubMatic may receive from Publisher Personal Data contained within Audience Data (as defined in the Agreement) about or related to End Users of the Publisher Properties, as more particularly described in Appendix 1 of this Addendum (“Audience Personal Data”).
  2. Relationship of the parties: The parties acknowledge that PubMatic shall process Audience Personal Data under the Agreement as a Processor acting on behalf of Publisher (whether acting as a Controller or a Processor on behalf of third party Controllers) in accordance with this Addendum. Nothing in the Agreement (including this Addendum) shall limit or prevent PubMatic from collecting or using data that PubMatic would otherwise collect and process independently of Publisher’s use of the PubMatic Products.
  3. Data Protection. PubMatic agrees that:
    1. the description of the processing of Audience Personal Data is set out in Appendix 1 of this Addendum;
    2. PubMatic shall process the Audience Personal Data only for the purposes of delivering the PubMatic Products in accordance with the Agreement and on the documented lawful instructions of Publisher as set out in full in this Addendum and the Agreement, including with regard to transfers of Audience Personal Data to a third country, unless required otherwise by applicable law; in such event, PubMatic shall inform Publisher of the legal requirement before processing, unless that law prohibits the provision of such information to Publisher. PubMatic shall inform Publisher if, in its opinion, Publisher’s instructions infringe EU Data Protection Law;
    3. PubMatic shall ensure that persons authorized to process Audience Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    4. PubMatic shall respect the conditions for appointing a Subprocessor as set out in Section 5 below;
    5. taking into account the nature of the processing, PubMatic shall assist Publisher by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Publisher has under EU Data Protection Law to respond to requests from individuals to access, correct, delete, object or exercise any other rights they have in respect of the Audience Personal Data under EU Data Protection Law;
    6. if PubMatic receives any correspondence, enquiry or complaint from a data subject, regulator or any other person relating to its processing of Audience Personal Data, it will promptly inform Publisher and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, PubMatic will not respond to such correspondence, enquiry or complaint directly except to direct the data subject to the Publisher, unless authorised by Publisher (such permission not to be unreasonably withheld or delayed), and Publisher agrees that PubMatic shall have no obligation to respond on Publisher’s behalf;
    7. if Publisher is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the PubMatic Products, PubMatic shall provide (on a confidential basis) all information reasonably requested by Publisher in connection with such assessment;
    8. at the choice of Publisher, PubMatic shall delete or return all the Audience Personal Data to Publisher after the end of the provision of the PubMatic Products and the certificate of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PubMatic to Publisher upon Publisher’s written request; and
    9. PubMatic shall make available to Publisher all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Publisher (such audits not to be conducted more than once per annum and at Publisher’s expense).
  4. Subprocessing: Publisher provides PubMatic with a general authorization to engage Subprocessors to assist in processing the Audience Personal Data in the performance of the PubMatic Products provided that:
    1. PubMatic shall ensure that its Subprocessors are subject to data protection terms that protect the Audience Personal Data to the same or substantially similar standard as set out in this Addendum;
    2. PubMatic accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its Subprocessors;
    3. PubMatic maintains a list of its then-current Subprocessors and shall provide such a list to Publisher upon request; and
    4. if PubMatic wishes to appoint or replace a Subprocessor it shall provide Publisher with a minimum of [ten (10)] days prior notice and Publisher may object to such appointment or replacement on reasonable data protection grounds within [five (5)] days following receipt of such notice. If Publisher so objects, then either (i) PubMatic shall not use the proposed Subprocessor to process the Data; or (ii) if this is not possible, Publisher may terminate the Agreement for its convenience upon written notice to PubMatic.
  5. International Transfers:
    1. To the extent that PubMatic processes (or causes to be processed) any Audience Personal Data protected by EU Data Protection Law and/or originating from Europe in a country outside of Europe, it shall first take all such measures as are necessary to ensure an adequate level of protection for such Audience Personal Data in accordance with the requirements of EU Data Protection Law. For these purposes, the parties acknowledge and agree that PubMatic shall process such Audience Personal Data in accordance with the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum as follows:
      1. (i) PubMatic shall be deemed the “data importer” and Publisher shall be deemed the “data exporter”; (ii) Clause 7, the optional docking clause will apply; (iv) in Clause 9, Option 2 will apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 5 above; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of [the Netherlands]; (v) in Clause 18(b), disputes shall be resolved before the courts of [the Netherlands]; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this Addendum; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this Addendum;
      2. in relation to transfers of Audience Personal Data protected by UK Privacy Law, the Standard Contractual Clauses: (i) shall apply as completed in accordance with paragraph (a) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Appendices 1 and 2 of this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
      3. in relation to transfers of Audience Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
    2. The terms of the Standard Contractual Clauses shall apply where and to the extent (a) the applicable transfer of Audience Personal Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for Personal Data (as described in applicable EU Data Protection Law); or (b) PubMatic (as the data importer) and the applicable transfer of Audience Personal Data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, PubMatic may process the Audience Personal Data in compliance with the Adequacy Mechanism.
  6. Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PubMatic shall implement appropriate technical and organizational security measures to protect the Audience Personal Data as described in Appendix 2 of this Addendum. Such measures shall protect the Audience Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Audience Personal Data transmitted, stored or otherwise processed by PubMatic (a “Security Incident”). PubMatic shall inform Publisher without undue delay in the event of a Security Incident.
  7. General: If there is any conflict between any provision in this Addendum and any provision in the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this Addendum, and then (c) the main body of the Agreement. With effect from the effective date, this Addendum is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Audience Personal Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.

EXHIBIT A – Appendix 1

Description of Processing / Transfer

Annex 1(A): List of parties

Data Importer: Name: PubMatic, Inc.

Contact person’s name, position and contact details: DPO, contactable at dpo@pubmatic.com

Activities relevant to the data transferred: See Annex 1(B) below.

Signature and date: See Addendum.

Role (Controller/Processor): Processor

Data Exporter: Name: The party identified as “Publisher” in the Agreement or Addendum.

Contact person’s name, position and contact details: As specified in the Agreement.

Activities relevant to the data transferred: See Annex 1(B) below.

Signature and date: See Addendum.

Role (Controller/Processor): Controller

Annex 1(B): Description of the processing / transfer

Categories of Data Subjects whose personal data is transferred: The personal data transferred concern the following categories of data subjects: End Users of Publisher Properties or otherwise viewing ads delivered via the PubMatic Products.

Categories of personal data transferred: The personal data transferred concern the following categories of data: Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.), IP address.

Sensitive data transferred (if appropriate): The personal data transferred concern the following categories of sensitive data: N/A.

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.

Nature, subject matter and duration of the processing: The nature and subject matter of the processing is the provision of the PubMatic Products pursuant to the Agreement.

The duration of the data processing is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the Audience Personal Data by PubMatic in accordance with the terms of this Addendum.

Purposes of the data transfer and further processing: The transfer is made for the following purposes: For the purposes of delivering the PubMatic Products in accordance with the Agreement.

Period for which the personal data will be retained, or if that is not possible the criteria used to determine that period, if applicable: The criteria used to determine the period is: The Publisher determines the retention period for the processing in accordance with the terms of this Addendum.

Annex 1(C): Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the New SCCs: The competent supervisory authority will be determined in accordance with the GDPR.

EXHIBIT B – Appendix 2

Technical and Organisational Security Measures

PubMatic implements the Security Measures, available as agreed between the parties in the Publisher Master Services Agreement.