Dated: May 11, 2021
This Demand Partner Data Processing Addendum (the “Addendum“) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic“) and the party identified in the signature block below (“Demand Partner“). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.
- PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
- PubMatic and Demand Partner have entered into a master contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Contract(s)”), under which Demand Partner may purchase digital advertising inventory via PubMatic’s demand services (the “Demand Services”).
- PubMatic (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of PubMatic’s obligations under the Contract(s).
- The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
IT IS AGREED:
- “controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
- “Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
- “European Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; in each case, as may be amended, superseded or replaced from time to time.
- “Europe” means, for the purposes of this Addendum, the European Economic Area (EEA), the United Kingdom and Switzerland;
- “Industry Protocol” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols, as amended and updated from time to time;
- “Model Clauses” means the Processor Standard Contractual Clauses and/or the Controller Standard Contractual Clauses;
- “Processor Standard Contractual Clauses” means the Standard Contractual Clauses for processors as approved by the European Commission pursuant to the European Commission decision C(2010) 593 of 5 February 2010 (as updated, amended or replaced from time to time);
- ”Privacy Shield” means the Swiss-US and EU-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce (as amended, superseded or replaced);
- “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced);
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data; and
- “Controller Standard Contractual Clauses” means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission’s decision C(2004) 5271 of 27 December 2004 (as updated, amended or replaced from time to time).
- Processing Description: In connection with the Demand Services, PubMatic will submit to Demand Services and/or Demand Partner may otherwise collect or receive certain PubMatic Data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such PubMatic Data may contain personal data, as more particularly described in Annex B (the “C2C Data”) and Annex C (“C2P Data'”) (collectively, the “Data“).
- Controller Terms applicable to C2C Data
- Demand Partner agrees that it shall (and shall ensure that any of its buyers, partners and other clients enabled by it within the Demand Services) only process and collect the C2C Data solely for the purposes expressly permitted under the Contract(s) and in a manner that complies with Applicable Privacy Laws, the Contract(s) and where applicable, the Industry Protocol (collectively and individually, the “Permitted Purposes“).
- Relationship of the parties: The parties acknowledge that PubMatic is a controller of the C2C Data it discloses to Demand Partner, and that Demand Partner will process the C2C Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the Data jointly as joint controllers.
- Consent Signals: Demand Partner shall (and shall ensure that its buyers, partners and other clients enabled by it via the Demand Services) honor all “consent”, “no consent” and “opt-out” signals received from PubMatic (or any of its publisher clients or other controllers enabled by PubMatic through the Demand Services) in compliance with Applicable Privacy Laws and where applicable, the Industry Protocol.
- Controller Standard Contractual Clauses: Demand Partner agrees to abide by and process C2C Data protected by European Data Protection Law in accordance with the Controller Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum. The terms of the Controller Standard Contractual Clauses will apply where the applicable transfer of C2C Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for personal data (as described in European Data Protection Law). For the purposes of the descriptions in the Standard Contractual Clauses, (i) Demand Partner shall be deemed the “data importer” and PubMatic shall be deemed the “data exporter” (notwithstanding that PubMatic is located outside of Europe); (ii) Annex B of this Addendum shall replace Annex B of the Standard Contractual Clauses; and (iii) the data importer selects option (iii) for the purposes of Clause 2(h) of the Standard Contractual Clauses.
- Deletion: Demand Partner will not, and will not permit any third party, to retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the Data the Permitted Purposes and in compliance with Applicable Privacy Law.
- Processor Terms applicable to C2P Data: Demand Partner acknowledges and agrees that: (i) it shall process the C2P Data as a processor on behalf of PubMatic (whether itself the controller or acting on behalf of a third party controller); and (ii) the extent such C2P Data is protected by European Data Protection Law, then the Demand Partner agrees to comply with the additional terms set out in Annex A of this Addendum.
- General Terms applicable to all Data
- Non-disclosure: Demand Partner will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
- Subcontracting:Demand Partner may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (a) agree in writing to process Data in accordance with Demand Partner’s documented instructions; (b) implement appropriate technical and organizational security measures to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
- Security: Demand Partner shall implement appropriate technical and organizational measures to protect the Data from Security Incidents (“Security Measures“). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws. In the event that Demand Partner suffers a Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
- International transfers:Where European Data Protection Law applies to the Data, the Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by PubMatic to Demand Partner from time to time) and this Addendum.
- Privacy Shield: For so long as PubMatic is certified under the Privacy Shield and where Demand Partner processes any Data protected by PubMatic’s Privacy Shield certification, Demand Partner agrees to provide the same level of protection for such Data as is required by the Privacy Shield Principles. Demand Partner shall notify PubMatic if it makes a determination that it can no longer provide such protection and in such event, shall cease processing or take other reasonable and appropriate steps to remediate, (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
- Transfer arrangements: To the extent that PubMatic adopts a data export mechanism not described in this Addendum (including any new version of or successor to the Model Clauses pursuant to applicable European Data Protection Law) for the transfer of Data (“Alternative Transfer Mechanism“), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this Addendum. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Demand Partner agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
- Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the(collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
- Change in Law: Notwithstanding anything to the contrary in the Contract or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, PubMatic may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
- Survival: This Addendum shall survive termination or expiry of the Contract(s). Upon termination or expiry of the Contract(s), Demand Partner may continue to process the Data provided that such processing complies with the requirements of this Addendum and Applicable Privacy Law.
- Miscellaneous:This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws. With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum. Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data). This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of the Contract(s), including this Addendum, the Model Clauses shall prevail to the extent of such conflict. The parties further agree this Addendum (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.
Demand Partner agrees:
- it will process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons“) in accordance with PubMatic’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
- it shall only process C2P Data for the purposes described in and in accordance with Annex C;
- it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise) and shall not permit any person who is not under such a duty of confidentiality to process the C2P Data. Demand Partner shall ensure that all Authorized Persons process the C2P Data only as necessary for the purposes described in Annex C;
- it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of PubMatic and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by an act, error or omission of its sub-contractor. If PubMatic refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution. PubMatic hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform; and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
- it shall permit PubMatic (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law in respect of C2P Data processing, and shall for these purposes make available to PubMatic all information reasonably necessary for PubMatic (or its appointed third-party auditors) to conduct such audit;
- upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform PubMatic and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 5 (c) (“Security“) of this Addendum;
- if PubMatic is required by Applicable Privacy Law to conduct a data protection impact assessment in respect of the Demand Services, Demand Partner shall provide all information reasonably requested by PubMatic in connection with such assessment;
- upon termination or expiry of the Addendum, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law; and
- where Demand Partner is a recipient of C2P Data outside of Europe in a country that does not provide adequate protection for personal data (as described in European Data Protection Law), it shall comply with the Processor Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum. For the purposes of the descriptions in the Processor Standard Contractual Clauses: (a) PubMatic shall be the “data exporter” (notwithstanding that it is located outside of Europe) and Demand Partner shall be the “data importer”; and (ii) Annex C of this Addendum and the Security Measures shall replace Appendixes 1 and 2 of the Processor Standard Contractual Clauses respectively.