Dated: January 1, 2019

This Demand Partner Data Processing Addendum (the “Addendum”) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic”) and the party identified in the signature block below (“Demand Partner”). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.


A. PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.

B. PubMatic and Demand Partner have entered into a master contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Contract(s)”), under which Demand Partner may purchase digital advertising inventory via PubMatic’s demand services (the “Demand Services”).

C. PubMatic (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of PubMatic’s obligations under the Contract(s).

D. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.


  1. Definitions:
    • “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
    • “Applicable Privacy Law” means any and all applicable privacy and data protection laws (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time;
    • “EU Data Protection Law” means (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
    • “Privacy Shield” means the Swiss-US and EU-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce.
    • “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
  2. Purpose of processing: In performing its obligations under the Contract(s), PubMatic will submit certain bid requests to Demand Partner and Demand Partner will submit bids to PubMatic.  Demand Partner acknowledges that such bid requests may contain personal data (including IP addresses and other unique device identifiers) (the “Data”). Demand Partner will process such personal data only for the purposes of determining amounts to be bid on Publisher Inventory through the Demand Services (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”).
  3. Relationship of the parties: The parties acknowledge that PubMatic is a controller of the Data it discloses to Demand Partner, and that Demand Partner will process the Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the Data jointly as joint controllers.
  4. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Privacy Law.  Without limitation to the foregoing, each party shall maintain a publicly-accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Privacy Law.
  5. Non-disclosure: Demand Partner will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for the Permitted Purpose; (ii) as permitted or required pursuant to the Contract(s); or (iii) where required by applicable law.
  6. Security: Demand Partner shall implement appropriate technical and organisational measures to protect the Data: (i) from accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).  In the event that Demand Partner suffers a confirmed Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
  7. Subcontracting: Demand Partner may appoint third party processors to process Data for the Permitted Purpose, provided that such processors: (a) agree in writing to process Data in accordance with Demand Partner’s documented instructions; (b) implement appropriate technical and organisational security measures to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law.
  8. International transfers: Where EU Data Protection Law applies, the Demand Partner shall not process any Data (nor permit any Data to be processed) in a territory outside of the European Economic Area and/or its member states or Switzerland (collectively, for the purposes of this Addendum, the “EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law.  Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Privacy Law, to a recipient in the United States that has certified compliance with the Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
  9. Privacy Shield: PubMatic has self-certified its compliance to the Privacy Shield and may transfer Data protected by EU Data Protection Laws to Demand Partner. To the extent Demand Partner processes any such Data (including C2P Data), Demand Partner agrees to provide the same level of protection for such Data as is required by the Privacy Shield Principles. Demand Partner shall notify PubMatic if it makes a determination that it can no longer provide such protection and in such event, shall cease processing or take other reasonable and appropriate steps to remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
  10. Deletion: Demand Partner will not, and will not permit any third party to, retain the Data for longer than the period during which the Demand Partner has a legitimate need to retain the Data for or in connection with the Permitted Purposes.
  11. Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
  12. Processor Terms: Notwithstanding the parties’ acknowledgment that they are acting as independent controllers in respect of the Data, to the extent that there are any particular circumstances in which Demand Partner processes any Data as a processor on behalf of PubMatic (whether itself the controller or acting on behalf of a third party controller) and such Data is protected by Applicable Privacy Law in the EEA (“C2P Data”), then the Demand Partner agrees to comply with the additional terms set out in Annex A of this Addendum.
  13. Survival: This Addendum shall survive termination or expiry of the Contract(s).  Upon termination or expiry of the Contract(s), Demand Partner may continue to process the Data provided that such processing complies with the requirements of this Addendum and Applicable Privacy Law.
  14. Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws.  With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum.  Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect.  In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data).  This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes. 

Annex A

Processor Terms

To the extent that there are any particular circumstances in which Demand Partner processes C2P Data, Demand Partner agrees:

  1. it will process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons”)) in accordance with PubMatic’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
  2. it shall only process C2P Data for the Permitted Purposes. The subject matter of the processing of C2P Data by Demand Partner is the Permitted Purposes. Unless otherwise specified in this Addendum, the duration of processing, the types of C2P Data and the categories of data subjects are described in the Master Addendum;
  3. it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise) and shall not permit any person who is not under such a duty of confidentiality to process the Data. Demand Partner shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose;
  4. it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of PubMatic and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by an act, error or omission of its sub-contractor. If PubMatic refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution.  PubMatic hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform); and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
  5. it shall permit PubMatic (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law in respect of C2P Data processing, and shall for these purposes make available to PubMatic all information reasonably necessary for PubMatic (or its appointed third-party auditors) to conduct such audit;
  6. upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform PubMatic and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 6 (“Security”) of this Addendum;
  7. if PubMatic is required by Applicable Privacy Law to conduct a data protection impact assessment in respect of the Demand Services, Demand Partner shall provide all information reasonably requested by PubMatic in connection with such assessment;
  8. upon termination or expiry of the Master Addendum, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law; and
  9. it shall not process or permit the processing of such C2P Data outside the EEA without first taking all such measures as are necessary to ensure the transfer is in compliance with Applicable Privacy Law. Such measures may include (without limitation) transferring C2P Data: (i) in reliance on the standard contractual clauses for processors approved by the European Commission; (ii) in reliance on the U.S. recipient’s Privacy Shield certification; and/or (iii) in reliance on the recipient having implemented Binding Corporate Rules approved by competent EEA data protection authorities.  PubMatic hereby authorises any transfer of C2P Data to, or access to C2P Data from, any destinations outside the EEA, including to Demand Partner in the United States subject to any of these measures having been taken.