Dated: December 1, 2022
This Event Partner Data Processing Addendum (“DPA“) is entered into by and between PubMatic, Inc. (“PubMatic“) and the Event Partner, and forms part of all agreements between the parties relating to the subject matter of this Addendum (“Agreement“). In the event of a conflict between the Agreement and this DPA, this DPA shall control to the extent of the conflict with respect to the Event Partner’s Processing and disclosure of any Data (including Personal Data).
- Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.
- “Data Protection Laws” means any privacy and/or data protection laws, regulations and binding guidance that apply to the Processing of Personal Data under this DPA and/or to the privacy of electronic communications, including (but not limited to) European Data Protection Law.
- “European Data Protection Law” means, as applicable: (i) Regulation (EU) 2016/679 (the European General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); and (v) in respect of the United Kingdom, the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (together, “UK Privacy Law”); in each case, as may be amended, superseded or replaced from time to time.
- “Controller” shall have the meaning given to it under the GDPR.
- “Data Subject” shall have the meaning given to it in the GDPR.
- “Personal Data” shall mean any information that directly or indirectly identifies an individual, including any information that is “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws. For the avoidance of doubt, information about an individual in the business context is considered Personal Data. For example, business contact information is considered Personal Data.
- “Processing” shall have the meaning given to it in the GDPR and “process“, “processes” and “processed” shall be interpreted accordingly.
- “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
- “Security Breach” means a potential or confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Data Processed under or in connection with the Agreement.
- “Standard Contractual Clauses” means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at: https://eur-lex.europa.eu/eli/dec_impl/2021/914 .
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
- Relationship of the Parties: The parties acknowledge and agree that pursuant to the Agreement (including this DPA), Event Partner will disclose the Personal Data described in Annex A (“Data”) to PubMatic for processing. The parties acknowledge and agree that Event Partner is a Controller of such Data and that PubMatic will process the Data as a separate and independent Controller for the purposes described in Annex A (or as otherwise agreed in writing by the parties) (the “Permitted Purpose“). In no event will the parties process the Data as joint Controllers.
- Data Protection Obligations
- Compliance with law: Without prejudice to Event Partner’s obligations under Section 2 of this DPA, each party agrees that it shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws. Event Partner represents and warrants to PubMatic that it is a Controller of the Data under Data Protection Laws and that it is lawfully entitled to process, and has (and, to the extent that Event Partner has obtained the Data from third party sources (“Sources“), procures that all Sources have) provided all required notices and obtained all necessary and valid consents, approvals, and authorizations (including, without limitation meeting the consent standard (where applicable) set by Data Protection Laws) from the relevant Data Subjects to: (i) process and share the Data in accordance with this Agreement; and (ii) to enable PubMatic to lawfully process the Data for the purposes contemplated by this Agreement, including the Permitted Purposes. Event Partner acknowledges that PubMatic does not have a direct relationship with the Data Subjects whose Personal Data is Processed under this DPA and accordingly accepts responsibility for the provision of notice and obtaining of consent (where applicable) in accordance with the foregoing.
- Consent Records. Event Partner shall maintain (and procure that all Sources maintain) a record of all consents obtained from Data Subjects pursuant to Section 3.1 above as required by Data Protection Laws, including the time and date on which consent was obtained, the information presented to Data Subjects in connection with their giving consent, and details of the mechanism used to obtain consent. Event Partner shall make these records available to PubMatic promptly upon written request.
- Form of Notice and Consent. Without limitation to Section 3.1 above, Event Partner agrees that where and to the extent it is responsible for providing any notice and obtaining any consents on behalf of PubMatic pursuant to this DPA or where otherwise reasonably requested by PubMatic: (a) it must obtain (and procure that all Sources obtain) PubMatic’s prior written approval of the form and method of the notice, choice and/or consent mechanism(s) used to notify data subjects and obtain their consent or exercise choice (as applicable) with respect to the processing of their personal data for the purposes contemplated by this Agreement; and (b) Event Partner agrees to make (and procure that all Sources make) any changes to such notices, choice and consent mechanisms, including with respect to form, method of delivery, or otherwise, as reasonably requested by PubMatic. If Event Partner (or any of its Sources) is unable to comply with its notice and consent obligations under this Section 3, Event Partner shall promptly notify PubMatic.
- Assistance and Cooperation.
In the event that either party receives any correspondence, enquiry or complaint from a Data Subject, regulator or other third party related to the disclosure of the Data by Event Partner to PubMatic for the Permitted Purpose; or that relates (or also relates) to the business of the other party (“Correspondence“), it shall promptly inform the other party giving full details of the same, and the parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Data Protection Laws.
- Both parties shall implement and maintain an information security program (which shall include appropriate technical and organizational measures, policies, and processes) to protect against Security Breaches and to ensure the security, availability, integrity, resilience and confidentiality of the systems storing and Processing the Data.
- Data Transfers.
- Subject to Section 6.2, the parties agree that when the transfer of Data from Event Partner (as exporter) to PubMatic (as importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:
(a) in relation to transfers of Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this DPA; and (vi) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this DPA;
(b) in relation to transfers of Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
(c) in relation to transfers of Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used, and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and the “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
(d) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement, including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
- The terms of the Standard Contractual Clauses will not apply where and to the extent PubMatic (as data importer) and the applicable transfer of Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data provided that it is deemed legally valid in jurisdictions subject to European Data Protection Law (an “Adequacy Mechanism“), in which case PubMatic shall process the Personal Data in compliance with the Adequacy Mechanism and the Standard Contractual Clauses shall not apply.
- The parties agree that if Data Protection Laws no longer allow the lawful transfer of Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent jurisdiction requires the parties to adopt additional measures (“Additional Measures“) or an alternative data export solution (“Alternative Transfer Mechanism“) to enable the lawful transfer of Data outside of the European Economic Area, United Kingdom or Switzerland and such requirements are not satisfied by an Adequacy Mechanism in line with Section 6.2 above (if applicable), both parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which Data is transferred).
- Event Partner shall indemnify PubMatic from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage“) suffered or incurred by PubMatic as a result of Event Partner’s breach of the data protection provisions set out in this Agreement or Data Protection Laws, and provided that: (i) PubMatic gives Event Partner prompt notice of any circumstances of which it is aware that give rise to an indemnity claim; and (ii) PubMatic takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of Event Partner’s breach.
- Annexes to this DPA will be deemed to be an integral part of this Agreement to the same extent as if they had been set forth verbatim herein.
- This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
- Event Partner shall notify PubMatic of an individual within its organisation authorised to respond from time to time to enquiries regarding the Data, and shall deal with such enquiries promptly. The individual within PubMatic authorised to respond from time to time to enquiries regarding the Data, and who shall deal with such enquiries promptly, can be contacted here: firstname.lastname@example.org (or such other contact as may be communicated to Event Partner from time to time).
- In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the terms and conditions of this DPA, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (including by email) of such changes and agrees to discuss such changes in good faith.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA controls and takes precedence. With effect from the effective date, this DPA is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this DPA, this DPA supersedes and replaces such prior agreements. This DPA shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Data provided that such processing complies with the requirements of this DPA.
- This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This DPA may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.
Description of the Transfer
- List of Parties
Controller / Data exporter:

| Field | Details |
|---|---|
| Contact person’s name, position and contact details: | See Agreement |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |

Controller / Data importer:

| Field | Details |
|---|---|
| Address: | May 24, 2021 |
| Contact person’s name, position and contact details: | DPO, contactable at email@example.com |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |
- Description of Transfer
Defined terms are as set out in the Data Processing Addendum agreed between the parties.
| Item | Details |
|---|---|
| Categories of data subjects: | Registrants of Event Partner’s event(s) |
| Categories of personal data: | Contact details (name, email, telephone, address) and professional details (role). |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | |
| Nature of the processing: | Receipt and subsequent use of personal data for marketing purposes (described below). |
| Purpose(s) of the data transfer and further processing: | To send marketing and promotional communications. For example, PubMatic and/or its third-party marketing partners may use the information for PubMatic’s marketing purposes, in accordance with an individual’s marketing preferences. For PubMatic’s business purposes: PubMatic may use the information for its business purposes, such as determining the effectiveness of its promotional campaigns, and to evaluate and improve its marketing and client relationships. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | PubMatic will retain the personal data for as long as it remains necessary to do so for the fulfilment of the purposes described above. Generally speaking, (i) for marketing and promotional communications, this will be for so long as the contact details remain accurate, in the absence of any indication by the data subject that they no longer wish to be contacted; (ii) for PubMatic’s internal business purposes, this will be for so long as the client relationship with the data subject continues. |
- Competent Supervisory Authority
The competent supervisory authority will be (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”); and (iii) for Personal Data protected by UK Privacy Law, the Information Commissioner’s Office (the “ICO”).
Technical and Organizational Measures
The technical and organisational measures implemented by PubMatic as data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
| Measure | Description |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Data at rest is protected via access control policies involving authentication and authorization. Data in transit is encrypted and protected via HTTPS/TLS. PubMatic supports HTTPS for server-to-server (S2S) integrations and ad tags, and for the API for publishers. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | PubMatic uses vulnerability assessment, patch management, threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Business resiliency/continuity and disaster recovery procedures are in place, as appropriate, and are designed to maintain service and/or recover from foreseeable emergency situations or disasters. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | PubMatic uses multiple types of automated vulnerability scans and assessments, run at various frequencies (e.g., when code changes occur, daily, weekly and monthly). Additionally, PubMatic performs annual third-party penetration tests. |
| Measures for user identification and authorisation | PubMatic uses logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., unique IDs and passwords for all users, periodic access reviews, and prompt revocation or modification of access when employment terminates). |
| Measures for the protection of data during transmission | Data is encrypted in transit using TLS. |
| Measures for the protection of data during storage | Where applicable, data stored in PubMatic’s data centres is encrypted. |
| Measures for ensuring physical security of locations at which personal data are processed | PubMatic maintains physical and environmental security controls for areas within PubMatic’s co-location facilities containing client confidential information, designed to: (i) protect information assets from unauthorized physical access; (ii) manage, monitor and log the movement of persons into and out of PubMatic’s facilities; and (iii) guard against environmental hazards. Physical security controls such as logged key-card access to buildings and to sensitive areas within buildings, fire alarms and suppression systems are in use. |
| Measures for ensuring events logging | PubMatic has system audit and event logging and related monitoring procedures in place to record user access and system activity. Automated analytics are used to generate alerts for suspicious or potentially malicious activity. |
| Measures for ensuring system configuration, including default configuration | PubMatic uses configuration management tools to deploy and enforce baseline configurations on its systems. |
| Measures for internal IT and IT security governance and management | PubMatic uses network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, as well as intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of an attack. Additionally, PubMatic has incident management procedures designed to allow PubMatic to investigate, respond to, mitigate and notify of events related to PubMatic technology and information assets. Change management controls and procedures are established to ensure that human review of production changes is performed to identify potential security issues before changes are made. |
| Measures for certification/assurance of processes and products | PubMatic reviews its processes on an annual or as-needed basis. Additionally, PubMatic undergoes a SOX audit annually to ensure the effectiveness of controls relevant to security. |
| Measures for ensuring data minimisation | PubMatic has an Acceptable Use Policy which covers the ways in which personal data may be used, transferred, stored and deleted. The policy states that personal data “should only be stored on PubMatic technology assets and only the minimum information necessary to satisfy a business need should be stored.” |
| Measures for ensuring data quality | PubMatic uses change management procedures and tracking mechanisms designed to test, approve and monitor changes to PubMatic technology and information assets. |
| Measures for ensuring limited data retention | Data retention policies are in place and are reviewed regularly by information security and applicable stakeholders. |
| Measures for ensuring accountability | PubMatic has an Information Security department tasked with ensuring accountability, which is responsible for security governance (defining and socializing security policies and standards), security risk management (risk assessments, maturity assessments, etc.), security compliance (coordinating audits for third-party compliance assessments), customer trust (responding to security questionnaires, etc.) and security training and culture. The Security Engineering group is responsible for network and host-based vulnerability assessments, threat detection and incident response, network security, endpoint security and application security. The Portfolio and Program Management group is responsible for providing project management support, coordinating and updating strategic roadmaps, and driving cross-functional alignment processes. |
| Measures for allowing data portability and ensuring erasure | Data subject request processes are in place to handle erasure and data portability requests. Customers may contact firstname.lastname@example.org in order to exercise their rights. |