EU Data Processing Addendum

Last Updated: October 26, 2021

This EU Data Processing Addendum (“Addendum“) is entered into by and between PubMatic, Inc. (“PubMatic“) and you (“Publisher”), and forms part of all agreements between the parties relating to the subject matter of this Addendum (each, an “Agreement”). This Addendum is effective as of the date on which the Addendum is entered into or otherwise adopted by both parties (“Effective Date”).

The terms in this Addendum shall only apply to the extent PubMatic collects or otherwise processes Data (including Personal Data) protected or otherwise regulated by European Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.

IT IS AGREED:

  1. Definitions

Adequacy Mechanism” has the meaning described in Section 9.

Controller” means the entity that determines the purposes and means of the processing of Personal Data.

Data” has the meaning given to it in Section 2 of this Addendum.

Demand Partners” means PubMatic’s media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies, agency trading desks, and ad networks.

European Data Protection Law” means as applicable to a party in its Processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; in each case, as may be amended, superseded or replaced from time to time.

Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, and Switzerland.

Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable European Data Protection Law.

Privacy Requirements” means: (i) European Data Protection Law, as applicable to Publisher, PubMatic, its Demand Partners, and their respective processing of Data under this Addendum; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI), and IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced).

“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce (as may be amended, superseded or replaced).

Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).

Publisher Property” has the meaning given to it in the Agreement or, if not set forth in the Agreement, means the websites, mobile applications and/or other digital media properties owned or operated by the Publisher and accessible through the PubMatic Services or via which Personal Data used in connection with the PubMatic Services is collected.

PubMatic Services”has the meaning given to it in the Agreement or if not set forth in the Agreement, means PubMatic’s online advertising services, products, and features described at https://pubmatic.com/legal/program-descriptions.

Tracking Technologies” means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.

PubMatic Privacy Policy” means the PubMatic privacy policy available on PubMatic’s public facing website, the most current version of which is available at www.pubmatic.com/privacy-policy (as updated or amended from time to time).

Standard Contractual Clauses” means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission’s decision C(2004) 5271 of 27 December 2004.

New SCCs” means: the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

The terms “data subject“, “processing” (and “process“) shall have the meanings given to them in European Data Protection Law.

  1. Scope of processing: The parties agree that unless otherwise agreed between the parties: (i) in connection with the PubMatic Services, PubMatic may collect or otherwise receive data (including Personal Data) about or related to end users of the Publisher Properties as more particularly described in Annex A of this Addendum (collectively, “Data”); and (ii) PubMatic and its Demand Partners use Tracking Technologies in order to collect certain Data. The parties agree that PubMatic (and its Demand Partners) may process the Data for the purposes contemplated by the Agreement and for any other purposes described in the PubMatic Privacy Policy (“Permitted Purposes”).
  2. Relationship of the parties: The parties acknowledge that to the extent the Data is Personal Data, each party shall process such Data as a Controller and in PubMatic’s case, only for the Permitted Purposes.
  3. Requesting Consent: Neither PubMatic nor its Demand Partners has a direct relationship with any data subject visiting the Publisher Properties or viewing ads delivered to the Publisher Properties through the PubMatic Services. Accordingly, in each case where consent is the lawful basis for processing Personal Data and/or required for use of Tracking Technologies pursuant to the Privacy Requirements, Publisher agrees that it shall be responsible for obtaining all necessary consents from the relevant data subjects on behalf of PubMatic and applicable Demand Partners to lawfully permit PubMatic and all applicable Demand Partners to: (i) collect, process and share Data via the PubMatic Services for Permitted Purposes; and (ii) use Tracking Technologies in order to collect Data in connection with the performance of the PubMatic Services. Publisher represents and warrants that it shall, at all times maintain and make operational on Publisher Properties a mechanism for obtaining and recording such consent and that enables such consent to be withdrawn, in accordance with applicable Privacy Requirements. PubMatic is registered with and supports the IAB Transparency and Consent Framework (“Industry Framework”).
  4. Notice Requirements: Publisher agrees that it is responsible for ensuring that all data subjects are appropriately notified about the data collection and use practices taking place on the Publisher Properties through the PubMatic Services. Publisher represents and warrants that it shall conspicuously post, maintain and abide by a publicly accessible privacy notice within all Publisher Properties from which the Data is collected that satisfies the requirements of the Privacy Requirements and the Agreement (including this Addendum). Without prejudice to the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by PubMatic and its Demand Partners and the purposes of processing thereof, including for delivering ads across the Publisher Properties over time; (iii) a description of the categories of individuals who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Data; (v) a conspicuous link to or description of how to access a relevant choice mechanism; and/or (vi) any other information required to comply with the information and transparency requirements of applicable Privacy Requirements. The PubMatic Privacy Policy, its explanation of the Data PubMatic collects and how the PubMatic Services use it, may assist you in complying with your notification obligations under this Addendum.
  5. Prohibited Data Sharing: Publisher shall not include or launch any Publisher Property on any of the PubMatic Services if such Publisher Property is directed at or likely to be accessed by any data subject that is deemed a child under applicable Privacy Requirements of the country in which the child resides. Publisher shall flag within the PubMatic Services or inform PubMatic in writing prior to launching any of such Publisher Properties on any of the PubMatic Servicesor pass to PubMatic or its Demand Partners any Personal Data of any data subject that is deemed a child under applicable European Data Protection Law.
  6. Noncompliance: If Publisher is unable to comply with its consent and notice obligations under the Agreement (including this Addendum) in respect of the Data, Publisher shall promptly notify PubMatic.
  7. Co-operation and Data Subject Rights: The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under European Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (“Correspondence”). Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and polices on disclosure of information, where a party has a concern that the other party has not complied with this Addendum, the parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate.
  8. Standard Contractual Clauses:
    (a) The Standard Contractual Clauses and Section 9(c) of this Addendum shall only apply where PubMatic and Publisher entered into this Addendum on or prior to September 27, 2021, and will apply through December 27, 2022, after which date the New SCCs and Section 9(d) will apply and the Standard Contractual Clauses will no longer apply. Where PubMatic and Publisher enter into this Addendum on or after September 27, 2021, the New SCCs and Section 9(d) shall apply. PubMatic agrees to abide by and process Data in accordance with the Standard Contractual Clauses or the New SCCs, whichever apply as set forth in this Section 9(a) (collectively referred to as “Applicable SCCs”). The parties agree that the Applicable SCCs are hereby incorporated into and form an integral part of this Addendum. The terms of the Standard Contractual Clauses and New SCCs (as applicable) will apply where and to the extent (i) the applicable transfer of Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for Personal Data (as described in applicable European Data Protection Law); or (ii) PubMatic and the applicable transfer of Data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data, such as Privacy Shield (provided that it is deemed legally valid in jurisdictions subject to European Data Protection Law) and any superseding U.S. – EU cross-border data transfer program (an “Adequacy Mechanism”).
    (b) Where an Adequacy Mechanism applies, PubMatic shall process the Data in compliance with the Adequacy Mechanism, including (if applicable) the Privacy Shield Principles.
    (c) For the purposes of the Standard Contractual Clauses the parties agree, (i) PubMatic shall be deemed the “data importer” and Publisher shall be deemed the “data exporter”; (ii) Annex A of this Addendum shall replace Annex B of the Standard Contractual Clauses; and (iii) the data importer selects option (iii) for the purposes of Clause 2(h) of the Standard Contractual Clause. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement, including this Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict.
    (d) For the purposes of the New SCCs the parties agree, (i) PubMatic shall be deemed the “data importer” and Publisher shall be deemed the “data exporter”; (ii) Module 1 will apply; (iii) in Clause 7, the optional docking clause will apply and in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the New SCCs will be governed by laws of the Netherlands; (v) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; (vi) Annex I of the New SCCs shall be deemed completed with the information set out in Annex A to this Addendum; and (vii) Annex II of the New SCCs shall be deemed completed with the information set out in Annex B to this Addendum.
    It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or New SCCs (as applicable). Accordingly, if and to the extent the Standard Contractual Clauses or the New SCCs conflict with any provision of the Agreement, including this Addendum, the Standard Contractual Clauses or New SCCs (as applicable) shall prevail to the extent of such conflict.
  9. Contact. Publisher shall notify PubMatic of an individual within its organisation authorised to respond from time to time to enquiries regarding the Data and shall deal with such enquiries promptly. The individual within PubMatic authorised to respond from time to time to enquiries regarding the Data and who shall deal with such enquiries promptly can be contactable here: dpo@pubmatic.com (or such other contact as may be communicated to Publisher from time to time).
  10. Changes in Law. In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the PubMatic Services, the means by which the PubMatic Services are provided or used and/or terms and conditions of this Addendum, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (including by email) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause a material harm to any party (which includes for the avoidance of doubt, causing a party to be in breach of European Protection Law) or materially alter any party’s provision or use (as applicable) of the PubMatic Services, such party may terminate the Agreement for the affected PubMatic Services upon written notice without liability for such termination.
  11. Security: Both parties shall implement appropriate technical and organizational measures to protect the copy of the Data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data.
  12. General: Except for the changes made by this Addendum, the Agreement remain unchanged and in full force and effect. If there is any conflict between any provision in this Addendum and any provision in the Agreement, this Addendum controls and takes precedence. With effect from the effective date, this Addendum is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.

Annex A

Description of the Transfer

A. List of Parties

Controller/ Data exporter:

1. Name: See Addendum
Address: See Addendum
Contact person’s name, position and contact details: See Addendum
Activities relevant to the data transferred under these Clauses: See Section B (description of Transfer) below.
Signature and date:   See Addendum
Role (controller/processor): Controller

 

Controller / Data importer:

1. Name: PubMatic, Inc.
Address: 3 Lagoon Drive, Suite 180
Redwood City, CA 94065
Contact person’s name, position and contact details: DPO, contactable at dpo@pubmatic.com
Activities relevant to the data transferred under these Clauses: See Section B (description of Transfer) below.
Signature and date:   See Addendum
Role (controller/processor): Controller

 

B. Description of Transfer

Defined terms are as set out in the Data Processing Addendum agreed between the parties.

Categories of Data Subjects whose Personal Data is transferred:

  • End users of the Publisher Properties or end users viewing ads delivered to the Publisher Properties;
  • Publisher employees and other personnel authorized to use the PubMatic Services.

Categories of Personal Data transferred: 

End users

  • Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.,); IP address, data that could be used for fingerprinting , latitude and longitude;
  • Demographic information: location, age range, gender, other Publisher-specified demographics (tied to an identifier);
  • User agent or such device information;
  • Behavioral data: frequency of identifiers visiting and viewing Publisher Sites and viewing and taking actions with respect to advertising .

Publisher Personnel:

Contact details (name, email, telephone) and professional details (role).

Recipients:  Demand Partners, sub-contractors, Advertisers/ad-buyers, supervisory authority, Affiliates, Publisher.

Sensitive data transferred (if applicable): None.

Frequency of the transfer:

End Users – Continuous

Publisher Personnel – Only where required to facilitate communication between the parties.

Nature of the Processing: The provision of the PubMatic Services.

Purpose(s) of the data transfer and further processing:

End Users: For the Permitted Purposes (as defined in this Addendum)

Publisher Personnel:  For business relationship and account management purposes.

Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: :

Personal Data will be retained in accordance with Section 4.7 of the PubMatic Privacy Policy at https://pubmatic.com/legal/privacy-policy/

Contact points for data protection enquiries:

Data Importer:  See Section A (List of Parties)
Data Exporter:  See Section A (List of Parties)

C. Competent Supervisory Authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”). With respect to UK Data, the competent supervisory authority is the Information Commissioners Office (the “ICO”).

Annex B

Technical and Organizational Measures

The technical and organizational measures implemented by PubMatic (including any relevant certifications) to maintain an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure Terms
Measures of pseudonymisation and encryption of personal data Description of technical measures in place to prevent re-identification

·       PubMatic has implemented data minimisation and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject.  This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses.

·       PubMatic only works with pseudonymized identifiers and has management and organizational controls are in place to prohibit internal teams, any relevant partners and subprocessors, from re-identifying data processing in connection with the Agreement.

·       If and when directly identifiable information were to be processed in connection with the services for addressability purposes, PubMatic will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to, hashing, to help ensure data cannot be reidentified by unauthorised parties.

·       Advertising identifiers used by PubMatic to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.

·       When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed, but instead segment codes/deal codes are exchanged by the parties. PubMatic does not process any characteristics about data subjects in connection with the services.

·       The data importer uses, as far as possible, encryption for the transport of personal data.

Measures for ensuring ongoing confidentiality of processing systems and services Description of measures in place to secure information stored on systems.

·       PubMatic has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.

·       PubMatic limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed under the agreement.

·       Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel.  Security program that aligns to industry good practices.

Measures for ensuring ongoing integrity of processing systems and services PubMatic has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to PubMatic’s industry; and (iii) any security requirements under the laws applicable company under applicable law.
Measures for ensuring ongoing availability and resilience of processing systems and services PubMatic maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident ·       See response above.

·       Further measures include regular backups, business continuity readiness plans, and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing ·       At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

·       Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorisation ·       PubMatic has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request.

·       PubMatic has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.

·       PubMatic has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage ·       PubMatic does not process any sensitive personal information, and personal data processing is limited in scope, pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by PubMatic.

·       Data is only stored for as long as necessary for Demand Partner’s legitimate business purposes and is subject to a data retention schedule.

·       Personal data minimization procedures are in place with regard to personal data stored on PubMatic’s systems (e.g., last octet of IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.)

Measures for ensuring physical security of locations at which personal data are processed ·       Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware.  Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.

·       PubMatic provides personnel who access personal data with appropriate information security and data protection training. PubMatic maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centres, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Measures for certification/assurance of processes and products ·       PubMatic participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice. IAB TCF 2.0, and the IAB CCPA Compliance Framework.
Measures for ensuring data minimisation ·       Procedures are embedded in the system development process to minimize personal data collected and processed by the PubMatic (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).

·       PubMatic has a dedicated technical privacy specialist whose role focuses is at least partly dedicated to reviewing the implementation of data minimization across the organization.

 

Measures for ensuring accountability ·       PubMatic performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.

·       PubMatic has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.

·       The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure ·       PubMatic has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws.  PubMatic has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.