Dated: July 1, 2023
This Data Processing Addendum (“DPA”) is made a part of and incorporated into the agreement entered into by and between PubMatic, Inc. (“PubMatic”) and the party identified in the signature block of the originating Agreement (“Supplier”), governing PubMatic’s use of the Supplier’s services (the “Agreement” or “Contract”). In the event of a conflict between the Agreement and this DPA, this DPA shall control to the extent of the conflict with respect to the Vendor’s Processing and disclosure of any Data (including Personal Data).
- DEFINITIONS
- “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with PubMatic and/or Supplier (as applicable). “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any PubMatic Affiliate permitted to use the Services pursuant to the Contract(s) between PubMatic and Supplier but has not signed its own agreement with Supplier.
- “Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law and US Privacy Laws.
- “Authorized Persons” means any person who processes Personal Data on Supplier’s behalf, including Supplier’s employees, officers, partners, principals, contractors and Sub-processors.
- “European Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national data protection laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”), in each case, as superseded, amended or replaced.
- “Standard Contractual Clauses” means Module 1 (Controller to Controller), Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable, of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914, completed in accordance with this DPA.
- “Personal Data” means any PubMatic Data relating to an identified or identifiable natural person (“data subject”) and/or any PubMatic Data that is deemed personal data or personally identifiable information under Applicable Privacy Laws.
- “Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce.
- “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
- “PubMatic Data” means all information (i) provided to Supplier by or at the direction of PubMatic; (ii) created or obtained by Supplier on behalf of PubMatic; or (iii) which Supplier accesses at the direction of PubMatic, in the course of Supplier’s performance under the Contract(s), including (but not limited to) any information that pertains to PubMatic and/or is Confidential Information (as defined under the Contract(s)).
- “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
- “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to PubMatic Data and/or Business Contact Data.
- “Sub-processor” means any third party (including any Supplier’s affiliate) engaged directly or indirectly by Supplier to process any Personal Data relating to this DPA and/or the Contracts. The term “Sub-processor” shall also include any third party appointed by a Sub-processor to process any Personal Data relating to this DPA and/or the Contracts.
- “US State Privacy Addendum” means the addendum to this DPA incorporating necessary requirements of relevant US Privacy Laws.
- “US Privacy Laws” means privacy laws passed in the United States including the California Consumer Privacy Act, § 1798.100 et seq., as amended by the California Privacy Rights Act of 2021 (“CCPA”), the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, and the Virginia Consumer Data Protection Act, and any supplements, amendments, or replacements to the same, and other such privacy laws that may be passed from time to time in the United States.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
- The terms “Controller”, “Processor”, “personal data” and “processing” have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in European Data Protection Law will apply.
- ROLE AND SCOPE OF PROCESSING
- Roles of the Parties and Details of Processing. Supplier shall process Personal Data under the Contract(s) as a Processor acting on behalf of PubMatic and/or its Affiliates (whether acting as Controller or acting as a Processor on behalf of third party Controllers). Supplier agrees that it will process Personal Data in compliance with the terms of this DPA.
- Supplier’s Processing of Personal Data. Supplier shall at all times: (i) process the Personal Data only for the purpose of providing the Services to PubMatic under the Contract(s) and in accordance with PubMatic’s documented instructions (of which this DPA shall form part); (ii) not process the Personal Data for its own purposes or those of any third party.
- Supplier’s Notification Obligations Regarding PubMatic Instructions. Supplier shall promptly notify PubMatic in writing, unless prohibited from doing so under Applicable Privacy Law, if:
- It becomes aware or believes that any data processing instruction from PubMatic violates Applicable Privacy Law;
- It is unable to comply with PubMatic’s data processing instructions for any reason; and/or
- It is unable to comply with the terms of the Contract(s) (including this DPA) as they relate to or govern the processing of Personal Data and/or the security of PubMatic Data for any reason.
- Business Contact Data. PubMatic shall disclose to Supplier contact information relating to PubMatic’s representatives for (i) invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management, which may include personal data (“Business Contact Data”). Supplier shall comply with all applicable laws and its applicable privacy policies with respect to the Processing of Business Contact Data and use Business Contact Data only for the purposes outlined in this Section 2.4.
- No Rights for Supplier. Except as expressly set forth to the contrary in this DPA and the Contract(s), Supplier acknowledges that it has no right, title or interest in PubMatic Data (including all Personal Data, intellectual property or proprietary information) and may not sell, rent or lease PubMatic Data to anyone.
- SUBPROCESSING
- Appointment of Sub-processors. Supplier shall not subcontract any processing of the Personal Data to a Sub-processor without the prior written consent of PubMatic. Notwithstanding the foregoing, PubMatic consents to Supplier engaging Sub-processors to process the Personal Data provided that:
- Supplier has or shall provide upon request a list of its current Sub-processors prior to the date of the execution of the Agreement and this DPA and thereafter provides at least 30 days prior written notice to PubMatic of the engagement of any new Sub-processor (including details of the processing and location) and Supplier shall update the list of all Sub-processors engaged to process Personal Data under this Agreement in writing and send such updated version to PubMatic prior to the engagement of the Sub-processor;
- Supplier imposes the same data protection terms on any Sub-processor it engages as contained in this DPA (including the Privacy Shield Principles and/or other data transfer provisions, where applicable); and
- Supplier remains fully liable for any breach of this DPA or the Contract(s) that is caused by an act, error or omission of such Sub-processor.
- Objection Right for New Sub-processors. PubMatic may object to the appointment or replacement of a Sub-processor within 20 days after PubMatic first receives prior notice of such change in accordance with Section 3.1(a) above, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss in good faith commercially reasonable alternative solutions. If the parties cannot reach resolution within a reasonable period of time, which shall not exceed thirty (30) days, Supplier will either not appoint or replace the Sub-processor or, if this is not possible, PubMatic may terminate the Contract(s) (in whole or in part), by providing written notice to Supplier. PubMatic shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of the terminated products or services without imposing a penalty for such termination on PubMatic.
- DATA SUBJECT RIGHTS AND COOPERATION
- Data Subject Request. Supplier shall reasonably cooperate with PubMatic to enable PubMatic (or its third-party Controller) to respond to any requests, complaints or other communications from data subjects and data protection supervisory authorities, regulatory or judicial bodies relating to the processing of Personal Data and Business Contact Data under the Contract(s), including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Supplier, Supplier shall promptly pass this onto PubMatic and shall not respond to such communication without PubMatic’s express authorization.
- Subpoenas and Court Orders. If Supplier receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement, data protection supervisory authority, or other public or judicial authorities) seeking the disclosure of Personal Data, Supplier shall not disclose any information but shall immediately notify PubMatic in writing of such request, and reasonably cooperate with PubMatic if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
- Data Privacy Impact Assessments (“DPIAs”). Supplier will provide reasonable assistance to PubMatic (or its third-party Controller) in connection with data protection impact assessments and any consultation with applicable data protection authorities in respect of any processing of Personal Data under the DPA, where such assessments and consultation are deemed necessary by PubMatic (or a third-party Controller).
- DATA ACCESS & SECURITY MEASURES
- Confidentiality and Limitation of Access. Supplier shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to PubMatic. Supplier shall ensure that Supplier’s access to Personal Data is limited to those personnel performing Services in accordance with this DPA.
- Security Measures. Supplier will implement and maintain all appropriate technical and organizational security measures to protect PubMatic Data and Business Contact Data from Security Incidents and to preserve the security, integrity and confidentiality of such data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall at a minimum include: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a Security Incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing. At a minimum, Supplier agrees to the Security Measures identified at Annex II to this DPA.
- SECURITY INCIDENTS
- Notification of Security Incidents. In the event of a Security Incident, Supplier shall promptly (and in no event later than 24 hours of becoming aware of such Security Incident) inform PubMatic and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Supplier.
- Supplier’s Obligations Following Security Incident. Furthermore, in the event of a Security Incident, Supplier shall:
- provide timely information and cooperation as PubMatic may require to fulfil PubMatic’s data breach reporting obligations under Applicable Privacy Laws or to comply with or respond to any inquiries by a data protection supervisory authority or any lawsuit arising from the Security Incident, including without limitation collecting and preserving all evidence pertaining to the Security Incident and the investigation conducted by Supplier;
- take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep PubMatic up-to-date about all developments in connection with the Security Incident; and
- reimburse PubMatic for the reasonable costs for PubMatic to prepare and send all notifications that are legally required or reasonably necessary (as determined in the sole discretion of PubMatic). At the written request of PubMatic, Supplier agrees to provide, at its sole expense, credit monitoring and identity theft protection services to individuals affected by a Security Incident involving Personal Data of those individuals.
- The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident shall be solely at PubMatic’s discretion, except as otherwise required by applicable laws.
- SECURITY REPORTS & INSPECTIONS
- Supplier Security Standards. Supplier shall maintain records in accordance with ISO 27001 or similar Information Security Management System (“ISMS”) standards. Upon request, Supplier shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by PubMatic to verify Supplier’s compliance with this DPA.
- Right of Inspection. While it is the parties’ intention ordinarily to rely on Supplier’s obligations set forth in Section 7.1 to verify Supplier’s compliance with this DPA, PubMatic (or its appointed representatives) may carry out an inspection of the Supplier’s operations and facilities during normal business hours and subject to reasonable prior notice where PubMatic considers it necessary or appropriate (for example, without limitation, where PubMatic has reasonable concerns about Supplier’s data protection compliance, following a Security Incident or following instruction from a data protection authority).
- INTERNATIONAL TRANSFERS
- International Transfers. Supplier and/or its Affiliates shall not process or transfer any Personal Data and/or Business Contact Data in or to a territory other than the territory in which the Personal Data and/or Business Contact Data was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by PubMatic to Supplier). Supplier shall inform PubMatic of any international transfers of Personal Data in advance of making the transfer and shall assist PubMatic in assessing the parties’ respective obligations to comply with Applicable Privacy Laws.
- Privacy Shield Flow Downs. To the extent that PubMatic and/or the Authorized Affiliates are self-certified to the Privacy Shield, Supplier represents and warrants that it shall:
- provide (and procure all Sub-processors that provide) at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles and the Security Measures set forth in Section 5.2 of this DPA;
- promptly notify PubMatic if it makes a determination that it can no longer meet its obligations under Section 8.2(a) above, and in such event, to work with PubMatic and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.2(a); and
- immediately cease (and procure that all Sub-processors immediately cease) processing such Personal Data if, in PubMatic’s sole discretion, PubMatic determines that Supplier has not or cannot correct any non-compliance with Section 8.2(a) above in accordance with Section 8.2(b) within a reasonable time frame.
- Transfer Mechanism. The parties agree that when the transfer of personal data from PubMatic (as exporter) to Supplier (as importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:
- in relation to Personal Data that is protected by the GDPR and processed in accordance with Section 2.1 of this DPA, (i) Module Two (controller to processor transfers), or Module 3 (processor to processor transfers) will apply, as appropriate; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 3 of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex I to this DPA, as applicable; and (viii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this DPA;
- in relation to Business Contact Data that is protected by the GDPR and processed in accordance with Section 2.4 of this DPA, the Standard Contractual Clauses will apply completed as follows: (i) Module One will apply (controller to controller transfers); (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex I to this Agreement, as applicable; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this Agreement;
- in relation to personal data that is protected by the UK Privacy Law, the Standard Contractual Clauses shall apply in accordance with Sections 8.3(a) and 8.3(b) of this DPA (as applicable), but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I (as applicable) and Annex II of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”;
- in relation to personal data that is protected by the Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Sections 8.3(a) and 8.3(b) of this DPA (as applicable), but with the following modifications: (i) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; (iii) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts;
- in the event that any provision of this DPA and/or the Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail;
- Supplier will not participate in any other Restricted Transfers of personal data unless the Restricted Transfer is made in compliance with Applicable Privacy Laws and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the personal data, as necessary in order to comply with Applicable Data Protection Law.
- Disclosures. Supplier acknowledges that PubMatic may disclose this DPA and any relevant privacy provisions in the Contract(s) to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.
- Alternative Transfer Mechanism. To the extent that PubMatic adopts a data export mechanism not described in this DPA (including any new version of or successor to the Standard Contractual Clauses pursuant to applicable European Data Protection Law) for the transfer of Data (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this DPA. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Supplier agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
- DELETION & RETURN
- Upon PubMatic’s request, or upon termination or expiry of this DPA, Supplier shall destroy or return to PubMatic all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Sub-processors). This requirement shall not apply to the extent that Supplier is required by any applicable law to retain some or all of the Personal Data, in which event Supplier shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
- LIABILITY
- Notwithstanding anything else to the contrary in the Contract(s), Supplier acknowledges and agrees that:
- (a) it shall be liable for any loss of PubMatic Data (including Personal Data) and Business Contact Data arising under or in connection with the Contract(s) and this DPA to the extent such loss results from any failure of Supplier (or its Sub-processors) to comply with its obligations under this DPA and/or Applicable Privacy Laws; and
- (b) any exclusion of damages or limitation of liability that may apply to limit the Supplier’s liability in the Contract(s) shall not apply to the Supplier’s liability arising under or in connection with this DPA, howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, which liability shall be expressly excluded from any agreed exclusion of damages or limitation of liability.
- The parties acknowledge and agree that any breach by Supplier of this DPA shall constitute a material breach of the Contract(s), in which event and without prejudice to any other right or remedy available to it, PubMatic may elect to immediately terminate the Contract(s) in accordance with the termination provisions in the Contract(s).
Annex I
Data Processing Description
i) LIST OF PARTIES
Data exporter(s):

| Item | Details |
| --- | --- |
| Name | PubMatic, Inc. |
| Address | See Agreement |
| Contact person’s name, position and contact details | See Agreement |
| Activities relevant to the data transferred under these Clauses | Receipt of services offered by Supplier. |
| Signature and date | See signature and date of Agreement |

Data importer(s):

| Item | Details |
| --- | --- |
| Name | Supplier (as defined in the Agreement) |
| Address | See Agreement |
| Contact person’s name, position and contact details | See Agreement |
| Activities relevant to the data transferred under these Clauses | Receipt of services offered by Supplier. |
| Signature and date | See signature and date of Agreement |

ii) DESCRIPTION OF PROCESSING / TRANSFER
Part (a) – Applicable to EU SCCs Modules 2 and 3 (controller/processor to processor transfers)
PubMatic as controller or processor
Supplier as processor
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | May include but not limited to: PubMatic employees, customers, and prospective customers |
| Categories of personal data transferred | May include but not limited to: Contact details (name, email, telephone, address) and professional details (role) |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures | N/A. However, PubMatic may submit special categories of data to the Services, the extent of which is determined and controlled by PubMatic in its sole discretion, and the Supplier shall ensure compliance with security measures. |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | On a continuous basis for the duration of the Agreement unless otherwise agreed in writing |
| Nature of the processing | For the performance of the Services in the Agreement |
| Purpose(s) of the data transfer and further processing | May include but not limited to: purposes necessary to perform the Services or as may be instructed by PubMatic |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | For the duration of the Agreement, unless otherwise agreed upon in writing. |
Part (b) – Applicable to EU SCCs Module 1 (controller to controller transfers) – Business Contact Data
PubMatic as controller
Supplier as controller
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | PubMatic employees and representatives |
| Categories of personal data transferred | Business contact information (email addresses, telephone numbers, addresses) |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous |
| Nature of the processing | Storage and use for the purposes listed below. |
| Purpose(s) of the data transfer and further processing | (i) Invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Duration of the Agreement. |
iii) COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority will be (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”); and (iii) for Personal Data protected by UK Privacy Law, the Information Commissioner’s Office (the “ICO”).
Annex II
Technical and Organisational Measures
The technical and organisational measures implemented by the processor/data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
| Measure | Description |
| --- | --- |
| Measures of pseudonymisation and encryption of personal data | Supplier shall: |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Supplier shall keep Data strictly confidential and represents that it has implemented adequate physical, technical, and organizational measures, which are reasonable based upon the sensitivity of the Data and/or necessary to secure the Personal Data and to prevent unauthorized access, disclosure, alteration, or loss of the same considering relevant risks presented by the processing. Such measures shall include, but shall not be limited to: |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Supplier shall: |
| Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Supplier shall: |
| Measures for user identification and authorisation | Supplier shall ensure that: |
| Measures for the protection of data during transmission | Supplier shall: |
| Measures for the protection of data during storage | Supplier shall: |
| Measures for ensuring physical security of locations at which personal data are processed | Supplier shall: |
| Measures for ensuring events logging | Supplier shall: |
| Measures for ensuring system configuration, including default configuration | Supplier shall ensure: |
| Measures for internal IT and IT security governance and management | Supplier shall ensure: |
| Measures for certification/assurance of processes and products | Supplier shall ensure that: |
| Measures for ensuring data minimisation | Supplier shall: |
| Measures for ensuring data quality | Supplier shall: |
| Measures for ensuring limited data retention | Supplier shall: |
| Measures for ensuring accountability | Supplier shall: |
| Measures for allowing data portability and ensuring erasure | If a data subject seeks to object to the processing of, or seeks to access, rectify, erase, restrict or block Personal Data pertaining to him or her, or exercise any rights regarding automated decision-making, withdrawal of consent, profiling or portability, Supplier shall co-operate and promptly inform the PubMatic DPO at dpo@pubmatic.com to take the actions required under the Applicable Privacy Law in accordance with PubMatic’s instructions. |
Annex III
US STATE PRIVACY LAW ADDENDUM
- General. To the extent the provisions in the DPA mutually apply to US Privacy Laws, those provisions shall be deemed incorporated by reference to this Addendum.
- Sell and Share. The terms “Sell” and “Share” shall have the meanings given to them in the CCPA.
- CALIFORNIA DATA PROCESSING. To the extent Supplier processes Personal Data of California consumers (as defined by the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq. (“CCPA”)), and Supplier is deemed a service provider under the CCPA, PubMatic instructs the following in connection with Supplier’s Processing of that Personal Data:
  - Instruction and Direction. Supplier shall use, retain, disclose, or otherwise Process Personal Data only on behalf of PubMatic and for the specific business purpose of providing the Services (or, and as hereinafter referenced, as otherwise similarly defined under the Agreement) and in accordance with PubMatic’s instructions, including as described in the Agreement. Supplier shall not Sell or Share Personal Data, where Sell and Share have the meanings given by the CCPA, nor use, retain, disclose, or otherwise Process Personal Data outside of its business relationship with PubMatic or for any other purpose except as required by law. Supplier will inform PubMatic within the time period required by Applicable Privacy Law if Supplier determines that it is no longer able to meet its obligations under Applicable Privacy Laws or where, in Supplier’s reasonable opinion, any of PubMatic’s instructions infringe any Applicable Privacy Laws. PubMatic reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
  - Limitation on Use. Supplier shall have rights to use Personal Data solely (i) to the extent necessary to (a) perform its obligations under the Agreement; (b) operate, manage, test and maintain the Services, including as part of its business operations; (c) disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of PubMatic, PubMatic Data, or Personal Data, including without limitation any individual device or individual person; and/or (d) protect the Services from a threat to the Services or Personal Data; (ii) if required by order of a court or authorized governmental agency, provided that prior notice first be given to PubMatic; or (iii) as otherwise expressly authorized by PubMatic.
  - No Combination of Personal Data. Supplier shall not combine Personal Data it Processes on PubMatic’s behalf with Personal Data it receives from or on behalf of another person or persons or that it collects from its own interaction with individuals, provided that Supplier may combine personal information to perform any business purpose permitted or required under the Agreement to perform the Services.
- Third Parties. To the extent Supplier is a Third Party under the CCPA, the following provisions shall apply in lieu of Sections 3.1 through 3.3 for such processing conducted as a Third Party: Supplier may process Personal Data only for the limited and specified purposes described in the Agreement and related mutually executed PM Approved – CC Schedules, Service Orders, Order Forms, Exhibits, Annexes, or Statements of Work, including the data protection or processing addendum and this Addendum. Supplier must comply with all Applicable Privacy Laws, including all applicable sections of the CCPA, and provide the same level of privacy protection as required of businesses by the CCPA. Among these, the Supplier must comply with consumer requests to opt out of Sales or Sharing forwarded by PubMatic. Where Supplier is providing Services that include the collection of Personal Data on either PubMatic’s or Supplier’s behalf on a PubMatic-managed website, Supplier shall check for and comply with the website visitor’s opt-out preference signal unless otherwise informed by PubMatic that such website visitor has consented to the Sale and Sharing of their Personal Data. Supplier will inform PubMatic within the time period required by Applicable Privacy Law if Supplier determines that it is no longer able to meet its obligations under Applicable Privacy Laws or where, in Supplier’s reasonable opinion, any of PubMatic’s instructions infringe any Applicable Privacy Laws. PubMatic reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
- DE-IDENTIFICATION. Where Supplier is permitted by Applicable Privacy Law or this DPA to use PubMatic Personal Data for its internal business purposes in an aggregated and de-identified manner, Supplier agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or household, where applicable), publicly commits to maintain and use the information in de-identified form only and to make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations.
- Certification. Supplier certifies that it understands these obligations and restrictions and will comply with them.
- Amendment. If PubMatic issues updates to the US State Law Addendum to account for changes in Applicable Privacy Laws concerning privacy or data security, or changes in the legal landscape based on enforcement or guidance related to Applicable Privacy Laws (“Updates”), provided PubMatic shall not materially reduce its obligations hereunder, the Parties agree such Updates will apply to this Addendum automatically as of the date such Updates take effect, provided PubMatic notifies Supplier of the Updates in writing and the Updates do not materially impact Supplier’s obligations hereunder.