DATA PROCESSING ADDENDUM
This Data Processing Addendum is entered into as of September 10, 2019 (the “Effective Date”) between Affluent Ads, LLC d/b/a Leadnomics (“Advertiser”) and the individual or entity who signed up through the Advertiser’s online interface or entered into an Insertion Order or other governing agreement for the Advertiser Services (“Publisher”) and will apply in connection with the advertising and monetization services performed by Advertiser for Publisher (the “Services”) under the governing agreement(s) between the parties (including without limitation the Leadnomics Partner Network Terms and Conditions and any other written agreement between the parties) (collectively, the “Agreement”) which involve processing of personal data (each as defined below).
1. Data Protection
1.1. Definitions: In this Data Processing Addendum, the following terms shall have the following meanings:
(a) "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Law;
(b) "Applicable Data Protection Law" shall mean: Regulation 2016/679 General Data Protection Regulation (“GDPR”) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any applicable rules, regulations, directives, or laws adopted under or in furtherance thereof, from time to time. If the Agreement involves the processing of personal data of a data subject in a jurisdiction which has data privacy or data protection laws and regulations which are more protective of the data subject’s rights than the GDPR, then such additional laws and regulations shall be considered as part of the Applicable Data Protection Law under this Data Processing Addendum.
(c) “Publisher Properties” shall mean any and all of the Publisher’s websites, software applications, platforms, or other internet properties, as well as those owned or operated by Publisher’s third-party advertisers, publishers, or affiliates, in connection with which Publisher utilizes Advertiser’s Services.
1.2. Relationship of the Parties: Publisher (the controller) has acquired or will acquire certain personal data from data subjects (the “Data”), and hereby appoints Advertiser as a processor of such personal data in order to enable Advertiser to provide Services to Publisher. Such Data includes all personal data from data subjects collected through Publisher Properties. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3. Subject Matter, Duration, Purpose, Types of Personal Data, Categories of Data Subjects: The Agreement, any Insertion Orders issued thereunder, any amendments, addendums, and/or exhibits thereto, including this Data Processing Addendum, shall set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data processed and the categories of data subjects. Advertiser shall process the Data as a processor solely as Advertiser deems necessary to perform its obligations under the Agreement to provide the Services and this Data Processing Addendum in accordance with the instructions of Publisher (the "Permitted Purpose"), except where otherwise required by Applicable Data Protection Law. In no event shall Advertiser process the Data for its own purposes or those of any third party, except where otherwise permitted under the Agreement or required by Applicable Data Protection Law. Publisher shall obtain any necessary consent for Advertiser to access and utilize Publisher employee personal data as necessary for the provision of Advertiser Services, such as for correspondence related to business operations such as invoicing, payments, and technical issues relating to the Advertiser Services. Advertiser shall process such personal data under the legitimate business interest of maintaining business operations with Publisher.
1.4. International Transfers: Publisher shall not transfer the Data (nor permit the Data to be transferred) to any jurisdiction other than those to which transfers are permitted under the Applicable Data Protection Law unless it first establishes such protections as are necessary to ensure that the transfer is in compliance with Applicable Data Protection Law. Such protections may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission, or has certified to the U.S.-E.U. Privacy Shield and such certification has not lapsed or been revoked. Publisher hereby consents to Advertiser’s transfer of the Data for processing in the United States.
1.6. Confidentiality of Processing: Advertiser shall ensure that any person that it authorizes to process the Data (including Advertiser employees, agents, and subcontractors) (an "Authorized Person") shall be subject to a duty of confidentiality (whether a contractual duty or a statutory or other legal duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Advertiser shall ensure that all Authorized Persons process the Data only as necessary for the Permitted Purpose, or otherwise in accordance with Applicable Data Protection Law.
1.7. Security: Taking into account the state of the art, the costs of implementation, and nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of the data subjects, each party shall implement appropriate technical and organizational measures to protect the Data from accidental or unlawful destruction, and from any loss, alteration, unauthorized disclosure of, or access to the Data (each such event being a "Security Incident"). Such measures shall include, as practicable and appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
1.8. Subcontracting: Advertiser may engage any of its affiliates or third-party partners or vendors as sub-processors, provided that Advertiser or the Advertiser affiliate has entered into a written agreement with each such third-party sub-processor containing data protection obligations not less protective than those in this Data Processing Addendum with respect to the protection of Publisher’s Data to the extent applicable to the nature of the portion of the Services being provided in whole or in part by such third-party sub-processor. Advertiser may engage third-party subprocessors for purposes including without limitation: to handle the processing of payments, to detect and protect against fraud, to provide data storage and management, to assist in marketing Advertiser’s products or services, to conduct audits, to provide web analytics and business intelligence, to provide customer support, to send email and platform alerts, to provide customer surveys and messaging services, and to provide hosting, design, development and other operations which make our services possible.
1.9. Cooperation and Data Subjects' Rights: Each party shall provide reasonable and timely assistance to the other party to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party for which a duty to respond is triggered under Applicable Data Protection Law in connection with the processing of the Data. Each party shall promptly provide reasonable assistance required to permit the other party to comply with the other party’s obligations under Applicable Data Protection Law to communicate with a data subject regarding a breach with regard to such data subject’s personal data.
1.10. Data Protection Impact Assessment: If either party believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the other party and provide the other party with all such reasonable and timely assistance as the other party may require under applicable Data Protection Law in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
1.11. Security Incidents: Each party shall inform the other party without undue delay after becoming aware of any Security Incident arising under or relating to the Agreement. The informing party shall provide information and cooperation as the other party may reasonably require in order for the other party to fulfill its data breach reporting obligations under Applicable Data Protection Law. The informing party shall further take reasonable measures and actions to remedy or mitigate the effects of the Security Incident and shall provide the other party with additional information about developments in connection with the Security Incident.
1.12. Destruction or Return of Data: Upon termination or expiration of the Agreement (or a statement of work, service order, or equivalent engagement document under the Agreement), Advertiser shall (at Publisher’s election) destroy or return to Publisher all Data (including all copies of the Data) in its possession or control (including by any sub-processor(s)), unless longer retention of the personal data is required by law, regulation or other retention obligation, including, but not limited to, Advertiser data retention and back-up/archival requirements, in which case Advertiser will use reasonable efforts to isolate and protect the retained Data from further processing, except to the extent required or permitted by Applicable Data Protection Law.
1.13. Audit: Publisher shall permit Advertiser (or its appointed third party auditors, or its authorized regulators) to audit Publisher’s compliance with this Data Processing Addendum or Applicable Data Protection Law, and shall make available to Advertiser information, systems and staff reasonably necessary for Advertiser (or its third party auditors) to conduct such audit. Publisher acknowledges that Advertiser (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that Advertiser gives Publisher a minimum of 30 (thirty) days’ prior written notice of its intention to audit, the auditors conduct the audit during Publisher’s normal business hours, and the auditors take all reasonable measures to prevent unnecessary disruption to Publisher’s operations. Advertiser will not exercise its audit rights more than once in any twelve (12) calendar month period. Advertiser agrees to treat all information acquired during the course of any audits as confidential information of Publisher, and maintain the confidentiality of such information to the same nature and extent that Advertiser maintains its own confidential information.
1.14. Notifications: If Advertiser is no longer able to satisfy any of its obligations under this Data Processing Addendum, then Advertiser shall immediately notify Publisher and, if necessary, stop processing Publisher’s Data.
Publisher shall indemnify and hold harmless Advertiser and its affiliates, employees, and agents, for all costs, damages, or losses incurred in connection with claims, demands, or proceedings by a data subject or any other third party, and/or any associated financial penalties imposed by supervisory or regulatory authorities, arising from (1) any breach by Publisher of its obligations under this Data Processing Addendum, including but not limited to any misrepresentation or omission as to the legal basis for Publisher’s acquisition of the Data and/or Advertiser’s processing of the Data, or (2) any breach by Publisher of Applicable Data Protection Law. Publisher shall not enter into any settlement without Advertiser’s express prior written consent that (1) assigns, imparts or imputes fault or responsibility to Advertiser or its affiliates, (2) includes a consent to an injunction or similar relief or otherwise imposes any obligation binding upon Advertiser or its affiliates, or (3) provides for relief other than monetary damages that Publisher solely bears. Any indemnification made under this Section 2 of this Data Processing Addendum shall not be subject to any limitation of liability set forth in the Agreement, any Insertion Orders, amendments, addendums, and/or exhibits thereto.
3. Priority of Documents; Notices & Updates
In case of any conflict between the Agreement and this Data Processing Addendum, the terms of this Data Processing Addendum shall control with respect to the subject matter in conflict. Any notice to Publisher shall be effective upon Advertiser’s sending of an email to the address currently on file in Advertiser’s systems, or posting of a notice in Publisher’s account within Advertiser’s platform website. Advertiser may amend or replace this Data Processing Addendum at any time, and any such amendment or replacement will become effective immediately upon posting to the Advertiser platform website, or as otherwise communicated to Publisher. Publisher’s use of the Advertiser Services after that date will constitute acceptance of the updated Data Processing Addendum. Publisher’s sole and exclusively remedy if it objects to the amended or new Data Processing Addendum is to terminate its use of the Advertiser Services.