Publication Date: November 13, 2020
This Data Processing Agreement (the “Agreement”) applies to all “Publishers” who have entered into who enters into an Advertising Sales Representation Agreement (the “ASRA”) with Playwire, LLC (“Playwire”) unless otherwise specifically set forth in the ASRA. Publisher and Playwire are referred to as a “Party” and collectively, the “Parties.”
A. The Parties have previously entered into an ASRA for the provision of Services. The Parties agree that there may be Personal Data shared between the Parties, including but not limited to, internet protocol addresses, precise location data and similar unique IDs such as cookie IDs and device IDs, in connection with the performance of each Party’s obligations under the ASRA described below.
B. This Agreement only applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under this Agreement, including if (i) the Processing is in the context of the activities of an establishment of either Party in the European Economic Area (“EEA”) and/or (ii) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a Party.
C. The Parties shall ensure that they will Process Personal Data solely for the purposes contemplated in the ASRA or as otherwise agreed to in writing by the Parties. For the avoidance of doubt, this Agreement and the obligations hereunder do not apply to aggregated reporting or depersonalized statistics a Party may provide to the other Party in connection with the provision of the Services hereunder.
TERMS AND CONDITIONS
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the ASRA. Except where the context requires otherwise, references in this Agreement to the ASRA are to the ASRA as amended by, and including, this Agreement.
- Definitions and Interpretation. In this Agreement, the following terms shall have the following meanings:
a. Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
b. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.
c. “Controller to Controller Standard Clauses” in relation to the Processing of Personal Data pursuant to this Agreement means the standard clauses for the transfer of Personal Data to Controllers established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission’s Decision 2004/915/EC of 27 December 2004, available at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32004D0915. Exhibit A to this Agreement shall apply as an amendment to the to Controller Standard Clauses.
d. “Controller to Processor Standard Clauses” in relation to the Processing of Personal Data pursuant to this Agreement means the standard clauses for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010.
e. “Cross-App Advertising” as currently defined by the Network Advertising Initiative (“NAI”), means the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected, or as may be amended by the NAI from time to time.
f. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
g. “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
h. “ASRA” means any agreement between Playwire and Publisher where a Party engages in or is permitted to engage in the Processing of Personal Data of Data Subjects.
i. “Relevant Privacy Requirements” mean all (i) applicable advertising self-regulatory requirements, laws, governmental regulations and court or government agency orders, decrees and policies relating in any manner to the collection, use or dissemination of information from or about users, user traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications; (ii) any written agreements Publisher or Playwire may have with non-governmental certification or self-regulatory bodies and that are made available in writing by one Party to the other; (iii) posted privacy policies; and (iv) for mobile applications, the terms of service for the applicable mobile operating system.
j. “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other Party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
k. “Services” means services provided to the other Party pursuant to the terms of an ASRA.
l. “Subprocessor” means any entity which provides processing services on behalf of a Processor.
- Obligations of the Parties
a. The Parties agree that Publisher is a Controller and Playwire is a Processor. The Obligations of the parties are set forth on Exhibit A.
b. The Parties shall, at all times, comply with their respective obligations under Applicable Data Protection Laws.
c. Additionally, the Parties agree that the following email addresses shall be monitored for data protection enquiries and Data Subject Requests: firstname.lastname@example.org.
d. Publisher: The email address provided by Publisher during the process of accepting these terms and stored by Playwire in the course of processing Publisher’s acceptance.
- International Transfers
a. Where EU Data Protection Law applies, neither Party shall transfer or permit any Personal Data shared by the other Party to be transferred to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data or to a recipient in the United States that has certified compliance with the EU-US Privacy Shield framework.
b. Where each Party is a Controller, the following terms apply: Except with regard to Personal Data transferred from one Party to the other Party in reliance on the transferring Party’s Privacy Shield certification or other appropriate transfer mechanism specified in Section 3a above, the Controller to Controller Standard Clauses shall apply to the receiving party’s Processing of the Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the Parties transfer Personal Data in reliance on the Controller to Controller Standard Clauses, the Controller to Controller Standard Clauses shall be incorporated herein upon execution of this Agreement by the Parties. Where and to the extent that the Controller to Controller Standard Clauses apply pursuant to this Section 3, if there is any conflict between this Agreement and the Controller to Controller Standard Clauses the standard clauses shall prevail.
c. Where a Party is the other Party’s Processor, the following terms apply. Unless the Processor transfers Personal Data pursuant to a transfer mechanism specified in Section 3a above, the Processor shall execute and abide by the Controller to Processor Standard Clauses which shall apply to Processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the Parties transfer Personal Data in reliance on the Standard Clauses, the Standard Clauses shall be incorporated herein upon execution of this Agreement by the Parties. Where and to the extent that the Controller to Processor Standard Clauses apply pursuant to this Section 3, if there is any conflict between this Agreement and the Controller to Processor Standard Clauses the standard clauses shall prevail.
- Term and Concluding Provisions.
The term of this Agreement will take effect on the date of execution of this Agreement (the “Effective Date”) by the Parties and will remain in effect until terminated by either Party (the “Term”). The Parties agree that Personal Data will be processed by the other Party for the duration of the Services under the Agreement. This Agreement shall survive termination or expiry of the ASRA. Upon termination or expiry of the ASRA, each Party may continue to Process Personal Data provided that such Processing complies with the requirements of this Agreement and Applicable Data Protection Law and provided that such Processing ceases within thirty (30) days, or earlier upon written request by the other Party. Notwithstanding the Effective Date of this Addendum, the Parties agree that the obligations under this Addendum that are specific to the GDPR shall not apply until the GDPR has come into full force and effect (the “GDPR Effective Date”).
This Agreement and any underlying ASRA shall constitute the entire agreement between the Parties with respect to the subject matter hereof, and this Agreement supersedes all prior agreements or representations, oral or written, regarding such subject matter including any provisions in the ASRA which address the processing of Personal Data. This Agreement and all disputes arising out of or relating to this Agreement shall be interpreted, construed and enforced in accordance with the laws of the Republic of Ireland. Each Party irrevocably consents to the exclusive jurisdiction of the courts situated in the Republic of Ireland over all such disputes and claims under this Agreement and all actions to enforce such claims or to recover damages or other relief in connection with such claims under this Agreement except to the extent that Applicable Data Protection Law requires otherwise. The exhibits form part of this Agreement.
- Relationship of the Parties
a. In relation to all Publisher Data, Playwire acknowledges that, as between the Parties, Publisher is either (a) the Controller of Publisher Data, and that Playwire, in providing or using the Services is acting as a Processor on behalf of the Controller; (b) or Publisher is a Processor of Publisher Data, and that Playwire, in providing or using the Services is acting as a Subprocessor on behalf of Publisher. “Publisher Data” means any and all Personal Data (as that term is defined in EU Data Protection Law) that is processed by Playwire or its sub processors on behalf of Publisher in the performance of the Playwire Processor Services and its other obligations under the ASRA.
b. The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing and the type of Personal Data described in the ASRA.
c. Publisher represents and warrants that: (a) its Processing instructions comply with all Applicable Data Protection Laws; and (b) it has obtained and maintains all legally required notices, consents and permissions for the Processing and transfer of all Personal Data provided to Playwire. Publisher acknowledges that, taking into account the nature of the Processing, Playwire is not in a position to determine whether Publisher’s instructions infringe Applicable Data Protection Laws.
- Protection of Personal Data
a. In respect of the Processing of Personal Data by Playwire in connection with the Playwire Processor Services where EU Data Protection Law applies, Playwire is responsible for and shall comply with Applicable Data Protection Law and agrees that it shall:
i. process the Publisher Data only on written instructions from Publisher (which may, in particular, be given electronically or through the functionality of the Services), including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which Playwire is subject; in such a case, Playwire shall inform Publisher of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
ii. implement and maintain the technical and organizational measures set out in below and take all measures required pursuant to Article 32 of the GDPR including all organizational and technical security measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Publisher Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing;
iii. treat all Publisher Data processed by it on behalf of Publisher as confidential and ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, even after the end of their employment contract or at the end of their assignment or engagement;
iv. cooperate as reasonably requested by Publisher and implement appropriate technical and organizational measures to enable Publisher to comply with any exercise of rights by a Data Subject under Applicable Data Protection Law in respect of Personal Data processed by Playwire under the ASRA (including, without limitation, in relation to the retrieval and/or deletion of a Data Subject’s Personal Data);
v. without prejudice to Section 3 of the Terms and Conditions (International Transfers) of this Agreement, not access or transfer outside the European Economic Area (“EEA”) any Personal Data without the prior written consent of Publisher unless in accordance with EU Data Protection Law;
vi. provide (at no additional cost to Publisher) Publisher with all resources and assistance as are reasonably required by Publisher in connection with the Services performed by Playwire under the ASRA for Publisher to discharge its duties pursuant to Articles 32 to 36 of the GDPR including, but not limited to, promptly at the request of Publisher provide information in respect of any data protection impact assessment which Publisher conducts and assist Publisher with any prior consultations with any supervisory authority;
vii. at the choice of Publisher, delete or return all the Publisher Data to Publisher after the end of the provision of the Playwire Processor Services, and delete existing copies unless European Union or Member State law requires storage of the Publisher Data;
viii. make available to Publisher at its request all information necessary to demonstrate compliance with the obligations laid down in this Agreement and Article 28 of the GDPR including without limitation a detailed written description of the technical and organizational methods employed by Playwire and its Subprocessors (if any) for the Processing of Personal Data; and
ix. immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes Applicable Data Protection Law.
b. Publisher may exercise its audit right under the Applicable Data Protection Laws in relation to Publisher Data through a request that Playwire initially provide Publisher with a summary copy of Playwire’s audit report(s) related to Playwire’s technical and organizational security measures. For the avoidance of doubt, such reports shall be subject to the confidentiality provisions of the ASRA. If following Playwire’s delivery of such reports, Publisher wishes further information necessary for Playwire to demonstrate its compliance with its security obligations herein, then Playwire agrees at the request of Publisher to submit its data processing facilities (including all equipment, documents and electronic data relating to the Processing of Publisher Data) and/or any location from which Publisher Data can be accessed by Processor for audit to ascertain and/or monitor compliance with this Agreement and Applicable Data Protection Law. Such audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by Publisher and/or by a third party appointed by Publisher.
- Notification of Security Incident
a. Playwire will notify Publisher without undue delay (and, in any event within forty-eight (48) hours) upon becoming aware that an actual Security Incident involving the Publisher Personal Data in Playwire’s possession or control has occurred, as Playwire determines in its sole discretion. Playwire’s notification of or response to a Security Incident under this Section 3 (Notification of Security Incident) shall not be construed as an acknowledgment by Playwire of any fault or liability with respect to the Security Incident.
b. Playwire will, as soon as reasonably possible, provide Publisher with at least the following information with respect to the Security Incident affecting Publisher Data: (i) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects (including the number of Publisher Data Subjects) concerned and the categories and approximate number of Personal Data records concerned; (ii) the measures being taken to contain, investigate and remediate the Security Incident; (iii) the likely consequences and risks for Publisher and its Data Subjects as a result of the Security Incident; (iv) any mitigating actions taken; and (v) a proposed plan to mitigate any risks for Data Subjects and/or Publisher as a result of the Security Incident.
c. Playwire will, in connection with any Security Incident affecting Publisher Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident (and without destroying any evidence) and to identify its cause (ii) co-operate with Publisher and provide Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation and/or mitigation of the Security Incident; and (iii) immediately notify Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
d. Playwire agrees that it will not communicate with any third party, including but not limited to the media, vendors, consumers and affected individuals regarding any Security Incident involving Publisher Data without the express written consent and direction of Publisher.
a. Playwire may, subject to compliance with Section 4b, continue to use those Subprocessors already engaged by Playwire and as identified to Publisher prior to commencement of the Agreement to process any Publisher Data. Playwire may, subject to compliance with Section 4b, engage an additional or replace an existing Subprocessor to process Personal Data.
b. Playwire shall, where it engages any Subprocessor in accordance with Section 4a; (i) only use a Subprocessor that has provided sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and the Agreement and ensure the protection of the rights of Data Subjects; and (ii) impose, through a legally binding contract between Playwire and Subprocessor, data protection obligations no less onerous than those set out in the Agreement (including those that apply pursuant to the Controller to Processor Standard Clauses) on the Subprocessor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Playwire acknowledges and agrees that if any Subprocessor fails to fulfil its obligations in the contract between Playwire and Subprocessor, Playwire shall remain fully liable to Publisher for the performance of the Subprocessor’s obligations.
- Liability and Payment of Compensation.
Without prejudice to the provisions of the ASRA, Playwire shall defend, indemnify and hold Publisher harmless and keep Publisher indemnified, on demand from and against any and all damages (including non-material damage) incurred by Publisher as a result of Playwire’s and/or its employees or representatives unauthorized and/or unlawful Processing, or accidental loss, disclosure, destruction or damage to any Publisher Data obtained from (or held by Playwire or its personnel on behalf of) Publisher, save where such loss, disclosure, destruction or damage was carried out or incurred at the Publisher’s request. Playwire shall be liable for and shall indemnify Publisher and its employees and agents from and against all damages (including non-material damage) which Publisher may suffer consequent upon breach of Applicable Data Protection Law, recklessness or willful default of Playwire, its employees or agents. In no event shall Playwire’s total liability to Publisher under this Agreement exceed $500,000.00.
Playwire may change this Code of Conduct from time to time in its sole and absolute discretion.