ADVERTISER IO ADDENDUM TO STANDARD TERMS AND CONDITIONS FOR INTERNET ADVERTISING FOR MEDIA BUYS ONE YEAR OR LESS
The IAB/AAAA Standard Terms and Conditions Version 3.0 (“IAB/AAAA Terms”) shall apply to the IO, except as set forth in this Addendum. The specific subsections of the IAB/AAAA Terms referenced below are replaced with the modified provisions contained below, and the additional provisions contained below are added, where applicable.
XV. DATA PROTECTION
For the purposes of these terms ‘Applicable Data Protection Law’ shall mean: (a) any applicable local implementing legislation of the Data Protection Directive; (b) from 25th May 2018, the General Data Protection Regulation ((EU) 2016/679 (“GDPR”), read in conjunction with and subject to any applicable UK national legislation that provides for specifications or restrictions of the GDPR’s rules; (c) from the date of implementation, any applicable local legislation that supersedes or replaces the GDPR in a country or territory or which applies the operation of the GDPR as if the GDPR were part of any applicable local legislation; and (d) any other applicable data protection or privacy law of any jurisdiction. Advertiser and the Media Company agree to comply with the relevant provisions of Applicable Data Protection Laws. To the extent that any party processes any personal data that is either Controlled (as defined in Schedule 1) by another party in relation to this Agreement or Processed (as defined in Schedule 1) by another party on behalf of a third party Controller, it shall comply with the provisions contained in Schedule 1 of this Agreement. Where relevant, both parties warrant and undertake that they have obtained and shall obtain all necessary consents (in accordance with all applicable law, including Applicable Data Protection Law) in relation to any Personal Data Controlled by either party and Processed (each as defined in Schedule 1) in accordance with this Agreement.
1.1 In this Schedule the following terms shall have the following meanings:
“Controller” shall have the same meaning as set out in Applicable Data Protection Law;
“Data Subject(s)” shall have the same meaning as set out in Applicable Data Protection Law;
“European Economic Area, EEA” means the member states of the European Union from time to time plus additional states that are party to the EEA Agreement from time to time;
“Personal Data” shall have the same meaning as set out in Applicable Data Protection Law;
“Personnel” shall mean any staff (including temporary, casual and unpaid workers) and sub-contractors employed or appointed by the Processor;
“Processing” shall have the same meaning as set out in Applicable Data Protection Law and other parts of the verb “to process” shall be construed accordingly;
“Processor” shall have the same meaning as set out in Applicable Data Protection Law.
1.2 For the purposes of this Schedule the parties agree either Advertiser or Media Company may be the Controller or the Processor under this Agreement.
1.3 Where the Processor Processes Personal Data on behalf of the Controller, the Processor shall:
1.3.1 process the Personal Data only in accordance with the documented instructions of the Controller;
1.3.2 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
1.3.3 only employ or appoint Personnel to Process the Personal Data who have given binding undertakings of confidentiality;
1.3.4 not transfer Personal Data outside of the EEA without the prior written consent of the Controller and (where the Controller consents to such transfer) covenant that the transfer shall be made in such a way as to ensure that the level of protection offered to natural persons by Applicable Data Protection Law is not undermined, which may, at Controller’s election, involve the parties entering into standard contractual clauses as approved pursuant to ‘Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries’ (or any applicable superseding clauses);
1.3.5 comply with any obligations placed on it under Applicable Data Protection Law;
1.3.6 obtain prior written consent from the Controller in order to transfer the Personal Data to any third parties and where the Controller consents, the Processor shall:
(a) ensure that the third parties are subject to, and contractually bound by, at least the same obligations as the Processor under this paragraph 1.3;
(b) provide to the Controller copies of any documentation to demonstrate compliance with the obligations under this paragraph 1.3; and
(c) remain fully liable to the Controller for all acts and omissions of any third parties;
1.3.7 immediately alert and inform the Controller of a Personal Data breach (including, but not limited to, any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data) suffered by the Processor or third parties to which Personal Data has been transferred (“Personal Data Breach”) and provide all necessary co-operation and assistance to enable the Controller to comply with its obligations under Applicable Data Protection Law;
1.3.8 permit, or procure permission for, the Controller (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Processor’s data Processing activities (and/or those of its agents, sub-contractors, Affiliates and third parties) and comply with all reasonable requests for information or directions by the Controller to enable the Controller to verify and/or procure that the Processor is in full compliance with its obligations under this Agreement;
1.3.9 immediately notify the Controller if it receives a request from or on behalf of a Data Subject to have access to that person’s Personal Data or to exercise any of their other rights under Applicable Data Protection Law (a “Data Related Request”);
1.3.10 not respond to any Data Related Request without the prior written consent of the Controller and shall provide the Controller with full co-operation and assistance in relation to a Data Related Request, including by:
(a) providing the Controller with full details of the Data Related Request;
(b) assisting the Controller to comply with a Data Related Request (within any relevant timescales required by applicable law, including Applicable Data Protection Law and in accordance with the Controller’s instructions;
(c) providing the Controller with any Personal Data it holds in relation to an individual; and
(d) providing the Controller with any other relevant information requested by the Controller;
1.3.11 unless applicable law requires otherwise, upon termination of this Agreement:
(a) at the option of the Controller comply or procure the compliance with the following:
(i) return to the Controller all Personal Data and any other information provided by the Controller to the Processor; and/or
(ii) delete all Personal Data provided by the Controller to the Processor permanently, safely and securely and provide the Controller with a certificate of destruction; and
(b) cease to process the Personal Data;
1.3.12 where the laws of the country where the Processor is established require the Processor to transfer the Personal Data to a third country or an international organisation, inform the Controller as soon as reasonably possible of that legal requirement unless that law prohibits such communication on important grounds of public interest.
1.4 The nature/purpose of the Processing under this Agreement is: to enable the Controller to carry out its obligations under the Agreement.
1.5 The duration of the Processing under this Agreement will be for the term of this Agreement or as otherwise required by applicable law.
1.6 The types of Personal Data which may be subject to Processing under this Agreement may concern employees, consultants, subcontractors or customers of each party.