PUBLISHER DATA PROTECTION RIDER
This Protection Rider supplements the agreement between You and MAGGO, LLC or any of its affiliates (hereinafter referred to as “MAGGOMEDIA” or “we” or “us”) dated ______________ (the “Agreement”).
The Terms of Service located at www.maggomedia.com/terms-of-service/ (“Agreement”) which You (hereinafter referred to as “You” or “Publisher”) have accepted to avail MAGGOMEDIA’s advertising services as a publisher.
The General Data Protection Regulation (the “GDPR”), is a new piece of legislation that goes into effect on May 25, 2018 which largely supersedes the mandates of the DPA (Data Protection Act of 1998). The GDPR applies to the processing that is carried out under the Agreement for any Personal Data related to Data Subjects in the European Union (“EU”).
The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing Personal Data of Data Subjects based on EU. Therefore, the parties agree to add the Data Protection Rider, set out below to the Agreement which shall go into effect on May 25, 2018 (the “Variation Date”). These terms of the Data Protection Rider shall be deemed to be incorporated into the Agreement.
This Data Protection Rider makes reference to the “Model Contract Clauses”, produced by the European Commission, which provisions are made part of and incorporated into this Data Protection Rider in full. The Model Contract Clauses is officially known as: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C (2010)”.
Except as set out in this Data Protection Rider, the Agreement and any other agreements already in place between You and MAGGOMEDIA shall continue in full force and effect; In the event of any conflict or inconsistency between this Data Protection Rider and the terms and conditions of the Agreement, this Data Protection Rider shall prevail; and to the extent that this Data Protection Rider does not address project-specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), such project specific mechanics shall remain in place, except that they shall be interpreted to give full effect to the provisions of this Data Protection Rider and the GDPR.
This Data Protection Rider (including the Model Contract Clauses, particularly clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the laws of the Commonwealth of Pennsylvania. The parties irrevocably agree that the courts sitting in the County of Allegheny, Pennsylvania shall have exclusive jurisdiction to settle any Claim.
Please accept by clicking the acceptance button or sign and return the Data Protection Rider to acknowledge and document your agreement to these terms.
If you decline acceptance of these terms, MAGGOMEDIA will discontinue any EU user related transactions with Your applications/mobile websites. Additionally, please do not share any EU user data with MAGGOMEDIA. However, if You continue to use MAGGOMEDIA’s services, You will be deemed to have accepted these terms.
The Parties agree to the variation of the Agreement with effect from the Variation Date on the terms set out above.
For an on behalf of __________________
DATA PROTECTION RIDER
1.1 The following definitions apply in this Data Protection Rider:
“Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
“Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the applicable mandatory guidance and codes of practice issued by the regulators with proper jurisdiction.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise processed. “Publisher” is the organization to whom this letter is addressed.
2 MUTUAL OBLIGATIONS WHEN PROCESSING DATA
2.1 Each party acknowledges that:
2.1.1 MAGGOMEDIA shall Process the Personal Data for the purposes of (a) optimizing mobile online advertising campaigns across its ad network whether owned, operated or controlled by MAGGOMEDIA including but not limited to the programmatic channel; (b) interest based targeting of MAGGOMEDIA ad campaigns or other survey based services; (c) data-targeted ad inventory forecasting; (d) providing its customers, partners and relevant third parties with data as part of campaign reporting and performance (e) enrichment, creation of audience profile/segments including sharing with data partners for enrichment purposes. Publisher further acknowledges that MAGGOMEDIA may need to transfer Personal Data outside of EU in the context of Processing ;
2.1.2 The processing shall continue, for the duration of this Agreement;
2.1.3 The processing concerns the following Personal Data:
126.96.36.199 User device identifier;
188.8.131.52 IP address;
184.108.40.206 User-agent or such device information;
220.127.116.11 Fine location;
18.104.22.168 Persistent online identifiers (such as IDFA, ADID, GPID etc.)
2.2 The Parties acknowledge and agree that both are required to fulfill certain recordkeeping obligations under the Data Protection Legislation, and agree to provide the other Party, upon request, with all reasonable assistance and information required to satisfy such record keeping obligations.
2.3 In the event of any Personal Data breach (actual or suspected) involving the Publisher or a sub-Processor, the Publisher shall (at no cost to MAGGOMEDIA):
2.3.1 notify MAGGOMEDIA of the Personal Data breach without undue delay (but in no event no later than 24 hours after becoming aware of or first suspecting the Personal Data Breach);
2.3.2 provide MAGGOMEDIA without undue delay (and wherever possible, no later than 48 hours after becoming aware of or first suspecting the Personal Data Breach) with such details as MAGGOMEDIA may require in relation to:
(a) the nature and impact of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data, records concerned;
(b) any investigations into such Personal Data Breach;
(c) the likely consequences of the Personal Data Breach; and
(d) any measures taken, or that the Publisher will take to address the Personal Data Breach, including those aimed at mitigating its possible adverse effects and preventing the reoccurrence of the Personal Data Breach or a similar breach, provided that, (without prejudice to the above obligations) if Publisher cannot provide all these details within such timeframes, it shall, before the end of this timeframe, provide MAGGOMEDIA with the reasons for the delay and the assessment as to when it expects to be able to provide such relevant details (which may be phased), and give MAGGOMEDIA regular updates on these matters.
3 CONTROLLER REQUIREMENTS
3.1 Joint Controller Requirements: The Parties shall, in their respective capacities as joint Controllers:
3.1.1 at no cost to the other Party, record and then refer to the other Party promptly (and in any event within 5 Business Days of receipt) any Data Subject request or complaint which is made under Data Protection Legislation in relation to the Publisher’s processing;
3.1.2 at their respective cost and expense, provide such information and cooperation and other assistance as a Party reasonably requests in relation to a Data Subject request or complaint made under Data Protection Legislation within the timeframes reasonably required by the party;
3.1.3 implement and maintain a program to ensure that all Processing at its end and transmission of Personal Data is safeguarded and secure;
3.1.5 maintain, monitor and review records of user activities, exceptions, faults and privacy in relation to the relevant Personal Data; and
3.1.6 ensure information security events are produced, maintained, monitored and reviewed on an ongoing basis.
3.1.7 ensure that the Publisher’s relevant technical solutions are configured such that the default settings protect Data Subject privacy;
3.2 Publisher Requirements: Publisher shall:
3.2.1 seek consent from the Data Subject to the standard required by the Data Protection Legislation to collect, Process, transmit or use their Personal Data as contemplated by the Agreement including those enumerated in section 2.1.1 hereunder;
3.2.2 notify MAGGOMEDIA without undue delay (but in any event no later than 24 hours after becoming aware of the consent being withdrawn)when the consent to handle Personal Data is withdrawn by the Data Subject;
3.2.3 allow MAGGOMEDIA, or an independent auditor selected by MAGGOMEDIA, to conduct audits for the purpose of veryfing compliance by the Publisher with its obligations under the Data Protection Legislation and under this Agreement;
3.2.4 indemnify, defend and hold harmless MAGGOMEDIA against and from all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising out any third party claims which MAGGOMEDIA may incur or suffer by reason of any breach of this Data Protection Rider by the Publisher;
4 MAGGOMEDIA DATA ANALYTICS
4.1 The Publisher acknowledges that MAGGOMEDIA:
4.1.1 will add the Personal Data it processes in the context of its advertising services, and in respect of such use MAGGOMEDIA is a joint Controller; and
4.1.2 is free to use meta-data, statistics and such other information derived from the Personal Data it receives from the Publisher which cannot be identified as originating or deriving directly from such Personal Data and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.
5 MODEL CONTRACT CLAUSES
When You are a Controller, the Model Contract Clauses require us to set out more detail about what data You are transferring to us and why, as well as how we keep that data secure. We have set this out in the sections below.
Description of MAGGOMEDIA’S data processing for You
5.1 When either party Processes Personal Data on behalf of the other, such party shall execute an appropriate data processing agreement.
Description of security measures
5.2 Restriction of access to buildings, data centers and server rooms as necessary.
5.3 Adequate locks on all doors.
5.4 Monitoring of unauthorized access.
5.5 Written procedures for employees, contractors, and visitors covering confidentiality and security of information.
5.6 Restricting access to systems depending on the sensitivity and/or criticality of such systems.
5.7 Use of password protection where such functionality is available.
5.8 Maintenance of records of the access granted to individuals.
5.9 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
5.10 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
5.11 You will not provide any unsolicited data related to Data Subjects to us.