Advertiser Data Protection Rider (“RIDER”)

Effective Date of Rider: _________

Contractual Changes Required by the GDPR

We refer to the agreement between You (in the capacity of an “Advertiser” or “Agency” or “Reseller” as the context may require) and MAGGO, LLC or any of its affiliates (“MAGGOMEDIA” or “we” or “us”) [dated [ ______________*] (the “Agreement”).

OR

We refer to the Advertiser Terms located at https://www.maggomedia.com/advertiser-terms/ (“Agreement”) which You have accepted to avail MAGGOMEDIA’s advertising services as an advertiser or agency or reseller, whether pursuant to insertion orders or otherwise, (referred as “You” or “Advertiser” or “Agency” or “Reseller” as the context may require).

 

Under the Agreement, you act as a Data Processor on our behalf.

 

The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which largely supersedes the mandates of DPA (Data Protection Act of 1998)which has gone into effect on May 25th, 2018. The GDPR will then apply to the processing you carry out on our behalf under the Agreement. The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions governing the processing of personal data. Consequently, we hereby append this Data Protection Rider, set out in the schedule attached, to the Agreement with effective date as of May 25th, 2018 (the “Variation Date”). Additionally, due to the implementation of the GDPR, we are required to adhere to new rules relating to the international transfer of personal data. One of the simplest ways to protect the personal data transferred between us is to use the “Model Contract Clauses”, produced by the European Commission, which is incorporated by reference into this Rider, in full. The official  name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C (2010)”.

KEY CHANGES:

In order to be compliant with the mandates of GDPR in a manner as simple and straightforward as possible, we hereby append this Data Protection Rider to the Agreement. To ensure the Rider is consistent with the terms of the Agreement, it is important to note that:

  1. except as set out in this Rider, the Agreement and any other agreements already in place between us shall continue to be in full force and effect;
  2. in the event of any conflict or inconsistency between this Rider and the terms and conditions of the Agreement, this Rider shall prevail; and
  3. to the extent that this Rider does not address project-specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), such project-specific mechanics will remain in place, save that they shall be deemed to give full effect to the provisions of this Rider, the Data Protection Rider, and the GDPR.

 

This Rider, (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the laws of the Commonwealth of Pennsylvania. The parties irrevocably agree that the courts sitting in the County of Allegheny, Pennsylvania shall have exclusive jurisdiction to settle any Claim.

 

Please accept by clicking the acceptance button or sign and return the Data Protection Rider to acknowledge and document your agreement to these terms. If you decline acceptance of these terms, MAGGOMEDIA will discontinue any EU user related transactions with Your applications/mobile websites. Additionally, please do not share any EU user data with MAGGOMEDIA. However, if You continue to use MAGGOMEDIA’s services, You will be deemed to have accepted these terms.

 

The Parties agree to the variation of the Agreement with effect from the Variation Date on the terms set out above.

 

For and on behalf of MAGGO, LLC  we agree to the variation of the Agreement with effect from the Variation Date on the terms set out above.

 

………………………………………………….

 

For an on behalf of ___________________

 

DATA PROTECTION RIDER

Parties agree that it is of utmost importance that any Processing of Personal Data be done in compliance with Data Protection Laws as applicable to such party at all times in their respective capacity as a Controller or a Processor.  MAGGOMEDIA in its capacity of Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data as permitted under this Rider. The Controller will notify You of any Data Subject request towards deletion, rectification or opt-out election.

 

1 DATA PROTECTION

1.1 Definitions:

1.1.1 “Controller”, “Data Subject”, “Personal Data”, “Processor” “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.

1.1.2 “Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.

1.2 Obligations of the Processor:

1.2.1 Paragraphs 1.2.2 – 1.2.4.2 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.

1.2.2 Each party acknowledges that:

1.2.2.1 Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns distributed through Controller:

(1) For attribution, audience verification and fraud detection via trackers, verification partners and affiliate postbacks;

(2) For internal reporting purposes and for reporting to Controller;

1.2.2.2 the processing shall continue, subject to paragraph 2.3.6, for the duration of this agreement;

1.2.2.3 the processing concerns: clicks and impressions data, IP Address, device identifiers, handset model/type, carrier device identifiers, HTTP headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets.

1.2.3 The Processor shall:

1.2.3.1 process the Personal Data only to the extent necessary for the purposes of performing its obligations under the Agreement and otherwise in accordance with the documented instructions of the Controller and applicable laws;

1.2.3.2 not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, then the Processor shall inform the Controller of such requirement before making the transfer and shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law);

1.2.3.3 ensure that all persons authorized by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;

1.2.3.4 have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. If You or your processor are not agreeable to implement Controller’s secure or encrypted transmission mechanisms at your end, You will notify Controller how you would like to obtain the same, and in such a case, You will remain liable during transmission thereof to You or your processor; In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.

1.2.3.5 not engage another Processor of the Personal Data without the prior authorization of the Controller, and where the Processor does engage another Processor, substantially similar obligations to those set out in paragraphs 1.2.2 – 1.2.3 shall be imposed by the Processor on the other Processor in a written contract and the Processor shall remain fully liable to the Controller for the performance of the other Processor’s data protection obligations. Without limiting the generality of the foregoing, You acknowledge and agree that if the Controller is required to share any Personal Data with your trackers or such other third parties including Your advertisers for the purpose of the Agreement, You shall remain liable to ensure that such trackers or third parties remain processors to You and will contractually require them to comply with the terms of this Rider and remain liable for their acts or omissions;

1.2.3.6 cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;

1.2.3.7 You shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.

1.2.3.8 If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or deletes the same to honor any Data Subject’s request.

1.2.3.9 make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and allow for the contribution to audits, including inspections, conducted by the Controller of its representative; and

1.2.3.10 at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorized or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences; and

1.2.3.11 indemnify, defend and hold harmless the Controller against any and all losses, liabilities, damages, costs (including legal costs), fees, claims and expenses arising from any third party claims, which the Controller may incur or suffer by reason of any breach of this paragraph 1.2.3 by the Processor.

1.2.4 Where the Processor intends to or replaces other Processors, it shall first inform the Controller of the intended change, and shall not add or replace such other Processor until the Controller has given its approval to the proposal.

1.2.5 The Processor acknowledges that the Controller is under certain recordkeeping obligations under the Data Protection Legislation, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.

2 MODEL CONTRACT CLAUSES

The Model Contract Clauses require us to set out more detail about what data we are transferring to you and why, as well as how you keep that data secure. We have set this out in the sections below.

2.1 Description of your data processing for us

2.1.1 We are the Data Controller and our contact details are set out in this Rider.

2.1.2 You are the Data Processor and your contact details are also set out in this Rider.

2.1.3 The types of data we are transferring to you or your processors are Personal Data, which does not include special categories of data.

2.1.4 You will be carrying out the tasks in relation to that data as set out in 1.2.2.1.

2.2 Description of your security measures

2.2.1 Restriction of access to data centers, systems and server rooms as necessary to ensure the protection of Personal Data.

2.2.2 Monitoring of unauthorized access.

In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.

2.2.3 Written procedures for employees, contractors, and visitors covering confidentiality and security of information.

2.2.4 Restricting access to systems depending on the sensitivity/criticality of such systems.

2.2.5 Use of password protection where such functionality is available.

2.2.6 Maintaining records of the access granted to which individuals.

2.2.7 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

2.3 Additional Provision

2.3.1 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.

 

In case of conflict between the date provided herein and the one referred to under the Agreement, the latter shall prevail.