Independent Controller Data Processing Addendum

Last Updated July 23, 2021
  1. ACCEPTANCE. This Independent Controller Data Processing Addendum (“DPA“) is entered into by and between Sovrn and Customer. This DPA sets forth the legally binding terms between Customer and Sovrn that govern the processing of Personal Data (as defined below) of under the Agreement.
  2. DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
    1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or Sovrn respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, a Controller is also, where applicable, a “data controller” (as such term is defined under European Data Protection Laws) and a “business” (as such term is defined under the CCPA).
    3. “Data Subject” means the individual to which the Personal Data relates.
    4. “Data Protection Laws and Regulations” means, with respect to a Party, all privacy and data protection laws applicable to such Party’s Processing of Personal Data including, where applicable: (i) European Data Protection Laws; (ii) the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA“); and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
    5. “EEA” means the European Economic Area and any country for which the European Commission has published an adequacy decision finding that such country ensures an adequate level of protection in accordance with Article 45 of the GDPR.
    6. “European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and any other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent it applies to the relevant Personal Data or Processing thereof under the Agreement.
    7. “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
    8. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    9. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
    10. “Services” means the services the Parties are obligated to provide or permitted to receive pursuant to the Agreement for which each Party determines the purposes and means of the Processing of Personal Data.
    11. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as any other type of data that is considered sensitive according to Data Protection Laws and Regulations.
    12. “Controller to Controller Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission on standard contractual clauses for the transfer of Personal Data to Controllers established in third countries (excluding any optional clauses) as amended or replaced from time to time by the European Commission and made available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32004D0915.
    13. “Transfer” means the access by, transfer or delivery to, or disclosure to a person, entity or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
  3. ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each Party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The Parties acknowledge and agree that each Party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The Parties further acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other Party.
  4. PROCESSING DESCRIPTION; RESTRICTION ON SENSITIVE DATA. For the purposes of Annex B to Exhibit 1 of the SCCs,
    1. The Personal Data transferred concerns the following category of data subjects: End users of Customer’s digital properties.
    2. The categories of Personal Data transferred include: (i) Cookies (session, persistent, LSO, other); (ii) Interest activity, behavioral targeting, or other profiling data; (iii) Purchase history; (iv) IP address; and (v) User agent string/OS/chipset/screen. For the avoidance of doubt, the Parties acknowledge and agree that neither Party shall provide or make available Sensitive Data to the other Party in connection with the Services. Nothing in this DPA shall be interpreted to limit any restrictions under the Agreement regarding the types of Personal Data that may be provided by Customer.
    3. The purpose of the transfer(s) is to perform obligations defined in the Agreement.
    4. The Personal Data may be disclosed only to the following recipients or categories of recipients, depending on the Services: the Parties to the Agreement, and their affiliates, Sub-processors, contractors, officers and agents.
    5. Data protection registration information of data exporter (where applicable) shall be documented in the Party representing the data exporter’s Privacy Policy.
    6. Additional useful information (storage limits and other relevant information): the Personal Data transferred between the Parties may only be retained for the period of time permitted under this DPA and the Agreement.
  5. OBLIGATIONS OF THE PARTIES.
    1. Lawfulness of Processing. Each Party acknowledges and confirms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; (b) it will only give lawful instructions to any Processors and/or Sub-Processors; (c) it will be responsible for determining the legal basis(es) of its own Processing activities; and (d) it will provide the other Party with reasonable assistance, information and cooperation as such Party may reasonably request to ensure compliance with the Parties’ respective obligations under Data Protection Laws and Regulations.
    2. Consent for Processing. Where applicable, each Party agrees that it has obtained, or has taken commercially reasonable efforts to cause to be obtained, valid Data Subject consent (including renewal of consent) as required by Data Protection Laws and Regulations for each Processing purpose for all Personal Data made available for use in connection with the Services, and, as between the Parties, remains solely responsible for obtaining such valid consent and communicating all relevant withdrawals or revocations of consent to the other Party. Each Party shall (a) notify the other Party of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that it provides to such Party (the “Data Receiving Party“) under the Agreement that would impact the Data Receiving Party’s ability to comply with the Agreement, this DPA or applicable Data Protection Laws and Regulations, and (b) where applicable, accept and abide by instructions and/or any consent signals transmitted by the other Party for Processing of Personal Data in the format consistent with the OpenRTB guidelines, the IAB Europe’s GDPR Transparency & Consent Framework, and/or the IAB’s CCPA Framework. For the avoidance of doubt, nothing in this Section 5(b) shall limit Customer’s notice and/or consent obligations under the Agreement or under Section 9 of this DPA.
    3. Privacy Notices. In addition to any privacy policy or notice requirements under the Agreement, each Party agrees to provide all notices and disclosures to Data Subjects required to be provided by such Party under Data Protection Laws and Regulations regarding the Processing of Personal Data contemplated under this DPA and the Agreement including, where applicable, all disclosures regarding a Data Subject’s right to opt-out of Personal Data sales (as such term is defined under the CCPA). Customer acknowledges that Sovrn is a Data Broker (as such term is defined under California Civil Code § 1798.99.80) registered with the State of California.
  6. NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
  7. DATA SUBJECTS’ RIGHTS. Each Party hereby authorizes the other Party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Customer or Sovrn.
  8. REGULATORS. Each Party agrees to: (a) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other Party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) . comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
  9. DATA TRANSFERS.
    1. Transfer Authorization. Subject to this Section 9, the Parties acknowledge and agree that each Party is authorized to Transfer the Personal Data Processed in connection with the Services in accordance with Data Protection Laws and Regulations. Each Party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
    2. Onward Transfers by Sovrn. Customer acknowledges and agrees that Sovrn may (i) store and Process Personal Data in the United States or anywhere Sovrn or its Processors maintain facilities, and (ii) disclose and/or Transfer Personal Data to third-party Controllers located in the United States and other countries as contemplated under the Agreement.
    3. Transfers Out of the EEA and UK. In the event that either Party is established in the European Economic Area or the United Kingdom and Transfers Personal Data to the other Party outside of the EEA, and no lawful alternative basis for such Transfer applies, such Transfer shall be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this DPA. In furtherance of the foregoing, the Parties agree that: (i) the Standard Contractual Clauses shall come into effect on the later of (aa) the data exporter becoming a party to them, (bb) the data importer becoming a party to them, and (cc) commencement of the relevant Transfer; (ii) where Customer are acting as the data exporter, (xx) Customer acknowledges and agrees that this Section 9 shall constitute notice from Sovrn to Customer of onward Transfers to third party Controllers outside of the European Economic Area for purposes of clause II(i) of the Standard Contractual Clauses, and (yy) Customer represents and warrants that Customer have informed Data Subjects of such onward Transfer (including the purposes of the Transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards) and given Data Subjects the opportunity to object to such onward Transfer; (iii) if in effect, the Standard Contractual Clauses shall automatically terminate once the Transfer of Personal Data governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis. In the event that the Standard Contractual Clauses cease to be recognized as a legitimate basis for Transfers out of the European Economic Area or the United Kingdom, the Parties shall cooperate to identify and implement an alternative legitimate basis to the extent that one is required by European Data Protection Laws.
  10. CONFIDENTIALITY. The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
  11. LIMITATION OF LIABILITY. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
  12. APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement.
  13. ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters.
  14. MODIFICATION. This DPA may only be modified by a written amendment signed by each of the Parties. If an amendment is required in order to comply with applicable Data Protection Laws and Regulations, both Parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by the applicable Data Protection Laws and Regulations.
  15. TERMINATION AND SURVIVAL. The Parties agree that this DPA is terminated upon the termination of the Agreement.
  16. INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.