Independent Controller Data Processing Addendum

Last Updated January 28, 2022

Effective January 2022
Access prior version(s)

  1. ACCEPTANCE. This Independent Controller Data Processing Addendum (“DPA”) is entered into by and between Sovrn and Customer (each, a “Party” and together, the “Parties”). This DPA sets forth the legally binding terms between Customer and Sovrn that govern the Processing of Personal Data (as defined below) of under the Agreement.
  2. DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
    1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Sovrn or Customer respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, a Controller is also, where applicable, a “data controller” (as such term is defined under European Data Protection Laws) and a “business” (as such term is defined under the CCPA).
    3. “Data Subject” means the individual to which the Personal Data relates.
    4. “Data Protection Laws and Regulations” means, with respect to a Party, all privacy and data protection laws applicable to such Party’s Processing of Personal Data including, where applicable: (i) European Data Protection Laws; (ii) the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA”); and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
    5. “EEA” means the European Economic Area.
    6. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the EEA and its Member States.
    7. “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
    8. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    9. “Processor” means the entity which Processes Personal Data on behalf of the Controller. For the avoidance of doubt, a Processor is also, where applicable, a “data processor” (as such term is defined under European Data Protection Laws) and a “service provider” (as such term is defined under the CCPA).
    10. “Services” means the services the Parties are obligated to provide or permitted to receive pursuant to the Agreement for which each Party determines the purposes and means of the Processing of Personal Data.
    11. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as any other type of data that is considered sensitive according to Data Protection Laws and Regulations.
    12. “SCCs” means “Module One: Transfer controller to controller” of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, made available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as supplemented and/or amended by the selections and addendum set forth at https://www.sovrn.com/legal/SCC-selections/.
    13. “Transfer” means the access by, transfer or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
  3. ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each Party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The Parties acknowledge and agree that each Party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The Parties further acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other Party.
  4. RESTRICTION ON SENSITIVE DATA. The Parties acknowledge and agree that neither Party shall provide or make available Sensitive Data to the other Party in connection with the Services. The Parties acknowledge and agree that Sovrn shall have no responsibility or liability for any Sensitive Data erroneously or inadvertently transferred under this DPA. Nothing in this DPA shall be interpreted to limit any restrictions under the Agreement regarding the types of Personal Data that may be provided by Customer to Sovrn.
  5. OBLIGATIONS OF THE PARTIES.
    1. Lawfulness of Processing. Each Party acknowledges and confirms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; (b) it will only give lawful instructions to any Processors and/or Sub-Processors; (c) it will be responsible for determining the legal basis(es) of its own Processing activities; and (d) it will provide the other Party with reasonable assistance, information and cooperation as such Party may reasonably request to ensure compliance with the Parties’ respective obligations under Data Protection Laws and Regulations.
    2. Consent for Processing. Where applicable, each Party agrees that it has obtained, or has taken commercially reasonable efforts to cause to be obtained, valid Data Subject consent (including renewal of consent) as required by Data Protection Laws and Regulations for each Processing purpose for all Personal Data made available for use in connection with the Services, and, as between the Parties, remains solely responsible for obtaining such valid consent and communicating all relevant withdrawals or revocations of consent to the other Party. Each Party shall (a) notify the other Party of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that it provides to such Party (the “Data Receiving Party”) under the Agreement that would impact the Data Receiving Party’s ability to comply with the Agreement, this DPA or applicable Data Protection Laws and Regulations, and (b) where applicable, accept and abide by instructions and/or any consent signals transmitted by the other Party for Processing of Personal Data (including, for example, in the format consistent with the OpenRTB guidelines and/or relevant IAB framework signals). For the avoidance of doubt, nothing in this Section 4(b) shall limit Customer’s notice and/or consent obligations under the Agreement or under Section 8 of this DPA.
    3. Privacy Notices. In addition to any privacy policy or notice requirements under the Agreement, each Party agrees to provide all notices and disclosures to Data Subjects required to be provided by such Party under Data Protection Laws and Regulations regarding the Processing of Personal Data contemplated under this DPA and the Agreement including, where applicable, all disclosures regarding a Data Subject’s right to opt-out of Personal Data sales (as such term is defined under the CCPA). Customer acknowledges that Sovrn is a Data Broker (as such term is defined under California Civil Code § 1798.99.80) registered with the State of California.
  6. NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
  7. DATA SUBJECTS’ RIGHTS. Each Party hereby authorizes the other Party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Sovrn or Customer.
  8. REGULATORS. Each Party agrees to: (a) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other Party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
  9. DATA TRANSFERS.
    1. Transfer Authorization. Subject to this Section 9, the Parties acknowledge and agree that each Party is authorized to Process and Transfer Personal Data in any jurisdiction provided that such Processing complies with Data Protection Laws and Regulations. Each Party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
    2. Onward Transfers by Sovrn. Customer acknowledges and agrees that Sovrn may (i) store and Process Personal Data in the United States or anywhere Sovrn or its Processors maintain facilities, and (ii) disclose and/or Transfer Personal Data to third-party Controllers located in the United States and other countries as contemplated under the Agreement.
    3. Transfers of Personal Data From the EEA, Switzerland or the United Kingdom. With respect to any Transfer of Personal Data originating from the EEA, Switzerland, or the United Kingdom to a Party in a country whose laws have not been deemed by the European Commission to provide an adequate level of protection for Personal Data, and such Transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from Transfer restrictions under European Data Protection Laws, the Parties agree that the SCCs will be incorporated herein by reference and will apply to the relevant Transfer governed thereby. In furtherance of the foregoing, the Parties agree to the selections and addendum set forth at https://www.sovrn.com/legal/SCC-selections/. The SCCs shall automatically terminate with respect to a given Transfer once the Transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis.
  10. CONFIDENTIALITY. The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
  11. LIMITATION OF LIABILITY. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
  12. APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCs.
  13. ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters.
  14. MODIFICATION. Modifications to this DPA will be posted on the Legal Page of Sovrn’s website at https://www.sovrn.com/legal or Customer can subscribe to receive notifications of changes to this DPA by clicking on the RSS feed icon at the top of this page. Changes will not apply retroactively and generally will become effective 14 days after they are posted. However, changes addressing new functions for a Service or made for legal reasons will be effective immediately. If Customer does not agree to any terms in this Agreement, Customer must not use the Services. Customer’s continued use of the Services after the effective date of this DPA or the effective date of any change constitutes Customer’s acceptance of and agreement to follow and be bound by such changes.
  15. TERMINATION AND SURVIVAL. The Parties agree that this DPA is terminated upon the termination of the Agreement.
  16. INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
  17. COUNTERPARTS. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.