Data Protection Addendum (Sovrn as the Exporter)
Last Updated January 11, 2023
Effective January 2023
- ACCEPTANCE. This Independent Controller Data Processing Addendum (Sovrn as Data Exporter) (“DPA”) is entered into by and between Sovrn and Company (each, a “Party” and together, the “Parties”). This DPA sets forth the legally binding terms between Company and Sovrn that govern the Processing of Personal Data (as defined below) under the Agreement.
- DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
- “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Sovrn or Company respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, a Controller is also, where applicable, a “data controller” (as such term is defined under European Data Protection Laws) and a “business” (as such term is defined under the CCPA).
- “Data Subject” means the individual to which the Personal Data relates.
- “Data Protection Laws and Regulations” means, with respect to a Party, all privacy and data protection laws applicable to such Party’s Processing of Personal Data including, where applicable: (i) European Data Protection Laws; (ii) United States Data Protection Laws; and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the EEA and its Member States.
- “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller. For the avoidance of doubt, a Processor is also, where applicable, a “data processor” (as such term is defined under European Data Protection Laws) and a “service provider” (as such term is defined under the CCPA).
- “Services” means the services the Parties are obligated to provide or permitted to receive pursuant to the Agreement for which each Party determines the purposes and means of the Processing of Personal Data.
- “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as any other type of data that is considered sensitive according to Data Protection Laws and Regulations.
- “SCCs” means (i) “MODULE ONE: Transfer controller to controller” of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, made available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as supplemented and/or amended by the selections and addendum attached hereto as Appendix A (Standard Contractual Clauses Addendum); and (ii) the template addendum to the SCCs issued by the Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 thereof (“Approved Addendum”).
- “Transfer” means the access by, transfer or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
- “United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCDPA”); (c) the Colorado Privacy Act and its implementing regulations (“CPA”); (d) the Utah Consumer Privacy Act (“UCPA”); (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Personal Data in the United States that is already in force or that will come into force during the term of this DPA.
- ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each Party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The Parties acknowledge and agree that each Party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The Parties further acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other Party.
- OBLIGATIONS OF THE PARTIES.
- Lawfulness of Processing. Each Party acknowledges and confirms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; (b) it will only give lawful instructions to any Processors and/or sub-Processors; (c) it will be responsible for determining the legal basis(es) of its own Processing activities; and (d) it will provide the other Party with reasonable assistance, information and cooperation as such Party may reasonably request to ensure compliance with the Parties’ respective obligations under Data Protection Laws and Regulations.
- Consent for Processing. Where applicable, Sovrn has obtained, or has taken commercially reasonable efforts to cause to be obtained, valid Data Subject consent (including renewal of consent) as required by Data Protection Laws and Regulations for each Processing purpose for all Personal Data made available for use in connection with the Services, and, as between the Parties, remains solely responsible for obtaining such valid consent and communicating all relevant withdrawals or revocations of consent to the other Party. Sovrn shall (a) notify Company of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that it provides to Company under the Agreement that would impact Company’s ability to comply with the Agreement, this DPA or applicable Data Protection Laws and Regulations, and (b) where applicable, accept and abide by instructions and/or any consent signals transmitted by Company for Processing of Personal Data (including, for example, in the format consistent with the OpenRTB guidelines and/or relevant IAB framework signals).
- Privacy Notices. In addition to any privacy policy or notice requirements under the Agreement, Sovrn agrees to take commercially reasonable efforts to provide, or cause to be provided, all notices and disclosures to Data Subjects required to be provided under Data Protection Laws and Regulations regarding the Processing of Personal Data contemplated under this DPA and the Agreement including, where applicable, all disclosures regarding a Data Subject’s right to opt-out of Personal Data sales (as such term is defined under the CCPA).
- NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
- PROCESSING SUBJECT TO THE CCPA. For purposes of the CCPA, the Parties acknowledge that the Personal Data disclosed by Sovrn to Company is provided to Company only for the limited and specified purposes permitted under the express license to Data granted by Sovrn to Company pursuant to the Agreement. Company will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA. Sovrn has the right to take reasonable and appropriate steps to help ensure that Company uses the Personal Data transferred in a manner consistent with Sovrn’s obligations under the CCPA. Company will notify Sovrn if it makes a determination that Company can no longer meet its obligations under the CCPA. If Company notifies Sovrn of unauthorized use of Personal Data, including under the foregoing sentence, Sovrn will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use.
- DATA SUBJECTS’ RIGHTS. Each Party hereby authorizes the other Party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Sovrn or Company.
- REGULATORS. Each Party agrees to: (a) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other Party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
- DATA TRANSFERS.
- Transfer Authorization. Subject to this Section 8, the Parties acknowledge and agree that each Party is authorized to Process and Transfer Personal Data in any jurisdiction provided that such Processing complies with Data Protection Laws and Regulations. Each Party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
- Transfers of Personal Data From the EEA, Switzerland or the United Kingdom. If Sovrn Transfers Personal Data subject to European Data Protection Laws to Company in a country whose laws have not been deemed by the European Commission or other applicable authority to provide an adequate level of protection for Personal Data, and such Transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from Transfer restrictions under European Data Protection Laws, the Parties agree that the SCCs will be incorporated herein by reference. The SCCs shall automatically terminate with respect to a given Transfer once the Transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis.
- CONFIDENTIALITY. The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
- LIMITATION OF LIABILITY. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
- APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCs.
- ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters. In the event of a conflict between the terms of this DPA and the SCCs, the SCCs shall prevail.
- MODIFICATION. Modifications to this DPA will be posted on the Legal Page of Sovrn’s website at https://www.sovrn.com/legal or Customer can subscribe to receive notifications of changes to this DPA by clicking on the RSS feed icon at the top of this page. Changes will not apply retroactively and generally will become effective 14 days after they are posted. However, changes addressing new functions for a Service or made for legal reasons will be effective immediately. If Customer does not agree to any terms in this Agreement, Customer must not use the Services. Customer’s continued use of the Services after the effective date of this DPA or the effective date of any change constitutes Customer’s acceptance of and agreement to follow and be bound by such changes.
- TERMINATION AND SURVIVAL. The Parties agree that this DPA is terminated upon the termination of the Agreement.
- INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- COUNTERPARTS. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.
APPENDIX 1 – STANDARD CONTRACTUAL CLAUSES ADDENDUM
- Execution of the SCCs. The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the DPA Effective Date.
- Selections. The Parties agree that the selections set forth in the table below shall supplement and apply to the SCCs.

| Section Reference | Concept | Selection by the Parties |
| --- | --- | --- |
| Section IV, Clause 17 | Governing law | The Republic of Ireland |
| Section IV, Clause 18(b) | Choice of forum and jurisdiction | The Republic of Ireland |
| Annex I.A | List of parties – Data exporter | Name: Sovrn<br>Address: As set forth in the DPA.<br>Contact person’s name, position and contact details: As set forth in the DPA.<br>Activities relevant to the data transferred under these Clauses: Performance of the Agreement.<br>Role: controller |
| Annex I.A | List of parties – Data importer | Name: Company<br>Address: As set forth in the DPA.<br>Contact person’s name, position and contact details: As set forth in the DPA.<br>Activities relevant to the data transferred under these Clauses: Performance of the Agreement.<br>Role: controller |
| Annex I.B | Description of the Transfer | Categories of data subjects whose personal data is transferred: End users of digital properties owned or operated by Sovrn and/or Sovrn’s customers; data subjects whose personal data has been collected by other parties and transferred to Sovrn.<br>Categories of personal data transferred: Categories of personal data transferred may include, depending on the agreed upon Exhibit: (i) Cookies (session, persistent, LSO, other) or other unique IDs; (ii) Interest activity, behavioral targeting, or other profiling data; (iii) IP address; (iv) hashed email; (v) User agent string/OS/chipset/screen; (vi) purchase intent and/or history; and (vii) mobile device ID.<br>Sensitive data transferred (if applicable) and applied restrictions or safeguards: N/A<br>The frequency of the transfer: On a continuous basis for the terms of the Agreement.<br>Nature of the processing: As described in the Agreement.<br>Purpose(s) of the data transfer and further processing: To allow the Parties to perform and/or receive the Services under the Agreement.<br>The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data is retained only for as long as needed to fulfill obligations defined in the Agreement, or as long as needed to support a business purpose.<br>For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As above. |
| Annex I.C | Competent Supervisory Authority | Irish Data Protection Commissioner |
| Annex II | Technical and Organisational Measures | https://www.sovrn.com/company/security/ |

- Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The Parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following: (a) in the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party; and (b) the terms of the Agreement governing indemnification and limitation of liability, including Section 9 of the DPA, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d).
- Transfers from the United Kingdom. If Sovrn transfers Personal Data to Company that is subject to UK Data Protection Laws, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Sovrn’s Processing when making that transfer. The Parties acknowledge and agree that: (a) the information required to be set forth in “Part 1: Tables of the Approved Addendum” shall be completed in accordance with this Appendix 1; and (b) “Part 2: Mandatory Clauses” of the Approved Addendum, as it is revised under Section 18 thereof, is hereby incorporated herein by reference. For purposes of Section 19 of the Approved Addendum, Sovrn may end the Approved Addendum in accordance with Section 19 thereof.
- Transfers from Switzerland. If Sovrn transfers Personal Data to Company that is subject to the Swiss FDPA, the following modifications shall apply to the SCCs to the extent that the Swiss FDPA applies to Sovrn’s Processing when making that transfer: (a) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c); (b) the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss FDPA on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FDPA; and (d) the Parties agree that the supervisory authority as indicated in Annex I.C shall be, insofar as the data transfer is governed by the Swiss FDPA, the Swiss Federal Data Protection and Information Commissioner.