Advertiser Data Protection Module

Effective Date of Data Protection Module: May 1, 2018

We refer to the Advertiser Terms located at (“Agreement”) which You have accepted to avail Addictive Ads’s advertising services as an advertiser or agency or publisher, whether pursuant to insertion orders or otherwise, (referred as “You” or “Advertiser” or “Agency” or “publisher” as the context may require).

Under the Agreement, you act as a Data Processor on our behalf.

Until 25 May 2018, the Data Protection Act 1998 (the “DPA”) is the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing you carry out on our behalf under the Agreement. The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of personal data. As a result, we wish to add the Data Protection Data Protection Module, set out in the schedule attached, to the Agreement with effect from 25 May 2018 (the “Variation Date”). Additionally, due to the implementation of the GDPR, we are required to adhere to new rules relating to the international transfer of personal data. One of the simplest ways to protect the personal data transferred between us is to use the “Model Contract Clauses”, produced by the European Commission, which is incorporated into this Data Protection Module as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)”.

In order to make compliance with GDPR as simple and straightforward as possible, we will add this Data Protection Data Protection Module to the Agreement. To ensure the Data Protection Module fits in with the Agreement, it is important to note that:

  1. except as set out in this Data Protection Module, the Agreement and any other agreements already in place between us shall continue in full force and effect;
  2. in the event of any conflict or inconsistency between this Data Protection Module and the terms and conditions of the Agreement, this Data Protection Module shall prevail; and
  3. to the extent that this Data Protection Module does not address project-specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project-specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Data Protection Module, the Data Protection Data Protection Module, and the GDPR.

This Data Protection Module, (including the Model Contract Clauses) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim. Please sign and return the enclosed copy of this Data Protection Module to acknowledge your agreement of these terms. If you do not notify us of your disagreement with any of the terms of this Data Protection Module, you will be deemed to have accepted it. If you do not accept these terms, we will discontinue any EU user related transactions with You.

Data Protection Module
Parties agree that it is of paramount importance that any Processing of Personal Data is in compliance with Data Protection Laws as applicable to such party at all times in their respective capacity as a Controller or a Processor. Between You and Addictive Ads, Addictive Ads as the Controller will have the responsibility to obtain appropriate consents for Processing of Personal Data as permitted under this Data Protection Module. The Controller will notify You of any Data Subject request towards deletion, rectification or opt-out election.

    1. Definitions:
      1. Controller”, “Data Subject”, “Personal Data”, “Processor” “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
      2. Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
    2. Obligations of the Processor:
      1. Paragraphs 1.2.2 – shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.
      2. Each party acknowledges that:
        1. Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns distributed through Controller:
          (1) For attribution, audience verification and fraud detection via trackers, verification partners and affiliate postbacks;
          (2) For internal reporting purposes and for reporting to Controller;
        2. the processing shall continue, subject to paragraph 2.3.6, for the duration of this agreement;
        3. the processing concerns: clicks and impressions data, IP Address, device identifiers, handset model/type, carrier device identifiers, HTTP headers, publisher details (such as site ID, partner ID, publisher name), campaign details (such as campaign ID, creative ID) and such other data sets.
      3. The Processor shall:
        1. process the Personal Data only to the extent necessary for the purposes of performing its obligations under the Agreement and otherwise in accordance with the documented instructions of the Controller and applicable laws;
        2. not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the The processor shall inform the Controller of such requirement before making the transfer and shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law);
        3. ensure that all persons authorized by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
        4. have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. If You or your processor are not agreeable to implement Controller’s secure or encrypted transmission mechanisms at your end, You will notify Controller how you would like to obtain the same, and in such a case, You will remain liable during transmission thereof to You or your processor; In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.
        5. not engage another Processor of the Personal Data without the prior authorization of the Controller, and where the Processor does engage another Processor, substantially similar obligations to those set out in paragraphs 1.2.2 – 1.2.3 shall be imposed by the Processor on the other Processor in a written contract and the Processor shall remain fully liable to the Controller for the performance of the other Processor’s data protection obligations. Without limiting the generality of the foregoing, You acknowledge and agree that if the Controller is required to share any Personal Data with your trackers or such other third parties including Your advertisers for the purpose of the Agreement, You will remain liable to ensure that such trackers or third parties remain processors to You and will contractually require them to comply with the terms of this Data Protection Module and remain liable for their acts or omissions;
        6. cease processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;
        7. You shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.
        8. If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or deletes the same to honor any Data Subject’s request.
        9. make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and allow for the contribution to audits, including inspections, conducted by the Controller of its representative; and
        10. at the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorized or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences; and
        11. indemnify, defend and hold harmless the Controller against all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising from any third party claims, which the Controller may incur or suffer by reason of any breach of this paragraph 1.2.3 by the Processor.
      4. Where the Processor intends to or replace other Processors, it shall first inform the Controller of the intended change, and shall not add or replace such other Processor until the Controller has given its approval to the proposal.
      5. The Processor acknowledges that the Controller is under certain record-keeping obligations under the Data Protection Legislation, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.
    3. MODEL CONTRACT CLAUSES The Model Contract Clauses require us to set out more detail about what data we are transferring to you and why, as well as how you keep that data secure. We have set this out in the sections below.
      1. Description of your data processing for us
        1. We are the Data Controller and our contact details are set out in this Data Protection Module.
        2. You are the Data Processor and your contact details are also set out in this Data Protection Module.
        3. The types of data we are transferring to you or your processors are Personal Data, which does not include special categories of data.
        4. You will be carrying out the tasks in relation to that data as set out in
      2. Description of your security measures
        1. Restriction of access to data centers, systems and server rooms as necessary to ensure the protection of Personal Data.
        2. Monitoring of unauthorised access.
        3. In case of conflict between the date provided here and referred under the Agreement, the latter shall prevail.

        4. Written procedures for employees, contractors, and visitors covering confidentiality and security of information.
        5. Restricting access to systems depending on the sensitivity/criticality of such systems.
        6. Use of password protection where such functionality is available.
        7. Maintaining records of the access granted to which individuals.
        8. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
      3. Additional Provision
        1. The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.