Data Processing Addendum | Awin
This U.S. Data Processing Addendum (“DPA”) forms a part of the affiliate marketing advertiser agreement (the “Agreement”) entered into by the Company and the Advertiser, in which this DPA is incorporated by reference.
1. INTERPRETATION
1.1. In this DPA the following capitalised terms shall have the meanings set out below:
Advertiser Processing |
has the meaning set out in Clause 3.2. |
Advertiser Website |
the websites, apps or online services of the Advertiser. |
Applicable Laws |
all laws or regulations, regulatory policies, guidelines or industry codes which apply to Network Personal Data (including without limitation Data Protection Laws). |
Business (or “Controller”) |
an entity that determines the purposes and means of Processing of Personal Data. |
Business Intelligence |
the Processing of Network Personal Data under the Agreement for the purposes of enabling the Advertiser to better understand a consumer’s online journey and the use and audience of the Advertiser Website, as determined by the Advertiser by use of the Company’s technology. |
Consumer (or “Data Subject”) |
the individual to whom Personal Data relates. |
Cross Device Tracking |
the Processing of Network Personal Data under the Agreement for the purposes of understanding a consumer’s online journey from the Publisher Website to the Advertiser Website, made after viewing or clicking an advertisement, when this journey is commenced on one device, but a Transaction is completed on another device. |
Data Protection Law |
any data protection, privacy or similar laws that apply to data Processed in connection with the Agreement, including but not limited to, as and when applicable, the GDPR, the UK GDPR, the UK Data Protection Act 2018, ePrivacy, the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act (the “UCPA”) and any similar laws, including any final implementing regulations to any of the foregoing that are in effect or that become effective on or after the effective date of this DPA, and any amendments to these laws or replacements of these laws. |
EEA |
the European Economic Area. |
ePrivacy |
the Privacy and Electronic Communications Directive 2002/58 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (including any replacing or superseding legislation). |
GDPR |
the EU General Data Protection Regulation 2016/679. |
JC Processing |
has the meaning set out in Clause 3.1. |
Lead Generation |
the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of generating a sales lead for the Advertiser, to be subsequently used in the Advertiser’s own marketing efforts. |
MasterTag |
the Company’s JavaScript code, which may be integrated into the Advertiser Website for the purposes of the Advertiser receiving certain Services and/or enabling Plugin Integration. |
Network Personal Data |
any Personal Data Processed by either Party in connection with the provision of the Services under the Agreement. |
Personal Data |
any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a Consumer, or as otherwise defined by Data Protection Law, including any equivalent terminology such as “Personal Information” or “Personally Identifiable Information”. |
Personal Data Breach |
unauthorised, accidental or unlawful Processing, access, loss, disclosure or destruction of Network Personal Data. |
Plugin |
the technology of a Plugin Operator, which integrates with the Advertiser Website through the MasterTag, and which is used to enable the delivery of the services of the Plugin Operator. |
Plugin Integration |
the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of facilitating the integration of the Advertiser Website with the Plugin, by use of the Company technology, such as the MasterTag. |
Plugin Operator |
a third party adtech provider. |
Processing |
any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information. |
Publisher |
the operator of a website, application or service that markets advertisers or their products as an affiliate. |
Publisher Website |
the websites, apps, emails or online services of a Publisher, or third party services used by a Publisher. |
Referral |
the referral of a consumer from a Publisher Website to the Advertiser Website. |
Reporting |
the Processing of Personal Data for the purposes of reporting on the Advertiser’s use of the Services and related performance, as enabled by the Interface, and “Reports” shall be interpreted accordingly. |
Service Provider (or “Processor”) |
an entity that Processes Personal Data on behalf of a Business or Controller. |
SCCs Addendum |
|
Services |
the services provided by (or on behalf of) the Company to the Advertiser pursuant to the Agreement. |
Subprocessor |
any person (excluding an employee of either Party) appointed by or on behalf of either Party to Process Personal Data on behalf of such Party or otherwise in connection with the Agreement. |
Tracking |
the Processing of Network Personal Data under the Agreement, relating to consumer journeys across websites/online services on a single device, for the purposes of attributing the Referral of that consumer to the Advertiser Website by a Publisher or Publishers including to (i) understand a consumer’s online journey to a Publisher Website and from a Publisher Website to the Advertiser Website, made after viewing or clicking an advertisement; (ii) match the arrival of a consumer at the Advertiser Website to an online journey from a Publisher Website; and (iii) be informed when a Transaction has been completed, receive basic information about the nature of that Transaction, and attribute that Transaction to the respective Referral. |
Transaction |
either: (i) a purchase by a consumer of a product from the Advertiser; or (ii) the provision of information by a consumer to the Advertiser, for the purposes of generating a sales lead for the Advertiser, to be used in the Advertiser’s subsequent marketing efforts. |
Transaction Queries |
the Processing of Network Personal Data under the Agreement, in relation to the submission of requests from a Publisher to an Advertiser for the payment of commission in respect of a Transaction which was not tracked by the Company, or which was not validated by the Advertiser. |
UK GDPR |
the retained UK law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). |
1.2. The terms “Business Purpose”, “Sale”, “Sell”, “Sold”, “Share”, “Sharing”, “Third Party” and “Profiling” shall have the meanings given to them in applicable Data Protection Law.
1.3. References in this DPA to Articles or terms of the GDPR shall mean those Articles or terms, and/or any corresponding Articles or terms of the UK GDPR, where the UK GDPR is applicable to the processing activities carried out under this Agreement.
2. GENERAL
2.1. Where the GDPR applies, this DPA constitutes both an arrangement between joint Controllers pursuant to Article 26 of the GDPR, and a contract between a Controller and a Processor pursuant to Article 28(3) of the GDPR, as set out below and as the context requires or permits. The subject-matter, duration of the processing, the nature and purpose, the type of personal data and categories of data subjects are set out below in Schedule 1.
2.2. This DPA shall only apply to the extent that the Parties are Processing Network Personal Data.
2.3. In the event of inconsistencies between the provisions of this DPA and the Agreement, this DPA shall take precedence, unless explicitly agreed otherwise in writing.
3. ROLE OF THE PARTIES
3.1. Where GDPR applies, the Company and the Advertiser shall act as joint Controllers in respect of the Processing of Network Personal Data for the purposes of:
3.1.1. Tracking
3.1.2. Cross Device Tracking; and
3.1.3. Reporting
together, “JC Processing”. Where Data Protection Laws in the United States apply, for the purposes of JC Processing, the Company shall act as a Business and/or a Controller in respect of the Processing of Network Personal Data, and the Advertiser shall also act as a Business and/or a Controller in respect of the Processing of Network Personal Data.
3.2. The Advertiser shall act as Business and/or a Controller, and the Company shall act as Service Provider and/or a Processor, in respect of any Processing of Network Personal Data for the purposes of:
3.2.1. capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation;
3.2.2. Business Intelligence;
3.2.3. Plugin Integration; and
3.2.4. Transaction Queries
together, “Advertiser Processing”.
3.3. The Company and the Advertiser will each comply with their respective obligations under Data Protection Law. Each Party will provide the other Party any co-operation reasonably requested to enable the other Party’s compliance with this Clause 3.3. The Advertiser will not provide any Personal Data to the Company without the Company's prior written consent, unless anticipated by the Company in the Company's ordinary operation of its marketing network of Publishers and advertisers to facilitate, amongst other things, affiliate and performance marketing.
4. TERMS APPLICABLE ONLY TO JC PROCESSING
4.1. This Clause 4 shall apply in respect of any JC Processing only.
4.2. Where required, the Advertiser will provide Consumers with a clear and conspicuous link on the Advertiser's internet homepage, titled "Do Not Sell My Personal Information," in accordance with Data Protection Laws in the United States.
4.3. In the event that the Advertiser receives notice from or on behalf of a Consumer of the Consumer's exercise of its right of opt-out, its right to delete, its right to access or modify, or its right to know, as provided under applicable Data Protection Laws in the United States, where the Advertiser has Sold Personal Data in respect of that Consumer to the Company, the Advertiser shall notify the Company of the exercise of such rights in writing by email to global-privacy@awin.com and: (i) on receipt of a notice of an exercise of a right of opt-out, the Company shall promptly implement measures to prevent the further Sale of such Personal Data; (ii) on receipt of a notice of an exercise of a right to delete and verification the Company considered reasonably necessary pursuant to applicable Data Protection Laws, the Company shall promptly delete such data; and (iii) on receipt of a notice of an exercise of a right to know, access or modify, use reasonable endeavours to assist the Advertiser in respect of the Advertiser's response to the exercise of such right, at the Advertiser's cost.
4.4. Both Parties jointly agree that, where the GDPR applies in respect of JC Processing, Article 6(1)(f) of the GDPR shall be applicable to the Processing of Network Personal Data and that the Processing of Network Personal Data is necessary for the purposes of the legitimate interest pursued by both Parties and/or by a third party.
4.5. Upon Advertiser’s reasonable request, the Company will make available such written information in the Company’s possession as is reasonably necessary for Advertiser to conduct and document data protection assessments in accordance with applicable Data Protection Laws. Advertiser will have the right to: (i) take reasonable and appropriate steps to help ensure that the Company uses Network Personal Data Processed under the Agreement in a manner consistent with the Company's obligations under and to the extent required by applicable Data Protection Laws, and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Network Personal Data under and to the extent required by applicable Data Protection Laws.
4.6. Transparency
4.6.1. Advertiser must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being Processed by or on behalf of the Advertiser, which shall at a minimum include all the information required by applicable Data Protection Laws, in a concise, transparent and easily accessible form, using clear and plain language, and specify an appropriate contact point which Data Subjects can use if they have any questions regarding the Advertiser’s compliance with Data Protection Laws or wish to exercise their rights under Data Protection Laws (“Advertiser Privacy Policy”).
4.6.2. The Company must take appropriate measures to provide Data Subjects with information about how Network Personal Data is being Processed by or on behalf of the Company, which shall at a minimum include all the information required by applicable Data Protection Laws, in a concise, transparent and easily accessible form, using clear and plain language, and specify an appropriate contact point which Data Subjects can use if they have any questions regarding the Company’s compliance with Data Protection Laws or wish to exercise their rights under Data Protection Laws (“Company Privacy Policy”).
4.6.3. Advertiser must either:
(a) include a hyperlink to the current Company Privacy Policy in the Advertiser Privacy Policy; or
(b) ensure the Advertiser Privacy Policy contains sufficient information to enable the Company to Process Network Personal Data in accordance with applicable Data Protection Laws.
4.7. Data Subject Rights
Each Party shall fulfil their obligations to respond to requests to exercise Data Subject rights under Data Protection Law. Unless otherwise required by applicable Data Protection Laws or agreed in writing between the Parties, the first recipient of any request by a Data Subject to exercise their rights under Data Protection Law shall be primarily responsible for its response. Each Party will provide the other Party any co-operation and information reasonably requested to enable the other Party’s compliance with this Clause 4.7.
5. TERMS APPLICABLE ONLY TO ADVERTISER PROCESSING
5.1. This Clause 5 shall apply in respect of any Advertiser Processing only (if applicable).
5.2. The Advertiser confirms that such Processing of Network Personal Data by the Company on behalf of the Advertiser shall be undertaken by the Company for the Advertiser’s own Business Purpose.
5.3. The Company shall not: (i) Sell Network Personal Data; (ii) Share any Network Personal Data with any third party for cross-context behavioral advertising; (iii) retain, use, or disclose Network Personal Data it receives from the Advertiser under the Agreement for any purpose other than for the specific purpose of performing the Services to the Advertiser, including retaining, using, or disclosing such Network Personal Data for a commercial purpose other than providing the Services; (iv) retain, use, or disclose the Network Personal Data outside of the direct business relationship between the Company and the Advertiser; or (v) to the extent prohibited by Data Protection Laws, combine Personal Data with other information that the Company receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer. The Company will notify Advertiser if it determines that it can no longer meet its obligations under applicable Data Protection Law. Entry by the Company into this DPA shall constitute a certification that the Company understands the restrictions in this Clause 5.3 of this DPA and will comply with them.
5.4. Upon Advertiser’s reasonable request, the Company will make available such written information in the Company’s possession as is reasonably necessary for Advertiser to conduct and document data protection assessments in accordance with applicable Data Protection Laws. Advertiser will have the right to: (i) take reasonable and appropriate steps to help ensure that the Company uses Network Personal Data Processed under the Agreement in a manner consistent with the Company's obligations under and to the extent required by applicable Data Protection Laws, and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Network Personal Data under and to the extent required by applicable Data Protection Laws.
5.5. The Company will:
5.5.1. Process Personal Data for the purposes of Advertiser Processing only in accordance with the Advertiser’s instructions, including in respect of the deletion or return of Personal Data;
5.5.2. allow for and contribute to one reasonable written audit per calendar year on at least 30 days prior written notice by the Advertiser and during normal business hours, to the extent necessary to demonstrate compliance with this Clause 5 provided that any costs incurred by either Party in relation to any written audits are borne by the Advertiser;
5.5.3. engage Subprocessors in a manner consistent with Clause 11 and, in addition ensure that the contract between the Subprocessor and the Company includes terms which offer at least the same level of protection for Network Personal Data as those set out in this DPA in respect of Advertiser Processing; and
5.5.4. comply with Clauses 6 - 9.
5.6. The Advertiser hereby grants a general authorisation to the Company under applicable Data Protection Laws to engage Subprocessors. The Company shall inform the Advertiser of any intended changes concerning the addition or replacement of Subprocessors. The Advertiser may reasonably object in writing to such an intended change within 14 days of the notification thereof by the Company. Following an objection by the Advertiser, Company may within 30 days of receipt of the objection either:
5.6.1. notify the Advertiser that the intended change shall not be implemented in relation to the Agreement; or
5.6.2. cease the relevant Advertiser Processing immediately on written notice to the Advertiser.
6. PERSONNEL
6.1.1. Each Party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Network Personal Data, ensuring in each case that access is:
(a) strictly limited to those individuals who need to know and/or access the relevant Network Personal Data; and
(b) as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws in the context of that individual's duties.
6.1.2. Each Party shall ensure that all individuals referred to in Clause 6.1.1 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
7. SECURITY AND CONFIDENTIALITY OF DATA
7.1.1. Each Party shall in relation to the Network Personal Data, implement appropriate technical and organisational measures to ensure an appropriate level of security, including the measures referred to in applicable Data Protection Laws. In doing so, each Party shall take into account:
(a) the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing; and
(b) the risk of varying likelihood and severity for the rights and freedoms of natural persons.
7.1.2. In assessing the appropriate level of security, each Party shall in particular take account of the risks that are presented by Processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Network Personal Data transmitted, stored or otherwise Processed.
8. PERSONAL DATA BREACH
8.1.1. Each Party shall:
(a) notify the other Party without undue delay upon becoming aware of a Personal Data Breach affecting Network Personal Data (“Network Data Breach”);
(b) provide the other Party with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Network Data Breach under or in connection with Data Protection Law;
(c) meaningfully consult with the other Party in respect of the external communications and public relations strategy related to the Network Data Breach;
(d) subject to Applicable Law, not notify any data protection regulator of the Network Data Breach without having notified the other Party; and
(e) not issue a press release or communicate with any member of the press in respect of the Network Data Breach, without having obtained prior written approval by the other Party.
8.1.2. The notification set out in Clause 8.1.1(a) above, shall as a minimum:
(a) describe the nature of the Network Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; and
(b) describe the likely consequences of the Network Data Breach; and
(c) describe the measures taken or proposed to be taken to address the Network Data Breach.
8.1.3. The Parties shall reasonably cooperate and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each Network Data Breach.
9. DATA TRANSFERS
9.1.1. Each Party shall only transfer Network Personal Data within the EEA to countries outside of the EEA where this is in compliance with Data Protection Law.
9.1.2. Where, as part of providing the Services,
(a) the Company transfers Network Personal Data within the EEA to the Advertiser; and
(b) the Advertiser or any of the Advertiser’s offices or operations are based outside of the EEA,
such transfer of Network Personal Data shall be subject to the SCCs Addendum.
9.1.3. Where the transfer of Network Personal Data under Clause 9.1.2 is undertaken for Advertiser Processing, the Advertiser hereby instructs the Company to transfer personal data outside of the EEA.
10. PROFILING
The Advertiser shall not use any Personal Data revealed by any Reports for the Profiling of consumers.
11. ENGAGEMENT OF PROCESSORS
With respect to a proposed Processor that a Party wishes to engage, such Party shall:
11.1.1. before the Processor first Processes Network Personal Data, carry out adequate due diligence to ensure that the Processor is capable of providing the level of protection for Network Personal Data required by Data Protection Law; and
11.1.2. ensure that the arrangement with such a Processor is governed by a written contract including terms which meet the requirements of applicable Data Protection Laws, including ensuring that such Processor is engaged for a Business Purpose, pursuant to a written contract, which prohibits the Processor from retaining, using, or disclosing the Network Personal Data for any purpose other than for the specific purpose of performing the services specified in the contract for that party, or as otherwise permitted by applicable Data Protection Laws.
12. OTHER PROCESSING
12.1. In relation to any other Processing of Network Personal Data under the Agreement, to the extent not specified otherwise under this DPA, any Party acting as a Processor will:
12.1.1. Process Network Personal Data for such purposes only in accordance with the Controller’s instructions, including in respect of the deletion or return of Personal Data;
12.1.2. make available to the Controller requested information in respect of Network Personal Data, on at least 30 days prior written notice and during normal business hours, necessary to demonstrate compliance with this Clause 12.1, including to allow for and contribute to reasonable audits, conducted by the Controller or the Controller’s designated auditor (such designated auditors being subject to the Company’s prior written approval);
12.1.3. engage Subprocessors in a manner consistent with Clause 11 and, in addition ensure that the contract between the Subprocessor and the party acting as a Processor includes terms which offer at least the same level of protection for Network Personal Data as those set out in this Clause 12.1;
12.1.4. comply with Clauses 6 - 9.
12.2. In the event of any conflict between this Clause 12 and any other agreement between the Parties in respect of the same Processing, such other agreement shall take precedence.
13. LIABILITY
13.1. Each Party shall be solely liable for any costs, claims, losses, damages, expenses or fines arising from:
13.1.1. its breach of Data Protection Law;
13.1.2. its breach of this DPA or the Agreement;
13.1.3. Processing of Personal Data in its possession; and
13.1.4. events for which it is responsible;
and accordingly there shall be no joint liability between the Parties in respect of such breaches.
13.2. The Company shall not be liable for any breaches of Data Protection Law arising in respect of Processing by or in connection with any third party adtech provider whose technology may be integrated with the Advertiser Website by use of the Company’s technology (as applicable from time to time).
13.3. In addition to the limitations outlined in this Clause 13, each Party’s liability under this DPA shall be limited in a manner consistent with any limitations of liability set out in the Agreement.
14. CONSENT VERIFICATION
14.1. The Advertiser will, on behalf of the Company, where required to comply with ePrivacy consent requirements, obtain the prior, freely-given, specific, informed, unambiguous and revocable consent of users of Advertiser Website(s) to cookies or other tracking technologies of the Company served under the Agreement.
14.2. The Company may request information (including consent records/logs) from the Advertiser to objectively verify whether the Advertiser has complied with Clause 14.1, and the Advertiser shall promptly (and no later than 14 days following the Company’s written request) make such information available to the Company.
15. CHANGES TO THIS DPA
The Company may on at least 7 days' written notice to the Advertiser (including by the posting of a notice on the Interface) make binding variations to this DPA, which the Company reasonably considers to be necessary to address the requirements of Data Protection Law.
16. SEVERANCE
16.1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be:
16.1.1. amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;
16.1.2. construed in a manner as if the invalid or unenforceable part had never been contained in the DPA.
17. RIGHTS OF THIRD PARTIES
Third parties shall not be entitled to enforce any of the terms of this DPA.
18. GOVERNING LAW AND JURISDICTION
The governing law and jurisdiction of this DPA shall be the same as that of the Agreement.
SCHEDULE 1
The subject-matter, duration of the processing, the nature and purpose, the type of personal data and categories of data subjects of the Advertiser Processing and JC Processing are set out below.
For both the Advertiser Processing and JC Processing, the duration of the processing shall be the term of the Agreement, unless otherwise agreed in writing, and the obligations and rights of the relevant controllers are as set out in this DPA.
1. JC PROCESSING
Subject-matter, nature and purpose of processing | Categories of data subject | Type of personal data |
Tracking | Current or prospective consumers (as determined by the Advertiser) | Information relating to cookies, information relating to consumers’ IP addresses, information relating to consumer transactions (including consumers’ engagement with advertisers and publishers), device identifiers and device attributes. |
Cross Device Tracking | Current or prospective consumers (as determined by the Advertiser) | |
Reporting | Current or prospective consumers (as determined by the Advertiser) | |
2. ADVERTISER PROCESSING
Subject-matter, nature and purpose of processing | Categories of data subject | Type of personal data |
Capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Business Intelligence | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Plugin Integration | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Transaction Queries | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |