LAST UPDATED: May 23, 2018
This Data Protection Agreement (“DPA”) amends the current version of that certain agreement as executed by and between the Interested Party and GumGum (“GumGum”), each a “Party” or collectively the “Parties”. This DPA applies to and takes precedence over that document and any associated contractual document between the parties, such as an order form, statement of work or other applicable addendum thereunder (collectively, the “Main Agreement”), to the extent of any conflict.
Interested Party and GumGum hereby agree as follows:
1. Definition
1.1 “Applicable Laws” means laws, rules, directives, regulations issued or enacted by any government entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial or other government, which includes to the extent applicable, Directive 95/46/EC, Directive 2002/58/EC, European Commission decisions and guidance) each as transposed into domestic legislation of each Member State or other country and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR, and any industry self-regulatory principles that are applicable in the location or region where the Services are provided or received, related to the Processing of Personal Data or the interception, recording or monitoring of communications.
1.2 “Main Agreement” means any agreement between the Interested Party and GumGum whereby GumGum provides the Services and, in connection with the supply of such Services, engages in the processing of Personal Data of Data Subjects on behalf of Data Controller.
1.3 “GDPR” (General Data Protection Regulation) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC; The terms, “Controller”, “Processor” “Data Subject”, “Member State”, “Personal Data” or “Data”, “Personal Data Breach”, and “Processing”, and “Supervisory Authorities” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.4 “EU Model Clauses” means the standard contractual clauses approved by European Commission on standard contractual clauses for the transfer of Personal Data to Processors or Controllers established in third countries (but which shall exclude any contractual clauses designated by the European Commission as optional in that decision), as amended or replaced from time to time by the European Commission.
1.5 “Interest-Based Advertising” means each of (i) the collection of data across multiple digital properties or other sources for the purpose(s) of profiling and delivering advertising based on preferences or interests known or inferred from the data collected and (ii) the collection of data about a user’s activity on or in one digital property or source for the purpose(s) of profiling and delivering advertising based on that data on a different digital property.
1.6 “Interested Party” means the party to this Agreement and on whose behalf GumGum processes the Personal Data of Interested Party or of Interested Party’s clients, whether received from Data Subjects, third parties or Interested Party.
1.7 “Services” means the services as defined in the Main Agreement between Interested Party and GumGum.
1.8 “Sub-processor” means any third party (including any Processor affiliate) appointed by or on behalf of Data Processor to process Personal Data on behalf of Interested Party in connection with an Agreement.
2. GumGum's obligations
GumGum shall undertake to:
2.1 Process the Personal Data hereto solely for the Purpose and in accordance with the documented instructions of Publisher (instructions defined in the Agreement and/or any other written instructions that are consistent with the Agreement);
2.2 Where GumGum considers that an instruction infringes the Applicable Laws, it shall immediately inform Interested Party thereof;
2.3 Protect the confidentiality of Data processed hereunder; and
2.4 Take reasonable steps to ensure the reliability of any employees, affiliates, subcontractors, or agents (“Personnel”) engaged in the Processing of Data. GumGum confirms that any Data to which it has access will be accessible only to its Personnel who: (i) need to have access to it, and (ii) are subject to contractual obligations of privacy, security, and confidentiality in respect of such Personal Data.
3. Data Subjects’ consent and right to information
3.1 Each Party confirms that if it is an operator of a digital property, including for example websites and apps, through which Data is collected:
a. Such Party has in place and can evidence, mechanisms for obtaining appropriate consent to such collection of Personal Data by means and for the Purpose as set out in the Agreement; and includes a clear and unambiguous link to an easy-to-use mechanism that provides the Data Subject the ability to opt out, including where applicable the ability for a Data Subject to opt out of Interest-Based
b. Such Party will ensure that it has a privacy notice that complies with Applicable Laws.
3.2 Each Party confirms that if it facilitates the provision of Data from digital properties operated by third parties:
a. Such Party shall have in place legally enforceable obligations with such third parties requiring them to obtain appropriate consent and to enable such Party to provide evidence of such consent to the other Party, for the means and for the Purpose required for Interested Party’s use of such Data as set out in the Agreement. GumGum will be responsible for providing Interested Party with any relevant information intended for such third parties operating digital properties from which Data is generated; and
b. Such Party will contractually require its relevant contracting parties to ensure that each relevant digital property has a privacy notice that complies with Applicable Laws.
3.3 If GumGum is a data provider to Interested Party:
a. GumGum confirms that it has proof of appropriate consent (where applicable) of any Data Subject, whose Personal Data it shares with Interested Party and in all cases, such Data Subjects were provided with a clear and unambiguous option to an easy-to-use mechanism to opt-out, including where applicable the ability for a Data Subject to opt out of Interest-Based Advertising; and
b. GumGum warrants that all parties collecting or receiving Personal Data which is made available by it to Interested Party (“Supplier Data”) have a privacy notice, that clearly and unambiguously discloses the collection, provision and usage of Supplier Data, including without limitation descriptions of data collection for any applicable Interest-Based Advertising by Interested Party, in compliance with Applicable Laws and provides an easy-to-use mechanism that enables the Data Subject to opt out (including where applicable the ability for a Data Subject to opt out of Interest-Based Advertising) through the services provided by GumGum or its data sources.
3.4 GumGum will ensure that it maintains an accessible, up-to-date privacy policy explaining the technology that it uses and how it processes Personal Data.
4. Rights of Data Subjects
GumGum shall assist Interested Party, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the Data Subject's rights (and in particular right of access, to rectification, erasure and to object, right to restriction of Processing, right to data portability, right not to be subject to an automated individual decision (including profiling)).
GumGum confirms it has the means and will take all reasonable action to allow Interested Party to comply with reasonable requests from Data Subjects (in relation their rights under Article 12-22 of GDPR) in relation to their Personal Data while processed by GumGum.
5. Security Breach Management and Notification
GumGum confirms that in the event of a Personal Data Breach which involves Data under the Agreement GumGum will:
a. Promptly take all necessary and appropriate corrective action to remedy the underlying causes of the Personal Data Breach and make reasonable commercial efforts to ensure that such Personal Data Breach will not recur;
b. Notify Interested Party without delay, and, where the Personal Data Breach is reasonably likely to require a data breach notification by the Interested Party under Applicable Law, in any event within fourty eight (48) hours, providing reasonable detail of the Personal Data Breach and likely impact on Data Subjects. Said notification shall be sent along with any necessary documentation to enable Interested Party, where necessary, to notify this breach to the competent Supervisory Authority, especially information and measures referred to Article 33(3) of GDPR; and
c. Take any action required by Applicable Law and/or at the reasonable request of Interested Party.
Upon Interested Party’s request and at the expense of Interested Party, GumGum shall notify the Data Subjects, in the name and on behalf of Interested Party, of the Personal Data Breach without undue delay. The content of such notice will be defined by mutual agreement between the Parties, it being understood such communication shall describe in clear and plain language the nature of the Personal Data Breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
6. Data Protection Impact Assessment
GumGum shall provide reasonable assistance to Interested Party with any Data Protection Impact Assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Interested Party reasonably considers to be required by Article 35 and/or 36 of GDPR or equivalent provisions of any other Applicable Law, in each case solely in relation to Processing of Interested Party Data by GumGum, and taking into account the nature and materiality of the Processing and information available to GumGum.
7. Security measures
GumGum undertakes to implement and maintain administrative, technical, physical and organizational measures designed for the protection of the security (including protection against unauthorized or unlawful Processing, and against accidental or unlawful destruction, loss or alternation or damage, unauthorized disclosure of, or access to Personal Data), confidentiality and integrity of Personal Data, in accordance with best practices.
8. Fate of Data
GumGum will ensure that any Interested Party Data in its possession is returned to Interested Party or destroyed, each at Interested Party’s election and request to the extent that such Data is no longer required for the performance of the Services or as otherwise permitted to be retained by GumGum in accordance with law.
9. Data Protection Officer and Record of categories of processing activities
9.1 Data Protection Officer.
GumGum confirms it has a duly appointed Data Protection Officer who is responsible for ensuring the lawful management of Personal Data and all related issues at GumGum, and who will be available to help Interested Party, in a timely manner, should there be any enquiries received from Data Subjects or any competent Supervisory Authority, in relation to Data. Please contact GumGum’s DPO at: gdpr@gumgum.com.
GumGum confirms it will give Interested Party such assistance and information as it may reasonably request, in a timely manner, to assist Interested Party to comply with its obligations under GDPR, in relation to any Interested Party Data.
9.2 Record of categories of processing activities.
GumGum states that it maintains a written record of all categories of processing activities carried out on behalf of Interested Party, containing information required under Article 30.2 of the GDPR.
10. Documentation and audit
GumGum will comply with obligations under all Applicable Laws with respect to the Processing of Personal Data connection with the Agreement.
GumGum confirms that it will cooperate fully with any reasonable requests for information from Interested Party about the Processing of Data. To the extent necessary to enable Interested Party to comply with its obligations under Applicable Laws GumGum will permit Interested Party to conduct an audit of its compliance with this Article and Applicable Laws. Such audit shall be conducted no more than once per calendar year during the term of the Agreement, take place during normal business hours, and upon Interested Party giving GumGum no less than ten (10) business days prior written notice.
11. Sub-processor
Subject to the following provisions and conditions provided under Article 28 of GDPR, GumGum may engage another processor (hereinafter "the Sub-processor") to conduct specific Processing activities.
In this case, GumGum shall inform Interested Party, in writing beforehand, of any intended changes concerning the addition or replacement of other Processors and Interested Party has twenty-one (21) days from the date on which it receives said information to object thereto. Such sub-contracting is only possible where Interested Party has not objected thereto within the agreed timeframe.
The Sub-processor will be obliged to comply with the obligations hereunder on behalf of and on instructions from Interested Party.
With respect to each Sub-processor, GumGum shall:
a. Before the Sub-processor first Processes Publisher Data carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Interested Party Data required by Applicable Laws and the Agreement;
b. Ensure that the Sub-processor executes a written contract including terms which offer at least the same level of protection for Interested Party Data as those set out in this Article and meet the requirements of Applicable Law;
c. Upon reasonable request provide to Interested Party for review such copies of the agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Clause); and
d. Be liable for the acts and omissions of its Sub-processors to the same extent GumGum would be liable if performing the Services of each Sub-processor directly under the terms of this Clause. GumGum remains fully liable to Interested Party for the performance of its obligations by each Sub-processor.
12. Transfers of Data
GumGum confirms that it will not transfer, and will ensure that any Sub-processor does not transfer, Interested Party Data out of the country in which it is provided to it, except (a) between member states of the European Economic Area (“EEA”); or (b) on the written instructions of Interested Party.
Moreover, where GumGum is obliged to transfer Data to a third country or an international organization, under Union law or Member State law to which GumGum is subject, GumGum shall inform Interested Party of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.