This U.S. Data Processing Addendum (“DPA”) forms a part of the affiliate marketing
advertiser agreement (the “Agreement”) entered into by the Company
and the Advertiser, in which this DPA is incorporated by reference.
1.1
In this DPA the following capitalised terms shall have the meanings set
out below:
Advertiser Processing | has the meaning set out in Clause 3.2. |
Advertiser Website | the websites, apps or online services of the Advertiser. |
Applicable Laws | all laws or regulations, regulatory policies, guidelines or industry codes which apply to Network Personal Data (including without limitation Data Protection Laws). |
Business (or “Controller”) | an entity that determines the purposes and means of Processing of Personal Data. |
Business Intelligence | the Processing of Network Personal Data under the Agreement for the purposes of enabling the Advertiser to better understand a consumer’s online journey and the use and audience of the Advertiser Website, as determined by the Advertiser by use of the Company’s technology. |
Consumer (or “Data Subject”) | the individual to whom Personal Data relates. |
Data Protection Law | any data protection, privacy or similar laws that apply to data Processed in connection with the Agreement, including but not limited to, as and when applicable, the GDPR, the UK GDPR, the UK Data Protection Act 2018, ePrivacy, the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act (the “UCPA”) and any similar laws, including any final implementing regulations to any of the foregoing that are in effect or that become effective on or after the effective date of this DPA, and any amendments to these laws or replacements of these laws. |
EEA | the European Economic Area. |
ePrivacy | the Privacy and Electronic Communications Directive 2002/58 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (including any replacing or superseding legislation). |
GDPR | the EU General Data Protection Regulation 2016/679. |
JC Processing | has the meaning set out in Clause 3.1. |
Lead Generation | the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of generating a sales lead for the Advertiser, to be subsequently used in the Advertiser’s own marketing efforts. |
MasterTag | the Company’s JavaScript code, which may be integrated into the Advertiser Website for the purposes of the Advertiser receiving certain Services and/or enabling Plugin Integration. |
Network Personal Data | any Personal Data Processed by either Party in connection with the provision of the Services under the Agreement. |
Personal Data | any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a Consumer, or as otherwise defined by Data Protection Law, including any equivalent terminology such as “Personal Information” or “Personally Identifiable Information”. |
Personal Data Breach | unauthorised, accidental or unlawful Processing, access, loss, disclosure or destruction of Network Personal Data. |
Plugin | the technology of a Plugin Operator, which integrates with the Advertiser Website through the MasterTag, and which is used to enable the delivery of the services of the Plugin Operator. |
Plugin Integration | the Processing of Network Personal Data under the Agreement (and any related or ancillary agreements with any third parties and/or between the parties) for the purposes of facilitating the integration of the Advertiser Website with the Plugin, by use of the Company technology, such as the MasterTag. |
Plugin Operator | a third party adtech provider. |
Processing | any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information. |
Publisher | the operator of a website, application or service that markets advertisers or their products as an affiliate. |
Publisher Website | the websites, apps, emails or online services of a Publisher, or third party services used by a Publisher. |
Referral | the referral of a consumer from a Publisher Website to the Advertiser Website. |
Reporting | the Processing of Personal Data for the purposes of reporting on the Advertiser’s use of the Services and related performance, as enabled by the Interface, and “Reports” shall be interpreted accordingly. |
Service Provider (or “Processor”) | an entity that Processes Personal Data on behalf of a Business or Controller. |
SCCs Addendum | https://static.shareasale.com/termsofuse/dpa_eu_addendum.html |
Services | the services provided by (or on behalf of) the Company to the Advertiser pursuant to the Agreement. |
Subprocessor | any person (excluding an employee of either Party) appointed by or on behalf of either Party to Process Personal Data on behalf of such Party or otherwise in connection with the Agreement. |
Tracking | the Processing of Network Personal Data under the Agreement, relating to consumer journeys across websites/online services on a single device, for the purposes of attributing the Referral of that consumer to the Advertiser Website by a Publisher or Publishers including to (i) understand a consumer’s online journey to a Publisher Website and from a Publisher Website to the Advertiser Website, made after viewing or clicking an advertisement; (ii) match the arrival of a consumer at the Advertiser Website to an online journey from a Publisher Website; and (iii) be informed when a Transaction has been completed, receive basic information about the nature of that Transaction, and attribute that Transaction to the respective Referral. |
Transaction | either: (i) a purchase by a consumer of a product from the Advertiser; or (ii) the provision of information by a consumer to the Advertiser, for the purposes of generating a sales lead for the Advertiser, to be used in the Advertiser’s subsequent marketing efforts. |
Transaction Queries | the Processing of Network Personal Data under the Agreement, in relation to the submission of requests from a Publisher to an Advertiser for the payment of commission in respect of a Transaction which was not tracked by the Company, or which was not validated by the Advertiser. |
UK GDPR | the retained UK law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). |
1.2
The terms “Business Purpose”,
“Sale”, “Sell”, “Sold”, “Share”, “Sharing”,
“Third Party” and “Profiling” shall have the meanings given to
them in applicable Data Protection Law.
1.3 References in this DPA to Articles or terms of the GDPR shall mean those Articles or terms, and/or any corresponding Articles or terms of the UK GDPR, where the UK GDPR is applicable to the processing activities carried out under this Agreement.
2.
GENERAL
2.1
Where the GDPR applies, this DPA constitutes both an arrangement
between joint Controllers pursuant to Article 26 of the GDPR, and a contract
between a Controller and a Processor pursuant to Article 28(3) of the GDPR, as
set out below and as the context requires or permits. The subject-matter,
duration of the processing, the nature and purpose, the type of personal data
and categories of data subjects are set out below in Schedule 1.
2.2
This DPA shall only apply to the extent that the Parties are Processing
Network Personal Data.
2.3
In the event of inconsistencies between the provisions of this DPA and
the Agreement, this DPA shall take precedence, unless explicitly agreed
otherwise in writing.
3.1
Where GDPR applies, the Company and the Advertiser shall act as joint Controllers
in respect of the Processing of Network Personal Data for the purposes of:
3.1.1 Tracking; and
3.1.2 Reporting
together, “JC Processing”. Where Data Protection Laws in the United
States apply, for the purposes of JC Processing, the Company shall act as a
Business and/or a Controller in respect of the Processing of Network Personal Data,
and the Advertiser shall also act as a Business and/or a Controller in respect
of the Processing of Network Personal Data.
3.2
The Advertiser shall act as Business and/or a Controller, and the
Company shall act as Service Provider and/or a Processor, in respect of any Processing
of Network Personal Data for the purposes of:
3.2.1 capturing consumer names and
contact information on behalf of the Advertiser’s Lead Generation;
3.2.2 Business Intelligence;
3.2.3 Plugin Integration; and
3.2.4 Transaction Queries
together, “Advertiser Processing”.
3.3
The Company and the Advertiser will each comply with their respective
obligations under Data Protection Law. Each Party will provide the other Party
any co-operation reasonably requested to enable the other Party’s compliance
with this Clause 3.3. The Advertiser will not provide any Personal Data to the Company
without the Company's prior written consent, unless anticipated by the Company
in the Company's ordinary operation of its marketing network of Publishers and
advertisers to facilitate, amongst other things, affiliate and performance
marketing.
4.
TERMS APPLICABLE ONLY TO JC PROCESSING
4.1
This Clause 4 shall apply in respect of any
JC Processing only.
4.2
The Advertiser will provide Consumers such disclosures and choices as
may be required under Data Protection Laws from time to time.
4.3
In the event that the Advertiser receives notice from or on behalf of a
Consumer of the Consumer's exercise of its right of opt-out, its right to
delete, its right to access or modify, or its right to know, as provided under
applicable Data Protection Laws in the United States, with respect to Network
Personal Data, the Advertiser shall notify the Company of the exercise of such
rights in writing by email to global-privacy@awin.com. On receipt of a notice
of an exercise of a right to delete and verification the Company considered
reasonably necessary pursuant to applicable Data Protection Laws, the Company
shall promptly delete such data. On receipt of a notice of an exercise of a
right to know, access or modify, the Company shall use reasonable endeavours to
assist the Advertiser in respect of the Advertiser's response to the exercise
of such right, at the Advertiser's cost.
4.4
Both Parties jointly agree that, where the GDPR applies in respect of
JC Processing, Article 6(1)(f) of the GDPR shall be applicable to the
Processing of Network Personal Data and that the Processing of Network Personal
Data is necessary for the purposes of the legitimate interest pursued by both
Parties and/or by a third party.
4.5
Upon Advertiser’s reasonable request, the Company will make available such written
information in the Company’s possession as is reasonably necessary for
Advertiser to conduct and document data protection assessments in accordance
with applicable Data Protection Laws. Advertiser will have the right to: (i)
take reasonable and appropriate steps to help ensure that the Company uses
Network Personal Data Processed under the Agreement in a manner consistent with
the Company's obligations under and to the extent required by applicable Data
Protection Laws, and (ii) upon reasonable prior written notice, to take
reasonable and appropriate steps to stop and remediate unauthorized use of such
Network Personal Data under and to the extent required by applicable Data
Protection Laws.
4.6.1 Advertiser must take appropriate
measures to provide Data Subjects with information about how Network Personal
Data is being Processed by or on behalf of the Advertiser, which shall at a
minimum include all the information required by applicable Data Protection
Laws, in a concise, transparent and easily accessible form, using clear and
plain language, and specify an appropriate contact point which Data Subjects
can use if they have any questions regarding the Advertiser’s compliance with
Data Protection Laws or wish to exercise their rights under Data Protection
Laws (“Advertiser Privacy Policy”).
4.6.2 The Company must take
appropriate measures to provide Data Subjects with information about how
Network Personal Data is being Processed by or on behalf of the Company, which
shall at a minimum include all the information required by applicable Data
Protection Laws, in a concise, transparent and easily accessible form, using
clear and plain language, and specify an appropriate contact point which Data
Subjects can use if they have any questions regarding the Company’s compliance
with Data Protection Laws or wish to exercise their rights under Data
Protection Laws (“Company Privacy Policy”).
4.6.3 Advertiser must either:
(a) include a hyperlink to the
current Company Privacy Policy in the Advertiser Privacy Policy; or
(b) ensure the Advertiser Privacy
Policy contains sufficient information to enable the Company to Process Network
Personal Data in accordance with applicable Data Protection Laws.
Each Party shall fulfil their obligations to respond to requests to exercise Data Subject rights under Data Protection Law. Unless otherwise required by applicable Data Protection Laws or agreed in writing between the Parties, the first recipient of any request by a Data Subject to exercise their rights under Data Protection Law shall be primarily responsible for its response. Each Party will provide the other Party any co-operation and information reasonably requested to enable the other Party’s compliance with this Clause 4.7.
5.
TERMS APPLICABLE ONLY TO ADVERTISER PROCESSING
5.1
This Clause 5 shall apply in respect of any Advertiser
Processing only (if applicable).
5.2
The Advertiser confirms that such Processing of Network Personal Data by the
Company on behalf of the Advertiser shall be undertaken by the Company for the
Advertiser’s own Business Purpose.
5.4
Upon Advertiser’s reasonable request, the Company will make available such written
information in the Company’s possession as is reasonably necessary for
Advertiser to conduct and document data protection assessments in accordance
with applicable Data Protection Laws. Advertiser will have the right to: (i)
take reasonable and appropriate steps to help ensure that the Company uses
Network Personal Data Processed under the Agreement in a manner consistent with
the Company's obligations under and to the extent required by applicable Data
Protection Laws, and (ii) upon reasonable prior written notice, to take
reasonable and appropriate steps to stop and remediate unauthorized use of such
Network Personal Data under and to the extent required by applicable Data
Protection Laws.
5.5
The Company will:
5.5.1
Process Personal Data for the purposes of Advertiser Processing only in
accordance with the Advertiser’s instructions, including in respect of the
deletion or return of Personal Data;
5.5.2
allow for and contribute to one reasonable written audit per calendar
year on at least 30 days prior written notice by the Advertiser and during
normal business hours, to the extent necessary to demonstrate compliance with
this Clause 5 provided that any costs incurred by either
Party in relation to any written audits are borne by the Advertiser;
5.5.3
engage Subprocessors in a manner consistent with Clause 11 and, in addition, ensure that the contract
between the Subprocessor and the Company includes terms which offer at least the same level of protection for Network
Personal Data as those set out in this DPA in respect of Advertiser Processing; and
5.5.4
comply with Clauses 6 - 9.
5.6
The Advertiser hereby grants a general authorisation to the Company
under applicable Data Protection Laws to engage Subprocessors. The Company
shall inform the Advertiser of any intended changes concerning the addition or
replacement of Subprocessors. The Advertiser may reasonably object in writing
to such an intended change within 14 days of the notification thereof by the
Company. Following an objection by the Advertiser, Company may within 30 days
of receipt of the objection either:
5.6.1 notify the Advertiser that the intended change shall not be implemented in relation to the Agreement; or
5.6.2 cease the relevant Advertiser Processing immediately on written notice to the Advertiser.
6.
PERSONNEL
(a) strictly limited to those
individuals who need to know and/or access the relevant Network Personal Data;
and
(b) as strictly necessary for the
purposes of the Agreement and to comply with Applicable Laws in the context of
that individual's duties.
6.1.2 Each Party shall ensure that all
individuals referred to in Clause 6.1.1 are subject to confidentiality
undertakings or professional or statutory obligations of confidentiality.
7.
SECURITY AND CONFIDENTIALITY OF DATA
7.1.1 Each Party shall in relation to
the Network Personal Data, implement appropriate technical and organisational
measures to ensure an appropriate level of security, including the measures
referred to in applicable Data Protection Laws. In doing so, each Party shall
take into account:
(a) the state of the art, the costs
of implementation and the nature, scope, context and purposes of Processing;
and
(b) the risk of varying likelihood
and severity for the rights and freedoms of natural persons.
7.1.2 In assessing the appropriate
level of security, each Party shall in particular take account of the risks
that are presented by Processing, including from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to Network
Personal Data transmitted, stored or otherwise Processed.
8.
PERSONAL DATA BREACH
(b) provide the other Party with
sufficient information to allow it to meet any obligations to report or inform
Data Subjects of the Network Data Breach under or in connection with Data
Protection Law;
(c) meaningfully consult with the
other Party in respect of the external communications and public relations
strategy related to the Network Data Breach;
(d) subject to Applicable Law, not
notify any data protection regulator of the Network Data Breach without having notified
the other Party; and
(e) not issue a press release or
communicate with any member of the press in respect of the Network Data Breach,
without having obtained prior written approval by the other Party.
8.1.2 The notification set out in
Clause 8.1.1(a) above, shall as a minimum:
(a) describe the nature of the
Network Data Breach, the categories and numbers of Data Subjects concerned, and
the categories and numbers of Personal Data records concerned; and
(b) describe the likely consequences
of the Network Data Breach; and
(c) describe the measures taken or
proposed to be taken to address the Network Data Breach.
9.1.1 Each Party shall only transfer Network Personal Data between countries within the EEA and countries outside of the EEA in compliance with Data Protection Law.
9.1.2 Where, as part of the Services,
(a) the Advertiser transfers Network Personal Data within the EEA to the Company; and
(b) the Advertiser or any of the Advertiser’s offices or operations are based in the EEA/UK,
such transfer of Network Personal Data shall be subject to the SCCs Addendum.
10.
PROFILING
The Advertiser shall not use any Personal Data revealed by any Reports for the
Profiling of consumers.
With respect to a proposed Processor that a Party wishes to engage, such Party
shall:
11.1.1 before the Processor first
Processes Network Personal Data, carry out adequate due diligence to ensure
that the Processor is capable of providing the level of protection for Network
Personal Data required by Data Protection Law; and
11.1.2 ensure that the arrangement with
such a Processor is governed by a written contract including terms that meet the
requirements of applicable Data Protection Laws, including ensuring that such
Processor is engaged for a Business Purpose, pursuant to a written contract,
which prohibits the Processor from retaining, using, or disclosing the Network
Personal Data for any purpose other than for the specific purpose of performing
the services specified in the contract for that party, or as otherwise
permitted by applicable Data Protection Laws.
12.1.1 Process Network Personal Data for
such purposes only in accordance with the Controller’s instructions, including
in respect of the deletion or return of Personal Data;
12.1.2
make available to the Controller requested information in respect of
Network Personal Data, on at least 30 days prior written notice and during
normal business hours, necessary to demonstrate compliance with this Clause 12.1, including to allow for and contribute to
reasonable audits, conducted by the Controller or the Controller’s designated
auditor (such designated auditors being subject to the Company’s prior written
approval);
12.1.3 engage Subprocessors in a manner
consistent with Clause 11 and, in addition, ensure that the contract between the Subprocessor and
the party acting as a Processor includes terms which
offer at least the same level of protection for Network Personal Data as those
set out in this Clause 12.1;
12.1.4 comply with Clauses 6 - 9.
12.2
In the event of any conflict between this Clause 12 and any other agreement between the Parties in respect of the same
Processing, such other agreement shall take precedence.
13.1.1 its breach of Data Protection
Law;
13.1.2 its breach of this DPA or the Agreement;
13.1.3 Processing of Personal Data in
its possession; and
13.1.4 events for which it is
responsible;
and accordingly there shall be no joint
liability between the Parties in respect of such breaches.
13.2
The Company shall not be liable for any breaches of Data Protection
Law arising in respect of Processing by or in connection with any third party adtech provider whose technology may be integrated with the
Advertiser Website by use of the Company’s
technology (as applicable from time to time).
13.3
In addition to the limitations outlined in this Clause 13, each Party’s liability under
this DPA shall be limited in a manner consistent with any limitations of
liability set out in the Agreement.
14.
CONSENT VERIFICATION
14.2
The Company may request information (including consent records/logs) from
the Advertiser to objectively verify whether the Advertiser has complied with
Clause 14.1, and the Advertiser shall
promptly (and no later than 14 days following the Company’s written request)
make such information available to the Company.
The Company may on at least 7 days' written
notice to the Advertiser (including by the posting of a notice on the
Interface) make binding variations to this DPA, which the Company reasonably considers
to be necessary to address the requirements of Data Protection Law.
16.1 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be:
16.1.1 amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;
16.1.2 construed in a manner as if the invalid or unenforceable part had never been contained in the DPA.
Third parties shall not be entitled to enforce any of the terms of this DPA.
18.
GOVERNING LAW AND JURISDICTION
The governing law and jurisdiction of this DPA shall be the same as that of the Agreement.
The subject-matter, duration of the processing, the nature and purpose, the type of
personal data and categories of data subjects of the Advertiser Processing and
JC Processing are set out below.
For both the Advertiser Processing and JC Processing, the duration of the processing shall
be the term of the Agreement, unless otherwise agreed in writing, and the
obligations and rights of the relevant controllers are as set out in this DPA.
1.
JC PROCESSING
Subject-matter, nature and purpose of processing | Categories of data subject | Type of personal data |
Tracking | Current or prospective consumers (as determined by the Advertiser) | Information relating to cookies, information relating to consumers’ IP addresses, information relating to consumer transactions (including consumers’ engagement with advertisers and publishers), device identifiers and device attributes. |
Reporting | Current or prospective consumers (as determined by the Advertiser) |
2.
ADVERTISER PROCESSING
Subject-matter, nature and purpose of processing | Categories of data subject | Type of personal data |
Capturing consumer names and contact information on behalf of the Advertiser’s Lead Generation | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Business Intelligence | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Plugin Integration | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |
Transaction Queries | Current or prospective consumers (as determined by the Advertiser) | As determined by the Advertiser |