Advertiser Data Protection Rider

Effective Date of Rider: 6th December 2024

We refer to (as applicable to you):

(a) the agreement between you in your capacity as an advertiser, demand partner, agency or reseller ("Advertiser ") and MobAvenue Media Pvt. Ltd. (as defined below) ("Mobavenue "); or

(b) the Advertiser Terms which you have accepted, whether pursuant to insertion orders or otherwise (each, the " Agreement").

The Rider takes account of changes brought in by the Data Protection Legislation (defined below) including the Data Transfer Provisions and shall apply where both Parties are Controllers.

  • Incorporation Terms

    • The Rider is incorporated into the Agreement and is made and entered into as of the Effective Date.

    • Except as set out in the Rider, the Agreement and any other agreements already in place between Mobavenue and the Advertiser shall continue in full force and effect.

    • In the event of any conflict or inconsistency between the Agreement, the Rider and the Data Transfer Provisions, the following order of priority shall apply: (i) the Data Transfer Provisions, (ii) the Rider and (iii) the Agreement.

    • To the extent that the Rider does not address specific data processing activities carried out between the parties, the terms of the Agreement shall apply, save that they shall be interpreted to give full effect to the provisions of the Rider.

    • Any capitalised terms not defined herein shall have the respective meanings given to them in the Agreement.

    • The Rider and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a "Claim") shall be governed by and interpreted in accordance with the laws of Ireland. The parties irrevocably agree that the courts of Ireland have exclusive jurisdiction to settle any Claim.

  • Definitions

    • "Addendum" means as defined at Annex 2.

    • "Associate" means, an entity that directly or indirectly controls, is controlled by or is under common control with a company. “Control” for purposes of this definition, means direct or indirect ownership (including ownership through one or more associate) of more than 25% of the paid-up share capital of an entity.

    • "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Process / Processing" and "Supervisory Authority" shall each have the meanings given in the Data Protection Legislation.

    • "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and EU, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018 ("DPA 2018"); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

    • "Data Transfer Provisions" means, together, the EU SCCs and the Addendum.

    • "EU SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021.

    • "Permitted Purpose" means Processing by a party or its Associates, in connection with all or any of the following:

      • targeted advertising and optimization of campaigns in connection with the Agreement;

      • attribution, real-time-bidding, frequency capping, audience verification, system maintenance, fraud detection and other tracking and measurement purposes;

      • internal reporting purposes; and / or

      • for Mobavenue's data analytics and machine learning with respect to advertising services / platforms, and/or to improve Mobavenue's products and services.

    Note: Permitted Purposes exclude reselling or rebrokering of Personal Data in any manner.

  • Status of the Parties

    • The parties agree to act at all times in compliance with the Data Protection Legislation.

    • The parties acknowledge that for the purposes of the Data Protection Legislation in circumstances where each party determines on their own (i.e. alone) the means of the Processing of Personal Data when it is Processed within their respective technology environments, both Parties are Controllers in their own right (i.e. Independent Controllers, and not joint Controllers).

  • Controller's Obligations

    Controller collecting the Personal Data agrees to obtain the appropriate consents for the Processing of Personal Data for the Permitted Purposes and ensure that it or its first party Controllers (through contractual requirements) provide clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:

    • that Personal Data will be transferred to a third party, and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer before deciding whether to give consent; and

    • sufficient information about any transfer outside of the UK or EEA, including the purpose of such transfer and the safeguards put in place by the first party Controller to enable the Data Subject to understand the purpose and risks of such transfer.

  • Mutual Processing Obligations

    Each party agrees to:

    • notify the other of any Data Subject requests to exercise their rights, including but not limited to access, deletion and rectification;

    • process the Personal Data only for the Permitted Purpose;

    • maintain the confidentiality of all Personal Data and not disclose Personal Data to third parties unless this Rider specifically authorises the disclosure, or as required by law;

    • reasonably assist the other with meeting each party's compliance obligations under the Data Protection Legislation, taking into account the nature of the processing and the information available to the parties, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation; and

    • ensure that any and all employees:

      • are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

      • have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

      • are aware both of their employer's duties and their personal duties and obligations under the Data Protection Legislation and this Rider.

  • Mutual Security Obligations

    • Each party will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

    • Each party will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

      • the encryption of Personal Data or equivalent measures;

      • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

      • the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

      • a process for regularly testing, assessing and evaluating the effectiveness of security measures.

  • Mutual Personal Data Breach Obligations

    • The parties shall each comply with their obligations to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject.

    • The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

  • Cross-Border Transfers of Personal Data

    • If an adequate protection measure for the international transfer of Personal Data is required under the Data Protection Legislation (and has not otherwise been arranged by the parties) the Data Transfer Provisions shall be incorporated into this Rider in the Annexes as if they had been set out in full.

    • Each party approves the other transferring Personal Data outside the UK and the European Economic Area (EEA) ("GDPR Territories"). Provided that where such processing occurs:

      • the Processing of Personal Data is in a territory which is subject to a current finding by the UK's Information Commissioner's Office and/or the European Commission (as applicable) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;

      • participates in a valid cross-border transfer mechanism under the Data Protection Legislation including appropriate data protection agreement terms, so that Mobavenue (and, where appropriate, Advertiser) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation; or

      • otherwise ensures that the transfer complies with the Data Protection Legislation.

  • Processors

    Each Controller acknowledges and agrees that if such Controller is required to share any Personal Data with processors such as data partners, attribution partners, customers, etc., such party will remain liable to ensure that such processors comply with Data Protection Legislation.

  • Complaints, Data Subject Requests and Third-Party Rights

    • The parties will take such technical and organisational measures as may be appropriate to comply with:

      • the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data;

      • information or assessment notices served on either party by any Supervisory Authority under the Data Protection Legislation.

    • The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Data Subject rights requests within the time limits imposed by the Data Protection Legislation. In the event of a dispute or claim brought by a Data Subject, the Information Commissioner or a Supervisory Authority concerning the processing of Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

    • Each party shall abide by a decision of a competent court of the other party's country of establishment or of the Information Commissioner or a Supervisory Authority.

  • Liability

    Each party ("Indemnifying Party") shall indemnify and defend The other party ("Indemnified Party") against all loss, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims, Which the indemnified party may incur or suffer due to a breach of this data protection rider by the indemnifying party. In no event shall either party be liable for lost profits, incidental, punitive, indirect or consequential damages. Notwithstanding anything to the contrary in the dgreement, each party's total aggregate liability to the other party or any third party for all claims arising under or in connection with this rider shall not exceed the greater of usd two million (2,000,000) or twice the amounts paid or payable to mobavenue by the advertiser under the agreement during the twelve (12) months immediately preceding the claim. The limitations of this section shall apply even if either or both parties have been advised of the possibility of such damages in advance.

  • Term and Termination

    • This Rider will remain in full force and effect for so long as either party retains any of the other's Personal Data related to the Agreement in its possession or control.

    • Any provision of this Rider that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.

    • If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Agreement, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.

  • Data Retention

    On termination of the Agreement for any reason or expiry of its term, Mobavenue shall not provide any further Personal Data to Advertiser and in certain cases require deletion of Personal Data provided by it, pursuant to Data Subject Rights or other statutory, regulatory or contractual requirements. Advertiser will Process and retain Personal Data in accordance with its Privacy Policy, subject to Data Subject Rights, Data Protection Legislation and such other statutory and regulatory requirements.

    If You do not accept these terms, we may discontinue any UK or EEA user related transactions with You. Additionally, please do not share any UK or EEA user data with us unless agreed otherwise. All communications can be sent to legal@mobavenue.com .

ANNEX 1

International Data Transfers (EU)

  • INCORPORATION OF EU SCCS

    To the extent this Annex 1 relates to transfers of Personal Data subject to the GDPR, this Annex 1 and the following terms shall apply: module 1 of the EU SCCs and no other optional clauses unless explicitly specified, are incorporated into this Annex 1 as if they had been set out in full in the case where the exporter is a controller, the importer is a controller and the transfer requires such additional protection.

  • CLARIFICATIONS TO THE EU SCCS

    Module 1 Clarifications. For the purposes of:

    • clause 8.2 of the EU SCCs and to enable data subjects to effectively exercise their rights, the parties have agreed that the exporter shall inform data subjects of the information required; and

    • clause 8.3 of the EU SCCs the parties hereby agree that the data exporter shall be primarily responsible for ensuring that personal data is accurate and, where necessary, kept up to date. The data exporter shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

  • APPENDICES AND ANNEXURES TO THE EU SCCS

    The processing details required by the EU SCCs are set out in paragraph 4:

    • the details required at Annex 1.A of the EU SCCs is set out at paragraphs 4.1 – 4.2;

    • the details required at Annex 1.B of the EU SCCs is set out at paragraph 4.3 – 4.10;

    • the details required at Annex 1.C of the EU SCCs is set out a paragraph 4.10; and

    • the details required at Annex 2 of the EU SCCs is set out at paragraph 4.11.

  • PROCESSING PARTICULARS FOR THE UK AND EU SCCS
      The Parties

    • Exporter: Mobavenue when transferring Personal Data from Mobavenue's entity in the UK or EEA to an Advertiser in a third country; or Advertiser when transferring Personal Data from the Advertiser based in the UK or EEA to Mobavenue's entity in a third country.

    • Importer: Mobavenue when receiving Personal Data in a third country from an Advertiser in the UK or EEA; or Advertiser when receiving Personal Data in a third country from Mobavenue's entity in the UK or EEA

      • Description Of Data Processing

    • Categories of data subjects: End Users who are served with Ads

    • Categories of personal data transferred:

      • Data shared by Mobavenue with the Advertiser: User device Identifiers or online persistent identifiers (such as cookie ids, IMEI, IDFA, IFA, ADID, GPID, GAID etc.), and IP Address; and

      • Data shared by the Advertiser with Mobavenue: User device Identifiers or online persistent identifiers (such as cookie ids, IMEI, IDFA, IFA, ADID, GPID, GAID etc.),

      • and such other data sets as are agreed in writing between the parties from time to time.

  • Sensitive data transferred: None.
  • Frequency of the transfer: Continuous transfers.
  • Nature of the processing: As set out in the Permitted Purpose.
  • Purpose of the processing: For the Permitted Purpose.
  • Duration of the processing: For the term of the Agreement.
  • Competent Supervisory Authority: As set out at clause 1.6.
  • Technical and Organisational Measures

    • Restriction of access to buildings, data centres, systems and server rooms.

    • Monitoring of unauthorised access.

    • Written procedures for employees, contractors and visitors covering confidentiality and security of information.

    • Restricting access to systems depending on the sensitivity/criticality of such systems.

    • Use of password protection where such functionality is available.

    • Maintaining records of the access granted to which individuals.

    • Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

ANNEX 2

UK INTERNATIONAL TRANSFER ADDENDUM TO THE EU SCCS (the "Addendum")

Part 1

  • Parties

    As set out in Annex 1.

  • Selected SCCs, Modules and Clauses

    Module 1 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Annex 1, paragraph 2, but subject to any further amendments detailed in this Annex 2 ("ICO Modified EU SCCs").

  • Appendix Information

    The processing details required by this Addendum are as set out in Annex 1 ("Appendix Information"):

    • Annex 1A: List of Parties: paragraphs 4.1 and 4.2 and both parties are Controllers;

    • Annex 1B: Description of Transfer: paragraphs 4.3 – 4.9; and

    • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: paragraph 4.11.

  • Termination of the Addendum

    In the event the template Addendum issued by the Information Commissioner's Office ("ICO") and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 ("ICO's Addendum") is amended, either party may terminate this Addendum on written notice to the other in accordance with Part 2, paragraph 4 of this Annex 2 and replace it with a mutually acceptable alternative.

Part 2

  • Interpretation

    • Except as otherwise defined in this Addendum, where this Addendum uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs.

    • This Addendum must always be interpreted:

      • in a manner that is consistent with UK Data Protection Laws, being all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR (as defined in section 3 of the DPA 2018) and the DPA 2018 ("UK Data Protection Laws"); and

      • so that it fulfils the Parties' obligation to provide the appropriate safeguards, being the standard of protection over the Personal Data and of Data Subjects' rights, which is required by UK Data Protection Laws when a party is making a transfer which is covered by Chapter V of the UK GDPR ("Restricted Transfer") relying on standard data protection clauses under Article 46(2)(d) UK GDPR ("Appropriate Safeguards").

    • If the provisions included in the ICO Modified EU SCCs amend the EU SCCs in any way which is not permitted under the EU SCCs or the ICO's Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the ICO's Addendum will take their place.

    • If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, the UK Data Protection Laws apply.

    • If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with the UK Data Protection Laws applies.

    • Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

  • Hierarchy

    • Although clause 5 of the EU SCCs sets out that the EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in paragraph 2.2 will prevail.

    • Where there is any inconsistency or conflict between the ICO's Addendum and the ICO Modified EU SCCs (as applicable), the ICO's Addendum overrides the ICO's Modified EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the ICO's Modified EU SCCs provides greater protection for data subjects, in which case those terms will override the ICO's Addendum.

    • Where this Addendum incorporates EU SCCs which have been entered into to protect transfers subject to the GDPR then the Parties acknowledge that nothing in this Addendum impacts those EU SCCs.

  • Incorporation of and changes to the EU SCCs

    • This Addendum incorporates the EU SCCs which are amended to the extent necessary so that:

      • together they operate for data transfers made by the exporter to the importer, to the extent that UK Data Protection Laws apply to the exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

      • paragraphs 2.1 to 2.3 override clause 5 (Hierarchy) of the EU SCCs; and

      • this Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

    • Unless the Parties have agreed alternative amendments which meet the requirements of paragraph 3.1, the provisions of paragraph 3.4 will apply.

    • No amendments to the EU SCCs other than to meet the requirements of paragraph 3.1 may be made.

    • The following amendments to the EU SCCs (for the purpose of paragraph 3.1) are made:

      • References to the "Clauses" means this Addendum, incorporating the ICO Modified EU SCCs;

      • In Clause 2, delete the words: "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";

      • Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";

      • Clause 8.7(i) of Module 1 is replaced with: "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";

      • References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;

      • References to Regulation (EU) 2018/1725 are removed;

      • References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK" (being the United Kingdom of Great Britain and Northern Ireland);

      • The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module 1, is replaced with "Clause 11(c)(i)";

      • Clause 13(a) and Part C of Annex I are not used;

      • The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";

      • In Clause 16(e), subsection (i) is replaced with: "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";

      • Clause 17 is replaced with: "These Clauses are governed by the laws of England and Wales.";

      • Clause 18 is replaced with: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and

      • The footnotes to the EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

  • Amendments to this Addendum

    • From time to time, the ICO may issue a revised ICO Addendum which:

      • makes reasonable and proportionate changes to the ICO Addendum, including correcting errors in the ICO Addendum; and/or

      • reflects changes to UK Data Protection Laws;

    • The revised ICO Addendum will specify the start date from which the changes to the ICO Addendum are effective and whether the parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised ICO Addendum from the start date specified in any such replacement ICO Addendum issued.

    • If the ICO issues a revised ICO Addendum under Section 18, if either Party will as a direct result of the changes in the ICO Addendum have a substantial, disproportionate and demonstrable increase in:

      • its direct costs of performing its obligations under the ICO Addendum; and/or

      • its risk under the ICO Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may terminate this Addendum on fourteen (14) days' written notice to the other Party before the start date of the revised ICO Addendum.

    • The parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.