Data Protection Rider
We refer to the AERSERV AD SERVING TERMS AND CONDITIONS located at https://www.aerserv.com/terms-and-conditions/ (“Agreement”) which You have accepted (in the capacity of a “publisher” or “supply partner” as the context may require and also referred to as “Publisher” or “you”) to avail the AerServ (“AerServ” or “InMobi” or “we” or “us”) aerMarket platform services as set out under the Agreement, whether pursuant to insertion orders, service agreement or otherwise. All references to AerServ shall include its parent and affiliates if the context may so require.
Until 25 May 2018, the Data Protection Act 1998 (the “DPA”) is the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”) is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing that is carried out under the Agreement for any Personal Data related to Data Subjects in the European Union (“EU”).
The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of Personal Data of Data Subjects based in the EU. Therefore, the parties agree to add the Data Protection Rider set out below to the Agreement with effect from 25 May 2018 (the “Variation Date”). These terms of the Data Protection Rider shall be deemed to be incorporated within the Agreement.
This Data Protection Rider makes reference to the “Model Contract Clauses”, produced by the European Commission, which are incorporated into this Data Protection Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)”.
Except as set out in this Data Protection Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect;
In the event of any conflict or inconsistency between this Data Protection Rider and the terms and conditions of the Agreement, this Data Protection Rider shall prevail; and
To the extent that this Data Protection Rider does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Data Protection Rider and the GDPR.
This Data Protection Rider (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales.
The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim.
Please accept the Data Protection Rider to acknowledge your agreement to these terms.
If you do not accept these terms, we will discontinue any EU user related transactions with your applications/mobile websites. Additionally, please do not share any EU user data with us. However, if you continue to use our services, you will be deemed to have accepted these terms.
All communications to be sent to AerServ LLC with a principal place of business at 15420 Laguna Canyon Rd, Irvine, CA 92618, USA with a copy to email: email@example.com
DATA PROTECTION RIDER
- 1. DEFINITIONS
1.1. The following definitions apply in this Data Protection Rider:
“Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
“Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Personal Data transmitted, stored or otherwise processed.
“Publisher” is the organisation to whom this letter is addressed.
- 2. MUTUAL OBLIGATIONS WHEN PROCESSING DATA
2.1. Each party acknowledges that:
2.1.1. AerServ shall Process the Personal Data for the purposes of (a) optimizing mobile online advertising campaigns across its platform or InMobi ad network whether owned, operated or controlled by AerServ or InMobi including but not limited to the programmatic channel; (b) interest based targeting of ad campaigns or other survey based services; (c) data-targeted ad inventory forecasting; (d) providing its customers, partners and relevant third parties with data as part of campaign reporting and performance; (e) enrichment, creation of audience profile/segments including sharing with data partners for enrichment purposes. Publisher further acknowledges that AerServ may need to transfer Personal Data outside of the European Economic Area (“EEA”) in the context of Processing;
2.1.2. the processing shall continue, for the duration of this agreement;
2.1.3. the processing concerns the following Personal Data:
2.1.3.1. user device identifier;
2.1.3.2. IP address;
2.1.3.3. User agent or such device information;
2.1.3.4. Fine location;
2.1.3.5. Persistent online identifiers (such as IDFA, ADID, GPID etc.)
2.2. It is acknowledged that both Parties are under certain record keeping obligations under the Data Protection Legislation, and agree to provide the other Party with all reasonable assistance and information required by the other Party to satisfy such record keeping obligations.
2.3. In the event of any Personal Data breach (actual or suspected) involving the Publisher or a sub-Processor, the Publisher shall (at no cost to AerServ):
2.3.1. notify AerServ of the Personal Data breach without undue delay (but in any event no later than 24 hours after becoming aware of or first suspecting the Personal Data Breach);
2.3.2. provide AerServ without undue delay (and wherever possible, no later than 48 hours after becoming aware of or first suspecting the Personal Data Breach) with such details as AerServ may require in relation to:
(a) the nature and impact of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data records concerned;
(b) any investigations into such Personal Data Breach;
(c) the likely consequences of the Personal Data Breach; and
(d) any measures taken, or that the Publisher will take to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the reoccurrence of the Personal Data Breach or a similar breach,
provided that, (without prejudice to the above obligations) if the Publisher cannot provide all these details within such timeframes, it shall, before the end of this timeframe, provide AerServ with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give AerServ regular updates on these matters.
- 3. CONTROLLER REQUIREMENTS
3.1. Joint Controller Requirements: The Parties shall, in their respective capacities as joint Controllers:
3.1.1. at no cost to the other Party, record and then refer to the other Party promptly (and in any event within 5 Business Days of receipt) any Data Subject request or complaint which is made under Data Protection Legislation in relation to the Publisher’s processing;
3.1.2. at its cost and expense, provide such information and cooperation and other assistance as a Party reasonably requests in relation to a Data Subject request or complaint made under Data Protection Legislation within the timescales reasonably required by AerServ;
3.1.3. implement and maintain a program to ensure that all Processing at its end and transmission of Personal Data is safeguarded and secure;
3.1.5. maintain, monitor and review records of user activities, exceptions, faults and privacy in relation to the relevant Personal Data; and
3.1.6. ensure information security events are produced, maintained, monitored and reviewed on an ongoing basis.
3.1.7. ensure that the Publisher’s relevant technical solutions are configured such that the default settings protect Data Subject privacy;
3.2. Publisher Requirements: Publisher shall:
3.2.1. seek consent from the Data Subject to the standard required by the Data Protection Legislation to collect, Process, transmit or use their Personal Data as contemplated by the Agreement including as enumerated in section 2.1.1 hereunder;
3.2.2. in the event that the consent to handle Personal Data is withdrawn by the Data Subject, the Publisher shall notify AerServ without undue delay (but in any event no later than 24 hours after becoming aware of the consent being withdrawn);
3.2.3. allow for audits conducted by AerServ or another auditor mandated by AerServ for the purpose of demonstrating compliance by the Publisher with its obligations under the Data Protection Legislation and under this Agreement;
3.2.4. indemnify, defend and hold harmless AerServ against and from all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising out of any third party claims which AerServ may incur or suffer by reason of any breach of this Data Protection Rider by the Publisher;
3.2.5. If at Publisher’s request and cost, AerServ agrees to build any user interface software feature (“feature”) for Publisher, Publisher acknowledges that such a feature is not to be construed as a consent management platform hosted or managed by AerServ. Enabling such feature, implementation and obtaining of appropriate consents from Data Subjects shall remain the responsibility of Publisher and Publisher shall implement technical mechanisms at its end to ensure the same. Publisher agrees that it will maintain records of consent obtained through such feature and continue to comply with its obligations as set out under Section 3.2.
- 4. AERSERV DATA ANALYTICS
4.1. The Publisher acknowledges that AerServ:
4.1.1. will add the Personal Data it processes in the context of its advertising services, and in respect of such use AerServ is a joint Controller; and
4.1.2. is free to use meta-data, statistics and such other information derived from the Personal Data it receives from the Publisher which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.
- 5. MODEL CONTRACT CLAUSES
When You are a Controller, the Model Contract Clauses require us to set out more detail about what data You are transferring to us and why, as well as how we keep that data secure. We have set this out in the sections below.
Description of our data processing for You
5.1. In the event that either party Processes Personal Data on behalf of the other, the parties will execute an appropriate data processing agreement.
Description of security measures
5.2. Restriction of access to buildings, data centres and server rooms as necessary.
5.3. Adequate locks on all doors.
5.4. Monitoring of unauthorised access.
5.5. Written procedures for employees, contractors and visitors covering confidentiality and security of information.
5.6. Restricting access to systems depending on the sensitivity/criticality of such systems.
5.7. Use of password protection where such functionality is available.
5.8. Maintaining records of the access granted to which individuals.
5.9. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
5.10. The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
5.11. You will not provide any unsolicited data related to Data Subjects to us.