Publisher Data Protection Rider
Effective Date of Rider: April 26, 2018
We refer to the Terms of Service located at www.inmobi.com/terms-of-service/ (“Agreement”) which You have accepted to avail InMobi’s advertising services as a publisher (referred as “You” or “Publisher”). In the event You have signed a paper contract (“Agreement”) with Us, the terms below shall be deemed to be part of such Agreement.
Until 25 May 2018, the Data Protection Act 1998 (the “ DPA”) is the key piece of legislation governing data protection. The General Data Protection Regulation (the “GDPR”), is a new piece of legislation which will largely supersede the DPA on 25 May 2018. The GDPR will then apply to the processing that is carried out under the Agreement for any Personal Data related to Data Subjects in the European Union (“EU”).
The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing Personal Data of Data Subjects based on EU. Therefore, the parties agree to add the Data Protection Rider, set out below to the Agreement with effect from 25 May 2018 (the “Variation Date”). These terms of the Data Protection Rider shall be deemed to be incorporated within the Agreement.
This Data Protection Rider makes reference to the “Model Contract Clauses”, produced by the European Commission, which are incorporated into this Data Protection Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)”.
Except as set out in this Data Protection Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect; In the event of any conflict or inconsistency between this Data Protection Rider and the terms and conditions of the Agreement, this Data Protection Rider shall prevail; and To the extent that this Data Protection Rider does not address project-specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Data Protection Rider and the GDPR.
This Data Protection Rider (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim.
Please accept or sign and return the Data Protection Rider to acknowledge your agreement of these terms.
If you do not accept these terms, we will discontinue any EU user related transactions with your applications/mobile websites. Additionally, please do not share any EU user data with us. However, if you continue to use our services, you will be deemed to have accepted these terms.
DATA PROTECTION RIDER
1.1 The following definitions apply in this Data Protection Rider:
“Controller”, “Data Subject”, “Personal Data”, “Processor” and
“Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
“Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the United Kingdom’s Information Commissioner.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise processed. “Publisher” is the organization to whom this letter is addressed.
2 MUTUAL OBLIGATIONS WHEN PROCESSING DATA
2.1 Each party acknowledges that:
2.1.1 InMobi shall Process the Personal Data for the purposes of (a) optimizing mobile online advertising campaigns across its ad network whether owned, operated or controlled by InMobi including but not limited to the programmatic channel; (b) interest based targeting of InMobi ad campaigns or other survey based services; (c) data-targeted ad inventory forecasting; (d) providing its customers, partners and relevant third parties with data as part of campaign reporting and performance (e) enrichment, creation of audience profile/segments including sharing with data partners for enrichment purposes. Publisher further acknowledges that InMobi may need to transfer Personal Data outside of EU in the context of Processing. ;
2.1.2 the processing shall continue, for the duration of this agreement;
2.1.3 the processing concerns the following Personal Data:
18.104.22.168 user device identifier;
22.214.171.124 IP address;
126.96.36.199 User-agent or such device information;
188.8.131.52 Fine location;
184.108.40.206 Persistent online identifiers (such as IDFA, ADID, GPID etc.,)
2.2 It is acknowledged that both Parties are under certain recordkeeping obligations under the Data Protection Legislation, and agree to provide the other Party with all reasonable assistance and information required by the other Party to satisfy such record keeping obligations.
2.3 In the event of any Personal Data breach (actual or suspected) involving the Publisher or a sub-Processor, the Publisher shall (at no cost to InMobi):
2.3.1 notify InMobi of the Personal Data breach without undue delay (but in no event no later than 24 hours after becoming aware of or first suspecting the Personal Data Breach);
2.3.2 provide InMobi without undue delay (and wherever possible, no later than 48 hours after becoming aware of or first suspecting the Personal Data Breach) with such details as InMobi may require in relation to:
(a) the nature and impact of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data, records concerned;
(b) any investigations into such Personal Data Breach;
(c) the likely consequences of the Personal Data Breach; and
(d) any measures are taken, or that the Publisher will take to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the reoccurrence of the Personal Data Breach or a similar breach, provided that, (without prejudice to the above obligations) if the Publisher cannot provide all these details within such timeframes, it shall, before the end of this timeframe, provide InMobi with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give InMobi regular updates on these matters.
3 CONTROLLER REQUIREMENTS
3.1 Joint Controller Requirements: The Parties shall, in their respective capacities as joint Controllers:
3.1.1 at no cost to the other Party, record and then refer to the other Party promptly (and in any event within 5 Business Days of receipt) any Data Subject request or complaint which is made under Data Protection Legislation in relation to the Publisher’s processing;
3.1.2 at its cost and expense, provide such information and cooperation and other assistance as a Party reasonably requests in relation to a Data Subject request or complaint made under Data Protection Legislation within the timescales reasonably required by InMobi;
3.1.3 implement and maintain a program to ensure that all Processing at its end and transmission of Personal Data is safeguarded and secure;
3.1.5 maintain, monitor and review records of user activities, exceptions, faults and privacy in relation to the relevant Personal Data; and
3.1.6 ensure information security events are produced, maintained, monitored and reviewed on an ongoing basis.
3.1.7 ensure that the Publisher’s relevant technical solutions are configured such that the default settings protect Data Subject privacy;
3.2 Publisher Requirements: Publisher shall:
3.2.1 seek consent from the Data Subject to the standard required by the Data Protection Legislation to collect, Process, transmit or use their Personal Data as contemplated by the Agreement including as enumerated in section 2.1.1 hereunder;
3.2.2 in the event that the consent to handle Personal Data is withdrawn by the Data Subject, the Publisher shall notify InMobi without undue delay (but in any event no later than 24 hours after becoming aware of the consent being withdrawn);
3.2.3 allow for audits conducted by InMobi or another auditor mandated by InMobi for the purpose of demonstrating compliance by the Publisher with its obligations under the Data Protection Legislation and under this Agreement;
3.2.4 indemnify, defend and hold harmless InMobi against and from all loss, liability, damages, costs (including legal costs), fees, claims and expenses arising out any third party claims which InMobi may incur or suffer by reason of any breach of this Data Protection Rider by the Publisher;
4 INMOBI DATA ANALYTICS
4.1 The Publisher acknowledges that InMobi:
4.1.1 will add the Personal Data it processes in the context of its advertising services, and in respect of such use InMobi is a joint Controller; and
4.1.2 is free to use meta-data, statistics and such other information derived from the Personal Data it receives from the Publisher which cannot be identified as originating or deriving directly from such Personal Data and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.
5 MODEL CONTRACT CLAUSES
When You are a Controller, the Model Contract Clauses require us to set out more detail about what data You are transferring to us and why, as well as how we keep that data secure. We have set this out in the sections below. Description of our data processing for You
5.1 In the event when either party Processes Personal Data on behalf of the other the parties will execute appropriate data processing agreement. Description of security measures
5.2 Restriction of access to buildings, data centers and server rooms as necessary.
5.3 Adequate locks on all doors.
5.4 Monitoring of unauthorized access.
5.5 Written procedures for employees, contractors, and visitors covering confidentiality and security of information.
5.6 Restricting access to systems depending on the sensitivity/criticality of such systems.
5.7 Use of password protection where such functionality is available.
5.8 Maintaining records of the access granted to which individuals.
5.9 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
5.10 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
5.11 You will not provide any unsolicited data related to Data Subjects with us.