This Data Privacy Addendum (“Addendum”) forms part of Vungle Advertising Insertion Order (“I/O”) in place between Vungle, Inc. and the company identified as the ” Customer” in the I/O. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the I/O unless otherwise defined in this Addendum. This Addendum shall only apply to the extent Vungle processes Personal Data protected by EU Data Protection Law as a processor under or in connection with the I/O.
“Advertiser Data” has the meaning given to it in Section 2 of this Addendum;
” EU Data Protection Law” means (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC) and on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii) (in each case, as amended or superseded);
” Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined in applicable Privacy Requirements;
” Privacy Requirements” means all applicable privacy and data protection laws and regulations, that apply to the processing of Personal Data that is the subject of this Addendum, in each case as amended or superseded, including but not limited to Children’s Online Privacy Protection Act and EU Data Protection Law;
” Privacy Shield” means the EU-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016 and by the Swiss Federal Council on January 11, 2017 respectively;
” Privacy Shield Principles” means the Privacy Shield Principles and Supplemental Principles contained in Annex II to the Privacy Shield (as may be amended or superseded);
” controller“, ” processor“, ” data subject“, ” processing” (and ” process“) shall have the meanings given to them in EU Data Protection Law.
Customer acknowledges and agrees that, Vungle may receive from Customer or Customer’s third-party agents certain end user data relating to Vungle’s delivery of Advertising Services under the applicable I/O, including, for example, end user device information (e.g. unique device identifiers), interactions with Ads, clicks, views, installs, as well as post-install event data (collectively ” Advertiser Data“). For the avoidance of doubt, “Advertiser Data” as defined herein does not include any data (including Personal Data) or information which is already known, accessible, discernible, or otherwise collected by Vungle independently.
To the extent the Advertiser Data contains Personal Data, Vungle shall process such data as a processor (where the Privacy Requirements recognize this concept) on behalf of Customer in accordance with this Addendum. In no event will the parties process Personal Data under this I/O as joint controllers. Nothing in the I/O (including this Addendum) shall limit or prevent Vungle from collecting or using data that Vungle would otherwise collect and process independently of Customer’s use of the Advertising Services.
Vungle agrees that:
4.1. the (i) subject-matter, nature and purpose of the processing are the Purpose (defined below); and (ii) duration of processing shall be as set out in this the I/O (including any further Insertion Orders agreed between the parties);
4.2. Vungle shall process the Advertiser Data only for the purposes of delivering the Advertising Services in accordance with the I/O (the ” Purpose“) and on the documented lawful instructions of Customer as set out in full in this Addendum and the I/O, including with regard to transfers of Advertiser Data to a third country, unless required otherwise by applicable law; in such event, Vungle shall inform Customer of the legal requirement before processing, unless that law prohibits the provision of such information to Customer. Vungle shall inform Customer if, in its opinion, Customer’s instructions infringe applicable Privacy Requirements;
4.3. Vungle shall ensure that persons authorized to process the Advertiser Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.4. Vungle shall respect the conditions for appointing another sub-processor as set out in Section 7 below;
4.5. taking into account the nature of the processing, Vungle shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Customer has under EU Data Protection Law to respond to requests from individuals to access, correct, delete, object or exercise any other rights they have in respect of the Advertiser Data under EU Data Protection Law;
4.6. if Vungle receives any correspondence, enquiry or complaint from a data subject, regulator or any other person relating to its processing of Advertiser Data, it will promptly inform Customer and provide it with full details of the same. It will not respond to such correspondence, enquiry or complaint unless authorised by Customer (such permission not to be unreasonably withheld or delayed), and Customer agrees that Vungle shall have no obligation to respond on Customer’s behalf;
4.7. if Customer is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the Advertising Services, Vungle shall provide all information reasonably requested by Customer in connection with such assessment;
4.8. at the choice of Customer, Vungle shall delete or return all the Advertiser Data to Customer after the end of the provision of the Vungle Services; and
4.9. Vungle shall make available to Customer all information reasonably necessary for Vungle to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Customer (such audits not to be conducted more than once per annum and at Customer’s expense).
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vungle shall implement appropriate technical and organisational security measures for the Advertiser Data. Such measures shall protect the Advertiser Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Advertiser Data transmitted, stored or otherwise processed by Vungle (a ” Security Incident“).
5.2. Vungle shall inform Customer without undue delay in the event of a Security Incident and inform Customer what measures and actions it is taking to mitigate or remedy the effects of the Security Incident.
6.1. If and to the extent Vungle processes or transfers (directly or via onward transfer) Advertiser Data that is protected by EU Data Protection Law and/or that originates from European Economic Area (including for the purposes of this Addendum Switzerland and the United Kingdom, the ” EEA“) (” EEA Personal Data“) in or to any country outside the EEA and not recognized by the European Commission as providing an adequate level of protection for Personal Data, it shall first take all such measures as are necessary to ensure an adequate level of protection for such EEA Personal Data in accordance with the requirements of EU Data Protection Law.
5.2. For these purposes, the parties acknowledge and agree that Vungle is located in the United States and accordingly shall provide adequate protection for any EEA Personal Data processed by it in the United States by virtue of Vungle having self-certified its compliance with the Privacy Shield. Vungle agrees to protect EEA Personal Data in accordance with the requirements of the Privacy Shield Principles.
Customer agrees that Vungle may engage sub-processors to assist it in processing Advertiser Data in the performance of the Vungle Services provided that Vungle:
7.1. shall ensure that its sub-processors are subject to data protection terms that protect the Advertiser Data to the same or a substantially similar standard as set out in this Addendum;
7.2. accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its sub-processors;
7.3. maintains a list of its then-current sub-processors and shall provide such list upon request to Customer; and
7.4. with effect from May 25, 2018, if Vungle wishes to appoint or replace a sub-processor it shall provide Customer with a minimum of fourteen (14) days prior notice and Customer may object to such appointment or replacement on reasonable data protection grounds within seven (7) days following receipt of such notice. If Customer so objects, then either (i) Vungle shall not use the proposed sub-processor to process the Advertiser Data; or (ii) if this is not possible, Customer may terminate the I/O for its convenience upon written notice to Vungle.
8.1. This Addendum shall survive termination or expiry of the I/O. Upon termination or expiry of the I/O, Vungle may continue to process Advertiser Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements.