Appnext Advertiser Data Protection Addendum

Last updated: 20/06/2018

Appnext Ltd. (“Company”) and the legal entity that entered into an agreement for the provision of the services (“Services”) described in the Advertiser Terms & Conditions, as available here: (as amended from time to time), or another agreement signed between the Parties (the “Agreement”), regardless of the form of organization (“Customer”), are agreeing to these Data Protection Terms (“DPA”). This DPA is entered into by Company and Customer and supplement the Agreement. This DPA will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.

Company and/or Customer shall be each referred to as “Party” and together as “Parties”.

If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.

1.   Introduction

1.1   This DPA reflect the parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.

1.2   Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.

1.3   In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail.

2.   Definitions and Interpretation

2.1   In this DPA:

  • (a) “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.

  • (b) “Approved Jurisdictions” means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here:

  • (c) “Data Protection Laws” means, as applicable, any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

  • (d) “Cross Advertising” means the collection of data through websites or applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected.

  • (e) “Data Subject” means a data subject to whom Personal Data relates.

  • (f) “Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Services.

  • (g) “Model Contractual Clauses (Controller-Controller)” means Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, as available here:

  • (h) “Relevant Privacy Requirements" mean all (i) applicable SRPs, laws, governmental regulations and court or government agency orders and decrees relating in any manner to the collection, use or dissemination of information from or about users, user traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications; (ii) posted privacy policies; and (iii) for mobile applications, the terms of service for the applicable mobile operating system.

  • (i) "SRPs” mean the rules and self-regulatory principles of the European Interactive Digital Advertising Alliance ("EDAA"), of which Company is a member.

  • (j) "Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident

  • (k) “Terms Effective Date” means 25 May 2018.

  • (l) The terms “controller”, “processing” and “processor” as used in this have the meanings given in the GDPR.

  • (m) Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3.   Application of this DPA

3.1   This DPA will only apply to the extent all of the following conditions are met:

3.1.1   Either Party processes Personal Data that is made available by the other Party in connection with the Agreement;

3.1.2   The Data Protection Laws applies to the processing of Personal Data.

3.2   This DPA will only apply to the Services for which the parties agreed to in the Agreement, which incorporates the DPA by reference.

4.   Roles and Restrictions on Processing

4.1   Independent Controllers. Each party:

  • (a) is an independent controller of Personal Data under the Data Protection Laws;

  • (b) will individually determine the purposes and means of its processing of Personal Data; and

  • (c) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.

4.2   Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Personal Data under the Agreement.

4.3   Sharing of Personal Data. In performing its obligations under the Agreement, a Party may provide Personal Data to the other party. Each Party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the Parties, provided such processing strictly complies with (iii) Data Protection Laws, (ii) Relevant Privacy Requirements and (iii) its obligations under this Agreement (the “Permitted Purposes”). Each Party shall not share any Personal Data with the other Party (i) that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); (ii) that contains Personal Data relating to children under the legal age for consent.

4.4   Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices and obtained any and all consents or permissions necessary under e-Privacy Law.

4.5   It is hereby clarified that where either Party is the initial Controller of Personal Data, then such Party shall be responsible for obtaining lawful grounds for the collection and processing of the Personal Data for the Permitted Purposes; where such Party relies on consent as its legal basis to Process Personal Data (e.g., for Cross Advertising, or in connection with collection of precise geo-location data), it shall ensure that it obtains a proper affirmative act of consent from Data Subjects in accordance with Data Protection Law and Relevant Privacy Requirements in order for itself and the other Party to Process such Personal Data as set out herein. The foregoing shall not derogate from either Party’s responsibilities under the Data Protection Laws (such as the requirement to provide information to the data subject when the Personal Data in connection with the processing of Personal Data. Both parties will cooperate in good faith in order to identify the information disclosure requirements and each party hereby permits the other party to identify it in the other party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.

4.6   Data Subject Rights. It is agreed that where either Party receives a request from a Data Subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.

5.   Personal Data Transfers

5.1   Transfers of Personal Data Out of the European Economic Area. Either party may transfer Personal Data outside the European Economic Area if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Laws (such as through the use model clauses or transfer of Personal Data to jurisdictions as may be approved as having adequate legal protections for data by the European Commission).

5.2   To the extent that either Party process Personal Data outside the European Economic Area and Approved Jurisdictions, then the Parties shall be deemed to enter into the Model Contractual Clauses (Controller-Controller), and: (a) the Party that shares the Personal Data shall be deemed as the Data Exporter, and the Party that receives the Personal Data shall be deemed as the Data Importer (as these terms are defined in the Model Contractual Clauses (Controller-Controller); (b) the purposes of the Transfer shall be the Permitted Purposes, and the categories of data subjects, the categories of data and the recipients shall be as described in the Agreement.

6.   Protection of Personal Data.

6.1   The parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both parties shall implement appropriate technical and organizational measures to protect the Personal Data. In the event that a party suffers a confirmed Security Incident, each party shall notify the other party without undue delay and the parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

7.   Liability

7.1   Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws).

8.   Priority

8.1   Effect of this DPA. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.

9.   Changes to this DPA.

9.1   Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company.

9.2   Notification of Changes. If Company intends to change this DPA under this Section, and such change will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.