GRID Inc. Data Processing Addendum

There are two versions of the Grid Inc. Data Processing Addendum; the version applicable to You depends on the Effective Date of Your Term Sheet.

Part A – Term Sheet with Effective Date of September 27, 2021 or later.

Part B – Term Sheet with Effective Date prior to September 27, 2021.

 

Part A. Data Processing Addendum for Term Sheet with Effective Date post September 27, 2021.

This Data Processing Addendum was updated on September 27, 2021 and applies to all Customers with a Term Sheet Effective Date of September 27, 2021 or later.

  1. The terms and conditions in this Data Processing Addendum (“DPA”) are entered into between The MediaGrid Inc. on behalf of itself and any Affiliates that are providing the Grid Inc. Services (as defined below) to Customer (“Grid Inc.”); and You (“Customer”, “Your”) (collectively the “Parties” or, as to each individually, “Party”), pursuant to the terms of the Agreement (defined below).
  2. This DPA, together with the Agreement, constitutes a legally binding agreement between the Parties and governs Your use of the Grid Inc. Services and the Parties’ processing of any Personal Data under the Agreement. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any group companies or affiliates that use the Services.
  3. Background

3.1. Grid Inc. and Customer have entered into a master services agreement, together with one or more connected service orders and/or agreements (collectively the “Agreement”), pursuant to which Grid Inc. has agreed to provide the Services.

3.2. The Parties wish to define their respective data protection obligations relating to Grid Inc.’s provision of Services to Customer.

  4. Definitions:

In this DPA, the following terms shall have the following meanings. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

(a) “Applicable Data Protection Laws” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of Personal Data as applicable to Grid Inc. and its Media Buyers, including without limitation: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced); (iv) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); (v) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (“EDAA”); and (vi) the Network Advertising Initiative (“NAI”).

(b) “Controller” shall have the meaning given to “controller” under Applicable Data Protection Laws. For purposes of this DPA, the term “Controller” shall also mean a “Business”, where applicable, pursuant to the CCPA.

(c) “Data Subject” and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Laws. For purposes of this DPA, the term “Data Subject” shall also include a “Consumer” as defined under the CCPA.

(d) “EEA” means for the purposes of this DPA, the member states of the European Economic Area, Switzerland, and the United Kingdom.

(e) “Grid Inc. Privacy Policy” means the Grid Inc. privacy policy available on Grid Inc.’s public-facing website, the most current version of which is available at www.themediagrid.com/privacy-policy (as updated or amended from time to time).

(f) “Grid Inc. Services” or “Services” has the meaning given to it in the Agreement or if not set forth in the Agreement, means the ad services provided by Grid Inc. to Customer in accordance with and as described in the Agreement.

(g) “Media Buyers” shall mean Grid Inc.’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks.

(h) “Permitted Purposes” means to perform the Agreement, carry out the Grid Inc. Services, and take other actions as permitted by law and under the Agreement.

(i) “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of the Parties is a Controller, and is defined as “personal information” or “personal data” under Applicable Data Protection Laws.

(j) “Processor” shall have the meaning given to “processor” under Applicable Data Protection Laws. For purposes of this DPA, the term “Processor” shall also mean a “Service Provider”, where applicable, pursuant to the CCPA.

(k) “Standard Contractual Clauses” means the Module One: Transfer controller to controller standard contractual clauses approved by the European Commission or the United Kingdom’s Secretary of State (as applicable), as may be amended or replaced by the European Commission or the United Kingdom’s Secretary of State (as applicable) from time to time. The Standard Contractual Clauses as at the date of this DPA are as set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

(l) “Supplementary Measures” means the provisions set out in Appendix 2 to this DPA.

(m) “Tracking Technologies” means technologies used to store or gain access to data stored on an end user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.

  5. Details of the processing

5.1. The Parties acknowledge and agree that each Party shall only process Personal Data for the Permitted Purposes consistent with any consents (where required) given by any end users or other Data Subjects. In the case of Grid Inc. and for the avoidance of doubt, such Permitted Purposes include the purposes described in the Grid Inc. Privacy Policy. Each Party will not disclose the Personal Data to any third party without the other Party’s prior written consent except: (i) where necessary for the Permitted Purposes; (ii) as permitted or required pursuant to the Agreement; or (iii) where permitted or required by applicable law. If the Agreement is materially deficient in respect of the subject matter of this Clause 5, the Parties may supplement the Agreement with additional information.

5.2. Service Provider Certification: Where acting as a Service Provider, the Grid Inc. will not (a) sell (as defined under the CCPA) the Personal Data received from a Controller; (b) retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Grid Inc. Services on behalf of a Controller; (c) retain, use, or disclose the Personal Data for a commercial purpose (as defined under the CCPA) other than providing the Services; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between the Grid Inc. and the Controller. As to the Grid Inc.’s role as a Service Provider only, the Grid Inc. certifies that it understands these restrictions and will comply with them.

  6. Data Protection Obligations

6.1. Relationship of the Parties: The Parties agree that in connection with the Grid Inc. Services: (i) each Party may receive or otherwise collect Personal Data and (ii) Grid Inc. and its Media Buyers use Tracking Technologies in order to collect Personal Data. The Parties further acknowledge and agree each Party will process Personal Data received from the other Party in their own right as separate and independent Controllers for the Permitted Purposes. In no event will the Parties process Personal Data jointly as joint controllers (in accordance with the meaning ascribed in Applicable Data Protection Laws).

6.2. Prohibited data: Customer shall not disclose (and shall not direct or permit any Data Subject to disclose) any Special Categories of Personal Data to Grid Inc.

6.3. Requesting Consent: Neither Grid Inc. nor its Media Buyers has a direct relationship with any Data Subject visiting the Customer properties or viewing ads delivered to the Customer properties through the Grid Inc. Services. Accordingly, in each case where consent is the lawful basis for processing Personal Data or required for use of Tracking Technologies pursuant to Applicable Data Protection Laws, Customer agrees that it has obtained and shall be responsible for obtaining and maintaining all necessary consents from the relevant Data Subjects to lawfully permit Grid Inc. and all applicable Media Buyers to: (i) process Personal Data via the Grid Inc. Services for Permitted Purposes; and (ii) use Tracking Technologies in order to process Personal Data in connection with the performance of the Grid Inc. Services. Customer represents and warrants that it shall, at all times have in place a mechanism on Customer digital properties for obtaining and recording consent and enabling the Data Subject to withdraw their consent in accordance with Applicable Data Protection Laws, including, where applicable, the CCPA. For Customers located in the EEA, Grid Inc. is registered with and supports the IAB Transparency and Consent Framework. For Customers that qualify as a Business as defined under the CCPA, Grid Inc. supports the IAB’s CCPA Framework.

6.4. Notice Requirements: Customer agrees that it is responsible for ensuring that all Data Subjects are appropriately notified about the data collection and use practices taking place on the Customer properties through the Grid Inc. Services. Customer represents and warrants that it shall conspicuously post, maintain and abide by a publicly-accessible privacy notice that satisfies the requirements of Applicable Data Protection Laws within all Customer properties from which the Personal Data is collected. Without limiting the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by Grid Inc. and its Media Buyers and the purposes of processing, including for delivering ads across the Customer properties over time or as otherwise set forth in this Agreement; (iii) a description of the categories of recipients who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Personal Data; (v) a conspicuous link to or description of how to access relevant choice mechanisms; and (vi) any other information required to comply with the disclosure and transparency requirements of Applicable Data Protection Laws; and/or the Grid Inc. Privacy Policy.

6.5. International transfers: To the extent that Grid Inc. processes (or causes to be processed) the Personal Data of a Data Subject from the EEA in a country outside of the EEA, it shall first take all such measures as are necessary to ensure appropriate safeguards and/or an adequate level of protection for such Personal Data in accordance with Applicable Data Protection Laws. Where such processing takes place in a country that does not have adequate data protection laws (as determined by the EU Commission or the United Kingdom’s Secretary of State, as applicable), the Standard Contractual Clauses shall be incorporated by reference into this DPA and shall apply in relation to such Personal Data; the Supplementary Measures herein shall also apply.

For the purposes of the Standard Contractual Clauses:

(a) Customer is the “data exporter” and Grid Inc. is the “data importer”;

(b) the Parties choose Module One: Transfer controller to controller as being the only applicable terms between the Parties, any terms related to and references therein to Module Two, Module Three and Module Four shall be deemed deleted;

(c) Clause 9 of the Standard Contractual Clauses shall be deemed inapplicable;

(d) the optional language in Clause 11(a) shall be deemed deleted;

(e) Clause 13(a) shall be amended as applicable depending on where the Customer is established (as identified in the Agreement);

(f) In Clause 17, the Parties choose Option 1 and agree that this shall be the law of Germany;

(g) Clause 18(b) shall be deemed completed with the courts of Berlin, Germany;

(h) Annex I to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this DPA; and

(i) Annex II to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this DPA.

6.6. Confidentiality of processing: The Parties shall ensure that any Processor that either Party authorises to process Personal Data shall protect the Personal Data in accordance with the confidentiality obligations under the Agreement.

6.7. Security: Both Parties shall implement technical and organisational measures as required by the Applicable Data Protection Laws to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) unauthorised loss, alteration, disclosure of, or access to the Personal Data (a “Security Incident”). In the event a Party suffers a Security Incident, it shall notify the other Party without undue delay and both Parties shall cooperate in good faith to agree and carry out such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

6.8. Cooperation and Data Subjects’ rights: The Parties shall, upon request, provide reasonable and timely assistance and cooperation to the other Party (at their own expense) to enable that Party to respond to: (i) any request from a Data Subject to exercise any of its rights under the Applicable Data Protection Laws (including the rights of access, correction, objection, erasure/deletion, opting out of third party sales of Personal Data, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Personal Data.

 

Appendix 1

  1. LIST OF PARTIES

Data exporter: the organisation identified as Customer. Customer’s contact information is specified in the Agreement. Customer’s activities are as described in the Agreement and in relation to these activities Customer is acting as an independent data controller for the personal data.

Data importer: the organisation identified as Grid Inc. Grid Inc.’s contact information is specified in the Agreement. Grid Inc.’s activities are as described in the Agreement and in relation to these activities Grid Inc. is acting as an independent data controller for the personal data.

 

  1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: End users that visit publisher and advertiser websites.

Categories of personal data transferred:

Behavioural data, including:

  • Cookie ID, Advertising ID, or any other unique identifier that enables a bid request relating to the display of digital advertising to be linked to a bid to provide such advertising
  • Bid price
  • Creative (the advert / image)
  • Date
  • Domain name of whom the advert is served on behalf of

Sensitive data transferred (if applicable): No special categories of data or sensitive data is transferred.

Frequency of the transfer: On a continuous basis depending on Customer’s use of the Grid Inc. Services.

Nature of the processing: To provide the Services as described in the Agreement.

Purpose(s) of the data transfer and further processing: To provide the Services as described in the Agreement.

The period for which the personal data will be retained: The Services have different automated retention/deletion periods for different types of data and settings but in no event is personal data retained longer than is necessary.

Transfers to (sub-) processors: If applicable, the subject matter of processing of personal data by sub-processors is the personal data processing required for performance of the Services pursuant to the Agreement. The nature of the processing is to provide the Services under the Agreement and duration of the processing is for the Term of the Agreement.

 

  1. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, the competent supervisory authority is determined depending on where the data exporter is established and is identified in the Agreement.

 

Appendix 2

Description of the technical and organisational measures implemented by the data importer, including technical and organisational measures to ensure security of the data:

In all cases, the data importer uses various security technologies and procedures that help protect personal data from unauthorized access, use, disclosure, alteration or destruction.

For example:

  • Personnel: Only qualified and authorized employees are permitted to access personal data, and they may do so only for permitted business functions.
  • Additional Safeguards: We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Information. Our security procedures mean that we may request proof of your identity before we disclose personal data to you.
  • Trusted Vendors: We rely only on vendors who ensure an appropriate level of security of your personal data. In this context, we use only secure cloud servers, including AWS cloud – a secure, private cloud platform.
    Amazon Web Services (“AWS”) and Google Cloud Platform are IPONWEB sub-processors. AWS and Google Cloud Platform each use various security technologies and procedures to protect personal data and are compliant with third-party assurance frameworks such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2, and SOC 3. For more details please see the security and privacy policy at aws.amazon.com and Google Cloud Platform at cloud.google.com.

Supplementary Measures:

  1. If Grid, Inc. receives an order or request to disclose Personal Data transferred under the Agreement (“Transferred Personal Data”) to a law enforcement, regulatory, judicial or governmental authority (an “Authority”), whether on a binding or voluntary basis, Grid, Inc. shall:

(a) promptly notify the Customer of such Authority’s data access request;

(b) inform the Authority that any and all requests or demands relating to the Transferred Personal Data should be notified to or served upon the Customer (as the originating Controller) in writing; and

(c) not provide the Authority with access to Transferred Personal Data unless and until authorised by the Customer,

save to the extent any such order or request or other legally binding obligation on Grid, Inc. requires Grid, Inc. to do otherwise.

  2. In the event Grid, Inc. is under a legal prohibition or a legal compulsion that prevents it from complying with paragraphs 1(a) to 1(a) in full, Grid, Inc. shall use reasonable and lawful efforts to challenge such prohibition or compulsion (and the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request and the reasonable prospects and costs of successfully challenging the prohibition or compulsion).
  3. Paragraphs 1 and 2 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Grid, Inc. has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Grid, Inc. shall notify the Customer as soon as practicable following such Authority’s access and provide the Customer with full details of the same, unless and to the extent Grid, Inc. is legally prohibited from doing so.
  4. Grid, Inc. shall not knowingly disclose the Transferred Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
  5. Grid, Inc. shall have in place, maintain and comply with a policy governing personal data access requests from Authorities which at minimum prohibits:

(a) massive, disproportionate or indiscriminate disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom; and

(b) disclosure of personal data relating to data subjects in European Economic Area or the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such personal data.

  6. Grid, Inc. shall have in place and maintain in accordance with good industry practice measures to protect the Transferred Personal Data from unauthorised interception (including in transit from the Customer to Grid, Inc. and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept Transferred Personal Data and encryption of Transferred Personal Data whilst in transit to deny attackers the ability to read Transferred Personal Data.

 

Part B. Data Processing Addendum for Term Sheet with Effective Date prior to September 27, 2021.

This Data Processing Addendum was last updated on April 22, 2021 and applies to all Customers with a Term Sheet Effective Date prior to September 27, 2021.

  1. The terms and conditions in this Data Processing Addendum (“DPA”) are incorporated into and a part of the agreement between The MediaGrid Inc. on behalf of itself and any Affiliates that are providing the Grid Inc. Services (as defined below) to Customer (“Grid Inc.”); and You (“Customer”, “Your”) (collectively the “Parties” or, as to each individually, “Party”), pursuant to the terms of the Agreement (defined below).
  2. This DPA, together with the Agreement (the “Agreement”), constitutes a legally binding agreement and governs Your use of the Grid Inc. Services and the Parties’ processing of any Personal Data under the Agreement. Customer agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any group companies or affiliates that use the Services.
  3. Background

3.1. Grid Inc. and Customer have entered into an Agreement, pursuant to which Grid Inc. has agreed to provide the Services.

3.2. The parties wish to define their respective data protection obligations relating to Grid Inc.’s provision of Services to Customer.

  4. Definitions:

In this DPA, the following terms shall have the following meanings. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

(a) “Applicable Data Protection Laws” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of Data as applicable to Grid Inc. and its Media Buyers, including without limitation: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced); (iv) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); (v) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (“EDAA”); and (vi) the Network Advertising Initiative (“NAI”).

(b) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, for European Data, and shall also mean a Business, where applicable, pursuant to the CCPA.

(c) “Processor” means an entity that processes personal data solely at the direction of a Controller, for European Data, and shall also mean a Service Provider, where applicable, pursuant to the CCPA.

(d) “Data Subject” and “Special Categories of Personal Data” shall have the meanings given in the GDPR. For purposes of this DPA, the term “Data Subject” shall include a consumer as defined under the CCPA.

(e) “EEA” means for the purposes of this DPA, the member states of the European Economic Area, Switzerland, and the United Kingdom.

(f) “Grid Inc. Services” has the meaning given to it in the Agreement or if not set forth in the Agreement, means the ad services provided by Grid Inc. to Customer in accordance with and as described in the Agreement.

(g) “Media Buyers” shall mean Grid Inc.’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks.

(h) “Permitted Purposes” means to perform the Agreement, carry out the Grid Inc. Services, and take other actions as permitted by law and under the Agreement.

(i) “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of the Parties is a Controller, and is defined as “personal information” or “personal data” under Applicable Data Protection Laws.

(j) “Grid Inc. Privacy Policy” means the Grid Inc. privacy policy available on Grid Inc’s public-facing website, the most current version of which is available at www.themediagrid.com/privacy-policy (as updated or amended from time to time).

(k) “Standard Contractual Clauses” means the standard contractual clauses for Controllers approved by the European Commission or the United Kingdom’s Secretary of State (as applicable), as may be amended or replaced by the European Commission or the United Kingdom’s Secretary of State (as applicable) from time to time. The Standard Contractual Clauses as at the date of this DPA are as set out at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915.

(l) “Supplementary Measures” means the provisions set out in Appendix 2 to this DPA.

(m) “Tracking Technologies” means technologies used to store or gain access to data stored on an end user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.

  5. Details of the processing

5.1. The parties acknowledge and agree that each party shall only process Personal Data for the Permitted Purposes consistent with any consents (where required) given by any end users or other data subjects. In the case of Grid Inc. and for the avoidance of doubt, such Permitted Purposes include the purposes described in the Grid Inc. Privacy Policy. Each party will not disclose the Data to any third party without the other party’s prior written consent except: (i) where necessary for the Permitted Purposes; (ii) as permitted or required pursuant to the Agreement; or (iii) where permitted or required by applicable law. If the Agreement is materially deficient in respect of the subject matter of this Clause 5, the parties may supplement the Agreement with additional information.

5.2. Service Provider Certification: Where acting as a Service Provider, the Grid Inc. will not (a) sell (as defined under the CCPA) the Personal Data received from a Controller; (b) retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Grid Inc. Services on behalf of a Controller; (c) retain, use, or disclose the Personal Data for a commercial purpose (as defined under the CCPA) other than providing the Services; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between the Grid Inc. and the Controller. As to the Grid Inc.’s role as a Service Provider only, the Grid Inc. certifies that it understands these restrictions and will comply with them.

  6. Data Protection Obligations

6.1. Relationship of the parties: The parties agree that in connection with the Grid Inc. Services: (i) each party may receive or otherwise collect Personal Data and (ii) Grid Inc and its Media Buyers use Tracking Technologies in order to collect Personal Data. The parties further acknowledge and agree each party will process Personal Data received from the other party in their own right as separate and independent Controllers for the Permitted Purposes. In no event will the parties process Data jointly as joint controllers (in accordance with the meaning ascribed in the GDPR).

6.2. Prohibited data: Customer shall not disclose (and shall not direct or permit any data subject to disclose) any Special Categories of Personal Data to Grid Inc.

6.3. Requesting Consent: Neither Grid Inc. nor its Media Buyers has a direct relationship with any data subject visiting the Customer properties or viewing ads delivered to the Customer properties through the Grid Inc. Services. Accordingly, in each case where consent is the lawful basis for processing Personal Data or required for use of Tracking Technologies pursuant to Applicable Data Protection Laws, Customer agrees that it has obtained and shall be responsible for obtaining and maintaining all necessary consents from the relevant data subjects to lawfully permit Grid Inc. and all applicable Media Buyers to: (i) process Personal Data via the Grid Inc. Services for Permitted Purposes; and (ii) use Tracking Technologies in order to process Data in connection with the performance of the Grid Inc. Services. Customer represents and warrants that it shall, at all times have in place a mechanism on Customer digital properties for obtaining and recording consent and enabling the data subject to withdraw their consent in accordance with Applicable Data Protection Laws, including, where applicable, the CCPA. For Customers located in the EEA, Grid Inc. is registered with and supports the IAB Transparency and Consent Framework. For Customers that qualify as a business as defined under the CCPA, Grid Inc. supports the IAB’s CCPA Framework.

6.4. Notice Requirements: Customer agrees that it is responsible for ensuring that all Data Subjects are appropriately notified about the data collection and use practices taking place on the Customer properties through the Grid Inc. Services. Customer represents and warrants that it shall conspicuously post, maintain and abide by a publicly-accessible privacy notice that satisfies the requirements of Applicable Data Protection Laws within all Customer properties from which the Personal Data is collected. Without limiting the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by Grid Inc. and its Media Buyers and the purposes of processing, including for delivering ads across the Customer properties over time or as otherwise set forth in this Agreement; (iii) a description of the categories of recipients who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Personal Data; (v) a conspicuous link to or description of how to access relevant choice mechanisms; and (vi) any other information required to comply with the disclosure and transparency requirements of Applicable Data Protection Laws; and/or The Grid Inc. Privacy Policy.

6.5. International transfers: To the extent that Grid Inc. processes (or causes to be Processed) the Personal Data of a Data Subject from the EEA in a country outside of the EEA, it shall first take all such measures as are necessary to ensure appropriate safeguards and/or an adequate level of protection for such Personal Data in accordance with Applicable Data Protection Laws. Where such processing takes place in a country that does not have adequate data protection laws (as determined by the EU Commission or the United Kingdom, as applicable), the Standard Contractual Clauses shall be incorporated by reference into this DPA, shall apply in relation to such Personal Data and the Supplementary Measures shall apply. For the purposes of the Standard Contractual Clauses: (a) Customer is the “data exporter” and Grid Inc. is the “data importer” for the purposes of the Standard Contractual Clauses; (b) in Clause II(h) of the Standard Contractual Clauses the parties choose option (iii); (c) Annex B to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this DPA; and (d) the optional illustrative indemnification clause in the Standard Contractual Clauses shall be deemed deleted.

6.6. Confidentiality of Processing: The Parties shall ensure that any Processor that either Party authorises to process Personal Data shall protect the Personal Data in accordance with the confidentiality obligations under the Agreement.

6.7. Security: Both parties shall implement technical and organisational measures as required by the Applicable Data Protection Laws to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) unauthorised loss, alteration, disclosure of, or access to the Personal Data (a “Security Incident”). In the event a Party suffers a Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and carry out such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

6.8. Cooperation and data subjects’ rights: The parties shall, upon request, provide reasonable and timely assistance and cooperation to the other party (at their own expense) to enable that party to respond to: (i) any request from a data subject to exercise any of its rights under the Applicable Data Protection Laws (including the rights of access, correction, objection, erasure/deletion, opting out of third party sales of Personal Data, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data.

Appendix 1 – Description of the Transfer

Data subjects: The Personal Data transferred concern the following categories of Data Subjects:

End users that visit publisher and advertiser websites

Purposes of the transfer(s): as described in the Agreement

Categories of data: The Personal Data concern the following categories of data:

Behavioural data, including:

  • Cookie ID, Advertising ID, or any other unique identifier that enables a bid request relating to the display of digital advertising to be linked to a bid to provide such advertising
  • Bid price
  • Creative (the advert / image)
  • Date
  • Domain name of whom the advert is served on behalf of

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients: as described in the Agreement.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

No special categories of data

Data protection registration information of the data exporter: not applicable.

Contact points for data protection queries

Data exporter: As described in the Agreement

Data importer: As described in the Agreement

Appendix 2 – Supplementary Measures

  1. If Grid, Inc. receives an order or request to disclose Transferred Personal Data to a law enforcement, regulatory, judicial or governmental authority (an “Authority”), whether on a binding or voluntary basis, Grid, Inc. shall:

(a) promptly notify the Customer of such Authority’s data access request;

(b) inform the Authority that any and all requests or demands relating to the Transferred Personal Data should be notified to or served upon the Customer (as the originating Controller) in writing; and

(c) not provide the Authority with access to Transferred Personal Data unless and until authorised by the Customer,

save to the extent any such order or request or other legally binding obligation on Grid, Inc. requires Grid, Inc. to do otherwise.

  2. In the event Grid, Inc. is under a legal prohibition or a legal compulsion that prevents it from complying with paragraphs 1(a) to 1(a) in full, Grid, Inc. shall use reasonable and lawful efforts to challenge such prohibition or compulsion (and the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request and the reasonable prospects and costs of successfully challenging the prohibition or compulsion).
  3. Paragraphs 1 and 2 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Grid, Inc. has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Grid, Inc. shall notify the Customer as soon as practicable following such Authority’s access and provide the Customer with full details of the same, unless and to the extent Grid, Inc. is legally prohibited from doing so.
  4. Grid, Inc. shall not knowingly disclose the Transferred Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
  5. Grid, Inc. shall have in place, maintain and comply with a policy governing personal data access requests from Authorities which at minimum prohibits:

(a) massive, disproportionate or indiscriminate disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom; and

(b) disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such personal data.

  6. Grid, Inc. shall have in place and maintain in accordance with good industry practice measures to protect the Transferred Personal Data from unauthorised interception (including in transit from the Customer to Grid, Inc. and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept Transferred Personal Data and encryption of Transferred Personal Data whilst in transit to deny attackers the ability to read Transferred Personal Data.