Data Processing Addendum
This Addendum is part of the terms and conditions of the Agreement (as defined below) between Next Millennium Media, Inc. (“Next Millennium,” “Us,” or “We”) and its customer that utilizes services under the Agreement (“You” or “Client”) (each individually, a “Party,” and collectively, the “Parties”). The Agreement is incorporated by reference except as otherwise provided herein.
RECITALS
WHEREAS, the Parties previously entered into one or more Agreements;
WHEREAS, applicable Privacy and Data Protection Laws create various rights and obligations regarding the handling of Personal Information; and
WHEREAS, the Parties wish to supplement the terms of the Agreement with additional provisions to address the impact of data privacy laws, including but not limited to the CCPA and GDPR, as set forth in this Addendum.
NOW, THEREFORE, in consideration of the mutual covenants contained in this Addendum, the Parties hereby agree as follows:
- DEFINITIONS
- The following terms shall have the following meanings:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means the agreement to which this Addendum is attached, any agreement that expressly references and incorporates this Addendum, and/or any agreement in effect between the Parties as of the Addendum Effective Date under which Customer Personal Information is processed as part of the Services. “Agreement” includes any SOWs, terms and conditions, insertion orders, exhibits, attachments, and order forms.
“Customer Personal Information” means any Personal Information provided or made available to Us or our Affiliates by or on behalf of You in connection with the Services.
“Inquiry” means any regulatory inspection, inquiry or correspondence that relates to Customer Personal Information in which You are named.
“Personal Information” means any information relating to the identified or identifiable natural persons; that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or household; or that is defined as “personal data,” “personal information,” “personally identifiable information” or similar term under applicable Privacy and Data Protection Laws (as defined herein).
“Privacy and Data Protection Laws” means any applicable privacy or data protection laws or regulations, including, without limitation the: (i) Federal Trade Commission Act, 15 U.S.C. § 45; (ii) CAN-SPAM Act of 2003, 15 U.S.C. §§ 7701 et seq.; (iii) state and local laws governing notification to consumers and regulatory authorities following a data security breach, including without limitation Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, and Mass. Gen. Law 93H; (iv) state and local laws and regulations governing data security, including without limitation Massachusetts Gen. Law Ch. 93H and 201 C.M.R. 17.00, the NY SHIELD Act, and Nev. Rev. Stat. 603A; (v) the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq. (“California Consumer Privacy Act” or “CCPA”); (ix) California’s “Shine the Light Law,” Cal Civ. Code § 1798.83; (vi) other analogous federal, state, or local privacy, data protection, information security, or related laws or regulations (together, including any similar, analogous or successor laws, regulations, or other standards); (vii) with respect to Personal Information from or related to persons residing in the European Economic Area (“EEA”) or the United Kingdom (“UK”), the EU e-Privacy Directive 2002/58/EC and the EU General Data Protection Regulation 2016/679 (“GDPR”), as implemented by countries within the EEA and the UK; and, (viii) any other laws or regulations that are similar, equivalent to, successors to, or that are intended to implement the laws or regulations that are identified in (i) through (vii) above.
“Services” means any services We provide to You under the Agreement that involve the processing of Customer Personal Information.
“Standard Contractual Clauses” means the standard contractual clauses, as agreed by the European Commission, for the transfer of Personal Information to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, as updated, amended replaced or superseded from time to time by the European Commission.
“Subcontractor” means an unaffiliated entity/person engaged and selected by Us or our Affiliates, on our own behalf, that is essential to the performance of the Services and whose processing of Customer Personal Information is ancillary to the performance of the Services. Examples of Subcontractors include hosting providers, data centers, ISPs, and other similar infrastructure service providers.
“Vendor” means an unaffiliated entity/person engaged by Us or our Affiliates that processes Customer Personal Information in a complementary capacity to our provision of Services. Examples of Vendors include, without limitation, advertising technology companies, social media platforms, data providers, advertisers, and publishers. Our engagement with Vendors is on Your behalf or for Your benefit and ultimately selected or approved by You, even if We are a party to the agreement with such Vendor.
Where applicable, the terms “business,” “controller,” “consumer request(s),” “data subject,” “data subject request(s),” “personal data,” “personal information,” “processor,” “processing,” “service provider,” “supervisory authorities,” “sell/sale,” and “third party,” shall have the same meanings ascribed to them under Privacy and Data Protection Laws.
- Capitalized terms used in this Addendum that are not defined in this clause 1 shall have the meaning ascribed to them elsewhere in this Addendum.
- To the extent that the terms contained in this Addendum conflict with those contained elsewhere in any separate agreements entered into between the Parties, the terms of this Addendum shall control the extent of such conflict.
- RELATIONSHIP OF THE PARTIES; COMPLIANCE WITH PRIVACY AND DATA PROTECTION LAWS
- Next Millennium provides a broad range of products and services to our customers, and as such, may be operating as a service provider, processor, business, controller, or third party, or combination thereof, depending on the services.
- Each Party agrees to comply with its applicable obligations under Privacy and Data Protection Laws.
- GENERAL OBLIGATIONS
- Service Provider or Processor. Where We act as a service provider or processor, the following terms apply:
- We agree that We will not (i) retain, use or disclose the Personal Information other than for the specific purposes of performing the Services or as otherwise permitted by law or authorized by Customer which shall constitute a business purpose; or (ii) further collect, sell, or use Personal Information except as necessary to perform the business purposes. We understand and acknowledge these obligations and will comply.
- In the event that a consumer or data subject request is made directly to Us about Personal Information, We shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. We will direct the consumer or data subject to contact Customer to the extent We can identify Customer as the business or controller. For the avoidance of doubt, nothing in this Addendum or the Agreement shall restrict or prevent Us from responding to any consumer, data subject, or regulatory authority requests in relation to Personal Information which We Process as a business or controller.
- Third Party. In some instances, We may receive Customer Personal Information as a third party; in such circumstances, you will comply with obligations applicable to businesses, and We will comply with obligations applicable to third parties, under applicable Privacy and Data Protection Laws.
- Business or Controller. In connection with our products and services, We may also act as an independent business or controller with respect to Customer Personal Information and with respect to Personal Information We (i) collect directly from consumers, (ii) license from others, including government and other public sources, or (iii) which We infer or derive from Customer Personal Information and/or license to You (all such Personal Information described in (i)-(iii), collectively, “Next Millennium Data”).
- VENDORS OR SUBCONTRACTOR PROCESSING OF PERSONAL INFORMATION
- You acknowledge that due to the nature of the services provided by Vendors, such entities may license their own proprietary Personal Information or Personal Information aggregated from multiple sources for use with the Services, or otherwise process Customer Personal Information for independent purposes and/or on Vendor proprietary platforms (collectively, “Vendor Data”). Vendors process such Vendor Data as a business, controller, or third party under applicable Privacy and Data Protection Laws. Where you authorized Us to engage Vendors on Your behalf, the terms agreed to by Us as agent on behalf of Our customers, including provided by the Vendor in fixed and non-negotiable form, shall apply to Your provision of Customer Personal Information to such Vendors (through us or otherwise) and their processing of Personal Information thereunder.
- We may disclose Customer Personal Information to our Subcontractors acting as our service provider or subprocessor. We will restrict such Subcontractors’ use and disclosure of Customer Personal Information as provided under applicable Privacy and Data Protection Laws.
- CUSTOMER SHARING OR DISCLOSURE OF CUSTOMER PERSONAL INFORMATION
- You acknowledge that You may (i) share Customer Personal Information with Us in our capacity as a third party in order to facilitate the most relevant and cost-effective delivery of the Services, or (ii) direct Us to disclose Customer Personal Information to Vendors. We cannot guarantee (x) the classification of any particular Vendor under applicable Privacy and Data Security Laws as a service provider, processor, business, controller, or third party or (y) that such disclosures will not be considered a sale under the CCPA or other applicable Privacy and Data Protection Laws.
- In furtherance and not in limitation of the foregoing, You acknowledge that the efficient delivery of certain Services may require the usage of cookies or other tracking technologies (“Tracking Technologies”) to collect Customer Personal Information on Your digital properties.
- You remain fully and solely responsible for determining whether You deem Your sharing or disclosure of Customer Personal Information for such purposes to constitute a sale, and You agree to provide notice and choice to the consumer as described in the CCPA and other applicable Privacy and Data Protection Laws.
- You agree to obtain and maintain all legally required rights, permissions, or consents to use the Customer Personal Information for the purpose provided under applicable Privacy and Data Protection Laws (including but not limited to the GDPR).
- You shall not provide to us any Personal Information relating to any consumer who has opted out of a sale or has otherwise opted out of interest-based advertising.
- With respect to data subjects located in the EU or the EEA, You shall not provide to us any Personal Information relating to any such data subject who has not consented via opt in to the use of any non-essential Tracking Technologies, including but not limited to those used for interest-based advertising.
- You agree to make available to consumers a conspicuously posted privacy policy that complies with applicable Privacy and Data Protection Laws and that discloses the use of Tracking Technologies on Your digital properties to collect and use data with the Services, and you agree to provide consumers user choice mechanisms that comply with the GDPR, the CCPA and all other applicable Privacy and Data Protection Laws and self-regulatory principles.
- You agreed to (a) hold a valid registration with the Transparency and Consent Framework launched by IAB Europe, an industry association for digital advertising (“IAB TCF”); (b) implement and technically integrate the IAB TCF with respect to all of your digital properties; (c) comply with the IAB Europe policies and specification issued by the IAB that are applicable to participants in the IAB TCF as updated from time to time; (d) add Next Millennium and Next Millennium’s Subcontractors and Vendors to Your IAB Global Vendor List using their applicable IAB vendor IDs; and (e) should there be a compliance need, adopt and demonstrate compliance to Next Millennium with an alternative consent and transparency solution.
- You agree to refresh Customer Personal Information You provide on a regular basis to ensure that sale opt-outs continue to be updated or pass through any sale opt-outs as required by the CCPA and other applicable Privacy and Data Protection Laws.
- Where You are the source of the Customer Personal Information and We or our Vendors are operating as a business or third party, You act as a separate and independent business in connection with Customer Personal Information processed in connection with the Services, including to the extent you process any Vendor Data. In no event will the Parties be deemed to be jointly processing any Customer Personal Information.
- In connection with Services involving online targeted advertising, online identity resolution or personalized messaging, the Parties acknowledge that the IAB CCPA Compliance Framework for Publishers and Technology Companies, available at https://www.iab.com/guidelines/ccpa-framework/ (as may be amended from time to time, the “IAB Framework”) may be used as a tool to help facilitate consumer notice and choice. Where You have deemed Your sharing or disclosure of such Customer Personal Information shared via Tracking Technologies to be a sale:
- where You are utilizing our Services, You agree to provide notice and choice values to Us as described in the IAB Framework technical specifications. Upon receiving a sale opt-out, We agree that We will not retain, use or disclose the Customer Personal Information associated with such opted-out user’s identifier other than for the specific purpose of performing the Services or as otherwise permitted by law; and
- where You have authorized Us to engage Vendors on Your behalf who are integrated with the IAB Framework, We shall notify You of such Vendor integration and You agree to provide notice and choice values to such Vendor as described in the IAB Framework. For the avoidance of doubt, not all such Vendors are or will be integrated with the IAB Framework.
- DATA SECURITY. We shall implement and maintain reasonable security measures, procedures, and practices on Our systems appropriate to the nature of the Customer Personal Information and designed to protect such Customer Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”).
- INTERNATIONAL TRANSFERS. You acknowledge and agree that Customer Personal Information will be stored and processed in the United States and other countries in which We or our Subcontractors and/or Vendors maintain facilities. You agree to the transfer of any Customer Personal Information to Us outside of the country in which it was provided. For purposes of receiving Personal Information from the European Union, the United Kingdom, the parties hereby enter into the Standard Contractual Clauses.
- INQUIRIES. If We receive an Inquiry, We shall, as permitted by applicable law, (a) provide You with copies of documents relating to the Inquiry; and (b) not refer to You in any correspondence or other response to the Inquiry without Your prior written consent.
- TERM AND TERMINATION. This Addendum shall commence immediately upon its execution by both parties, and shall terminate: (a) automatically upon termination or expiry of the Agreement; or (b) upon either party giving notice to the other party in writing to terminate this Addendum.
- SURVIVAL. The terms of this Addendum that by their nature are intended to survive termination or expiration of this Addendum or the Agreement shall so survive.
- GENERAL.
- This Addendum supersedes all prior agreements and understandings between Next Millennium and Customer whether oral or written, regarding the subject matter hereof, namely the processing of Personal Information in connection with Parties’ performance of the Agreement.
- Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect. The terms of this Addendum supplement and do not replace the terms of the Agreement, provided that in the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum control. If any modification to this Addendum is required in order to comply with a material change in applicable Privacy and Data Security Laws, changes in the processing activities of Customer Personal Information, and/or a change to Our classification hereunder, We may update this Addendum from time to time at our discretion. We will provide you thirty (30) days’ notice of material changes.
- Each party irrevocably agrees that any disputes shall be determined in accordance with the manner specified in the Agreement, except to the extent that applicable Privacy and Data Protection Laws require otherwise, in which case disputes will be governed in accordance with applicable Privacy and Data Protection Laws.