TRIPLELIFT DATA PROTECTION TERMS
The Data Protection Terms (“DPT”) are incorporated into the TripleLift Publisher Master Services Agreement or TripleLift Supply Master Services Agreement (or other agreement relating to the provision of TripleLift services to Publisher or Seller (as applicable) if not bearing that name) between Triple Lift, Inc. (“TripleLift”) and Publisher or Seller (as applicable) (the “Agreement”) pursuant to which TripleLift provides its services to Publisher or Seller (as applicable) (referred herein as the “Services”). Parties who are referred to as Seller in their Agreement with TripleLift shall be referred to as Publisher throughout this DPT, which is incorporated into Seller’s Agreement with TripleLift. References to the Agreement will be construed as including the DPT. Except as modified below, the terms of the Agreement remain in full force and effect. Certain capitalized terms used in the DPT and not otherwise defined may be defined in Section 9 below. Any capitalized terms not defined in the DPT have the respective meanings given to them in the Agreement. In the event of any conflict between the DPT and the Agreement, the DPT will prevail.
1. Compliance with Data Protection Laws. Each of TripleLift and Publisher will comply with all Data Protection Laws which apply to the parties in respect of the performance of their respective obligations under the DPT and the Agreement. The parties agree that both TripleLift and Publisher are independent Data Controllers for purposes of any Covered Personal Data originating from the European Economic Area, Switzerland, and the United Kingdom (collectively, the “GDPR Territories”), as applicable. For purposes of any Covered Personal Data processed in relation to the Services originating from California, if applicable, both TripleLift and Publisher are Businesses.
2. Contact. Each of TripleLift and Publisher agree to notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding the Covered Personal Data and each of TripleLift and Publisher will handle such enquiries promptly. TripleLift’s data protection officer (DPO) is Lillian Pang, Taceo Limited. Address: Riverbank House, 2 Swan Lane, London, EC4R 3TT.
3. End User Disclosures and Permissions.
3.3. If TripleLift reasonably believes that Publisher’s privacy disclosures or Publisher’s Notice and Choice are not adequate to enable, in a legally compliant and commercially reasonable manner, TripleLift to provide the Services, or Demand Partners to bid for and purchase Inventory, then TripleLift may notify Publisher of its concerns and/or provide a reasonable alternative method. The parties will discuss any changes in good faith.
4. Co-operation between the parties.
4.1. As it relates to the Services, the parties will provide reasonable assistance and cooperate with each other to assist in each party’s compliance with Data Protection Laws.
4.2. Each party may respond directly to Data Subject requests addressed to it relating to its processing of Personal Data. At the request of a party receiving a Data Subject request, the other party will cooperate reasonably in assessing and fulfilling such requests for notification, access, erasure or other requests under Data Protection Laws.
5. Security. Each party will have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data by or on behalf of the parties.
6. International Transfer.
6.1. Publisher acknowledges that certain Covered Personal Data that originates in the GDPR Territories may be processed by TripleLift outside the GDPR Territories. TripleLift and Publisher agree that with respect to such processing (other than that taking place exclusively in an Adequate Country), and as required by Data Protection Laws, the standard contractual clauses (other than those described as optional in the decision) set out in the decision of the European Commission, currently available at available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915, as may be amended, updated or replaced by the European Commission, will apply (“the Clauses”), and form part of the DPT.
6.2. Under the Clauses: (a) Publisher will be, and will comply with the obligations of, the data exporter, (b) TripleLift will be, and will comply with the obligations of the data importer and, for the purposes of Clause II(h) of the Clauses, will comply with the data processing principles set forth in Annex A of the Clauses and (c) the information required for Annex B of the Clauses is set out in Schedule 1 to the DPT.
7. CCPA Compliance.
7.1. The parties agree that this Section 7 is applicable if TripleLift processes Covered Personal Data from residents of California. For purposes of Covered Personal Data originating from California residents, the parties agree that both parties are Businesses.
7.2. In the event that TripleLift is deemed to process Covered Personal Data for a Business Purpose, it will be regarded as a Service Provider and TripleLift will process such Personal Data solely to provide the Services to Publisher, which do not constitute a CCPA Sale. Neither party receives from the other party any monetary or other valuable consideration for using Personal Data or for sharing Personal Data with the other party. Publisher further acknowledges that to facilitate the TripleLift Services, TripleLift transmits Personal Data to Demand Partners and Publisher may use controls provided by TripleLift to select which Demand Partners may access Publisher’s Inventory under the Services. For any End User or device that opts out and about which Publisher shares Personal Data, Publisher will signal the user opt-out to TripleLift in accordance with Industry Standards, and TripleLift will act as Publisher’s Service Provider with respect to Personal Data from such End User, and as such will limit its retention, use, or disclosure as required under the CCPA.
8. Regulatory changes. If changes to applicable Data Protection Laws, or their interpretation or implementation, arise through legislation, claim or regulator guidance or action, which in TripleLift’s reasonable opinion make changes to the DPT necessary or prudent, TripleLift may, on written notice to Publisher, make such changes to the DPT, which Publisher agrees will be binding on Publisher.
The terms “Data Controller”, “Data Subject”, “Personal Data”, and “processing” have the meanings given to such terms under Data Protection Laws.
“Adequate Country” means a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for Personal Data.
“Business” has the meaning given to such term under the CCPA.
“Business Purpose” has the meaning given to such term under the CCPA.
“CCPA Sale” has the meaning given to the term “sale” under the CCPA.
“Client” means each third party client on whose behalf Publisher uses the Services or whom Publisher allows to access the Services.
“Complaint” means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority, consumer or industry body.
“Covered Personal Data” means Personal Data (or equivalent term) as such is defined in Data Protection Laws, that relates to End Users, and that TripleLift or Demand Partners process, or that Publisher otherwise causes TripleLift to process, in relation to the Services. Covered Personal Data includes, without limitation, Personal Data that Publisher provides into the Services directly or through a Provider.
“Data Protection Laws” means, as applicable to TripleLift, Publisher or the Services as may be amended, superseded or replaced: (1) the EU General Data Protection Regulation (Regulation 2016/679); (2) any other national laws made under or pursuant to (1) applicable to GDPR Territories; (3) in the United Kingdom, the Data Protection Act 2018 and any later United Kingdom legislation relating to the processing of personal data; (4) ePrivacy Laws; and (5) in Switzerland, the Swiss Federal Act on Data Protection of 19 June 1992; and (6) in California, the California Consumer Privacy Act of 2018 and any regulation promulgated thereunder (“CCPA”).
“Demand Partners” means media buyers who use the Services to bid for and purchase Inventory including demand side platforms, ad exchanges, agency trading desks and ad networks and any third party acting on behalf of such media buyers.
“EEA” means the European Economic Area.
“End User” means the users or consumers of Inventory on whose devices cookies or similar technologies may be used, or persons who are otherwise the subjects of Personal Data that is processed in relation to the Services, as such may be termed and defined under Data Protection Laws, including “Data Subjects” under the GDPR, “Consumers” under the CCPA, or “users” under 2002/58/EC.
“ePrivacy Laws” means (1) in member states of the European Union: the ePrivacy Directive, or the Regulation concerning the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications) 2017/0003 (COD), once applicable, and all relevant member state laws, rules and regulations giving effect to or corresponding with any of them, and/or (2) in the United Kingdom: the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive) and/or any corresponding or equivalent national laws, rules and regulations.
“Industry Standards” means industry standards available at https://go.triplelift.com/industry-standards/.
“Inventory” means Publisher Media or Media Properties as such terms may be defined in the Agreement or any other electronic media on which Publisher places ads through the Services.
“Provider” means any Client, partner, supplier and/or contractor (e.g. a data provider) on whose behalf Publisher uses the Services or whom Publisher allows to access the Services.
“Publisher” means the Publisher as set out in the Agreement, if such defined term is used, or otherwise TripleLift’s customer or counterparty in the Agreement.
“Notice and Choice” means the disclosures and choices that must be provided to, permissions that must be secured from End Users, and End User rights that must be honored, in accord with the requirements of Data Protection Laws, Industry Standards, and the specific implementation criteria set out by TripleLift at https://go.triplelift.com/industry-standards/ (or any successor location). Notice and Choice includes, without limitation, disclosure of data processing purposes and associated legal bases under the GDPR via the TCF or comparable method, ability to give informed consent (as under GDPR), access for the End User to object to processing (as under GDPR), or the right to opt-out of a CCPA Sale.
“Service Provider” has the meaning given to such term under the CCPA.
“Services” means the services provided by TripleLift to Publisher under the Agreement.
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
DESCRIPTION OF THE TRANSFERS OF PERSONAL DATA
The Personal Data transferred concern the following categories of Data Subjects:
· Publisher’s end users;
· Publisher’s employees, agents, contractors and suppliers;
Purposes of the transfers
The transfer is made for the following purposes:
· to facilitate advertising of information to the Data Subject from the advertiser by way of Inventory;
· the performance of the rights and obligations under the Agreement and any activities that are reasonably necessary or incidental thereto;
Categories of data
The Personal Data transferred concern the following categories of data:
In relation to Data Subjects:
· Cookie, mobile and similar advertising identifiers:
· IP Address;
· Demographic information: age range, gender, other Publisher-specified demographics;
· Data transferred in connection with the data above
In relation to individual employees, contractors, agents or suppliers of Publisher (or its Providers):
· an individual’s business or vocation status, including job role, job description, job title, employment status;
· personal data that is provided by an individual in connection with permitted purposes of processing.
The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:
Demand Partners, vendors (including security, data centre and other providers to the data importer)
Sensitive data (if appropriate)
The Personal Data transferred concern the following categories of sensitive data:
N/A; unless provided by Publisher, which shall be discussed in advance between the parties