Publisher DPA

Publisher Data Processing Addendum (DPA)

 

 

  1. Introduction

 

1.1 The parties acknowledge and agree that this DPA sets out:

 

(i) the terms that are required under the GDPR in relation to the Processing of Agreement Personal Data that Collective undertakes as Processor on behalf of either (as appropriate): (a) the Publisher in connection with the provision of the Services; or (b) the Advertiser/Agency in connection with the Media Services;

 

(ii) the parties’ respective obligations where the parties each act as independent Controllers; and

 

(iii) all other terms governing the parties’ Processing of Agreement Personal Data in connection with the Agreement.

2.0 Definitions

2.1 Capitalised terms used but not defined in this DPA shall have the meaning set out in the Agreement.

2.2 The following terms have the following meanings when used in this DPA:

 

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

 

Advertiser/Agency means the client organisation instructing or engaging Collective to provide the Media Services.

Affiliate means, with respect to a party, an entity that (directly or indirectly) controls, is controlled by or is under common control with, such party, where control refers to the power to direct or cause the direction of the management policies of another entity, whether through ownership of voting securities, by contract or otherwise.

 

Agreement means the agreement for Services agreed between Collective and the Publisher.

Agreement Personal Data means any and all Personal Data which is collected or which is otherwise processed by either party as a result of or in connection with the Agreement.

 

Campaign(s) means a set of measurable digital advertisements with a single message delivered to the Data Subjects as part of the Media Services.

 

Cookies means the use of an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user, within the prohibition on such activities in regulation 6(1) of PECR (as defined in Data Protection Legislation below) and any successor legislation thereto.

 

Data Subject Request means a Data Subject’s request to exercise their own rights under Data Protection Legislation, including the right to access, correct, amend, transfer or delete that person’s Personal Data.

Data Protection Legislation means the UK Data Protection Legislation, including the General Data Protection Legislation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (“PECR”) (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);

 

Direct Campaign Services means the provision of digital Campaigns by Collective in accordance with the Advertiser/Agency instructions.

 

Global Vendor List has the meaning given to it in the IAB Policies.

IAB TCF means the Transparency and Consent Framework launched by IAB Europe, an industry association for digital advertising.

 

IAB Policies means the IAB Europe policies and specification issued by the IAB that are applicable to participants in the IAB TCF as updated from time to time.

 

Inventory means the access to space made available by the Publisher on owned Publisher Digital Properties for digital advertisements at any given time under the terms of the Agreement.

Media Services mean the Direct Campaign Services and the Programmatic Campaign Services provided by Collective to the Advertiser/Agency.

 

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Agreement Personal Data, transmitted, stored or otherwise Processed.

Programmatic Campaign Services:

Publisher Digital Properties means the various magazines, publications, websites and mobile apps relating to the Publisher’s activities.

Real-Time Bidding means advertising Inventory bought and sold via programmatic instantaneous auction.

 

Regulator means any supervisory authority with authority under Data Protection Legislation over the Processing of Personal Data.

 

Services means the provision of the digital media related services as more particularly defined by the Agreement.

 

Sub-processor means a subcontractor engaged by Collective or its Affiliates that will Process Agreement Personal Data as part of the performance of the Services or the Media Services where Collective acts as a Processor on behalf of another Controller.

TCF v2 means version 2 of the Transparency and Consent Framework (TCF) launched by IAB Europe to assist the digital advertising ecosystem in complying with obligations under Data Protection Legislation.

 

  3. Relationship with the Agreement

 

In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail.

  4. Processing of Agreement Personal Data – Roles of the Parties

 

4.1 The parties acknowledge and agree that (to the extent applicable) in relation to the Direct Campaign Services:

(i) Publisher acts as a Controller of Personal Data collected on or on behalf of the Publisher through the Publisher’s Digital Properties and each and every time a Data Subject visits the Publisher website(s) and including, but not limited to, information collected about the Data Subject’s device, browser and operating systems, device identifiers, IP addresses and browsing activities including information relating to digital advertisements accessed, clicked on or viewed.

(ii) Collective acts as Controller of limited Personal Data when Processing Agreement Personal Data for the following purposes: (1) building creatives for Advertisers/Agencies containing ad personalization as defined by TCF v2; (2) where Collective influences and determines the optimization of Campaigns; (3) where Collective influences and determines the quantity and specifications of Inventory purchase; (4) where Collective implements viewability and brand safety measures across Campaigns; (5) where Collective determines the quality and quantity of research conducted to evaluate the effectiveness of Media Services but only to such extent that the research data contains Personal Data; and (6) accessing Inventory through tag or header bidding;

(iii) except as set out in clauses 4.1(a)(i) and (ii) Collective acts solely as a Processor on behalf of another Controller; and

(iv) in the event that, during the course of the Agreement, in response to applicable emerging regulatory guidance or legislation Collective considers that its categorisation for any Processing carried out under the Agreement and/or in connection with the provision of the Media Services should change: (i) from Controller to Processor; or (ii) from Processor to Controller, Collective shall provide written notice of this change to Publisher and the parties agree that the terms under this DPA relating to Collective’s updated categorisation shall apply to all relevant Processing from the date of receipt of such notice.

4.2 The parties acknowledge and agree that (to the extent applicable) in relation to the Programmatic Campaign Services Collective acts at all times as a Processor and at all times the Publisher acts as a Controller.

  5. Publisher’s Processing of Agreement Personal Data – General Obligations

 

In respect of the parties’ Processing,

5.1 Where the Publisher acts as a Data Controller in respect of the Services the Publisher shall:

(i) comply with Data Protection Legislation and ensure that any instructions it issues to Collective in relation to the Services shall comply with Data Protection Legislation;

(ii) not knowingly or negligently do or omit to do anything which places Collective in breach of the Data Protection Legislation; and

(iii) have sole responsibility for the accuracy, quality, and legality of Agreement Personal Data, and the means by which Publisher acquired Personal Data and shall establish the legal basis for Processing by Publisher under Data Protection Legislation.

5.2 Publisher warrants that:

(i) the disclosure of Agreement Personal Data to Collective is limited to what is necessary in order for Collective to perform the Services; and

(ii) such Agreement Personal Data is accurate and up-to-date at the time that it is provided to Collective.

5.3 Publisher shall:

(i) collect Agreement Personal Data in a manner compliant with Data Protection Legislation, including by providing all notices and obtaining all consents from Data Subjects as may be required under Data Protection Legislation in order for Collective to deploy cookies on the Publisher Properties and lawfully and fairly Process Agreement Personal Data in connection with the provision of the Services and as otherwise contemplated by this DPA and the remainder of the Agreement;

(ii) immediately notify Collective where Agreement Personal Data has been collected or processed in a manner not compliant with the obligations set out in clause 5.3(i) above;

(iii) notify Collective upon becoming aware that Agreement Personal Data has become inaccurate or out of date; and

(iv) at all times during the Term: (a) hold a valid registration with the IAB TCF; (b) implement and technically integrate the IAB TCF on to all Publisher Digital Properties; (c) comply with the IAB Policies; (d) add Collective and the Collective’s vendors to the Publisher’s IAB Global Vendor List using their applicable IAB vendor IDs; and (e) should there be a compliance need, discuss in good faith adoption of an alternative consent and transparency solution.

 

Collective’s Processing of Agreement Personal Data – General Obligations

5.4 Where Collective Processes Agreement Personal Data as a Controller, Collective shall only Process Agreement Personal Data:

(i) to the extent that it is reasonably necessary for the purposes of providing the Services and/or the Media Services; and

(ii) as otherwise set out in the Agreement (including this DPA).

5.5 Where Collective Processes Agreement Personal Data as a Processor, it shall comply with the Data Protection Legislation as it applies to Collective as a Processor and Collective shall only Process Agreement Personal Data in accordance with Publisher’s instructions and/or as required by law. Publisher instructs Collective to Process Agreement Personal Data to perform the Services and as described in this DPA (including as set out in the Processing Details at Appendix 2) and the remainder of the Agreement.

5.6 Collective shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised and unlawful processing of Agreement Personal Data and against accidental loss or destruction of, or damage to, Agreement Personal Data, appropriate to the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technical development and the cost of implementing any measures appropriate to the harm.

5.7 Collective shall ensure that all personnel who have access to and/or process Agreement Personal Data are obliged to keep the Agreement Personal Data confidential.

5.8 This DPA and the Agreement are Publisher’s complete and final instructions to Collective for the Processing of Agreement Personal Data. Collective shall not be bound by additional or alternate instructions except pursuant to the parties’ mutual written agreement.

5.9 Collective shall inform Publisher if, in its reasonable opinion, an instruction issued by Publisher infringes Data Protection Legislation and shall, acting reasonably, without liability (whether such liability would otherwise arise under this DPA or the Agreement or otherwise), be entitled to stop Processing Agreement Personal Data in accordance with such infringing instruction. The parties acknowledge and agree that a failure or delay by Collective to identify that an instruction infringes Data Protection Legislation shall not cause Collective to be in breach of this DPA or the Agreement nor relieve Publisher from its liability under this DPA or under the Agreement or otherwise.

5.10 In respect of the Agreement Personal Data for which Publisher and Collective each act as Controllers, Publisher and Collective shall comply with their respective obligations as Controllers under Data Protection Legislation (except to the extent that this DPA allocates responsibility for compliance with a particular requirement under Data Protection Legislation to one party).

5.11 Collective shall, at all times during the Term, hold a valid vendor registration with IAB and be listed on the IAB Global Vendor List.

  6. Data Subject Rights; Other Complaints and Requests

Data Subject Requests

6.1 If Collective receives a Data Subject Request (where Collective acts as a Processor and to the extent such Data Subject Request relates to the Agreement Personal Data):

(i) Collective shall, to the extent permitted by law, promptly notify Publisher upon receipt of a Data Subject Request. Following receipt of a Data Subject Request, Collective may contact the relevant Data Subject to acknowledge receipt of the Data Subject Request and to notify the Data Subject that it has referred the Data Subject Request to Publisher, but Collective shall otherwise not respond to any Data Subject Request without Publisher’s prior written instructions;

(ii) Publisher shall handle the Data Subject Request where required and in accordance with Data Protection Legislation; and

(iii) Collective shall provide such commercially reasonable assistance as Publisher may reasonably request to help Publisher fulfil its obligations under Data Protection Legislation to respond to Data Subject Requests. Publisher shall be responsible for any reasonable costs arising from Collective’s provision of such assistance.

Other Complaints and Requests

6.2 Collective shall, to the extent permitted by law, promptly notify Publisher upon receipt of any complaint or request (other than Data Subject Requests or enquiries made by the Regulator) relating to: (a) Publisher’s obligations under Data Protection Legislation (including by way of example only a Right to be Forgotten request made by a Data Subject); or (b) Agreement Personal Data.

6.3 Unless otherwise agreed between the parties, Publisher shall handle the relevant request or complaint and where applicable to the raised complaint or request in accordance with Data Protection Legislation.

6.4 Collective shall provide such commercially reasonable assistance as Publisher may reasonably request in relation to such complaint or request. Publisher shall be responsible for any reasonable costs arising from Collective’s provision of such assistance.

           

Cooperation with Regulators and Conduct of Claims

6.5 Collective shall notify Publisher of all enquiries from a Regulator that Collective receives which relate to the Processing of Agreement Personal Data but only to the extent that such Processing relates to this DPA, unless prohibited from doing so at law or by the Regulator.

6.6 Unless a Regulator requests in writing to engage directly with Collective or the parties (acting reasonably and taking into account the subject matter of the request) agree that Collective shall handle a Regulator request itself, Publisher shall:

(i) be responsible for all communications or correspondence with the Regulator in relation to the Processing of Personal Data; and

(ii) keep Collective informed of such communications or correspondence to the extent permitted by law.

6.7 Notwithstanding the obligations set out in this Clause 6, each party agrees to provide such assistance as is reasonably required to enable the other party to comply with: (i) the exercise of rights under the Data Protection Legislation within the prescribed time period and/or (ii) time limits imposed by the Regulator and/or (iii) as required and agreed between the parties to manage and respond to other complaints made by a Data Subject (or their appointed third party) in relation to the Agreement Personal Data.

 

  7. Breach Management and Notification

 

7.1 The parties agree to meet their obligations under the Data Protection Legislation and shall in any event promptly notify the other upon becoming aware of the occurrence of a Personal Data Breach and provide the receiving party with the following information where available and possible:

(i) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned;

(ii) the name and contact details of the notifying party and from whom more information can be obtained; and

(iii) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 The parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Personal Data Breach, provided that nothing in this clause 2 shall prevent either party from complying with its obligations under Data Protection Legislation.

           

  8. Return and Deletion of Publisher Data

 

8.1 Where Collective acts as a Processor on behalf of Publisher, on termination of the Agreement for any reason, or upon written request from Publisher at any time, Collective shall cease Processing any Agreement Personal Data, and (at Publisher’s direction) return to Publisher (in a form or format to be reasonably agreed by the parties) or delete any Agreement Personal Data, to the extent that such Agreement Personal Data is in Collective’s possession or control, except as required by law or as required in order to defend any actual or possible legal claims.

8.2 Publisher acknowledges that Collective may, in relation to the provision of the Services, have no direct control or access to Agreement Personal Data to the extent that other parties not subject to the Agreement act as independent controllers and/or processors and as necessary to meet Collective’s obligations under the Agreement.

8.3 Publisher acknowledges and agrees that Collective shall have no liability for any losses incurred by Publisher arising from or in connection with Collective’s inability to perform the Services as a result of Collective complying with a request to delete or return Agreement Personal Data made by Publisher pursuant to clause 1.

 

  9. Collective Processors and Sub-processors

 

9.1 Publisher acknowledges and agrees that: (a) Collective may engage Processors (where Collective acts as Controller) and Sub-processors (where Collective acts as Processor and as listed in Appendix 1) in connection with the provision of the Services and the Media Services; and (b) such Processors and Sub-processors may include Collective Affiliates.

9.2 Collective shall ensure that its contract with any Sub-processor imposes on the Sub-processor obligations that are equivalent to the obligations to which Collective is subject when acting as a Processor on behalf of the Publisher under this DPA.

9.3 Publisher may object to Collective’s use of a new Sub-processor where there are reasonable grounds to believe that the new Sub-processor will be unable to comply with the terms of this DPA or the Agreement. If Publisher objects to Collective’s use of a new Sub-processor, Publisher shall notify Collective promptly in writing within ten (10) days after notification regarding such Sub-processor. Publisher’s failure to object in writing within such time period shall constitute approval to use the new Sub-processor. Publisher acknowledges that the inability to use a particular new Sub-processor may result in delay in performing the Services, inability to perform the Services or loss of revenue paid to the Publisher. Collective will notify Publisher in writing of any change to Services or fees that would result from Collective’s inability to use a new Sub-processor to which Publisher has objected. Publisher may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. Collective shall have a right to terminate the Agreement if Publisher unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the Agreement implementing changes in fees or Services resulting from the inability to use the Sub-processor at issue.

9.4 Collective shall be responsible and liable for the acts, omissions or defaults of its Sub-processors in the performance of obligations under this DPA or otherwise as if they were Collective’s own acts, omissions or defaults.

Audits and Requests for Information and Assistance

10.1 In relation to the Services and the Agreement Publisher Data only, Publisher may audit Collective’s compliance with its obligations under this DPA, subject to the following requirements:

(i) Publisher may perform such audits once per year and only more frequently if required by Data Protection Legislation applicable to Publisher;

(ii) Publisher may use a third party to perform the audit on its behalf, provided the third party is mutually agreed to by both Publisher and Collective and provided that the third party executes a confidentiality agreement acceptable to Collective before the audit;

(iii) audits must be conducted during regular business hours, subject to Collective’s policies, and may not unreasonably interfere with Collective’s business activities;

(iv) Publisher must provide Collective with any audit reports generated in connection with any audit at no charge unless prohibited by law. Publisher may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Legislation and/or confirming compliance with the requirements of this DPA. The audit reports shall constitute confidential information of the parties under the Agreement;

(v) to request an audit, Publisher must submit a detailed audit plan to Collective at least six (6) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Collective will review the audit plan and inform Publisher of any concerns or questions (for example, any request for information that could compromise Collective’s confidentiality obligations or its security, privacy, employment or other relevant policies). Collective will work cooperatively with Publisher to agree on a final audit plan;

(vi) nothing in this clause 1 shall require Collective to breach any duties of confidentiality owed to any of its Publishers or employees;

(vii) all audits are at Publisher’s sole cost and expense. Any request for Collective audit assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional service for which reasonable additional fees may be charged. Collective reserves the right to require Publisher’s written agreement to pay for such fees before providing such audit assistance.

10.2 Each party will be separately responsible for assessing the need to undertake, and the completion of, any data protection impact assessment, including any consultation with a Regulator, under Articles 35 and 36 of the GDPR or otherwise in respect of its use or provision of the Services.

10.3 Where requested by Publisher, Collective shall, at Publisher’s cost, provide Publisher with such assistance and information as may be reasonably required in order for Publisher to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of the GDPR, respectively.

10.4 Where requested by Collective, Publisher shall, at Collective’s cost, provide Collective with such assistance and information as may be reasonably required in order for Collective to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of the GDPR, respectively.

11 Transfers Outside of the European Economic Area

11.1 Subject to the remainder of this clause 11, Publisher consents to transfers of Agreement Personal Data to Collective, Collective’s Affiliates or Collective’s and Collective’s Affiliates’ respective Sub-processors based in countries outside the EEA.

Data Transfer Mechanisms where Collective acts as a Processor

11.2 Where Collective acts as a Processor of Agreement Personal Data that is transferred, either directly or via onward transfer, from the UK or the EEA to a recipient outside the UK or the EEA in a country not recognised by the European Commission as providing an adequate level of protection for Personal Data (“Third Country Recipient”), such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for Agreement Personal Data, including but not limited to Standard Contractual Clauses, binding corporate rules or the EU-US Privacy Shield Framework (each a “Data Transfer Mechanism”).

11.3 If the Standard Contractual Clauses are no longer deemed adequate by a competent authority or the Data Protection Legislation, Collective agrees to enter into an agreement approved pursuant to the Data Protection Legislation or take other measures reasonably required, as a matter of priority.

11.4 Collective shall ensure each transfer of Agreement Personal Data to a Sub-processor is made under an appropriate Data Transfer Mechanism.

 

Transfer where Collective acts as a Controller

11.5 Where Collective acts as a Controller and transfers Agreement Personal Data outside of the UK or the EEA or a country recognised by the European Commission as providing an adequate level of protection for personal data, Collective will ensure that such transfers are covered by a Data Transfer Mechanism.

  12. Analytics

 

Publisher agrees that during and after the term of the Agreement, Collective may use any information it collects and uses in connection with the Services, together with information from its other Publishers, for data analytics purposes, including to create insights, reports and other analytics to improve the quality of and market Collective’s advice, products and services. The output of such analytics will not identify particular Publishers or individuals.

     

  13. Liability

The parties agree that all liabilities between them under this DPA and the Standard Contractual Clauses will be subject to the limitations and exclusions of liability and other terms of the Agreement, except that such limitations and exclusions of liability will not apply to any party’s liability to Data Subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by Data Protection Legislation.

 

 

 

Appendix 1

 

List of Subprocessors:

  • Appnexus
  • Improve Digital
  • Sizmek
  • Celtra
  • Appetite
  • Flashtalking
  • Doubleclick Studio

 

Appendix 2 – Processing Details (in respect of Collective’s Processing of Agreement Personal Data as a Processor)

Subject of processing: To enable Collective to provide the Services envisaged in the Agreement.

Nature of services/products:

  • ☒ Ad Network
  • ☒ Creative Optimization
  • ☒ Measurement/Analytics

Purposes:

  • ☒ Ad selection, delivery and reporting
  • ☒ Measurement

Duration: For the term of the Agreement.

Data Subjects: End users to whom online advertising has been, or will be, directed

Types of Personal Data:

  • ☒ Type of browser and settings
  • ☒ Device operating system information
  • ☒ Cookie information
  • ☒ Identifiers assigned to end user device (e.g. advertising IDs)
  • ☒ Geographic location of device when accessing websites / apps