This Data Protection Addendum (the “Addendum”) shall apply and govern as to the processing by Media Horizons (“MH” or “We” or “Us”) of Personal Information for or on behalf of its customers (each a “Customer” and together with MH, the “Parties”) unless MH and the Customer have entered into a separate written agreement governing the processing of Personal Information which specifically provides it shall supersede the terms and conditions below.

RECITALS

A. WHEREAS, MH may Process Covered Personal Information (defined below) for the purposes of providing Services or Deliverables to Customer and, if any, its Authorized Affiliates;

B. WHEREAS, Data Protection Laws (defined below) create various rights and obligations regarding the handling of Personal Information; and

C. WHEREAS, the Parties wish to protect Covered Personal Information and to Process such Covered Personal Information in accordance with the terms and conditions of this Data Protection Addendum.

NOW, THEREFORE, in consideration of the mutual covenants contained in this Addendum, the Parties hereby agree as follows:

1. DEFINITIONS

1.1. Except as otherwise stated in Sections 1.2-1.12, the terms as used in this Addendum shall have the meanings given to those terms under the Data Protection Laws.

1.2. As used herein, “Personal Information” means “personal information,” “personally identifiable information,” “personal data,” or other such similar terms as used by the Data Protection Laws.

1.3. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.4. “Authorized Affiliate” means a Customer Affiliate which is permitted to use the Services pursuant to an agreement accepted in writing by MH (including a statement of work, media buy authorization, purchase order or order form).

1.5. As used herein, “Controller” and “Business” are synonyms; and shall have the definition provided under applicable Data Protection Laws, and mean a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

1.6. “Covered Personal Information” means any Personal Information provided or made available to Us or our Affiliates in connection with the Services.

1.7. “Data Protection Laws” mean any applicable local, national, state, and international data privacy and security laws and regulations, including any legally binding regulations, requirements, orders, or decisions of any regulatory, judicial, or governmental authority in connection with the enforcement thereof. For the avoidance of doubt, “Data Protection Laws” include, but are not limited to the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Delaware Personal Data Privacy Act (“DPDA”), Florida Digital Bill of Rights (“FDBR”), the Iowa Consumer Data Protection Act (“ICDPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Tennessee Information Protection Act (“TIPA”), the Indiana Consumer Data Act (“ICDA”), the New Jersey Data Protection Act (“NJDPA”), the New Hampshire Privacy Act (“NHPA”), the Kentucky Consumer Data Privacy Act (“KCDPA”), the Maryland Online Data Privacy Act (“MODPA”), the Nebraska Data Privacy Act (“NDPA”), and the Minnesota Consumer Data Privacy Act (“MCDPA”).

1.8. “Inquiry” means any regulatory inspection, inquiry or correspondence that relates to Covered Personal Information and in which Customer is named.

1.9. “Processing” means any operation or set of operations performed on Personal Information.

1.10. As used herein, “Processor” and “Service Provider” are synonyms; shall have the definition provided under applicable Data Protection Laws; and shall mean a party that Processes Personal Information on behalf of a Controller and in accordance with the Controller’s instructions.

1.11. “Sale” or “Sell” and “Share” or “Sharing” have the meaning set forth in the applicable Data Protection Laws.

1.12. “Services” or “Deliverables” means services and/or deliverables provided or made available by MH at the request of Customer and for the sole benefit of Customer.

2. SERVICE PROVIDER/PROCESSOR

2.1. In instances where MH is the Processor of Personal Information on behalf of Customer, MH is the Service Provider or Processor of Covered Personal Information and Customer is the Controller of such Covered Personal Information, as those terms are used in applicable Data Protection Laws. Customer acknowledges and agrees that it has the authority to share Covered Personal Information with Us under applicable Data Protection Laws and that it has obtained any consent required by applicable Data Protection Laws to do so. Customer acknowledges and agrees that We or authorized third parties may use any shared Covered Personal Information in connection with performance of the Services.

2.2. Where We act as a Service Provider, We agree that We will not retain, use or disclose the Covered Personal Information other than for the purposes specified by Customer, or as otherwise permitted by applicable Data Protection Law; including but not limited to retaining, using, or disclosing the Covered Personal Information for a commercial purpose other than the purposes specified by Customer, and We agree that access to Personal Data will be limited to employees or subcontractors subject to a duty of confidentiality. In addition, where We act as a Processor (Service Provider), We will not sell or share the Covered Personal Information or retain, use, or disclose Covered Personal Information outside our direct business relationship with Customer, and will not combine Personal Information We collect or obtain with personal information We receive from another source or collected from our own interaction with a consumer, unless expressly permitted by the applicable Data Protection Laws governing the applicable Personal Information. We understand and acknowledge our obligations as a Processor (Service Provider) under applicable Data Protection Laws and certify that We understand the restrictions in this subparagraph under applicable Data Protection Laws and will comply with them. Upon reasonable request by Customer, We shall make available all information in our possession necessary to demonstrate our compliance with applicable Data Protection Laws.

2.3. Subject to the foregoing restrictions in subparagraph 2.2 of this Addendum above, Customer acknowledges that We shall have the right to use and disclose information necessary for the operation, performance, support and/or use of the Services (“Usage Data”). Such purposes may include billing, technical support, security and fraud prevention, industry benchmarking based on aggregated data and statistics from our platforms and general platform maintenance and improvement as is necessary to provide the Services. To the extent Usage Data is considered Personal Information under the Data Protection Laws, We acknowledge and confirm that the Services are not provided to Customer as consideration for the Usage Data.

2.4. We agree to provide all reasonable cooperation necessary to enable Customer to comply with consumer requests made pursuant to applicable Data Protection Laws, to assist Customer, including by providing any and all necessary information, in completing any cybersecurity audit or risk assessment required by applicable Data Protection Laws, and to allow Customer to provide meaningful information to consumers about any automated decision-making technology. Certain Services may provide Customer with a number of controls that Customer may use to retrieve, delete, opt-out or restrict Covered Personal Information, which Customer may use to assist with Customer’s consumer obligations under the Data Protection Laws. To the extent that Customer is unable to independently access the relevant Covered Personal Information within the Service, Customer shall contact Us so that We may provide reasonable assistance to Customer in responding to consumer requests. The Parties will work together to establish a consumer handling plan which will include the methods by which Customer will communicate a request to Us and the approximate timing, but not less than ten (10) business days, for facilitating such request. Service time or functional changes to the technology will be provided at Customer’s expense. Certain Services will not require a data subject handling plan as Covered Personal Information is already within Customer’s possession and We will delete any Covered Personal Information on our platforms as soon as no longer required for the Services and not later than the time periods prescribed by the Data Protection Laws.

2.5. In the event that any such consumer request is made directly to Us, We shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. We will direct the consumer to contact Customer to the extent We can identify Customer as the controlling Business. For the avoidance of doubt, nothing shall restrict or prevent Us from responding to any consumer or regulatory authority requests in relation to Personal Information which We Process on our own behalf as a Business.

2.6. Customer authorizes MH to utilize third party subcontractors in connection with the performance of the Services. If We subcontract with another person or legal entity in providing the Services, and the applicable subcontractor will be involved in the Processing of Personal Information, We agree to have in place a written contract with such subcontractor that complies with applicable Data Protection Laws and requires the same commitments of the subcontractor with respect to Processing of Personal Information that We are bound by as a Service Provider. We shall permit Customer the right to object to any subcontractor that processes Personal Information if required under the Data Protection Laws. In instances where a third party subcontractor is acting as the Processor of Personal Information on behalf of Customer, MH shall have no responsibility or liability in connection with such Personal Information or related data.

2.7. We will implement measures to ensure that information that is deleted pursuant to a request to delete remains deleted, deidentified, or aggregated; We will also implement measures to ensure that information that is corrected pursuant to a request to correct remains corrected. We will also stop processing Covered Personal Information upon Customer’s request, when made in accordance with a consumer’s authenticated request.

3. SCOPE

3.1. Each Party agrees that it will comply with its respective obligations under the applicable Data Protection Laws.

3.2. Customer shall have the right to take reasonable and appropriate steps to help ensure that We use Covered Personal Information processed under this Addendum in a manner consistent with Customer’s obligations under the Data Protection Laws. We shall immediately notify Customer if We make a determination that We can no longer meet our obligations under the Data Protection Laws. Customer is granted the right, with notice, to take reasonable and appropriate steps to remediate unauthorized use of Covered Personal Information, including but not limited to upon receiving notice from Us that We can no longer meet our obligations under the Data Protection Laws.

3.3. In instances where We are acting as a Service Provider, if changes to applicable Data Protection Laws, or issuance of other applicable law, regulation, court order or governmental guidance relating to consumer privacy, cause Us to no longer be a Service Provider to Customer for such Services, We shall provide Customer with notice of such change and the Parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, either Party may suspend or terminate the impacted Service (without prejudice to any fees incurred by Customer prior to suspension or termination). Any termination under this Section shall be deemed to be without fault by either Party.

4. PRIVACY PROTECTION. We shall implement and maintain reasonable administrative, technical, and physical safeguards and security measures, procedures and practices appropriate to the volume and nature of the Covered Personal Information (“Security Measures”) to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure. Such Security Measures shall be consistent with industry standards. We will work with Customer to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of responsibilities between Us and Customer to implement said measures. Upon identification of a confirmed Breach of Security (defined herein as the unauthorized access, use, or disclosure of the Covered Personal Information in a manner not permitted hereunder or under applicable law under the appropriate standard of care applicable to the party responsible for the breach), We shall notify Customer within the time required by applicable laws of discovering the Breach of Security and reasonably assist in meeting Customer’s obligations related to the security of the Covered Personal Information in accordance with the laws related to the handling of a Breach of Security.

5. INDEMNIFICATION. In the event of a Breach of Security, the Party that causes the Breach of Security shall indemnify, defend, and hold harmless the other Party and its employees, principals (shareholders or holders of an ownership interest, as the case may be), and agents from and against any and all third party losses, liabilities, damages, costs, expenses (including court costs and reasonable attorneys’ fees), judgments, assessments, fines, and other liabilities to the extent arising out of or resulting from that Breach of Security to the extent required by applicable law.

6. INQUIRIES. If We receive an Inquiry, We shall, as permitted by applicable law, (a) provide Customer with copies of documents relating to the Inquiry, if Customer is named in the Inquiry; and (b) not refer to Customer in any correspondence or other response to the Inquiry without Customer’s prior written consent.

7. SURVIVAL. The terms of this Addendum that by their nature are intended to survive as to MH’s use or possession of Covered Personal Information shall survive such period of use or possession including without limitation to the extent required by applicable Data Protection Laws.