This Data Protection Agreement (the “Agreement”) shall apply and govern as to the processing of Personal Information (as defined below) for or on behalf of Media Horizons (“Media Horizons” or “MH”) by its suppliers (each a “Supplier” and together with MH, the “Parties”) unless the Parties have entered into a separate written agreement governing the processing of Personal Information which specifically provides it shall supersede the terms and conditions below.
RECITALS
-
- WHEREAS, Data Protection Laws (defined below) create various rights and obligations regarding the handling of Personal Information; and
- WHEREAS, the Parties wish to address the impact of the Data Protection Laws in their respective dealings with each other and to protect Covered Personal Information processed by Supplier for Media Horizons and to ensure that Supplier process such Covered Personal Information in accordance with the terms and conditions of this Data Protection Agreement.
NOW, THEREFORE, in consideration of the mutual covenants contained in this Agreement, the Supplier and MH agree as follows:
- DEFINITIONS. All defined terms herein shall have the meanings set forth in the Agreement unless defined in this Agreement.
1.1. Except as otherwise stated in Sections 1.2-1.12, the terms as used in this Agreement shall have the meanings given to those terms under the Data Protection Laws.
1.2. As used herein, “Personal Information” means “personal information,” “personally identifiable information,” “personal data,” or other such similar terms as used by the Data Protection Laws.
1.3. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.4. “Authorized Affiliate” means a Client Affiliate which is permitted to use the Services pursuant to the Agreement between the Parties.
1.5. “Existing Agreement” means any agreement in effect between the Parties as of or after the Effective Date under which Covered Personal Information is Processed as part of the Services. “Agreement” includes any Statements of Work (SOWs), exhibits, attachments, Media Buy Authorizations (MBAs), Purchase Orders (POs), and order forms.
1.6. As used herein, “Controller” and “Business” are synonyms; and shall have the definition provided under applicable Data Protection Laws, and mean a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Information
1.7. “Covered Personal Information” means any Personal Information provided or made available to Us or our Affiliates in connection with the Services.
1.8. “Data Protection Laws” mean any applicable local, national, state, and international data privacy and security laws and regulations, including any legally binding regulations, requirements, orders, or decisions of any regulatory, judicial, or governmental authority in connection with the enforcement thereof. For the avoidance of doubt, “Data Protection Laws” include, but are not limited to the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Delaware Personal Data Privacy Act (“DPDA”), Florida Digital Bill of Rights (“FDBR”), the Iowa Consumer Data Protection Act (“ICDPA”), the Montana Consumer Data Privacy Act (“MCDPA”), the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Tennessee Information Protection Act (“TIPA”), the Indiana Consumer Data Act (“ICDA”), the New Jersey Data Protection Act (“NJDPA”), the New Hampshire Privacy Act (“NHPA”), the Kentucky Consumer Data Privacy Act (“KCDPA”), the Maryland Online Data Privacy Act (“MODPA”), the Nebraska Data Privacy Act (“NDPA”), and the Minnesota Consumer Data Privacy Act (“MCDPA”).
1.9. “Inquiry” means any regulatory inspection, inquiry or correspondence that relates to Covered Personal Information and which Client is named.
1.10. “Processing” means any operation or set of operations performed on Personal Information.
1.11. “Processor,” “Service Provider,” and “Supplier” shall have the definitions provided under applicable Data Protection Laws, and shall mean a party that Processes Personal Information on behalf of a Controller and in accordance with the Controller’s instructions.
1.12. “Sale” or “Sell” and “Share” or “Sharing” have the meaning set forth in the applicable Data Protection Laws.
1.13. Services means services provided or made available by Supplier to MH or on behalf of MH Clients.
- SERVICE PROVIDER/PROCESSOR
2.1. MH is acting or may act as a Service Provider (or Processor) for Processing of Covered Personal Information on behalf of its business clients (“Clients” or “Controllers”). Supplier is acting as a Service Provider (or Processor) in providing Services to MH on behalf of MH Clients. and MH’s Clients are Controllers of Personal Information, as those terms are used in applicable Data Protection Laws. MH’s clients acknowledge and agree that they have the authority and required consent to share Covered Personal Information with Us and Supplier under applicable Data Protection Laws for use in connection with the Services performed by Supplier hereunder. As a condition of this Agreement, Supplier agrees to undertake the obligations of Service Provider (or Processor) pursuant to any data protection agreements of MH’s clients which are provided by MH to Supplier.
2.2. Supplier agrees that Supplier will not retain, use, or disclose the Covered Personal Information other than for the purposes specified by MH, or as otherwise permitted by applicable Data Protection Law; including but not limited to retaining, using, or disclosing the Covered Personal Information for a commercial purpose other than the purposes specified by MH, and Supplier agrees that access to Personal Data will be limited to employees or subcontractors subject to a duty of confidentiality. In addition, where Supplier acts as a Processor (Service Provider), Supplier will not sell or share the Covered Personal Information or retain, use, or disclose Covered Personal Information except as specified by MH or otherwise required by applicable Data Protection Law, and will not combine Personal Information Supplier collects or obtains hereunder with Personal Information Supplier receives from another source or collects from its own interaction with any other person, unless expressly required by the applicable Data Protection Laws governing the applicable Personal Information. Supplier understands and acknowledges its obligations as a Processor (Service Provider) under applicable Data Protection Laws and certifies that it understands the restrictions in this subparagraph under applicable Data Protection Laws and will comply with them. Upon request by Us, Supplier shall fully cooperate and assist Us in making available all information necessary to demonstrate our compliance with applicable Data Protection Laws.
2.3. Subject to the foregoing restrictions in subparagraph 2.2 of above, Supplier shall have the right to use and disclose information only as necessary for the operation, performance, support and/or use of any services provided to MH or as specified by MH. Supplier acknowledges and confirms that any services it provides to MH are not provided as consideration for any Covered Personal Information.
2.4. Supplier agrees to fully cooperate as necessary to enable MH to comply with any obligations it may have to its clients to respond to consumer requests made pursuant to applicable Data Protection Laws, to assist MH in assisting its clients, including by providing any and all necessary information, in completing any required cybersecurity audit or risk assessment, and to assist MH in allowing Client to provide meaningful information to consumers about any automated decision-making technology. Supplier agrees to assist MH in providing reasonable assistance to its Clients in responding to consumer requests. Supplier agrees to facilitate communications with MH’s Clients not less than five (5) days from MH’s receipt of a consumer request. In response to a verified consumer request to a Client of MH relating to Covered Personal Information in Supplier’s possession, Supplier agrees to delete any such Covered Personal Information in its possession within the time periods prescribed by and to the extent required by the Data Protection Laws and to confirm such deletion in writing to MH.
2.5. Upon termination or expiration of the Agreement, Supplier shall work with MH to ensure that, at Client’s option, all Personal Information in Supplier’s possession or control obtained from MH or a Client of MH is deleted, unless Supplier is required by applicable law to retain some or all of the Personal Information.
2.6. In the event that any such consumer request is made directly to Supplier, Supplier shall not respond to such communication directly without prior authorization from MH or MH’s Client, unless legally compelled to do so. Supplier will direct the consumer to contact MH or its Client to the extent MH can identify that Client as the Controlling Business. For the avoidance of doubt, nothing contained herein shall restrict or prevent Supplier or MH from responding to any consumer or regulatory authority requests in relation to Personal Information which Supplier or MH Processes on its own behalf as a Business.
2.7. In the event that Supplier is expressly permitted by MH to subcontract with another person or legal entity in providing services to MH, and the applicable subcontractor will be involved in the Processing of Personal Information, Supplier agrees to have in place a written contract with such subcontractor that complies with applicable Data Protection Laws, and requires the same commitments of the subcontractor with respect to Processing of Personal Information that We are bound by as a Service Provider in each instance. Supplier shall permit MH the right to object to any subcontractor that processes Personal Information if required under the Data Protection Laws.
2.8. Supplier will implement measures to ensure that information that is deleted pursuant to a request to delete remains deleted, deidentified, or aggregated; Supplier will also implement measures to ensure that information that is corrected pursuant to a request to correct remains corrected.
- SCOPE
3.1. Each Party agrees that it will comply with its respective obligations under the applicable Data Protection Laws.
3.2. MH shall have the right to take reasonable and appropriate steps to help ensure that Supplier uses Covered Personal Information processed hereunder in a manner consistent with Supplier’s obligations under the Data Protection Laws. Supplier shall immediately notify MH if Supplier makes a determination that Supplier can no longer meet MH’s obligations under the Data Protection Laws. MH is granted the right, with notice, to take reasonable and appropriate steps to remediate unauthorized use of Covered Personal Information, including but not limited to upon receiving notice from Supplier that Supplier can no longer meet MH’s obligations under the Data Protection Laws. Supplier will allow, cooperate with, and contribute to, reasonable audits, assessments, and inspections by MH, MH’s Clients, or MH’s Client’s designated auditor or assessor, or Supplier may, at least annually and at Supplier’s own expense, arrange for a qualified and independent assessor to conduct an audit or assessment of our policies and technical and organizational measures in support of our obligations under applicable Data Protection Laws, using an appropriate and accepted control standard or framework and audit assessment procedure for such audits or assessments and provide a report of such audit or assessment to Client upon request.
3.3. Should enhancements to the Services, changes to applicable Data Protection Laws, or issuance of other applicable law, regulation, court order or governmental guidance relating to consumer privacy, cause Supplier or MH, if and as applicable, to no longer be a Service Provider for such services, the Party who becomes aware of such change shall provide the other with notice of such change.
- PRIVACY PROTECTION.
Supplier shall implement and maintain reasonable administrative, technical, and physical safeguards and security measures, procedures and practices appropriate to the nature of the Covered Personal Information (“Security Measures”) to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure. Such Security Measures shall be consistent with industry standards. Supplier agrees to assist Us in working with MH Clients to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of responsibilities between Us and MH Clients to implement said measures. Upon identification of a confirmed Breach of Security (defined herein as the unauthorized access, use, or disclosure of the Covered Personal Information in a manner not permitted hereunder or under applicable law under the appropriate standard of care applicable to the party responsible for the breach), Supplier shall notify MH within the time required by applicable laws of discovering the Breach of Security and assist in notification and mitigation to affected Covered Persons as may be required by contract or applicable law. Supplier agrees to fully assist MH in meeting all of MH’s and MH Clients’ obligations related to the security of the Covered Personal Information and any laws related to the handling of a Breach of Security.
- INDEMNIFICATION.
In the event of a Breach of Security caused by Supplier, Supplier shall indemnify, defend, and hold harmless MH and MH Clients and its employees, principals (shareholders or holders of an ownership interest, as the case may be), and agents from and against any and all third party losses, liabilities, damages, costs, expenses (including court costs and reasonable attorneys’ fees), judgments, assessments, fines, and other liabilities arising out of or resulting from that Breach of Security.
- INQUIRIES.
If Supplier receive an Inquiry, Supplier shall, as permitted by applicable law, (a) provide MH with copies of documents relating to the Inquiry, if MH or a client of MH is named in the Inquiry; and (b) not refer to MH or a client of MH in any correspondence or other response to the Inquiry without MH’s prior written consent.
- SURVIVAL.
The terms of this Agreement that by their nature are intended to survive as to MH’s use or possession of Covered Personal Information shall survive such period of use or possession including without limitation to the extent required by applicable Data Protection Laws.