f
s
Legal Documentation myTarget DATA SHARING ADDENDUM
DATA SHARING ADDENDUM

myTarget Data Sharing Addendum (Controller-Controller)

Last updated February 2, 2023

This Addendum applies to the services identified in:

Parties subject to offline agreements may receive a version of these addenda for execution and incorporation to such offline agreement if such offline agreement does not include similar data protection language already.

IF YOU DO NOT AGREE TO ALL TERMS AND CONDITIONS OF THIS ADDENDUM, DO NOT USE myTARGET SERVICES and/or download mytarget sdk.

 Terms and definitions

1. DSA is considered as the Data Sharing Addendum between Company and Contractor (Publisher or Advertiser), which is incorporated into and part of myTarget Agreements. This DSA applies only to the European Union-based users and personal data shall mean personal data of such European Union-based users.

2. Company means company listed in the relevant Offer.

3. Contractor means an individual or legal entity who has entered into an myTarget Agreement with the Company as an Advertiser or a Publisher. If the term "Contractor" is used when describing the rights and obligations of users myTarget system, both, the Advertiser and the Publisher, are meant, unless specifically stated otherwise.

4. Publisher means an individual or legal entity having accepted the Terms and conditions for Publishers and entered into Offer for Publishers (collectively "Publisher Agreement") with the Company by accepting the Offer.

5. Advertiser means the person who have accepted Rules for rendering of advertising services for direct advertisers and entered into Offer for direct advertisers (collectively "Advertiser Agreement") with the Company for its own Advertising materials and/or the Advertising materials of the third parties placement through the Company's System.

6. myTarget System (Company's System, myTarget) shall have the meaning ascribed to it in the respective myTarget Agreement.

7. myTarget Services means the services provided under myTarget Agreement(s).

8. The terms Personal Data (Data), processing, data subject, shall bear the meaning ascribed under the the Regulation, and the term "process" shall be construed accordingly.

9. Data Protection Law means the Directive (as amended or replaced from time to time), guidance, directions, determinations, codes of practice, circulars, orders, notices or demands issued by any supervisory authority and any applicable national, international, regional, municipal or other data privacy and data protection laws or regulations in any other territory in which the Services are provided or which are otherwise applicable, including the Regulation, to the relationship between the Parties.

10. Directive means the European Privacy and Electronic Communications Directive (Directive 2002/58/EC).

11. Regulation means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as and when it becomes applicable (General Data Protection Regulation). 

12. Controller means the entity that determines the purposes and means of the processing of personal data.

13. Standard Contractual Clauses means the Standard Contractual Clauses for the Transfer of Personal Data available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

14. Processing has the meaning set forth under the Regulation.

15. Permitted purposes of processing means the following terms and purposes of data processing by Company: Contractors using myTarget services or installing myTarget SDK acknowledge, agree and permit the disclosure of the personal data relating to their end users that should be described in the terms and conditions and documentation for the services of Contractors (the "Data") to Company to process (including collecting or otherwise receiving Data, including by using tracking technologies) as a separate and independent Controller of the Data for the purposes described in Company’s privacy policy as applicable by myTarget Services, including but not limited:

(a) accessing or calling the Publisher's apps or websites, or the servers that make them available, to cause the routing, serving, displaying, targeting, and tracking the performance of Advertiser's ads on the Publisher's apps or websites; (b) using Data for Company’s internal business purposes, including to develop and improve the myTarget SDK and myTarget System; (c) for any other purposes identified in the Company’s Privacy Policy; and/or (d) disclosing Data (i) to third parties (including Advertisers and/or Publishers) as reasonably necessary in connection with the operation of myTarget Systems, (ii) if required by any court order, process, law or governmental agency; and/or (iii) generally when it is aggregated, such that the specific information relating to Contractor or any underlying end user is not directly identifiable (e.g. in marketing materials made available to the industry at large about myTarget System); and/or (e) for other purposes defined in Company’s privacy policy or agreed to in writing by the Parties, provided such processing strictly complies with Applicable Data Protection Law.

Specifically, and notwithstanding anything to the contrary in any prior Data Sharing Addendum, Company shall use the Data in identified format to make targeting decisions within its services, provide monetization services to its Contractors, assist its Contractors with maintaining their services, improving their services, and analysing the marketplace for their services as well as the performance of their services. Notwithstanding the foregoing, data obtained by Company independent of any such Contractors using myTarget Services that is the same or similar to the Data described herein shall not be restricted by this Addendum, any license agreement, or any terms or conditions for such services.

Other terms, whereof the definitions are absent in this section shall be interpreted in accordance with the respective myTarget Agreement, if applicable, or usual and customary business practices as well as in accordance with the laws of England and Wales in force.

1. Scope

1.1. This DSA is an integral part of the terms and conditions for myTarget Services. This DSA supersedes such terms of service in case of discrepancy. The Parties agree that this DSA is designed to state the Parties' obligations resulting from the Regulation, and all local implementing legislation within the European Economic Area and, as necessary, to state the obligations of the Parties with respect to legislation of countries following similar regulatory rules to protect data to the extent such laws are subject to an adequacy finding under European laws.

2. Relationship of the Parties

2.1. The parties acknowledge that Contractor is a controller of the Data it discloses to Company, and that Company will process the Data as a controller for the Permitted Purposes and/or for purposes described in its Privacy Policy and myTarget Agreement provided that it has a legal basis for such additional processing and can comply with all aspects of applicable Data Protection Laws.

2.2. The parties acknowledge that Company is a controller of the Data it discloses to Contractor, and that Contractor will process the Data as a controller for purposes described its Privacy Policy provided that it has a legal basis for such processing and can comply with all aspects of applicable Data Protection Laws.

2.3. Nothing in this DSA shall limit or prevent Company from collecting or using data that Company would otherwise collect and process independently of Contractor's use of the myTarget System and myTarget SDK.

3. Data processing and protection

3.1 Each Party shall process the personal data in compliance with and for the purposes described in this DSA and myTarget Agreement(s) and/or otherwise agreed the Parties.

3.2. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Data Protection Law. Without limitation to the foregoing, each party shall maintain a publicly-accessible privacy policy on its website that satisfies the transparency disclosure requirements of Data Protection Law. Contractor shall list Company as a third party that is collecting Data within providing myTarget Services in its publicly available privacy policy, including providing a link to Company’s privacy policy.

Publisher agree to keep up to date versions of myTarget SDK and services installed in their applications as Company identifies as necessary to permit Company to maintain its compliance with law. By way of example and without limiting the generality of the foregoing, Company relies on Publisher updating their applications with software changes made to provide certain opportunities for end users to exercise their rights to disclosure and deletion requests; however, updates unrelated to compliance with law may occur from time to time which are not subject to this paragraph nor governed by this DSA. To the extent required by Data Protection Law, the Parties agree that they will specifically identify to the other Party when they require that the Party obtain from the relevant individuals their explicit legally valid consent to the sharing of personal data with other Party for purposes identified by the Parties pursuant to Data Protection Law, thereby permitting the use of his or her Personal Data by the receiving Party as contemplated by that Party.

To the extent Contractor processes any such data, Contractor agrees to provide the same level of protection for such Personal Data as is required by the Privacy Shield Principles. Contractor shall notify Company if it decides a determination that it can no longer provide such protection and, in such event, shall cease processing or take other reasonable and appropriate steps to remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles. 

3.3. Each Party shall implement appropriate technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident"). In the event that a party suffers a confirmed Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. Nothing herein prohibits either party with moving forward to notify regulatory authorities as may be required by law prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay. Each Party shall not take any action or make any omission which might reasonably be expected to put the other Party in breach of the Data Protection Law.

3.4. The Parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) to enable the other to comply with its obligations under the Data Protection Law, specifically in order to enable the other to respond to: (i) any request from a data subject to exercise any of its rights under  Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data ("Data Subject Rights"); and (ii) any other correspondence, inquiry, or complaint received from a data subject, regulator, or other third party in connection with the processing of the Data. Each party shall promptly inform the other if it receives any request directly from a data subject to exercise a Data Subject Right in relation to the Data.

3.5. Each Party is entitled to appoint Processor for the purposes set forth herein provided that such Processor agrees to process personal data in compliance with the provisions of this DSA and myTarget Agreements, as applicable, comply with the Data Protection Law, including implementation of security measures to protect personal data as required by Article 32 of the Regulation or provide other sufficient guarantees that processing of personal data by such Processor will be compliant with the Data Protection law.

3.6. Contractor represents and warrants to Company that it complies with Data Protection Law in respect of the data subject's notice and consent receipt mechanism in order to ensure that such consent is freely given, informed, specific and unambiguous in regard to personal data, processed by Company for Permitted purposes.

3.7. Contractor will not provide Company with personal data which is not received in compliance with the requirements of Data Protection Law or which data subject has used its opt-out option. Company expressly denies receiving of such personal data.

3.8. Contractor will provide to Company upon its request any documentation reflecting Contractor’s compliance with Data Protection Law and implementation of its provisions, including as regards receipt of data subject's consent.

3.9. For clarity, Advertisers agree that to the extent they require Company to present data to a third party install tracker that they have such parties under a valid data processing agreement clearly directing the install tracker as to its usage instructions, duties, and liabilities for processing such data.

3.10. Parties acknowledge and agree that neither Contractor nor Company shall process special categories of personal data, as referenced in Article 9 of the Regulation.

3.11. Publisher shall not share with Company any Data that allows users of apps or websites of Publisher to be directly identified (for example, by reference to their name or email address).

3.12. Contractor shall not pass to Company any personal data of children (as such term is defined under applicable Data Protection Law), unless expressly agreed in writing and as permitted under Data Protection Law.

4. International Transfer Obligations

4.1. The Parties agree that personal data of the European Union-based users shall not be transferred outside the European Union unless the following requirements are met:

4.1.1. the recipient of the personal data is located in the European Union or another country that the European Commission or Swiss Federal Data Protection Authority (as applicable) has decided provides adequate protection for personal data, or

4.1.2. the recipient of the personal data complies with binding corporate rules authorization in accordance with the Data Protection Law or has executed Standard Contractual Clauses with the exporter of personal data; or

4.1.3. the recipient of the personal data received personal data according to another approved transfer mechanism which is compliant with Data Protection Law.

4.2. In case the Standard Contractual Clauses shall be executed under clause 4.1.2 above, you agree to such Standard Contractual Clauses which are hereby incorporated by reference into this DSA.

4.2.1. Standard Contractual Clauses MODULE ONE: Transfer Controller to Controller: (in process execution Advertiser Agreement):

For the purposes of clause 7: The Parties agree that there is no Docking clause.

For the purposes of clause 17: The Parties agree to select Option 1, the governing law shall be the law of the Republic of Cyprus.

For the purposes of clause 18 (b): The Parties agree that disputes shall be resolved by the courts of the Republic of Cyprus.

For the purpose of Annex I:

Categories of data subjects whose personal data is transferred: users viewing ads by Advertiser which run through myTarget or clients of the Advertiser;

Categories of personal data transferred: user data: mobile device identifiers (such as device ID, IDFA, GAID); statistics of interactions with ads

Sensitive data is not transferred;

The frequency of the transfer: On frequent and continuous basis whenever a user interacts with myTarget system;

Nature of the processing: All operations such as collection, recording, structuring, storage, use, restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.;

Purpose(s) of the data transfer and further processing: to provide services in accordance with the Advertiser agreement;

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: during the whole period of the Advertiser Agreement

The Identity of the competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses is:

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the Regulation in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the Regulation in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

For the purpose of Annex II: The Parties agree to comply with technical and organization measures including technical and organizational measures to ensure the security of the data set out in ANNEX I to this DSA.

4.2.2. Standard Contractual Clauses MODULE ONE: Transfer Controller to Controller: (in process execution Publisher Agreement):

For the purposes of clause 7: The Parties agree that there is no Docking clause.

For the purposes of clause 17: The Parties agree to select Option 1, the governing law shall be the law of the Republic of Cyprus.

For the purposes of clause 18 (b): The Parties agree that disputes shall be resolved by the courts of the Republic of Cyprus.

For the purpose of Annex I:

Categories of data subjects whose personal data is transferred: the data subjects are end users of the mobile applications and/or websites in which you use myTarget Services;

Categories of personal data transferred: user data: device identifiers (e.g. IDFA, Google Advertising ID, Android (Google) ID), device information (e.g. brand, model, Screen resolution, OS version, language), location data, app version data, network data (IP address, MAC address); site or app data: domain or app name; statistics of interactions with ads

Sensitive data is not transferred;

The frequency of the transfer: On frequent and continuous basis whenever a user interacts with myTarget system;

Nature of the processing: All operations such as collection, recording, structuring, storage, use, restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.;

Purpose(s) of the data transfer and further processing: to provide services in accordance with the Publisher agreement;

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: during the whole period of the Publisher Agreement validity

The Identity of the competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses is:

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the Regulation in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the Regulation in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

For the purpose of Annex II:

The Parties agree to comply with technical and organization measures including technical and organizational measures to ensure the security of the data set out in ANNEX I to this DSA.

In case of any discrepancies or inconsistencies between the text of this DSA and the text of the respective Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

5. Indemnity

5.1. Subject to clauses 6.1-6.2 herein, each party (the "Indemnifying Party") shall indemnify and hold harmless the other, including its officers directors, employees, contractors, and agents (the "Indemnified Party") from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys' fees ("Claims") brought by data subjects, supervisory authorities under the Data Protection Law, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party's breach of this DSA.

5.2. Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (x) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this myTarget DSA and (y) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing damage it may suffer as a consequence of the Indemnifying Party's breach.

5.3. The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned.

6. Limitation of Liability

6.1. Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of your applicable myTarget Agreement(s), and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the myTarget Agreement including this DSA together.

6.2. To the extent that a party has an entitlement under Data Protection Law to claim from the other party (breaching party) compensation paid by that first party to a data subject as a result of a breach of Data Protection Law by the breaching party, such breaching party shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject. For the avoidance of doubt, breaching party shall only be liable to make payment only as compensation of direct damages to the other party under this Clause 6.2 upon receipt of evidence, which shall be to breaching party's reasonable satisfaction, that clearly demonstrates breaching party:

6.2.1. has breached Data Protection Law;

6.2.2. that such breach contributed (in part or in full) to the harm caused entitling the relevant data subject to receive compensation in accordance with Data Protection Law; and

6.2.3. the proportion of responsibility for the harm caused to the relevant data subject which is attributable to breaching party.

7. Treatment of Data Rights in Prior Agreements

7.1. Contractors agree that this DSA does not enlarge any rights provided for in their Terms of Service whether such rights are provided in online Terms of Service or in offline Agreements and they continue to be limited to the use rights and restrictions provided for therein. For clarity to the Advertiser Terms of Service, Advertisers agree that to the extent they require Company to present data to a third party install tracker that they have such parties under a valid data processing agreement clearly directing the install tracker as to its usage instructions, duties, and liabilities for processing such data.

8. Miscellaneous 

8.1. Nothing in this DSA shall confer any benefits or rights on any person or entity other than the parties to this DSA; the foregoing shall not limit third-party beneficiary provisions of the Standard Contractual Clauses.

8.2. Except as modified by this DSA, myTarget Agreement(s) remain in full force and effect.

8.3. In case of any discrepancies or inconsistencies between the text of this DSA and the text of the respective myTarget Agreement(s), this DSA shall prevail.

8.4. Company and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this DSA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this DSA.

8.5. This DSA is co-terminus with myTarget Agreement(s) concluded between the Parties, terminating automatically with last myTarget Agreement(s).

8.6. This DSA in no way alters the limitations of liability or other legal terms set out in any terms and conditions for service or any services agreement entered between the Parties.

9. Survival

9.1 This DSA shall survive termination or expiry of any terms of service or other agreement to permit Company to comply with its legal obligations. Upon termination or expiry of the Contractor relationship, Company may continue to process the Data for the Permitted Purpose provided that such processing complies with the requirements of this DSA and Data Protection Law.

ANNEX I to myTarget Data Sharing Addendum 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Measures for ensuring physical security of locations at which personal data are processed

Physical access control

Measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where data are processed, including:

  • Defined security areas with restricted access (data centers, server rooms);
  • Access authorizations for employees and third parties, visitor registration;
  • Access control system (via magnetic cards);
  • Door locking (electric door openers etc.);
  • Security staff;
  • Surveillance, video/CCTV monitor, alarm system.

2. Measures for user identification and authorisation

Access restriction mechanisms

Measures to prevent data processing systems from being used by unauthorized persons, including:

  • Multi-layered network/systems access restriction architecture;
  • User identification and authentication procedures;
  • Strong ID/password security policy (special characters, minimum length, change of password);
  • Two-factor authentication;
  • Automatic blocking (e.g. password or timeout);
  • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous attempts.

3. Measures for the protection of data during storage

Data access control

Measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:

  • Internal logical access control policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights via roles and permissions;
  • Logging of accesses;
  • Limiting and monitoring of privileged access;
  • Reports of access;
  • Centralized procedures for access granting, revoking and regular review.

4. Measures of pseudonymisation and encryption of personal data. Measures for the protection of data during transmission.

Communication and transport control

Measures to ensure that data cannot be read, copied, modified or deleted without authorization during electronic transmission, including:

  • Transport encryption HTTPS/TLS;
  • Session management with TTL and logout functions;
  • Network segmentation and firewall protection;
  • Internal separation of access to infrastructure and management of SSH access;
  • Secure Socket Shell (SSH) with key based authentication;

Traffic and service monitoring by dedicated operations team.

5. Measures for ensuring events logging

Entry control

Measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems via logging and reporting capabilities.

6. Measures for ensuring accountability

Processing control

Measures to ensure that data are processed solely in accordance with the instructions of the Controller, including:

  • Clear and detailed wording of the contract and DPA;
  • Imposition of the obligation to adhere to the data secrecy requirements on the contractor's’ employees;
  • Confidentiality agreements/clauses with employees and (sub)contractors.

7. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Availability control

Measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical), including:

  • Distributed high-availability service architecture;
  • Backup procedures;
  • Mirroring of hard disks (e.g. RAID technology);
  • Uninterruptible power supply (UPS);
  • Remote storage.

8. Measures for ensuring system configuration, including default configuration

Measures for ensuring system configuration via change management controls with appropriate change validation and approvals. Deployment of changes under control of configuration management systems.

9. Measures for ensuring data minimization

Using a risk-based approach to determining the minimum sufficient amount of data to be processed in the course of data protection impact assessments.

10. Measures for ensuring limited data retention

Application of data retention policies.

11. Measures for ensuring data quality. Measures for allowing data portability and ensuring erasure.

Measures for ensuring data quality, allowing data portability and erasure via self-service tools and/or dedicated support procedures.