LAST UPDATED: JUNE 2021 / EFFECTIVE: JUNE 2021
Contractual Changes Required by the GDPR
The General Data Protection Regulation (the “GDPR”) applies to the processing that is carried out under the Agreement for any Personal Data related to Data Subjects in the European Economic Area (“EEA”). The GDPR requires data processing contracts – such as the Agreement – to contain additional provisions regulating the processing of Personal Data of Data Subjects based in the EEA. Therefore, the parties agree to add the Data Protection Rider to be incorporated within the Agreement.
This Data Protection Rider makes reference to the “Model Contract Clauses”, produced by the European Commission, which are incorporated into this Data Protection Rider as if they had been set out in full. The full legal name for the Model Contract Clauses is: “The EU-controller to Non-EU/EEA processor model contractual clauses annexed to European Commission Decision C(2010)” located at EUR-Lex - 32010D0087 - EN - EUR-Lex (europa.eu).
Except as set out in this Data Protection Rider, the Agreement and any other agreements already in place between us shall continue in full force and effect. In the event of any conflict or inconsistency between this Data Protection Rider and the terms and conditions of the Agreement, this Data Protection Rider shall prevail. To the extent that this Data Protection Rider does not address project specific data mechanics or specific details relevant to data processing already set out in the Agreement (such as a particular type or frequency of data transfer), those project specific mechanics will remain in place, save that they shall be interpreted to give full effect to the provisions of this Data Protection Rider and the GDPR.
This Data Protection Rider (including the Model Contract Clauses, particularly at clauses 9 and 11.3) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the laws of the Republic of Ireland. The parties irrevocably agree that the courts of the Republic of Ireland have exclusive jurisdiction to settle any Claim.
Please accept or sign and return the Data Protection Rider to acknowledge your agreement of these terms.
If you do not accept these terms, we will discontinue any EEA user related transactions with your applications/mobile websites. Additionally, please do not share any EEA user personal data with us. However, if you continue to use our services, you will be deemed to have accepted these terms.
All communications to be sent to AerServ LLC with a principal place of business at 15420 Laguna Canyon Rd, Irvine, CA 92618, USA with a copy to email: firstname.lastname@example.org
The following definitions apply in this Data Protection Rider:
“Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processes/Processing” shall each have the meanings given in the applicable Data Protection Legislation.
“Data Protection Legislation” means the European Union’s General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including, where applicable, the mandatory guidance and codes of practice issued by the European Commission.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Personal Data transmitted, stored or otherwise processed.
Paragraph 1 shall apply if and to the extent that AerServ in its capacity as a Processor processes any Personal Data of EEA users on the Publisher’s behalf (acting as a Controller) when performing its obligations under the Agreement.
1.1 Each party acknowledges that:
1.1.1 AerServ shall Process the Personal Data for the purposes of:
(a) making available Meson and its services to Publisher;
(b) for sharing or transmitting (‘onward transfer’) Publisher provided user personal data to Publisher’s demand partners who integrate with Meson (“Publisher’s Demand Partners”);
(c) for sharing or transmitting Publisher provided user personal data to Publisher’s demand partners who integrate with Meson;
(d) to enforce the terms of the Agreement and/ or this Rider;
(e) to resolve billing disputes and/ or for fraud detection; and
(f) to comply with any request of a governmental or regulatory body (including subpoenas or court orders).
Publisher further acknowledges that AerServ may need to transfer Personal Data outside of the European Economic Area (“EEA”) in the context of Processing.
1.1.2. the processing shall continue, for the duration of the Agreement;
1.1.3. the processing concerns the following Personal Data:
(a) Persistent online identifiers and user device identifiers (such as IDFA, ADID, GPID etc.);
(b) location data (including IP address etc.);
(c) User agent or such device data, network data about apps or sites;
(d) demographic data;
(e) Persistent online identifiers
1.2 It is acknowledged that both parties are under certain record keeping obligations under the Data Protection Legislation and agree to provide the other party with all reasonable assistance and information required by the other party to satisfy such record keeping obligations.
1.3 It is further acknowledged that Publisher has certain Publisher Demand Partners with whom Publisher (as the Controller) has executed relevant data protection agreements in substance and form as required by European Commission for allowing Meson (as a processor and on behalf of Publisher) to do an onward transfer of Publisher provided EEA Data Subjects’ Personal Data as described herein.
1.4 In the event of any Personal Data breach (actual or suspected) involving the Publisher or a sub-Processor, the Publisher shall (at no cost to AerServ):
1.4.1 notify AerServ of the Personal Data breach without undue delay (but in no event later than 48 hours after becoming aware of or first suspecting the Personal Data Breach); any investigations into such Personal Data Breach; and any measures taken, or that the Publisher will take to address the Personal Data Breach, including to mitigate its possible adverse effects and prevent the reoccurrence of the Personal Data Breach or a similar breach.
1.5 The Processor shall:
1.5.1 Process the Personal Data only to the extent necessary for the purposes of performing its obligations under the Agreement and otherwise in accordance with the documented instructions of the Controller and applicable laws;
1.5.2 not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the Processor shall inform the Controller of such requirement before making the transfer and shall execute appropriate documentation as required under Data Protection Legislation (unless the Processor is barred from making such notification under the relevant applicable law);
1.5.3 ensure that all persons authorised by it to Process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
1.5.4 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access;
1.5.5 The Controller hereby acknowledges that, as per Controller’s instructions, the Processor may share as ‘onward transfer’, Personal Data of EEA Data Subjects outside of the EEA with Controller’s Demand Partners and attribution/fraud detection partners towards the permitted purposes set out under Paragraph 1.1.1 pursuant to this Rider;
1.5.6 cease processing the Personal Data immediately upon the termination or expiry of the Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;
1.5.7 not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes;
1.5.8 if requested by Controller, without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same to honour any Data Subject’s request;
1.5.9 make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this clause, and allow for contribution to audits, including inspections, conducted by the Controller or its representative;
1.5.10 at the earliest opportunity, and in any event within 72 hours after having become aware, notify the Controller of any unauthorised or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences.
Each party shall indemnify and defend the other party against all loss, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims, which a party may incur or suffer in connection with breach of the terms of this Rider resulting in violation of applicable Data Protection Legislation by the other party. Publisher shall indemnify and defend AerServ against all loss, fines, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims including claims from Publisher’s demand partners, which AerServ may incur or suffer in connection with onward transfer or sharing of any EEA Data Subject’s Personal Data with Publisher’s demand partners at Publisher’s request or on behalf of Publisher. The indemnifying party shall have control over the defense. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOST PROFITS, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES. EACH PARTY’S TOTAL AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ALL CLAIMS ARISING UNDER OR IN CONNECTION WITH THIS RIDER EXCEED US$50,000. THE LIMITATIONS OF THIS SECTION SHALL APPLY EVEN IF EITHER OR BOTH PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
3 MODEL CONTRACT CLAUSES
The Model Contract Clauses require setting out more detail about what data a Controller (in the context of the Agreement and this Rider, the Publisher, which is also deemed to be the data exporter) is transferring to the Processor (in the context of this Agreement and the Rider, AerServ, which is also deemed to be the data importer) and why, as well as how the Processor must keep that data secure. The Controller has set this out in the sections below (EUR-Lex - 32010D0087 - EN - EUR-Lex (europa.eu)).
3.1 Description of data processing
3.1.1 The respective contact details of each party are set out in this Rider.
3.1.2 The types of data are Personal Data, which does not include special categories of data.
3.1.3 Processor will be carrying out the tasks in relation to that data as set out in paragraph 1.4.
3.2 Description of Processor’s security measures
3.2.1 Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.
3.2.2 Monitoring of unauthorised access.
3.2.3 Written procedures for employees, contractors and visitors covering confidentiality and security of data.
3.2.4 Restricting access to systems depending on the sensitivity/criticality of such systems.
3.2.5 Use of password protection where such functionality is available.
3.2.6 Maintaining records of the access granted to which individuals.
3.2.7 Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
3.3 Additional Provision
3.3.1 The illustrative indemnity contained in the Model Contract Clauses is deemed deleted.
3.3.2 Although the parties have taken the approach set out in this Rider, the parties acknowledge that the applicable Data Protection Legislation(s) ultimately determines status with respect to each party in which case each party will comply with the relevant requirements.