This Data License Agreement (“License Agreement”) is made part of an Order Form between Matchbook Data, LLC, a Georgia limited liability company (“Licensor”) and the customer or licensee identified in such Order Form (“Licensee”), by virtue of being attached to such Order Form or incorporated by reference through a URL link embedded in such Order Form, and sets forth additional terms and conditions relating to the provision and use of Licensed Data (defined below) licensed under such Order Form which the Licensor and Licensee agree to be bound by. This License Agreement also forms a part of any additional Order Form that both Licensor and Licensee may execute and deliver from time to time which attaches this License Agreement or otherwise incorporates its terms by reference through a URL link embedded in such Order Form. This License Agreement, all such Order Forms to which this License Agreement is a part (each, an “Order Form”), and all exhibits, annexes, appendices, addenda, and schedules hereto and thereto shall collectively be the “Agreement”. Capitalized terms that are not defined in this License Agreement (or in an addendum or exhibit hereto) shall have the meanings given those terms under the Order Form.
1. Definitions. As used in the Agreement, the following terms shall have the following meanings:
1.1 “Applicable Laws” means, to the extent applicable to performance of this Agreement or the receipt, use, or other processing of the Licensed Data, (a) all U.S. state and federal laws, including without limitation the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), Cal. Civil Code § 1798.100 et seq., including any implementing regulations and amendments thereto (collectively, the “CCPA/CPRA”); the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto (the “CPA“); the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto (the “CTDPA”); the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq. (SB 0227), including any implementing regulations and amendments thereto (the “UCPA”); the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq. (SB 1392), including any implementing regulations and amendments thereto (the “VCDPA”); any similar U.S. personal data privacy or protection laws; the Self-Regulatory Principles of the Digital Advertising Alliance (“DAA”); and the Codes of Conduct of the Network Advertising Initiative (“NAI”); and (b) any personal data privacy or protection laws of any non-US jurisdictions from which Licensed Data under this Agreement is received or otherwise processed, including all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and EU Member State laws supplementing the GDPR; the GDPR as incorporated into United Kingdom (“UK”) law (the “UK GDPR”) and the Data Protection Act 2018; and the Principles of the European Interactive Digital Alliance (“EDAA”).
1.2 “Audience Segment” means a grouping of Users based on common interests or behaviors created in connection with Licensee’s use case or vertical identified in the respective Order Form.
1.3 “Dashboard” means a user interface for providing Reports to Licensee, aggregating and displaying metrics and key indicators to communicate contextual insights into metrics with intuitive visualization, including but not limited to charts, scales, gauges, etc.
1.4 “EEA” or “European Economic Area” means the European Union Iceland, Liechtenstein, Norway and Switzerland.
1.5 “Insights” means any analysis or research based on Licensed Data, alone or in combination with other data received from other sources, that is conducted or created in connection with Licensee’s use case or vertical identified in the respective Order Form.
1.6 “Licensed Data” means the data and/or data products (including, without limitation, Reports) specified in one or more Order Forms executed by the parties hereto.
1.7 “Personally Identifiable Information” means any information that relates to, identifies, may be used to identify, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including, without limitation, name, address, email address, social security number, telephone number, social media user ID or handle, financial account number and government-issued identifier.
1.8 “Prohibited Parties” means those entities and businesses whose common names are listed on Exhibit C, as well as their owners, affiliates, subsidiaries, successors, and assigns.
1.9 “Raw Licensed Data” means (a) latitude and longitude coordinates and/or (b) device ID (regardless of whether any device ID is obfuscated or not).
1.10 “Report” means an analysis of raw mobile device data, including, without limitation, reports regarding frequency of visitation to a place of interest, effectiveness of advertising campaigns, and other reports providing insight and context for raw data, whether same is presented either via access to the Dashboard, database, or otherwise transmitted to Licensee by Licensor in another form reasonably suited for Licensee’s use pursuant to the Agreement. For the avoidance of doubt, each Report shall constitute Licensed Data under the Agreement.
1.11 “User” means a visitor to a website, mobile website, application or other digital property to which Licensed Data relates.
2. License.
2.1 Grant of Rights. Subject to the restrictions in Section 2.3 below and the other limitations set forth herein, Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, non-sublicensable (except to the extent set forth in the Order Form), worldwide right and license to use the Licensed Data solely to create Audience Segments and Insights (the “Permitted Uses”). If Licensee elects to receive Licensed Data via Licensor’s export application program interface (“Export API”), which election is reflected on one or more Order Forms, Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, non-sublicenseable, worldwide right and license to use Licensor’s Export API to load up geospatial files to extract specific areas of Licensed Data. If Licensee elects to receive Reports as Licensed Data, which election is reflected in one or more Order Forms, Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, non-sublicensable, worldwide right and license to access and use Licensor’s Dashboard solely for the purpose of generating, storing and reviewing Reports.
2.2 Reserved Rights; Ownership. The Licensed Data and Dashboard are licensed and not sold by Licensor to Licensee, and nothing in this License Agreement shall be construed as conferring upon Licensee any right, title or interest in or to the Licensed Data or the Dashboard other than the limited use rights expressly granted hereunder. As between the parties hereto, Licensor is the sole owner of the Licensed Data, the Dashboard and any patents, copyrights, trademarks, trade secrets and any other proprietary rights associated with the foregoing. Subject to Licensee’s compliance with the terms of the Agreement, including, without limitation, Sections 2.3 and 4 of this License Agreement, Licensee shall be the sole owner of the Audience Segments and Insights created during the Term in compliance with the Agreement. Licensee shall not, directly or indirectly, contest the validity of, or seek to register anywhere in the world, any rights in the Licensed Data. Nothing in this License Agreement shall in any way restrict Licensor’s or its other customers’ use of the Licensed Data.
2.3 Restrictions. Except as expressly set forth herein and in the applicable Order Form, Licensee shall not, directly or indirectly, and shall ensure that its permitted sublicensees (if applicable) do not:
(a) Use the Licensed Data or Dashboard for any purpose other than the Permitted Uses, including, without limitation, for the purpose of developing a standalone geo/IP targeting database or data product;
(b) Resell, transfer, sublicense, distribute, assign, or otherwise provide access to the Dashboard, Licensed Data or any derivative works thereof (other than Audience Segments and Insights) in any form to those persons or entities identified as “Prohibited Parties” in Exhibit C as well as any additional similar designations in any Order Form;
(c) Resell, sublicense, distribute or otherwise provide access to the Dashboard, Raw Licensed Data or any derivative works resulting from the Licensed Data (other than Audience Segments and Insights) to any third party;
(d) Copy, modify, adapt, or translate the Dashboard or Licensed Data;
(e) Reverse engineer, disassemble, or decompile the Dashboard or Licensed Data in any form for any purpose, including, without limitation, to re-identify an anonymous user, such as by associating any Personally Identifiable Information obtained by third party data sources directly with the Licensed Data;
(f) Further license an advertiser ID (such as an IDFA or Android Ad ID), unless required for Licensee’s “AdTech” use case, as defined by and set forth in the respective Order Form(s);
(g) Use Licensed Data obtained from a User operating iOS version 14.5 or higher for the purpose of tracking such User’s activity across mobile applications and/or websites, unless the User has provided affirmative, opt-in consent to such usage;
(h) Further license, sublicense, distribute, use, market, or sell the Dashboard or Licensed Data, or information derived from Licensed Data (whether alone or combined with other third party data sources):
(i) to law enforcement agencies or to any governmental agency to be used for a law enforcement purpose, except to the extent strictly necessary (and then redacted to the greatest extent possible) to comply with a judicial or other governmental order or as may be required by Applicable Laws; provided, however, that Licensee will give Licensor as much advance notice as reasonably possible of any such disclosure so that Licensor may seek a protective order or other remedy;
(ii) for any unlawful tracking or unlawful surveillance;
(iii) to promote any illegal product or engage in any illegal purpose;
(iv) to associate any User, device or individual to create profiles or inferences related to social networks, health status or ailments, sexual orientation or activity, political activity or beliefs, or religious convictions;
(v) to identify or locate, or associate any User, device or individual with any:
(1) medical facilities (e.g., family planning or pregnancy centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals);
(2) religious organizations;
(3) correctional facilities;
(4) labor union offices;
(5) locations of entities held out to the public as predominantly providing education or childcare services to minors;
(6) associations held out to the public as predominantly providing services based on racial or ethnic origin; or
(7) locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants;
(vi) for purposes related to political campaigns or fundraising;
(vii) to make decisions about any individual’s eligibility for employment, health care, credit or insurance, or for any other purpose that is covered by the Fair Credit Reporting Act; or
(viii) in a manner that violates Applicable Laws, any contract into which Licensee has entered, or any privacy policy posted by Licensee;
(ix) to associate the Licensed Data with (a) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife, (b) locations of public gatherings of individuals during political or social demonstrations, marches and protests, or (ii) using such Licensed Data to determine the identity or the location of an individual’s home, i.e., the location of any individual’s private residences.
2.4 Mapped Displays Prohibited. Notwithstanding any provision herein or in any Order Form, Licensee agrees not to use and not to authorize or permit any entity (including any permitted sublicensees) to use any Licensed Data (in whole or in part) in a manner that makes available to the general public any display of population, traffic or movement patterns against a map, except (a) as confined to census-tract level display or (b) displayed by (i) a minimum data aggregation threshold of twenty-five (25) for the number of unique advertiser IDs (whether obfuscated or unobfuscated) or a unique identifier established by Licensor that is required to underpin a reported value or distribution, and (ii) ensuring that the minimum data aggregation threshold value for an extrapolated estimate of the number of individuals related to a specific combination of location and time will be twenty-five (25). Solely as an example (and without limitation), Licensee shall not use Licensed Data to publicly display the fact or likelihood that an individual or device (regardless how represented or described, and whether or not identified or identifiable) has been located at or near a particular street, address, intersection or venue.
2.5 Data Security. Licensee acknowledges and agrees that it is solely responsible for the security of the Licensed Data and other Confidential Information of Licensor (collectively, the “Licensor Proprietary Data”) to the extent it resides on Licensee’s computer system, and Licensee shall use its best efforts, with due regard to the state of the art, to safeguard and to prevent unauthorized disclosure of the Licensor Proprietary Data. Further, Licensee shall implement and maintain internal technical and procedural security measures that conform to industry best practices and are designed to (a) identify reasonably foreseeable threats and hazards to the security and confidentiality of the Licensor Proprietary Data and (b) protect the security and confidentiality of the Licensor Proprietary Data from such threats and hazards. Licensee shall have in place and maintain appropriate processes and procedures that conform to industry practices and are designed to ensure that any data security breach involving the Licensor Proprietary Data (a “Security Incident”) is detected in a timely manner. In the event of a Security Incident, Licensee shall notify Licensor within twelve (12) hours of becoming aware of it and provide to Licensor (within such timescales as Licensee requires) all support and information, necessary to enable Licensor to manage the Security Incident, mitigate the impact of the Security Incident and comply with its notification obligations set out in any Applicable Law.
3. Order Form.
The parties may enter into one or more Order Form(s) during the Term (defined below). Upon execution and delivery by both parties, each Order Form will be deemed incorporated into the Agreement by reference. In the event of any conflict between this License Agreement and an Order Form, the terms of this License Agreement shall govern, except (a) for fees payable, and (b) to the extent the Order Form expressly states that it should override this License Agreement and specifically identifies the overridden clause, in which case, the override applies only to that particular Order Form and not to other Order Forms.
4. Fees and Payment.
4.1 Fee. Licensee shall pay Licensor all amounts set forth in the applicable Order Form, without offset or deduction. Payments shall be paid to Licensor with immediately available funds in United States Dollars by wire transfer or other method as mutually agreed by the parties.
4.2 Annual Payment Terms. Except to the extent otherwise stated in an Order Form, under each Order Form that provides for the fees due to Licensor to be invoiced on an annual basis (an “Annual Order Form”), Licensor will deliver to Licensee an invoice for the annual fees owed by Licensee (i) on or around the beginning of the Initial Term (defined below) and (ii) with respect to an upcoming Renewal Term (defined below), at least thirty (30) days before the start of such Renewal Term, as applicable. Licensee shall pay to Licensor all amounts stated as due to Licensor on an invoice delivered to Licensee within thirty (30) days after receipt of invoice.
4.3 Taxes. The fees set forth in the Order Form and due hereunder are exclusive of any taxes, levies, duties or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes (“Taxes”). Licensee is solely responsible for paying all Taxes associated with its purchases hereunder. If Licensor is legally required to pay or collect Taxes for which Licensee is responsible, Licensor shall invoice Licensee therefor and Licensee shall pay such amount; provided that, Licensor is solely responsible for Taxes on its income, property and employees.
4.4 Late Payment. Amounts not paid by Licensee on their due date will be subject to a delinquency charge on any outstanding balance, including accrued interest, at a rate of the lesser of (a) one and one-half percent (1.5%) per month and (b) the maximum rate permitted by Applicable Laws. Failure to make timely payment shall be considered a material breach of this License Agreement. Failure of Licensee to use the Licensed Data shall not affect the payments owed hereunder.
5. Confidentiality.
5.1 Confidential Information. For purposes of this License Agreement, “Confidential Information” shall include all non-public, confidential or proprietary information disclosed by one party to the other, including, without limitation, the terms set forth in this License Agreement or any Order Form, the Licensed Data, the Dashboard, and any information regarding a party’s business activities, operations, customers and vendors. Confidential Information shall not include information that: (a) is already legitimately known to the other party at the time of disclosure without a breach of the License Agreement or the breach of a duty by any third party to keep such information confidential, (b) is or otherwise becomes available to the public other than by breach of this License Agreement by the receiving party, (c) was received without restriction from any person or entity that the receiving party reasonably believes was not in violation of any duty of non-disclosure, or (d) the receiving party developed independently without reference to or use of the Confidential Information received from the other party.
5.2 Restrictions; Permitted Disclosures. Each party will use a reasonable standard of care to protect the Confidential Information of the other, and will use the other party’s Confidential Information only for purposes of the Agreement and only to the extent necessary for such purposes. Neither party will disclose (whether orally or in writing, or by press release or otherwise) to any third party any Confidential Information of the other party, or any information with respect to the terms and provisions of the Agreement, except:
(a) To each party’s respective officers, directors, employees, subcontractors, auditors and attorneys who have a need to know such Confidential Information, in their capacity as such, are informed by such party of the confidential nature of the Confidential Information, and have a duty or obligation to comply with the non-use and non-disclosure terms herein that are applicable to such party; provided, however, that such party shall be responsible for any breach of the provisions of this Section committed by its officers, directors, employees, subcontractors, auditors or attorneys to the same extent as if such party committed such breach itself;
(b) To the extent strictly necessary (and then redacted to the greatest extent possible) to comply with a judicial or other governmental order or as may be required by Applicable Laws; provided, however, that a party so disclosing Confidential Information will give the other party as much advance notice as reasonably possible of any such disclosure so that such party may seek a protective order or other remedy;
(c) In order to exercise or enforce its rights under the Agreement, provided that prior to disclosure, such party will to the greatest extent reasonably possible seek confidential treatment of the information; or
(d) As mutually agreed by the parties in writing.
6. Privacy; Compliance.
6.1 Compliance. Licensee shall not use the Licensed Data or the Dashboard in violation of any Applicable Law, including, to the extent limited by Applicable Law, combining the Licensed Data with Personally Identifiable Information acquired by Licensee. If the licensing of Licensed Data contemplated hereunder is subject to regulation under the EU GDPR, then the parties acknowledge and agree that (a) each party shall constitute a “Controller”, as defined by the EU GDPR, and (b) the additional terms and conditions set forth in the Standard Contractual Clauses attached hereto as Exhibit A shall apply and each party agrees to be bound thereby. If the licensing of Licensed Data contemplated hereunder is subject to regulation under the UK GDPR, then the parties acknowledge and agree that (a) each party shall constitute a “Controller”, as defined by the UK GDPR, and (b) the additional terms and conditions set forth in the Data Processing Addendum attached hereto as Exhibit B shall apply and each party agrees to be bound thereby. In addition, Licensee shall also delete and purge the Licensed Data on a periodic basis as further described in the applicable Order Form.
6.2 Privacy Policies. To the extent required by Applicable Law, each party shall prominently post a link on its website to a privacy policy, which shall comply with all Applicable Laws and in a legally sufficient manner describe: (a) the types of data it collects; (b) the material ways in which it uses and shares such data, and (c) how Users may opt out through mobile device settings.
6.3 Respect for User Preferences. Each party shall honor mobile opt-out signals. If Licensor transmits to Licensee any opt-out signals it receives through device settings (e.g., “LMT” signal, flag or integer) or in-app opt-out mechanisms, then Licensee shall not knowingly store or use for any purpose Licensed Data regarding any device that has opted out for commercial purposes (except for purposes of honoring suppression).
7. Representations and Warranties.
7.1 Mutual Representations. Each party covenants, represents and warrants, as applicable, to the other that (a) it has the power and authority to enter into and perform its obligations under the Agreement, and (b) it shall comply with all Applicable Laws in connection with the provision or use of Licensed Data and the other activities contemplated hereunder, including, without limitation, those laws relating to User privacy, the collection, use, and sale of Personally Identifiable Information, and data security.
7.2 Disclaimer of Warranties. EXCEPT AS EXPRESSLY SET FORTH HEREIN LICENSOR MAKES NO WARRANTIES OR REPRESENTATIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, ORAL OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. LICENSOR DOES NOT MAKE ANY REPRESENTATION OR WARRANTIES REGARDING THE BENEFIT THAT MAY BE OBTAINED FROM USE OF THE LICENSED DATA OR THAT THE LICENSED DATA MAY BE ERROR-FREE. THE LICENSED DATA IS PROVIDED STRICTLY ON AN “AS IS” AND “AS AVAILABLE” BASIS.
8. Term; Termination.
8.1 Term. This License Agreement shall be in effect as of the effective date of the first Order Form entered into hereunder and shall continue until all Order Forms hereunder have terminated or expired. Each Order Form shall set forth an initial term for the Licensed Data provided under that Order Form (the “Initial Term”). Neither the Initial Term nor Licensee’s license to any Licensed Data provided under an Order Form shall automatically renew. Instead, such Initial Term shall be subject to renewal as set forth below:
(a) For each Order Form identified as “Annual” invoice frequency, upon expiration of the Initial Term, the term of the Order Form may be renewed for additional successive one (1) year periods (each, a “Renewal Term”, and together with the Initial Term, the “Term”) only upon completion of the following steps: (i) Licensor, at its discretion, provides an invoice to Licensee, at least thirty (30) days before the end of the then-current Initial Term or Renewal Term, as applicable, setting forth the Renewal Term and the fees for such Renewal Term; and (ii) Licensee pays such invoice in full before the end of the then-current Initial Term or Renewal Term, as applicable. Licensee may decline the Renewal Term either by: (A) providing to Licensor a written notice of its election not to accept such renewal (a “Renewal Rejection Notice”); or (B) simply not paying the invoice before the end of the then-current Initial Term or Renewal Term, as applicable. If Licensee has delivered a Renewal Rejection Notice prior to the end of the then-current term and mistakenly pays the invoice for the Renewal Term, then Licensor shall return such payment, and the Order Form and Licensee’s license to the Licensed Data provided in an Order Form shall terminate effective as of the end of the then-current term.
8.2 Termination. In addition, either party may terminate this License Agreement or any Order Form (a) upon immediate written notice if the other party commits a material breach of this License Agreement or the Order Form and fails to cure the breach within thirty (30) days of receiving notice thereof from the non-breaching party; and (b) upon immediate written notice if the other party becomes insolvent, files a voluntary petition in bankruptcy or has an involuntary petition filed against it that is not dismissed within sixty (60) days after filing, makes arrangements for the benefit of creditors, has a receiver or trustee appointed for the benefit of its creditors, or initiates reorganization proceedings or takes any step toward liquidation. Without limiting the definition of a material breach, Licensee’s failure to pay any amount due hereunder shall constitute a material breach of this License Agreement. Without limiting the foregoing, Licensor may either suspend the provision of Licensed Data or terminate any Order Form or this License Agreement, in its sole discretion and without liability to Licensee, immediately upon written notice if: (w) Licensee violates or threatens to violate the terms of Section 2 or Section 5, including, without limitation, by providing the Licensed Data to persons or entities included on any “Prohibited Parties” list or similar list included in an Order Form, (x) Licensor is directed or ordered to do so by any regulatory or supervisory authority, (y) Licensor reasonably determines that the suspension or termination is necessary to comply with any change in Applicable Laws (including, without limitation, any guidelines, regulations or opinions issued by a regulatory or supervisory authority), or (z) third party platform provider agreements to which Licensor or any of its data suppliers is a party are implemented, revised, amended, updated or otherwise modified such that Licensor, in its sole discretion, reasonably believes it can no longer continue to provide some or all of the Licensed Data in accordance with its obligations under the Agreement.
8.3 Effect of Termination. If this License Agreement is terminated, the Agreement and all Order Forms then in effect shall also terminate, but if an Order Form expires or is terminated, this License Agreement and any other Order Forms then in effect shall continue in accordance with their terms. Upon termination or expiration of an Order Form for any reason, (a) all rights and licenses of Licensee to use the Licensed Data provided under such Order Form shall immediately cease, (b) Licensee shall make no further use of the Licensed Data and shall immediately completely and permanently purge and erase all copies of the Licensed Data under Licensee’s control and require any sublicensees to do the same; provided that, Licensee may retain any Audience Segments and Insights created prior to the termination or expiration, and (c) any amounts outstanding shall become immediately due and payable. Termination or expiration of this License Agreement or any Order Form shall be without prejudice to any other right or remedy that it may have at law or in equity and will not relieve either party from liability arising from a breach, act or omission occurring prior to the effective date of such termination or expiration.
9. Indemnification.
9.1 Licensee. Licensee shall indemnify, defend and hold harmless Licensor and its affiliates and their respective officers, directors, members, employees and agents (“Licensor Indemnified Parties”), from and against any and all claims, proceedings and demands asserted or alleged against a Licensor Indemnified Party by any third party, and from and against any damages, liabilities, losses, costs and expenses, including reasonable legal fees, arising in connection therewith, that arise out of or relate to (a) a breach of any representation or warranty by Licensee, or (b) any allegation that the Audience Segments, Insights or other Licensee information or products infringe, violate, dilute, or misappropriate any copyright, trade secret, patent, trademark, database rights, or other intellectual property rights of a third party; provided, however, that Licensee shall not have any obligation to indemnify, defend, or hold harmless any Licensor Indemnified Party from or against, and Licensee shall not have any liability for, any claims, proceedings, demands, damages, liabilities, losses, costs, or expenses to the extent resulting from any breach of the Agreement, violation of law, negligence, or willful misconduct, by any Licensor Indemnified Party.
9.2 Licensor. Licensor shall indemnify, defend and hold harmless Licensee and its affiliates and their respective officers, directors, members, employees and agents (“Licensee Indemnified Parties”) from and against any and all claims, proceedings and demands asserted or alleged against a Licensee Indemnified Party by any third party, and from and against any damages, liabilities, losses, costs and expenses, including reasonable legal fees, arising in connection with such third party claim, that arise out of or relate to (a) a breach of any representation or warranty by Licensor or (b) any allegation that the Licensed Data infringe, violate, dilute, or misappropriate any copyright, trade secret, patent, trademark, database rights, or other intellectual property rights of a third party; provided, however, that Licensor shall not have any obligation to indemnify, defend, or hold harmless any Licensee Indemnified Party from or against, and Licensor shall not have any liability for, any claims, proceedings, demands, damages, liabilities, losses, costs, or expenses to the extent resulting from any breach of the Agreement, violation of law, negligence, or willful misconduct, by any Licensee Indemnified Party.
9.3 Procedure. The parties acknowledge and agree that each person or entity entitled to indemnification under Section 9, which is not a party to this License Agreement is an express third-party beneficiary of its terms. The person or entity entitled to indemnification under this Section 9 (“Indemnified Party”) agrees that the party obligated to provide such indemnification (“Indemnifying Party”) may assume sole and exclusive control over the defense and settlement of any claim with respect to which the foregoing indemnity obligations apply. The Indemnified Party shall promptly notify the Indemnifying Party of any claim against it of which it becomes aware; provided that, Indemnified Party’s failure to provide timely notice will not relieve the Indemnifying Party of any liability that it may have to any Indemnified Party, except to the extent that the Indemnifying Party demonstrates that the Indemnifying Party is actually and materially prejudiced by the Indemnified Party’s failure to give such notice. The Indemnified Party shall provide reasonable cooperation to the Indemnifying Party in connection with the defense or settlement of any such claim. The Indemnified Party shall be entitled to participate in the defense of any such claim at its sole cost and expense, but neither party may agree to any settlement with respect to such claim or consent to the entry of any judgment in connection with such claim without the prior written consent of the other party, which consent shall not be unreasonably withheld, conditioned or delayed.
10. Limitation of Liability.
EXCEPT FOR LIABILITY IN RESPECT OF THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 9 OR DAMAGES RESULTING FROM GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, A PARTY’S BREACH OF CONFIDENTIALITY OBLIGATIONS UNDER SECTION 5, OR A BREACH OF SECTION 2 (EXCLUSIVE OF SUBSECTION 2.5) BY LICENSEE OR ITS PERMITTED SUBLICENSEES (“EXCLUDED DAMAGES”), IN NO EVENT SHALL A PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF REVENUE AND/OR PROFIT AND WHETHER OR NOT FORESEEABLE), ARISING OUT OF THE AGREEMENT, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. EXCEPT FOR EXCLUDED DAMAGES, IN NO EVENT SHALL EITHER PARTY’S TOTAL LIABILITY UNDER THE AGREEMENT EXCEED THE AGGREGATE FEES PAID UNDER THE AGREEMENT FOR THE SIX (6) MONTH PERIOD PRECEDING THE DATE THE APPLICABLE LIABILITY FIRST AROSE. IN ADDITION, IN NO EVENT SHALL EITHER PARTY’S LIABILITY IN RESPECT OF ITS INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 9 EXCEED IN THE AGGREGATE THE SUM OF TWO MILLION DOLLARS ($2,000,000). NOTWITHSTANDING THE FOREGOING, LICENSEE’S (A) VIOLATION OF SECTION 2.3, AND (B) OBLIGATION TO PAY FEES AND ANY OTHER AMOUNTS DUE TO LICENSOR PURSUANT TO THE AGREEMENT, SHALL BE EXCLUDED FROM THE FOREGOING LIMITATIONS ON LIABILITY. PAYMENT OF FEES SHALL REMAIN AN INDEPENDENT OBLIGATION UNTIL PAID IN FULL.
11. Audit.
11.1 Licensor. During the Term Licensee shall have the right upon reasonable prior written notice, but no more often than bi-annually, to request to inspect and audit the consent language presented by certain of Licensor’s data providers to Users solely to verify Licensor’s compliance with the terms and conditions of the Agreement and Applicable Laws. Licensor shall use commercially reasonable efforts to respond to all audit requests within thirty (30) days of receipt of written notice thereof; provided that, in the event that Licensor is unable to respond to such audit request without disclosing the identity of one or more of Licensor’s data providers, Licensor shall not be obligated to fulfill the audit request, and in any event, Licensor shall not have any obligation to disclose to Licensee the identities of any of Licensor’s data providers as part of such audit or otherwise. All costs and expenses of such audit shall be paid by Licensee. Any information provided in connection with such audit shall constitute “Confidential Information” of Licensor under this License Agreement.
11.2 Licensee. Licensee shall keep accurate and complete records regarding the activities contemplated hereunder, including, without limitation, information regarding use of the Licensed Data. During the Term and for a period of two (2) years thereafter, Licensor shall have the right upon reasonable prior notice to, or to cause an independent third party to, inspect, audit and copy such records and Licensee’s systems solely to verify Licensee’s compliance with the terms and conditions of this Agreement and Applicable Laws. All costs and expenses of such audit shall be paid by Licensor, unless (a) the audit reveals an underpayment of more than three percent (3%) for any invoice period, in which case Licensee shall (i) promptly reimburse Licensor for all reasonable out-of-pocket costs and expenses related to the audit, and (ii) immediately pay Licensor the underpaid amount with interest in accordance with Section 4.4 of this License Agreement from the date such amount is due until the date such amount is paid in full, or (b) the audit reveals a violation of the terms and conditions of this Agreement or any Applicable Law by Licensee or its permitted sublicensees, in which case Licensee shall promptly reimburse Licensor for all reasonable out-of-pocket costs and expenses related to the audit, without prejudice or limitation to any other rights or remedies of Licensor consistent with this Agreement.
12. Miscellaneous.
12.1 Governing Law; Venue. The Agreement will be governed by and construed in accordance with the laws of the State of Delaware, U.S.A., as it applies to contracts made and performed in such state and, to the extent applicable, the intellectual property laws of the United States. The Agreement shall not be governed by the United Nations Convention on Contracts for the Sale of International Goods, the application of which is expressly excluded by the parties. Each party irrevocably consents to the exclusive jurisdiction and venue of the Delaware Court of Chancery and any state appellate court therefrom within the State of Delaware (or, only if the Delaware Court of Chancery declines to accept jurisdiction over a particular matter, any state or federal court within the State of Delaware) in connection with any dispute, claim or controversy arising out of or relating to the Agreement, and waives any objections as to such jurisdiction or venue.
12.2 Independent Contractors. Licensor and Licensee are, and shall be deemed to be, independent contractors under the Agreement, and nothing herein shall be construed to create a joint venture, partnership, agency, franchise or fiduciary relationship between them. Neither party has any authority to enter into agreements of any kind on behalf of the other party, and neither party will attempt to or will create any representation or warranty or other obligation, express or implied, on behalf of the other party.
12.3 Survival. The provisions of Sections 2.3, 5, 8, 9, 10, 11.2, and 12 shall survive any expiration or termination of the Agreement.
12.4 Remedies. Licensee acknowledges and agrees that a breach of Section 2 or Section 5 by Licensee or its permitted sublicensees would subject Licensor to irreparable harm for which there would be no adequate remedy at law and, therefore, in the event of any actual or threatened breach of Section 2 or Section 5, Licensor shall be entitled to equitable relief, including injunctive relief and specific performance, without any requirement to post any bond or security or prove the inadequacy of any monetary remedy at law.
12.5 Publicity. The parties shall consult with each other before issuing any press release or other similar public statements incorporating Licensed Data in connection with the Permitted Uses (including the subject matter of this Agreement) and shall not issue any such press release or make any such public statements without the prior written consent of the other party, which may be provided via electronic mail. Notwithstanding the foregoing, (i) either party may, without the prior consent of the other party make such public statements or third party disclosures as may be required by any applicable law, rules, or regulations; and (ii) Licensor may disclose Licensee’s publicly available information, including, but not limited to, Licensee’s business name and privacy policy (where applicable) on Licensor’s Trusted Partner List in compliance with Applicable Laws, which Trusted Partner List shall be made available only to Users.
12.6 Severability. In the event that any one or more of the provisions contained in the Agreement shall for any reason be held to be invalid, illegal or unenforceable in any respect, such invalidity, illegality or unenforceability shall not affect any other provision of the Agreement, and both parties shall negotiate in good faith to substitute for such invalid, illegal, or unenforceable provision a mutually acceptable provision that is consistent with the original intent of the parties.
12.7 Modifications This License Agreement may be updated and modified by Licensor from time to time to comply with developing Applicable Laws. Except as required by law, any such modification shall not: (i) increase the proportion of liability or expenses of Licensee relative to Licensor’s proportion of liability or expenses hereunder; or (ii) interfere with Licensee’s authorized use case for the Licensed Data; or (iii) introduce commercial terms that conflict with any of the terms of an existing Order Form between Licensee and Licensor. Licensor shall provide written notice to Licensee in the event of any such modification of this Agreement. Notwithstanding any other provision of this Agreement, if Licensee reasonably determines that any such modification would materially increase Licensee’s costs or liability or otherwise violate the limitations stated in this section, then notwithstanding anything to the contrary in section 8 of this Agreement, Licensee may within thirty (30) days provide written notice of termination of this Agreement and the applicable Order Form to Licensor, without further liability of either party to the other for expenses or damages arising from such termination..
12.8 Waiver. A waiver by either of its rights hereunder shall not be binding unless contained in writing signed by an authorized representative of the party waiving its rights. Further, the non-enforcement or waiver of any provision of the Agreement on one occasion shall not constitute a waiver of such provision on any other occasion unless expressly so agreed in writing. It is agreed that no use of trade or other regular practice or method of dealing between the parties hereto shall be used to modify, interpret, supplement, or alter in any manner the terms of the License Agreement.
12.9 Assignment. Licensee shall not assign or otherwise transfer the Agreement or any rights or obligations hereunder without the prior written consent of Licensor, and any attempted unauthorized assignment shall be void and of no effect. Licensor may assign or transfer the Agreement or any of its rights or obligations hereunder to an affiliate or in connection with a sale of assets or all or part of the business of Licensor without the prior written consent of Licensee. The Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.
12.10 Notices. All notices or other communications required to be given hereunder shall be in writing and delivered to the applicable party at its mailing address, e-mail address, or facsimile number specified on the Order Form (or as such party may hereafter specify for that purpose by notice to the other party). All notices shall be deemed delivered if delivered as indicated: (a) by personal delivery, (b) by overnight courier upon written verification of receipt, (c) by email upon delivery (except that if such delivery is after normal business hours, such email will be deemed delivered on the following business day), (d) by facsimile transmission upon confirmation of receipt, or (e) by certified or registered mail, return receipt requested, upon verification of receipt. All notices shall be effective upon delivery as provided herein.
12.11 Entire Agreement. The Agreement, including the exhibits hereto, the Order Form, and any amendments hereto and thereto, embodies the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous written or oral agreements. Either party’s quotes, proposals, invoices, delivery receipts, acknowledgements, standard or preprinted forms, or other writings wherever located or contained, that are otherwise inconsistent with, in addition to, or different from these terms and conditions of the Agreement will be deemed material alterations that are rejected and of no force and effect. Counterparts. Each Order Form and any amendment thereof may be executed in any number of counterparts, including via facsimile, PDF transmission, and/or electronic signatures, each of which, when so executed and delivered, shall be deemed to be an original and all of which taken together shall constitute one and the same instrument. In producing an Order Form, it shall not be necessary to produce or account for more than one such counterpart signed/accepted by the party against whom enforcement is sought.
EXHIBIT A
EU Data
Standard Contractual Clauses – Controller to Controller
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(I) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.5 (e) and Clause 8.9(b);
(iii) N/A
(iv) Clause 12(a) and (d);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
N/A
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
(i) where it has obtained the data subject’s prior consent;
(ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iii) where necessary in order to protect the vital interests of the data subject or of another natural person.
8.2 Transparency
(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
(i) of its identity and contact details;
(ii) of the categories of personal data processed;
(iii) of the right to obtain a copy of these Clauses;
(iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
(b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
(c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.3 Accuracy and data minimisation
(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
(b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
(c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.
8.4 Storage limitation
The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation of the data and all back-ups at the end of the retention period.
8.5 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
(e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
(f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
(g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.
8.6 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.
8.7 Onward transfers
The data importer shall not disclose the personal data to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
(i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
(iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
(v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or
(vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.8 Processing under the authority of the data importer
The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.
8.9 Documentation and compliance
(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
(b) The data importer shall make such documentation available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
N/A
Clause 10
Data subject rights
(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
(b) In particular, upon request by the data subject the data importer shall, free of charge:
(i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
(ii) rectify inaccurate or incomplete data concerning the data subject;
(iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision
- The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the Republic of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts
ANNEX I
- LIST OF PARTIES
Data exporter(s): Matchbook Data, LLC
150 Granby Street Norfolk, Virginia 23510
Data exporter is a controller with respect to the personal data transferred under these Standard Contractual Clauses. Activities relevant to the data transferred under these Clauses include: collection, aggregation, modification and sale of personal data to data importer.
Data importer(s): Data importer is a controller with respect to the personal data transferred under these Standard Contractual Clauses. Please see the Order Form for identity and contact details of the data importer and activities related to the data transferred under these Clauses.
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The personal data transferred may include the following categories of data subjects:
- End Users of mobile applications or other properties that are owned or operated by the third party data suppliers of data exporter
Categories of personal data transferred: The personal data transferred concern the following categories of data:
- Precise Location Data
- Relative Location Data
- Unique Device Identifiers
- Time and Date Information
- IP Addresses
Sensitive data transferred (if applicable) and applied restrictions or safeguards: No sensitive data is transferred between the parties.
Frequency of Data Transfer:
- As stipulated on an Order Form in accordance with the Agreement (one-off and/or continuous basis)
Nature of the processing:
- Data exporter collects, stores and disseminates the personal data to data importer, and data importer uses, adapts and alters the personal data as described in the purpose below and pursuant to the underlying agreements between the parties.
Purpose(s) of the data transfer and further processing: The transfer is made for the following purposes:
- The data exporter providing data importer with Precise Location Data, Relative Location Data, Unique Device Identifiers, Time and Date Information, IP Addresses, and related information, to facilitate tracking for digital advertising and data analytics or other licensed use cases, described as the Permitted Uses, set forth in the underlying agreements between the parties.
The period for which the personal data will be retained:
- Data importer shall delete all personal data transferred by data exporter on a rolling basis, in every case no later than 12 months from the date on which data importer received such data (as to each delivery set of such data).
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
- The Republic of Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Please see the information provided in Exhibit A to the Order Form(s) executed between data exporter and data importer.
EXHIBIT B
UK Data
Data Processing Addendum
This Data Processing Addendum, including any appendices or annexes attached hereto, (“DPA”) is made part of the Data License Agreement and Order Form between Matchbook Data, LLC (“Provider”) and the customer or licensee identified in such Order Form (such customer or licensee, “Customer”, and the Order Form and License Agreement, collectively, the “Agreement”), pursuant to which Provider transfers Personal Data (as defined herein) to and shares Personal Data with the Customer, as further described in the Agreement and in this DPA. The parties agree to comply with the following provisions with respect to Personal Data provided or made available by Provider to the Customer. This DPA relates only to Personal Data provided or made available by Provider to the Customer and the parties agree and acknowledge that nothing in this DPA creates or adds any rights or obligations for either party for any other data.
References to the “Agreement” will be construed as including this DPA, and, except as modified below, the terms of the Agreement shall remain in full force and effect. Reference to the “Agreement” includes any Order Forms, exhibits, annexes or other documentation incorporated into the Agreement. Any capitalized terms not defined herein shall have the meanings given to them in the Agreement. In the event of a conflict or inconsistency regarding the Processing of Personal Data between this DPA and the Agreement, this DPA will prevail. To the extent any provisions in the Standard Contractual Clauses in Appendix A of this DPA conflict with any provisions elsewhere in the DPA or the Agreement, the Standard Contractual Clauses in Appendix A shall govern.
For purposes of this DPA, and as further described below, the parties (1) acknowledge that each party is a Controller (as defined herein) of the Personal Data that it collects, Processes, or employs to deliver its services; and (2) agree that the Controller to Controller Standard Contractual Clauses as laid out in Appendix A form a part of this DPA.
- DEFINITIONS
“Binding Corporate Rules” shall mean any internal corporate rules approved pursuant to the EU cooperation procedure that enable international transfers in compliance with Articles 25 and 26 of the European Union (“EU”) Data Protection Directive (Directive 95/46/EC) or Article 47 of the GDPR.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, each party is a Controller of the Personal Data that it collects, Processes or employs to deliver its services, absent a further amendment that sets forth circumstances in which either party is a Processor.
“Processor” means an entity that Processes Personal Data on behalf of a Controller.
“Data Protection Laws” means all laws and regulations, including, without limitation, laws and regulations of the EU applicable to the Processing of Personal Data, such as: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC), including subsequent variations, such as the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (“ePrivacy Regulation”), if enacted; and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
“Data Subject” means the individual to whom Personal Data relates.
“Standard Contractual Clauses” shall mean the Standard Contractual Clauses for the Transfer of Personal Data to Controller as set out in EU Commission Decision 2004/915/ECC currently available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en ), as well as any new laws, rules, regulations, and/or contracts that that replace, supersede, or are required to be implemented in connection with the Standard Contractual Clauses.
“Personal Data” means any information relating to an identified or identifiable person processed pursuant to the Agreement and as to which a party is a Controller. The types of Personal Data and categories of Data Subjects Processed under this DPA are set forth in Appendix A attached hereto.
“Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning). For avoidance of doubt, the term “Processing” is intended to describe such operations whether the entity performing such operations is deemed (or deems itself) a Controller or a Processor.
“Security incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
“Transfer” means the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the Personal Data originated from.
- PURPOSE OF PROCESSING
- Provider and Customer are parties to the Agreement, under which Provider provides Personal Data to Customer. Provider and Customer each shall Transfer and Process such Personal Data only for the purposes described in the Agreement and this DPA.
- The parties agree that Customer may Process the Personal Data for its own purposes, which may include providing services for the benefit of other platforms and clients, to the extent set forth in the Data License Agreement or other agreements between the parties.
- Neither party shall have responsibility for Processing special categories of personal data, as referenced in Article 9 of the GDPR. Neither party shall provide the other with any special categories of personal data.
- CONTROLLER OBLIGATIONS
- Each party shall comply with all applicable laws, including Data Protection Laws.
- As further set forth herein, the parties agree that when either party acts as a Controller of Personal Data, it will fulfill all duties required of Controllers under the Data Protection Laws, including, without limitation (as applicable), with regard to determining the legal basis or bases for their collection or processing of Personal Data, providing sufficient notice to Data Subjects, appointing a data protection officer, managing and reporting Security Incidents, ensuring that rights of data subjects are honored, Transferring Personal Data, contracting with only those Processors that provide adequate protections for Personal Data, implementing required and appropriate contractual language in agreements with Processors and other Controllers, maintaining records of data processing, and conducting data protection impact assessments.
- Each party shall have the sole obligation (as between the parties) to receive and manage Data Subject requests regarding its Personal Data, including without limitation any request to access, correct, amend, restrict processing of, port, object to the Processing of, block or delete Personal Data. The party that was the recipient of the Data Subject request shall be responsible for responding to the Data Subject, provided that where applicable, and to the extent legally permitted, the parties shall provide each other with reasonable cooperation and assistance in relation to handling of a Data Subject’s request.
- PRIVACY POLICY DISCLOSURES
- Each party shall post a privacy notice on its website, mobile application, or where otherwise appropriate, that is in compliance with Data Protection Laws, reflects the nature of the relationship and Transfer of data between the parties, describes how data subjects may exercise their applicable rights (including as applicable a right to withdrawal of consent) and identifies a contact point for Data Subjects
- Customer shall authorize Provider to disclose Customer’s publicly available information, including but not limited to Customer’s business name and privacy policy (where applicable) to reflect the nature of the data Transfer relationship on Provider’s Trusted Partner List in compliance with Data Protection Laws.
- OBLIGATIONS SPECIFIC TO OBTAINING CONSENT FROM DATA SUBJECTS
- Provider may use mobile device identifiers and geolocation data (“Device Data”) to provide its services. Provider shall, and as applicable shall contractually require its data sources to, implement appropriate notice and consent mechanisms upon their digital properties so that Provider can capture applicable Personal Data lawfully through applicable mobile applications in order to perform its services under the Agreement, and engage in further commercially reasonable measures to ensure that such consent is obtained.
- Each party shall honour mobile opt-out signals it receives through (i) device settings (e.g., LMT=1); or (ii) in-app opt-out mechanisms (“Opt-Out Mechanism”), and Customer shall not knowingly collect or use for commercial purposes (except for purposes of honouring suppression) Device Data regarding any device that has opted out through an Opt-Out Mechanism.
- Upon the development of an industry standard in-app consent mechanism (such as an in-app consent mechanism developed by the Interactive Advertising Bureau (IAB)), each party shall make good faith efforts to deploy, list itself in, or otherwise comply with such mechanism and related consent standards. The parties shall cooperate in good faith regarding the deployment of any such mechanism.
- [RESERVED]
- SECURITY
- Each party will implement and maintain security measures for protection of the security, confidentiality and integrity of Personal Data, including all measures required pursuant to Article 32 of the GDPR.
- Pursuant to Article 28, Section 3(c) of the GDPR, each party will ensure (and contractually require) that any Processors with which it contracts take all measures required pursuant to Article 32 of the GDPR.
- Each party will immediately notify the other party if it becomes aware of any advance in technology and methods of working, which indicate the parties should adjust their security measures.
- Each party shall promptly notify the other party if it becomes aware of any Security Incident.
- Immediately following any Security Incident, the parties will co-ordinate with each other to investigate the matter. Each party will reasonably co-operate with other party in its handling of the matter.
- Each party will not inform any third party of any Security Incident without first obtaining the other party’s prior written consent, except when law or regulation requires it.
- TRANSFERS OF PERSONAL DATA
- To the extent the Processing of Personal Data involves a Transfer, including if Provider and Customer Transfer Personal Data through its affiliates, subcontractors or other third parties, and such Transfers of Personal Data originated from the European Economic Area (“EEA”), Switzerland or other countries or jurisdictions recognizing EU GDPR, each party represents and warrants that its Processing and/or Transfer of Personal Data does and will comply with the Standard Contract Clauses in Exhibit A for EU GDPR and with applicable Data Protection Laws.
- The provisions of Section 8.1 above are not applicable to the extent the Transfer is:
- to a recipient located in an EU member state of the EEA or Switzerland; or
- to a recipient covered by a binding adequacy determination by a competent authority with jurisdiction over either party, as applicable, (including the European Commission decisions on the adequacy of the protection of personal data in third countries); or
- subject to another approved Transfer mechanism that provides an adequate level of protection in accordance with Data Protection Laws, such as, without limitation, Binding Corporate Rules.
- To the extent the Processing of Personal Data involves a Transfer, including if Provider and Customer Transfer Personal Data through its affiliates, subcontractors or other third parties, and such Transfers of Personal Data originated from the United Kingdom, or other countries or jurisdictions recognizing UK GDPR, each party represents and warrants that its Processing and/or Transfer of Personal Data does and will comply with the Standard Contract Clauses in Exhibit B for UK GDPR and with applicable Data Protection Laws.
- The provisions of Section 8.3 above are not applicable to the extent the Transfer is:
- to a recipient located in the United Kingdom; or
- to a recipient covered by a binding adequacy determination by a competent authority with jurisdiction over either party, as applicable; or
- subject to another approved Transfer mechanism that provides an adequate level of protection in accordance with the UK Data Protection Laws, such as, without limitation, Binding Corporate Rules.
- In the event that the Standard Contractual Clauses of either Exhibit A or Exhibit B are amended, replaced or repealed by the applicable governing jurisdiction, the parties shall work together in good faith to enter into any updated version of the Exhibit A or Exhibit B, as the case may be, or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws.
- SUBCONTRACTING:
- Each party may appoint third party Processors to Process Personal Data for the purposes set forth herein or in the Agreement, provided that such Processors agree in writing to: (a) Process Personal Data in accordance with documented instructions; (b) implement appropriate technical and organisational security measures to protect the Personal Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Personal Data in a manner that will meet the requirements of applicable Data Protection Law and at least as protective as those set forth in the Standard Contract Clauses and all requirements under GDPR Article 28, including entering into agreements that incorporate Standard Contract Clauses where applicable.
- MISCELLANEOUS PROVISIONS
- Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
- This DPA takes effect as of the effective date referenced below and shall remain in effect during the existence of the Agreement. All provisions of the DPA will remain in force with respect to Personal Data that is transferred between the parties regardless of the existence of the Agreement as long as that data remains in the recipient’s possession in a form where it is considered Personal Data. Without prejudice the remedies as set forth elsewhere herein or in the Agreement, if either party violates this Agreement, the other is entitled to terminate this Agreement in its sole discretion and without any extra costs of expenses (provided any payments due and owing shall remain so).
- Customer and Provider each mutually represent and warrant that (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.
APPENDIX A TO EXHBIT B: DATA PROCESSING ADDENDUM FOR UK DATA
Standard Contractual Clauses – Controller to Controller
Standard contractual clauses for the transfer of personal data from the Community to third countries (Controller to Controller transfers) by and between Matchbook Data, LLC, P.O. Box 1724, Arlington, VA 22216 (hereinafter “Data exporter”) and the customer or licensee referenced in the Order Form to which the Data Processing Addendum is attached or which incorporates such Data Processing Addendum by reference (hereinafter “Data importer”).
Definitions
For the purposes of the clauses:
“personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
“the data exporter” shall mean the controller who transfers the personal data;
“the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
“clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.
1. Obligations of the data exporter:
The data exporter warrants and undertakes that:
a. The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
b. It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
c. It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
d. It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time
e. It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
2. Obligations of the data importer:
The data importer warrants and undertakes that:
a. It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
b. It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
c. It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
d. It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
e. It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
f. At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
g. Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
h. It will process the personal data in accordance with the data processing principles set forth in Annex A.
i. It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection.
3. Liability and third party rights
a. Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
b. The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
4. Law applicable to the clauses
These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.
5. Resolution of disputes with data subjects or the authority
a. In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
b. The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
c. Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.
6. Termination
a. In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
b. In the event that:
- the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
- compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
- the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
- a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
- a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
c. Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
d. The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
7. Variation of these clauses
The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.
8. Description of the Transfer
The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.
Annex A to Standard Contractual Clauses for UK Data
Data Processing Principles
- Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
- Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
- Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
- Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
- Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
- Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
- Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
(a)(i) such decisions are made by the data importer in entering into or performing a contract with the data subject, and
(ii) (the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties; or
(b) where otherwise provided by the law of the data exporter.
Annex B to Standard Contractual Clauses for UK Data
Description of the Transfer
Data Subjects: The personal data transferred may include the following categories of data subjects:
- End User of data exporter’s mobile applications or other properties
- End Users of data exporter’s customers’ mobile applications or other properties
Purposes of the Transfer(s): The transfer is made for the following purposes:
- The data exporter providing data importer with Precise Location Data, Relative Location Data, Unique Device Identifiers, Time and Date Information, IP Addresses, and related information, to facilitate tracking for digital advertising and data analytics or other licensed use cases set forth in the underlying agreements between the parties.
Categories of Data: The personal data transferred concern the following categories of data:
- Precise Location Data
- Relative Location Data
- Unique Device Identifiers
- Time and Date Information
- IP Addresses
Recipients: The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- Transfer of personal data is limited to the data importer.
Sensitive Data: The personal data transferred concern the following categories of sensitive data
- Not applicable
Data Protection Registration Information of Data Exporter (where applicable):
- Not applicable
Additional useful information (storage limits and other relevant information):
- None
Contact Points for Data Protection Inquiries:
- Data Importer: Please see the information provided on the Order Form.
- Data Exporter: Data Protection Officer privacy@matchbookdata.com
UK Representative: ukrep@matchbookdata.com Alternatively, they can be reached by post (The DPO Centre Ltd, 50 Liverpool street, London, EC2M 7PY) or +44 (0) 203 797 6340. https://www.dpocentre.com/contact-us/
EXHIBIT C
Prohibited Parties
- AdvanResearch
- Agoop
- Anamoly
- Azira/Near.co/Ubermedia
- BabelStreet/LocateX
- Cuebiq
- Datastream
- DatastreamX/Quadrant.io
- Factual/Foursquare/Placed
- Freckle
- GeoComply Solutions Inc.
- GroundTruth/xAD
- Hands
- InLoco
- IP Info
- Lifesight
- Local Blox
- MaxMind
- Mobile Walla
- Mogean
- Narrative
- NinethDecimal/InMarket
- Neustar, Inc, (Neustar IP (Quoca))
- NYBSYS
- Obsidian Works
- PlaceIQ/Precise.ly
- Predic.io/Pickwell/Echo Analytics
- Qualia/ALC
- Reveal Mobile
- Safegraph/Veraset/Onemeta
- Skyhook
- Spur Intelligence
- Tamaco
- Twine/TrueData
- Unacast/Gracy/Venntel
- Venpath
Last Updated: September, 05 2024.