This Data Protection Addendum for Publishers (“DPA
”) is incorporated into and is subject to the Marzipan Terms of Service for Publishers available at http://madex.world/terms-of-service/
or other applicable offline agreement (the “Agreement
”) between SUR IT MARZIPAN UNLOOSEN CUTS LTD Cyprus company (even if the Principal Agreement is with a different Marzipan Affiliate) (“Marzipan
”) and Publisher (“User
”). To the extent you are using the Services, you shall be deemed to have accepted this DPA upon acceptance or execution of the applicable Agreement.1. SCOPE
- The Parties agree to enter into this DPA for the purposes of ensuring compliance with applicable Data Protection Laws. User enters into this DPA on behalf of itself and on behalf of its authorized Affiliates. Marzipan may receive Personal Data through User’s use of the Services and, in consideration of the mutual obligations set out herein, the Parties agree to comply with the following provisions with respect to any Personal Data processed through the Services. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In addition to the terms defined in the Agreement and above, the following terms shall have the following meanings for the purposes of this DPA:
3. DATA PROCESSING; INDEPENDENT CONTROLLERS
- “Adequate Jurisdiction” means a country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as determined by the European Commission in the case that GDPR applies, and as determined by the UK Information Commissioner’s Office in the case that the UK GDPR applies.
- “Affiliates” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.
- “Approved Addendum” means the template addendum (version B.1.0) issued by the United Kingdom International Commissioner’s Office (ICO) and laid before the United Kingdom Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of such addendum.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal Civ. Code §1798.100 et seq., and all implementing regulations, as amended from time to time, such as by the California Privacy Rights Act of 2020 (“CPRA”).
- “Data Protection Laws” means EU Data Protection Law, the CCPA, the Brazilian General Personal Data Protection Law, No. 13,709/2018 (the “LGPD”), and any other legislation protecting natural persons’ right to privacy with regard to the processing of Personal Data to the extent applicable to a Party’s Processing of Personal Data under the Services.
- “Data Subject Rights” means the rights granted to Data Subjects under Data Protection Laws.
- “EU Data Protection Law” means the GDPR, the e-Privacy Directive and national implementing legislation and the Swiss Federal Data Protection Act.
- “GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“EU GDPR”) and, where applicable, the “UK GDPR” as defined in the Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019.
- “Member State” means a member state of the European Economic Area, together with Switzerland and the United Kingdom.
- “SCCs” means (a) with respect to data transfers from the European Union to third countries that are not deemed adequate jurisdiction by the European Commission, Module 1 (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “EU SCCs”); (b) with respect to data transfers from the United Kingdom, Module 1 (controller to controller) of the EU SCCs as further amended by Part 2: Mandatory Clauses of the Approved Addendum (the “UK Mandatory Clauses”), together with any other necessary conforming changes to the EU SCCs (collectively, the “UK SCCs”); and (c) any updated, revised, or separate clauses relating to data transfer requirements of the GDPR issued from time to time by the European Commission, UK Information Commissioner’s Office, any other applicable data protection authority, or other body with competent authority and jurisdiction.
- “Shared Personal Data” means Personal Data Processed by a Party to the extent such Party received that Personal Data from the other Party (that other party, the “Sharing Party” under this definition) in connection with the performance of the Agreement. For the avoidance of doubt, a Party is also deemed to “receive” Personal Data from a Sharing Party where the Sharing Party grants access to such Personal Data to the receiving Party.
- “Transparency Notices” has the meaning given to it in clause 3.2(a).
- The terms “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data,” shall have the meanings given in EU Data Protection Law. To the extent Data Protection Laws use different terms to cover concepts similar to those covered under the aforementioned bold terms in this Section 2.13, then “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data” shall have the meaning assigned to those different terms under such Data Protection Laws.
1) each Party shall provide all applicable notices to Data Subjects as required under Data Protection Laws for the lawful Processing by it of Shared Personal Data (“Transparency Notices“). User shall disclose its use of the Services and how Marzipan Processes Personal Data in its Transparency Notices. For example, for Users that have embedded Marzipan advertising Services in their mobile applications, this can be done by including the following language in the User’s Transparency Notices: “We work with Marzipan to deliver ads in our mobile application. For more information about Marzipan’s collection and use of your information visit: https://Marzipan.world/privacy-policy;2) each Party shall provide all required mechanisms for, and give effect to, applicable Data Subject Rights pursuant to Data Protection Laws and respond to inquiries by governmental authorities;3) neither Party shall Process the Shared Personal Data for any purpose other than as set out in its Transparency Notice and unless such Processing is also authorized under Data Protection Laws and the Agreement;4) each Party shall ensure that all of its employees engaged in the Processing of such Shared Personal Data act consistently with this DPA;5) each Party shall implement technical and organisational security measures to prevent (i) the accidental, unlawful, or unauthorized destruction, loss, alteration, or disclosure of, or access to, Shared Personal Data or (ii) any other security incident that amounts to a “personal data breach” (as such term or similar term, such as “breach of the security system” or “data breach,” is defined under Data Protection Laws) of Shared Personal Data (in either case of (i) and (ii), a “Data Breach”); and6) each Party agrees that any agreement with a subprocessor shall comply with the Data Protection Laws.
- Marzipan and User: (a) are independent Controllers with regard to the Shared Personal Data; and (b) will individually determine the purposes and means of its processing of Personal Data.
- Each Party shall, with respect to the Processing of any Shared Personal Data, comply with Data Protection Laws, including as follows:
3. Each Party shall in particular, unless prohibited under applicable law, notify the other without undue delay (i) of any requests to exercise Data Subject Rights received by that Party regarding the Shared Personal Data, to the extent such notices are required under Data Protection Law; (ii) about regulatory inquiries involving the Processing of Shared Personal Data, and (iii) any Data Breach involving the Shared Personal Data to the extent resulting in material destruction, loss, alteration, or disclosure of, or access to, that Shared Personal Data.
4. User represents and warrants it has provided (and shall maintain) all required notices and obtained all necessary permissions and consents required under the Data Protection Laws from the relevant Data Subjects on behalf of Marzipan to lawfully permit Marzipan to process Personal Data as contemplated in the Agreement.
5. Where consent is the lawful basis for processing Personal Data or otherwise required for the use of the Services, User represents and warrants that it shall, at all times, make available, maintain, and make operational on the User’s properties: (i) a mechanism for obtaining such consent from Data Subjects in accordance with the requirements of the Data Protection Laws; and (ii) a mechanism for Data Subjects to withdraw such consent (opt-out) in accordance with the Data Protection Laws.
6. With respect to the CCPA, (i) the Shared Personal Data is disclosed to Marzipan for the limited and specified purposes of enabling Marzipan (or its demand partners) to bid on advertising inventory, serve Advertisements in connection with the Services, and optimize the Services, as further set forth in Marzipan’s Transparency Notices; (ii) Marzipan shall comply with the CCPA, including by providing the same level of privacy protection as required of Businesses under the CCPA; (iii) User may take reasonable and appropriate steps to ensure that Marzipan Processes Shared Personal Data in a manner consistent with User’s obligations under the CCPA; (iv) Marzipan shall notify User promptly after Marzipan makes a determination that it can no longer meet its obligations under the CCPA; and (v) User may, upon notice, take reasonable and appropriate steps to stop and remediate the unauthorized Processing of Shared Personal Data.4. GENERAL
5. INTERNATIONAL TRANSFERS
- In the event of any conflict or discrepancy between the SCCs, the Agreement, and this DPA, the following order of precedence will apply: (i) the SCCs, (ii) this DPA, and (iii) the Agreement.
- This DPA does not alter the limitations of liability set out in the Agreement.
- This DPA will become effective on the date User has accepted the Agreement or the date on which the User started to use the Services. This DPA will terminate simultaneously and automatically upon the termination or expiration of the Agreement.
- To the extent required by Data Protection Law, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Agreement.
1. The Parties agree that the SCCs shall apply to the transfer of, including access to, Shared Personal Data:
1) in the case of a transfer from User to Marzipan, where the processing of the Shared Personal Data by the User is subject to EU Data Protection Law or the LGPD; or
2) in the case of a transfer from Marzipan to User, where:
- the User is not established in an Adequate Jurisdiction;
- the Processing of the Shared Personal Data is subject to EU Data Protection Law or the LGPD or Marzipan is otherwise contractually required to enter into the SCCs.
2. For the purposes of the SCCs:
1) Annex 1.A (List of Parties) shall be deemed to incorporate the information in Schedule I;
2) Annex 1.B (Description of Transfer) shall be deemed to incorporate the information in Schedule III;
3) Annex 1.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule II;
4) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule II;
5) The optional language within clause 7 of the SCCs does not apply;
6) The optional language within clause 11(a) of the SCCs does not apply;
7) Pursuant to clause 17, the SCCs will be governed by the laws of Ireland;
8) Pursuant to clause 18(b) of the SCCs, the Parties shall resolve disputes under the SCCs before the courts of Cyprus;
9) In relation to Table 4 referenced in the UK Mandatory Clauses, neither Party will be entitled to terminate the Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses; and
10) For data exporters established within Brazil (for purposes of transfers of Shared Personal Data under the LGPD), the SCCs shall be governed by the laws of the Federative Republic of Brazil. Further, for such transfers under the LGPD, the applicable Data Protection Law shall be understood as the LGPD and the supervisory authority is the National Data Protection Authority in Brazil (ANPD).