Online Data Processing Agreement

This Data Processing Addendum (“DPA“) supplements any associated services agreements or insertion orders (the “Agreement“) agreed between Captify Technologies Limited, of 5 Langley Street, London, WC2H 9JA (“Captify“) and the party identified in the Agreement (“you“, or the “Controller“) into which this DPA is incorporated by reference.

1. In this DPA, the following terms shall have the following meanings:

“controller“, “processor“, “data subject” and “processing” (and “process“) shall have the meanings given in European Data Protection Law; and

“Applicable Data Protection Law” means all international, national, state, or local data protection and privacy laws and regulations applicable to the personal data in question, including, where in force and applicable to a party’s activities under the Agreement: (i) European Data Protection Law, (ii) UK Data Protection Law, and (iii) any Jurisdiction Specific Terms, as set out in Appendix C.  

“European Data Protection Law” means (i) all EU regulations applicable (to the processing of personal data (such as Regulation (EU) 2016/679 (the “GDPR“)), (ii) the national laws of each EEA member state implementing any EU directive applicable to the processing of personal data (such as Directive 2002/58/EC (the “e-Privacy Directive“)), and (iii) any other national laws of each EEA member state applicable to the processing of personal data; in each case, as may be amended, superseded or replaced.

“personal data” means any data protected under Applicable Data Protection Law, and includes data designated as “personal data”, “personal information”, “personally identifiable information”, or similar terms.

“UK Data Protection Law” means (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“), (ii) the Data Protection Act 2018 (the “DPA 2018“), (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 (“PECR“); in each case, as may be amended, superseded or replaced from time to time.  

 2. In performing its obligations under the Agreement, Captify may receive and process on behalf of Controller certain personal data of Controller’s customers or potential customers (or if Controller is an agency, those of Controller’s advertiser clients), together “Users“. This DPA relates to the processing activities detailed in the relevant Agreement.

 3. Controller must only provide personal data to Captify in compliance with all Applicable Data Protection Law. 

4. Controller shall ensure that it has a valid legal basis to process and provide such personal data to Captify for the specified purpose, including all necessary consents for storage of, or access to, pixels, cookies or similar technologies or information on any user’s device. Controller shall indemnify Captify in relation to any claims, loss, damage, costs and expenses caused to Captify by Controller’s breach of Applicable Data Protection Law and/or this provision. Controller will list Captify as a recipient of personal data in any consent tool and user information applicable to the personal data.

5. Captify will only process personal data on behalf of Controller and in accordance with Controller’s documented instructions. Captify will inform Controller if, in Captify’s opinion, any such instructions may infringe Applicable Data Protection Law. Captify will not be required to combine such personal data with any additional data, e.g. search data, that Captify may hold in relation to the same data subject for other purposes.

6. Captify shall:

a) have in place appropriate technical and organisational measures (as described in Appendix B) to safeguard the personal data against accidental or unlawful destruction, alteration, loss, access, unauthorised disclosure or any other unlawful forms of processing (a “Security Incident“);

b) notify Controller as soon as practicable of any Security Incident affecting any User personal data;

c) ensure that its staff are required to keep User personal data confidential; and

d) only engage subprocessors who will process User personal data (“Subprocessors“) in accordance with Applicable Data Protection Law. Captify’s list of Subprocessors can be provided on request.

7. Controller consents to Captify engaging third party subprocessors as set out in Section 6(d). Controller may object to the use of any new or replacement subprocessor provided such objection is based on reasonable grounds relating to data protection. In such event, Captify will either not appoint or replace the subprocessor or, if this is not possible, Controller may suspend or terminate the Agreement (without prejudice to any fees incurred by Controller prior to suspension or termination).

8. Captify shall cooperate with Controller:

a) in enabling data subjects to exercise their legal rights under Applicable Data Protection Law. Where Captify cannot identify the Controller from a data subject request, Captify may respond to, and deal with, the data subject request as if Captify is the controller;

b) to assist with compliance with Controller’s data processing obligations, including in relation to security measures and Security Incidents, and where required for the performance of Controller’s data protection impact assessments or prior consultations required to be made to competent authorities; and

c) if Captify or Controller receives an inquiry, subpoena or request for personal data, information, inspection or audit from a competent authority, relating to the processing (except where a party is prohibited by law from disclosing the request to the other party).

9. Captify shall not transfer the personal data to (nor permit the personal data to be processed in or from) a country outside of Europe unless it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. For the purpose of this clause, “Europe” means (i) the European Economic Area, and (ii) the United Kingdom. Notwithstanding this, Controller consents to Captify transferring the personal data to a recipient in a country that the European Commission (or, for transfers from the UK, the Secretary of State) has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission (or, for transfers from the UK, the Secretary of State), which are incorporated herein by reference and which may be amended or superseded from time to time.

 10. To the extent Captify processes User personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Appendix C, then the terms specified in Appendix C with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.

 11. Upon Controller’s request, or at the termination or expiry of the Agreement, Captify shall at Controller’s option delete or return all personal data (unless required to retain it under Applicable Data Protection Law).

 12. Upon Controller’s written request, Captify shall (i) provide written responses (on a confidential basis) to all reasonable requests for information made by Controller related to its processing of User personal data, including responses to information security and audit questionnaires that are necessary to confirm Captify’s compliance with this DPA; or where written responses would be insufficient (ii) cooperate with audits conducted by or on behalf of the Controller, upon reasonable prior written notice, limited to Users’ personal data, and without disrupting Captify’s other business. Controller shall not exercise its rights under this section more than once in any 12 month rolling period, unless required by Applicable Data Protection Law or order of a competent data protection supervisory authority, or immediately following a Security Incident.

 13. Captify’s total liability arising out of or in relation to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference to liability means the aggregate liability under and in connection with the Agreement and this DPA together.

 14. This DPA is incorporated into the Agreement and, except as expressly modified and supplemented by this DPA, the Agreement shall continue in full force and effect. In case of any conflict or ambiguity between any terms of this DPA and the Agreement, the term in this DPA will take precedence.

APPENDIX A: Data Processing Description

This Appendix A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

Controller

The controller is (please specify briefly the controller’s activities relevant to the processing):

A client of Captify and user of the services referred to in the Agreement.

Processor

The processor is (please specify briefly the processor’s activities relevant to the processing):

Captify Technologies Ltd (or the relevant Captify entity which is party to the Agreement). Captify provides services for the Controller as referred to in the Agreement. 

Data subjects

Users as referred to in the Agreement

Categories of data

Data from searches made by Users, which may include:

COOKIE DATA (desktop web and mobile web)

Cookie ID (AppNexus or DBM ID) = “7832112024900048695“

User_agent = “Mozilla/5.0 (Linux; U; Android 4.4.2; en-gb; SM-T210 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30“

Timestamp = “2017-11-16 02:00:52”

Page_url = “http://www.imdb.com/find?ref_=nv_sr_fn&q=alien&s=all”

Referrer = “http://search.bt.com/result?p=test&y=&pr=dp”

IP Address (last octet can be removed/hashed)= “255.255.255.0”

MOBILE ADVERTISING ID DATA (MAID)

adid = “1F31480F-133C-4610-BCFD-69762AA1117C”;

aname = “com.captify.CPLoggerExample”;

contype = WiFi;

dev = “Iphone of john”;

did = “74E2C427-A8BE-484E-A54E-5A5303AB03C2”;

kw = Search Term;

lat = “37.785834”;

long = “-122.406417”;

os = iOS;

osver = “11.0”;

time = “2017-10-12 17:57:27”;

uid = 123456;

“wifi_ip” = “192.168.205.60”

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):

N/A. Controller shall not transfer to Captify any special categories of data.

Processing operations

The transfer is made for the following purposes:

•   Display of Impressions to Users
•   Provision of services to customers (e.g. measurement / reporting / planning / activation / data classification / User classification)
•   Product development