Data Protection Supplement for Data Processors and Subprocessors
Innovid and Company (as each such term is defined below) have entered into an agreement, order form, terms and conditions, statement of work or other contract for the provision of certain services (“Services”) by Company to Innovid (“Services Agreement”), including any data protection addendum, data processing addendum, data protection agreement or data processing agreement entered into in connection therewith (the “DPA”, and collectively with the Services Agreement, “Agreement”). This Data Protection Supplement (“Supplement”) is entered into between the Innovid entity set forth in the Agreement (“Innovid”) and the counterparty that entered into such Agreement (“Company”). This Supplement supplements and modifies the Agreement with regard to the Processing of Personal Information (as such terms are defined below). Capitalized terms used but not defined in this Supplement shall have the meanings assigned to them in the Agreement. In the event of a conflict between this Supplement and the Agreement, this Supplement shall prevail.
1. Definitions.
a. “Business” or “Controller” shall mean an entity that determines the purposes and means of Processing of Personal Information.
b. “Consumer” shall mean the individual to whom Personal Information relates.
c. “Innovid Data” means Personal Information in any form that is collected, generated, accessed, Processed or used for or in relation to the Services or the Agreement.
d. “Data Protection Laws” means any applicable laws, rules and regulations relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other Processing or Personal Information, including but not limited to the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act, (the “UCPA ”), EU 2016/679 General Data Protection Regulation (“GDPR”), and any similar laws including any amendments and any final implementing regulations to any of the foregoing that are in effect or that become effective on or after the effective date of this Supplement.
e. “Individual Rights Request” or “IRR” means a request from a Consumer for information, access or action with respect to Personal Information contained in the Innovid Data that, under Data Protection Laws, requires a response from either or both of the Controller and the Processer with respect to such Personal Information.
f. “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a Consumer or household, or as otherwise defined by Data Protection Laws, including any equivalent terminology such as “Personal Data” or “Personally Identifiable Information”.
g. “Process” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information.
h. “Service Provider” or “Processor” shall mean an entity that Processes Personal Information on behalf of a Business or Controller.
i. “Sell”, “Selling”, “Share” and “Sharing” shall have the meanings assigned to them in Data Protection Laws.
2. Role of the Parties; Compliance with Laws. With regard to Innovid Data: (i) Company is a Service Provider and Processor, and (ii) Innovid is either (1) a Business and a Controller, or (2) a Service Provider and a Processor, as applicable depending on the nature of the Personal Information contained in the Innovid Data. Each party will comply with its obligations under Data Protection Laws.
3. Innovid’s Rights. Upon Innovid’s reasonable request, Company will make available such information in Company’s possession as is reasonably necessary for Innovid to conduct and document data protection assessments in accordance with Data Protection Laws. Innovid will have the right to: (i) take reasonable and appropriate steps to help ensure that Company uses Innovid Data in a manner consistent with Company’s obligations under and as required by Data Protection Laws, and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Innovid Data under and as required by applicable Data Protection Laws.
4. Company Obligations. Company will notify Innovid if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Company will Process Innovid Data for the sole purpose of providing to Innovid the Services set forth in the Agreement and in accordance with Innovid’s instructions set forth in the Agreement or in writing. Company shall provide at least the level of privacy protection for Innovid Data as those required under Data Protection Laws and the Agreement. Company acknowledges and confirms that it does not receive any Innovid Data as consideration for any Services or other items provided to Innovid. Without limiting the foregoing, Company is prohibited from: (i) Selling Innovid Data or otherwise making Innovid Data available to any third party for monetary or other valuable consideration; (ii) Sharing Innovid Data with any third party for cross-context behavioral advertising; (iii) retaining, using, or disclosing Innovid Data for any purpose other than for the business purposes specified in the Agreement; (iv) retaining, using, or disclosing Innovid Data outside of the direct business relationship between the parties; (v) unless expressly permitted under Data Protection Laws, combining Innovid Data with other information that Company receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer. Company agrees to refrain from taking any action that would cause any transfers of Innovid Data to or from Company, or to or from any of Company’s personnel or sub-processors, to qualify as “Selling” or “Sharing” any Personal Information under any Data Protection Laws. Company hereby certifies that it understands the restrictions in the applicable Data Protection Laws and will comply with them.
5. Transfers. In the event that the Services or activities under the Agreement involve transfers of Personal Information from the EEA and/or UK to a country that is not the beneficiary of an adequacy decision under applicable European Data Protection Laws, such transfers shall be governed as follows:
(a) for EEA Personal Information, by the unchanged version of the standard contractual clauses as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN) (the “EU SCC”). Clause 7 (Docking Clause), but not the option under Clause 11 (independent dispute resolution) of the EU SCC, shall apply; (ii) for data subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”). The applicable Module in the EU SCC and UK Addendum shall be deemed selected based upon the parties’ respective roles in accordance with Section 2 of this Supplement. For purposes of the EU SCC and the UK Addendum, Innovid is the “exporter”, and Company is the “importer”. The EU SCC and if applicable the UK Addendum shall be incorporated into this Supplement by reference and form an integral part of this Supplement. The information required by the Annexes in the EU SCC and by the UK Addendum is deemed completed by reference to the information set forth in the Agreement.
(d) if terms in this Agreement are inconsistent with the terms of the EU SCC or the UK Addendum, the terms of the EU SCC or UK Addendum as applicable shall prevail.
6. Sub-Processors. Company may engage a third party to act as a sub-processor for Innovid Data provided that Company gives Innovid not less than thirty (30) days prior written notice of any new sub-processor and provides Innovid with the opportunity to object to the engagement, and provided in any event that: (i) Company remains responsible for its sub-processors’ compliance with this Supplement and the Agreement, and (ii) the engagement is pursuant to a written contract that requires the sub-processor to meet the obligations of Company under this Supplement and the Agreement with respect to Innovid Data.
7. Data Security. Company shall implement and maintain reasonable security procedures, practices, and controls appropriate based on the nature of the information, designed to protect Innovid Data from unauthorized access, disclosure or destruction. Company will provide the notifications and assistance to Innovid as required by the data breach provisions of Data Protection Laws. Innovid may monitor Company’s compliance with this Supplement through measures Including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.
8. Individual Rights Requests. If Company receives an IRR from a Consumer related to the Consumer’s Personal Information contained in the Innovid Data, Company shall notify Innovid of the receipt of such IRR within two (2) business days and will reasonably cooperate with Innovid to promptly comply with such IRR in accordance with and to the extent required under Data Protection Law.
9. Termination and Survival; Jurisdiction and Venue; Limitation of Liability. This Supplement and all provisions herein shall survive so long as, and to the extent that, Company Processes or retains Innovid Data. The choice of law and jurisdiction as set forth in the Agreement apply to this Supplement.