DATA PROCESSING AGREEMENT – PUBLISHER
THIS DATA PROCESSING AGREEMENT (“DPA”) forms part of the Platform Provider Agreement (“Agreement”) between Subset Digital Pvt Ltd, or any other entity that directly or indirectly controls, is controlled by, or is under common control with Subset Digital Pvt Ltd (“Subset Digital”), and Publisher (collectively the “Parties”), whereby Subset Digital will use commercially reasonable efforts to provide its digital advertising services to Publisher (the “Services”).
This DPA reflects the Parties’ responsibilities and obligations regarding the terms governing the processing of Personal Data during the performance of the Agreement. This DPA is incorporated into the Agreement and is subject to its terms and conditions. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail. This DPA shall remain effective for the Services Period established under the Agreement. Any capitalized terms not defined herein shall have the meanings assigned to them in the Agreement.
1. DEFINITIONS
Data Controller means the entity that determines the purposes and means of the Processing of Personal Data.
Data Processor means the entity that Processes Personal Data on behalf of the Data Controller.
Data Protection Laws means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
Data Subject means the individual to whom Personal Data relates.
Personal Data means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include, but are not limited to: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser-generated data, and online identifiers of end users of digital properties.
Processing means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, blocking, erasure, or destruction (“Process,” “Processes,” and “Processed” shall have the same meaning).
Security Breach has the meaning set forth in Section 7 of this DPA.
Sub-processor means any entity engaged by Subset Digital to Process Personal Data in connection with the Services.
TOMs (Technical and Organizational Measures) means the measures defined in Article 32 of the General Data Protection Regulation (GDPR).
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Publisher is the Controller and Subset Digital is the Data Processor.
2.2 Publisher’s Processing of Personal Data. Publisher shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with applicable Data Protection Laws. Publisher is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which such data was obtained. If Subset Digital becomes aware that any of Publisher’s instructions conflict with Data Protection Laws, it shall inform Publisher.
2.3 Subset Digital’s Processing of Personal Data. As Publisher’s Processor, Subset Digital shall only Process Personal Data for:
(i) providing the Services in accordance with the Agreement; and
(ii) complying with other reasonable instructions of Publisher consistent with the Agreement.
Subset Digital shall Process Personal Data in accordance with Data Protection Laws and the instructions of Publisher that comply with such laws.
2.4 Appointment of Sub-processors. Subset Digital may engage sub-processors for providing the Services. A list of sub-processors will be maintained and made available upon request. Subset Digital will notify Publisher before appointing new sub-processors, allowing Publisher to object within a reasonable period. Each Sub-processor shall agree in writing to:
(a) process Data according to documented instructions;
(b) implement appropriate TOMs; and
(c) provide sufficient guarantees to meet Data Protection Law requirements.
3. RIGHTS OF DATA SUBJECTS
Subset Digital shall, to the extent legally permitted, notify Publisher if it receives a request from a Data Subject to exercise their rights (access, rectification, restriction, erasure, portability, objection, or automated decision-making). If Publisher cannot act independently, Subset Digital shall assist as reasonably possible. Publisher is responsible for costs arising from such assistance.
4. SUBSET DIGITAL PERSONNEL
Subset Digital shall ensure that all personnel engaged in Processing Personal Data are informed of its confidential nature, trained appropriately, and bound by confidentiality obligations. Access will be limited to personnel who require it to fulfill obligations under the Agreement.
5. SECURITY
5.1 Controls for Protection. Subset Digital shall maintain appropriate TOMs to ensure the security, integrity, and confidentiality of Personal Data and prevent unauthorized Processing, destruction, or disclosure.
5.2 Certifications and Audits. Subset Digital may obtain third-party certifications or audits to verify compliance. Upon reasonable request, Subset Digital shall provide verification of such certifications or audit reports to Publisher.
6. AUDIT RIGHTS
Publisher may request one audit per year, as required under applicable laws. Publisher shall reimburse Subset Digital for time and resources expended. Both Parties shall agree on scope, timing, and cost before commencement. Any non-compliance identified shall be addressed by Subset Digital using commercially reasonable efforts.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 Incident Management. If Subset Digital becomes aware of a Security Breach involving Personal Data, it will:
(i) notify Publisher promptly;
(ii) investigate and share relevant details; and
(iii) take all reasonable steps to mitigate any damage.
7.2 Notification. Notifications will be sent to Publisher’s designated contact(s). Publisher must ensure accurate contact information is maintained with Subset Digital at all times.
8. RETURN AND DELETION OF PERSONAL DATA
Upon termination of Services, Subset Digital shall, upon Publisher’s request, return or securely delete all Personal Data, unless retention is required by law. Publisher must promptly remove all Subset Digital tags or code following termination. Failure to do so may result in Publisher’s liability for any resulting damages.
9. LIMITATION OF LIABILITY
Each Party’s aggregate liability arising out of or related to this DPA shall be subject to the “Limitation of Liability” section of the Agreement. The total liability of each Party and its Affiliates shall not exceed the aggregate liability under the Agreement and all associated DPAs combined.
10. LEGALLY REQUIRED DISCLOSURES
Except as required by law, Subset Digital shall promptly notify Publisher of any legal or governmental demand (e.g., subpoena or court order) concerning the Processing of Personal Data. Subset Digital shall provide available information and reasonable assistance to enable Publisher to respond.
11. SECURITY
Subset Digital shall maintain administrative, physical, and technical safeguards designed to ensure the security, confidentiality, and integrity of Personal Data, following industry best practices.
12. PARTIES TO THIS DPA
This DPA confers no rights or benefits on any third party other than the Parties hereto.
13. LEGAL AUTHORITY
Both Parties represent and warrant that the individuals signing this DPA have legal authority to bind their respective entities and perform the obligations set forth herein. The governing law and jurisdiction clause of the Master Agreement shall apply to any disputes arising from this DPA.
14. ENTIRE AGREEMENT; AMENDMENT; SEVERABILITY
This DPA constitutes the entire agreement between the Parties concerning its subject matter and supersedes all prior agreements. Any modification must be in writing and signed by both Parties. If any provision is found invalid or unenforceable, it shall be adjusted to the minimum extent necessary to remain valid, and the remainder of the DPA shall continue in full force and effect.