Adagio Data Protection Addendum

This Data Protection Addendum ("DPA") is part of the Agreement (defined below) and establishes the terms under which one party ("Disclosing Party") may share or disclose Personal Data with the other party ("Receiving Party") for the Processing Purposes defined herein, and how the Receiving Party may Process such Personal Data. This DPA supersedes all prior agreements between the Parties regarding data protection.  

This DPA consists of these general terms (the "DPA General Terms") and the Schedules listed below (each a "DPA Schedule") each of which are part of this DPA to the extent Personal Data processed by the Parties under the Agreement is subject to applicable Data Protection Laws in those jurisdictions.

• US DPA
• GDPR DPA

The terms in this DPA prevail over any conflicting provisions in the Agreement and an applicable DPA Schedule will control over conflicting terms in the DPA General Terms.

Section 1.  Definitions.  For purposes of this DPA, the following terms will have the meaning ascribed below:

1.1 "Agreement" means the Master Terms, this DPA, and any Order Forms between the Parties. 

1.2 "Consumer" means a "consumer," "data subject," or equivalents as defined under applicable Data Protection Laws.

1.3 "Data Breach" means any unauthorized acquisition or access to, or use, loss, or other disclosure of Personal Data, as such term or its equivalents is defined under applicable Data Protection Laws.

1.4 "Data Protection Laws" means all applicable international, federal, state, and local data protection and privacy laws, rules, directives, regulations, orders, decrees, judgments, and governmental requirements currently in effect, or as they become effective, to the extent they apply to Personal Data processed by a Party under the Agreement, including, as applicable, European Data Protection Law and the State Privacy Laws.

1.5 "Explicit Consent" means the consent required under applicable Data Protection Laws for processing Sensitive Data or for processing Personal Data for Secondary Purposes. 

1.6 "European Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; (v) Switzerland’s Federal Act of 25 September 2020 on Data Protection, and (vi) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of the foregoing, in each case as may be amended or superseded from time to time.

1.7 "Global Privacy Protocol" or "GPP" means the IAB’s industry framework for the sharing of consent, opt-out or other Consumer flags or signals, including the Transparency and Consent Framework ("TCF"), and applicable GPP signaling systems in the United States, Canada, or any other applicable territory, with technical specifications available at https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform.

1.8 "GDPR Countries" means countries subject to European Data Protection Law, including countries in the European Union, the European Economic Area, Switzerland, and the United Kingdom. 

1.9 "Minor’s Data" means data of individuals under eighteen (18) years of age subject to regulation under applicable Data Protection Laws as defined under such laws.

1.10 "Precise Location Data" has the meaning set forth in applicable Data Protection Laws. 

1.11 "Processing Purposes" means processing for the purposes of each Party’s performance under the Agreement as further defined in the DPA Schedules and as otherwise permitted by applicable Data Protection Laws. 

1.12 "Secondary Purposes" means new or different purposes other than the Processing Purposes defined herein as such term or its equivalents is defined under applicable Data Protection Laws.

1.13 "Sensitive Personal Data" means any data or information (including inferences) related to a Consumer defined as "sensitive personal data," "sensitive personal information," "special categories of data" or equivalents under applicable Data Protection Laws, including Minor’s Data and Precise Location Data.

1.14 "State Privacy Laws" has the meaning set forth in the US DPA. 

1.15 "Supervisory Authority" means the relevant regulatory authority under applicable Data Protection Laws.

1.16 "Controller", "Processor", "Personal Data" and "Process(-ing)" (or their analogous terms) shall have the meanings ascribed to them in the applicable Data Protection Laws.

Section 2.  Roles.

2.1. Each Party acts as a separate and independent Controller (or similar term under applicable Data Protection Laws) with respect to its own Processing activities, except as otherwise set forth in this DPA including in an applicable DPA Schedule. Each Party will comply with its responsibilities under applicable Data Protection Laws in respect of its Processing of Personal Data under the Agreement, including having in place appropriate physical, technical and organizational measures to protect the security of the Personal Data.

2.2. Each Party may engage or use Processors, provided that the arrangement with their Processors is governed by a written contract which includes terms that provide at least the same level of protection for Personal Data as those set out in this DPA and as required under applicable Data Protection Laws. Each Party shall remain responsible for the acts or omissions of its Processors as required by applicable Data Protection Laws.

Section 3.  Disclosing Party's Obligations.

3.1 Publisher will provide prominent notice at the point of data collection and obtain and transmit all Consumer choices required by applicable Data Protection Laws to permit each Party to Process Personal Data for the Processing Purposes, including Explicit Consent where required under applicable Data Protection Laws.

3.2 Adagio participates in TCF and complies with its Policies and Specifications. Publisher will implement the latest TCF specifications on all digital properties it uses to transmit Personal Data to Adagio and it will add Adagio as a vendor in TCF. For other jurisdictions where GPP functionality is available, Publisher agrees to integrate with the applicable GPP framework. Where required by applicable Data Protection Laws, Publisher will maintain mechanisms and technical signals to ensure Consumers have the ability to exercise their choices 

to opt-out of specific Processing Purposes as such purposes are defined under applicable Data Protection Laws.

 3.3 Publisher will ensure all Consumer choice signals transmitted to Adagio are operational and accurately transmit the Consumer’s choices to Adagio. Publisher will not disclose or make available to Adagio any Personal Data relating to Consumers who have opted-out of Processing for any particular Processing Purposes. 

3.4 Where the Disclosing Party is providing Personal Data originally collected by another Controller, the Disclosing Party will (i) contractually obligate such Controller to provide all notices and obtain and transmit Consumer permissions or consents, including Explicit Consents (to the extent applicable), required by relevant Data Protection Laws necessary to permit each Party to Process Personal Data for the Processing Purposes, and (ii) take reasonable steps to ensure such Controller’s compliance with such contractual obligations.

3.5 The Disclosing Party will take all reasonable steps to ensure that the Personal Data it shares with the Receiving Party is accurate, complete, relevant and up to date and will correct any errors in the relevant Personal Data as soon as practicable. The Disclosing Party further agrees to implement appropriate technical and organizational measures to ensure the security of Personal Data while in transit to the Receiving Party.

Section 4.  Receiving Party’s Obligations.

Receiving Party will only Process the Personal Data for the Processing Purposes. If the Receiving Party wishes to process the Personal Data for Secondary Purposes, it may do so provided it first does all such acts and things as are necessary to ensure that its proposed processing of the Personal Data for the Secondary Purposes fulfils the requirements of applicable Data Protection Law (including by obtaining any consents from data subjects, where necessary). Provided such requirements are met, such Secondary Purpose shall be deemed a Processing Purpose.

Section 5.  Each Party’s Obligations. 

5.1 Each Party will ensure the Personal Data it Processes under the Agreement is adequate, relevant and limited to what is necessary in relation to the Agreement and the Processing Purposes.

5.2 Each Party will maintain prominent and publicly accessible privacy notices on its digital properties that satisfies applicable Data Protection Laws and ensure such privacy notices disclose the means by which a Consumer can exercise its privacy rights under applicable Data Protection Laws.

5.3 Each Party will be separately responsible for responding to Consumer privacy requests. To the extent the Receiving Party receives a request relating to Processing performed by the Disclosing Party, the Disclosing Party shall provide such information and assistance as is reasonably necessary to the Receiving Party to enable the Receiving Party to respond to such request in accordance with applicable Data Protection Law. 

5.4 Where the relevant correspondence or requirements relates to the Processing conducted by the other Party, the Parties will reasonably cooperate with each other in relation to Consumer requests or complaints, inquiries or investigations conducted by any Supervisory Authority, or assistance needed to conduct data privacy impact assessments or other legally required risk assessments. 

5.5 Except as otherwise set forth in a DPA Schedule or as required by applicable Data Protection Laws, each Party shall be responsible for its own reporting and information obligations related to any Data Breach. 

5.6 When applicable Data Protection Laws have requirements relating to cross-border transfers of Personal Data, the Parties will comply with such requirements and will coordinate in good faith to take all necessary steps to facilitate compliance, including entering into supplemental contract terms if legally required.

5.7 Each Party agrees to notify the other Party if it believes it is unable to comply with the terms of this DPA or any applicable Data Protection Laws.

Section 6.  General.

6.1 Unless otherwise defined in applicable Data Protection Laws or this DPA, all capitalized terms used in the DPA will have the meanings ascribed to them in the Agreement. This DPA shall be interpreted in accordance with applicable Data Protection Laws as applied to Personal Data in the relevant jurisdiction.

6.2 This DPA does not prevent the Parties from agreeing on additional clauses or safeguards, provided they do not directly or indirectly contradict this DPA. Notwithstanding anything to the contrary in the Agreement, in the event any variation is required to this DPA as a result of a change in applicable Data Protection Laws, including any orders from a Supervisory Authority, Adagio may amend this DPA from time-to-time to ensure continued compliance with applicable Data Protection Laws or such orders. 

6.3 This DPA survives the termination of the Agreement (including any Order Form) for as long as Personal Data collected under the Agreement continues to be Processed by either Party.

Section 7.  Governing Law and Jurisdiction.

7.1 Except as otherwise required by applicable Data Protection Laws or as set forth herein, the governing law and jurisdiction shall be the same as set out in the Agreement, without regard to conflict of laws principles. 

7.2 Disputes or claims arising out of or relating to the processing of Personal Data are subject to:

7.2.1 any matter arising out of a State Privacy Law shall be governed by the laws of the applicable state, provided that the exclusive place of jurisdiction for all disputes arising out of or in connection with a State Privacy Law or U.S. federal law shall be the state or federal courts of New York County, New York;

7.2.2 any matter arising out of European Data Protection Law shall be governed by the governing law of, and disputes in connection therewith shall be subject to the exclusive jurisdiction of the courts of: (i) France, where Publisher is based in the GDPR Countries (excluding the United Kingdom); (ii) England and Wales, with courts located in London, where Publisher is based in the United Kingdom; and

7.2.3 any matter concerning applicable Data Protection Laws in the Asia Pacific area (APAC) shall be governed by the governing required by applicable Data Protection Laws, and disputes in connection therewith shall be subject to the exclusive jurisdiction of Singapore, should Publisher be based in the Asia Pacific region.

Section 8.  Liability.

To the fullest extent permitted by applicable Data Protection Laws, any claims brought in connection with this DPA (including its DPA Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.