GDPR DPA
Last updated: July 22, 2025
This GDPR DPA supplements and forms part of the DPA and governs the Processing of Personal Data by Parties subject to European Data Protection Law for the Processing Purposes defined herein. Capitalized terms not defined herein shall have the meanings set forth in the Agreement including the DPA.
This GDPR DPA consists of these general terms (the “GDPR General Terms”) and the Schedules listed below (each “GDPR DPA Schedule”) each of which are part of the GDPR DPA as applicable.
- GDPR DPA Schedule A: Joint Controller Addendum (JCA)
- GDPR DPA Schedule B: Processor Addendum
- GDPR DPA Schedule C: Restricted Transfer Addendum
Section 1. Roles
1.1 The Parties are Joint Controllers for the initial collection and transfer of Personal Data from Publisher to Adagio. Following such transfer, the Parties may continue to act as Joint Controllers or Adagio may act as an independent Controller or as a Processor to Publisher as set forth in Section 2 below.
1.2 The Joint Controller Addendum applies when the Parties act as Joint Controllers and the Processor Addendum applies when Adagio acts as a Processor. For any data processing activities that fall outside the scope of both the Joint Processing and the Processor activities defined herein, each Party acts as an independent Controller and shall independently comply with its obligations under European Data Protection Law and the Agreement.
1.3 Under this GDPR DPA, references to the “Controller Services” are where Adagio acts as a Controller and the “Processor Services” are where Adagio acts as a Processor, each as designated below.
Section 2. Processing Purposes
The TCF Processing Purposes are necessary for Publisher’s use of the Adagio Platform (including the SSP and Prebid Server) and Adagio’s provision of services to Publisher under the Agreement.
| TCF Processing Purposes | Joint data processing for Publisher’s initial collection and transfer of Personal Data from Publisher to Adagio | Adagio’s role for subsequent data processing activities following the transfer of Personal Data from Publisher to Adagio |
|---|---|---|
| Store and/or access information on a device (TCF Purpose 1) | Yes | Independent Controller |
| Use limited data to select advertising (TCF Purpose 2) | Yes | Processor |
| Create profiles for personalized advertising (TCF Purpose 3) | Yes | Independent Controller |
| Use profiles to select personalized advertising (TCF Purpose 4) | Yes | Independent Controller |
| Measure advertising performance (TCF Purpose 7) | Yes | Independent Controller |
| Measure content performance (TCF Purpose 8) | Yes | Independent Controller |
| Develop and improve services (TCF Purpose 10) | Yes | Independent Controller |
| Ensure security, detect fraud, and fix errors (TCF Special Purpose 1) | Yes | Independent Controller |
| Deliver and present advertising and content (IAB Special Purpose 2) | Yes | Processor |
| Save and communicate privacy choices (IAB Special Purpose 3) | Joint Controller with Publisher and IAB Europe in accordance with IAB TCF policies | Processor |
Section 3. Disclosing Party's Obligations.
Disclosing Party shall (in addition to its other obligations under the DPA and European Data Protection Law:
3.1. Communicate to Receiving Party any rectification or erasure of personal data or restriction of Processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR / UK GDPR unless this proves impossible or involves disproportionate effort.
3.2. Communicate to Receiving Party any withdrawal of consent (Art. 7 (3) GDPR / UK GDPR) in relation to Personal Data which has been disclosed to Receiving Party.
3.3. Not transfer any Sensitive Personal Data (Art. 9 GDPR / UK GDPR) to Receiving Party unless explicitly authorized in writing and with appropriate safeguards in place as required by applicable law.