EXHIBIT B1 – ANIVIEW CUSTOMER DATA PROTECTION ADDENDUM
AniView Ltd., an Israeli company, and its subsidiaries (“Company”) and the legal entity detailed below (“Customer”) who entered into a binding agreement for the provision of the services (“Services”), whether under an executed agreement signed between the parties hereto or under the Aniview Marketplace Service Terms, and as amended from time to time (the “Agreement”), are agreeing to these Data Protection Terms (“DPA”). This DPA is entered into by Company and Customer and supplements the Agreement. This DPA will be effective, and will replace any previously applicable terms relating to the subject matter hereof, from the Terms Effective Date.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
- 1.1 This DPA reflect the parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
- 1.2 Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.
- 1.3 In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than those under this DPA, the Data Protection Laws shall prevail.
2. Definitions and Interpretation
- 1.1 In this DPA:
- (a) “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
- (b) “Data Protection Laws” means, as applicable, any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
- (c) “Cross Advertising” means the collection of data through websites or applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected.
- (d) “Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Services.
- (e) “Customer Properties” means the websites, mobile applications and/or other digital media properties owned or operated by the Customer or its Customer clients, on which the Services are deployed.
- (f) “Relevant Privacy Requirements” mean all (i) applicable SRPs, laws, governmental regulations and court or government agency orders and decrees relating in any manner to the collection, use or dissemination of information from or about users, user traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications (including any applicable Data Protection Laws); (ii) posted privacy policies; and (iii) for mobile applications, the terms of service for the applicable mobile operating system.
- (g) “SRPs” mean the rules and self-regulatory principles of the European Interactive Digital Advertising Alliance (“EDAA”).
- (h) “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data breach will comprise a Security Incident
- (i) “Terms Effective Date” means 25 May 2018.
- (j) “Tracking Technologies” means cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.
- (k) The terms “controller”, “data subjects”, “personal data”, “processing” and “processor” as used in this have the meanings given in the GDPR.
- (l) Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Application of this DPA
This DPA will only apply to the extent all of the following conditions are met:
- 3.1 Company processes Personal Data that is made available by the Customer in connection with the Agreement;
- 3.2 The Data Protection Laws apply to the processing of Personal Data.
4. Company Responsibilities
- 4.1 Notwithstanding anything to the contrary in this DPA, it is hereby clarified that:
- 4.1.1 Company and Customer enter into this DPA as the deployment of the Services may involve the transmission of certain Personal Data (such as IP addresses, online identifiers or location data), relating to the Customer’s end users, to the Company’s upstream demand partners (such as ad agencies and/or fraud prevention services; collectively “<strongpartners< strong=””>”).</strongpartners<>
- 4.1.2 Company shall take commercial reasonable efforts (including through the use of contractual arrangements) to ensure that the Partners comply with applicable Data Protection Laws;
5. Roles and Restrictions on Processing
- 5.1 Independent Controllers. Each party:
- (a) is an independent controller of Personal Data under the Data Protection Laws;
- (b) will individually determine the purposes and means of its processing of Personal Data; and
- (c) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
- 5.2 Sharing of Personal Data. In performing its obligations under the Agreement, a party may provide Personal Data to the other party. Each party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the parties, provided such processing strictly complies with (a) Data Protection Laws, (b) Relevant Privacy Requirements, and (c) its obligations under this DPA (the “Permitted Purposes”). Each Party shall not share any Personal Data with the other Party (i) that allows data subjects to be directly identified (for example by reference to their name and e-mail address); (ii) that contains Personal Data relating to children under 16 years.
- 5.4 Obtaining Consent: With respect to processing Personal Data for Cross Advertising and/or in connection with collection of precise geo-location data, Customer represents and warrants that: (a) it shall obtain, or contractually obligate its relevant Customer client to obtain, all necessary permissions and valid consents from the relevant data subjects on behalf of Customer and applicable Partners in accordance with the Relevant Privacy Requirements to lawfully permit Company and all applicable Partners to collect, process and share personal data via the Services for the purposes contemplated by the Agreement (including this DPA), deploy Tracking Technologies in order to collect Personal Data in connection with the performance of the Services; and (b) it shall, or contractually obligate its relevant Customer client to, at all times maintain and make operational on the Customer Properties: (i) a mechanism for obtaining such consent from data subjects in accordance with the requirements of the Relevant Privacy Requirements; and (ii) a mechanism for data subjects to withdraw such consent (opt-out) in accordance with the Relevant Privacy Requirements. Customer shall maintain, or contractually obligate its Customer clients to maintain, a record of: (i) all consents obtained from data subjects, and (ii) all withdrawals of consent by data subjects, all as required by Relevant Privacy Requirements.
6. Personal Data Transfers
- 6.1 Transfers of Personal Data Out of the European Economic Area. Either party may transfer Personal Data outside the European Economic Area if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Laws (such as through the use of model clauses or transfer of Personal Data to jurisdictions that have adequate legal protections for data, as determined by the European Commission).
7. Protection of Personal Data.
- 7.1 To the extent applicable to their processing activities, the parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both parties shall implement appropriate technical and organizational measures to protect the Personal Data. In the event that a party suffers a confirmed Security Incident, each party shall notify the other party without undue delay and the parties shall cooperate in good faith to agree on such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
- 8.1 Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws).
- 9.1 If there is any conflict or inconsistency between the terms of this DPA and of the Agreement then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
10. Changes to this DPA.
- 10.1 Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company.
- 10.2 Notification of Changes. If Company intends to change this DPA and such change will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days before the change will take effect.