Data Processing Agreement – Publisher

This Data Processing Agreement (“DPA”) forms part of the Platform Provider Agreement (“Agreement”) between Playstream Media or any other entity that directly or indirectly controls, is controlled by, or is under common control with Playstream Media (“Playstream”), and Publisher (collectively the “Parties”) whereby Playstream will use commercially reasonable efforts to provide its digital advertising services to Publisher (the “Services”).

This DPA reflects the Parties’ responsibilities and obligations with respect to the terms governing the processing of Personal Data during the performance of the Agreement. This DPA is incorporated into the Agreement and is subject to its terms and conditions. In the event of any conflict between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall take precedence. This DPA shall be effective for the Services Period established under the Agreement. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.

  1. Definitions
    1. Data Controller: The entity that determines the purposes and means of the Processing of Personal Data.
    2. Data Processor: The entity which Processes Personal Data on behalf of the Data Controller.
    3. Data Protection Laws: All laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
    4. Data Subject: The individual to whom Personal Data relates.
    5. Personal Data: Any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser-generated data, and online identifiers of the end users of digital properties.
    6. Processing: Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction (“Process”, “Processes”, and “Processed” shall have the same meaning).
    7. Security Breach: As set forth in Section 7 of this DPA.
    8. Sub-processor: Any entity engaged by Playstream to Process Personal Data in connection with the Services.
    9. TOMs: Technical and Organizational Measures, as defined in Article 32 of the GDPR.
  2. Processing of Personal Data
    1. Roles of the Parties
      The Parties acknowledge and agree that with regard to the Processing of Personal Data, Publisher is the Data Controller and Playstream is the Data Processor.
    2. Publisher’s Processing of Personal Data
      Publisher shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Laws. Publisher shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Publisher acquired Personal Data. If Playstream believes or becomes aware that any of Publisher’s instructions conflicts with any Data Protection Laws, Playstream shall inform Publisher.
    3. Playstream’s Processing of Personal Data
      As Publisher’s Processor, Playstream shall only Process Personal Data for the following purposes: (i) as required to provide the Services in accordance with the Agreement; and (ii) to comply with other reasonable instructions provided by Publisher that are consistent with the Agreement. Playstream acts on behalf of and on the instructions of Publisher. Playstream shall process Personal Data in accordance with Data Protection Laws.
    4. Appointment of Sub-processors
      Sub-processors may be retained by Playstream for the provision of Services. Publisher shall be notified in advance and may object to new Sub-processors. Playstream will provide Publisher with options to avoid the use of such Sub-processor, if reasonably feasible. Sub-processors must: (a) process data per documented instructions; (b) implement appropriate TOMs; and (c) offer guarantees of GDPR compliance. Publisher may request the list of active Sub-processors at any time.
  3. Rights of Data Subjects

    Data Subject Requests
    Playstream shall notify Publisher of any Data Subject Request (access, rectification, erasure, objection, etc.) and assist where legally permitted. If Publisher cannot fulfill the request directly via the Services, Playstream shall provide reasonable support at Publisher’s expense.

  4. Playstream Personnel

    Playstream shall ensure that personnel engaged in Processing Personal Data are trained and informed of confidentiality obligations, and that their access is limited to what is necessary.

  5. Security
    1. Controls
      Playstream shall maintain appropriate TOMs to protect the security, confidentiality, and integrity of Personal Data and shall not reduce security during the term of the Agreement.
    2. Certifications
      Upon written request, Playstream may share details of recent third-party certifications or audits relating to data privacy, subject to confidentiality.
  6. Audit Rights

    Publisher may request an audit, up to once per year, of Playstream’s procedures relevant to the protection of Personal Data but only as required under applicable Data Protection Laws. Publisher shall reimburse Playstream for any time expended for any such audit. The amount of reimbursement shall be based on the personnel and time required to perform the audit. Before the commencement of any such on-site audit, Publisher and Playstream shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement for which Publisher shall be responsible. Publisher shall promptly notify Playstream with information regarding any perceived non-compliance discovered during the course of an audit, and Playstream shall use commercially reasonable efforts to address any confirmed non-compliance.

  7. Security Breach Management and Notification
    1. Incident Management
      Playstream shall promptly notify Publisher of a Security Breach, investigate it, and take appropriate mitigation steps.
    2. Notification
      Notices will be delivered to Publisher’s designated contact by email or other reasonable means. Publisher is responsible for maintaining up-to-date contact details.
  8. Return and Deletion of Personal Data

    Upon termination of the Services, Playstream shall return or delete Personal Data upon request, unless legally required to retain it. Publisher must remove all Playstream-related tags/code; failure to do so will result in Publisher being liable for any resulting issues.

  9. Limitation of Liability

    Each party’s liability under this DPA is subject to the Limitation of Liability clause of the Agreement. Any reference to liability includes that of affiliated parties and sub-processors under this DPA.

  10. Legally Required Disclosures

    Except as otherwise required by law, Playstream will promptly notify Publisher of any subpoena, judicial, administrative, or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives, and which relates to the Processing of Personal Data. At Publisher’s request, Playstream will provide Publisher with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Publisher to respond to the Demand in a timely manner. Publisher acknowledges that Playstream has no responsibility to interact directly with the entity making the Demand.

  11. Security

    Playstream will maintain administrative, technical, and physical safeguards to ensure the integrity, confidentiality, and availability of Personal Data.

  12. Parties to this DPA

    This DPA does not grant rights or benefits to any third party not part of the Agreement.

  13. Legal Authority

    Playstream and Publisher mutually represent and warrant that: (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has the right, power, and authority to: (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations, and covenants set forth hereunder. Without limiting the foregoing, the choice of law and venue clause section of the Master Agreement will apply to any disputes arising out of this DPA.

Entire Agreement; Amendment; Severability

This Agreement constitutes the entire Agreement between the parties with respect to the subject matter of this Agreement. This Agreement supersedes all previous agreements between the parties relating to the subject matter hereof. No provision of this Agreement will be deemed waived, amended, or modified by either party, unless such waiver, amendment, or modification is made in writing and signed by both parties. If any provision of this Agreement is invalid or unenforceable for any reason in any jurisdiction, including but not limited to a change in law(s), such provision will be construed to have been adjusted to the minimum extent necessary to cure such invalidity or unenforceability. If any provision of this Agreement is found by a proper authority to be unenforceable or invalid, such unenforceability or invalidity will not render this Agreement unenforceable or invalid as a whole and such provision will be changed and interpreted so as to best accomplish the objectives of such unenforceable or invalid provision within the limits of applicable law or applicable court decisions.