DATA PROTECTION TERMS AND CONDITIONSTERMS (FOR MEDIA INVENTORY SUPPLIERS)

These Data Protection Terms and Conditions (“Terms“) will be applied for and will form an integral part of any commercial agreement made by and between Thirdpresence Oy, a Finnish limited liability company with business ID 2092760-4 (Advertiser) and its media company client (“Media Company“) regarding processing of personal data in connection with the services provided by Thirdpresence to the Media Company.

1. Definitions

1.1 In these Terms, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Process/Processing”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws;

1.1.2 “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Agreement, (i) the EU Data Protection Directive 95/46/EC until 25 May 2018 and the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on and from 25 May 2018), in each case together with all laws implementing or supplementing the same, (ii) any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive), and any forthcoming laws or regulations replacing the ePrivacy Directive, in each case together with all national laws implementing or supplementing the same, (iii) California Consumer Privacy Act, 2018 (“CCPA”), and (iv) any other applicable data protection or privacy laws;

1.1.3 “EEA” means the European Economic Area;

1.1.4 “Personal Data” means, for the purpose of this Agreement, any Personal Data provided by the Media Company to Advertiser under the Agreement, including, without limitation, segment data (such as demographic, behavioural, contextual or other similar targeting data) or query string data;

1.1.5 “Services” means the services provided by the Advertiser to the Media Company under the Agreement;

1.1.6 “Sites” means the digital properties (e.g. websites or applications) for which the Advertiser provides the Services under the Agreement or through which Personal Data used in the delivery of the Services is collected;

1.1.7 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to Processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;

1.1.8 “Subprocessor” means any Data Processor (including any third party and any Advertiser Affiliate) appointed by Advertiser to Process Personal Data on behalf of the Media Company or any Media Company Affiliate.

2. Scope of Processing

2.1 The Media Company has instructed the Advertiser to Process the Personal Data as reasonably required in order to provide the Services.

2.2 In connection with the Services, Advertiser may collect or otherwise receive data (including Personal Data) about or related to end users using the Sites and Advertiser and its media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks, may use cookies, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies in order to collect data (including Personal Data) about or related to end users.

3. Compliance with Data Protection Laws

3.1 Each party agrees to comply with the applicable Data Protection Laws and the provisions of these Terms with respect to its performance of the Agreement.

3.2 The parties will provide reasonable assistance and reasonably cooperate with each other to assist with each party’s compliance with Data Protection Laws. Subject to obligations of confidentiality and policies on the disclosure of information, where a party has a concern that the other party has not complied with these Terms, the parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate.

3.3 In each case where consent is the lawful basis for processing Personal Data for the Services or where consent is necessary for the use of cookies or collection of information from Data Subjects’ devices pursuant to the Data Protection Laws, the Media Company shall be responsible for obtaining, and ensuring its clients and third party service providers obtain, the specific, informed, unambiguous and freely given consent of each Data Subject for the processing, in accordance with these Terms, of their Personal Data by the Advertiser or its media buying clients.

3.4 The Media Company shall ensure that the Sites contain appropriate, clear and concise notifications in accordance with Data Protection Laws that provide transparency to Data Subjects about what Personal Data is being processed by the Advertiser or its media buying clients, the purposes of such processing, and other disclosures as stipulated by the applicable Data Protection Laws, including without limitation description of mechanisms for opt-out elections under the CCPA.

4. Advertiser Personnel

The Advertiser shall ensure that persons authorized to process the Personal Data all are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Advertiser shall implement appropriate technical and organisational measures regarding Processing of the Personal Data in the Services to ensure a level of security appropriate to the risk.

6. Subprocessing

6.1 Advertiser may engage Sub-Processors in connection with providing the Services, provided that:

6.1.1 the Advertiser and the Sub-Processor enter into an agreement regarding Processing of the Personal Data on terms that are materially at least as protective as these Terms; and

6.1.2 the Advertiser updates the list of its demand-side partners which may Process the Personal Data from time to time thereby informing the Media Company of any intended additions to or replacements of the Sub-Processors, giving the Media Company an opportunity to object to changes on reasonable grounds of non-compliance or material risk of non-compliance by the Media Company with Data Protection Laws. Should the Media Company so object to the use of a Sub-Processor, the Media Company may within 30 days after notice of any intended additions or replacements of a Sub-Processor terminate the Agreement related to an affected service upon written notice without liability for such termination.

6.2 Advertiser shall remain fully liable for the performance of each Sub-Processor’s obligations.

7. Data Subject Rights

7.1 Advertiser shall promptly notify the Media Company if it receives a request from a Data Subject under any Data Protection Laws in respect of Personal Data.

7.2 Advertiser shall reasonably co operate to enable the Media Company to fulfil its obligations relating to exercise of rights by a Data Subject (e.g. right to delete under CCPA) under any Data Protection Laws.

7.3 If, after making reasonable efforts to cooperate with the Media Company, the Advertiser receives a Data Subject’s request that the Advertiser reasonably believes to be well-founded under Data Protection Laws, the Advertiser may, in an effort to comply with applicable Data Protection Laws, respond to the request, confirming whether its role in respect of the Personal Data that is the subject of the request is as Data Controller, Data Processor or Sub-Processor, and, upon receiving a request for access, rectification, erasure or restriction, delete, or put beyond effective use, their Personal Data, as applicable.

8. Personal Data Breach

With respect to any Personal Data Breach, the party who or the party whose Processors and/or Sub-Processors suffers such breach (“Data Breaching Party”), without undue delay (but in no event later than 48 hours after becoming aware of the Personal Data Breach) agrees to (i) notify the other party (“Non-Data Breaching Party”) of the Personal Data Breach and (ii) provide the Non-Data Breaching Party with such details as the Non-Data Breaching Party reasonably requires regarding the nature of the Personal Data Breach, any related investigations, the likely consequences, and any measures taken by the Data Breaching Party to address the Personal Data Breach, and thereafter provide regular updates on these matters. Where the Non-Data Breaching Party is a Data Controller, the Data Breaching Party will co-operate reasonably with the Non-Data Breaching Party including with any proposed notification to a competent supervisory authority and/or communication to a Data Subject where required by Data Protection Laws.

9. Data Protection Impact Assessment and Prior Consultation

Advertiser shall provide reasonable assistance to the Media Company with any data protection impact assessments which are required under the Data Protection Laws in relation to Processing of Personal Data by Advertiser on behalf of the Media Company and taking into account the nature of the Processing and information available to Advertiser.

10. Deletion or return of Personal Data

10.1 Subject to section 10.2, Advertiser shall without undue delay after the termination of the Agreement, delete all copies of Personal Data Processed by the Advertiser.

10.2 Advertiser may retain Personal Data to the extent required by the Data Protection Laws and only to the extent and for such period as required by the Data Protection Laws and always provided that Advertiser shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

11. Audit rights

11.1 Advertiser shall make available to the Media Company on request all information necessary to demonstrate compliance with these Terms and allow for and contribute to audits, including inspections by the Media Company or another auditor mandated by the Media Company.

11.2 The auditor must execute a confidentiality agreement reasonably acceptable to the Advertiser. The result of the audit and all information reviewed during such audit will be deemed the confidential information of the Advertiser (save for disclosure to any competent supervisory authority or otherwise required by law). Additionally, the Media Company shall give at least four (4) weeks’ notice of any audit, reasonably ensure the audit is undertaken with minimal disruption to the Advertiser’s business and shall pay the Advertiser’s reasonable costs for assisting with the provision of information and allowing for and contributing to audits unless a material breach of these Terms is determined to have occurred.

11.3 Advertiser shall immediately inform the Media Company if, in its opinion, an instruction pursuant to this section 11 (Audit Rights) infringes any Data Protection Laws.

12. International Transfers

12.1 The use of or provision of the Services may require the transfer of the Personal Data of Data Subjects located in the EU to countries outside the EEA. Each party will ensure an appropriate mechanism that is recognized by applicable Data Protection Laws is implemented to allow for the data transfer, and shall ensure both it and its Data Controllers, Data Processors, and Sub-Processors will comply with the related requirements of the alternative mechanism for data transfer.

12.2 If the Advertiser transfers the Personal Data of Data Subjects located in the EU to countries outside the EEA not deemed adequate under applicable Data Protection Laws and no legally enforceable mechanism(s) for the transfers of the Personal Data (as permitted under Data Protection Laws) is in place in relation to that transfer, Media Company instructs and mandates the Advertiser to:

12.2.1 confirm it has certified its compliance with the EU-US Privacy Shield and commits to comply with the Privacy Shield principles, including with regard to onward transfer, unless and if Privacy Shield is no longer considered an appropriate mechanism for data transfers under Data Protection Laws; or

12.2.2 to sign standard contractual clauses, approved by the EU authorities under Data Protection Laws, with the Media Company.

13. General Terms

13.1 Each party shall promptly notify the other party if it receives notice of any claim or complaint in connection with Data Protection Laws by any Data Subject in relation to the Personal Data processed in connection with the Services.

13.2 In the event that there is a change in applicable Data Protection Laws that would, in the reasonable opinion of a party, require changes to the Services or the means by which the Services are provided, the parties agree to discuss in good faith any required changes to the Services and, if the required changes will cause a material harm to either party or materially alter either party’s provision or use of the Services, such party may terminate the Agreement upon written notice without liability for such termination.

13.3 With regard to the subject matter of these Terms, in the event of inconsistencies between the provisions of these Terms and any other agreements between the parties, the provisions of these Terms shall prevail with regard to the parties’ data protection obligations under the Data Protection Laws.

13.4 Should any provision of these Terms be invalid or unenforceable, then the remainder of these Terms shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13.5 Advertiser may change these Terms at any time by publishing revised terms and conditions on its website. Should the Media Company not accept the change, it shall notify the Advertiser of its rejection within 30 days of such publication in which case the Advertiser may terminate the Agreement upon written notice without liability for such termination.