Data Processing Addendum
This Data Processing Addendum (hereinafter the “Addendum”) supplements the agreement between You (“Publisher”) and Nativex (hereinafter the “Agreement”) for the digital marketing service or other related service (“Service”). This Addendum is an agreement incorporated into and form part of the Agreement. This Addendum shall be effective since the effective date of the Agreement, and survive termination or expiry of the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. In case of any conflict between a provision of this Addendum and the Agreement, as it relates to Personal Data, the provision of this Addendum shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.
1. Definitions
“Applicable Data Protection Law” means all applicable laws and regulations, including without limitation international, federal, national and state privacy, data security, and data protection laws and regulations (including without limitation, where applicable, European/UK Data Protection Law, LGPD, China Data Protection Law and the CCPA).“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, including without limitation any and all applicable implementing regulations.
“COPPA” means the Children’s Online Privacy Protection Rule (“COPPA”) formulated by the Federal Trade Commission of the United States.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, Where the China Data Protection Law applies, Controller means the personal information handler (“个人信息处理者”) ; Where the European/UK Data Protection Law or VCDPA applies, Controller means the controller; Where the CPPA applies, Controller means the Business.
“China Data Protection Law” means (1) the Personal Information Protection Law, (2) the Data Security Law, (3) the Cyber Security Law and (4) any and all applicable laws and regulations related to the protection of Personal Data, of the People’s Republic of China; in each case as may be amended or superseded from time to time.
“Data Exporter” means Publisher or its affiliate who transfers Personal Data to Data Importer pursuant to a Restricted Transfer.
“Data Importer” means Nativex or its affiliate who receives Personal Data from Data Exporter pursuant to a Restricted Transfer.
“Destroy” means to burn, pulverize, or shred papers, or to destroy or erase electronic files or media, so that all such information cannot be read or reconstructed.
“EEA” means the European Economic Area.
“European/UK Data Protection Law” means: (1) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (4) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended or superseded from time to time.
“LGPD” means the Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations.
“Nativex Privacy Policy” means the privacy policy available at Nativex’s official website: https://www.nativex.com/en/privacy/ or at any other or additional location, as may be updated from time to time.
“Personal Data” means any information relating to an identified or identifiable natural person, or that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household. The term Personal Data shall include (but not be limited to) names, postal addresses, e-mail addresses, social security numbers, driver’s license or identification card numbers, account numbers, credit card or debit card numbers, medical information, device identifiers, Internet Protocol addresses; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, unique pseudonyms, user aliases, telephone numbers, any other persistent identifiers that can be used to recognize a consumer, a family, or a device that are linked to an individual or family, over time and across different services, or other forms of persistent or probabilistic identifiers that can be used to identify a particular individual or device, and any other information which is deemed “personal information” or “Personal Data” under Applicable Data Protection Law. For the avoidance of doubt, Personal Data includes, where relevant, special or sensitive categories of data under Applicable Data Protection Law.
“Process” means to perform any operation upon Personal Data, whether manually or by automatic means, including but not limited to collection, recording, sorting or organization, structuring, accessing, storage, adaptation or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means an entity that Processes Personal Data on behalf of the Controller. Where the China Data Protection Law applies, Processor means an entity that the Controller(s) entrust to Process Personal Data on behalf thereof; where the European/UK Data Protection Law or VCDPA applies, Processor means the Processor; where the CCPA applies, Processor means Service Provider defined under CCPA.
“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable); (iv) where the China Data Protection Law applies, a transfer of Personal Data from the People's Republic of China to a country/region outside of the People's Republic of China ; and (iv) where another Applicable Data Protection Law applies, a cross-border transfer of Personal Data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Protection Law.
“Russian Data Protection Law” means (1) the Federal Law No. 149-Fz On Information, Informational Technologies And The Protection Of Information; (2) the Federal Law No. 152-Fz On Personal Data; (3) the Federal Law No. 242-FZ on Amending Certain Legislative Acts of the Russian Federation as to the Clarification of the Processing of Personal Data in Information and Telecommunications Networks; and (4) any and all applicable national laws and regulations made under or pursuant to (1), (2) and (3); in each case, as may be amended or superseded from time to time.
“SCCs” means (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, including the International Data Transfer Agreement (VERSION A1.0, in force 21 March 2022) issued by the UK Information Commissioner and the EU SCCs to which the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (VERSION B1.0, in force 21 March 2022) issued by the UK Information Commissioner is appended (“UK SCCs”); and (iii) where another Applicable Data Protection Law applies, the Standard Contractual Clauses or other appropriate cross-border transfer mechanisms approved by an appropriate data protection authority or similar body that is adopted or permitted under that Applicable Data Protection Law.
“User” means a Data Subject who is an end-user accessing a mobile application/website and accessing ads served by Nativex or Publisher.
“Nativex’s Affiliates” means Nativex's affiliates, Nativex's advertising partners and advertisers, Nativex's technology partners and Nativex's other business partners.
VCDPA means the Virginia Consumer Data Protection Act, Chapter 53 of Title 59.1 of the Code of Virginia, as may be amended or superseded from time to time, and all regulations made pursuant thereto.
Capitalized terms used and not specifically defined in this Addendum shall have the same meaning as in the Agreement.
2. Data Protection
2.1 Relationship of the Parties
2.1.1.To the extent Nativex is processing Personal Data for the purpose of the Major Activities set forth in the Agreement, the parties acknowledge that Publisher will Process the Personal Data as a Controller and Nativex will Process the Personal Data as a Processor. 2.1.2.The parties acknowledge that for the processing Personal Data for the purpose of the Additional Activities in the Agreement, Nativex shall be a Controller. 2.1.3.Details of Processing are set out in Schedule 1 to this Addendum. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.2.2 Rights and Obligations
2.2.1.Publisher guarantees that it shall prominently announce and display its privacy policy in its Products in accordance with the Application Data Protection Laws and this Addendum and shall provide Users with appropriate notice of and obtain their valid consent to such privacy policy. In case that European/UK Data Protection Law applies, to further clarify, an acceptance of Publisher’s terms and conditions by Users does not constitute valid consent under the Applicable Data Protection Laws. Instead, Publisher must display a valid consent prompt (e.g. a“Cookie Banner”) to Users, and only start collecting Personal Data after Users have voluntarily agreed, without limiting Users’ access to all Product functionalities if no consent is given. In case that Chinese Data Protection Law applies, the privacy policy shall shall meet the following (without limitation) requirements: (1)Publisher’s privacy policy shall be independently written, easily understandable and clearly reminding. After the User enters the main function interface, he or she can access to the privacy policy within no more than 4 time’s click or swipe; (2)Publisher warrants that when the Product runs for the first time, the User will be notified to read its privacy policy by pop-up window and other obvious ways. Publisher shall collect any Personal Data of the User only after the User confirms and agrees to the privacy policy; (3)The User should be given the choice to choose actively whether to agree Publisher’s privacy policy, and the User’s authorization should not be obtained by default or deceived; (4)The content that Publisher should clearly inform the User through its privacy policy and other documents includes but is not limited to: (a) the type of Personal Data processed by Publisher, the purpose, the processing method, the retention period, etc.; (b) Publisher has chosen Nativex as its partner, the Publisher has used Nativex's Services, and Nativex related information, including without limitation, Nativex's company name and contact information, the types, processing purposes, and processing methods of Personal Data processed by Nativex/Nativex’s Affiliates and its ad Partners and/or advertisers, and any other information that shall be notified to Users according to Privacy Requirements; (c) that Nativex will process Personal Data in accordance with Nativex Privacy Policy, and User shall be notified of the link to Nativex Privacy Policy, and User can access the Nativex Privacy Policy by clicking on the link; (d) any other information that needs to be included to meet the Applicable Data Protection Laws.2.2.2.Publisher acknowledges that Nativex does not establish a direct relationship with Users. Therefore, Publisher warrants that it, before collecting any Personal Data of the Users, by fulfilling the covenant in Section 2.2.1 of this Addendum or by using other legally valid consent mechanisms, has provided appropriate notices to and obtained valid consents from Users, to the extent necessary for Nativex to Process the Personal Data according to the purposes, ranges and methods stipulated in this Addendum and the Nativex Privacy Policy, specifically, for purposes of : (i) ads attribution and making settlement, detecting fraud and resolving dispute related to the Agreement (the “Major Activities”) and (ii) profiling data subjects, tracking data subjects and serving data subjects with interest-based ads or personalized ads for any ad campaigns of Nativex and its Affiliates (the “Additional Activities”) (Major Activities and Additional Activities collectively the “Purposes”). If Publisher Processes Personal Data for purposes other than the Purposes (“Publisher Purposes”), it shall also ensure that it has obtained the valid consent of the User. Upon Nativex’s request, Publisher shall provide Nativex with a record of all User consents. Publisher shall notify Nativex in writing within 24 hours of receipt of a User's refusal of consent or withdrawal of consent to any data processing.
2.2.3.Publisher shall provide convenient manner to Users which allows Users to: (1)refuse personalized information and commercial marketing through automated decision-making manners; (2)refuse to sell its Personal Data; and (3)Exercise its rights under Applicable Data Protection Law.
2.2.4.Publisher warrants that it has provided adequate notices to, and obtained valid consents from, its employees who has direct contact with Nativex’s employees or who views Nativex’s platform or website (hereinafter the “Publisher’s Employee”), to the extent necessary for Nativex and/or its, Affiliates to store their Personal Data in accordance with Nativex Privacy Policy and send direct marketing by email to them in relation to the products and services of Nativex and/or its Affiliates. Publisher will provide on request records of all consents obtained from Publisher’s Employee to Nativex and shall notify Nativex in writing within 24 hours of Publisher receiving employee’s objection to or withdrawal of consent.
2.2.5.Publisher will not by act or omission, cause Nativex to violate the Nativex Privacy Policy, any Data Protection Law, notices provided to, or consents obtained from, Users as result of Processing Personal Information in connection with or otherwise performing the Service under the Agreement.
2.2.6.If Publisher's Product is or likely directed to children as defined by Applicable Data Protection Laws, Publisher warrants that it has complied with and fulfilled all of the following requirements: (1)Publisher shall inform Nativex by email or other effective written form upon the commencement date of the Service; (2)Publisher undertakes to comply with the Applicable Data Protection laws relating to the protection of minors and the protection of children's personal information, and if Publisher's products may provide services to child Users and may transmit children's Personal Data to Nativex, Publisher undertakes to have taken relevant measures and to ensure that it has obtained valid and explicit consent from child User’s parents or other entitled guardians (the manner, method and procedure of consent shall be lawful) to ensure that the Publisher and Nativex can process the child User's Personal Data in accordance with this Addendum; (3)Publisher complies with any other requirements as directed by Nativex.
2.2.7.Given that Nativex does not collect age information of Users, if Publisher discovers that Nativex has collected Personal Data from a child without prior verifiable parental or guardian consent, Publisher shall promptly inform Nativex, and Nativex will attempt to promptly delete it upon discovery.
2.3 Confidentiality of Processing
Publisher shall keep strictly confidential all of the Personal Data in accordance with the confidentiality provisions of the Agreement. Publisher shall ensure that any person that it authorizes to Process the Personal Data (including each party’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. Publisher shall ensure that only Authorized Persons will have access to, and Process, the Personal Data, and that such access and Processing shall be limited to the extent strictly necessary to achieve the purposes specified in this Addendum.2.4 Security
Publisher shall implement and maintain reasonable and appropriate physical, technical and organizational measures to ensure the ongoing integrity, confidentiality and availability of Personal Data, and the resilience of systems and services Processing Personal Data, as appropriate to the nature and scope of Publisher’s activities and services, and in accordance with Applicable Personal Data Protection Law. Such measures will include without limitation: (1) protecting the Personal Data from accidental or unlawful (a) destruction, and/or (b) loss, alteration, or unauthorized disclosure or access (a “Security Incident”); (2) all the controls provided in Schedule 2; and (3) the measures required pursuant to Article 32 of the EU GDPR or the UK GDPR, if applicable. Publisher will implement and maintain comprehensive and written privacy and information security policies and procedures and provide such documents: (a) upon written request, to Nativex and (b) at appropriate intervals (including prior to Processing any Personal Data), to Authorized Persons that will Process the Personal Data. Publisher shall also provide reasonable assistance in order for Nativex to comply with the obligations related to the security of Processing under Applicable Personal Data Protection Law.2.5 Cooperation and Individuals’ Rights
Publisher shall, at its own expense, provide all reasonable and timely assistance to Nativex to enable Nativex to respond to: (1) any request from an individual to exercise any of its rights under Applicable Personal Data Protection Law (including its rights of access, correction, objection, erasure and Personal Data portability, as applicable); and (2) any other correspondence, inquiry, or complaint received from an individual, regulator, court or other third party in connection with the Processing of the Personal Data. If any such request, correspondence, inquiry, or complaint is made directly to Publisher, Publisher shall promptly inform Nativex providing full details of the same. Publisher shall delete and permanently destroy the Personal Data or otherwise Process the Personal Data upon request by Nativex as necessary to respond to a consumer request.2.6 Security Incidents
Upon becoming aware, or if there is a reasonable belief, of a Security Incident, Publisher shall inform Nativex without undue delay (and, in any event, within 24 hours) and shall provide all such timely information and cooperation as Nativex may require in order for Nativex to fulfill its data breach reporting obligations under Applicable Data Protection Law. Publisher shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Nativex informed of all developments in connection with the Security Incident.2.7 Deletion of Data
Each party shall destroy all Personal Data in its possession or control as soon as the Purposes and the Publisher's Purposes have each been achieved or are unlikely to be achieved (including all copies of the Personal Data) in its possession or control (including any Personal Data provided to a third party for Processing) immediately, unless it has obtained the lawful basis for retaining Personal Data under Applicable Personal Data Protection Law. This provision shall not apply to the extent that Publisher or Nativex is required by any applicable law to retain some or all of the Personal Data, in which event Publisher shall isolate and protect the Personal Data from any further Processing except to the extent required by such law until deletion is possible.2.8 Audit
Publisher shall permit Nativex (or its appointed third-party auditors) to audit Publisher’s compliance with this Addendum, and shall make available to Nativex all information, systems and staff necessary to demonstrate Publisher’s compliance with this Addendum and Applicable Data Protection Law, and for Nativex (or its third-party auditors) to conduct such audit. Publisher acknowledges that Nativex (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Nativex gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Publisher’s operations. Nativex will not exercise its audit rights more than once in any 12 calendar month period, except (1) if and when required by instruction of a competent data protection authority; or (2) Nativex believes a further audit is necessary due to a Security Incident suffered by Publisher. In the event that Publisher is regularly audited against ISO 27001, ISO 27701, SSAE 18 SOC 1, 2 and 3, and/or PCI standards, as applicable, by independent third party auditors, Publisher shall supply a summary copy of its audit report(s) to Nativex upon request, which reports shall be subject to the confidentiality provisions of the Agreement.2.9 Indemnity
Publisher shall indemnify Nativex from and against all claims (including claims filed by a third party against Nativex), loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage”) suffered or incurred by Nativex as a result of Publisher’s breach of the data protection provisions set out in this Addendum.3. Restricted Transfer
3.1 Personal Data protected by the China Data Protection Law
Where the China Data Protection Law applies and if any transfer of Personal Data under the Agreement is a Restricted Transfer, the Parties shall comply with the relevant provisions of China Data Protection Law regarding the export of personal information, including but not limited to conducting data export security assessments (if required), signing standard contracts, and taking reasonable organizational and technical measures to safeguard exported data. The Data Importer shall use its best effort to assist the Data Exporter to comply with the requirements of China Data Protection Law. For the avoidance of doubt, when the Publisher is a Data Exporter and constitutes a Processor of personal information under the China Data Protection Law, the Publisher shall fulfill the obligations related to data export under the China Data Protection Law as described above in relation to the Restricted Transfer, and Nativex will provide the necessary assistance to the Publisher upon the express request of the Publisher.3.2 Personal Data protected by the Russian Data Protection Laws
Where Russian Data Protection Laws apply, if any transfer of personal information under the Agreement is a Restricted Transfer, the Publisher shall first store such Personal Data on a local server in Russia and make cross-border transfers to Nativex in compliance with Russian data protection laws; if required by Russian data protection laws, the Publisher shall obtain the written consent of the Users.3.3 Standard Contractual Clauses
The parties agree that when the transfer of Personal Data under the Agreement is a Restricted Transfer, the SCCs will be incorporated into this Addendum by this reference, with each Data Exporter and Data Importer being deemed to have entered into the SCCs in its own name and on its own behalf as follows: 3.3.1.In relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows: (1)MODULE ONE shall apply while section 2.1.2 of this Addendum applies. (2)MODULE TWO shall apply while section 2.1.1 of this Addendum applies and both parties agree to choose OPTION 2: GENERAL WRITTEN AUTHORISATION of Clause 9. Specifically, Data Exporter generally agrees that Data Importer is entitled to engage its cloud servers as its sub-processors; (3)in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of Netherlands ; (4)in Clause 18(b), disputes shall be resolved before the Dutch courts; (5)Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Addendum; and (6)Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this Addendum.3.3.2.In relation to Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows: (1)the International Data Transfer Agreement (VERSION A1.0, in force 21 March 2022, the “IDTA”) issued by the UK Information Commissioner shall be deemed to have been entered into; (2)Table 1-4, Part 1 of the IDTA shall be deemed completed as specified below – A.UK country’s law that governs the IDTA shall be England and Wales; B.Primary place for legal claims to be made by the parties to the IDTA shall be England and Wales; C.The Linked Agreement is the Agreement D.UK GDPR applies to the Data Exporter; E.The parties to the IDTA can end the IDTA before the end of its term by serving one months’ written notice; F.The parties to the IDTA that may end the IDTA when the Approved IDTA changes shall be Data Importer; G.If the information of the below items is updated in the Linked Agreement (as defined in the IDTA) referred to, the following information in the IDTA will update automatically: a.The categories of the transferred Personal Data; b.The categories of special category and criminal records data; c.The Data Subject of the transferred Personal Data; d.The purposes for which the Data Importer may Process the transferred Personal Data; e.The security requirements. (3)Unless explicitly specified in point A to F above, Table 1-3 shall be deemed completed with the information set out in Schedule 1 to this Addendum; (4)Table 4 shall be deemed completed with the information set out in Schedule 2 to this Addendum.
3.3.3.In relation to Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 3.2.1 of this Addendum amended as follows: (1)references to “Regulation (EU) 2016/679” in the EU SCCs will be deemed to refer to the Swiss DPA; (2)references to specific articles of “Regulation (EU) 2016/679” will be deemed replaced with the equivalent article or section of the Swiss DPA; (3)references to “EU,” “Union,” and “Member State” will be deemed replaced with “Switzerland”; (4)references to the “competent supervisory authority” are replaced with the “Swiss Federal Data Protection Information Commissioner”; and (5)in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
3.3.4.In relation to Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that such SCCs shall automatically apply to the transfer of Data from the Data Exporter to the Data Importer and, where applicable shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.
3.4 Data Importer shall not participate in (nor permit any (sub-) processor to participate in) any other Restricted Transfers of Personal Data under or related to the performance of the Agreement (whether as an exporter or an importer of the Personal Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law.
3.5 If there is any conflict between this Addendum and the SCCs, the SCCs will prevail.
Schedule 1
Data Processing Description
A. LIST OF PARTIES
Data exporter(s)
| Name: | Publisher |
| Official registration number (if any) (company number or similar identifier): | Refer to Publisher's certificate number specified in the Agreement |
| Contact person’s name, position and contact details (including email): | As specified in the Agreement |
| Role (controller/processor): | Controller |
Data importer(s)
| Name: | Nativex |
| Official registration number (if any) (company number or similar identifier): | As specified in the Agreement |
| Contact person’s name, position and contact details ,including email (shall also be the Importer Data Subject Contact when Section 3.3.2 is applicable): | As specified in the Agreement |
| As specified in the Agreement | Controller/Processor |
B. DESCRIPTION OF TRANSFER
| Categories of data subjects whose Personal Data is transferred: |
A. Users B. Publisher’s Employee |
| Categories of Personal Data transferred: | For Users |
| A. Interactive Data: view or click history. | |
| B. view or click history: IP address, country, time zone and locale settings (including country information and preferred language). | |
| C. Persistent Identifiers: IMEI, Android ID, OAID, IDFV, IDFA, GAID. MAC Address. | |
| D. Application Information: package name of the app of Nativex’s business partners, whether it is downloaded from App Store, version and characteristic of the app used by Users when Users interact with Nativex’s Service. | |
| E. Device Information: device make, device model, information of operating system, device type. | |
| F. Others: timestamp, device event information such as crashes, system activity, the date and time of your request and referral URL, user-agent, advertising effectiveness data (optional, depending on whether the Publisher actually transmits it). | |
| For Publisher’s Employee | |
| A. For Publisher’s Employee: Name | |
| B. Contact details: E-mail and telephone details. | |
| C. Employment contact information: Description of current position; title; unit/department; working base. | |
| Methods of transfer | Publisher transfers Personal Data to Nativex's server. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards: | N/A |
| The frequency of the transfer | Happening on a continuous basis for the length of the Agreement |
| Nature and purposes of the transfer and processing: |
Nature: collection, storage, duplication, analysis, deletion Purposes: as specified in Section 2.2.2 |
| The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: | As specified in Section 2.7 |
| Can and when the Data Importer make further Transfer of the Personal Data? (only if Section 3.3.2 is applicable) | The Importer may transfer on the Transferred Data to only to its advertisers or 3rd party designated by advertiser for the Purposes in accordance with Section 16.1 (Transferring on the Transferred Data) of IDTA . |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Transfer in accordance with IDTA Article 16.1 (Transfer of data) and for the Purposes |
| Dates to review the transfer (only if Section 3.3.2 is applicable) | The Parties must review the Security Requirements at least each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment. |
C. COMPETENT SUPERVISORY AUTHORITY
For Personal Data protected under the EU GDPR: the competent supervisory authority/ies are as provided in Clause 13 of the EU GDPR
For Personal Data protected under the Swiss DPA:Federal Data Protection and Information Commissioner (FDPIC)
For Personal Data protected under the UK GDPR: Information Commissioner’s Office
SCHEDULE 2
Technical and Organisational Security Measures: Minimum Security Controls
The following is a description of the technical and organisational measures that must be the minimum implemented by the Publisher and, where applicable, by any (sub-) processors taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Nativex has implemented physical, technical and administrative security measures for the Service that comply with applicable laws and industry standards. For example, Nativex uses firewalls, encryption technology and other automated software designed to protect against fraud and identity theft; Nativex’s data is only stored in centers that provide high-level security for Users’ information. Physical access is strictly controlled both at the perimeter and at building ingress points by our staff utilizing video surveillance and other electronic means.
Nativex protects User’s privacy by seeking to minimize the amount of sensitive data that it stores on its servers. Nativex also seeks appropriate contractual protection from its partners regarding their treatment of User data.
Nativex has completed the ISO27001 audit and has received the SOC2 Type1 audit report which provides detailed information and assurances about its security, availability, processing integrity, confidentiality and privacy controls, based on its compliance with the Trust Services Criteria (“TSC”) of the American Institute of Certified Public Accountants (AICPA).
