Ozone

The Audience Connection Platform

Resources

Advertiser Data Protection Agreement

These data protection terms constitute the Data Protection Agreement (“DPA“) and are incorporated into any insertion order, purchase order or any other agreement between Ozone and the applicable Advertiser (as defined below) (the “Agreement”). This DPA supersedes and replaces any privacy or data protection terms and conditions which may be contained in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail. This DPA shall apply in the event either Party processes Personal Data whether under or in connection with the Agreement or independently of the Agreement. The provisions of this DPA shall survive termination of the Agreement (where applicable) and continue in force for the duration of any such processing of Personal Data by either Party.

Definitions and interpretation

Capitalised terms used in this DPA shall have the meanings given to them as follows:

  • “UK GDPR” has the meaning given to it in the DPA 2018. 
  • “Advertiser” means the advertiser or its media agency which enters into the Agreement with Ozone or which otherwise processes Personal Data, or enables Ozone to utilise a pixel or other similar technology on Advertiser Properties, in each case in connection with the purchase of advertising inventory by or on behalf of the Advertiser via Ozone’s platform; 
  • “Advertiser Property” means a website, mobile app or other digital property which is owned, operated or controller by or on behalf of the Advertiser (including all applicable landing pages);
  • “Controller” has the meaning given to that term in the Data Protection Laws;
  • “Consent” has the meaning given to that term in the Data Protection Laws; 
  • “Data Protection Laws” means (a) the EU GDPR and the UK GDPR as applicable; (b) the DPA 2018; (c) EC Directive 2002/58/EC on Privacy and Electronic Communications; (d) The Privacy and Electronic Communications (EC Directive) Regulations 2003;  and (e) the Data (Use and Access) Act 2025; (f) all local laws or regulations implementing or supplementing the foregoing legislation and all other laws concerning the processing or protection of Personal Data; and (g) all binding codes of practice and guidance issued by national regulators relating to aforementioned laws and regulations;
  • “Data Subject” has the meaning given to that term in the Data Protection Laws;
  • “Data Subject Request” means the exercise by a Data Subject and/or User of their rights under the Applicable Data Protection Laws; 
  • “DPA 2018” means the UK Data Protection Act 2018;
  • “EEA” means the European Economic Area;
  • “EU GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • “IAB TCF ” means the IAB Europe Transparency & Consent Framework published by the Interactive Advertising Bureau Europe as amended from time to time;
  • “Joint Controller” has the meaning given to that term in the Data Protection Laws; 
  • “Joint Controller Terms” means the terms set out in ANNEX A to this DPA;
  • “Ozone Privacy Notice” means Ozone’s Platform Privacy Notice which is located at https://ozoneproject.com/platform-privacy (as may be updated by Ozone from time to time);
  • “Personal Data Breach” has the meaning given to it in the Data Protection Laws;
  • “Personal Data” has the meaning given to that term in the Data Protection Laws;
  • “Processing” has the meaning given to that term in the Data Protection Laws;
  • “Processor” has the meaning given to that term in the Data Protection Laws; 
  • “Processor Terms” means the terms set out in ANNEX B to this DPA;
  • “Supervisory Authority” has the meaning given to that term in the Data Protection Laws; 
  • “Advertiser Privacy Notice” has the meaning given to it in clause 3.1a of this DPA; and 
  • “UK GDPR” has the meaning given to it in the DPA 2018.

General data protection requirements

  • Where this DPA is entered into by a media agency or other media buying entity (“Agency”) on behalf of its advertiser client, such Agency represents and warrants that it is authorised by such client to procure its client’s compliance with the obligations under this DPA and for the purposes of this DPA, “Advertiser” shall be deemed to refer to such client accordingly but the Agency acknowledges and agrees that it will be jointly and severally liable with its client for the obligations under this DPA.
  • Notwithstanding any other provisions of this DPA or the Agreement, each party shall:
    • comply with the obligations imposed on it by applicable Data Protection Laws;
    • provide each other with reasonable cooperation and assistance in respect of any communication issued or investigation initiated by a Supervisory Authority relating to the Services; and
    • notify the other party of any Personal Data Breach or any other attempted IT security breach or incident that compromises or may compromise the confidentiality, integrity, availability and resilience of either Party’s systems, without undue delay after becoming aware of the same, and in any event within 48 hours after becoming aware.

General requirements for advertiser properties

Advertiser shall:

  • procure that each Advertiser Property prominently displayed a privacy policy or notice that satisfies Advertiser’s obligation to comply with its transparency obligations contained in the Data Protection Laws (“Advertiser Privacy Notice(s)”);
  • procure that the Advertiser Privacy Notice(s) expressly name Ozone (including where such Advertiser Privacy Notice is made available as part of a consent management platform implemented in accordance with Data Protection Laws) as a party for whom, and by whom, Personal Data is collected through the Advertiser Properties; and procure to include in such Advertiser Privacy Notice(s) clear and prominent links to the Ozone Privacy Notice (to enable Ozone to fulfil its own transparency obligations contained in the Data Protection Laws); and  any opt-out mechanisms operated by Ozone, in each case as notified to Advertiser by Ozone;
  • for and on behalf of Ozone and/or any applicable digital advertising partners of Ozone (As notified by Ozone to Advertiser) obtain, and on reasonable request evidence, Consent for cookies (and/or similar technologies) of Ozone and/or such ad partners (as applicable) to be set on and accessed from users’ devices when they visit each of the Advertiser Properties;
  • assist Ozone as reasonably necessary to enable Ozone and/or any of Ozone’s applicable digital advertising partners to demonstrate that it has a lawful basis for processing the applicable Personal Data under this DPA; and
  • on and in respect of each Advertiser Property, procure that appropriate technical measures (such as cookie banners and consent management platforms) are implemented, and adopt the IAB TCF (and/or such other framework or policy which complies with Data Protection Laws) for the purposes of ensuring that:
  • Advertiser complies with its obligations under the Data Protection Laws as well as its obligations set out in this DPA.
  • Ozone and its applicable digital advertising partners are able to comply with their respective obligations under the Data Protection Laws; and
  • Advertiser complies with its obligations under the Data Protection Laws as well as its obligations set out in this DPA.

Status of the parties and applicable data protection terms

  • The parties acknowledge and agree that as part of its provision of services to publishers, Ozone will process certain Personal Data which, depending on the specific services to be provided by Ozone, will include the following: first and third party identifiers including IP address, device ID, a publisher first party cookie (named: “pubcid”), an Ozone third party cookie, an internal ID (where supplied), an Ozone ad partner ID, user page-view data, bid requests, bid responses, win notices, and other user identifiers as may be agreed with and provided by either applicable publisher or the Advertiser (including for example hashed email addresses (“HEMs”)).
  • Ozone and the Advertiser acknowledge that the status of each party is a matter of fact under Data Protection Laws and dependent on the applicable services Ozone provides to the publisher. Notwithstanding the foregoing, the Parties acknowledge and agree that:
  • where the Advertiser and Ozone Process any Personal Data prior to the commencement of, or which is independent of, this DPA, the parties shall be separate and independent controllers;
  • where Ozone collects Personal Data from the Advertiser Properties via a pixel and similar technologies, in connection with the measurement, delivery or analysis of Advertiser’s campaigns which (i) map Personal Data to the Ozone ID, (ii) leverage Ozone’s own digital advertising partners, and/or (iii) involve the  activation of cross-publisher audience segments, the parties will act as Joint Controllers to the extent applicable under European Laws and the Joint Controller terms attached here to as Annex A shall apply to such Processing;
  • where Ozone Processes Personal Data for other purposes, on the Advertiser’s instructions without (i) utilising the Ozone ID and/or (ii) leveraging Ozone’s own digital advertising partner, in such cases the Advertiser shall act as the Controller and Ozone will act as the Advertiser’s Processor in relation to such Processing and the Processor Terms, attached hereto as Annex B shall apply to such Processing; and
  • in relation to any other Processing by Ozone of Personal Data, Ozone and the Advertiser shall act as a separate and independent controllers.

Liability and indemnity

  • The parties acknowledge and agree that the limitations and exclusions of liability in the Agreement (if any) shall apply in respect of this DPA. In the absence of any such limitations and exclusions of liability, the parties agree that each party’s liability under or in connection with this DPA, whether in contract (tort, including negligence), or otherwise, in each twelve (12) month period from the commencement of any Processing pursuant to this Agreement shall be limited to one million pounds sterling (£1,000,000). Nothing herein is intended to exclude or limit either party’s liability for death or personal injury caused by negligence, for fraud, or for any other liability which cannot be excluded or limited by applicable law.
  • Where, in accordance with the provisions Article 82 of the EU GDPR or UK GDPR both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party, or both parties, then a party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.
  • Each party shall indemnify the other against all Losses suffered or incurred by the indemnified party arising out of or in connection with a breach of the Data Protection Laws by the indemnifying party, its employees or agents.
  • The indemnified party shall give to the indemnifying party prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and, to the extent permitted by the Data Protection Laws and the applicable supervisory authority, sole authority to manage, defend and/or settle it.

General

  • This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law.
  • Each party irrevocably agrees to submit to the exclusive jurisdiction of the courts of England in relation to any claim or matter arising out of or in connection with this DPA (including non-contractual disputes or claims).

Annex A: Joint controller terms

General

  • Where the parties act as Joint Controllers pursuant to this DPA, then in such case these Joint Controller Terms shall apply.
  • Each party agrees to comply with these Joint Controller Terms and acknowledges that, except as expressly stated otherwise in this DPA or as required by applicable Data Protection Law, it is (as between the parties) solely responsible for ensuring that it meets all of its obligations under Data Protection Law.
  • These Joint Controller Terms determine and specify the parties’ respective responsibilities for compliance with Data Protection Laws in relation to the applicable Processing as set out below:
    • each party shall be responsible for ensuring it has an appropriate legal basis for its processing;
    • the Advertiser shall be responsible for providing information to Data Subjects regarding the applicable processing undertaken by the parties pursuant to this DPA, and, in accordance with Advertiser’s obligations herein, shall ensure that the Advertiser Privacy Notice includes appropriate and sufficient information regarding the collection by and transmission to Ozone of Personal Data; and
    • without prejudice to  Advertiser’s obligations under clause 1.3b of this Annex, Ozone shall also make the essence of the Joint Controller arrangement between the parties available to Data Subjects by way of the Ozone Privacy Notice.
  • The parties shall designate a contact point for Data Subjects and make the details of such contact point available in its respective privacy notice.
  • The parties agree to provide to the other party such cooperation as may reasonably be required to assist that other party in compliance with its obligations under Article 26 of the EU GDPR and UK GDPR.

Communication

  • If either party receives any communication from a supervisory authority which relates directly or indirectly to:
    • the other party’s processing of Personal Data; or
    • a potential failure to comply with Data Protection Laws in relation to the applicable Services, the receiving party shall, to the extent permitted by Data Protection Laws and Applicable Laws, promptly provide notice of the communication to the other party.

Handling of personal data of supplied by or on behalf of advertisers

  • Ozone shall ensure that any Personal Data supplied by or on behalf of Advertiser shall:
    • be kept confidential in accordance with the Agreement; and
    • only be accessible to its staff to the extent necessary to properly perform its obligations and exercise its rights under the Agreement, who are informed of its confidential nature and the security procedures relating to it, and who are contractually bound to maintain its confidentiality.

Rights of individuals

  • The parties acknowledge and agree that Data Subjects may exercise their rights against either of the parties. Accordingly, each party shall have in place a process for handling:
    • requests that it receives from Data Subjects to exercise any of their rights to access, rectify, erase, restrict or object to processing of Personal Data, or to data portability; and
    • any other requests, complaints, queries or claims made by a User in relation to the processing of their Personal Data, (each a “Data Subject Request”) in accordance with Data Protection Laws.
  • If a party receives a Data Subject Request concerning Personal Data processed in connection with the Agreement, the receiving party shall respond to that Data Subject Request in accordance with Data Protection Laws.
  • If and to the extent that such a Data Subject Request refers to the other party, or where it is otherwise required to enable the other party to comply with its obligations under Data Protection Laws, the receiving party shall promptly, and in any event within seven days after it receives the Data Subject Request, inform the other party of the Data Subject Request and the parties shall cooperate and provide reasonable information and assistance to each other to enable the parties to comply with their respective obligations under Data Protection Laws.

International transfers

  • Neither party shall transfer any Personal Data to the other party where such other party is located outside of the European Economic Area (EEA) and/or United Kingdom (UK) unless adequate safeguards (including without limitation any applicable and necessary supplemental measures) are implemented in accordance with Data Protection Laws.

Annex B: Processor terms

General

Where the DPA specifies that the Advertiser shall be the Controller and Ozone shall be the Processor in relation to certain processing, then in such cases these Processor Terms shall apply and the parties agree to comply with them.

Ozone obligations

Ozone shall:

  • Only act on the Advertiser’s documented instructions unless otherwise required by Applicable Laws to which Ozone is subject, and Ozone shall immediately inform the Advertiser if, in Ozone’s opinion, an instruction infringes applicable Data Protection Laws;
  • Ensure that Ozone’s employees, officers, agents, sub-contractors and/or authorised representatives authorised to Process the applicable Personal Data are subject to a contractual duty of confidentiality in relation to the applicable Processing;
  • Maintain and implement appropriate technical and organisational measures to protect the applicable Personal Data Breach (including, as appropriate, measures pursuant to Article 32 of the EU and/or UK GDPR);
  • Assist the Advertiser by appropriate technical and organisational measures in responding to, and complying with, Data Subject Requests;
  • Provide such assistance as the Advertiser may reasonably require to allow it to comply with its obligations under Articles 32 to 36 (inclusive) of the EU and/or UK GDPR (and analogous obligations contained in the Data Protection Laws) in relation to the applicable Personal Data; and
  • Provide the Advertiser with all information required to demonstrate compliance with the obligations in this Annex, and submit to annual audits and inspections of systems and processes which are relevant to the Processing of the Personal Data under this Annex, as may be conducted by it or by a third-party auditor mandated by it, provided that: (i) Ozone shall be compensated for its costs and expenses in relation to such audit, (ii) reasonable advance notice shall be given in respect of any such audit, (iii) any such audit shall only be conducted during Ozone’s normal business hours, (iv) any such audit shall be conducted to cause minimal disruption to the Ozone’s business operations, (v) no access shall be given to Ozone’s confidential information or any information relating to Ozone’s Other Advertisers and/or financial data, and (vi) any third party auditor shall enter into confidentiality obligations directly with Ozone which are reasonably acceptable to Ozone.

Advertiser obligations

The Advertiser shall ensure that:

  • the supply and/or making available to Ozone of the applicable Personal Data for the purposes of Processing undertaken by Ozone pursuant to this DPA, where such Processing is authorised by the Advertiser, shall comply with the Data Protection Laws; and
  • the instructions given by the Advertiser to Ozone comply with the Data Protection Laws.

Where, by operation of clause 2.1 of this Annex, Ozone is obliged to provide assistance to the  Advertiser, or to third parties at its request (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the Advertiser sole cost and expense, except where such assistance directly arises from Ozone’s breach of its obligations under this Annex, in which event the costs of such assistance shall be borne by Ozone.

Further processors

  • Notwithstanding any other provision of the Agreement, Ozone shall be entitled to appoint further Processors to Process the applicable Personal Data, subject to the following conditions:
    • Ozone shall notify the Advertiser in writing (email sufficient) of its intention to engage such further Processors. Such notice shall give details of the identity of such further Processor and the services to be supplied by it;
    • The Advertiser shall be deemed to have approved the engagement of the further Processor if it has not served on Ozone a notice in writing (email sufficient) objecting (acting reasonably) to such appointment within 14 days of the date of such notice.
    • In the event that the Advertiser objects to any such appointment, Ozone and/or the Advertiser shall be entitled to terminate with immediate effect the Agreement or any affected part of the Agreement.
  • Where Ozone engages another Processor for carrying out specific processing activities on behalf of the Advertiser pursuant to this Annex, materially equivalent data protection obligations as set out in this Annex shall be imposed on that other Processor. Where that other Processor fails to fulfil its data protection obligations, Ozone shall remain fully liable to the  Advertiser, subject to the limitations and exclusions of liability set out in the Agreement, for the performance of that other Processor’s obligations.
  • Ozone shall only use Processors outside of the European Economic Area (EEA) and/or United Kingdom (UK) provided that adequate safeguards are implemented in accordance with Data Protection Laws (including without limitation any applicable and necessary supplemental measures).

Connect with us

Name