Ozone

The Audience Connection Platform

Resources

Publisher Data Protection Agreement

These data protection terms constitute the Data Protection Agreement (“DPA“) referred to in the Ozone Publisher Terms and Conditions (the “Agreement”), and are incorporated into the Agreement between Ozone and the Publisher identified on the applicable Service Order. This DPA shall apply in respect of the processing of Personal Data by either Party under or in connection with the Agreement and shall survive termination of the Agreement and continue in force for the duration of any such processing.

Definitions and interpretation

Capitalised terms used in this DPA shall have the meanings given to them in the Agreement. All other capitalised terms used in this DPA (which are not defined in the Agreement) shall have the meanings given to them as follows:

  • “Adequate Country” means as applicable: (a) in relation to European Law, any country outside of the EEA that is recognized by the European Commission from time to time as providing an adequate level of privacy protection by reason of its domestic law or of the international commitments it has entered into; and (b) in relation to the UK, any country outside of the UK that is recognized by the UK from time to time as providing an adequate level of privacy protection by reason of its domestic law or of the international commitments it has entered into;
  • “Controller” has the meaning given to that term in the Data Protection Laws. “Controller” shall include the term “Business” under the CCPA. and similar terms as defined under applicable Data Protection Laws.
  • “Controller Terms” means the terms set out in Appendix 1 to this DPA.
  • “Data Exporter” shall mean the Party who transfers the Personal Data to the Data Importer.
  • “Data Protection Laws” means any applicable international, national, federal, state, provincial, and local laws, regulations, rules, directives, and governmental requirements and guidance concerning the processing or protection of Personal Data. “Data Protection Laws” shall include, but is not limited to, (i) the EU GDPR and the UK GDPR as applicable; (ii) the DPA 2018; (iii) EC Directive 2002/58/EC on Privacy and Electronic Communications; (iv) The Privacy and Electronic Communications (EC Directive) Regulations 2003 and (v) the California Consumer Privacy Act (“CCPA”).
  • “Data Importer” shall mean the Party who receives the Personal Data from the Data Exporter.
  • “Data Subject” has the meaning given to that term in the Data Protection Laws. “Data Subject” includes “Consumer” and similar terms as defined under applicable Data Protection Laws.
  • “DPA 2018” means the UK Data Protection Act 2018.
  • “EEA” means the European Economic Area.
  • “EU GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “EU Model Clauses” means the standard contractual clauses for the transfer of Personal Data, in accordance with the EU GDPR, approved by the European Commission from time to time, the approved version of which in force at the date of signature of this DPA is that set out in the European Commission’s Decision 2021/914 of 4 June 2021, as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and as may be amended or replaced by the European Commission from time to time.
  • “European Laws” means (i) EU GDPR, (ii) the UK GDPR; (iii) the DPA 2018; (iv) EC Directive 2002/58/EC on Privacy and Electronic Communications; and (v) The Privacy and Electronic Communications (EC Directive) Regulations.
  • “IAB TCF ” means the IAB Europe Transparency & Consent Framework published by the Interactive Advertising Bureau Europe as amended from time to time.
  • “Joint Controller” has the meaning given to it in Article 26 of the EU GDPR and/or UK GDPR as applicable.
  • “Ozone Privacy Notice” means Ozone’s Platform Privacy Notice which is located at https://ozoneproject.com/platform-privacy (as may be updated by Ozone from time to time).
  • “Personal Data Breach” has the meaning given to it in the Data Protection Laws.
  • “Personal Data” has the meaning given to that term in the Data Protection Laws. “Personal Data” includes “Personal Information,” “Personally Identifiable Information,” and similar terms as defined under applicable Data Protection Laws.
  • “Processor” means the entity which Processes Personal Data on behalf of the Controller. “Processor” includes “Service Provider,” and “Contractor,” under the CCPA and similar terms as defined under applicable Data Protection Laws.
  • “Processor Terms” means the terms set out in Appendix 2 to this DPA.
  • “Publisher Privacy Notice” has the meaning given to it in clause 3.1(a) of this DPA.
  • “Subprocessor” means all other processors, service providers, and vendors of Ozone who are involved in Processing or sub-Processing Personal Data in connection with the provision of the Services.
  • “Third Country” has the meaning given to it under Data Protection Laws.
  • “UK Addendum” means the United Kingdom (“UK”) ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
  • “UK GDPR” has the meaning given to it in the DPA 2018.
  • The terms “Business,” “Business Purpose,” “Commercial Purpose,” “Cross-Context Behavioral Advertising,” “Process,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising,” and “Third Party” shall have the meaning ascribed to them under applicable Data Protection Laws.

Status of the parties and data processing

  • The parties acknowledge and agree that as part of its provision of the Services, Ozone will process certain Personal Data relating to Users, which, depending on the specific Services to be provided under the applicable Service Order, will include the following: first and third party identifiers including IP address, device ID, a Publisher first party cookie (named: “pubcid”), an Ozone third party cookie, a Publisher internal ID (where supplied), an Ozone Ad Partner ID, user page-view data, bid requests, bid responses, win notices, and other user identifiers as may be agreed with and provided by the Publisher in connection with the Services (including for example hashed email addresses (“HEMs”)).
  • Ozone and Publisher acknowledge that the status of each party is a matter of fact under Data Protection Laws and dependent on the Services Ozone provides to Publisher, as detailed in the Service Order. Notwithstanding the foregoing, the Parties acknowledge and agree that:
    • where the Publisher and Ozone Process any Personal Data relating to Users prior to the commencement of, or which is independent of, the Services, the parties shall be separate and independent controllers;
    • where Ozone Processes Personal Data for the following purposes: (i) to map Personal Data to the Ozone ID, (ii) to leverage Ozone’s Ad Partners, and/or (iii) to activate cross-publisher audience segments, in each case as part of the Services, the parties will act as Joint Controllers to the extent applicable under European Laws in relation to such Processing; and to the extent applicable under other Data Protection Laws, Ozone shall be the Third Party and Publisher shall be the Controller. Without prejudice to the general requirements of clauses 3 and 4 of this DPA, the Controller Terms, attached hereto as Appendix 1 shall apply to such Processing for this clause 2.2(b);
    • where Ozone Processes Personal Data without (i) utilising the Ozone ID and/or (ii) leveraging Ozone’s Ad Partners, for example where Ozone activates the Publisher’s Ad Partners instead of leveraging Ozone’s Ad Partners, in such cases the Publisher shall act as the Controller and Ozone will act as the Publisher’s Processor in relation to such Processing. Without prejudice to the general requirements of clauses 3 and 4 of this DPA, the Processor Terms, attached hereto as Appendix 2 shall apply to the Processing for this clause 2.2(c); and
    • in relation to any other Processing by Ozone of Personal Data, Ozone and Publisher shall act as a separate and independent controller.

General data protection requirements

The Parties may agree Service Orders from time to time (which incorporate this DPA). Notwithstanding any other provisions of this DPA or the Agreement, each party shall:

  • comply with the obligations imposed on it by applicable Data Protection Laws;
  • provide each other with reasonable cooperation and assistance in respect of any (i) communication issued or investigation initiated by a supervisory authority; auditing or documentation of any data protection assessments; or (ii) any request or complaint from a User, in each case which relates to the Services; and
  • comply with its respective obligations with respect to Security Breaches of Personal Data Processed under the Agreement, including without limitation notifying the other party of Security Breaches without undue delay after becoming aware of the same, and in any event within 48 hours after becoming aware. For the purposes of this DPA and the Agreement, the parties acknowledge and agree that a Personal Data Breach shall constitute a Security Breach (as defined in the Agreement)
  • Ozone shall ensure that any Personal Data supplied by or on behalf of Publisher shall:
    • be kept confidential in accordance with the Agreement; and
    • only be accessible to its staff to the extent necessary to properly perform its obligations and exercise its rights under the Agreement, who are informed of its confidential nature and the security procedures relating to it, and who are contractually bound to maintain its confidentiality.
  • Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, Ozone shall implement the security measures required in order to ensure a level of security appropriate to the risk, including providing the level of privacy protection as is required by applicable Data Protection Laws.

General requirements for publisher properties

Publisher shall:

  • publish, on each Publisher Property, a privacy policy or privacy notice that satisfies Publisher’s obligation to comply with its notice and transparency obligations under applicable Data Protection Laws (“Publisher Privacy Notice(s)”);
  • expressly name Ozone in the Publisher Privacy Notice(s) (including where such Privacy Notice is made available as part of a consent management platform implemented in accordance with Data Protection Laws) as a party for whom, and by whom, Personal Data about the User is collected through the Publisher Properties and include in such Publisher Privacy Notice(s) clear and prominent links to the Ozone Privacy Notice: https://ozoneproject.com/website-privacy-cookie/ (to enable Ozone to fulfil its own transparency obligations contained in the Data Protection Laws) and any opt-out mechanisms operated by Ozone, in each case as notified to Publisher by Ozone;
  • for and on behalf of Ozone and any applicable Ad Partners, obtain, and on reasonable request evidence, valid consent for cookies (and/or similar technologies) of Ozone and any applicable Ad Partners to be set on and accessed from devices that are used by Users when they visit each of the Publisher Properties together with any other Personal Data which may be transferred from the Publisher to Ozone as part of the Services, in each case as may be required by Data Protection Laws;
  • assist Ozone as reasonably necessary to enable Ozone and any applicable Ad Partner to demonstrate that it has a lawful basis for processing the Personal Data relating to Users of the Publisher Properties for the purposes of performing the applicable Services described in the applicable Service Order; and
  • on and in respect of each Publisher Property, implement appropriate technical measures (such as cookie banners and consent management platforms), and adopt the IAB TCF (and/or such other framework or policy which complies with Data Protection Laws) for the purposes of ensuring that:
    • Ozone and Ad Partners are able to comply with their respective obligations under the Data Protection Laws; and
    • Publisher complies with its obligations under the Data Protection Laws as well as its obligations set out in this DPA.

Liability and indemnity

  • The parties acknowledge and agree that the limitations and exclusions of liability in the Agreement shall apply in respect of this DPA.
  • To the extent the provisions Article 82 of the EU GDPR or UK GDPR are applicable, both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party, or both parties, then a party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.
  • Each party shall indemnify the other against all Losses suffered or incurred by the indemnified party arising out of or in connection with a breach of the Data Protection Laws by the indemnifying party, its employees or agents.
  • The indemnified party shall give to the indemnifying party prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and, to the extent permitted by the Data Protection Laws and the applicable supervisory authority, sole authority to manage, defend and/or settle it.

General

  • This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law.
  • Each party irrevocably agrees to submit to the exclusive jurisdiction of the courts of England in relation to any claim or matter arising out of or in connection with this DPA (including non-contractual disputes or claims).

Appendix 1: Controller Terms

General

  • Each party agrees to comply with these Terms to the extent they apply as described in clause 2.2(b) of this DPA, and acknowledges that, except as expressly stated otherwise in this DPA or as required by applicable Data Protection Law, it is (as between the parties) solely responsible for ensuring that it meets all of its obligations under Data Protection Law.
  • These Terms determine and specify the parties’ respective responsibilities for compliance with Data Protection Laws in relation to the applicable Processing as set out below:
    • each party shall be responsible for ensuring it has an appropriate legal basis for its Processing;
    • Publisher shall be responsible for providing information to Data Subjects regarding the applicable Processing undertaken by the parties pursuant to the applicable Service Order, and, in accordance with Publisher’s obligations under clause 4.1 of the DPA, shall ensure that the Publisher Privacy Notice includes appropriate and sufficient information regarding the collection by and transmission to Ozone of Personal Data; and
    • without prejudice to Publisher’s obligations under clause 1.3(b) of this Appendix, Ozone shall also make the essence of the arrangement between the parties available to Data Subjects by way of the Ozone Privacy Notice.
  • The parties shall designate a contact point for Data Subjects and make the details of such contact point available in its respective privacy notice.

Communications

If either party receives any communication from a supervisory authority which relates directly or indirectly to:

  • the other party’s processing of Personal Data; or
  • a potential failure to comply with Data Protection Laws in relation to the applicable Services,

the receiving party shall, to the extent permitted by Data Protection Laws and Applicable Laws, promptly provide notice of the communication to the other party.

Rights of individuals

  • The parties acknowledge and agree that Data Subjects may exercise their rights against either of the parties in accordance with the Data Protection Laws. Accordingly, each party shall have in place a process for handling:
    • requests that it receives from Users to exercise any of their rights to access, rectify, erase, restrict or object to processing of Personal Data, opt out of the Sale or Sharing of Personal Data for Cross-Context Behavioral Advertising or Targeted Advertising, or to data portability; and
    • any other requests, complaints, queries or claims made by a User in relation to the Processing of their Personal Data,
    (each a “Data Subject Request”) in accordance with Data Protection Laws.
  • If a party receives a Data Subject Request concerning Personal Data processed in connection with the Agreement, the receiving party shall respond to that request in accordance with Data Protection Laws.
  • If and to the extent that such a Data Subject Request refers to the other party, or where it is otherwise required to enable the other party to comply with its obligations under Data Protection Laws, the receiving party shall promptly, and in any event within seven days after it receives the request, inform the other party of the Data Subject Request and the parties shall cooperate and provide reasonable information and assistance to each other to enable the parties to comply with their respective obligations under Data Protection Laws.

CCPA Terms

  • This clause 4 of this Appendix applies only when Personal Data is Sold or Shared for Cross-Context Behavioral Advertising under the Agreement.
  • The parties agree that Personal Data is Processed by Ozone for the specific and limited purposes set forth in the relevant sections of the Service Order and clause 2 of this DPA.
  • Ozone will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and Ozone shall provide the same level of privacy protection as is required by applicable Data Protection Laws and this DPA; and (ii) only Process Personal Data for the purposes set forth in the relevant sections of the Service Order and clause 2 of this DPA and as otherwise permitted or required pursuant to the Agreement or applicable Data Protection Laws.
  • Ozone will promptly notify Publisher if it determines that Ozone can no longer meet its obligations under applicable Data Protection Law. Upon such notice, Publisher shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.

Appendix 2: Processor Terms

General

Where Publisher is the Controller and Ozone is the Processor in relation to certain Processing, then in such cases these Processor Terms shall apply, and the parties agree to comply with them.

Ozone obligations

Ozone shall:

  • Only act on the Publisher’s documented instructions unless otherwise required by Applicable Laws to which Ozone is subject, and Ozone shall immediately inform the Publisher if, in Ozone’s opinion, an instruction infringes applicable Data Protection Laws;
  • Ensure that Ozone’s employees, officers, agents, sub-contractors and/or authorised representatives authorised to Process the applicable Personal Data are subject to a contractual duty of confidentiality in relation to the applicable Processing;
  • Maintain and implement appropriate technical and organisational measures to protect the applicable Personal Data against any data breach or other form of unlawful processing, loss, or destruction (including, as appropriate, measures pursuant to Article 32 of the EU and/or UK GDPR);
  • Assist the Publisher by appropriate technical and organisational measures in responding to, and complying with, Data Subject Requests;
  • Provide such assistance as the Publisher may reasonably require to allow it to comply with its obligations under Articles 32 to 36 (inclusive) of the EU and/or UK GDPR (and analogous obligations contained in the Data Protection Laws) in relation to the applicable Personal Data; and
  • Provide the Publisher with all information required to demonstrate compliance with the obligations in this Appendix, and submit to annual audits and inspections of systems and processes which are relevant to the Processing of the Personal Data under this Appendix, as may be conducted by it or by a third-party auditor mandated by it, provided that: (i) Ozone shall be compensated for its costs and expenses in relation to such audit, (ii) reasonable advance notice shall be given in respect of any such audit, (iii) any such audit shall only be conducted during Ozone’s normal business hours, (iv) any such audit shall be conducted to cause minimal disruption to the Ozone’s business operations, (v) no access shall be given to Ozone’s confidential information or any information relating to Ozone’s Other Publishers and/or financial data, and (vi) any third party auditor shall enter into confidentiality obligations directly with Ozone which are reasonably acceptable to Ozone; and
  • notify the Advertiser without undue delay on becoming aware of a Personal Data Breach.

Publisher’s obligations

The Publisher shall ensure that:

  • the supply and/or making available to Ozone of the applicable Personal Data for the purposes of Processing undertaken by Ozone as part of the applicable Services and its permitted further Processors, where such Processing is authorised by the Publisher, shall comply with the Data Protection Laws; and
  • the instructions given by the Publisher to Ozone comply with the Data Protection Laws.

Where, by operation of clause 2.1 of this Appendix, Ozone is obliged to provide assistance to the Publisher, or to third parties at its request (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the Publisher’s sole cost and expense, except where such assistance directly arises from Ozone’s breach of its obligations under this Appendix, in which event the costs of such assistance shall be borne by Ozone.

Subprocessors

  • Notwithstanding any other provision of the Agreement, Ozone shall be entitled to appoint Subprocessors to Process the applicable Personal Data, subject to the following conditions:
    • Ozone shall notify the Publisher in writing (email sufficient) of its intention to engage such Subprocessors. Such notice shall give details of the identity of such Subprocessors and the services to be supplied by it;
    • The Publisher shall be deemed to have approved the engagement of the further Processor if it has not served on Ozone a notice in writing (email sufficient) objecting (acting reasonably) to such appointment within 14 days of the date of such notice.
    • In the event that the Publisher objects to any such appointment, Ozone and/or the Publisher shall be entitled to terminate with immediate effect the Agreement or any affected part of the Agreement.
  • Where Ozone engages a Subprocessor for carrying out specific processing activities on behalf of the Publisher pursuant to this Appendix, materially equivalent data protection obligations as set out in this Appendix shall be imposed on that Subprocessor. Where that Subprocessor fails to fulfil its data protection obligations, Ozone shall remain fully liable to the Publisher, subject to the limitations and exclusions of liability set out in the Agreement, for the performance of that Subprocessor’s obligations.
  • A list of Subprocessors that are currently engaged to Process Personal Data are available upon request

CCPA Terms

  • This clause 5 of this Appendix applies only when Ozone Processes Personal Data for the specific Business Purpose identified in the relevant sections of the Service Order and clause 2 of this DPA.
  • Ozone shall not: (i) retain, use or disclose Personal Data for any purpose other than for the limited business purpose(s) set forth in the relevant sections of the Service Order and clause 2 of this DPA and in accordance with instructions from Publisher; (ii) retain, use, or disclose Personal Data for a Commercial Purpose other than providing the Services to Publisher; (iii) “Sell” or “Share” Personal Data; (iv) retain, use or disclose Personal Data outside of the direct business relationship between Ozone and Publisher; or (v) combine Personal Data received from or on behalf of Publisher with Personal Data received from or on behalf of any other person or collected from Ozone’s own interactions with a consumer, except as specifically allowed under applicable Data Protection Law.
  • Ozone will comply with all applicable Data Protection Laws in the Processing of Personal Data and Ozone shall provide the same level of privacy protection as is required by applicable Data Protection Laws and this DPA. Ozone will promptly notify Publisher if it determines that Ozone can no longer meet its obligations under applicable Data Protection Law. Upon such notice, Publisher shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.

Appendix 3: International Transfers

EU SCCs

Where Personal Data is transferred from a party that is subject to the EU GDPR to a party that is established outside of the EEA or an Adequate Country such as a Third Country, except where permitted by way of derogations or conditions in the EU GDPR, the EU SCCs are hereby incorporated by reference with the same force and effect as though fully set forth in this Agreement, wherein:

  • with the Data Exporter as Ozone and the Data Importer as the Publisher, the applicable modules are:
    • Module One: controller to controller terms shall apply to the extent that the Data Exporter, acting as controller, is transferring Personal Data to the Data Importer, also acting as a controller; and
    • Module Four: processor to controller terms shall apply to the extent that Data Exporter, acting as processor, is transferring Personal Data to Data Importer, acting as a controller.
  • Clause 7 of the EU SCCs (the optional docking clause) shall not apply;
  • the optional language in Clause 11 of the EU SCCs will not apply;
  • the Parties agree that the governing law and forum for disputes for the EU SCCs in respect of Clauses 17 and 18 of the EU SCCs will be in accordance with clauses 6.1 and 6.2 of this DPA;
  • Annex I of the EU SCCs shall be deemed completed by:
    • the relevant and applicable information set out in the Service Order and clause 2 of this DPA with the Data Exporter as Ozone and the Data Importer as the Publisher;
    • the frequency of the transfer being continuous throughout the Term of the Agreement;
    • the Subprocessors shall be deemed completed with the information provided by the relevant party upon request to the extent that the Module applies; and
    • the competent supervisory authority shall be the UK’s Information Commissioner.
  • Annex II (Technical and Organisational Measures) of the EU SCCs will be deemed completed with the information provided by the relevant party upon request to the extent that the Module requiring it applies;
  • Annex III (List of Sub-Processors) of the EU SCCs apply, Annex III shall be deemed completed with the information provided by the relevant party upon request to the extent that the Module requiring it applies; and
  • if and to the extent the EU SCCs conflict with any provision of this Agreement, the EU SCCs will prevail to the extent of such conflict.

UK ADDENDUM

Where Personal Data is transferred from a party that is subject to the UK GDPR to a party that is established outside of the UK or an Adequate Country such as to a Third Country, except where permitted by way of derogations or conditions in the UK GDPR, the UK Addendum is hereby incorporated by reference with the same force and effect as though fully set forth in this Agreement, wherein:

  • the EU SCCs will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of this Agreement;
  • Table 1 of the UK Addendum will be deemed completed in accordance with the Service Order with the Data Exporter as Ozone and the Data Importer as the Publisher;
  • Table 2 will be deemed completed by:
    • selecting the check box labelled “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”;
    • selecting Modules 1 and 4;
    • Clause 7 (Docking Clause) is not selected;
    • the optional language in Clause 11 is not selected; and
    • the Personal Data received from the Data Importer is combined with Personal Data collected by the Exporter.
  • Table 3 will be deemed completed by:
    • the relevant sections of the Service Order and clause 2 of this DPA; and
    • The Technical and Organisational Measures and “List of Sub Processors” shall be deemed completed with the information provided by the relevant party upon request to the extent that the Module requiring it applies;
  • Table 4 of the UK Addendum will be deemed completed by selecting “Exporter” and “Importer”; and
  • any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

Connect with us

Name