EasyJoy Data Protection Addendum
This Data Protection Addendum (“DPA”) is incorporated into and part of any insertion order (“IO”) or service agreement between EasyJoy Technologies International Limited (“EasyJoy”) and you (“you”, and “Advertiser” or “Publisher” as applicable) relating to your use of EasyJoy’s Advertising Service, Publisher Services, or both (such services collectively, the “EasyJoy Services”, and the agreements applicable to you (“Advertising Agreement” and/or “Publisher Agreement”, as applicable, and collectively, your “EasyJoy Agreements” or “Agreement”), available at Legal Resources.
If and to the extent you provide EasyJoy with personal data, you and EasyJoy agree that this DPA governs our respective collection, transfer, and processing of personal data in the course of our provision and your use of our Services.
Definitions
The terms in this DPA, whether capitalized or not, have the meanings set forth below, and shall, to the greatest extent possible, have the meanings given to them in Applicable Data Protection Laws. Terms not defined here have the definition set forth in your applicable EasyJoy Agreement.
“Advertising Conversion Signal Data”
Means personal data that signals a user conversion (e.g., completion of an ad offer’s requirements or install of an advertised app) in connection with the Advertising Service.
“Advertising Service”
Means mobile in-app advertising services provided by EasyJoy pursuant to one or more insertion orders executed under your Advertising Agreement.
“Advertising Service Data”
Means personal data provided by you to EasyJoy used solely for your benefit in connection with your use of the Advertising Service, such as campaign targeting or suppression lists.
“Applicable Data Protection Laws”
Means all applicable international, federal, national and state privacy and data protection laws, rules, regulations, self-regulatory guidelines, or implementing legislation that apply to the processing of personal data covered by this DPA, including but not limited to: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK GDPR”); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (v) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); and (vi) any national data protection laws made under or pursuant to (i) or (ii) or otherwise applicable to you; in each case as amended, superseded or replaced from time to time.
“Controller”
Means the entity that determines the purposes and means of the Processing of personal data and shall also mean a Business, where applicable, pursuant to the CCPA.
“EEA”
Means the European Economic Area.
“Personal Data”
Means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of us is a Controller, and is defined as “personal information,” “personal data,” or similar term under Applicable Data Protection Laws.
“Processor”
Means an entity that processes personal data solely at the direction of a Controller, and shall also mean a Service Provider, where applicable, pursuant to the CCPA.
“Processing”
Has the meaning set forth under Applicable Data Protection Laws.
“Publisher Monetization Data”
Means personal data provided, via the EasyJoy SDK/API as integrated in your mobile application, for use in connection with EasyJoy’s Publisher Monetization Services, including mobile device identifiers and IP addresses of data subjects who are end users of your mobile application.
“Publisher Service Data”
Means personal data provided by you to EasyJoy used solely for your benefit in connection with your use of EasyJoy’s ancillary Publisher Services (those other than Monetization).
“Publisher Services”
Means the EasyJoy publisher services used by you pursuant to your Publisher Agreement, which may include Monetization Services, Analytics Services, and Virtual Currency Management Services, each as defined in EasyJoy’s Publisher Terms of Service.
“Security incident”
Means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data stored or otherwise processed.
“Standard Contractual Clauses”
Means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
“Sub-processor”
Means any third party engaged by EasyJoy or its affiliates to process Advertising Service Data or Publisher Service Data on your behalf, not including EasyJoy employees or contractors.
“Transfer”
Means the access by, transfer or delivery to, or disclosure of personal data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the personal data originated from.
Purpose and Details of Processing
Respective Roles
You and EasyJoy agree that each of us will process and transfer personal data only for the purposes described in your EasyJoy Agreement(s) and this DPA, or as otherwise agreed in writing between us.
Advertising Conversion Signal Data
You, as Controller, acknowledge that you and EasyJoy each serve as an independent Controller with respect to Advertising Conversion Signal Data provided in connection with the Advertising Service in accordance with this DPA.
Advertising Service Data
You, as Controller, appoint EasyJoy as Processor to process Advertising Service Data in connection with the Advertising Service pursuant to your Advertising Agreement and in accordance with this DPA.
Publisher Monetization Data
You, as Controller, acknowledge that you and EasyJoy each serve as an independent Controller with respect to Publisher Monetization Data provided in connection with the Publisher Monetization Services and in accordance with this DPA.
Publisher Service Data
You, as Controller, appoint EasyJoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this DPA.
Other Publisher Services
You, as Controller, appoint EasyJoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this DPA.
No Special Category Data
Neither you nor EasyJoy shall transfer, provide each other, or have responsibility for processing special categories of personal data under this DPA, as defined under Applicable Data Protection Laws.
Service Provider Certification
Where acting as a Processor, EasyJoy will not(a) sell the personal data received from a Controller; (b) retain, use or disclose the personal data for any purpose other than for the specific purpose of performing the Services on behalf of a Controller; (c) retain, use, or disclose the personal data for a commercial purpose other than providing the Services; or (d) retain, use, or disclose the personal data outside of the direct business relationship between EasyJoy and a Controller. As to EasyJoy’s role as a Processor, EasyJoy certifies that it understands these restrictions and will comply with them.
Obligations As Controllers
Compliance with Obligations
You and EasyJoy each agree, when acting as a Controller of personal data to comply with all applicable laws, including Applicable Data Protection Laws, in your use and our provision of the EasyJoy Services, including fulfillment of all duties required of Controllers under Applicable Data Protection Laws. Each of us will implement and maintain security measures to protect personal data from any Security Incident.
Data Subject Requests
Each of us, when acting as a Controller, has the sole and independent obligation (as between the parties) to receive and manage data subject requests regarding our respective personal data, including without limitation any request to access, know, correct, amend, restrict processing of, port, object to the Processing of, block or delete, or, where applicable, stop the sale of personal data. If applicable, and to the extent legally permitted, each of us will provide the other with reasonable cooperation and assistance in relation to the handling of a data subject’s request. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Requests from Others
If applicable, and to the extent legally permitted, each of us will provide the other upon request with reasonable cooperation and assistance in relation to any correspondence, inquiry, or complaint received from a regulator, individual, supervisory authority, court, or other third party. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Appointing Processors
Where you and EasyJoy are independent Controllers, each party may appoint third-party Processors to Process personal data for the purposes set forth in this DPA and your Publisher Agreement, provided that such Processors (i) agree in writing to Process personal data in accordance with the Publisher Agreement (and any other contractual agreements between the parties); (ii) implement appropriate technical and organizational security measures, no less protective than those in this DPA, to protect personal data subject to the Publisher Agreement against a Security Incident, in compliance with the standards required by this DPA; and (iii) otherwise provide sufficient guarantees that they will process the personal data in a manner that will meet the requirements of Applicable Data Protection Laws. Each of us will be liable for the acts and omissions of its Processors to the same extent each of us would be liable if performing the services of each Processor directly under the Publisher Agreement.
International Transfer Obligations
European Data
Each of us agrees that personal data originating in the EEA, Switzerland or the United Kingdom (such locations collectively, the “Covered Areas” and such data, “European Data”) shall not be Transferred to a jurisdiction outside the Covered Areas unless the transfer is subject to an Approved Transfer Mechanism, meaning that (i) the recipient is located in the EEA, Switzerland, the United Kingdom, or another country that has been specified by the European Commission, Swiss Federal Data Protection Authority, or United Kingdom authorities (as applicable) as providing an adequate level of protection for personal data, or (ii) the recipient (a) receives the European Data pursuant to a binding corporate rules authorization in accordance with Applicable Data Protection Laws; (b) has executed the Standard Contractual Clauses with respect to the personal data; or (c) receives the personal data pursuant to another approved transfer mechanism under Applicable Data Protection Laws.
Standard Contractual Clauses as Data Transfer Mechanism
You hereby agree to and hereby enter into the Model Clauses applicable to you with The parties hereby enter into the Standard Contractual Clauses with respect to European Data, the terms of which are hereby incorporated by reference into and form part of your EasyJoy Agreement(s) in accordance with Attachment 1: Standard Contractual Clauses.
UK Data Transfers
To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with Section 4(b) cannot be relied on to lawfully Transfer personal data in compliance with the UK GDPR, the applicable standard data protection clauses issued, adopted or permitted by the United Kingdom authorities shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Attachment 1: Standard Contractual Clauses.
Future Requirements
You and EasyJoy agree to work together as commercially reasonable to allow each other to apply for and obtain any permit, authorization or consent that may be required under current and future Applicable Data Protection Laws or policies. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on by the parties to lawfully transfer and process European Data, you and EasyJoy agree to work together as commercially reasonable to implement any additional measures or safeguards not described in this DPA or alternative transfer mechanism to enable the lawful transfer and processing of European Data.
Privacy Policy Disclosures
Each party shall designate a contact point for Data Subjects in its publicly posted privacy policy.
Each party shall post a privacy policy on its web site and in its mobile application(s) that reflects the nature of the relationship and transfer of data between the parties as required by Applicable Data Protection Laws.
Your Data Subject Consent Obligations
You acknowledge that we use mobile device advertising identifier and IP address data to provide the EasyJoy Services; accordingly, for personal data that you provide under this DPA as to which you are Controller, you represent that, where required by Applicable Data Protection Laws, you have implemented notice and consent mechanisms sufficient to ensure that any data subject consent is freely given, informed, specific and unambiguous, and (for Publisher Monetization Data and Advertising Conversion Signal Data) covers use for audience segmentation and targeting in connection with online behavioral advertising.
You and EasyJoy will each honor mobile opt-out signals where required by Applicable Data Protection Laws. You will not provide EasyJoy with personal data from any device that has opted out through device settings (“Opt-Outs”) unless you also provide any accompanying opt-out signal. EasyJoy will not knowingly collect or use personal data from any Opt-Outs for purposes of online behavioral advertising and where required by Applicable Data Protection Laws.
You agree to provide EasyJoy, on request, with documentation explaining your consent processes or mechanisms for obtaining consent from data subjects, where required by Applicable Data Protection Laws, with respect to Publisher Monetization Data and Advertising Conversion Signal Data.
You and EasyJoy each agree to use and honor any applicable OpenRTB specifications that pass any signal regarding underage status, consent status, or Opt-Outs.
If and to the extent that we, in our sole discretion, opt to provide you with a notice or consent mechanism or template (e.g., a privacy notice and consent screen or interstitial enabled via EasyJoy’s SDK) (“SDK Tool”), you acknowledge that the decision of whether to implement it is at your discretion. You understand and agree that any such SDK Tool is provided solely on an “As Is” basis, and that you should not rely on it or our provision of it as legal advice; as between you and EasyJoy, you are solely liable for the nature and sufficiency of your compliance with data subject consent obligations.
EasyJoy Obligations As Processor
EasyJoy, when acting as your Processor, agrees as follows:
Requests
We will, to the extent legally permitted, promptly notify you if we receive a request from an individual or data subject wishing to exercise rights under Applicable Data Protection Law in connection with our processing of personal data processed for you, or any other correspondence, enquiry or complaint from an individual, regulator, court or other third party in connection with our processing of personal data for you (“Request”). Taking into account the nature of the processing and the Request, we will assist you insofar as possible in fulfillment of your obligation to respond to the Request under Applicable Data Protection Laws. At your request, to the extent you do not have the ability to fulfill the Request, we will provide commercially reasonable efforts to help you in responding, to the extent we are legally permitted to do so and the response is required under Applicable Data Protection Laws and Regulations. You acknowledge that EasyJoy may not be able to fulfill Requests where doing so would interfere with EasyJoy’s ability to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Confidentiality and Security
We agree to maintain reasonable and appropriate technical and organizational measures for the protection, confidentiality, and integrity of personal data that we process for you, in accordance with the confidentiality provisions of your EasyJoy Agreement(s). We require our personnel involved in the processing of personal data for you to have executed written confidentiality agreements that survive the termination of their work for us, and we limit access to personal data processed by us for you to those personnel with a business need to know, in accordance with your EasyJoy Agreement(s). Upon request, we will provide you with a copy of our written privacy and information security policies and procedures. You acknowledge that EasyJoy may update or modify its privacy and information security policies and procedures from time to time, provided that such updates and modifications do not materially decrease the overall security of the protection afforded to the personal data. In the event of a Security Incident affecting you, EasyJoy will promptly notify you, take reasonable steps to mitigate any effects and damage from the Security Incident, and will provide you with timely information and cooperation as reasonably requested by you for you to fulfill your own Security Incident reporting obligations pursuant to Applicable Data Protection Laws. You agree that an attempted security breach, meaning an event which does not result in unauthorized access to your personal data or to our equipment or facilities storing your personal data, does not give rise to any obligations on our part to you, and that our compliance with this paragraph shall not be deemed an acknowledgement of fault or liability on our part in connection with any actual or attempted Security Incident.
Treatment at Termination
Upon termination or expiration of the EasyJoy Agreements under which EasyJoy is a Upon termination or expiration of the EasyJoy Agreement(s) under which EasyJoy is a Processor for you, EasyJoy will, at your written request, return, destroy, de-identify, aggregate, or anonymize all associated personal data, including copies and personal data held by Sub-processors, except that EasyJoy may retain certain personal data for its legal, accounting and auditing purposes.
Data Privacy Audit
To the extent that Applicable Data Protection Laws require you to be in a position to audit EasyJoy’s Processing of your Personal Data and subject to the confidentiality provisions of the EasyJoy Agreement(s), EasyJoy grants you, as the Controller, to the extent reasonably possible, and through mutually-agreed, reputable and independent third-party auditors, the right to request an audit, at your expense, solely for the purposes of, and as absolutely necessary for, meeting your audit requirements pursuant to Applicable Data Protection Laws, and solely those of our systems and documents directly related to that purpose for the twelve (12) months prior to the audit, or the maximum period required by Applicable Data Protection Laws (if longer). Your audit right is conditioned upon your providing a detailed audit request specifying the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, the audit, at least four (4) weeks in advance of the proposed audit date. Audit requests must be sent in a written form to your designated EasyJoy contact person, with a copy to legal@EasyJoy.com. The auditor must execute a written confidentiality agreement acceptable to us prior to conducting the audit. The audits shall take place during normal business hours, subject to our policies and reasonable confidentiality obligations, and must not unnecessarily disrupt our operations. This audit right may be exercised up to once per year, except to the extent (i) when sooner required by instruction of a competent data protection authority; or (ii) you reasonably believe a further audit is necessary due to a Security Incident affecting us. Where applicable, you agree that you will exercise your audit rights under the Standard Contractual Clause by instructing us to comply with the measures described in this Section 8(d). Nothing in this Section will require us to disclose to you or any auditor, or otherwise to allow you or any auditor to access any third-party data, internal financial information, trade secret, or data that we reasonably determine not to have been requested in good faith, resulting in an interference with EasyJoy’s business, or for purposes other than conducting an audit as required by Applicable Data Protection Laws. We may, at our option, provide you with a copy of our most recent third-party audits or certifications by an independent third-party auditor, as applicable, or any summaries thereof. You acknowledge that any audit results, findings, or third-party certifications or audits are EasyJoy confidential information, and you agree to keep the audit results in strict confidentiality, and not to disclose them to any third party without our prior express written approval. If you are required to disclose the audit results to a competent authority, you shall provide us with a prior written notice explaining the details and necessity of the disclosure, and agree to provide all necessary assistance to prevent or reduce the scope of such disclosure. In the event that such disclosure occurs despite your best efforts to prevent or reduce such disclosure, you will disclose only the portion of the results of the audit that is expressly required to be disclosed.
Sub-Processors
You provide EasyJoy with general written authorization and consent to engage Sub-processors to process personal data provided that: (i) if and to the extent you provide us with European Data, EasyJoy will provide you, upon request, with a list of our then-current Sub-processors and provide you at least fourteen (14) days’ notice of the addition of any Sub-processor (including details of the processing to be performed); (ii) EasyJoy requires its Sub-processors to abide by data protection terms as protective as the terms of this DPA; and (iv) EasyJoy remains fully liable for any breach of this DPA caused by its Sub-processors’ acts, errors or omissions. If you reasonably object, for reasons related to the protection of personal data, to our appointment of a new Sub-processor, then we will either not appoint the Sub-processor or you may opt to terminate this DPA and cease your use of our Services. You acknowledge that EasyJoy complies with its obligations under clause 9 of the Standard Contractual Clauses by complying with this Section 8(e).
Indemnity
Each party (the “Indemnifying Party“) shall indemnify and hold harmless the other, including its officers directors, employees, contractors, and agents (the “Indemnified Party“) from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys’ fees (“Claims“) brought by data subjects, supervisory authorities under the Applicable Data Protection Laws, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party’s breach of this DPA.
Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (A) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this DPA and (B) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party’s breach.
The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned.
Limitation of Liability
Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of your applicable EasyJoy Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the EasyJoy Agreement including this DPA together; for the avoidance of doubt, each reference to this DPA includes all applicable Attachments and Appendices.
Miscellaneous
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA; the foregoing shall not (where applicable) limit any third-party beneficiary rights under the Standard Contractual Clauses.
Except as modified by this DPA, your EasyJoy Agreement(s) remains in full force and effect. In the event of any conflict between your EasyJoy Agreement(s), this DPA, and (where applicable) the Standard Contractual Clauses, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) this DPA; and then (iii) your applicable EasyJoy Agreement.
EasyJoy and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this DPA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this DPA.
This DPA is coterminous with your EasyJoy Agreements, terminating automatically This DPA is coterminous with your EasyJoy Agreement(s), terminating automatically with your last EasyJoy Agreement. Sections 8(c) (Treatment at Termination), 9 (Indemnity), 10 (Limitation of Liability), and this Section 11 (Miscellaneous) survive termination. Without prejudice to remedies set forth elsewhere in this DPA or in your EasyJoy Agreement(s), if either of us breaches this DPA, the other is entitled to terminate the EasyJoy Agreement(s) in its sole discretion effective upon written notice; such termination shall be without any extra costs or expenses, and without effect on any payments then due and owing.
ATTACHMENT 1: STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses are incorporated by reference into and apply and form part of your EasyJoy Agreement(s) as follows: (i) either you are the ‘data exporter’ and EasyJoy is the ‘data importer’ or you are the ‘data importer’ and EasyJoy is the ‘data exporter’, (ii) the Module One (C2C) and Module Two (C2P) terms apply as set out in ‘List of Parties’ below and the Module Three (P2P) terms are not used, (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 (General Written Authorization) applies and the time period for notifying of the addition or replacement of Sub-processors is set out in Section 8(e) of the DPA; (v) in Clause 11, the optional language does not apply, (vi) in Clause 17, Option 1 applies and the Standard Contractual Clauses are governed by Irish law, (vii) in Clause 18(f), disputes will be resolved before the courts of Ireland, and (viii) the Annexes of the Standard Contractual Clauses are populated with the information set out below.
To the extent the personal data is protected by the UK GDPR or Swiss DPA, the Standard Contractual Clauses apply with the following modifications (as applicable): (i) references to ‘Regulation (EU) 2016/679’ are interpreted as references to the UK GDPR or Swiss DPA, (ii) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the UK GDPR or Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘United Kingdom’ or ‘Switzerland’, (iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner, (v) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘United Kingdom Information Commissioner’ and ‘courts of England and Wales’ or the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent courts of Switzerland’, (vi) in Clause 17, the Standard Contractual Clauses are governed by the laws of England and Wales or Switzerland, and (vii) in Clause 18(f), disputes will be resolved before the competent courts of England and Wales or Switzerland.