EPSILON DIGITAL DATA PROCESSING ADDENDUM - EU/UK
This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data under any agreement that incorporates this DPA (as applicable, the “Agreement”) and notwithstanding the parties to the Agreement, on entry into the Agreement this DPA shall be deemed to have been entered into by and between Epsilon International UK Ltd (“Epsilon”) and your company (“Marketing Partner”). If Marketing Partner is defined in the Agreement, it shall have the meaning given to it in the Agreement.
Epsilon and Marketing Partner may be referred to herein each as a “party” or collectively as the “parties”.
In consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
- In this DPA, the following terms shall have the following meanings:
- "Controller", "Data Subject", "Personal Data", “Personal Data Breach”, "Processing" (“Processed” and "Process"), "Processor", "Special Categories of Personal Data" and “Supervisory Authority” shall have the meanings given in Applicable Data Protection Law;
- "Applicable Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time;
- “Tags” means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) embedded within an advert or within Marketing Partner's digital property(ies) or server(s) that enables access to or storage of information on a Data Subject’s device;
- "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area (“EEA”) to a recipient in a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom (“UK”) to a recipient in a country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
- “TCF” means the Interactive Advertising Bureau's Transparency and Consent Framework.
- Marketing Partner may disclose or otherwise permit Epsilon to collect certain Personal Data about visitors to Marketing Partner's digital properties including but not limited to (i) identifiers such as name, address, email, phone number, device identifiers, advertising IDs, cookie IDs, IP-addresses, and information about the Data Subject’s browser and/or device; and (ii) transactional and browsing information such as the digital property and/or content that the Data Subject engages with and information about purchases and transactions that the Data Subject has made, as well as customer IDs, transaction IDs, and order IDs; each to the extent applicable to the services provided under the Agreement (collectively, the "Data"). Epsilon will Process the Data for the purpose of performing the services under the Agreement including to (i) store and/or access information on a device; (ii) use limited data to select advertising; (iii) create profiles for personalised advertising; (iv) use profiles to select personalised advertising; (v) create profiles to personalise content; (vi) use profiles to select personalised content; (vii) measure advertising performance; (viii) measure content performance; (ix) understand audiences through statistics or combinations of data from different sources; (x) develop and improve services; (xi) use limited data to select content; (xii) ensure security, prevent and detect fraud, and fix errors; (xiii) deliver and present advertising and content; (xiv) save and communicate privacy choices, and (xv) in connection with (i) – (xiii) match and combine data from other data sources, link different devices, and identify devices based on information transmitted automatically (the "Permitted Purposes"). Marketing Partner shall ensure that no Special Categories of Personal Data are disclosed or made available to Epsilon nor any Personal Data relating to Data Subjects under the age of 16.
- Marketing Partner acknowledges that it is a Controller of the Data it discloses or otherwise permits Epsilon to collect, and Epsilon will also Process the Data as a Controller for the Permitted Purposes. Epsilon may share the Data back with Marketing Partner for Marketing Partner to use solely for purposes compatible with the Permitted Purposes and always in accordance with Applicable Data Protection Law. Each party will comply with its responsibilities as a Controller under Applicable Data Protection Law in respect of its Processing of the Data.
- Without limiting each party's obligation to comply with the Applicable Data Protection Law to which it is subject (in accordance with Section 3), the Parties agree that they shall each fulfil the specific data protection compliance responsibilities described below:
- Each party shall: (i) maintain a prominent and publicly accessible privacy notice on their respective digital properties that satisfies the transparency and other requirements of Applicable Data Protection Law; (ii) ensure such privacy notice discloses the means by which a Data Subject can contact the party in order to exercise its data protection rights under Applicable Data Protection Law; and (iii) identify, and only Process the Data in a manner consistent with, one or more lawful bases under Applicable Data Protection Law.
- Marketing Partner shall integrate all its digital properties where Epsilon’s Tags are deployed to collect Data with a consent management platform that is verified by the TCF, and Marketing Partner shall list (i) Epsilon International UK Ltd (vendor 24) as vendor; and (ii) the Permitted Purposes.
- If Marketing Partner does not implement a consent management platform that is verified by the TCF as per 4.2 above, Marketing Partner shall implement another mechanism to obtain visitor consent on any digital properties on which Marketing Partner will deploy Epsilon’s Tags to collect Data. Such mechanism must: (a) provide prominent notice to visitors that the digital property deploys Tags operated by Epsilon for the Permitted Purposes; (b) provide visitors a link to Epsilon's privacy notice; (c) display to visitors all necessary disclosures, and obtain all necessary consents, prior to service of the Tags to the visitor; and (d) offer all necessary opt-out mechanisms; in each case in accordance with Applicable Data Protection Law. Marketing Partner shall, upon Epsilon’s request, provide Epsilon with records and/or documentation evidencing that such disclosures have been provided and that such consents have in fact been obtained from Data Subjects.
- Marketing Partner shall ensure that, in respect of any Data that it collects and provides to Epsilon (that is, other than Data collected by Epsilon using Tags on Marketing Partner's digital properties): (a) it collects the Data fairly and lawfully and in compliance with Applicable Data Protection Law; (b) it provides prominent notice to Data Subjects, at the point of Data collection, that their Data shall be Processed by Epsilon for the Permitted Purposes, and such notice shall include a link to Epsilon's privacy notice; (c) it offers Data Subjects the ability to opt-out of such Processing by Epsilon; and (d) it will not disclose or make available to Epsilon any Data relating to Data Subjects that have opted-out of Processing for the Permitted Purposes.
- Marketing Partner shall have a clear and conspicuous link on all applicable digital properties to its privacy notice, and such privacy notice shall include a link directing visitors to the European Interactive Digital Advertising Alliance’s opt-out page.
- Upon request Epsilon shall provide Marketing Partner with such information as Marketing Partner may reasonably require about Epsilon's Processing of Data under this DPA (including the use of Tags) so that Marketing Partner can ensure that such information is presented to Data Subjects.
- Epsilon may make available to Marketing Partner certain Personal Data about visitors to third party digital properties on which adverts are served, including device identifiers, cookie IDs, non-precise geolocation, date and time, information about the visitor’s browser and/or device and information about the visitor’s browsing behavior such as the digital property and/or content that the visitor engages with (the "Metrics Data"). Marketing Partner will Process the Metrics Data solely for the purpose of measuring advertising performance.
- If Epsilon agrees, at Marketing Partner’s request, to place Marketing Partner’s or a third party's (each such third party an "Attribution Partner") Tags in advertising disseminated under the Agreement, Marketing Partner acknowledges and agrees that: (i) it shall be solely responsible for the Attribution Partner; (ii) it shall be solely responsible for ensuring such Attribution Partner has the rights to Process any data (including Personal Data) collected by the Attribution Partner’s Tracking Technologies (the "Attribution Data") for the permitted uses listed below; (iii) it shall use the Attribution Data and shall contractually require any Attribution Partner to use the Attribution Data solely for one or more of the following applicable permitted uses: (a) attribution analysis, (b) click and impression tracking; (c) campaign measurement; (d) customization of creatives; and/or (e) any other purpose approved in writing by Epsilon. For the avoidance of doubt, Attribution Data cannot be used by Marketing Partner, Attribution Partner and/or any other party for any other purposes including but not limited to retargeting or audience creation. Marketing Partner will be responsible, and will indemnify and hold harmless Epsilon, for any breach of the aforementioned obligation by Marketing Partner or by such Attribution Partner.
- Each party shall, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to protect the Data and Metrics Data from and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
- Each Party shall be individually responsible for notifying Supervisory Authorities and/or Data Subjects (as applicable) in respect of any Personal Data Breach related to Data and/or Metrics Data that it Processes.
- Either Party shall, upon request from the other, provide reasonably requested information regarding its Processing of Personal Data to enable the other Party to carry out data protection impact assessments and prior consultations with Supervisory Authorities, as required by Applicable Data Protection Laws.
- Each party shall be individually responsible for responding to lawful data protection requests that it receives from Data Subjects in respect of Data and/or Metrics Data that it Processes. To the extent that either party (the "Receiving Party") receives a request relating to Processing performed by the other party (the "Other Party") the Receiving Party shall direct the Data Subject to the Other Party and shall, upon request, provide such information and assistance to the Other Party as is reasonably necessary to enable the Other Party to respond to such request in accordance with Applicable Data Protection Law.
- In the event that either party receives any correspondence, enquiry or complaint from a Supervisory Authority ("Correspondence") directly related to the Data and/or Metrics Data Processed under this DPA (i) it shall use commercially reasonable efforts to inform the other party giving details of the same if such Correspondence mentions the other party, unless legally prohibited from doing so, and (ii) the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
- Neither Party shall engage in a Restricted Transfer in relation to Data or Metrics Data unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. To the extent that Marketing Partner's disclosure of Data to, or permitted collection of Data by, Epsilon is a Restricted Transfer such Restricted Transfer shall be subject to the Data Transfer Addendum available here: https://legal.epsilon.com/eu/crm-model-clauses