DATA TRANSFER ADDENDUM (“DTA”) 

  1. Definitions.
    1. “Affiliate” means any entity directly or indirectly Controlling, Controlled by, or under common Control with a party. “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of another entity (whether through the ownership of voting shares, by contract, or otherwise), the terms “Controls” and “Controlled” being construed accordingly.
    2. "Agreement" means the General Services Agreement, Master Services Agreement, Service Order, Insertion Order and/or similar between Epsilon and Marketing Partner, which set forth the terms of the parties' agreement with regards to the Controller Services and/or Processor Services.
    3. "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law.
    4. “Controller Services” means the advertising and marketing related services that Epsilon provides to Marketing Partner acting as a controller, including any services that utilize Epsilon’s identity graph/CORE ID, including but not limited to:
      1. PeopleCloud Discovery
      2. PeopleCloud Prospect
      3. PeopleCloud Digital Media Solutions (aka PeopleCloud Loyalty Digital Media Member Engagement Loyalty Module)
      4. Bridge
      5. Signals
      6. Agility IQ (aka PeopleCloud Messaging Content Personalization Module)
      7. Agility Events (aka PeopleCloud Messaging Site Behavior or PeopleCloud Loyalty Digital Messaging Triggers Modules)
      8. CDP Identity Essentials
      9. Digital Identity Essentials
      10. Conversant Private Exchange (CPE)
      11. CitrusAd
    5. “Data” means any personal data that Marketing Partner discloses or otherwise permits Epsilon to collect about Marketing Partner's customers and prospective customers, and/or about visitors to Marketing Partner's digital properties.
    6. “European Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.
    7. “Epsilon” means the Epsilon-branded entity or any of its Affiliates providing services to Marketing Partner under the Agreement, including but not limited to Epsilon Data Management LLC and Conversant LLC.
    8. “Marketing Partner” means the company that is receiving services from Epsilon under the Agreement, and which may therein be identified as “Marketing Partner”, “Advertiser”, “Client” or other similar term.
    9. “Metrics Data” means personal data about visitors to (i) Marketing Partner’s digital properties, and/or (ii) third party digital properties on which advertising has been delivered; disclosed by Epsilon to Marketing Partner.
    10. “Processor Services” means all the advertising and marketing related services that Epsilon provides to Marketing Partner under the Agreement, excluding the Controller Services, but including but not limited to Messaging and Loyalty.
    11. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area (“EEA”) to a recipient in a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom (“UK”) to a recipient in a country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
    12. “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").
    13. Any other capitalised but undefined terms shall have the meanings given in the Agreement. If there are any inconsistencies between a definition used in this DTA and the Agreement, the definition in the Agreement shall prevail.
  2. Restricted Transfers
    1. For Controller Services, the parties agree that when Marketing Partner's disclosure of Data to, or permitted collection of Data by, Epsilon is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
      1. in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
        1. Module One will apply.
        2. in Clause 7, the optional docking clause will apply;
        3. in Clause 11, the optional language will not apply;
        4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
        5. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
        6. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DTA; and
        7. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DTA.
      2. in relation to Data that is protected by the UK GDPR, the EU SCCs as modified by the "International Data Transfer Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) shall apply to the Restricted Transfer of Data protected by the UK GDPR as follows:
        1. The EU SCCs, completed as set out above in clause 2.1(a) of this DTA shall also apply to transfers of such Data, and shall be modified by the UK Addendum (completed as set out in the remainder of this clause 2.1(b)); and
        2. Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs as set out above in clause 2.1(a) of this DTA;
        3. The option "Importer" shall be deemed checked in Table 4 of the UK Addendum; and
        4. The start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this DTA.
    2. For Processor Services, the parties agree that when Marketing Partner's disclosure of Data to, or permitted collection of Data by, Epsilon is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
      1. in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
        1. Module Two will apply.
        2. in Clause 7, the optional docking clause will apply;
        3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be 30 days;
        4. in Clause 11, the optional language will not apply;
        5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
        6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
        7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DTA; and
        8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DTA.
      2. in relation to Data that is protected by the UK GDPR, the EU SCCs as modified by the "International Data Transfer Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) shall apply to the Restricted Transfer of Data protected by the UK GDPR as follows:
        1. The EU SCCs, completed as set out above in clause 2.2(a) of this DTA shall also apply to transfers of such Data, and shall be modified by the UK Addendum (completed as set out in the remainder of this clause 2.2(b)); and
        2. Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs as set out above in clause 2.2(a) of this DTA;
        3. The option "Importer" shall be deemed checked in Table 4 of the UK Addendum; and
        4. The start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this DTA.
  3. Restricted Transfers of Metrics Data
    1. For Controller Services, the parties agree that when Epsilon's disclosure of Metrics Data to Marketing Partner is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
      1. in relation to Metrics Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
        1. Module One will apply.
        2. in Clause 7, the optional docking clause will apply;
        3. in Clause 11, the optional language will not apply;
        4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
        5. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
        6. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex II to this DTA; and
        7. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DTA.
      2. in relation to Metrics Data that is protected by the UK GDPR, the EU SCCs as modified by the "International Data Transfer Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) shall apply to the Restricted Transfer of Metrics Data protected by the UK GDPR as follows:
        1. The EU SCCs, completed as set out above in clause 3.1(a) of this DTA shall also apply to transfers of such Metrics Data, and shall be modified by the UK Addendum (completed as set out in the remainder of this clause 3.1(b)); and
        2. Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs as set out above in clause 3.1(a) of this DTA;
        3. The option "Exporter" shall be deemed checked in Table 4 of the UK Addendum; and
        4. The start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this DTA.
  4. Collaboration. If the Parties' compliance with requirements under Applicable Data Protection Law relating to Restricted Transfers of Data is affected by circumstances outside of the Parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Data is invalidated, amended or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance.

Annex I 

Data Processing Description 


This Annex I forms part of the DTA and describes the processing and transfer of the Data.  


A. LIST OF PARTIES 

Controller(s) / Data exporter(s):  

Name:

Marketing Partner, the entity that is party to the Agreement and is receiving services from Epsilon, as specified in the Agreement.

Address:

As specified in the Agreement.

Contact person’s name, position and contact details:

As specified in the Agreement.

Activities relevant to the data transferred under these Clauses:

Marketing Partner has engaged Epsilon to provide advertising related services as set out in more detail in the Agreement.

Signature and date:

This DTA will be deemed signed on the date the Agreement is executed or accepted.

Role (controller/processor):

Controller

Controller(s) / Data importer(s):

Name:

The Epsilon entity that is party to the Agreement and is providing services to Marketing Partner, as specified in the Agreement.

Address:

As specified in the Agreement.

Contact person’s name, position and contact details:

Epsilon Data Protection Officer

DPOfficer@epsilon.com

Activities relevant to the data transferred under these Clauses:

Epsilon has been engaged by Marketing Partner to provide advertising related services as set out in more detail in the Agreement.

Signature and date:

This DTA will be deemed signed on the date the Agreement is executed or accepted.

Role (controller/processor):

Controller for Controller Services

Processor for Processor Services

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Current and potential customers of Marketing Partner, including data subjects who visit Marketing Partners’ digital properties.

Categories of personal data transferred:

For Controller Services:

  • Browser and device information: including device identifiers, advertising IDs, cookie IDs, IP addresses, hashed email addresses, non-precise geolocation, date and time, information about the data subject’s browser and/or device, information about the data subject’s browsing behavior such as the digital property and/or content that the data subject engages with or the nature of transactions that the data subject has made, as well as related customer, transaction and order IDs.
  • Contact and transactional details: including name, address, email address, phone number, gender, and records of interactions and/or purchases with Marketing Partner, demographic information, interests and preferences, as well as related customer, transaction and order IDs.

For Processor Services:

  • Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, telephone number and other contact details, including email address), personal interests or preferences (including marketing preferences and purchasing and transactional history); communications data (including time/date of communications, and communications content sent and received through the Processor Services); cookie IDs, device IDs, IP addresses and any other similar types of personal data Marketing Partner has included or input to be processed via the Processor Services.

Additional categories of personal data may be specified in the Agreement.  

Sensitive data transferred (if applicable):

Marketing Partner shall ensure that no special categories of personal data or any personal data relating to data subjects under the age of 16 are disclosed or made available to Epsilon.  

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

Nature of the processing:

The provision of advertising and related measurement services as set out in the Agreement.

Purpose(s) of the data transfer and further processing:

For Controller Services:

The Data will be processed for the purposes of: (a) storing and/or accessing information on a device; (b) selecting basic ads; (c) creating a personalised ads profile; (d) selecting personalised ads; (e) creating a personalised content profile; (f) selecting personalised content; (g) measuring ad performance; (h) applying market research to generate audience insights; (i) developing and improving products; (j) ensuring security, preventing fraud and debugging; and (k) technically delivering ads or content; in each case as more particularly described in the Interactive Advertising Bureau's Transparency and Consent Framework.

For Processor Services:

The provision of advertising and related measurement services as set out in the Agreement.

Additional purposes may be specified in the Agreement.  

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For Controller Services:

The Data will be kept for as long as is necessary to fulfil the purposes for which it is processed. For further details please see the Epsilon Privacy Policy, which is available here: https://www.epsilon.com/emea/privacy-policy-services

For Processor Services:

Subject to any provision in the Agreement, until the termination or expiration of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

N/A

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs):

Where the EU GDPR applies, the competent supervisory authority will be determined by Clause 13 of the Standard Contractual Clauses.

Where the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (ICO).

Annex II

Data Processing Description – Metrics Data

This Annex II forms part of the DTA and describes the processing and transfer of Metrics Data.

A. LIST OF PARTIES

Controller(s) / Data exporter(s):

Name:

The Epsilon entity that is party to the Agreement and is providing services to Marketing Partner, as specified in the Agreement.

Address:

As specified in the Agreement.

Contact person’s name, position and contact details:

Epsilon Data Protection Officer

DPOfficer@epsilon.com

Activities relevant to the data transferred under these Clauses:

Epsilon has been engaged by Marketing Partner to provide advertising related services as set out in more detail in the Agreement.

Signature and date:

This DTA will be deemed signed on the date the Agreement is executed or accepted.

Role (controller/processor):

Controller

Controller(s) / Data importer(s):

Name:

Marketing Partner, the entity that is party to the Agreement and is receiving services from Epsilon, as specified in the Agreement.

Address:

As specified in the Agreement.

Contact person’s name, position and contact details:

As specified in the Agreement.

Activities relevant to the data transferred under these Clauses:

Marketing Partner has engaged Epsilon to provide advertising related services as set out in more detail in the Agreement.

Signature and date:

This DTA will be deemed signed on the date the Agreement is executed or accepted.

Role (controller/processor):

Controller


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Current and potential customers of Marketing Partner, including data subjects who visit Marketing Partner’s digital properties and/or third-party digital properties on which Epsilon serves Marketing Partner advertisements.

Categories of personal data transferred:

Browser and device information: including device identifiers, advertising IDs, cookie IDs, IP addresses, hashed email addresses, non-precise geolocation, date and time, information about the data subject’s browser and/or device, information about the data subject’s browsing behavior such as the digital property and/or content that the data subject engages with or the nature of transactions that the data subject has made, as well as related customer, transaction and order IDs.

Additional categories of personal data may be specified in the Agreement.  

Sensitive data transferred (if applicable):

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

Nature of the processing:

The provision of advertising and related measurement services as set out in the Agreement.

Purpose(s) of the data transfer and further processing:

The Metrics Data will be processed for the purpose of measuring ad performance, as more particularly described in the Interactive Advertising Bureau's Transparency and Consent Framework (Purpose 7).

Additional purposes may be specified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The Metrics Data will be kept for as long as is necessary to fulfil the Marketing Partner's ad measurement purposes.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

N/A

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs):

Where the EU GDPR applies, the competent supervisory authority will be determined by Clause 13 of the Standard Contractual Clauses.

Where the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (ICO).

Annex III

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. 

Any specific measures that are implemented by Epsilon where it acts as data importer with respect to Restricted Transfers of Data pursuant to Section 2 of the DTA, or specific measures that apply only to Controller Services or Processor Services are marked as such. Otherwise, the measures stated shall apply to both parties when acting as data importer.

Measure

Description

Measures of pseudonymisation and encryption of personal data, as well as measures for the protection of data during transmission

Secure FTP is used for transfers where applicable.

A documented policy is in place that specifies the data importer’s approved encryption standards and key management practices. Personal data is always encrypted at rest.

Specific measures applicable to Controller Services:

  • The data importer has measures in place to ensure that pseudonymised personal data does not get re-identified, and to ensure that no directly identifiable personal data is inserted into any pseudonymised environment.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

The data importer takes steps to help ensure that personal data processed is stored and transmitted securely. This includes keeping all solutions and applications behind secure firewalls, which are used to logically segregate the corporate network from the Internet and DMZ (demilitarized zone) segments. Firewalls are configured as per industry best practices. A default deny policy is applied on firewalls.

Specific measures applicable to Controller Services where Epsilon is data importer:

  • Where Epsilon is the data importer, directly identifiable personal data is managed and pseudonymised in a separate environment before being used to deliver the Controller Services.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Information backup and restore requirements are covered as part of the data importer's adopted security policies. Incremental/differential backups of enterprise applications are generally taken on a daily basis and a full back-up is performed on a weekly basis. Backup media is sent to an offsite location for secure storage, wherever required.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Periodic vulnerability assessments are performed on publicly exposed devices to proactively identify and fix vulnerabilities that may otherwise expose personal data to unauthorized access/losses. The data importer engages a third party to perform penetration testing of its network on an annual basis and has a comprehensive business continuity and disaster recovery framework in place. Business critical infrastructure and applications are deployed to provide disaster recovery capabilities.

Measures for user identification and authorisation

Access is provided based on an employee’s specific job assignment(s) or responsibilities and is granted on a need-to-know basis (principle of least privilege), with the default being no access. Requests for access are approved by pertinent stakeholders, and the data importer revokes the access privileges of terminated employees as part of the termination process. User accounts are managed centrally under the data importer’s account management procedures, and user ID creation or deletion requests submitted by authorized persons or entities are actioned by its ID provisioning team. All employees are assigned a unique login ID. Generic user IDs are generally not permitted.

The data importer’s security policy mandates that passwords must comply with our security standards. This includes requirements for length, complexity, age, history and other factors. Password protected screen saver locks are enabled to activate after a defined period of inactivity. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 120 days.

The data importer employs multiple levels of security to manage authorization and access to personal data, including:

  • VPN
  • Multi-factor authentication (MFA)
  • Role-based access to systems and platforms
  • Regular user access reviews

Specific measures applicable to Controller Services where Epsilon is data importer:

  • Access to personal data is limited to employees in the EEA, the United Kingdom, the United States and India.

Data storage and measures for the protection of data during storage

The data importer ensures that access to data centres is limited to key personnel, requiring a physical badge for access. Access is monitored on a periodic basis and reviewed as part of the third-party external audits of the facilities.

Specific measures applicable to Controller Services where Epsilon is data importer:

  • Epsilon stores all pseudonymised personal data in the United States. Epsilon ensures that directly identifiable personal data is, prior to being pseudonymised, stored in a separate environment that is hosted in Ireland. Epsilon employees from the United States can access such directly identifiable personal data as they assist with the pseudonymisation process, but they cannot download it.

Measures for ensuring events logging

The data importer uses industry standard logging tools to log events. Events are automatically logged for each occurrence with alerts sent to the team responsible for analysing and resolving the issue.

Measures for internal IT and IT security governance and management

The data importer follows a layered approach model for implementing security that consists of a combination of industry-accepted administrative, physical and technical security controls at the organization, system and network layers. The data importer maintains documented information security policies. The data importer provides an information security program for employees and in addition, awareness is created through security articles, training, bespoke videos and announcements.

Specific measures applicable to Controller Services and Processor Services where Epsilon is data importer:

  • Publicis Groupe (of which Epsilon is part) has a dedicated security team called the “Global Security Office” (GSO), which promotes and maintains security.
  • Epsilon maintains documented information security policies in place, which are based on the requirements of the ISO 27001 security standard.
  • The GSO provides an Information Security Awareness Program for employees and in addition, awareness is created through security articles, training, bespoke videos and announcements.
  • There is an IT asset management program in place to manage allocation and ownership of assets, and Epsilon has information classification and handling guidelines to address the information handling and labelling requirements.

Measures for certification/assurance of processes and products

Specific measures applicable to Controller Services and Processor Services where Epsilon is data importer:

Epsilon is ISO 27001 certified and undergoes, for parts of its business, an additional SOC 2 audit.

Measures for ensuring data minimisation and quality

The data importer shall ensure that only personal data that is necessary to achieve the purposes is collected.

The data importer has measures in place with the purpose of ensuring that its systems only capture the personal data points that are necessary.

Measures for ensuring limited data retention and erasure

The data importer has in place a data retention policy that complies with applicable law.

Employees are required to return company assets upon termination of employment. All assets are disposed of securely in line with our security policy when no longer required.

Specific measures applicable to Controller Services and Processor Services where Epsilon is data importer:

  • Epsilon’s procedures follow US Department of Defense (DoD) or other industry-recognized standards regarding secure wiping and physical destruction of software, hardware, and removable media. A documented and approved patch management procedure is in place.

Other measures

The data importer has in place, maintains and complies with a policy governing personal data requests from public authorities which at minimum prohibits: (1) massive, disproportionate or indiscriminate disclosure of personal data; and (2) the disclosure of personal data without a subpoena, warrant, writ, decree, summons or other legally binding order that compels such disclosure.

Last Updated: 15 November 2022