DATA PROCESSING AGREEMENT LATAM

This Data Processing Agreement (DPA) applies to the Processing of Personal Data under any Master Service Agreement, Service Order, Statement of Work, Insertion Order or other document that incorporates or references this DPA (the Agreement). This DPA is between your company (Marketing Partner) and the Epsilon entity that is a party to the Agreement ("Epsilon") and shall apply to the extent Epsilon as part of the services provided under the Agreement (Services) Processes Personal Data originating from territories within Latin America, including but not limited to Argentina, Brazil, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Mexico, Panama and Peru as a Controller (as defined below). The parties agree that this DPA shall replace: (i) any existing data processing agreement the parties may have previously entered into in connection with the Services; and (ii) any conflicting data protection and security terms in the body of the Agreement, in each case as such data processing agreement and terms relate to Personal Data within the scope of this DPA.

In consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. In this DPA, the following terms shall have the following meanings:
   1. Applicable Data Protection Laws means the applicable data protection laws of the Latin American region, including but not limited to Argentina, Brazil, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Mexico, Panama and Peru, including any other legislation and regulatory requirements in force from time to time relating to Personal Data, as they may be amended or superseded from time to time;
   2. "Processor" means a party that carries out the Processing of Personal Data on behalf of the Controller, and includes Data Processor as defined under Applicable Data Protection Laws;
   3. "Sub-Processor" means any further Processor that is engaged by the Processor as a sub-contractor, which agrees to receive from Processor any Personal Data exclusively for purposes of carrying out the Processing activities with Processor's instructions and under this DPA;
   4. "Controller" means a party which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and includes Data Controller as defined under Applicable Data Protection Laws;
   5. "Data Subject" is anidentified or identifiable natural person who can be identified, directly or indirectly;
   6. Device Tracking Technologies means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) embedded within an advert or within Marketing Partner's digital property(ies) or server(s) that enables access to or storage of information on a Data Subject's device.
   7. "Personal Data" means any information relating to a Data Subject as defined under Applicable Data Protection Laws, including but not limited to information such as name, identification number, location data and online identifiers;
   8. Processingmeans any operation or set of operations which is performed on Personal Data, including, but not limited to any operation carried out with Personal Data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;
   9. Sensitive Personal Data means special categories of Personal Data accorded a higher level of protection under Applicable Data Protection Laws, included but not limited to, as applicable, any information related to racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person; and
   10. Standard Contractual Clauses means standard contractual clauses adopted by the relevant supervisory authority(ies) within Latin America for international transfer(s) of personal data to a country that is not deemed adequate under the Applicable Data Protection Laws.
2. Marketing Partner may disclose or otherwise permits Epsilon to collect certain Personal Data about visitors to Marketing Partner's digital properties and/or about Marketing Partner's customers including but not limited to: (i) identifiers such as name, address, email, phone number, national IDs, device identifiers, advertising IDs, cookie IDs, IP-addresses, and information about the Data Subjects browser and/or device; and (ii) transactional and browsing information such as the digital property and/or content that the Data Subject engages with or the nature of transactions that the Data Subject has made, as well as customer IDs, transaction IDs, and order IDs (collectively, the "Data"). Epsilon will Process the Data for the following purposes: (i) to create a personalized advertising and content profile, (ii) to provide Data Subjects with personalized adverts and contents, (iii) to measure advertising performance; (iv) to develop and improve its services; and (v) as otherwise described in the relevant Service Order and/or IO (the "Permitted Purposes"). Epsilon may share the Data with its affiliates, including but not limited to Epsilon Data Management LLC, for processing for the Permitted Purposes. Marketing Partner shall ensure that no Sensitive Personal Data are disclosed or made available to Epsilon, nor any Personal Data relating to Data Subjects under the age of 18.
3. Marketing Partner acknowledges that it is a Controller of the Data it discloses or otherwise permits Epsilon to collect, and Epsilon will also Process the Data as a Controller for the Permitted Purposes. Epsilon may share the Data back with Marketing Partner for Marketing Partner to use for purposes compatible with the Permitted Purposes and always in accordance with Applicable Data Protection Laws. It is not intended that either party acts as a Processor for the other party in relation to any Processing activity of any Personal Data in scope of this DPA.
4. Marketing Partner will comply with its responsibilities as a Controller under Applicable Data Protection Laws in respect of its Processing of the Data. Without limiting this obligation Marketing Partner shall fulfil the specific data protection compliance responsibilities described below:
   1. Marketing Partner shall: (i) maintain a prominent and publicly accessible privacy notice and cookie banner on all its digital properties that satisfies the transparency and other requirements of Applicable Data Protection Laws or shall provide such privacy notice and information to the Data Subjects in a different manner if so required under the Applicable Data Protection Laws; (ii) ensure such privacy notice discloses the means by which a Data Subject can contact Marketing Partner in order to exercise its data protection rights under Applicable Data Protection Laws; (iii) if so required by law, ensure such privacy notice addresses the provision of Data from Marketing Partner to Epsilon (or the collection of Data from Marketing Partner by Epsilon) per the terms of this Agreement.
   2. Marketing Partner shall ensure that, in respect of any Data that it collects and provides to Epsilon (including any Data it permits Epsilon to collect using Device Tracking Technologies on Marketing Partners digital properties): (a) the Data is collected fairly and lawfully and in compliance with Applicable Data Protection Laws; (b) it has provided all necessary disclosures and obtained all necessary consents or otherwise has all necessary rights as it relates to its own Processing of the Data, its provision of Data to Epsilon (or collection of Data by Epsilon), as well as Epsilons Processing of the Data for the Permitted Purposes, prior to sharing the Data with Epsilon and/or permitting Epsilon to collect the Data; (c) it offers Data Subjects the ability to opt-out of its own and Epsilons Processing of the Data; and (d) it will not disclose or make available to Epsilon any Data relating to Data Subjects that have opted-out of or otherwise exercised other rights that bar the provision of Data to Epsilon and/or the Processing for the Permitted Purposes; in each case as may be required by Applicable Data Protection Laws. Upon Epsilons request, Marketing Partner agrees to provide documentation evidencing that such information has in fact been provided to Data Subjects, and that such consent has in fact been obtained from Data Subjects. If a Data Subject withdraws its consent or exercises any other right that bars the Processing for the Permitted Purposes, Client will notify Epsilon promptly in accordance with the process agreed between the parties and provide Epsilon a copy of the privacy notice made available to and, if required by law, consented to by the Data Subjects of the Personal Data that it collects and discloses to Epsilon.
   3. Epsilon shall have the right to audit Client, including by using a third-party independent auditor, for the purpose of ensuring that 4.2 is fulfilled.
5. Epsilon will comply with its responsibilities as a Controller under Applicable Data Protection Laws in respect of its Processing of the Data. Without limiting this obligation Epsilon shall fulfil the specific data protection compliance responsibilities described below:
   1. Epsilon shall: (i) maintain a prominent and publicly accessible privacy notice on its digital properties that satisfies the transparency and other requirements of Applicable Data Protection Laws; and (ii) ensure such privacy notice discloses the means by which a Data Subject can contact Epsilon in order to exercise its data protection rights under Applicable Data Protection Laws.
   2. Upon request Epsilon shall provide Marketing Partner with such information as Marketing Partner may reasonably require about Epsilons Processing of Data under this Agreement (including the use of Device Tracking Technologies) so that Marketing Partner can ensure that such information is presented to Data Subjects.
6. Epsilon may also make available to Marketing Partner certain Personal Data about visitors to third party digital properties on which adverts are served (the "Metrics Data"). Marketing Partner will Process the Metrics Data solely for the purpose of measuring advertising performance, or as otherwise agreed between the Parties in writing, and always in accordance with Applicable Data Protection Laws.
7. If Marketing Partner requests and Epsilon agrees in its sole discretion, to place Marketing Partner's or a third party's (each such third party an "Attribution Third Party") Device Tracking Technologies in Ads, Marketing Partner shall: (1) be solely responsible for the Attribution Third Party; (2) enter into a contract with the Attribution Third Party which: (a) meets the requirements of Applicable Data Protection Laws; (b) requires the Attribution Third Party to Process Personal Data in accordance with Applicable Data Protection Laws; and (c) guarantees at least the same level of protection of Personal Data as set out herein; (3) be solely responsible for satisfying a lawful basis to process any data (including Personal Data) collected by the Attribution Third Partys Device Tracking Technologies (the "Attribution Data") for the permitted uses listed below; (4) use the Attribution Data and shall contractually require any Attribution Third Party to use the Attribution Data, solely for the following applicable permitted uses: (a) attribution analysis, (b) click and impression tracking; (c) campaign measurement; (d) customization of creatives; and/or (e) any other purpose approved in writing by Epsilon. For the avoidance of doubt, Attribution Data cannot be used by Marketing Partner, any Attribution Third Party and/or any other third party for any other purposes including but not limited to retargeting or audience creation. Notwithstanding any contrary provision in the Agreement, Marketing Partner shall and shall procure that Attribution Third Party complies with the obligations set out in this Section 7 of this DPA, and shall indemnify Epsilon, its affiliates, and their respective employees, officers, directors (each an Indemnitee) against all liabilities, damages, costs, expenses, actions, proceedings, judgments, fines, penalties, settlement costs, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by an Indemnitee arising out of or in connection any breach and/or omission by Marketing Partner and/or Attribution Third Party which violates Section 7 of this DPA.
   1. The obligations described in this Section 7 will also apply to Processors and/or Sub-Processors (as applicable) appointed by an Attribution Third Party, i.e., if an Attribution Third Party, acting as a Processor subcontracts any third parties to carry out one or more Processing operations involving the Personal Data.
8. Each party shall, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and any other requirement set forth in the Applicable Data Protection Laws, implement appropriate technical and organizational measures to protect the Data and Metrics Data from and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such technical and organizational measures shall include at least the following components: security policies and procedures; measures ensuring confidentiality, integrity, and availability; vulnerability management measures; asset management measures; identity and access management measures; availability controls measures; and a security risk management program relating to third parties.
9. Each party shall be individually responsible for responding to lawful data and/or consumer protection requests that it receives from Data Subjects in respect of Data and/or Metrics Data that it Processes. To the extent that either party (the "Receiving Party") receives a request relating to Processing performed by the other party (the "Other Party"), the Other Party shall provide such information and assistance as is reasonably necessary to the Receiving Party to enable the Receiving Party to respond to such request in accordance with Applicable Data Protection Laws.
10. Any transfers of Personal Data subject to Applicable Data Protection Laws for Processing in any country that is deemed adequate by Applicable Data Protection Laws shall be permitted in accordance with this DPA.
    1. In the event any disclosure/sharing of Personal Data by either Party to the other Party (the Recipient) under this Agreement is considered an international transfer of Personal Data under the Applicable Data Protection Laws and where required therein the following shall apply:
       1. the Recipient agrees to comply with the same obligations the sharing Party has under the Applicable Data Protection Laws in connection with the protection of the Personal Data;
       2. the transfer shall be subject to the Standard Contractual Clauses (as applicable), with the Recipient being deemed the importer and the other Party the exporter. The Standard Contractual Clauses shall be completed with the information set out in this DPA and shall be deemed signed by the Parties when this DPA is signed; and
       3. Epsilon and/or Marketing Partner (as applicable) shall, upon the other Partys reasonable request, cooperate in carrying out any assessment of such Processing that may be required under Applicable Data Protection Laws.
    2. With respect to any transfers of Personal Data that is subject to Applicable Data Protection Laws in a Latin American country, for Processing in any country that is not deemed adequate by Applicable Data Protection Laws, the parties must put in please the adequate legal mechanisms to ensure a lawful and safe transfers of personal data. Specifically, the parties might use Standard Contractual Clauses approved by the corresponding authority, which include, but are not limited to the Standard Contractual Clauses issued by the Red Iberoamericana de Proteccin de Datos (RIPD). The Standard Contractual Clauses shall be completed with the information set out in this agreement and shall be deemed signed by the Parties when this DPA is signed.
       1. With respect to any transfers of Personal Data that is subject to Applicable Data Protection Laws of Argentina, the competent supervisory authority is the National Directorate for Personal Data Protection, and any Data Subject located in Argentina is entitled to bring legal proceedings against the data exporter and/or data importer before the courts of Argentina.
       2. With respect to any transfers of Personal Data that are subject to the Applicable Data Protection Laws of Brazil, such transfers shall be subject to the Standard Contractual Clauses approved by the Brazilian Data Protection Authority (ANPD) under Resolution CP/ANPD No. 19 of 23 August 2024 (Regulation on International Data Transfers), the text of which is available at https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396 (the Brazilian Standard Contractual Clauses) or other appropriate safeguards as established by the Applicable Data Protection Laws of Brazil. The Brazilian Standard Contractual Clauses shall be deemed incorporated into this Agreement and completed with the information provided herein and shall be deemed signed by the Parties when this DPA is signed. With respect to the Brazilian Standard Contractual Clauses, the following sections and content shall apply: (i) Clause 1.1 Identification of the Parties will consist of the content in the headings of this DPA and the Parties will acts as Exporter/Controller and Importer/Controller; (ii) Clause 2.1 Description of the international data transfer will consist of the content in Clause 2 of this DPA (Data and Permitted Purposes); (iii) Clause 3 Onward Transfers, option B is selected for 3.1 and will consist of the content in Clause 2 of this DPA (Data, Permitted Purposes and in relation to the period, the Data will be processed for the period necessary to fulfill the purposes for which it is processed); (iv) Clause 4 Responsibilities of the Parties, Option A is selected for 4.1 and the obligations in 4.1-a, 4.1-b and 4.1-c are designated to both the Exporter/Controller and the Importer/Controller; and (v) Section III will consist of the content in Clause 8 (Technical and Organisational Measures) of this DPA.
    3. Notwithstanding the foregoing, Epsilon and/or Marketing Partner undertake to comply with any other specific international data transfer requirements under the Applicable Data Protection Laws, as applicable under the specific jurisdiction.
11. In the event that either party receive any correspondence, enquiry or complaint from a supervisory authority or government authority ("Correspondence") directly related to the Data and/or Metrics Data Processed under this Agreement it shall promptly inform the other party giving details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Laws.
12. If Epsilon becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Data, then Epsilon will only make available the Data to the extent Epsilon is legally required to do so. In no event shall Epsilon disclose Data in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
13. To the fullest extent permitted by law, each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement, save that nothing in the DPA or the Agreement shall seek to exclude either party's liability to Data Subjects.
14. Each party shall, upon the other party's reasonable request, provide all such information reasonably requested to demonstrate compliance with its obligations under this Agreement and Applicable Data Protection Laws.
15. This DPA may be terminated: (i) by mutual agreement between the parties; (ii) in the event of any breach of the obligations provided for herein, which is not satisfactorily remedied within thirty (30) days of notification by the other party; and if the business relationship between the parties is terminated the parties shall no longer share Personal Data. Upon termination or expiry of the Agreement each party may continue to Process the Personal Data under its control provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Laws.
16. All amendments to this DPA shall only be valid if agreed in writing by the parties.
17. This DPA shall be governed by and interpreted in accordance with the manner specified in the Agreement, except to the extent that Applicable Data Protection Law requires otherwise or as specifically provided in this DPA, in which case disputes will be governed in accordance with Applicable Data Protection Law or as specifically provided in this DPA.