DATA PROCESSING ADDENDUM

This Data Processing Addendum (DPA) applies to the Processing of Personal Data under any agreement that incorporates this DPA (the Agreement) by and between the Affiliate of Publicis Groupe Holdings B.V. (Publicis) and your company (Client). This DPA will form part of the Agreement, and any breach of this DPA will be a breach of the Agreement. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will control.

All references to Publicis shall be deemed references to a Publicis Affiliate that is a party to the Agreement or fulfills orders under the Agreement. All references to Client shall be deemed references to a Client Affiliate that is a party to the Agreement or places orders under the Agreement. Publicis and Client may be referred to herein each as a party or collectively as the parties.

In consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

  1. Definitions. All capitalized words used within this DPA are defined in the attached Schedule 1 Definitions.
  2. Compliance with Applicable Data Protection Law. Each party understands and agrees that it will comply with its respective obligations under Applicable Data Protection Law. For clarity, a party shall not be required to comply with the obligations of a data protection law unless such law applies to that party in accordance with the law's territorial provisions, or the party is acting as a Processor for a Controller to whom the law applies.
  3. Permitted Purposes. Recipient will Process the Personal Data made available by Disclosing Controller solely in accordance with the Permitted Purpose(s) identified within the specific description(s) of Processing as contemplated in the Agreement and/or as agreed by the parties from time to time for which email acknowledgment is sufficient. Each description of Processing shall identify the party's role (e.g., Controller, Processor, Third Party) with regards to the Personal Data Processed and shall form a part of this DPA. If the Agreement does not contain a description of Processing and the services include the serving of digital advertisements by Epsilon (a Publicis Groupe entity), the provision of clean room services by Epsilon, or the provision of services by Lotame or ReTargetly, the description of Processing for these Services can be found at https://legal.epsilon.com/us/description-of-processing.
  4. TOMS. Each party will implement and maintain technical and organizational measures appropriate to the nature of the Personal Data it Processes (including any Personal Data it may receive or access from the other party) in accordance with Applicable Data Protection Law. This includes measures that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure. Publicis has no obligation to protect Client Data that Client elects to transfer outside of Publicis' and its Subprocessors' systems.
  5. Cooperation. Upon written request, the parties shall provide each other with such information as either party may reasonably require about the other party's Processing of Personal Data under the Agreement, to the extent such party does not have access to the relevant information, so that the parties can:
    1. ensure that such information is presented to Data Subjects;
    2. complete statutorily required data protection assessments;
    3. respond to an inquiry from a Regulator related to a party's performance under this DPA; and
    4. ensure the Recipient is Processing Personal Data made available by the Disclosing Controller consistent with the obligations under Applicable Data Protection Law.
  6. Confidentiality. The parties will ensure that their personnel engaged in the Processing of Personal Data under the Agreement have received appropriate training regarding the access, use and treatment of Personal Data under Applicable Data Protection Laws and are subject to written confidentiality agreements governing the access, use and treatment of Personal Data.
  7. Notice, Choice and Consent. Disclosing Controller warrants that all Personal Data it makes available to Recipient under this Agreement has been collected, disclosed, and transferred in compliance with Applicable Data Protection Law. This includes: (a) providing Data Subjects with appropriate notices, at or before the time of collection; (b) obtaining all necessary and legally enforceable consents or establishing another lawful basis for Recipient's Processing for the Permitted Purposes, including any required regulatory approvals; and (c) ensuring that no Personal Data is disclosed to Recipient relating to Data Subjects who have opted out, withdrawn consent, or otherwise exercised rights that prohibit such Processing (except where such requests are shared for suppression purposes). Disclosing Controller shall promptly notify Recipient of any Data Subject's withdrawal of consent and provide documentation evidencing compliance with these obligations upon Recipient's request. Where Publicis Tags are deployed on Client's digital properties or Client makes available Client Data for Publicis digital advertising services, the terms in Schedule 2 shall apply.
  8. Prohibited Data. Unless otherwise set out in the Agreement, Client shall ensure that no Personal Data that is afforded a higher level of protection under Applicable Data Protection Law is disclosed or made available to Publicis nor any Personal Data relating to a Data Subject under the age of 18 or any higher age that is considered a child under applicable laws.
  9. International Transfers.
    1. The parties may Process Personal Data throughout the world provided that any transfer of Personal Data outside the country of origin is subject to an appropriate data export mechanism where required by Applicable Data Protection Law. Upon request, and to the extent required by Applicable Data Protection Law, Publicis will provide Client with a list of countries to which Client Data is transferred.
    2. In the event the disclosure of Personal Data (including Client Data) by one party (the data exporter) to the other party (the data importer) under this DPA is considered a transfer of Personal Data outside the country of origin under Applicable Data Protection Law, and where required by such Applicable Data Protection Law, the transfer shall be subject to the following:
      1. The data importer agrees to comply with the same obligations the data exporter has under Applicable Data Protection Law in connection with the protection of Personal Data;
        1. The transfer shall be subject to the relevant Standard Contractual Clauses adopted under Applicable Data Protection Law or other lawful and valid transfer mechanism. The Standard Contractual Clauses shall be completed with the data exporter being the Exporter, the data importer the Importer and with the information set out in this DPA and the Agreement, and shall be deemed signed by the parties when this DPA is signed; and
        2. Each party shall, upon the other party's request, cooperate reasonably with the other in carrying out any assessment of such transfer that may be required under Applicable Data Protection Law.
    3. With respect to Personal Data (including Client Data) that is subject to Applicable Data Protection Law of the European Union (EU) and/or the United Kingdom (UK), such transfers shall be subject to the applicable Standard Contractual Clauses available here (as applicable):
      1. for Epsilon branded Services, here: https://legal.epsilon.com/eu/model-clauses
      2. for CJ branded Services, here: https://www.cj.com/legal/model-clauses
      3. for Lotame branded Services, here: https://www.lotame.com/wp-content/uploads/2024/12/2024.12_dpa-msa_GDPR-schedule_lotame.pdf
      4. for all other Services, here: https://sccsclients.publicisgroupe.com
    4. In the event that any provision of this DPA contradicts the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail, and any and all liability owed by Publicis or any of its Affiliates to Client under the Standard Contractual Clauses shall be limited to what is set out in the Agreement.
  10. Additional Requirements under Applicable Data Protection Law. The parties will adhere to the following terms if required under Applicable Data Protection Law:
    1. Suspension of Processing. If the Recipient determines it can no longer meet its obligations under Applicable Data Protection Law, it shall promptly notify the Disclosing Controller. Upon such notice, or if the Disclosing Controller identifies unauthorized use or non-compliance, the Disclosing Controller may require the Recipient to immediately cease Processing the Personal Data made available by Disclosing Controller.
    2. Deidentified Data. To the extent Recipient receives deidentified data (as defined by Applicable Data Protection Law) from Disclosing Controller, Recipient will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data.
  11. Processor Services. This Section shall apply only where Publicis is providing Services to Client that involves the Processing of Client Data by Publicis as a Processor.
    1. Client Instructions. Publicis will Process Client Data for the purposes of providing the Services as set out in the Agreement, and in accordance with Client's clear, documented instructions (email sufficient). Where required by Applicable Data Protection Law, Publicis will immediately inform Client if, in its opinion, an instruction from Client infringes Applicable Data Protection Law. Publicis is under no obligation to Process Client Data until the instructions are clarified to Publicis's satisfaction. Client assumes full liability under the Applicable Data Protection Law for the lawfulness of its instructions.
    2. Data Subject Requests. In the event that a lawful request referencing Client from a Data Subject seeking to exercise any right available to it under Applicable Data Protection Law is made directly to Publicis, Publicis shall not respond to such request directly without Client's prior authorization, unless required by applicable law. To the extent Client does not have direct access to Client Data through its use of the Services, and therefore does not have the ability to address such Data Subject request itself, Publicis shall, upon Client's request, provide commercially reasonable cooperation to assist Client to respond, to the extent required under Applicable Data Protection Law, and in accordance with any Data Subject request handling plan(s) mutually agreed upon by the parties (which may differ depending on the specific Services relevant to the request(s) at issue).
    3. Vendors. Client authorizes Publicis to use Vendors to assist in providing the Services. Depending on the governing laws of the Agreement, Publicis may act as an agent for a disclosed principal (Client) in its engagement of Vendors on Client's behalf. The terms of the Vendor's agreement will govern the Processing of Personal Data by and between Client and Vendor. Certain Vendors may offer options where Client can restrict the Vendor's Processing. Such options may impact the functionality of the Services and/or the Vendor's position under Applicable Data Protection Law. Client is solely responsible for evaluating such options and providing written instructions to Publicis (email sufficient) regarding its decision on such options. To the extent required by Applicable Data Protection Law, Publicis will, upon request, provide a list of the Vendors used to assist in providing the Services.
    4. Engagement of Sub-Processors. Client authorizes Publicis to use Sub-Processors to assist in providing the Services (including but not limited to Publicis Affiliates and their Sub-Processors). If required by Applicable Data Protection Law, Publicis shall inform the Client of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Client the opportunity to object to such changes. If the Client objects, the parties will negotiate a suitable solution in good faith. If required by Applicable Data Protection Law, Publicis will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that comply with the requirements of Applicable Data Protection Law (which for EU and UK must meet the standards of Art. 28 in the General Data Protection Regulation and/or the equivalent in the UK General Data Protection Regulation), and require the Sub-Processor to protect Client Data to the same standards provided for by this DPA, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for any acts or omissions of the Sub-Processor inconsistent with this DPA.
    5. Audit. Client acknowledges that Publicis is regularly audited against appropriate security standards. Upon request and provided that the parties have an effective non-disclosure or confidentiality agreement in place, Publicis shall supply a summary copy of its available audit report(s) to Client, which reports shall be subject to the confidentiality provisions of the Agreement. Publicis shall also respond to any reasonable written audit questions submitted to it by Client, provided that Client shall not exercise this right more than once per year. Notwithstanding anything to the contrary in the Agreement and except as otherwise mutually agreed in a writing signed by the authorized representatives of the parties that specifically references this Section, any audit related to data protection shall be governed solely and exclusively by this Section.
    6. Personal Data Breach. If Publicis has determined that a Personal Data Breach has occurred, Publicis will (1) notify Client of the Personal Data Breach without undue delay but no later than the timeframes set forth in Applicable Data Protection Law, and (2) promptly take appropriate measures to address the Personal Data Breach, including measures to mitigate any adverse effects resulting from the Personal Data Breach in accordance with its established procedures. Publicis' reporting of a Personal Data Breach in accordance with this section is not and will not be construed as an acknowledgement by Publicis of any fault or liability with respect to the Personal Data Breach. Publicis will cooperate with and provide reasonable assistance to Client by including in the notification such information about the Personal Data Breach as Publicis is able to disclose to enable Client to notify Regulators or Data Subjects (as applicable) of the Personal Data Breach as may be required under an Applicable Data Protection Law, taking into account the information available to Publicis, and any restrictions on disclosing the information related to the Personal Data Breach. Notification of Personal Data Breach will be delivered to the Client's Data Protection/Privacy Contact identified in the Agreement via email. Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breach.
    7. Deletion of Personal Data. Upon termination or expiration of the Agreement and this DPA, Publicis shall delete all Client Data in its possession or control. This requirement shall not apply to the extent Publicis is required by applicable laws to retain some or all Client Data and shall not apply to Client Data that Publicis has archived on back-up systems, which Publicis shall securely isolate and protect from any further Processing.
    8. Additional Processing Prohibitions. As required under Applicable Data Protection Law, Publicis will not: (i) sell or share (as defined by Applicable Data Protection Law) Client Data; (ii) retain, use, or disclose the Client Data (a) except as necessary to perform Client's business purpose, or (b) outside the direct business relationship between the parties; or (iii) combine the Client Data with other Personal Data that Publicis receives from or on behalf of a third party, or collects from its own interaction with a Data Subject, provided that Publicis may combine such information to perform any business purpose as defined under Applicable Data Protection Law. If Client instructs Publicis to combine or match the Client Data with Personal Data provided by a third party, Client represents and warrants that it maintains a data sharing agreement with such third party.
  12. Term and Survival. To the extent that Recipient continues to Process the Personal Data disclosed or made available by Disclosing Controller after the termination or expiration of the Agreement, the terms of this DPA survive such termination or expiration, and Recipient may continue to Process the Personal Data for the period identified in the description of Processing or Agreement, provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Laws.
  13. Entire Agreement. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered in connection with the Services, as such data processing agreement and terms relate to Personal Data within the scope of this DPA.
  14. Contracts (Rights of Third Parties) Act 1999. Without prejudice to the rights of any Data Subject, a person who is not a party to this DPA has no rights under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom or any other applicable law concerning privity of contract to enforce any term of this DPA.
  15. Choice of Law. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law set out in the Agreement.
  16. Jurisdiction. Each party irrevocably agrees that the courts set out in the Agreement shall have jurisdiction as set out in the Agreement to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

Schedule 1 Definitions

  1. Affiliate means any entity directly or indirectly Controlling, Controlled by, or under common Control with a party. Control means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of another entity (whether through the ownership of voting shares, by contract, or otherwise), the terms Controls and Controlled being construed accordingly.
  2. Applicable Data Protection Law means all laws or regulations relating to the protection of Personal Data Processed under the Agreement that are applicable to a party. For avoidance of doubt, such Applicable Data Protection Law shall only apply to a party that is subject to the territorial and/or other scope of such laws or regulations.
  3. Client Data means Personal Data Processed in connection with the Services that is: (a) made available or provided by Client (or a third party, including a Sub-Processor, on Client's behalf) to Publicis; or (b) collected by Publicis or a Sub-Processor on Client's behalf.
  4. Data Subject is a natural person or household that can be identified, directly or indirectly.
  5. Disclosing Controller means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and that discloses to or makes available (including digitally) Personal Data to a Recipient.
  6. Permitted Purpose(s) means the purpose(s) for which Recipient is authorized to Process the Personal Data disclosed or made available by the Disclosing Controller.
  7. Personal Data means any information relating to a Data Subject.
  8. Personal Data Breach means personal data breach, data breach, breach of security safeguards, data security breach, or any substantially similar term as defined under Applicable Data Protection Law.
  9. Process(ing) means any operation or set of operations performed on Personal Data.
  10. Recipient means a party that receives Personal Data from a Disclosing Controller.
  11. Regulator means a regulator, law enforcement, or other government authority which from time to time monitors and/or enforces compliance with any Applicable Data Protection Law.
  12. "Services" means the services supplied by Publicis to Client under the Agreement.
  13. Standard Contractual Clauses means (i) where Applicable Data Protection Law of the European Union (EU) applies, the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, (ii) where Applicable Data Protection Law of the United Kingdom (UK) applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, and (iii) standard contractual clauses (or similar measures as applicable) adopted by Regulators and/or under Applicable Data Protection Law to protect Personal Data when transferred outside the country of origin; each as amended from time to time.
  14. Sub-Processor means a Processor contracted by Publicis to assist in Processing Client Data as part of the Services provided directly by Publicis under the Agreement.
  15. Tags means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) embedded within an advert, digital property(ies) or server(s) that enables access to or storage of information on a device.
  16. Vendor shall mean a third party contracted by Publicis, on behalf of or for the benefit of Client, which Processes Personal Data.

Schedule 2 Tags and Digital Advertising by Publicis Affiliate (Epsilon/Lotame/ReTargetly)

  1. Without limiting each party's obligation to comply with the Applicable Data Protection Law to which it is subject (in accordance with the DPA), the Parties agree that they shall each fulfil the specific data protection compliance responsibilities related to Personal Data of residents outside of the United States described below:
    1. Client shall integrate all its digital properties where Publicis Tags are deployed to collect Personal Data with a consent management platform verified by the Interactive Advertising Bureau's Transparency and Consent Framework (TCF) and list (i) Epsilon and Epsilon d/b/a Lotame (as applicable to the Services) as a vendor and (ii) the Permitted Purposes.
    2. If Client does not use a TCF-verified consent management platform or if a TCF-verified consent management platform is not available in that market, Client must implement another mechanism to obtain visitor consent on digital properties where Publicis Tags are deployed. Such a mechanism must: (a) provide prominent notice to visitors of Publicis' Tags for the Permitted Purposes; (b) provide visitors a link to Epsilon's privacy notice; (c) display all necessary disclosures and obtain required consents before Tags are served; and (d) offer necessary opt-out mechanisms, all in accordance with Applicable Data Protection Law. Upon Publicis' request, Client must provide records evidencing these disclosures and consents.
    3. For any Personal Data Client collects and provides to Publicis Affiliate (other than Data collected by the Publicis' Tags), Client must: (a) collect the Personal Data fairly, lawfully, and in compliance with Applicable Data Protection Law; (b) provide Data Subjects with prominent notice at the point of collection that their Data will be processed by Publicis Affiliate, Epsilon, for Permitted Purposes, including a link to Epsilon's privacy notice; (c) offer Data Subjects the ability to opt out of such Processing; and (d) not disclose to Publicis any Data of subjects who have opted out.
  2. Client must maintain a clear and conspicuous link on all relevant digital properties to its privacy notice, which must include a link to the respective country Digital Advertising Alliance's opt-out page (e.g., Europe DAA, Canada DAA, US DAA).
  3. Upon request, Publicis will provide Client with information reasonably required about Publicis' Processing of Client Data (including use of Tags) so Client can ensure information is provided to Data Subjects as necessary.
  4. Publicis may provide Client with certain Personal Data regarding visitors to third party digital properties where adverts are served ("Metrics Data"). This includes device identifiers, cookie IDs, non-precise geolocation, date and time, browser/device information, and browsing behavior. Client will only Process Metrics Data to measure advertising performance.
  5. If Publicis, at Client's request, places Client's or a third-party (each such third party an Attribution Partner) tags in advertising served by Publicis Affiliate Epsilon, Client is solely responsible for the Attribution Partner. Client must ensure the Attribution Partner has the rights to Process any collected data (including Personal Data) for permitted uses: (a) attribution analysis, (b) click and impression tracking, (c) campaign measurement, (d) customization of creatives, or (e) another Publicis-approved purpose. Attribution Data cannot be used for retargeting or audience creation by Client, the Attribution Partner, or any other party. Client will indemnify and hold harmless Publicis and its Affiliates for any breach of these obligations by Client or the Attribution Partner.