AMENDMENT TO EXISTING AGREEMENTS
Epsilon to Client
United States Privacy Statutory Required Provisions
All Processing of Personal Data under any master agreements and statements of work, order forms, data processing agreements, and other procurement transaction documents (collectively, “Existing Agreements”) between Epsilon Data Management, LLC or its subsidiaries (each “Epsilon”) and your company (“You”) will be subject to the terms of this Amendment, as applicable, beginning January 1, 2023, and such Amendment terms (and attached Annexes) shall be incorporated into and made a part of the Existing Agreements. In the event of a conflict between the terms of this Amendment and the terms of the Existing Agreements, the terms of this Amendment will govern. Epsilon and You may be referred to herein collectively as the “parties” and each individually as a “party.”
- “Applicable Data Protection Law” means any and all laws or regulations of the United States of America relating to the protection of Personal Data to the extent they apply to the Personal Data Processed by a party as part of a specific Service pursuant to the Existing Agreements.
- “Controller” (including “business” as defined under Applicable Data Protection Law) means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Subject” is an identified or identifiable natural person who can be identified, directly or indirectly.
- “Personal Data” means any information relating to a Data Subject and includes “personal data,” “personal information,” “personally identifiable information,” and any substantially similar term as defined under Applicable Data Protection Law.
- “Processing” means any operation or set of operations performed on Personal Data.
- “Processor” (including “service provider” and/or “contractor” as defined under Applicable Data Protection Law) generally means a party that Processes Personal Data on behalf of a Controller and in accordance with the Controller’s instructions.
- "Services" means the services supplied by Epsilon to You under the Existing Agreements.
- “Sub-Processor” means a Processor engaged or contracted by Epsilon to Process Your Data in relation to the Services provided directly by Company.
- “Your Data” means Personal Data that (i) You provide or is provided by a third party on your behalf to Epsilon or that (ii) Epsilon collects or creates solely for your benefit, as part of the Services.
- “Business Purpose”, “Sale”, and “Share” have the meaning set forth in Applicable Data Protection Law.
The parties will comply with Applicable Data Protection Law. Neither party shall be responsible for the other party's compliance with Applicable Data Protection Law. In particular, each party Processing Personal Data as a Controller shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair and transparent, and shall make available to Data Subjects a privacy notice that fulfils the requirements of Applicable Data Protection Law.
Each party agrees that to the extent it is a recipient of deidentified data (as defined by Applicable Data Protection Law) from the other party, it will (i) take reasonable measures to ensure that such data cannot be associated with a consumer or household, (ii) maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data, unless otherwise mutually agreed by the parties in writing and approved by each party’s privacy counsel.
4 Obligations of the Recipient of Personal Data
If required by Applicable Data Protection Law, when a party that is a Controller of Personal Data (“Disclosing Controller”) either (1) discloses such Personal Data to or (2) allows the collection of such Personal Data from its digital properties (websites, mobile applications, online advertisements) by the other party (“Recipient”), the Recipient shall:
- Process the Personal Data solely in accordance with the description of Processing, including the specifics required by the template Annex A – Description of Processing, which may already be described in detail in the Existing Agreements or may otherwise be provided in the form of Annex A via email between the parties, or as otherwise permitted by Applicable Data Protection Law;
- comply with Applicable Data Protection Law and provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Law;
- implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Law which are at minimum such measures as identified in Annex B – Technical and Organizational Measures;
- upon the request of Disclosing Controller, provide an attestation confirming Recipient’s Processing of the Personal Data is consistent with Disclosing Controller’s obligations under Applicable Data Protection Law;
- within five (5) business days of making such a determination, notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Law related to Recipient’s Processing of the Personal Data; and
- if the Disclosing Controller authorizes the Recipient to collect Personal Data from a consumer through the Disclosing Controller’s digital properties (either on behalf of the Disclosing Controller or for the Recipient’s own purposes), Recipient shall check for and comply with a consumer’s opt-out preference signal unless informed by the Disclosing Controller that the consumer consented to the sale or sharing of their personal information.
- In the event that Recipient has failed to comply with these requirements, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.
5 Disclosing Controller Requirements
- Disclosing Controller will pass on the deletion and opt-out requests that Disclosing Controller receives from Data Subjects to Recipient related to the Personal Data disclosed to Recipient, as required by Applicable Data Protection Law.
- As applicable and when required by Applicable Data Protection Law, Disclosing Controller represents and warrants that it has obtained the affirmative opt-in consent from the Data Subject to Process, and to allow Recipient to Process, the Data Subject’s sensitive personal data (as defined by Applicable Data Protection Law) for the purposes identified in Annex A.
6 Controller (You) to Processor (EPSILON)
The following provisions apply where Epsilon Processes Your Data as a Processor.
- Controller Instructions; Details of Processing. Epsilon will Process Your Data only for the purposes of providing the Services in accordance with Your written instructions in the Existing Agreements, this Amendment, and Annex A – Description of Processing, which will comply with Applicable Data Protection Law.
- Confidentiality. Epsilon’s personnel and Sub-Processors shall be subject to an obligation to keep Your Data confidential.
- Return or Deletion of Personal Data. Upon termination or expiration of the Existing Agreements and this Amendment, Epsilon will delete Your Data in its possession or control. This requirement will not apply to the extent Epsilon is required by applicable laws to retain some or all of Your Data, or where Epsilon has archived Your Data on back-up systems which Epsilon securely isolates and protects from any further Processing.
- Cooperation. Upon Your request, Epsilon shall provide all such reasonable and timely assistance and information necessary to demonstrate that its Processing of Your Data complies with Applicable Data Protection Law.
- Assessment. Upon Your request, Epsilon will supply a summary copy of its available reports of its own independent audit assessing its policies and technical and organizational measures in support of its obligations under Applicable Data Protection Law that use an accepted control standard or framework (such as NIST, SOC2, ISO27001). Such reports will be subject to the confidentiality provisions of the Existing Agreements.
- Engagement of Sub-Processors. You authorize Epsilon to use Sub-Processors to assist in providing the Services. Epsilon will: (i) provide an up-to-date list of the Sub-Processors it has appointed upon Your written request; and (ii) notify You (for which email will suffice) of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving You the opportunity to object to such changes within five (5) business days of such notice, provided that such objection is based on reasonable grounds relating to data protection. Epsilon will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that require the Sub-Processor to protect Your Data to the same standards provided for by this Amendment, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for its compliance with the obligations of this Amendment and for any acts or omissions of the Sub-Processor consistent with this Amendment.
- Processing Prohibitions. Epsilon shall not (i) Sell or Share Your Data; (ii) Process Your Data outside Your direct business relationship with Epsilon; (iii) Process Your Data for any third party, unless expressly permitted by Applicable Data Protection Law; (iv) combine Your Data with Personal Data that Epsilon receives from or on behalf of another person or persons, or that Epsilon collects from its own interaction with a consumer, provided that Epsilon may combine such information to perform any Business Purpose as expressly permitted by Applicable Data Protection Law; or (v) Process Your Data for cross-contextual behavioral advertising (as defined by Applicable Data Protection Law). Where Epsilon engages a Vendor to provide cross-contextual behavioral advertising services for Your benefit, Epsilon does so as Your agent, and the Vendor’s processing of Your Data for cross-contextual advertising purposes is subject to the Vendor’s contract, not the Existing Agreements or this Amendment.
- Data Subject Requests. You will inform Epsilon of, and provide information necessary for Epsilon to comply with, any Data Subject request related to Your Data that is made pursuant to Applicable Data Protection Law and with which Epsilon must comply as a Processor Processing Your Data. In the event that a Data Subject request related to Your Data is made directly to Epsilon, Epsilon will not respond to such request directly, unless legally compelled to do so. To the extent You do not have direct access to Your Data through Your use of the Services, and therefore do not have the ability to address such Data Subject request Yourself, Epsilon shall, upon Your request, cooperate to assist You to respond, to the extent required under Applicable Data Protection Law.
Annex A – Description of Processing
1 Controller to Processor
Applicable Services: The following Description of Processing applies to any Epsilon service that is not classified as a “Controller Service”. Controller Services include: (a) Services that utilize the CORE ID, including but not limited to: PeopleCloud Discovery; PeopleCloud Prospect; PeopleCloud Digital Media Solutions (aka PeopleCloud Loyalty Digital Media Member Engagement Loyalty Module); Bridge; Signals; Agility IQ (aka PeopleCloud Messaging Content Personalization Module); Agility Events (aka PeopleCloud Messaging Site Behavior or PeopleCloud Loyalty Digital Messaging Triggers Modules); and Retail Media Network (CitrusAd); (b) CDP Identity Essentials and Digital Identity Essentials; (c) Services that involve the provision of Licensed Data, including but not limited to: Total Source Plus; TX Spend; Shopper’s View; Shoppers Voice; New Movers; Contact Complete; Attribute licensing; PMX Lift; Optimized audiences produced by PVE; Custom data set lists, such as linkage data; and (d) Abacus Cooperative (US/Canada).
Parties: Controller is Client, Processor is Epsilon
Instructions for Processing. Client’s instructions are contained in the Existing Agreements, which may include the Master Services Agreement and any statements of work or order forms.
Data Subjects. The Data to be processed concerns the following categories of Data Subjects: Client’s customers and any other consumer personal data that Client discloses to Epsilon
Purpose(s) of the Processing. The Data may be processed for the following purposes:
| Select (x) | Business Purposes that are “Permitted Purpose” |
| --- | --- |
|  | Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards |
|  | Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes. |
|  | Debugging to identify and repair errors that impair existing intended functionality |
|  | Short-term, transient use, including but not limited to non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business. |
|  | Performing services on behalf of the Controller, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Controller. |
| X (not PMX Lift) | Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, the Processor shall not combine the personal information of opted-out consumers which the Processor receives from or on behalf of the Controller with personal information which the Processor receives from or on behalf of another person or persons, or collects from its own interaction with consumers |
|  | Undertaking internal research for technological development and demonstration |
|  | Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the Controller, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the Controller |
| PMX Lift only | Performing services on behalf of the Controller, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Controller. Specifically, Epsilon will be hosting a matching table between the Client-provided identifiers and Epsilon identifiers |
Categories of Personal Data. The Data to be processed concern the following categories of Personal Data:
Duration of the Processing. The Data will be processed solely during the Term of the Existing Agreement
2 Disclosing Controller to Recipient Controller – CORE ID Services
Applicable Services. This description of processing applies to Epsilon’s Services that utilize the CORE ID, including but not limited to: PeopleCloud Discovery; PeopleCloud Prospect; PeopleCloud Digital Media Solutions (aka PeopleCloud Loyalty Digital Media Member Engagement Loyalty Module); Bridge; Signals; Agility IQ (aka PeopleCloud Messaging Content Personalization Module); Agility Events (aka PeopleCloud Messaging Site Behavior or PeopleCloud Loyalty Digital Messaging Triggers Modules); and Retail Media Network (CitrusAd). This information only applies if one of these services is listed on an active Agreement (SOW or order) between Client and Epsilon.
Parties
Disclosing Controller is Client
Recipient Controller is Epsilon
Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
Client’s customers
Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
Purpose(s) of the Processing
The Data may be processed for the following purposes:
Cross-context behavioral advertising (aka targeted advertising or interest-based advertising).
If elected by Client to upgrade to full Core Identity, identity resolution.
Categories of Personal Data
The Data to be processed concerns the following categories of Personal Data. As part of the services, Client will disclose commercial or transactions information, but Epsilon will not use this category of personal data as a Controller.
Duration of the Processing
The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement.
3 Disclosing Controller to Recipient Controller – Ad Logs
Applicable Services. PMX Lift
Parties
Disclosing Controller is Client
Recipient Controller is Epsilon
Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
Client’s customers
Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
Purpose(s) of the Processing
The Data may be processed for the following purposes:
Media Measurement
Categories of Personal Data
The Data to be processed concerns the following categories of Personal Data. As part of the services, Client will disclose commercial or transactions information, but Epsilon will not use this category of personal data as a Controller.
| Select (x) | Category |
| --- | --- |
| x | Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers. |
| x | Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement |
4 Disclosing Controller to Recipient Controller – Identity services
Applicable Services. This description of processing applies to Epsilon’s CDP Identity Essentials and Digital Identity Essentials. This information only applies if one of these services is listed on an active Agreement (SOW or order) between Client and Epsilon.
Parties
Disclosing Controller is Client
Recipient Controller is Epsilon
Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
Client’s customers
Applicable to Digital Identity only: Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
Purpose(s) of the Processing
The Data may be processed for the following purposes:
Identity resolution.
Categories of Personal Data
The Data to be processed concerns the following categories of Personal Data. As part of the services, Client will disclose commercial or transactions information, but Epsilon will not use this category of personal data as a Controller.
| Select (x) | Category |
| --- | --- |
| x | Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers. |
| x | Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement |
Duration of the Processing
The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement.
5 Disclosing Controller to Recipient Controller – EPSILON DATA
Applicable Services. This description of processing applies to Epsilon Services that involve the provision of personal data from Epsilon to Client, including but not limited to: Total Source Plus; TX Spend; Shopper’s View; Shoppers Voice; New Movers; Contact Complete; PMX Lift; Attribute licensing; Optimized audiences produced by PVE; Custom data set list, Epsilon data assets & third party data assets provided by Epsilon that are in PeopleCloud Discovery & Prospect. This information only applies if one of these services is listed on an active Agreement (SOW or order) between Client and Epsilon.
Parties
Disclosing Controller is Epsilon
Recipient Controller is Client
Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
Consumers
Purpose(s) of the Processing
The Data may be processed for the following purposes:
Advertising and Marketing
Cross-context behavioral advertising (aka Targeted Advertising or Interest Based Advertising)
Categories of Personal Data
The Data to be processed concerns the following categories of Personal Data and depends on the data set provided by Epsilon (e.g. (i) TX Spend includes offline commercial or transaction information; (ii) contextual online labels are only available in Prospect & Discovery; (iv) Total Source Plus includes only offline data, not online data).
Duration of the Processing
Personal Data will be Processed only for the term of the Agreement.
6 Disclosing Controller to Recipient Controller – ABACUS COOPERATIVE (US/CANADA)
Applicable Services. This description of processing applies to the Abacus Cooperative. This information only applies if one of these services is listed on an active Agreement (SOW or order) between Client and Epsilon.
Parties
Disclosing Controller is Client & Epsilon
Recipient Controller is Epsilon & Client
Data Subjects
The Data to be processed concerns the following categories of Data Subjects (please specify):
Client’s customers
Other cooperative members’ customers
Purpose(s) of the Processing
The Data may be processed for the following purposes:
Advertising and Marketing (does not include cross-context behavioral advertising)
Categories of Personal Data
The Data to be processed concern the following categories of Personal Data:
Annex B – Technical and Organizational Measures
Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements.
1 Security policies and procedures: Recipient shall maintain a management-approved, documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risks and manage them through adequate security controls or safeguards.
2 Confidentiality, Integrity and Availability: Recipient shall maintain the confidentiality, integrity and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process or transmit such data and deploying adequate technical and organizational measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.
3 Vulnerability management: Wherever applicable, Recipient must ensure that any software component (such as code or an API) provided to Recipient is free from any security vulnerabilities or issues and ensure the security of data processed using such component.
4 Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
5 Incident Handling: In the event of a confirmed personal data breach (as defined by Applicable Data Protection Law), Recipient must inform the Disclosing Controller about any impact to its Personal Data without undue delay and designate a security point of contact (POC) to interact and notify the Disclosing Controller on security matters.
6 Notification obligation: Any operational change that impacts the security of the Disclosing Controller’s Personal Data and confidential information or systems that handle such data must be notified to the Disclosing Controller without undue delay.
7 Secure destruction of data: At the end of the Existing Agreements or as otherwise in accordance with Annex A – Description of Processing, on Disclosing Controller’s request, the Recipient must destroy all Personal Data disclosed or authorized to be collected by the Disclosing Controller in a secure manner that renders the Personal Data unreadable and unrecoverable. If the Personal Data cannot be deleted, the Personal Data must be archived and protected from unauthorized access, modification, and disclosure until securely deleted. The Disclosing Controller at its discretion may request a data destruction certification that includes the method of data destruction used.
8 Security risk management program relating to Third Parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
9 Encryption: To the extent the Personal Data disclosed by the Disclosing Controller includes sensitive data (as defined by Applicable Data Protection Laws), Recipient will ensure that such Personal Data is encrypted at rest and in transit.