Global Data Provider Data Processing Agreement

By accepting this Global Data Provider Data Processing Agreement (“DPA”), through execution of a statement of work, order, license, or partnership agreement referencing this DPA or through other means, Data Provider agrees to the terms of this DPA. This DPA is entered into by and between your company (“Data Provider”) and the Publicis Groupe affiliate entity ("Publicis") that is party to any written agreement, statements of work, orders, partnerships, or licenses (collectively, the “Agreement”) for the provision of services and Data from Data Provider to Publicis. Data Provider and Publicis may individually be referred to as a "Party" and jointly as the "Parties".

The Parties have entered into the Agreement under which the Data Provider has made available certain Personal Data to Publicis for the purposes described in the Agreement. This DPA clarifies each Party's role and obligations under Applicable Data Protection Law. In consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. Interpretation. This DPA is intended to supplement or replace the Agreement in relation to the Parties’ data protection obligations. This DPA replaces: (i) any existing data processing agreement the Parties may have previously entered into in connection with the Data and (ii) any conflicting data protection and security terms in the body of the Agreement; in each case as such data processing agreement and terms relate to Personal Data within the scope of this DPA. Upon execution, this DPA is incorporated into and deemed a part of the Agreement. In the event of a conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail insofar as it concerns the Processing of Personal Data.
2. Definitions. All capitalized terms used and not expressly defined in this DPA have the meanings given to them in Applicable Data Protection Law or the Agreement. In this DPA, the following terms have the following meanings:
   1. “Applicable Data Protection Law” means any laws and regulations relating to the protection of Personal Data Processed under the Agreement that are applicable to a party based upon the territorial and other applicable scope of such laws or regulations, and only to the extent such Personal Data is subject to those laws or regulations;
   2. “Controller” means a Party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and also includes the meanings given to cognate terms under Applicable Data Protection Law;
   3. “Data” means the Personal Data that Data Provider Processes as a Controller and licenses or otherwise makes available to Publicis pursuant to the Agreement. The categories of the Personal Data and categories of the Data Subjects included within the Data is identified in the Agreement.
   4. “Data Collector” means the Party or third party that collected the Personal Data directly from the Data Subject;
   5. “Data Subject” means a natural person or household that can be identified, directly or indirectly;
   6. “Deidentified Data” means data that cannot be reasonably linked to a Data Subject or their device;
   7. “Permitted Purpose(s)” means one or more of the following purposes as described in the Agreement:
      1. use limited data to select advertising and/or content;
      2. create profiles for personalised advertising and/or content;
      3. use profiles to select personalised advertising/and or content;
      4. measure advertising and/or content performance;
      5. understand audiences through statistics or combinations of data from different sources;
      6. develop and improve services;
      7. ensure security, prevent and detect fraud, and fix errors;
      8. deliver and present advertising and content;
      9. save and communicate privacy choices;
      10. match and combine data from other data source, link different devices, and identify devices for personalized advertising (identity);
      11. sale of the Data (or a modified form of the Data) to third parties for the third parties’ targeted advertising, marketing, or internal analytics purposes;
      12. analytics and insights for advertising and marketing strategy; and
      13. training of artificial intelligence models.
   8. “Personal Data” means any information relating to a Data Subject;
   9. “Process(ing)” means any operation or set of operations performed on Personal Data.
   10. “Processor” means a party that Processes Personal Data on behalf of a Controller and in accordance with the Controller’s instructions, and also includes the meanings given to cognate terms under Applicable Data Protection Law;
   11. “Restricted Transfer” means a transfer of Personal Data protected by a specific jurisdiction's Applicable Data Protection Law to a recipient in a third country (or territory) where such transfer is not permitted under that Applicable Data Protection Law in the absence of additional safeguards, including because such third country (or territory) is not subject to a formal adequacy decision or other legally recognised transfer mechanism under that law.
   12. “Standard Contractual Clauses” means standard contractual clauses adopted by the relevant data protection authority(ies)/regulator(s) for international transfer(s) of Personal Data to a country that is not deemed adequate under Applicable Data Protection Laws, including but not limited to (i) where the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”) applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”) applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where Applicable Data Protection Laws of Latin American countries apply, the contractual clauses issued by the Red Iberoamericana de Protección de Datos (RIPD) and/or by the Brazilian Data Protection Agency (ANPD) under Resolution CP/ANPD No. 19 of 23 August 2024 (Regulation on International Data Transfers). Outside of (i), (ii) and (iii) above, the phrase shall mean standard contractual clauses (or similar contractual measures as applicable) adopted by the relevant data protection authority(ies)/regulator(s) under Applicable Data Protection Law to protect Personal Data when it is transferred from the country or territory in which it originated, to a country or territory overseas.
3. Compliance with applicable law. Each Party shall comply with its obligations under Applicable Data Protection Law and this DPA when processing the Data. Data Provider and Publicis shall be individually responsible for ensuring that its Processing of the Data is lawful, fair and transparent, and shall make available to Data Subjects a privacy notice and Data Subject rights that fulfil the requirements of Applicable Data Protection Law.
4. Relationship of the Parties. The Parties shall Process the Personal Data in their possession or control as independent Controllers. Publicis, and any third-party to whom Publicis discloses the Data to, shall Process the Data solely in accordance with the Permitted Purposes as described in the Agreement. If Publicis, or the third-party to whom Publicis discloses the Data to, wishes to process the Data for a new or different purpose other than the Permitted Purpose (an “Alternative Purpose”), it may do so provided it first takes all steps necessary to ensure that such Processing of the Data for the Alternative Purpose complies with Applicable Data Protection Law (such as, obtaining any consents from Data Subjects, where necessary). Provided such requirements are met, the Alternative Purpose shall be deemed a Permitted Purpose. Publicis will Process the Data for as long as is necessary for the Permitted Purposes, unless otherwise agreed in the Agreement, or as needed to comply with another legal obligation.
5. Transparency and Consent. Data Provider represents and warrants:
   1. Prior to sharing the Data with Publicis and/or permitting Publicis to collect the Data, that it has obtained, processed, and disclosed the Data fairly and lawfully and in accordance with Applicable Data Protection Law, including by providing all required notices and obtaining any required consents or other lawful bases (including for Data collected or inferred), and, where applicable, approvals from the relevant data protection authority(ies)/regulator(s), and that it has all rights necessary to permit both its own Processing of the Data and Publicis’s Processing of the Data for the Permitted Purposes;
   2. Where express consent is required to Process the Data for the Permitted Purposes, and/or where mandated by notice requirements under Applicable Data Protection Law:
   3. Data Provider will include a link to Publicis’s privacy policy in its privacy notice to Data Subjects;
   4. Upon Publicis’s request, Data Provider will provide Publicis with documentation that should include factual and exhaustive evidence of (i) the consent mechanisms and processes used for all relevant data collection and (ii) the obtainment of each Data Subjects’ valid consent including but not limited to the data collection forms, information notices, designs, interfaces, screenshots, consent log, timestamping and (iii) its reviews of the foregoing at an appropriate frequency, in compliance with Applicable Data Protection Law;
   5. Data Provider offers Data Subjects the right to object, withdraw consent, and prevent the disclosure of their Personal Data for the Permitted Purposes;
   6. Data Provider will not make available any Personal Data relating to Data Subjects that have exercised rights that bar the provision of Personal Data to Publicis and/or the Processing for the Permitted Purposes; and
   7. Data Provider will pass on the deletion, revocation of consent, and opt-out requests that Data Provider receives from Data Subjects to Publicis, as required by Applicable Data Protection Law.
6. Minors’ Data. Data Provider will not provide Personal Data to Publicis that is collected from or about a Data Subject who is under eighteen (18) years of age.
7. Accuracy. Data Provider represents and warrants that the Data is current and accurate at the time of disclosure to Publicis.
8. Data Collector. If the Data Collector is not the Data Provider, Data Provider has obtained contractual representations and warranties from the Data Collector substantially similar with Data Provider’s obligations in Clauses 5, 6, and 7.
9. International transfers
   1. Each Party shall only transfer the Data (or permit the Data to be transferred) outside its country or territory of origin, if it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law, which may include, without limitation, the execution of the Standard Contractual Clauses approved by the relevant data protection authority(ies)/regulator(s).
   2. To the extent that Data Provider’s disclosure of the Data to Publicis is a Restricted Transfer from the European Economic Area or the United Kingdom, and/or where the Applicable Data Protection Law requires the application of the EU SCCs, whether directly or by functional or legal equivalence, such Restricted Transfer shall be subject to the Data Transfer Addendum available here: https://legal.epsilon.com/eu/model-clauses/
   3. If the Data Provider’s disclosure of Data to Publicis constitutes any other Restricted Transfer, the Standard Contractual Clauses approved by the relevant data protection authority(ies)/regulator(s) shall apply. The competent supervisory authority shall be the competent data protection authority/regulator in the country or territory as determined by Applicable Data Protection Law. Those Standard Contractual Clauses shall be completed by inserting the information set forth in this DPA and the Agreement, incorporated into and form part of this DPA by reference, with the Data Provider being the “Exporter”, and Publicis being the “Importer”. If the relevant Standard Contractual Clauses are amended under Applicable Data Protection Law, the parties agree to re-negotiate these in good faith. The Standard Contractual Clauses shall be deemed executed by the Parties upon execution of this DPA. Each Party shall, upon the other Party’s reasonable request, provide reasonable cooperation and assistance in conducting any assessment of the transfer that may be required under the Applicable Data Protection Laws.
10. Correspondence. If a Party receives any written or oral request, inquiry, correspondence, or complaint (“Correspondence”) that directly refers to the other Party and that relates to the Processing of the Data , including (i) a request from a Data Subject to exercise rights under Applicable Data Protection Law, or (ii) any other Correspondence from a Data Subject, regulator, or other third party, the receiving Party shall promptly notify the other Party. The Parties shall cooperate in good faith as reasonably necessary to respond to the Correspondence and to meet their respective obligations under Applicable Data Protection Law.
11. Deidentified Data. Each Party agrees that to the extent it is a recipient of Deidentified Data from the other Party, it will not reidentify such data, unless otherwise mutually agreed by the Parties in writing and approved by each Party’s privacy counsel.
12. Indemnification. Each Party (the “Indemnitor”) shall indemnify, defend, and hold the other Party (the “Indemnitee”) harmless from any third party claims and resulting loss, cost, damages, and expenses incurred by the Indemnitee that arises from the Indemnitor’s breach of its obligations under this DPA or failure to comply with Applicable Data Protection Law.
13. Notices. Notices related to data protection or privacy matters shall be sent to Publicis at privacyofficer@publicisgroupe.com and to Data Provider at the email address listed in the Agreement. Publicis’s Data Protection Officer varies by market and will be supplied upon request. Within thirty (30) days of execution of the Agreement, Data Provider will email Publicis at privacyofficer@publicisgroupe.com with the name and contact information of its Data Protection Officer(s) and/or privacy contacts.
14. Term and Termination.
    1. This DPA remains in effect until the later of (i) the termination or expiration of all Agreements into which it is incorporated, and (ii) Publicis has ceased Processing the Data. The termination or expiration of the Agreement or this DPA for any reason shall not release either Party from any liabilities or obligations set forth in this DPA that (i) the Parties have expressly agreed shall survive any such termination or expiration, or (ii) by their nature would be intended to be applicable following any such termination or expiration.
    2. The Parties will assess the ongoing effectiveness of this DPA periodically and upon any change in applicable law, circumstances, or the rationale for this DPA. Depending on their assessment of this DPA's effectiveness, the Parties shall negotiate in good faith revisions to any provisions of this DPA that need to be changed as a result of such changes.