Publishers and Marketers Authenticated Traffic Solution Country-Specific Terms

Subject to the terms of your Authenticated Traffic Solution for Publishers Statement of Work or Authenticated Traffic Solution for Marketers Statement of Work respectively, (“SOW”) and provided the LiveRamp privacy team has approved the distribution of data from each of the Approved Geographies below for publishers or marketers, you may transfer Partner Data from the following Approved Geographies (as defined in the respective SOW) in the Approved Geographies. Unless otherwise defined in these terms, all capitalized terms used herein shall have the meanings given to them in the SOW or your Agreement.

LiveRamp may, in its sole discretion, change these terms, from time to time, and will provide notice to you in the event of a material change in the terms. You must monitor your compliance with these terms on a regular basis. If, at any time, you cannot meet these terms or if there is a significant risk that you will not be able to meet them, you must immediately notify us by sending an email to dataethics@liveramp.com and take reasonable and appropriate steps to restore an adequate level of protection, and in case of publishers or marketers, immediately stop collecting and sharing Partner Data.

For the purpose of this country – specific terms:

“Partner” shall mean either Publisher or Marketer, as applicable.

“Partner Data” shall mean either Publisher Data or Marketer Data, as applicable.

COUNTRY/MARKET SELECTION

• North America
  • USA
  • Canada
• LATAM
  • Argentina
  • Brazil
  • Mexico
• Europe
  • Austria
  • Belgium
  • Denmark
  • France
  • Germany
  • Ireland
  • Italy
  • The Netherlands
  • Norway
  • Poland
  • Romania
  • Spain
  • Sweden
  • Switzerland
  • United Kingdom
• APAC
  • Australia
  • New Zealand
  • Japan
  • Singapore
  • Taiwan
  • Hong Kong Special Administrative Region
  • The Republic of Indonesia
• Middle East and North Africa
  • UAE

To the extent that the Partner Data provided by Partner comprises information that is considered personal data as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants that it will: (a) comply with all applicable privacy, data security, and data protection laws, regulations, and rules, including but not limited to the Privacy Laws; and b) notify their users of the purpose of use of personal ID (i.e., individual identifiers, cookie ID, mobile ID, such as an AAID or IDFA, etc.) and any associated personal data; c) obtain explicit consent regarding its collection, use, and sharing of Personal Information as required under Privacy Laws, including through inclusion of a prominent link to its privacy policy and/or description of data collection and usage practices at the time and location of collection and through notice that Personal Information may be transferred overseas.

United States

Each Party represents, warrants and undertakes to the other that, throughout the term of the services, it shall comply with all applicable Data Protection Laws in addition to its contractual obligations as set forth herein and in the agreement. Neither Party shall instruct the other to take any action that would violate Data Protection Law. A Party shall promptly notify the other if, in its opinion, any instructions from the other Party violate this Section, or if it can no longer comply with its obligations under this Section. The Parties shall reasonably assist each other in meeting their respective obligations under Data Protection Laws. Both parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

Partner Responsibilities.

• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the sharing of the Personal Data.
• Partner warrants that it collects the Partner Personal Data in accordance with applicable Data Protection Laws and it shall maintain documentation to evidence such compliance.
• Partner warrants that the provision of the Partner Personal Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate any applicable Data Protection Laws, or any agreements between Partner and any third parties.
• In addition to any restrictions set forth in the applicable SOW, Partner shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, data defined as sensitive under applicable privacy laws or data collected from a website or mobile application directed at children (“Prohibited Data”). If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems.
• Partner agrees that it shall be responsible for dealing with and responding to all rights requests made by data subjects under applicable privacy laws which relate to the processing activities which are the subject of the Agreement, including requests to access, delete, or opt out of the collection, use, or disclosure of personal data pertaining to them. Where necessary and required by law, LiveRamp shall promptly and in good faith take such actions and provide such information and assistance as Partner may reasonably request to enable Partner to honor requests of individuals to exercise their rights under applicable privacy laws.
• Partner acknowledges that certain Services may result in disclosure of Personal Data to Partner or a third party on Partner’s behalf (e.g., third-party audiences, custom identifiers, cookies data, mobile identifiers, RampIDs, AbiliTec IDs, or other personal identifiers) by matching to or creating data from Partner Personal Data or providing data directly from another party. In such cases, Partner shall: (i) use the Personal Data only for the permitted Purposes; (ii) ensure that Partner’s use of the Personal Data is consistent with this Section and in compliance with Data Protection Laws; and (iii) upon request, provide LiveRamp with an accurate description of its use of the Personal Data, and certify to LiveRamp its use of the Personal Data complies with the Agreement, this Section, the SOW, and Data Protection Laws.

LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Partner Data including Personal Data processed in connection with ATS:

• Not authorize any third party to, process, retain, use, sell, transfer, disclose, or otherwise share Partner Personal Data for any Purposes other than for the specific purpose of performing the Services. LiveRamp shall not combine Partner Personal Data with Personal Data that it receives from another source. LiveRamp may, however, disclose the Personal Information to its own processors and service providers where LiveRamp has carried out adequate due diligence on each such service provider and included obligations in the contract between LiveRamp and such service provider that are equivalent to those to which LiveRamp has agreed.
• Process Partner Personal Data only following the written instructions of Partner and shall not process it for any other purposes, unless required to do so by applicable laws.
• Inform the controller if, in its opinion, an instruction related to the processing of Partner Personal Data violates Data Protection Laws or if it comes to LiveRamp’s knowledge that conditions of Partner’s data collection in the context of ATS infringes upon Data Protection Laws.
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Partner Data are obliged to keep the Partner Personal Data confidential.
• Provide reasonably requested information regarding the Services to enable Partner to demonstrate compliance with Data Protection Laws and to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Partner does not otherwise have access to the relevant information.
• Insofar as reasonably practicable, shall assist Partner in meeting its obligations related to the security of processing Personal Data and notification of Security Incidents. If LiveRamp becomes aware of a Security Incident involving Partner Personal Data, LiveRamp shall notify Partner without undue delay, and in any event, within seventy two (72) hours upon becoming aware of such Security Incident. LiveRamp shall promptly take reasonable steps to contain, investigate, and mitigate any such Security Incident.
• Process the Partner Personal Data continuously and until deletion of all Partner Personal Data, and at Partner’s written direction, delete Partner Personal Data and any copies still in its possession upon termination of the Agreement or SOW unless required by applicable laws to store Partner Personal Data.
• Maintain complete and accurate records and information to demonstrate its compliance with this Section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, such auditor shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations.
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.
• LiveRamp is authorized to engage its Affiliates and the entities listed at https://liveramp.com/legal/subprocessors (for US Personal Data), as sub-processors. LiveRamp shall enter into a written agreement with each sub-processor imposing the same obligations under the Agreement to the extent applicable to the nature of the services provided by such sub-processor. Sub-processors must use industry standard security measures designed to protect against a security incident, including appropriate organizational, contractual, technological, and managerial safeguards. LiveRamp shall remain fully responsible to Partner for the performance of the sub-processor’s obligations. Any person who is authorized to access Partner Personal Data (including staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). In advance of any proposed changes to its sub-processors, LiveRamp shall inform Partner in writing via a web-based subscription method for email notification accessible here: https://liveramp.com/legal/subprocessors. Partner shall subscribe to such notifications. Partner has fourteen (14) days from receipt of notification (“Objection Period”) to object to a new sub-processor. Any objection must be provided to LiveRamp in writing and state the grounds on which the objection is based. Partner may not unreasonably withhold the approval of a Sub-processor. If it can be reasonably demonstrated to LiveRamp that the new sub-processor is unable to process Integration Data in compliance with the terms of this Agreement and LiveRamp cannot provide an alternative sub-processor, or if the parties are not otherwise able to achieve resolution, Partner, as its sole and exclusive remedy, may provide written notice to LiveRamp terminating the relevant.

Description of the Processing

• Nature and Purpose of the processing of Personal Data
  • Description of the purpose:
    • Provision by LiveRamp to Partner of the Authenticated Traffic Solution consisting in the use of an API which allows Partner to pass user email, phone number or other offline identifiers to LiveRamp, which will return an encrypted LiveRamp ID envelope that can be read and decrypted by RampID enabled supply side platforms, which will embed into the Partner’s first party storage. Hashed email addresses, ARLs (Anonymous Representation Links), RampID envelopes, Cookie IDs and TCF consent string are processed for identifier generation and identity resolution primarily for digital ad targeting and measurement services by Partners. Metadata are processed for fraud prevention, debugging and quality checking.
    • If ATS Analytics is selected, Provision by LiveRamp to Partner of analytics reports related to their use of the Authenticated Traffic Solution by using Partner Analytics Data.
    • If Google PAIR is selected, Provision by LiveRamp to Partner of Google PAIR Integrations. LiveRamp shall store the Integration Data to translate into and store a Publisher specific RampID and a Google PAIR IDs within the environment mutually agreed to be the parties for purposes of facilitating the Google Pair Integration.
  • Description of nature:
    • LiveRamp will perform Processing as needed for the Purpose and to comply with Partner’s Processing instructions as provided in accordance with the Agreement, SOW, and this Section.

• Data Subjects
  
  • Users of the Partner’s websites

• Types of personal data processed‍
  
  • Hashed email addresses, ARLs, RampID envelope (hashed email addresses and/or phone numbers as applicable, converted into user identifiers), Metadata, Cookie IDs.
  • If ATS Analytics is selected, Presence of RampID Envelope, bidder name, bid ID, auction ID, user browser, user platform/OS, timestamp(s), domain, Partner’s placement ID, currency, cost per mille, and net revenue
  • If Google PAIR is selected, Integration Data: email hashed in a one way format and encrypted before being sent to LiveRamp to be translated into Publisher RampIDs and Google Pair IDs.

• Deletion of Personal Data‍
  
  • Hashed email and/or phone number is immediately deleted after the RampID envelope is generated.
  • RampID envelopes expire after thirty (30) days post-generation.
  • Metadata is retained for up to 90 days.
  • For Purposes of ATS Analytics, Partner Analytics Data shall be deleted within thirty (30) days. Aggregate reports based on Analytics Data are retained by LiveRamp for up to one (1) year.
  • For purposes of Google PAIR, Integration Data shall be deleted as soon as the Partner RampID is generated. Publisher RampIDs and Google Pair IDs shall be deleted at the term of the SOW.

ARGENTINA

1. General provisions.

For the purposes of this section, “Argentinian Data Protection Law” means all applicable Argentinian laws relating to data protection and privacy including (without limitation) (without limitation) Personal Data Protection Law No. 25,326 (“PDPL”),the Decree No. 1558/2001 and its related regulations issued by the enforcement local authority (Agencia de Acceso a la Información Pública and Direccón Nacional de Protección de Datos Personales), as well as any other applicable laws and regulations relating to data protection and privacy as implemented, and all amendments to or replacements of the above legislation.

Each party represents, warrants and undertakes to the other that, throughout the term of this SOW, it shall comply with all applicable Data Protection Laws in addition to its contractual obligations as set forth herein.

2. Specific terms for ATS

To the extent that Partner Data provided by you comprises information that is considered personal data as defined by applicable Argentinian Data Protection Law (“ Argentinian Personal Information”), then in relation to such data Partner warrants and agrees that:

• The Data Ethics Review described in the SOW shall take into account rules set out in Data Protection Law and Partner shall make available to LiveRamp all information necessary to allow such Data Ethics Review and contribute to reasonable further reviews conducted by LiveRamp;
• The provision of the Partner Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate Argentinian Data Protection Law, or any agreements between Partner and any third parties;
• Partner will provide a valid notification to the data subjects of the Partner Data, in accordance with Section 6 of the PDPL, which explains (with the necessary level of detail) the sharing of the Partner Data with LiveRamp (naming LiveRamp and linking to the LiveRamp privacy policy), the creation of the envelope, the combination or matching of data, that the envelope is associated with the Partner’s first party storage, and that the first party storage and envelope is used for the purpose of targeted advertising;
• It will obtain the valid consent of the data subjects of the Partner Data (in accordance with the Section 6 of the PDPL) for LiveRamp and Partner’s processing activities and purposes specified in the SOW;
• It will keep records that demonstrate that the Partner has obtained such valid consents, which it shall make available to LiveRamp upon written request; and
• In addition to any Prohibited Data restrictions set forth in your Agreement, it shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, any special categories of data as defined by the Argentinian regulator. If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems.

In accordance with the SOW, upon termination of the SOW LiveRamp shall not be required to destroy or cease use of any metadata collected at the same as Partner Data but LiveRamp shall use such metadata in compliance with statistical and research & development exceptions to the extent it is applicable. Such metadata may be transferred to LiveRamp Inc. in the USA: Partner agrees that such transfer will be covered by the “Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios” published by the Argentinian government in the Disposición 60 – E/2016 (the “Argentinian SCCs”) which are hereby incorporated by reference to the agreement between the Parties. For the purpose of such Argentinian SCCs, Partner shall be considered the data exporter and LiveRamp Inc. the data importer.

Partner agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under Argentinian Data Protection Law which relate to the processing activities which are the subject of the SOW. In the event that LiveRamp receives a data subject request which relates specifically to Partner’s deployment of the Authenticated Traffic Solution, it shall forward that request to Partner without undue delay.

3. Specific terms for ATS Analytics Services

a. Definition. For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.

b. Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

c. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Where LiveRamp is relying on applicable laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Analytics Data

BRAZIL

1. General provisions.

For the purposes of this section, “Brazilian Data Protection Law” means all applicable Brazilian laws relating to data protection and privacy including (without limitation) Brazilian Law No. 13709/18 (“LGPD”), as well as any other applicable laws, regulations or enforceable guidance from relevant regulators relating to the protection of Personal Data, and  Brazilian Law No. 12965/14; as implemented, and all amendments to or replacements of the above legislation.

Each party represents, warrants and undertakes to the other that, throughout the term of the SOW, it shall comply with all applicable Data Protection Laws in addition to its contractual obligations as set forth herein.

2. Specific terms for ATS

a. Privacy and Fair Processing. To the extent that Partner Data provided by you comprise information that is considered personal data as defined by applicable Brazilian Data Protection Law (“Brazilian Personal Information”), then in relation to such data Partner agree as follows:

• The parties acknowledge that for the purposes of Brazilian Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller.
• Partner warrants that it has collected the Partner Data processed by LiveRamp in accordance with Brazilian Data Protection Laws, including that it has (i) the right lawful basis, (ii) all necessary appropriate notices in place and (iii) Partner shall ensure that it has all necessary appropriate consents and/or notices in place to enable the sharing of the Brazilian Personal Information, to the extent required by Brazilian Data Protection Laws.
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the Brazilian Data Protection Law.
• Data transfers. Where the Services require the transfer of Partner Data to another country, Partner agrees that such transfer will be covered by Standard Contractual Clauses.

b. Partner Responsibilities. Partner warrants and agrees that:

• Partner warrants that it collects the Partner Data in accordance with Brazilian Data Protection Laws and it shall maintain documentation to evidence such compliance.
• The provision of the Partner Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate Brazilian Data Protection Law, or any agreements between Partner and any third parties;
• In addition to any restrictions set forth in Partner’s SOW, it shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, any sensitive data as provided for under Article 5, II of LGPD (“Prohibited Data”). If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems. Partner further agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under Brazilian Data Protection Law which relate to the processing activities which are the subject of the SOW. In the event that LiveRamp receives a data subject request which relates specifically to Partner’s deployment of LiveRamp’s products, it shall forward that request to Partner without undue delay. Partner will have to respond to data subject requests in accordance with Brazilian Data Protection Law.

c. LiveRamp Responsibilities. LiveRamp shall, as Data Processor and, in relation to any Partner Data including Personal Data processed in connection with ATS:

• Process Partner Data only following the written instructions of the Partner and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Inform the Data Controller if, in its opinion, an instruction related to the processing of Partner Data or if it comes to its knowledge that conditions of Partner data collection in the context of ATS infringes Brazilian Data Protection Law.
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Partner Data are obliged to keep the Partner Data confidential;
• Assist Partner, at this latter’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under Brazilian Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Partner Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Partner Data; and
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Partner Data

3. Specific terms for ATS Analytics Services

• Definition.For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.
• Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:
  • The parties acknowledge that for the purposes of applicable Brazilian Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
  • Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
  • Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.
  • Data transfers. Where the Services require the transfer of Partner Data to another country, Partner agrees that such transfer will be covered by Standard Contractual Clauses available HERE.
• LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:
  • Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
  • Where LiveRamp is relying on applicable laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable Brazilian Data Protection Laws unless prohibited by such laws;
  • Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
  • Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Brazilian Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  • Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
  • At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
  • Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
  • Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.
• Description of processing of Analytics Data

‍

4. Specific terms for Google PAIR Integration

a. Privacy and Fair Processing. As Integration Data (as defined in the SOW) comprise personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Brazilian Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Integration Data in combination with Google PAIR Integration;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its approved Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.
• Data transfers. Where the Services require the transfer of Partner Data to another country, Partner agrees that such transfer will be covered by Standard Contractual Clauses available HERE.

b. LiveRamp Responsibilities. LiveRamp shall, as Data Processor and, in relation to any Integration Data including Personal Data processed in connection with Google PAIR Integration:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Where LiveRamp is relying on applicable Brazilian Data Protection Laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

c. Description of processing of Integration Data

CANADA

1. General Provisions.

Partner will comply with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and all substantially similar provincial privacy laws in Canada, as well as the Canada’s Anti-Spam Law (CASL) (for purposes of this section, “Privacy Laws”).

2. Specific terms for ATS

To the extent that the Partner Data provided by Partner comprises information that is considered personal information as defined by the Privacy Laws (“Personal Information”), Partner represents and warrants to LiveRamp that it shall (i) comply with all applicable Privacy Laws; and (ii) get consent from the individual prior to the collection, use, or disclosure of the personal information (and such consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or service; and must not be obtained through the provision of false or misleading information or through deceptive or misleading practices), and that Partner has also provided the relevant data protection notice (notifying purposes of collection, use and disclosure etc.) to the individual on or before collecting, using or disclosing the Personal Information.

The Data Ethics Review described in the SOW shall take into account rules set out in Data Protection Law and Partner shall make available to LiveRamp all information necessary to allow such Data Ethics Review and contribute to reasonable further reviews conducted by LiveRamp.

In connection with any Personal Information to be transferred outside of Canada, Partner represents and warrants to LiveRamp that it has ensured “comparable protection” to the standards set out in the Privacy Laws. The mechanisms to achieve this include but are not limited to: data transfer agreements; the individual has given consent (and provided required notices have been provided); in connection with performance of contracts between the transferring organization and the individual.

Partner agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under the Privacy Laws which relate to the processing activities which are the subject of the SOW. In the event that LiveRamp receives a data subject request which relates specifically to Partner’s deployment of the Authenticated Traffic Solution, it shall forward that request to Partner without undue delay.

3. Specific terms for ATS analytics Services

• Definition.For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.
• Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:
  • The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Service Provider on behalf of Partner, and Partner remains the controlling organization;
  • Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
  • Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.
• LiveRamp Responsibilities. LiveRamp shall, as service provider and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:
  • Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
  • Where LiveRamp is relying on applicable laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable laws unless prohibited by such laws;
  • Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
  • Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  • Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
  • At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
  • Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
  • Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.
• Description of processing of Analytics Data

‍

Europe (EU, Norway, Switzerland & UK)

LiveRamp is acting as a Data Processor in the EU, Norway, Switzerland UK and the below terms are applicable:

1. General provisions

For the purposes of this section, “Data Protection Laws” means all applicable EU, UK, Norway or Switzerland laws relating to data protection and privacy including (without limitation) the EU General Data Protection Regulation (2016/679) (the “GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in any applicable EU member state, the UK General Data Protection Regulation (the “UK GDPR”) or any such equivalent legislation applicable in the United Kingdom, the Norwegian Personal Data Act or any such equivalent legislation applicable in Norway, the Swiss Federal Act on Data Protection (the “FADP”) and the Swiss Ordinance on Data Protection (the“DPO”) or any such equivalent legislation applicable in Switzerland, any other local law, regulation or guidance from relevant regulators relating to the protection of Personal Data or the privacy of individuals, each as amended from time to time.

Each Party represents, warrants and undertakes to the other that, throughout the term of the SOW, it shall comply with all applicable Data Protection Laws in addition to its contractual obligations as set forth herein and in the SOW.

2. Specific terms for ATS

a. Privacy and Fair Processing. To the extent that Partner Data provided by you, and the RampID provided to you, comprises information that is considered personal data as defined by applicable Data Protection Law (“EU Personal Information”), then in relation to such data, LiveRamp and Partner agree as follows:

▪   The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;

▪   Partner warrants that it has collected the Partner Data processed by LiveRamp in accordance with Data Protection Laws, including that it has (i) the right lawful basis, (ii) all necessary appropriate notices in place and (iii) Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the sharing of the EU Personal Information.

▪   Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

b. Partner Responsibilities. Partner warrants and agrees that:

• Partner warrants that it collects the Partner Data in accordance with Applicable Data Protection Laws and it shall maintain documentation to evidence such compliance.
• The provision of the Partner Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate Data Protection Law, or any agreements between Partner and any third parties;
• In addition to any restrictions set forth in your SOW, it shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, any special categories of data as defined in Article 9 of GDPR (“Prohibited Data”). If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems.
• Partner further agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under Data Protection Laws, which relate to the processing activities which are the subject of the SOW. In the event that LiveRamp receives a data subject request which relates specifically to Partner’s deployment of LiveRamp’s products, it shall forward that request to Partner without undue delay. Partner will have to respond to the requests of data subjects following the specific obligations set in Article 12 of GDPR.

Compliance with Article 5(3) of ePrivacy regulation where applicable. Prior to implementing the Authenticated Traffic Solution, LiveRamp may require that Partner undergo a privacy review for each of the Approved Geographies for which Partner chooses to use the Authenticated Traffic Solution and RampID Envelopes. which includes, without limitation, a review of Partner’s transparency and consent practices related to the use of cookies and similar tracking technologies taking into account rules set out in particular in the article 5(3) of the ePrivacy directive 2002/58/EC and Partner shall make available to LiveRamp all information necessary to allow such Data Ethics Review and contribute to reasonable further reviews conducted by LiveRamp. Partner will keep records that demonstrate that the Partner has obtained such valid consents, which it shall make available to LiveRamp upon written request; and

LiveRamp shall determine, in its sole discretion, whether Partner meets the privacy standards for the ePrivacy Directive article 5(3) Services described herein and has the sole approval right for including Partner in the Services. If Partner does not meet LiveRamp’s privacy standards for the Services described herein, LiveRamp may decline such Partner, or, if Services have already started, may immediately terminate this agreement upon advance written notice to Partner.

Given the nature of the requirements outlined above and the guidance of the regulators, Partner warrants to implement a Consent Management Platform allowing such features, including the IAB Transparency and Consent Framework without undue delay.

c. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Partner Data including Personal Data processed in connection with ATS:

▪   Process Partner Data only following the written instructions of the Partner and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.

▪   Inform the controller if, in its opinion, an instruction related to the processing of Partner Data or if it comes to its knowledge that conditions of Partner data collection in the context of ATS infringes the Data Protection Laws.

▪   Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Partner Data are obliged to keep the Partner Data confidential;

Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

▪   Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;

▪   At Partner’s written direction, delete Partner Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Partner Data;

• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations; and
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Partner Data

3. Specific terms for ATS Analytics Services

d. Definition. For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.

e. Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

f. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Where LiveRamp is relying on applicable Data Protection laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable Data Protection laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

g. Description of processing of Analytics Data

4. Specific terms for Google PAIR Integration

a. Privacy and Fair Processing. As Integration Data (as defined in the SOW) comprise personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Integration Data in combination with Google PAIR Integration;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its approved Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

b. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Integration Data including Personal Data processed in connection with Google PAIR Integration:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable Data Protection laws.
• Where LiveRamp is relying on applicable Data Protection Laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable Data Protection laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.
• Affiliates. Client agrees that the Client Data may be processed by LiveRamp and by any of its affiliates situated in the EEA and elsewhere.

c. Description of processing of Integration Data

MEXICO

1. General provisions.

For the purposes of this section, “Mexican Data Protection Law” means all applicable Mexican laws relating to data protection and privacy including (without limitation) the Federal Law for the Protection of Personal Data in Possession of Private Parties and its regulations (“FDPL”), as well as any other applicable laws and regulations relating to data protection and privacy as implemented, and all amendments to or replacements of the above legislation.

2. Specific terms for ATS

Partner agrees and acknowledges that it acts as the data controller for the Partner Data and that it will duly comply with the obligations established by the FDPL. Partner also agrees that within the framework of the SOW, it shall carry out the necessary procedures to ensure that any data transferred to LiveRamp cannot be associated with any data subject or allow, by its structure, content or degree of disaggregation, the identification of the same.  Or, as the case may be, Partner undertakes to implement the required technologies to ensure that LiveRamp only receives dissociated data, which do not constitute personal data in terms of the FDPL.

To the extent that Partner Data includes any information that is considered personal data or sensitive personal data as defined by the Mexican Data Protection Law, then in relation to such data, Partner warrants and agrees that:

• The Data Ethics Review described in the SOW shall take into account rules set out in Data Protection Law and Partner shall make available to LiveRamp all information necessary to allow such Data Ethics Review and contribute to reasonable further reviews conducted by LiveRamp;
• The provision of the Partner Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate Mexican Data Protection Law, or any agreements between Partner and any third parties;
• Partner will provide a valid notification to the data subjects of the Partner Data, in accordance with Articles 15 and 16 of the FDPL, which explains (with the necessary level of detail) the sharing of the Partner Data with LiveRamp, the creation of the envelope, the combination or matching of data, that the envelope is associated with the Partner’s first party storage, and that the first party storage and envelope is used for the purpose of targeted advertising;
• It will obtain the valid consent of the data subjects of the Partner Data (in accordance with Article 10 of the FDPL) for the Partner’s processing activities and purposes specified in the SOW;
• It will keep records that demonstrate that the Partner has obtained such valid consents, which it shall make available to LiveRamp upon written request; and
• In addition to any Prohibited Data restrictions set forth in the Agreement, it shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, any special categories of data as defined by the FDPL. If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems.
• Partner will promptly notify LiveRamp that it has provided personal data to LiveRamp so that LiveRamp may take actions in order to dissociate such data so that it remains dissociated in compliance with Mexican Data Protection Laws.

In accordance with the SOW, upon termination of the SOW LiveRamp shall not be required to destroy or cease use of any metadata collected at the same time as Partner Data but LiveRamp shall use such metadata in compliance with statistical and research & development exceptions to the extent it is applicable.

Partner agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under Mexican Data Protection Law which relate to the processing activities which are the subject of the SOW.

3. Specific terms for ATS Analytics Services

a. Definition. For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.

b. Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

c. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Where LiveRamp is relying on applicable laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Analytics Data

APAC

Australia

Partner will comply with applicable privacy laws, including the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth) and any other applicable analogous legislation (for purposes of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal data as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants: (a) comply with all applicable privacy, data security, and data protection laws, regulations, and rules, including but not limited to the Privacy Laws; (b) notify their users of the sharing and the purpose of use of personal ID (i.e., individual identifiers, cookie ID, mobile ID, such as an AAID or IDFA, etc.) and any associated personal data; (c) obtain explicit consent regarding its collection, use, and sharing of Personal Information as required under Privacy Laws, including through inclusion of a prominent link to its privacy policy and/or description of data collection and usage practices at the time and location of collection and through notice that Personal Information may be transferred overseas; and (d) it shall provide local consumers with a channel to exercise their consumer rights as granted by the Privacy Laws.

PROHIBITED DATA – AUSTRALIA

The following is considered Prohibited Data as defined in your Agreement: (i) any sensitive information (as that term is defined in the Privacy Laws), including but not limited to the information or an opinion about an individual’s racial or ethnic origin, sexual orientation or practice, criminal record and health information, healthcare/medical identifiers, genetic information; and (ii) any information related to a person under the age of eighteen (18).

NEW ZEALAND

Partner will comply with applicable privacy laws, including the Privacy Act 2020 and the Information Privacy Principles under that Act, and the Unsolicited Electronic Messages Act 2007, and any other applicable analogous legislation, and all amendments to or replacements of the above legislation (for purposes of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal information as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants: a) that valid notification has been provided to their users for the purpose of use and share of personal information, including personal ID (i.e., individual identifiers, cookie ID, mobile ID, such as an AAID or IDFA, etc.) and any associated personal information; b) that it has ensured “comparable protection” to the standards set out in the Privacy Laws in connection with any Personal Information outside the country; and c) that it shall be responsible for dealing with and responding to all requests made by data subjects under Privacy Laws which relate to the processing activities that are the subject of the SOW.

PROHIBITED DATA – NEW ZEALAND

The following is considered Prohibited Data as defined in your Agreement: (i) any special categories of data as defined in Privacy Laws or any other legislations of the country, like the health information and criminal records; and (ii) any information related to a person under the age of eighteen (18).

JAPAN

Partner will comply with privacy, data security, and data protection laws, regulations, and rules, including the Act on Protection of Personal Information of Japan and any other applicable analogous legislation (for purposes of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal data as defined by Japan applicable Privacy Laws (“Personal Information”), then in relation to such data Partner warrants and agrees: (a) if and where required by Japan Privacy Laws, it will provide a valid notification, or obtain the valid consent to the data subjects of the Partner Data, which explains (with the necessary level of detail) the sharing of the Partner Data with LiveRamp and for the purpose contemplated by the SOW; (b) that it has ensured comparable protection to the standards set out in the Privacy Laws in connection with any Personal Information outside the country; and (c) that it shall provided local consumers with a channel to exercise their consumer rights as granted by the Privacy Laws.

PROHIBITED DATA – JAPAN

The following is considered Prohibited Data as defined in your Agreement: (i) any sensitive personal information (as defined in the Japan Privacy Law), or (ii) any information related to a person under the age of eighteen (18).

SINGAPORE

Partner will comply with applicable privacy laws, including the Personal Data Protection Act of Singapore (“PDPA”), Cybersecurity Act, Data Protection Enforcement Cases (decisions), and any other applicable analogous legislation (for purposes of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal data as defined by the Privacy Laws (“Personal Data”), Partner represents and warrants to LiveRamp that it shall (i) comply with all applicable Privacy Laws; and (ii) get consent from the individual prior to the collection, use, or disclosure of the personal data (and such consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or service; and must not be obtained through the provision of false or misleading information or through deceptive or misleading practices), and that Partner has also provided the relevant data protection notice (notifying purposes of collection, use and disclosure etc.) to the individual on or before collecting, using or disclosing the Personal Data.

In connection with any Personal Data outside of Singapore, Partner represents and warrants to LiveRamp that it has ensured “comparable protection” to the standards set out in the Privacy Laws. The mechanisms to achieve this include but are not limited to: data transfer agreements; the individual has given consent (and required notices have been provided); in connection with performance of contracts between the transferring organization and the individual.

Partner agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under the Privacy Laws which relate to the processing activities which are the subject of the SOW.

PROHIBITED DATA – SINGAPORE

The following is considered Prohibited Data as defined in your Agreement: (i) national identification (“National ID”) numbers and associated details in National ID documents, such as Singapore’s National Registration Identification Card (“NRIC”), Work Permit, etc.; (ii) credit, debit card, payroll or financial account numbers with the associated name; (iii) any personal information as defined/deemed sensitive by the Privacy Laws, including but not limited to information regarding an individual’s political opinion and/or medical health; or (iv) any data related to a data subject under the age of eighteen (18).

TAIWAN

Partner will comply with all applicable privacy, data security, and data protection laws, directives, regulations, and rules, as may be amended from time to time and/or any successor legislation of Taiwan (for the purpose of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal information as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants that: (a) it shall obtain the valid consent from the data subject, if required by the Privacy Laws, for your and LiveRamp’s processing activities and purposes specified in the SOW; (b) it shall provide local consumers with a channel to exercise their consumer rights as granted by the Privacy Laws; and (c) shall not provide to LiveRamp or cause LiveRamp to use any Prohibited Data described herein.

PROHIBITED DATA – TAIWAN

The following is considered Prohibited Data as defined in your Agreement: (i) any sensitive personal information as defined in the Privacy Laws, including without limitation to medical records, passport numbers, etc., (ii) any information related to a person under the age of eighteen (18).

HONG KONG SPECIAL ADMINISTRATIVE REGION

Partner will comply with all applicable privacy laws, including but not limited to the Hong Kong Personal Data (Privacy) Ordinance (Cap.486), Personal Data (Privacy) (Amendment) Ordinance 2021, and any other directives, regulations, and rules, as may be amended from time to time and/or any successor legislation of Hong Kong Special Administrative Region (for purpose of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal data as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants that: (a) it has given the necessary and appropriate notice and obtained valid and sufficient consent from the data subject, as required by the Privacy Laws, for your and LiveRamp’s processing activities; (b) it shall provide, to the extent applicable, communication channels to the data subject in order to honor their data subject rights as granted by the Privacy Laws; and (c) it shall not provide to LiveRamp or cause LiveRamp to use any Prohibited Data described herein.

PROHIBITED DATA – HONG KONG SPECIAL ADMINISTRATIVE REGION

The following is considered Prohibited Data as defined in your Agreement: (i) any personal information that is potentially subject to higher privacy and security measure standards under Privacy Laws, including without limitation to ID card numbers, passport numbers, consumer credit/financial data and biometric data; or (ii) any information related to a person under the age of eighteen (18).

THE REPUBLIC OF INDONESIA

Partner will comply with all applicable privacy laws, including but not limited to the Personal Data Protection Law (Act No. 27 of 2022), Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions, Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems, and any other directives, regulations, and rules, as may be amended from time to time and/or any successor legislation of Indonesia (for purpose of this section, “Privacy Laws”).

To the extent that the Partner Data provided by Partner comprises information that is considered personal information as defined by the Privacy Laws (“Personal Information”), then in relation to such data Partner represents and warrants: (a) it shall obtain valid and sufficient consent from the data subject, as required by the Privacy Laws, for your and LiveRamp’s processing activities; (b) it shall provide local consumers with a channel to exercise their consumer rights as granted by the Privacy Laws; and (c) shall not provide to LiveRamp or cause LiveRamp to use any Prohibited Data described herein.

PROHIBITED DATA – THE REPUBLIC OF INDONESIA

The following is considered Prohibited Data as defined in your Agreement: (i) specific categories of personal data such as health data and information, biometric data, genetic data, sexual orientation, political view, criminal record, and personal financial data; or (ii) any information related to a person under the age of eighteen (18).

APAC-Specific terms for Google Pair:

For the expansion of Google Pair Integration into APAC markets (Australia, New Zealand, Japan, Singapore, Taiwan, Hong Kong Special Administrative Region and the Republic of Indonesia) the following specific terms shall apply.

Partner acknowledges and agrees that the Integration Data (as defined in the SOW) provided by the Partner will be transferred to LiveRamp Affiliates in the U.S. for the purpose of facilitating the Google Pair Integration under the Agreement and SOW ONLY.

UAE

United Arab Emirates (UAE)
LiveRamp is acting as a Data Processor in the UAE and the below terms are applicable:

1. General provisions.

For the purposes of this section, “Data Protection Laws” means all applicable laws and regulations in the United Arab Emirates relating to data protection and privacy, including (without limitation) Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”), Cabinet Decision No. 6 of 2022 concerning its implementing regulations, any applicable data protection laws of the relevant free zones (such as the DIFC Data Protection Law No. 5 of 2020, and any other applicable local law, regulation, or guidance from relevant UAE regulatory authorities relating to the protection of Personal Data or the privacy of individuals, each as amended from time to time.

Each Party represents, warrants and undertakes to the other that, throughout the term of the SOW, it shall comply with all applicable Data Protection Laws in addition to its contractual obligations as set forth herein and in the SOW.

2. Specific terms for ATS

a. Privacy and Fair Processing. To the extent that Partner Data provided by you, and the RampID provided to you, comprises information that is considered personal data as defined by applicable Data Protection Law (“UAE Personal Information”), then in relation to such data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner warrants that it has collected the Partner Data processed by LiveRamp in accordance with Data Protection Laws, including that it has (i) obtained valid consent of Data subjects the right lawful basis, (ii) all necessary appropriate notices in place and (iii) Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the sharing of the UAE Personal Information. Upon LiveRamp’s request, the Partner shall promptly provide documentary evidence that such consent was obtained from Data Subjects.
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

b. Partner Responsibilities. Partner warrants and agrees that:

• Partner warrants that it collects the Partner Data in accordance with Applicable Data Protection Laws and it shall maintain documentation to evidence such compliance.
• The provision of the Partner Data to LiveRamp, and its subsequent use by LiveRamp for the purposes contemplated by the SOW will not violate Data Protection Law, or any agreements between Partner and any third parties;
• In addition to any restrictions set forth in your SOW, it shall not provide to LiveRamp, or permit any third party to provide to LiveRamp on Partner’s behalf, any special categories of data as defined in PDPL (“Prohibited Data”). If Partner should transfer Prohibited Data to LiveRamp in violation of this section, Partner shall immediately notify LiveRamp and inform LiveRamp of the date, time, and other pertinent information related to the transfer so LiveRamp may take the steps necessary to remove the Prohibited Data from its systems.
• Partner further agrees that it shall be responsible for dealing with and responding to all requests made by data subjects under Data Protection Laws, which relate to the processing activities which are the subject of the SOW. In the event that LiveRamp receives a data subject request which relates specifically to Partner’s deployment of LiveRamp’s products, it shall forward that request to Partner without undue delay. Partner will have to respond to the requests of data subjects following the specific obligations set in Article 13 of PDPL.

Given the nature of the requirements outlined above and the guidance of the regulators, Partner warrants to implement a Consent Management Platform allowing such features, including the IAB Transparency and Consent Framework without undue delay.

c. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Partner Data including Personal Data processed in connection with ATS:

• Process Partner Data only following the written instructions of the Partner and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Inform the controller if, in its opinion, an instruction related to the processing of Partner Data or if it comes to its knowledge that conditions of Partner data collection in the context of ATS infringes the Data Protection Laws.
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Partner Data are obliged to keep the Partner Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Partner Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Partner Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Analytics Data

3. Specific terms for ATS Analytics Services

a. Definition.For the purpose of this Section, any reference to Prebid Analytics Services in the SOW shall be construed as a reference to ATS Analytics Services.

b. Privacy and Fair Processing. To the extent that Analytics Data (as defined in the SOW) comprise any personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Analytics Data in combination with ATS Analytics Services;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

c. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Analytics Data including Personal Data processed in connection with ATS Analytics Services:

• Process that Personal Data only follows the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable laws.
• Where LiveRamp is relying on applicable Data Protection laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable Data Protection laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
• At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.

d. Description of processing of Analytics Data

4. Specific terms for Google PAIR Integration

a. Privacy and Fair Processing. As Integration Data (as defined in the SOW) comprise personal data, LiveRamp and Partner agree as follows:

• The parties acknowledge that for the purposes of applicable Data Protection Laws, LiveRamp shall act as a Data Processor on behalf of Partner, and Partner is acting as a Data Controller;
• Partner shall ensure that it has all necessary appropriate consents and notices in place to enable the use by LiveRamp of the Integration Data in combination with Google PAIR Integration;
• Subprocessors. Partner provides LiveRamp a general written authorization to engage its Affiliates and the approved subcontractors listed in the table below as sub-processors of Personal Data under the SOW. LiveRamp remains responsible at all times for the performance of its approved Sub-Processors’ obligations in compliance with these data processing terms and the applicable Data Protection Laws.

b. LiveRamp Responsibilities. LiveRamp shall, as data processor and, in relation to any Integration Data including Personal Data processed in connection with Google PAIR Integration:

• Process that Personal Data only following the written instructions of the Publisher and shall not process it for any other purposes, unless LiveRamp is required to do so by applicable Data Protection laws.
• Where LiveRamp is relying on applicable Data Protection Laws as the basis for processing Personal Data, LiveRamp shall promptly notify Partner of this before performing the processing required by applicable Data Protection laws unless prohibited by such laws;
• Respect the confidentiality of the information processed and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• Assist Partner at this latter’s cost in responding to any request from a Data Subject and in ensuring compliance with its obligations under applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• Notify Partner within seventy-two (72) hours on becoming aware of a Personal Data Breach;
  At Partner’s written direction, delete Personal Data and any copies still in its possession on termination of the SOW unless required by applicable laws to store Personal Data; and
• Maintain complete and accurate records and information to demonstrate its compliance with this section, and allow for and contribute to audits, including inspections, conducted by Partner or its mandated auditor, provided that such audit (i) may not be performed more than once a year and the on-premise audit shall be limited to two (2) business days, (ii) shall be notified in writing at least ten (10) business days in advance and, (iii) where the audit is performed by a mandated auditor, this latter shall not be competitor of LiveRamp and it shall be bound by adequate confidentiality obligations;
• Implement and maintain an information security program that contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any consumer information at issue.
• Affiliates. Client agrees that the Client Data may be processed by LiveRamp and by any of its affiliates situated in the EEA and elsewhere.

c. Description of processing of Analytics Data