This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Services Agreement, Master Client Agreement or other written or electronic terms of service (“Agreement”) between LiveRamp (“LiveRamp”) and the legal entity executing this DPA (“Company”, and together with LiveRamp, the “Parties”). All capitalized terms not defined in this DPA retain the meaning given in the Agreement.
1.1 “Transfer Safeguards” means appropriate safeguards for Transfer provided by Data Protection Laws, such as a decision of adequacy taken by, or contractual clauses (such as SCCs or UK SCCs) considered as appropriate by, a data protection authority.
1.2 “Authorized Affiliate” means a Company Affiliate not a Party to the Agreement that is either a Data Controller or Data Processor of Company Personal Data Processed by LiveRamp.
1.3 “Company Personal Data” means Company Data that is Personal Data, regardless of whether Company acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller with respect to such Personal Data.
1.4 “Data Controller” has the meaning given to it (and any other analogous terms) under Data Protection Laws (e.g., “Business” as defined in the CCPA).
1.5 “Data Processor” has the meaning given to it (and any other analogous terms) under Data Protection Laws (e.g., “Service Provider” as defined in the CCPA).
1.6 “Data Protection Laws” means all data protection and privacy laws applicable to the jurisdiction where LiveRamp provides the Services and the respective party in its role in the Processing of Personal Data under the Agreement, including: Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”), the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (“UK GDPR”), California Consumer Privacy Act of 2018 (“CCPA”), California Privacy Rights Act of 2020 (“CPRA”), Connecticut Data Privacy Act (“CTDPA”), Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Canadian Personal Information Protection and Electronic Documents Act, SC 2000, c 5, and Canada’s Anti-Spam Legislation (“CASL”), the Brazilian Law No. 13709/18, as well as Brazilian Law No. 12,965/14, the Argentinian Personal Data Protection Law No. 25,326, together with the Decree No. 1558/2001 and its related regulations, and the Mexican “Ley Federal de Protección de Datos Personales en Posesión de los Particulares” (DOF: 5 de Julio de 2010).
1.7 “Data Subject” has the meaning given to Data Subject, Consumer, or any other analogous term under Data Protection Laws.
1.8 “Data Subject Request” means a request from a Data Subject to exercise any of its rights under Data Protection Laws.
1.9 “Documentation” means: (a) any schedule, statement of work, order form, work order, or similar document agreed to by the parties describing the Services; (b) any written instructions provided by LiveRamp regarding the provisioning or Processing of Company Personal Data in connection with the Services; or (c) the processes established at https://docs.liveramp.com/connect/en/consumer-requests-for-opt-outs,-data-access,-or-data-deletions.html. Any reference to “Documentation” means only the applicable Documentation to which the provisions of this DPA relates.
1.10 “Personal Data” has the meaning given to Personal Data, Personal Information, or any other analogous term under Data Protection Law.
1.11 “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, and dissemination; “Process”, “Processes” and “Processed” will be interpreted accordingly.
1.12 “Purposes” means LiveRamp’s provision of the Services or processing of Company Personal Data as described in the Documentation.
1.13 “SCCs” means the Standard Contractual Clauses for data transfers between EU and non-EU countries, as issued and updated by the European Commission.
1.14 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Company Personal Data.
1.15 “Security Requirements” means the information security measures set forth in the Agreement that LiveRamp must employ in providing the Services. This includes Exhibit A (Information Security) to the Agreement.
1.16 “Sensitive Data” means Personal Data that is classified as sensitive or special categories of data under Data Protection Law, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation data, or precise geo-location data. Any Personal Data that falls within the definition of “Prohibited Data” within the Agreement is considered Sensitive Data under this DPA.
1.17 “Services” means the services provided by LiveRamp to Company, as described in the Documentation.
1.18 “Sub-Processor” means subcontractors (in the U.S.) and any other Data Processor engaged by LiveRamp or applicable Affiliate of LiveRamp to Process Company Personal Data.
1.19 “Transfer” means the cross-border transfer of Personal Data.
1.20 “UK SCCs” means the international data transfer agreement for data transfers between UK and countries outside of the UK, as issued and updated by the Information Commissioner’s Office in the UK.
1.21 “Usage Data” means usage and operations data in connection with Company’s use of the Services, including login information, query logs, and metadata (e.g., object definitions and properties).
2. Scope and Applicability of this DPA. This DPA applies to Company Personal Data processed as part of the Services. This DPA does not apply to Usage Data.
3. Roles and Scope of Processing.
3.1 Compliance. Each party shall comply with all Data Protection Law. All obligations or activities performed under this DPA or the Agreement shall be performed in accordance with Data Protection Law. Any instructions regarding Processing issued by a Party shall be lawful and consistent with any instructions provided by any associated third-party Data Controller. Neither Party shall instruct the other to take any action that would violate Data Protection Law. A Party shall promptly notify the other if, in its opinion, any instructions from the other Party violate this DPA, or if it can no longer comply with its obligations under this DPA. The Parties shall reasonably assist each other in meeting their respective obligations under Data Protection Laws. Both parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
3.2 Company Instructions. LiveRamp will Process Company Personal Data only for the Purposes. The Agreement, this DPA, and the Documentation set out the instructions to LiveRamp for all Processing of Company Personal Data. Company shall be responsible for any communications, notifications, costs, assistance or authorizations that may be required in connection with a third-party Data Controller of Company Personal Data.
3.3 Restrictions on the Use of Company Personal Data. LiveRamp shall not, and shall not authorize any third party to: (i) process, retain, use, sell, transfer, disclose, or otherwise share Company Personal Data for any Purposes other than as directed by Company under this DPA, the Agreement, or any applicable Documentation; and/or (ii) combine Company Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects on its own, except as directed by Company for the Purposes and permitted by Data Protection Law.
3.4 Authorized Affiliates. Company must communicate any Authorized Affiliate Processing instructions to LiveRamp. Company is responsible for Authorized Affiliate compliance with this DPA. All acts or omissions of an Authorized Affiliate are considered the acts or omissions of Company. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding, or otherwise against LiveRamp (“Claim”), all such Claims: (i) must be brought by Company on behalf of the Authorized Affiliate, unless Data Protection Laws require Authorized Affiliate be a party; and (ii) are considered made by Company and remain subject to any limitations on liability in the Agreement.
3.5 Processing of Personal Data.
(a) LiveRamp and Company shall each, respectively, make appropriate use of the Services to ensure a level of security, including technical and organizational measures, appropriate to the nature and content of the Personal Data, such as encrypting, pseudonymizing, and backing-up Personal Data. LiveRamp and Company shall respectively provide notice and obtain all consents, permissions, and rights or related legal basis necessary to lawfully Process Personal Data.
(b) Certain Services result in disclosure of Personal Data to Company or a third party on Company’s behalf (e.g., third-party audiences, custom identifiers, cookies data, mobile identifiers, RampIDs, AbiliTec IDs, or other personal identifiers) by matching to or creating data from Company Personal Data or providing data directly from another party. In such cases, Company shall: (i) use the Personal Data only for the permitted Purpose; (ii) ensure that Company’s use of the Personal Data is consistent with this DPA and in compliance with Data Protection Laws; and (iii) upon request, provide LiveRamp with an accurate description of its use of the Personal Data, and certify to LiveRamp its use of the Personal Data complies with the Agreement, this DPA, the Documentation, and Data Protection Laws.
3.6 Details of Data Processing. Details of the Processing will be included in the Documentation. Otherwise, the following shall apply:
(a) Subject Matter. The subject matter of the Processing under this DPA is Company Personal Data.
(b) Frequency and Duration. Notwithstanding expiry or termination of the Agreement or Documentation, LiveRamp will Process the Company Personal Data continuously and until deletion of all Company Personal Data.
(c) Purpose. LiveRamp will Process the Company Personal Data for the Purpose.
(d) Nature of the Processing. LiveRamp will perform Processing as needed for the Purpose and to comply with Company’s Processing instructions as provided in accordance with the Agreement, Documentation, and this DPA.
(e) Retention Period. The period for which Company Personal Data will be retained by LiveRamp and the criteria used to determine that period shall be determined by Company during the term of the applicable Schedule via its use and configuration of the Service. Upon termination or expiration of the Schedule or Agreement as a whole, Company may retrieve or delete all Company Personal Data as set forth in the Agreement or Schedule. Company Personal Data not deleted by Company shall be deleted by LiveRamp promptly following: (i) expiration or termination of the Agreement or Schedule; and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement or Schedule.
(f) Categories of Data Subjects. The categories of Data Subjects to which Company Personal Data relate are determined and controlled by Company in its sole discretion and may include, but are not limited to: (i) Customers, prospects, companies, business partners, and vendors of Company (who are natural persons); (ii) Employees or contact persons of Company’s customers, prospects, business partners, and vendors; or (iii) Employees, agents, advisors, and freelancers of Company (who are natural persons).
(g) Categories of Personal Data. The types of Company Personal Data are determined by Company, and may include: (i) contact data (such as name, address, phone number, alias, or title); (ii) identifiers (such as personal, government, online, device or mobile identifiers, cookie data, or IP address); (iii) attributes (such as demographic data, geographic location, account name); (iv) employment data (such as employer, job title, or role); (v) network activity information (such as system, website, application, advertisement, or IT information); or (vi) financial information (such as credit card, account, or payment information). Company Personal Data shall only include Sensitive Data if the Documentation authorizes, with specificity, the exchange of Sensitive Data and Company has obtained the consents necessary to Process the Sensitive Data. If consent is not necessary, then Company must have provided the Data Subject the opportunity to opt out of such Processing.
4.1 Authorized Sub-Processors. LiveRamp is authorized to engage its Affiliates and the entities listed at https://liveramp.fr/gdpr-subprocessors/ (for EU/UK Personal Data) and https://liveramp.com/legal/subprocessors (for US Personal Data), as Sub-processors. Further details on the subject matter, nature and duration of the processing by such Sub-processors may be provided within the Documentation.
4.2 Sub-Processor Obligations. LiveRamp must enter into a written agreement with each Sub-processor imposing the same obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor. Sub-processors must use industry standard security measures designed to protect against a Security Incident, including appropriate organizational, contractual, technological, and managerial safeguards and necessary Transfer Safeguards. Upon written request, and subject to any confidentiality restrictions, LiveRamp shall provide Company relevant information regarding Sub-processor agreements necessary under Data Protection Law. LiveRamp shall remain fully responsible to the Company for the performance of the Sub-processor’s obligations in accordance with its contract with LiveRamp. LiveRamp shall notify the Company of any failure by the Sub-processor to fulfill its contractual obligations.
4.3 Changes to Sub-Processors. In advance of any proposed changes to its Sub-processors, LiveRamp shall inform Company in writing via a web-based subscription method for email notification accessible here: https://liveramp.com/legal/subprocessors. Company shall subscribe to such notifications. Notification will include: (a) the name and address of the Sub-processor; (b) the nature, purpose, location and duration of the Processing; and (c) where applicable, the legal basis for the Transfer of the Company Personal Data; and (e) the duration of the Processing. Company has fourteen (14) days from receipt of notification (“Objection Period”) to object to a new Sub-processor. Any objection must be provided to LiveRamp in writing and state the grounds on which the objection is based. Company may not unreasonably withhold the approval of a Sub-processor. If no objection is received by the end of the Objection Period, the Sub-processor will be deemed approved by Company. If it can be reasonably demonstrated to LiveRamp that the new Sub-processor is unable to Process Company Personal Data in compliance with the terms of this DPA and LiveRamp cannot provide an alternative Sub-processor, or if the Parties are not otherwise able to achieve resolution, Company, as its sole and exclusive remedy, may provide written notice to LiveRamp terminating those Services that cannot be provided by LiveRamp without the use of the new Sub-processor. LiveRamp will refund Company any prepaid unused fees for such Services as of the effective date of termination.
5.1 Security Measures. LiveRamp shall comply with the Security Requirements.
5.2 Confidentiality. LiveRamp shall ensure that any person who is authorized by LiveRamp to Process Company Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3 No Assessment of Company Personal Data by LiveRamp. LiveRamp shall have no obligation to assess the contents or accuracy of Company Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Company is responsible for reviewing the information made available by LiveRamp relating to data security and making an independent determination as to whether the Services meet Company’s requirements and legal obligations under Data Protection Laws.
6. Company Audit Rights.
6.1 No more than once annually in the ordinary course, Company may request documentation prepared by LiveRamp in the ordinary course of its business evidencing LiveRamp’s compliance with this DPA. The audit scope may not extend beyond information applicable to Company. Company must share audit results with LiveRamp and any remediations based on the audit findings must be agreed to by LiveRamp. Audit findings and results are considered LiveRamp Confidential Information. The exercise of audit rights under the SCCs must adhere to this Section 6.
6.2 The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7. Data Transfers.
7.1 Hosting and Processing Locations. LiveRamp will only process Company Personal Data in the region(s) designated in the Agreement and/or Documentation or where applicable as Company otherwise configures via the Services (the “Hosting Region”). Company is solely responsible for the regions from which it accesses the Company Personal Data resulting in the transfer or sharing of Company Personal Data by Company. LiveRamp may Process Company Personal Data itself or via authorized subprocessors from outside the Hosting Regions: (a) as reasonably necessary to provide the Services procured by Company or (b) as necessary to comply with applicable law or binding order of a governmental body.
7.2 Transfer Description and Compliance Mechanisms. Any Transfer to a third country or an international organization by LiveRamp shall be done on the basis of documented instructions from the Company or in order to fulfill a specific requirement under applicable Data Protection Laws to which LiveRamp is subject. When such a Transfer occurs, the Parties shall establish the necessary Transfer Safeguards.
7.3 Transfer to a Subprocessor. Company agrees that, where LiveRamp engages a Sub-processor in accordance with Section 4 for carrying out specific processing activities (on behalf of the Company) and those processing activities involve a Transfer, LiveRamp and the Sub-processor can ensure compliance with GDPR or UK GDPR by using SCCs or UK SCCs, provided the conditions for the use of those SCCs or UK SCCs are met.
8. Security Incident Response.
8.1 Security Incident Reporting. Insofar as reasonably practicable, LiveRamp shall assist Company in meeting its obligations related to the security of processing personal data and notification of Security Incidents. If LiveRamp becomes aware of a Security Incident involving Company Personal Data, LiveRamp shall notify Company without undue delay and in accordance with notification timelines and requirements specified in the Security Requirements. LiveRamp shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
8.2 Security Incident Communications. LiveRamp shall provide Company with timely information about the Security Incident, including the nature and consequences of the Security Incident, the measures taken or proposed by LiveRamp to mitigate or contain the Security Incident, the status of LiveRamp’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Communications with Company in connection with a Security Incident are not an acknowledgment by LiveRamp of any fault or liability with respect to the Security Incident.
9.1 Company Data Subject Requests. LiveRamp provides Company with a number of mechanisms and controls that Company may use to assist it in responding to Data Subject Requests, and Company will be responsible for responding to any Data Subject Requests using the mechanisms and controls provided by LiveRamp and described in the supporting Documentation. If Company is unable to access the relevant Company Personal Data within the Services using such controls or otherwise, LiveRamp shall (upon Company’s written request and taking into account the nature of the Processing) provide reasonable cooperation to assist Company in responding to Data Subject Requests. If LiveRamp receives a Data Subject Request related to Company Personal Data, it shall notify Company, if required by Data Protection Law, or otherwise direct the Data Subject to exercise a Data Subject Request directly with Company.
9.2 Consumer Consent Requests. LiveRamp will provide mechanisms for Company to receive signals indicating a consumer’s processing instructions applicable to LiveRamp provided data, such as a signal indicating a consumer’s consent to processing or choice to limit processing, opt out, or delete (collectively, “Consent Requests”). Upon receipt of any Consent Request from LiveRamp related to a data subject, Company shall act in accordance with the consumer’s expressed instructions as indicated by the Consent Request and any instructions found in the supporting Documentation.
9.3 Data Protection Impact Assessments. LiveRamp shall provide reasonably requested information regarding the Services to enable Company to demonstrate compliance with Data Protection Laws and to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Company does not otherwise have access to the relevant information.
9.4 Government, Law Enforcement, or Third Party Inquiries. If either party receives any correspondence, inquiry, or complaint from any individual, supervisory authority, other relevant regulator, or other third party in connection to the Services, then the parties shall cooperate in good faith as necessary to enable that party to respond. If LiveRamp receives a demand to retain, disclose, or otherwise Process Company Personal Data for any third party, including, but not limited to law enforcement or a government authority, then LiveRamp shall attempt to redirect the demand to Company by providing Company contact information to such third-party, or, if unable to redirect the demand, LiveRamp shall provide Company reasonable notice of the demand as promptly as feasible. This section does not diminish LiveRamp’s obligations under the SCCs with respect to access by public authorities.
9.5 Right to Suspend Services. If LiveRamp reasonably believes that Company’s use of the Services violates LiveRamp’s privacy standards and practices, is unauthorized, or violates Data Protection Laws, Company grants LiveRamp the right, upon notice, to take reasonable and appropriate steps to stop and remediate, including suspension of Services. LiveRamp will endeavor to provide a 10-day notice; however, suspension may occur contemporaneously with such notice if the violation jeopardizes LiveRamp’s ability to provide Products to its other customers or exposes LiveRamp to a violation of law, potential fines, or civil liability. The notice shall include a description of the violation. Such action will not limit any of LiveRamp’s other rights or remedies at law or in equity.
10. Relationship with the Agreement.
10.1 LiveRamp may update this DPA from time to time, with such updated version posted to www.LiveRamp.com/legal, or a successor website designated by LiveRamp with an email notification also sent to Company; provided, however, that no such update shall materially diminish the privacy or security of Company Personal Data.
10.2 In the event of any conflict between this DPA and the Agreement or Documentation, this DPA shall prevail, except in the case of the terms of any business associate agreement (“BAA”) between Company and LiveRamp governing the safeguarding of protected health information regulated by HIPAA or any similar U.S. federal or state health care laws, in which case the BAA shall prevail.
10.3 Each Party’s liability (including liability for any regulatory penalties incurred by the other Party) arising out of or relating to this DPA or the SCCs remains subject to the limitations on liability in the relevant Agreement governing the Services.
10.4 The DPA does not benefit or create any right or cause of action on behalf of any third party, but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).
10.5 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions as set forth in the Agreement.