Document Purpose: This document is a generic Data Processing Agreement that can in place between Ozone and an advertiser and be used when the advertiser wishes Ozone to process their customer data.
Last updated: June 15, 2019
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Ozone Agreement between Customer and Ozone (the “Agreement”) pursuant to which Ozone will provide the Services (as defined in the Agreement) to Customer. Ozone agrees to comply with the following provisions with respect to any Personal Data Processed for Customer in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. For the purpose of this DPA, Customer is the Data Controller and Ozone is the Data Processor. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
“Customer” means the Customer that has executed the Agreement for Services.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser generated data, and online identifiers of the end users of digital properties.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Security Breach” has the meaning set forth in Section 7 of this DPA.
“Sub-processor” means any Data Processor engaged by Ozone.
2) PROCESSING OF PERSONAL DATA
2.1) The parties agree that with regard to the Processing of Personal Data, Customer is the Data Controller and Ozone is the Data Processor.
2.2) Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If Ozone believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, Ozone shall inform Customer. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer obtained the Personal Data.
2.3) During the Term of the Agreement, Ozone shall only Process Personal Data on behalf of and in accordance with the Supply Agreement and Customer’s instructions and shall treat Personal Data as confidential information. Customer instructs Ozone to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Ozone may Process Personal Data other than on the instructions of the Customer if it is required under applicable law to which Ozone is subject. In this situation Ozone shall inform the Customer of such a requirement unless the law prohibits this on important grounds of public interest. The objective of Processing of Personal Data by Ozone is the performance of the Services pursuant to the Agreement
3) RIGHTS OF DATA SUBJECTS
3.1) To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, Ozone may use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent Ozone is legally permitted to do so.
3.2) Ozone shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of that person’s Personal Data. Ozone shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Ozone shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.
4) OZONE PERSONNEL
4.1) Ozone shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with Ozone.
4.2) Ozone shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.))
5.1) Customer acknowledges and agrees that (i) Ozone Affiliates may be retained as Sub-processors; and (ii) Ozone may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Ozone has retained them to provide, and are prohibited from using Personal Data for any other purpose. Ozone agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
5.2) A list of the Sub-processors will be made available [RM1]. Ozone may change the list of such other Sub-processors by no less than 5 business days’ notice [RM2]. If Customer objects to Ozone’s change in such other Sub-processors, Customer may, as its sole and exclusive remedy terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Ozone.
5.3) Ozone shall be liable for the acts and omissions of its Sub-processors to the same extent Ozone would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.)
6) SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
6.1) Ozone shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data.[RM3]
6.2) No more than once per year, Customer may engage a mutually agreed upon third party to audit Ozone solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to legal@Ozone.com. The auditor must execute a written confidentiality agreement acceptable to Ozone before conducting the audit. The audit must be conducted during regular business hours, subject to Ozone’s policies, and may not unreasonably interfere with Ozone’s business activities. Any audits are at Customer’s expense.
6.3) Any request for Ozone to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall reimburse Ozone for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and Ozone shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Ozone. Customer shall promptly notify Ozone with information regarding any non-compliance discovered during the course of an audit.
6.4) Ozone will reasonably cooperate with Customer, at Customer’s expense, to assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Ozone.
7) SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1) If Ozone becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Personal Data transmitted, stored or otherwise Processed on Ozone’s equipment or in Ozone’s facilities (“Security Breach”), Ozone will promptly notify Customer of the Security Breach.
7.2) Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of Ozone’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3) Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Ozone selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Ozone’s support systems at all times.
8) RETURN AND DELETION OF CUSTOMER DATA
Ozone shall delete or return Customer Data to Customer after the end of the provision of Services under the Agreement and shall delete existing copies unless applicable law requires storage of such data.
9) PARTIES TO THIS DPA
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
[RM1] Mechanism TBC
[RM2] Mechanism TBC
[RM3] Need to bear in mind that these haven’t been defined/implemented yet