Data Processing Agreement

BACKGROUND

  1. The Company and Playgap entered into Playgap's Terms of Service, whereby Playgap provides the Company with access to and or use of its Services. Such Terms of Service may require Playgap to process Personal Data on behalf of the Company.
  2. This Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which Playgap will process Personal Data when providing services under the Terms of Service.

AGREED TERMS

  1. Personal data types and processing purposes

    1. The Company and Playgap agree and acknowledge that for the purpose of the Data Protection Legislation:
      1. in the circumstances that are set out in Playgap's Privacy Policy only, Playgap shall act as a Controller. In circumstances where Playgap makes any updates to its Privacy Policy, Playgap shall notify the Company;
      2. with the exception of the circumstances detailed in clause 1.1(a), in connection with the Services, the Company is the Controller and Playgap is the Processor. In these circumstances:
        1. the Company retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Playgap;
        2. the Company will ensure that the processing of Personal Data will comply with one or more of the lawful bases expressed in Article 6 of the UK GDPR; and
        3. the Annex to this DPA describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Playgap may process the Personal Data as a Processor.
    2. When processing Personal Data, each Party shall comply with the obligations set out in this DPA and Data Protection Legislation. The Parties acknowledge and agree that clauses 2 - 4 (inclusive) and clauses 6 - 7 (inclusive) apply where Playgap acts as a Processor only.
    3. The Company and Playgap shall regularly review the information listed in the Annex to this DPA to confirm its current accuracy and update it when required to reflect current practices.

  2. Processor obligations

    1. Playgap will only process the Personal Data to the extent, and in such a manner, as is necessary for the provision of the Services in accordance with the Company's written instructions. Playgap will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or Data Protection Legislation. Playgap will notify the Company if, in its opinion, the Company's instructions do not comply with Data Protection Legislation.
    2. Playgap will comply promptly with any Company written instructions requiring Playgap to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
    3. Playgap will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Company or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Playgap to process or disclose the Personal Data to a third-party, Playgap must first inform the Company of such legal or regulatory requirement and give the Company an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
    4. Playgap will reasonably assist the Company with meeting the Company's compliance obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of Playgap's processing and the information available to Playgap, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under Data Protection Legislation.
    5. Playgap will ensure that its employees ensure who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential at all-times.
    6. Playgap shall at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
    7. In the event of a Personal Data Breach, Playgap shall notify the Company without undue delay, and shall cooperate with the Company and provide all reasonable assistance to the Company including, but not limited to:
      1. assisting the Company with its investigation of the Personal Data Breach;
      2. providing and facilitating the Company with access to any relevant facilities, operations, and personnel (including, if applicable, former personnel involved in the Personal Data Breach);
      3. making available all records, logs, files, reports, and similar as reasonably required by the Company or as otherwise required by the Data Protection Legislation; and
      4. promptly taking all reasonable steps to mitigate the effects of the Personal Data Breach and to minimise any damage caused by it.

  3. Cross-border transfers of personal data

    1. The Company hereby provides its consent to Playgap (and any sub-processor) to transfer or otherwise process the Personal Data outside the UK subject to the following conditions:
      1. Playgap is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
      2. Playgap participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Playgap (and, where appropriate, the Company) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.

  4. Sub-processors

    1. Playgap may only authorise a third-party sub-processor to process the Personal Data if:
      1. the Company is provided with an opportunity to object to the appointment of each sub-processor within 10 working days after Playgap supplies the Company with full details in writing regarding such sub-processor;
      2. Playgap enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures; and
      3. the sub-processor's contract terminates automatically on termination of this DPA for any reason.
    2. Those sub-processors approved as at the commencement of this DPA are as set out in the Annex to this DPA.
    3. Where the sub-processor fails to fulfil its obligations under the written agreement with Playgap, Playgap remains fully liable to the Company for the sub-processor's non-compliance.
    4. Playgap must notify the Company within 5 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

  5. Term and termination

    1. This DPA will remain in full force and effect so long as the Terms of Service remains in effect (Term).
    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Service in order to protect the Personal Data will remain in full force and effect.

  6. Data return and destruction

    1. Subject to Clause 6.2, on termination of the Terms of Service for any reason or expiry of its term, Playgap will securely delete or destroy or, if directed in writing by the Company, return and not retain, all or any of the Personal Data related to this DPA in its possession or control.
    2. If any law, regulation, or government or regulatory body requires Playgap to retain any Personal Data that Playgap would otherwise be required to return or destroy, it will notify the Company in writing of that retention requirement, giving details of the Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

  7. Audit

    1. Playgap shall maintain complete and accurate records and information to demonstrate its compliance with this DPA.
    2. If requested by the Company (at the Company's cost and expense), Playgap shall conduct an audit of its processing of the Personal Data under this Agreement, providing the Customer with a summary of such audit for the Customer's review.
    3. The Company will treat any such audit summaries provided as Playgap's confidential information under the Terms of Service.

  8. Notice

    1. Any notice given to a party under or in connection with this DPA must be in writing and delivered by email to:
      • For the Company: the contact details provided by the Company in writing when entering into the Terms of Service with Playgap.
      • For Playgap: contact@playgap.io
    2. Clause 8.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
    3. Any notice by email shall be deemed to have been delivered at the time of transmission (unless the time of transmission occurs outside of normal business hours, in which case the notice shall be deemed to have been delivered at 8.00am on the following Business Day).

  9. Definitions and Interpretation

    The following definitions and rules of interpretation apply in this DPA.

    1. Definitions:

      Business Day: a day other than a Saturday, Sunday or bank or public holiday in England.

      Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

      Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing:have the meanings given to them in Data Protection Legislation.

      Controller: has the meaning given to it in section 6, DPA 2018.

      Company: means the legal entity accessing or using Playgap's Services under the Terms of Service.

      Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

      Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

      DPA: has the meaning given in Recital (A) above.

      Personal Data: means any information relating to an identified or identifiable living individual that is processed by Playgap on behalf of the Company as a result of, or in connection with, the provision of the services under the Terms of Service; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

      Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

      Playgap: means Playgap Ltd (company number: 14949926), a company incorporated in England with its registered address at 20 Wenlock Road, London, England, N1 7GU.

      Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.

      Services: means the services provided by Playgap to the Company as described in the Terms of Service.

      Term: has the meaning given in Clause 5.

      Terms of Service: has the meaning given in Recital (A) above.

      UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

    2. This DPA is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA.
    3. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
    4. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
      2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
      3. any of the provisions of this DPA and the provisions of the Terms of Service, the provisions of this DPA will prevail.

ANNEX #1 Personal Data processing purposes and details

Subject matter of processing: Personal Data relating to Playgap's provision of the Services for the Company.

Duration of Processing: The duration of the Terms of Service until deletion of all Personal Data by Playgap in accordance with the DPA.

Nature of Processing: Playgap shall process the Personal Data set out in this Annex for the purposes of providing the Services to the Company in accordance with the DPA and the Terms of Service as initiated by the Company in its use of the Services.

Personal Data Categories: Personal Data relating to individuals provided to Playgap via the provision of the Services, including but not limited to technical data (such as IP address, device data and location data) and marketing preferences. Further information in connection with the SDK is detailed in Annex #2.

Data Subject Types: Data subjects include individual end-users whose Personal Data is provided to Playgap via the Services, at the direction of the Company.

Approved Sub-processors:

  • Amazon Web Services, Inc.
  • BunnyWay d.o.o.
  • DoubleVerify, Inc.
  • Integral Ad Science (IAS), Inc.
  • Meetrics Inc.
  • Pixalate Europe Limited
  • Protected Media Ltd.
  • Oracle Corporation
  • Nielsen Corporation
  • AdLoox SAS
  • Innovid LLC
  • The IAB Technology Laboratory

ANNEX #2 Data elements processed by the Playgap SDK

For references purposes only, set forth below is a list of certain data elements that are processed by Playgap via the Playgap SDK in Company's mobile applications and Company's implementation of the Services. For certainty, Company is the Controller, and Playgap is the Processor, of the Personal Data that is part of such data.

  • Advertising IDs (e.g., Apple IDFA or Google Advertising ID)
  • Vendor IDs (e.g., Apple IDFV)
  • Device IP address.
  • HTTP header information.
  • Cookie IDs.
  • Device make, model, settings, and properties.
  • Mobiles application names and corresponding properties and IDs.
  • City- and/or country-level, or other coarse, geolocation data.
  • Network information (e.g., carrier or ISP name).
  • Event data related to interactions a mobile application or advertisement (e.g., watching a rewarded ad).
  • IDs for respective advertisements
  • Do-not-track signals