Effective Date: 10 December 2022
THESE DATA TERMS APPLY TO PARTNERS THAT MAKE ADVERTISING INVENTORY AVAILABLE TO PANGLE. PART I APPLIES TO PARTNERS THAT USE PANGLE'S SDK. PART II APPLIES TO OTHER PARTNERS.
THESE DATA TERMS MAY BE UPDATED FROM TIME TO TIME, INCLUDING TO REFLECT ANY CHANGES TO THE APPLICABLE DATA PROTECTION LAWS. ANY UPDATES SHALL BECOME EFFECTIVE ON THE EFFECTIVE DATE SPECIFIED ABOVE.
1. In these Data Terms, capitalised terms not defined herein shall have the meaning given to them under the Pangle Publisher Agreement or the relevant agreement between you as the "Partner" and Pangle (as applicable), and the following additional definitions shall apply:
"Controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"GDPR" means (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) ("EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law pursuant to s.3 of the United Kingdom’s European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) any national legislation made under or pursuant to paragraph (i) or (ii); and (iv) any amendments or successor legislation to any of paragraphs (i), (ii) or (iii).
"Joint Controllers" means two or more Controllers that jointly determine the purposes and means of processing. "Joint Controller" shall be construed accordingly.
"Joint Processing" means the collection of Personal Data via the Pangle Technology on the Property and its subsequent transmission to Pangle to be used for the Permitted Purpose, but does not include any processing of the Personal Data that takes place after it has been transmitted to Pangle.
"Joint Controller Terms" means the terms set out in these Data Terms.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under these Data Terms.
"Restricted Transfer"means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the competent Swiss authority in accordance with the Swiss DPA.
"Sensitive Data" has the meaning given under Applicable Data Protection Law (or any analogous term, such as "special categories of personal data").
"Swiss DPA" means Switzerland’s Federal Data Protection Act of 1992 (as amended or superseded).
"Standard Contractual Clauses" means (i) where the EU GDPR applies or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
"UK Addendum" means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018
2. The Parties each acknowledge and agree that they are Joint Controllers in accordance with Article 26 GDPR for any Joint Processing and these Joint Controller Terms determine the parties' responsibilities for compliance with GDPR with respect to the Joint Processing. All other responsibilities for compliance with obligations under GDPR regarding the Joint Processing not referred to in these Data Terms remain with each of Pangle and Partner individually. If Partner is contacted by a supervisory authority or Data Subject with regard to the Joint Processing (each a "Request"), Partner will promptly notify Pangle at europe_privacy@pangleglobal.com and provide all timely information, cooperation and assistance as Pangle reasonably requires in relation to such Request. Partner is not authorized to act or answer such Request on Pangle's behalf.
3. Pangle and Partner's GDPR compliance responsibilities with respect to the Joint Processing shall be as follows:
| GDPR compliance responsibility | Pangle's responsibility | Partner's responsibility |
A. | Art 6: Legal Basis | X Pangle has the responsibility to establish a lawful basis in respect of its own processing of Personal Data. | X Partner has responsibility to establish a lawful basis in respect of its own processing of Personal Data. In addition, to the extent that Pangle Technology accesses or stores information (including Personal Data), Partner must obtain all necessary and verifiable consents required by virtue of Applicable Data Protection Law and the Agreement. |
B. | Arts 13, 14: Information | X Pangle will display (or procure the display of) a publicly-available privacy notice describing its processing activities (including the Joint Processing) that meets the requirements of Article 13 and 14 of GDPR. | X Partner must display (or procure the display of) a privacy notice describing its processing activities (including the Joint Processing) to meet the requirements of Article 13 and 14. This includes as a minimum the provision of the following information: ● That Pangle is a Joint Controller of the Joint Processing. ● That Partner uses Pangle Technology which enables the collection and transmission of Personal Data for the Permitted Purpose. ● That further information on how Pangle processes Personal Data, including the legal basis Pangle relies on and the ways to exercise Data Subject rights against Pangle, can be found in the Pangle Privacy Policy (with a link to that policy). In addition, to the extent that the Pangle Technology accesses or stores information (including Personal Data), Partner must also provide clear and comprehensive information about such access or storage to Data Subjects as required by Applicable Data Protection Law and the Agreement. |
C. | Art 26(2): Making available Joint Controller Terms |
| X This includes as a minimum the provision of the following information: That Partner and Pangle have: ��● entered into these Joint Controller Terms to determine their respective responsibilities for compliance with the obligations under GDPR with regard to the Joint Processing; ● agreed that Partner is responsible for providing Data Subjects as a minimum with the information listed under point B in this table above; and ● agreed that between the parties, Pangle is responsible for enabling Data Subjects' rights under Articles 15-20 of GDPR with regard to the Personal Data stored or otherwise Processed by Pangle after the Joint Processing. |
D. | Art 15-20: Subject Rights | X Pangle shall respond to the exercise of any Data Subject rights under Articles 15-20 GDPR in respect of Personal Data processed by Pangle with regard to the Joint Processing. |
|
E. | Art 21: Right to object | X Pangle will enable Data Subjects to exercise their right to object in respect of its own Processing of Personal Data. | X Partner will enable Data Subjects to exercise their right to object in respect of Partner's Processing of Personal Data. |
F. | Art 32: Security | X Pangle in respect of security of the Pangle Technology. | X Partner in relation to its correct technical implementation and configuration of the Pangle Technology. |
G. | Arts 33, 34: Personal Data Breaches | X Pangle will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns Pangle's security obligations under these Joint Controller Terms.
| X Partner will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns its security obligations under these Joint Controller Terms. |
4. Where Partner makes a Restricted Transfer of Personal Data to Pangle pursuant to this Agreement, the Standard Contractual Clauses shall apply between Partner (as data exporter) and Pangle (as data importer) as follows:
(a) Where the EU GDPR applies to the Restricted Transfer of Personal Data, the EU SCCs will apply as follows: (i) Module One will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to these Data Terms; and (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Data Terms; and
(b) Where the UK GDPR applies to the Restricted Transfer of Personal Data, Partner and Pangle hereby agree that the EU SCCs, as amended by the UK Addendum, are incorporated into the Agreement and shall be deemed completed as follows: (i) the EU SCCs shall be deemed completed as set out above in sub-clause 4(a) of these Data Terms; and (ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in sub-clause 4(a) of these Data Terms; (iii) the option “Importer” shall be deemed checked in Table 4; and (iv) the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this Agreement; and
(c) in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in sub-clause 4(a) of these Data Terms with the following amendments: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’, (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), (v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
5. If the Parties' compliance with GDPR or UK GDPR or Swiss DPA requirements relating to international transfers of Personal Data is affected by circumstances outside of the Parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance.
6. If a Property is within the IAB Europe Transparency & Consent Framework, Partner shall (or shall procure that the relevant Publisher shall) comply fully with the policies of the IAB Europe Transparency & Consent Framework Policies currently available at: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/.
Data exporter(s):
Name:
| The Partner whose details are specified in the Agreement.
|
Address:
| As above. |
Contact person’s name, position and contact details:
| The contact details that the Partner has specified in its Account with Pangle. |
Activities relevant to the data transferred under these Clauses:
| The receipt of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.
|
Signature and date:
| This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.
|
Role (controller/processor):
| (Joint) Controller |
Data importer(s):
Name:
| The Pangle entity whose details are specified in the Agreement.
|
Address:
| As above. |
Contact person’s name, position and contact details:
| Questions concerning Pangle's processing of Personal Data pursuant to the Standard Contractual Clauses can be submitted to: europe_privacy@pangleglobal.com
|
Activities relevant to the data transferred under these Clauses:
| The provision of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.
|
Signature and date:
| This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.
|
Role (controller/processor):
| (Joint) Controller |
Categories of data subjects whose personal data is transferred
| Data Subjects who visit, view or interact with: (i) Partner's Property (or Properties) and/or (ii) Advertisements served onto Partner's Inventory.
|
Categories of personal data transferred
| The categories of Personal Data transferred include:
i. Identifiers: Device-specific identifiers such as IP address, mobile advertising identifier (such as the "Google Advertising ID" on Android phones or the "ID for Advertisers" on iOS devices), or a Pangle-specific identifier which Pangle assigns to the Data Subject's device. In addition, Pangle may also receive other information about a Data Subject's device, such as the device model, operating system (e.g. iOS or Android), system language and region, time zone, network type, ROM version, screen resolution, mobile country code and mobile network code.
ii. Geolocation data: Pangle may receive the Data Subject's precise latitude and longitude using its phone's GPS data, where Pangle has the Data Subject's consent or is otherwise permitted to do so in accordance with the GDPR.
iii. Internet activity: Pangle may receive information about a Data Subject's app and website usage, including the name and version of the app or website that has integrated Pangle. Pangle may also receive information about the Data Subject's interactions with any Advertisements it delivers (e.g. information about the Advertisements served, viewed, or clicked on, such as the type of Advertisement, where and when the Advertisement was served, whether the Data Subject clicked on it, and whether the Data Subject visited the relevant advertiser's website or downloaded the advertiser's app, as well as any preferences the Data Subject may have expressed in respect of that Advertisement).
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
| None. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
| Continuous for the duration of the Agreement. |
Nature of the processing
| The nature of the processing is the provision of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.
|
Purpose(s) of the data transfer and further processing
| The purpose of the transfer and further processing is to serve Advertisements onto Partner's Inventory and as otherwise specified in the Agreement.
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
| Personal Data will be retained for as long as is necessary to provide the Services, and otherwise as permitted by the Agreement and the GDPR or Swiss DPA (as applicable).
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
| Not applicable. The transfer pursuant to these Standard Contractual Clauses is made on a Controller to Controller basis. |
Identify the competent supervisory authority/ies in accordance with Clause 13 | For transfers made under the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs. For transfers made under the UK SCCs, the competent supervisory authority will be the United Kingdom Information Commissioner's Office. |
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Establishing, maintaining, monitoring, and using appropriate technical, physical, administrative, and organisational safeguards consistent with the highest industry standards to secure against a security incident including, at a minimum:
(a) Secure user authentication protocols and system access control;
(b) Use of mature and appropriate physical security, current malware, antivirus, and security software that includes e-mail filtering and malware detection;
(c) Use of proper network protection measures;
(d) During idle times, company-issued equipment (e.g., company-issued laptops) are automatically locked;
(e) Encourage use of complex passwords;
(f) Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above requires appropriate authorisation;
(g) IT access privileges are reviewed regularly by appropriate personnel;
(h) Network monitoring services in place 24 x 7 x 365 to detect unauthorised activities;
(i) Vulnerability scanning and remediation in place;
(j) Penetration testing as appropriate;
(k) Encryption protocols applied as necessary under various circumstances.
Taking, among others, the appropriate security measures in order to establish the identity of the authorised persons and prevent unauthorised access to the data importer(s) premises and facilities in which the data are processed.
Taking technical and organisational measures in order to prevent unauthorised activities in the data processing systems outside the scope of any granted authorisations including, at a minimum:
(a) User and administrator access to the network a role-based access rights model. Authorization model grants access rights to data only on a “need to know” basis;
(b) Administration of user rights through system administrators;
(c) Number of administrators is reduced to the absolute minimum;
(d) Perform internal audits as required to assess high risk processes, technologies, and people;
(e) Prohibit each employee from disclosing the Personal Data to any unauthorised third party or using the Personal Data in an unauthorised manner.
(f) Where encryption of data is used, proper key lifecycle management practices are in place.
Taking technical and organisational measures in order to ensure that Personal Data cannot be read, copied, altered, or removed by unauthorised persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where Personal Data are or have been transmitted by data transmission equipment including, at a minimum:
(a) Remote access (including during remote maintenance or service procedures) to the IT systems are to be via VPN tunnels, where appropriate, or other secure, encrypted connections;
(b) Encryption protocols applied as necessary under various circumstances;
(c) Data storage devices and paper documents are locked away when not in use (e.g., clean desk policy);
(d) Appropriate destruction and disposal of documents;
(e) Physical destruction processes in place to industry standards;
(f) Secure communication session established via TLS or similar protocols across core applications/services;
(g) Encrypted certificates utilised for authentication between core web client and core web server.
Taking appropriate technical and organisational measures in order to ensure that it is subsequently possible to verify and establish via log files whether and by whom Personal Data have been entered into data processing systems, altered, or removed.
Taking technical and organisational measures in order to ensure that any Personal Data transferred under this Agreement can only be processed for the purposes specified in the Agreement including, at a minimum:
(a) Clear and binding internal policies contain formalised instructions for data processing procedures;
(b) Clearly articulated contractual protections in place as appropriate in underlying contracts;
(c) Regular staff training on the proper use of the computer security system, the security backup and disaster recovery procedures, and the importance of security to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements;
(d) Secure destruction processes in place to industry standards;
(e) Periodic access reviews that monitor employee access controls;
(f) Company's corporate network is separated from its user services network by means of complex segregation devices.
Taking technical and organisational measures in order to protect the data from accidental destruction or loss including, at a minimum:
(a) Appliances for the monitoring of temperature and humidity in data centers;
(b) Fire/smoke detectors and fire extinguishers or fire suppression system in data centers;
(c) Use of mature and appropriate anti-virus software that includes e-mail filtering and malware detection;
(d) Data recovery measures and emergency plan in place and regularly tested;
(e) Implementation of mature and appropriate backup methods including physical separation of the backup data and storage of data stored in a redundant archive;
(f) Use a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration for core data, as appropriate;
(g) To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible;
(h) Integrity of stored data regularly verified using checksums;
(i) Processes in place to move data traffic away from affected area to uncompromised area in case of failure;
(j) Preventative maintenance is performed to ensure continued operability of equipment.
(k) Appropriate Denial of Service and Distributed Denial of Service technology in place to defend against network and systems based resource starvation attacks.
1. In these Data Terms, capitalised terms not defined herein shall have the meaning given to them under the relevant agreement between you as the "Partner"and Pangle, and the following additional definitions shall apply:
“Controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"EEA" means the European Economic Area.
"GDPR" means (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) ("EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law pursuant to s.3 of the United Kingdom’s European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) any national legislation made under or pursuant to paragraph (i) or (ii); and (iv) any amendments or successor legislation to any of paragraphs (i), (ii) or (iii).
"Restricted Transfer" means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the competent Swiss authority in accordance with the Swiss DPA.
"Sensitive Data" has the meaning given under Applicable Data Protection Law (or any analogous term, such as "special categories of personal data").
"Standard Contractual Clauses" means (i) where the EU GDPR applies or Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").
"Swiss DPA" means Switzerland’s Federal Data Protection Act of 1992 (as amended or superseded).
"UK Addendum" means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018.
2. The Parties each acknowledge and agree that they are separate and independent Controllers. If Partner is contacted by a supervisory authority with regard to the processing under this Agreement (each a “Request”), Partner will promptly notify Pangle at europe_privacy@pangleglobal.com and provide all timely information, cooperation and assistance as Pangle reasonably requires in relation to such Request.
3. Where Partner makes a Restricted Transfer of Personal Data to Pangle pursuant to this Agreement, the Standard Contractual Clauses shall apply between Partner (as data exporter) and Pangle (as data importer) as follows:
(a) Where the EU GDPR applies to the Restricted Transfer of Personal Data, the EU SCCs will apply as follows: (i) Module One will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to these Data Terms; and (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Data Terms; and
(b) Where the UK GDPR applies to the Restricted Transfer of Personal Data, Partner and Pangle hereby agree that the EU SCCs, as amended by the UK Addendum, are incorporated into the Agreement and shall be deemed completed as follows: (i) the EU SCCs shall be deemed completed as set out above in Clause 3(a) of this Appendix; and (ii) Table 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in Clause 3(a) of this Appendix; (iii) the option “Importer” shall be deemed checked in Table 4; and (iv) the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this Agreement; and
(c) in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Clause 3(a) of these Data Terms with the following amendments: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’, (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), (v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
4. If the Parties' compliance with GDPR or UK GDPR or Swiss DPA requirements relating to international transfers of Personal Data is affected by circumstances outside of the Parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance.
5. If a Property is within the IAB Europe Transparency & Consent Framework, Company shall only work with the Publisher of that Property if it complies fully with the policies of the IAB Europe Transparency & Consent Framework Policies currently available at: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/.
Data exporter(s):
1. | Name:
| The Partner whose details are specified in the Agreement.
|
| Address:
| As above. |
| Contact person’s name, position and contact details:
| The contact details for the Partner specified on the Partner Platform. |
| Activities relevant to the data transferred under these Clauses:
| The provision of the Services specified in the Agreement in order to serve Advertisements onto Partner Inventory.
|
| Signature and date:
| This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.
|
| Role (controller/processor):
| Controller |
Data importer(s):
1. | Name:
| The Pangle entity whose details are specified in the Agreement.
|
| Address:
| As above. |
| Contact person’s name, position and contact details:
| Questions concerning Pangle's processing of Personal Data pursuant to the Standard Contractual Clauses can be submitted to: europe_privacy@pangleglobal.com
|
| Activities relevant to the data transferred under these Clauses:
| The receipt of the Services specified in the Agreement in order to serve Advertisements onto Partner Inventory.
|
| Signature and date:
| This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.
|
| Role (controller/processor):
| Controller |
Categories of data subjects whose personal data is transferred
| Data Subjects who visit, view or interact with: (i) Properties whose Publishers have integrated with the Partner to offer Partner Inventory through the Partner Platform; and/or (ii) Advertisements served onto Partner Inventory.
|
Categories of personal data transferred
| The categories of Personal Data transferred include:
i. Identifiers: Device-specific identifiers such as IP address, mobile advertising identifier (such as the "Google Advertising ID" on Android phones or the "ID for Advertisers" on iOS devices). In addition, Pangle may also receive other information about a Data Subject's device, such as the device model, operating system (e.g. iOS or Android), system language and region, time zone, network type, ROM version, screen resolution, mobile country code and mobile network code.
ii. Geolocation data: Pangle may receive the Data Subject's precise latitude and longitude using its phone's GPS data, where the Data Subject has consented, or where Pangle is otherwise permitted to do so in accordance with the GDPR.
iii. Internet activity: Pangle may receive information about a Data Subject's app and website usage, including the name (and, if applicable, version) of the Publisher Property on which an Advertisement is displayed. Pangle may also receive information about the Data Subject's interactions with any Advertisements served onto Partner Inventory (e.g. information about the Advertisements served, viewed, or clicked on, such as the type of Advertisement, where and when the Advertisement was served, whether the Data Subject clicked on it, and whether the Data Subject visited the relevant advertiser's website or downloaded the advertiser's app, as well as any preferences the Data Subject may have expressed in respect of that Advertisement).
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
| None. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
| Continuous for the duration of the Agreement. |
Nature of the processing
| The nature of the processing is Pangle's use of the Services provided by the Partner pursuant to the Agreement in order for Pangle to serve Advertisements onto Partner Inventory.
|
Purpose(s) of the data transfer and further processing
| The purpose of the transfer and further processing is for Pangle to bid on opportunities to serve, and to serve, Advertisements onto Partner Inventory and as otherwise specified in the Agreement.
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
| Personal Data will be retained for as long as is necessary to use the Services, and otherwise as permitted by the Agreement and the GDPR or Swiss DPA (as applicable).
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
| Not applicable. The transfer pursuant to these Standard Contractual Clauses is made on a Controller to Controller basis. |
Identify the competent supervisory authority/ies in accordance with Clause 13 | For transfers made under the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs. For transfers made under the UK SCCs, the competent supervisory authority will be the United Kingdom Information Commissioner's Office. |
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Establishing, maintaining, monitoring, and using appropriate technical, physical, administrative, and organisational safeguards consistent with the highest industry standards to secure against a security incident including, at a minimum:
(a) Secure user authentication protocols and system access control;
(b) Use of mature and appropriate physical security, current malware, antivirus, and security software that includes e-mail filtering and malware detection;
(c) Use of proper network protection measures;
(d) During idle times, company-issued equipment (e.g., company-issued laptops) are automatically locked;
(e) Encourage use of complex passwords;
(f) Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above requires appropriate authorisation;
(g) IT access privileges are reviewed regularly by appropriate personnel;
(h) Network monitoring services in place 24 x 7 x 365 to detect unauthorised activities;
(i) Vulnerability scanning and remediation in place;
(j) Penetration testing as appropriate;
(k) Encryption protocols applied as necessary under various circumstances.
Taking, among others, the appropriate security measures in order to establish the identity of the authorised persons and prevent unauthorised access to the data importer(s) premises and facilities in which the data are processed.
Taking technical and organisational measures in order to prevent unauthorised activities in the data processing systems outside the scope of any granted authorisations including, at a minimum:
(a) User and administrator access to the network a role-based access rights model. Authorization model grants access rights to data only on a “need to know” basis;
(b) Administration of user rights through system administrators;
(c) Number of administrators is reduced to the absolute minimum;
(d) Perform internal audits as required to assess high risk processes, technologies, and people;
(e) Prohibit each employee from disclosing the Personal Data to any unauthorised third party or using the Personal Data in an unauthorised manner.
(f) Where encryption of data is used, proper key lifecycle management practices are in place.
Taking technical and organisational measures in order to ensure that Personal Data cannot be read, copied, altered, or removed by unauthorised persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where Personal Data are or have been transmitted by data transmission equipment including, at a minimum:
(a) Remote access (including during remote maintenance or service procedures) to the IT systems are to be via VPN tunnels, where appropriate, or other secure, encrypted connections;
(b) Encryption protocols applied as necessary under various circumstances;
(c) Data storage devices and paper documents are locked away when not in use (e.g., clean desk policy);
(d) Appropriate destruction and disposal of documents;
(e) Physical destruction processes in place to industry standards;
(f) Secure communication session established via TLS or similar protocols across core applications/services;
(g) Encrypted certificates utilised for authentication between core web client and core web server.
Taking appropriate technical and organisational measures in order to ensure that it is subsequently possible to verify and establish via log files whether and by whom Personal Data have been entered into data processing systems, altered, or removed.
Taking technical and organisational measures in order to ensure that any Personal Data transferred under this Agreement can only be processed for the purposes specified in the Agreement including, at a minimum:
(a) Clear and binding internal policies contain formalised instructions for data processing procedures;
(b) Clearly articulated contractual protections in place as appropriate in underlying contracts;
(c) Regular staff training on the proper use of the computer security system, the security backup and disaster recovery procedures, and the importance of security to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements;
(d) Secure destruction processes in place to industry standards;
(e) Periodic access reviews that monitor employee access controls;
(f) Partner's corporate network is separated from its user services network by means of complex segregation devices.
Taking technical and organisational measures in order to protect the data from accidental destruction or loss including, at a minimum:
(a) Appliances for the monitoring of temperature and humidity in data centers;
(b) Fire/smoke detectors and fire extinguishers or fire suppression system in data centers;
(c) Use of mature and appropriate anti-virus software that includes e-mail filtering and malware detection;
(d) Data recovery measures and emergency plan in place and regularly tested;
(e) Implementation of mature and appropriate backup methods including physical separation of the backup data and storage of data stored in a redundant archive;
(f) Use a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration for core data, as appropriate;
(g) To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible;
(h) Integrity of stored data regularly verified using checksums;
(i) Processes in place to move data traffic away from affected area to uncompromised area in case of failure;
(j) Preventative maintenance is performed to ensure continued operability of equipment.
(k) Appropriate Denial of Service and Distributed Denial of Service technology in place to defend against network and systems based resource starvation attacks.