This Data Processing Agreement (“DPA”) is effective as of the date You agree to the underlying Rokt Terms for Advertisers ("Terms") covering the applicable Services (as defined therein) between You and Rokt (inclusive of any and all schedules, attachments, addendums, amendments, exhibits, order forms and statements of work, the “Agreement”), or by otherwise accepting or using the Services described therein. You, on behalf of your company specified in the Agreement, agree to be bound by this DPA. All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement, and the following terms shall have the meaning given to them under European Privacy Law or UK Privacy Law (as appropriate): “controller”, “processor”, “personal data”, “data subject” and “processing”.

1. Background

Each party shall comply with its obligations under this DPA with respect to the types of European Personal Data that it processes and according to its responsibilities as a controller, joint controller or processor (as appropriate) for the relevant European Personal Data. In particular: (i) Rokt shall be a “controller” of Rokt Data; (ii) You shall be a “controller” of Rokt Data to the extent only that You receive such Rokt Data in the receipt of the Services; (iii) You shall be a “controller” of Advertiser Data; (iv) Rokt shall be a “processor” of Advertiser Data to the extent only that Rokt receives such Advertiser Data in the receipt of the Services. If either Rokt or You would have a different role with respect to any Rokt Data or Advertiser Data under European Privacy Law or UK Privacy Law according to the way in which Rokt or You make use of the Rokt Data or Advertiser Data, then Rokt or You (as appropriate) will comply with the relevant obligations under this DPA according to that role.

2. Security

Each party shall implement appropriate technical and organisational measures to protect the European Personal Data from: (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to, the European Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and shall include the security measures described in Annex B (Minimum Security Measures) to this DPA.

3. Controller obligations

3.1. Whenever a party is acting in a capacity as a “controller” in relation to European Personal Data, it shall comply in all respects with European Privacy Law and UK Privacy Law (as appropriate), including by processing such European Personal Data fairly and lawfully.

3.2. A controller shall provide assistance reasonably requested by the other Party (and at that other Party's cost) in order for that other Party to comply with European Privacy Law and UK Privacy Law (as appropriate), including with respect to data subject access requests and privacy notices.

3.3. The parties agree that they do not intend to act as “joint controllers” with respect to any European Personal Data. However, if and to the extent that the parties are acting as joint controllers with each other in relation to any European Personal Data, they shall each provide all assistance reasonably required by the other party in order for that other party to comply with its obligations under European Privacy Law and UK Privacy Law (as appropriate), including with respect to data subject access requests, and cooperate to ensure that each data subject is given any notices that are required under European Privacy Law or UK Privacy Law (as appropriate) with respect to the processing that each of the parties undertakes.

4. Processor obligations

Whenever a party is acting in a capacity as a “processor” on behalf of the other party, the following provisions shall apply:

4.1. Purpose limitation: The processor shall process the European Personal Data as necessary to perform its obligations under this Agreement, for such other purposes as may be described in this DPA (including Annex A) and strictly in accordance with the documented instructions of the controller (the “Permitted Purpose”), except where otherwise required by any applicable law. The processor shall immediately inform the controller if, in its opinion, an instruction infringes European Privacy Law or UK Privacy Law (as appropriate).

4.2. Confidentiality of processing: The processor shall ensure that any person that it authorises to process the European Personal Data (including the processor’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the European Personal Data who is not under such a duty of confidentiality.

4.3. Subprocessing: The processor may subcontract its processing of the European Personal Data to a third party subprocessor without the prior written consent of the other party. The processor shall however inform the controller when it adds to or removes sub-processors (which may be done via a website link notified to the controller) in order to give the controller the opportunity to object to the appointment of the subprocessor. If the controller makes such an objection, then the controller may elect to suspend or terminate this Agreement without penalty. Notwithstanding anything to the contrary in the foregoing, the controller consents and authorizes the processor to use the subprocessors listed at https://rokt.com/rokt-subprocessors/ in its provision of the Services.

4.4. Cooperation and data subjects’ rights: The processor shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the controller to enable the controller to respond to: (i) any request from a data subject to exercise any of its rights under European Privacy Law or UK Privacy Law (as appropriate); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the European Personal Data.

4.5. Data Protection Impact Assessment: If the processor becomes aware that its processing of the European Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the controller and provide the controller with all such reasonable assistance as the controller may request in order to conduct a data protection impact assessment.

4.6. Security incidents: Upon becoming aware of a Security Incident, the processor shall inform the controller without undue delay and shall provide all such timely information and cooperation as the controller may require in order for the controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) European Privacy Law or UK Privacy Law (as appropriate).

4.7. Deletion or return of European Personal Data: Upon termination or expiry of this Agreement, the processor shall (at the controller’s election) destroy or return to the controller all European Personal Data (including all copies of such European Personal Data) in its possession or control (including any European Personal Data subcontracted to a third party for processing).

4.8. Records: Where required by European Privacy Law or UK Privacy Law (as appropriate), the processor shall maintain a record of all categories of processing activities carried out on behalf of the controller (“Processing Records”) and the processor shall make available the Processing Records to the controller within five (5) working days following receipt of a request for such Processing Records from the controller.

4.9. Audit: The processor shall permit the controller (or its appointed third party auditors) to audit the processor’s compliance with this clause, and shall make available to the controller all information, systems and staff necessary for the controller (or its third party auditors) to conduct such audit. The controller will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the controller reasonably believes that an audit is necessary due to a Security Incident suffered by the processor.

5. International transfers

5.1. In the event that a transfer from one party to the other involves a Restricted Transfer, then the Relevant Transfer Agreement shall be deemed entered into (and incorporated into this DPA by this reference) between the transferring Data Exporter and the Data Importer and shall be completed as follows:

  • a. Where the transfer involves the processing of personal data subject to European Privacy Law between the Data Exporter as controller and the Data Importer as a separate and independent controller, the EU SCCs will be completed as follows:
    • i. Module One will apply;
    • ii. in clause 7, the optional docking clause will apply;
    • iii. in clause 11, the optional language will not apply;
    • iv. in clause 17 (Option 1), the EU SCCs will be governed by Irish law;
    • v. in clause 18(b), disputes shall be resolved before the courts of Ireland;
    • vi. in Annex I, with the information set out in Annex A to this DPA; and in Annex II with the security measures agreed in the Agreement or set out in Annex B (as applicable).
  • b. Where the transfer involves the processing of personal data subject to UK Privacy Law between the Data Exporter as controller and the Data Importer as a separate and independent controller, the UK Addendum will be completed as follows:
    • i. The EU SCCs, completed as set out above in clause 5.1(a) of this DPA, shall apply and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of such transfer.
    • ii. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 5.1(a) as applicable, in Annex A, in Annex B and the security measures agreed in the Agreement (as applicable), and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
  • c. Where the transfer involves the processing of personal data subject to European Privacy Law between the Data Exporter as controller and the Data Importer as processor, the EU SCCs will be completed as follows:
    • i. Module Two will apply;
    • ii. in clause 7, the optional docking clause will not apply;
    • iii. in clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 4.3 of this DPA;
    • iv. in clause 11, the optional language will not apply;
    • v. in clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
    • vi. in clause 18(b), disputes shall be resolved before the courts of Ireland;
    • vii. in Annex I, with the information set out in Annex A to this DPA; and in Annex II with the security measures agreed in the Agreement or set out in Annex B (as applicable).
  • d. Where the transfer involves the processing of personal data subject to UK Privacy Law between the Data Exporter as controller and Data Importer as processor, the UK Addendum will be completed as follows:
    • i. The EU SCCs, completed as set out above in clause 5.1(c) of this DPA, shall apply and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of such transfer.
    • ii. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 5.1(c) (as applicable) in Annex A, in Annex B and the security measures agreed in the Agreement (as applicable), and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Data Exporter".

In the event that any provision of this DPA contradicts, directly or indirectly, the Relevant Transfer Agreement, the Relevant Transfer Agreement (as applicable) shall prevail.

5.2. Where either party receives any European Personal Data and subsequently wishes to undertake a Restricted Transfer, then that party shall ensure it has lawful grounds to do so under European Privacy Law or UK Privacy Law (as appropriate).

5.3. Each party agrees that if either party wishes to participate in a Restricted Transfer of the European Personal Data including to any of its Affiliates (whether as an importer or exporter), it may only do so where the Restricted Transfer is made in full compliance with European Privacy Law and/or UK Privacy Law (as applicable) and pursuant to the Relevant Transfer Agreement implemented between the relevant exporter and importer of the European Personal Data.

6. Definitions

In this DPA: (i) "Data Exporter" means a party to the Terms that discloses European Personal Data to the other party; (ii) “Data Importer” means a party to the Terms that receives European Personal Data from the other party; (iii) "EU Adequacy Finding" means a decision by the European Commission under European Privacy Law in relation to a country, territory or international organisation or one or more specified sectors that ensures an adequate level of protection for personal data; (iv) "Relevant Transfer Agreement" means: (a) in the case of a Restricted Transfer subject to European Privacy Law, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision (EU) 2021/914, as amended, re-enacted, replaced or superseded from time to time ("EU SCCs"); and (b) in the case of a Restricted Transfer subject to UK Privacy Law, the standard contractual clauses or a form of international data transfer agreement for the transfer of personal data to third countries approved under the regulations in the United Kingdom, specifically the "UK Addendum to the EU Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018 as amended, re-enacted, replaced or superseded from time to time ("UK Addendum"); (v) "Restricted Transfer" means circumstances where a party transfers or processes European Personal Data: (a) that is subject to European Privacy Law in a territory or sector which is not subject to an EU Adequacy Finding; or (b) that is subject to UK Privacy Law in a territory or sector that is not subject to a UK Adequacy Finding; (vi) "UK Adequacy Finding" means any regulations made by the Secretary of State under Section 17A of the Data Protection Act 2018 that a country, territory, international organisation or sector ensures an adequate level of protection for personal data.

7. ANNEX A TO DPA

Data Processing Description

This Annex A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller with respect to Advertiser Data.


Description: Details

Identity of the Controller and Processor: As set forth in Clause 1 of the DPA.

Subject matter of the processing: For the duration of the Agreement and for such longer period of time as Rokt may require in accordance with the terms of the Agreement to provide the Services.

Nature and purposes of the processing:
  • processing of custom audiences and/or conversion data
  • suppressing and/or targeting Content from or to end customers
  • optimizing Campaigns through statistical analysis

Type of personal data:
  • Email address
  • Additional attributes and transactional data set forth at: https://docs.rokt.com/docs/user-guides/rokt-ads/conversions/attributes

Special categories of personal data (if any): None.

Categories of Data Subject: End customers (i.e. customers of controller).

Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data: The processor will return or destroy the European Personal Data on request in accordance with paragraph 4.7 of the DPA.

Contact points for data protection enquiries:
  • Rokt: General Counsel via privacy@rokt.com
  • Partner: As set forth in the applicable Marketing Order or Insertion Order.

8. ANNEX B TO DPA