Publisher Data Terms

1. Definitions and Interpretation

1.1. To the extent there is a conflict between the documents comprising the Commercial Agreement and these Publisher Data Terms, these Publisher Data Terms shall take precedence to the extent of the inconsistency.

1.2. Capitalized terms used in these Publisher Data Terms shall have the meaning given to them in the Commercial Agreement and any other attachments agreed between the parties unless otherwise defined in these Publisher Data Terms:

• Ad Serving means Products and Services which make automated decisions as instructed by Customer about which advertising content to serve to Customer Inventory, serve the advertising content to Customer Inventory, and measure user engagement and other data in relation to advertising content.
• Affiliate means an entity that directly or indirectly (through one or more intermediaries) controls, is controlled by or under common control with a party.
• CCPA means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., as updated, amended or replaced from time to time.
• Commercial Agreement means the underlying commercial agreement between the parties pursuant to which FreeWheel agrees to provide, and Customer agrees to pay for, the Products and Services whether that commercial agreement is called a Master Services Agreement or otherwise.
• Contracted Processor means FreeWheel or FreeWheel’s Subprocessor.
• Controller Activities mean the purposes set out in these Publisher Data Terms.
• Controller Module means module 1 (transfer controller to controller) of the SCCs.
• CPRA means the California Privacy Rights Act of 2020 Cal. Civil Code § 1798.100 et seq., as updated, amended or replaced from time to time.
• Customer Data means any information, including user data (for example in respect of ad calls and bid requests, and any segment data) that FreeWheel collects, uses or stores pursuant to the Commercial Agreement.
• Customer-selected Provider means a Provider with whom Customer has a direct contractual relationship in relation to digital advertising and which Customer instructs FreeWheel to integrate with in connection with the Products and/or the Services.
• Data Protection Laws means (as applicable to Customer, Customer Inventory and/or FreeWheel in providing the Products and Services to Customer), European Data Protection Laws, UK Data Protection Laws, the CCPA, the CPRA, PIPEDA, The Australian Privacy Act 1988 (No. 119, 1988), and any other legislation or regulation from time to time relating to privacy, data protection and/or the collection, use and/or sharing of Personal Information anywhere in the world.
• Demand Partner means a media buying source that is under contract with FreeWheel or a FreeWheel Affiliate, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks.
• Enquiry means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to the Commercial Agreement, including but not limited to any compensation claim from a Data Subject or any notice, investigation or other action from a supervisory authority, consumer or industry body.
• European Data Protection Laws means (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”)); (ii) the European e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances and (v) in respect of the United Kingdom, UK Data Protection Laws in each case, as may be amended, superseded or replaced from time to time.
• Europe means, for the purposes of these Publisher Data Terms, the European Economic Area (EEA), the United Kingdom, and Switzerland.
• FreeWheel means either or both of FreeWheel Media, Inc. and Comcast International France SAS.
• FreeWheel Privacy Policy means the FreeWheel privacy policy available on FreeWheel’s public facing website as related to the Products and the Services, the most current version of which is available at https://www.freewheel.com/privacy-policy (as updated or amended from time to time).
• Industry Standards means any of the following to which Customer is subject from time to time: (a) the IAB Transparency and Consent Framework (current version available here: https://iabeurope.eu/tcf-2-0/); (b) any applicable self-regulatory codes, rules or guidelines, including the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI) and the Digital Advertising Alliance of Canada (DAAC) (or later published or replacement versions of any of the foregoing); and (c) any subsequent industry standards or codes of practice which apply to the Products and/or the Services and which FreeWheel decides are appropriate from time to time for compliance with Data Protection Laws.
• Inventory means online advertising inventory on Properties.
• Party means a party to the Commercial Agreement.
• Personal Information Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information relating to Users.
• Personal Information means Personal Data and any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device, and includes any information regulated by the applicable Data Protection Laws, and any information that is lawfully made available from federal, state, or local government records, and in each case, which FreeWheel or its Affiliates may collect, process or otherwise receive related to Users in connection with the Products and/or the Services.
• PIPEDA means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 and the substantially similar provincial privacy laws of Canada, and the regulations, decisions, and guidance under each of the foregoing, in each case, as may be amended, superseded or replaced from time to time.
• Processor Activities means, as set out in these Publisher Data Terms, the processing or use by FreeWheel or its Affiliates as Processor of Personal Information provided by or on behalf of Customer and including by a Customer-selected Provider.
• Processor Activity Data means Personal Information to the extent Processed by or on behalf of FreeWheel for Processor Activities.
• Processor Module means all clauses contained in module 2 (transfer controller to processor) of the SCCs, unless stated otherwise.
• Products and Services means the products and/or services which FreeWheel agrees to provide to Customer pursuant to the Commercial Agreement.
• Property means a website, device, mobile application or other digital media property for which the Products and Services are engaged including, where relevant, the Sites.
• Provider means any data management platform, data broker or other provider who Customer or FreeWheel selects to provide Personal Information in connection with the Products and Services.
• Restricted Transfer means:
  1. a transfer of Personal Information from any Customer Affiliate to a Contracted Processor, Demand Partner or Provider; or
  2. an onward transfer of Personal Information from a FreeWheel or a FreeWheel Affiliate to a Contracted Processor, Demand Partner or Provider
• in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of any adequate data transfer mechanism in accordance with Data Protection Laws. For the avoidance of doubt, where a transfer of Personal Information is of a type authorized by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland and the UK), or is made pursuant to a mechanism approved by the exporting country, for example, in the case of transfers from within the European Union, the European Commission, or (in respect of transfers out of the UK to which UK Data Protection Law applies) the appropriate UK authorities, as ensuring an adequate level of protection, or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer.
• SCCs means standard contractual clauses contained in the annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX: 32021D0914&locale=en and the corresponding annexes, attached to these Publisher Data Terms.
• Sell means sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, an individual’s Personal Information by one entity to another for monetary or other valuable consideration and Sale shall be construed accordingly.
• Share means share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate in any means a consumer’s Personal Information for cross-context behavioral advertising (i.e., targeting of advertising to a consumer based on the consumer’s Personal Information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications or services) and Sharing shall be construed accordingly.
• Special Category Personal Information means, without limitation in relation to any individual:
  1. social security number;
  2. driver’s license numbers, state identification numbers, passport number, or other government issued ID;
  3. financial or bank account information, including details of debit card, credit card or other payment instruments;
  4. health or medical insurance information;
  5. health or medical conditions, including any physical, physiological or mental health condition;
  6. medical records and history;
  7. Protected Health Information, as defined in Section 164.103 of the Health Insurance Privacy and Portability Act’s implementing regulations or other applicable health information law;
  8. racial or ethnic origin, religious or philosophical beliefs;
  9. contents of a consumer’s mail, email or text messages, unless FreeWheel or a FreeWheel Affiliate is the intended recipient of the communication;
  10. consumer’s genetic data;
  11. sexual life or orientation;
  12. information collected by automated license plate recognition systems;
  13. biometric information;
  14. username or email address, in combination with a password or security question and answer that would permit access to an online account;
  15. Personal Information relating to or of children protected under any child protection laws; and
  16. any additional types of information included or that FreeWheel may reasonably construe as included within this term or any similar term (such as “sensitive personal information” or “special categories of personal information”) as used in or defined by Data Protection Laws.
• Subprocessor means any person (including any third party and any FreeWheel Affiliate but excluding FreeWheel staff) appointed by or on behalf of FreeWheel or any FreeWheel Affiliate to Process Personal Information on behalf of any Customer Affiliate in connection with Processor Activities.
• UK Data Protection Laws means the Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003, and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (as the latter is implemented by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019, and the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2020), in each case, as may be amended, superseded or replaced from time to time.
• UK Approved Addendum means the template Addendum B.1.0 issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force as of 21 March 2022, as it is revised under Section 18 of the UK Mandatory Clauses.
• UK Mandatory Clauses means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and replaced by any final version published by the Information Commissioner’s Office.
• UK Transfer means a Restricted Transfer to which UK Data Protection Laws apply.
• User means any individual accessing a Customer Property.
• User Request means a request for notification, access, correction, objection, erasure or other requests from Users in relation to their Personal Information under Data Protection Laws.

1.3. The terms data subject, processing (and process), Controller; Data Subjects; Personal Data; Processing (and “Process”); and Processor shall have the meanings given to them in European Data Protection Laws and/or UK Data Protection Laws (as appropriate). In addition the term Controller shall be deemed to include reference to a “business” as defined under the CCPA and, when in force, the CPRA (other than where Controller is used in the context of data transfer under European Data Protection Laws) and the term Processor shall be deemed to include “service provider” as defined under the CCPA and, when in force, the CPRA (other than where Processor is used in the context of data transfer under European Data Protection Laws).

2. Relationship and Scope of Processing

2.1. The parties agree that: (a) FreeWheel will be considered a Processor (and service provider where CCPA applies) in relation to Processor Activities; and (b) both FreeWheel and Customer will be considered independent Controllers for all other processing of Personal Information in connection with the Products and Services. Each party agrees to comply with all applicable Data Protection Laws in respect of its performance and/or exercise of rights under the Commercial Agreement (including these Publisher Data Terms). The parties agree that FreeWheel, Demand Partners, Providers and Subprocessors may process Personal Information and use cookies, pixels and other technologies for the purposes contemplated by the Commercial Agreement.

2.2. Each of FreeWheel and Customer shall notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding the Personal Information and each of FreeWheel and Customer shall deal with such enquiries within a reasonable time.

2.3. Customer agrees not to transmit, disclose, or make available any Special Category Personal Information using the Products and Services. Customer agrees not to transmit, disclose, or make available Special Category Personal Information to FreeWheel, FreeWheel Affiliates or to Demand Partners or Providers or cause FreeWheel, FreeWheel Affiliates, Demand Partners or Providers to process Special Category Personal Information. Without prejudice to the generality of the foregoing, Customer shall ensure that no descriptions of health-related conditions, treatments or other related information are included in ad requests and/or custom key values.

2.4. Any segment or audience that includes, or was built using, Special Category Information shall be flagged.

3. Notifications to Users; Consent

3.1. Customer will ensure that, at all times and in accordance with applicable Data Protection Laws and in respect of Processor Activities and Controller Activities, each Customer Property shall: (a) post a conspicuous privacy policy and (if required by applicable Data Protection Laws) a prominent on-site notice, including without limitation, an explanation that Personal Information is used for targeted advertising, a description of the types of Personal Information that are collected by FreeWheel, its Affiliates and (where applicable) Demand Partners and Providers, an explanation of how and for which purpose(s) Personal Information will be used and transferred to third parties including FreeWheel, FreeWheel Affiliates and (where applicable) Demand Partners and Providers for the delivery of targeted advertising, and (b) where required by applicable Data Protection Laws and/or Industry Standards (i) secure a consent from each User to the processing of their Personal Information by FreeWheel, FreeWheel’s Affiliates, Demand Partners and Providers for the purposes of the Products, Services and/or (as appropriate) the use of cookies and other technologies used in connection with the Products and Services to store or access information stored on User devices, in accordance with such Industry Standards and Data Protection Laws, ii) provide the Users with a persistent and easy to use opt-out of processing of their Personal Information and/or the use of cookies and other technologies for the delivery of targeted advertising and/or iii) provide the Users with the option to prevent the Sale and Sharing of their Personal Information in connection with the Products and Services. Customer is solely responsible for the accuracy and completeness of signals sent in an ad call and which is intended to indicate whether a User has consented and/or opted out of processing of their Personal Information and/or the use of cookies and other technologies as set out in these Publisher Data Terms, including any consent string required by applicable Industry Standards. Additionally, Customer is solely responsible for accuracy and completeness of any signal sent in an ad call that would indicate the use of any Special Category Information to build or influence any Customer uploaded audience segment.

3.2. Customer will, within 10 days of FreeWheel’s request, provide FreeWheel with copies of screenshots of its proposed user consent flow, opt-out process and the privacy policy in respect of each Customer Property and which relate(s) to the collection of Personal Information for use in the Products and Services, and a brief written explanation of how it proposes to achieve required consents and transparency for targeted advertising and for FreeWheel’s role in particular. The parties will discuss within a reasonable time any comments or concerns FreeWheel may have in this regard in good faith. If FreeWheel reasonably believes at any time that Customer’s notification or consent wording or mechanism, opt-out process, privacy policy or related documentation does not allow FreeWheel, its Affiliates, Demand Partners and/or Providers to process, use or share, or unreasonably restricts FreeWheel’s, Demand Partners’ or Providers’ ability to process, use or share, the Personal Information and/or use cookies or other technologies in accordance with Industry Standards and Data Protection Laws, FreeWheel may notify Customer of its concerns and/or provide a reasonable alternative method. The parties will discuss subsequent amendments to these Publisher Data Terms in good faith.

3.3. FreeWheel may, on prior written notice to Customer at any time and for such period(s) as it thinks fit, delay the launch of, or suspend the provision of, all or specific elements of the Products and Services (as FreeWheel may decide) if, at least thirty (30) calendar days after notification pursuant to section 3.2, FreeWheel remains concerned about any of the matters set out in section 3.2.

3.4. Where Customer uses, through or in connection with the Products and/or Services, any Personal Information sourced from a Customer-selected Provider, it will ensure that such Customer-selected Provider obtains, and ensures that the Customer-selected Provider’s third parties shall, obtain notification and/or consent as set out above.

4. Co-Operation Between the Parties

4.1. In relation to Personal Information where both parties are Controllers (or otherwise both bear sole or primary responsibility for the processing of Personal Information under applicable Data Protection Laws), the parties will provide reasonable assistance and cooperate with each other to assist in each party’s compliance with Data Protection Laws.

4.2. Each party may respond directly to User Requests addressed to it relating to its processing of Personal Information as Controller. At the request of a party receiving a User Request, the other party shall cooperate reasonably and at its own expense in assessing and fulfilling such request in relation to its own processing of Personal Information as Controller.

4.3. With respect to Personal Information in relation to which FreeWheel acts as Processor, FreeWheel and each FreeWheel Affiliate:

• 4.3.1. shall reasonably assist, at Customer’s cost, each Customer Affiliate in responding to User Requests in relation to Processor Activity Data in accordance with Customer’s reasonable instructions.
• 4.3.2. shall within a reasonable time notify Customer if any Contracted Processor receives a User Request in respect of Processor Activity Data;
• 4.3.3. shall ensure that the Contracted Processor does not substantively respond to that User Request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by Data Protection Laws to which the Contracted Processor is subject, in which case FreeWheel shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before the Contracted Processor responds to the User Request; and
• 4.3.4. may, to the extent a User Request received by FreeWheel or a FreeWheel Affiliate also relates to Personal Information in respect of which FreeWheel or a FreeWheel Affiliate is Controller, respond to the User Request in accordance with section 4.2.

4.4. Each party shall within a reasonable time notify the other party if it receives notice of any Enquiry in relation to Personal Information in respect of which the other party or their Providers are responsible, in whole or in part, for the processing of Personal Information (and including where the parties are independent Controllers), under Data Protection Laws or relevant Industry Standards. Each party will co-operate reasonably, and at its own expense, with each other in assessing and responding to such Enquiry.

4.5. If a party has a concern that the other party has not complied with these Publisher Data Terms, the parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate such non-compliance.

5. Security

5.1. Each party shall have in place appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Information by or on behalf of such party where such party is Controller or is otherwise responsible for the Personal Information under applicable Data Protection Laws, which measures, in FreeWheel’s case, are set out in Annex II to these Publisher Data Terms (which shall be applied by FreeWheel whether or not a Restricted Transfer as set out in section 6 has taken place). If FreeWheel suffers a confirmed Personal Information Breach, it shall notify Customer without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Personal Information Breach.

5.2. To the extent such Personal Information Breach applies to Processor Activities, FreeWheel will:

• 5.2.1. provide Customer with sufficient information to allow Customer and/or any Customer Affiliate to meet any obligations to report or inform Data Subjects and/or supervisory authorities (as appropriate) of the Personal Information Breach under the Data Protection Laws.
• 5.2.2. FreeWheel shall co-operate with Customer and each Customer Affiliate and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Information Breach, at Customer’s cost unless such Personal Information Breach is caused by the act or omission of a Contracted Processor.

5.3. User Credentials. Customer is responsible for maintaining the confidentiality of its users’ passwords and usernames, will use reasonable efforts to ensure that they are used only by the specific user to whom they are first assigned, and will promptly and in any event within one working day notify FreeWheel by email to legalnotices@freewheel.com if: (i) any of its users’ passwords or usernames are compromised; (ii) there is any unauthorized use of its account; (iii) there is any access by any of its users to information, content or data through the Products or Services which Customer is not authorized to access or use; or (iv) any other breach of security (including any failure to comply with section 5.4) that is known or suspected by Customer. Customer shall be deemed to have authorized any actions carried out using then-current passwords and usernames of Customers’ users (even where those actions are not authorized by Customer) until 24 hours after notice specifying the user whose credentials have been compromised has been sent by Customer to FreeWheel as required by this section 5.3.

5.4. Information Security. Customer shall adopt technical and organizational measures at least consistent with generally-accepted industry practice to protect the physical and electronic security of the equipment, if any, used by or on behalf of Customer to access any network, information assets, software, firmware or hardware of FreeWheel (“FreeWheel Systems”) including by using anti-virus, security, and firewall or next-generation end-point security technology. Customer and each of its officers, directors, employees, agents and subcontractors agree to take reasonable actions when accessing FreeWheel Systems to avoid adversely affecting the confidentiality, integrity, and availability of FreeWheel Systems. Neither Customer, nor its officers, directors, employees, agents, or subcontractors, will: (i) access FreeWheel Systems other than, as permitted by the Commercial Agreement; (ii) violate or attempt to violate the security of the FreeWheel Systems including by attempting to: (a) probe, scan, or test the vulnerability of any FreeWheel Systems or to breach any security or authentication measures used by any FreeWheel Systems; (b) monitor data or traffic on any FreeWheel Systems (other than where the functionality of the Products facilitates reporting of the availability and purchase of Inventory); (c) upload data that contains viruses, worms, corrupt files, Trojan horses, or other forms of corruptive code, or any other content that may compromise the FreeWheel Systems; (d) circumvent any security or authentication measures; or (e) attempt to gain (or knowingly permit, or acquiesce, to any attempt by a third party to gain) unauthorized access to the FreeWheel Systems, related systems, networks, or data.

6. Restricted Transfer

6.1. In the event of a Restricted Transfer between the parties, the following clauses shall apply:

• 6.1.1. Subject to sections 8.10.3 and 6.1.3, each Customer Affiliate (as “data exporter”) and FreeWheel or a FreeWheel Affiliate, as appropriate, on behalf of a Contracted Processor (as “data importer”) shall enter into the SCCs incorporating the Processor Module in respect of any Restricted Transfer in relation to Processor Activity Data from that Customer Affiliate to that Contracted Processor.
• 6.1.2. Subject to section 6.1.3, each Customer Affiliate (as “data exporter”) and FreeWheel or a FreeWheel Affiliate, (as “data importer”) shall enter into the SCCs incorporating the Controller Module in respect of any Restricted Transfer other than those referred to in section 6.1.1 from that Customer Affiliate to FreeWheel or the relevant FreeWheel Affiliate (as appropriate).
• 6.1.3. In the event that another data transfer mechanism other than the SCCs is available in respect of any Restricted Transfer in accordance with Data Protection Laws, the parties will work in good faith to determine if such data transfer mechanism is applicable to the Restricted Transfer. If so, the parties will discuss subsequent amendments to these Publisher Data Terms in good faith.
• 6.1.4. In the event of a UK Transfer, the parties agree that the UK Approved Addendum incorporating the UK Mandatory Clauses shall apply in respect of that Restricted Transfer. For the purposes of the UK Approved Addendum the information set out at section B of Annex I to these Publisher Data Terms shall apply. The UK Approved Addendum shall be deemed dated the same date as the SCCs.
• 6.1.5. If the relevant UK authorities approve a successor or amendments to the UK Approved Addendum (“New Addendum”), the parties agree this shall be incorporated by reference in these Publisher Data Terms in place of the UK Approved Addendum. To the extent that the New Addendum requires the inclusion of additional information not covered by these Publisher Data Terms, FreeWheel may incorporate that additional information into the New Addendum.
• 6.1.6. The SCCs shall come into effect under section 6.1.1 or 6.1.2 (as appropriate) on the later of: (a) the data exporter becoming a party to them; (b) the data importer becoming a party to them; and (c) commencement of the relevant Restricted Transfer.
• 6.1.7. Subject to any provisions to the contrary of the UK Approved Addendum in respect of UK Transfers, the following terms shall apply to the SCCs:
  • 6.1.7.1. Option 2 of Clause 9 (general authorization of sub-processors) of the Processor Module shall apply in relation to Customer’s authorization of the use of Subprocessors and FreeWheel shall notify the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance and in accordance with section 8.9 of these Publisher Data Terms.
  • 6.1.7.2. Option 1 of Clause 17 of the SCCs shall apply and the parties agree that the governing law shall be the law of the Republic of Ireland.
  • 6.1.7.3. The parties agree that the Docking Clause 7 shall be included in the SCCs and the optional wording in Clause 11 of the SCCs relating to an independent dispute resolution body shall not be included.
  • 6.1.7.4. The parties agree that any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland in accordance with Clause 18 of the SCCs.
• 6.1.8. The parties may from time to time make any variations to the SCCs or any replacement of them incorporated into the Commercial Agreement, as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a supervisory authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law.
• 6.1.9. If and to the extent there is any conflict between any of the SCCs (as applied by these Publisher Data Terms), and any provision of the Commercial Agreement (including these Publisher Data Terms), the following descending order of precedence shall apply:
  • 6.1.9.1. The SCCs;
  • 6.1.9.2. The UK Approved Addendum;
  • 6.1.9.3. These Publisher Data Terms; and
  • 6.1.9.4. The provisions of the Commercial Agreement.

7. Regulatory Changes

7.1. If changes to applicable Data Protection Laws, or their interpretation or implementation, through legislation, court judgment, issuance of new standard contractual clauses or regulator guidance which, in FreeWheel’s reasonable opinion, make changes to these Publisher Data Terms necessary or prudent, FreeWheel may, on written notice to Customer, make such changes to these Publisher Data Terms, which Customer agrees will be binding on Customer.

7.2. If new or alternative provisions are added to these Publisher Data Terms in accordance with sections 6.1.8 or this section 7:

• 7.2.1. FreeWheel and each FreeWheel Affiliate shall within a reasonable time co-operate (and use commercially reasonable efforts to ensure that any affected Subprocessors co-operate within a reasonable time) to use commercially reasonable efforts to ensure that equivalent variations are made to any agreement put in place under section 8.10.2;
• 7.2.2. Customer shall not unreasonably withhold or delay agreement to any consequential variations to these Publisher Data Terms proposed by FreeWheel to protect the Subprocessors against additional risks associated with the new or alternative provisions made under section 6.1.8 or this section 7; and
• 7.2.3. Neither Customer nor FreeWheel shall require the consent or approval of any Customer Affiliate or FreeWheel Affiliate to amend these Publisher Data Terms.

8. Processor Activities

8.1. FreeWheel and each FreeWheel Affiliate shall not Process Processor Activity Data other than on the relevant Customer Affiliate’s lawful documented instructions as represented by the Commercial Agreement, as amended from time to time, or within the direct business relationship between Customer and FreeWheel and/or FreeWheel Affiliate, and the selection of choice by Customer via its staff’s operation of the Products, unless Processing is required by Data Protection Laws to which FreeWheel and each FreeWheel Affiliate is subject, in which case FreeWheel or the relevant FreeWheel Affiliate shall to the extent permitted by Data Protection Laws inform the relevant Customer Affiliate of that legal requirement before the relevant Processing of that Processor Activity Data.

8.2. Each Customer Affiliate instructs FreeWheel and each FreeWheel Affiliate (and authorizes FreeWheel and each FreeWheel Affiliate to instruct each Subprocessor) in connection with Processor Activities to:

• 8.2.1. process Processor Activity Data as reasonably necessary to perform Processor Activities and consistent with the Commercial Agreement; and
• 8.2.2. transfer Processor Activity Data to any country or territory including to FreeWheel Affiliates, Demand Partners and Providers where reasonably required to provide the Products and Services, subject to FreeWheel’s obligation to use contractual, regulatory or organizational measures to ensure adequacy of processing of such Processor Activity Data at its destination, including in respect of security of Processor Activity Data.

8.3. Each Customer Affiliate:

• 8.3.1. warrants and represents that it is and will at all relevant times remain duly and effectively authorized to instruct FreeWheel to process Processor Activity Data set out in these Publisher Data Terms on behalf of each relevant Customer Affiliate; and
• 8.3.2. in connection with Processor Activity Data shall comply with its obligations under applicable Data Protection Laws and shall not, whether by act or omission, cause FreeWheel or any FreeWheel Affiliate to breach any of its obligations under applicable Data Protection Laws.

8.4. FreeWheel and FreeWheel Affiliate Personnel. FreeWheel and each FreeWheel Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Processor Activity Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Processor Activity Data, as strictly necessary for the purposes of the Commercial Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

8.5. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FreeWheel and each FreeWheel Affiliate shall in relation to Processor Activity Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk including those set out in Annex II.

8.6. In assessing the appropriate level of security, FreeWheel and each FreeWheel Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Information Breach.

8.7. Each Customer Affiliate authorizes FreeWheel and each FreeWheel Affiliate to appoint in connection with Processor Activity Data (and permit each Subprocessor appointed in accordance with sections 8.8 to 8.10 inclusive to appoint) Subprocessors in accordance with this section 8 and any restrictions in the Commercial Agreement.

8.8. FreeWheel and each FreeWheel Affiliate may continue to use those Subprocessors already engaged by FreeWheel or any FreeWheel Affiliate as at the date of these Publisher Data Terms (a list of which is available on request), subject to FreeWheel and each FreeWheel Affiliate in each case meeting the obligations set out in section 8.10.4.

8.9. FreeWheel shall provide Customer with a list of existing Subprocessors on request and provide at least 14 (fourteen) days’ prior written notice of the appointment of any new Subprocessor of Processor Activity Data, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 days of receipt of that notice, Customer notifies FreeWheel in writing of any objections (on reasonable grounds) to the proposed appointment, neither FreeWheel nor any FreeWheel Affiliate shall appoint (or disclose any Processor Activity Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer Affiliate and Customer has been provided with a reasonable written explanation of the steps taken. If in FreeWheel’s reasonable opinion, reasonable steps cannot be taken to address Customer’s objections, FreeWheel shall be entitled to terminate the Commercial Agreement, or the relevant attachment (either partially or wholly as FreeWheel may decide) upon reasonable notice.

8.10. With respect to each Subprocessor authorized to Process Processor Activity Data, FreeWheel or the relevant FreeWheel Affiliate shall:

• 8.10.1. before the Subprocessor first Processes Processor Activity Data (or, where relevant, in accordance with section 8.8), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Processor Activity Data required by the Commercial Agreement;
• 8.10.2. ensure that the arrangement between on the one hand (a) FreeWheel, or (b) the relevant FreeWheel Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least a similar level of protection for Processor Activity Data as those set out in these Publisher Data Terms and meet the requirements of Data Protection Laws, subject to any standard data processing terms, addendum or equivalent required by international Subprocessors which FreeWheel has no reasonable opportunity to negotiate;
• 8.10.3. if that arrangement involves a Restricted Transfer, ensure that the Processor SCCs are at all relevant times incorporated into the agreement between on the one hand (a) FreeWheel, or (b) the relevant FreeWheel Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor; and
• 8.10.4. FreeWheel and each FreeWheel Affiliate shall use commercially reasonable efforts to ensure that each Subprocessor of Processor Activity Data performs the obligations under sections 4.3, 5.2, 8.1, 8.4, 8.5, 8.6, 8.11 and 8.13, as they apply to Processing of Processor Activity Data carried out by that Subprocessor, as if it were party to these Publisher Data Terms in place of FreeWheel.

8.11. Audit rights:

• 8.11.1. FreeWheel and FreeWheel Affiliates will cooperate with Customer by responding to any questionnaire issued by a Customer Affiliate that is designed to assess the security policies and procedures covering FreeWheel’s and Contracted Processors’ processing of Processor Activity Data. Furthermore, FreeWheel will, upon request, provide Customer with the results of the most recent data security audit carried out by or for the benefit of FreeWheel in connection with Processor Activities (provided that such report addresses the same category of data as the Processor Activity Data (“Similar Data”)). Where any such audit report requires remedial action to mitigate against identified risk(s) to Similar Data processed by or on behalf of FreeWheel, Customer may seek assurances that such actions have been completed in relation to the Processor Activity Data within the timeframe recommended in such audit report. Where Customer, acting reasonably, can demonstrate an actual or reasonably suspected material breach by FreeWheel of these Publisher Data Terms in relation to the Processor Activity Data or that a competent supervisory authority requires it, it may itself through appropriately-qualified security personnel conduct, or commission a third-party auditor to conduct, a data security audit on the terms set out below. FreeWheel will fully cooperate with such audit requests by providing access to relevant knowledgeable personnel and documentation.
• 8.11.2. Audits will: (a) be on no less than fourteen days’ prior written notice unless otherwise agreed; (b) be conducted during normal business hours; (c) not unreasonably interfere with FreeWheel’s business activities; (d) not take place more than once in any year except where required at law or as agreed between the parties; (e) be subject to FreeWheel’s reasonable security restrictions (e.g., sign-in requirements, badge requirements, escort requirements); (f) not compromise the security of (or grant access to) any data that is not Processor Activity Data; and (g) be at Customer’s sole cost and expense.
• 8.11.3. The appointment of Customer’s auditor(s) and any third-party auditor will be subject to FreeWheel’s prior written consent (not to be unreasonably withheld) and, where a third party is appointed, the agreement of non-disclosure terms between FreeWheel and such third party.
• 8.11.4. If an audit commissioned by a Customer Affiliate reveals a significant security weakness with respect to Processor Activity Data, FreeWheel will deliver to Customer a report setting out the steps it intends to take to mitigate the risk and the timings for implementation.
• 8.11.5. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection: (a) to any individual unless he or she produces reasonable evidence of identity and authority; or (b) if the proposed audit or inspection is outside the scope of the audit parameters agreed by the parties to these Publisher Data Terms in advance of such audit or inspection.
• 8.11.6. Customer may exercise its right of audit under clause 8.9 of the Processor Module as set out in, and subject to the requirements of, this section 8.11 of these Publisher Data Terms.

8.12. FreeWheel and each FreeWheel Affiliate shall provide reasonable assistance, at Customer’s cost, to each Customer Affiliate with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer Affiliate in accordance with Data Protection Laws, in each case solely in relation to Processing of Processor Activity Data by, and taking into account the nature of the Processing and information available to, the Contracted Processor.

8.13. FreeWheel within 6 months, and in any event shall within 18 months, of receipt of Processor Activity Data, delete all original copies of such Processor Activity Data unless and solely to the extent required by Data Protection Laws or where retained in secure archival and no longer subject to any processing other than storage.

8.14. Where CCPA and/or CPRA (when in force) apply to Processor Activities, FreeWheel may not (a) Sell or Share Processor Activity Data; (b) retain, use or disclose Processor Activity Data for a commercial purpose other than performing the Processor Activities; or (c) combine the Personal Information with other personal information that FreeWheel receives from another entity.

8.15. FreeWheel acknowledges and certifies that it understands the foregoing obligations.

9. Indemnification

9.1. If indemnity for breaches of these Publisher Data Terms is not already provided for in the Commercial Agreement, the terms of this section 9 apply. Otherwise, the indemnity provisions in the Commercial Agreement govern. Subject to the other provisions of this section 9, FreeWheel will defend, at its expense, Customer, and each of its officers, directors and employees (“Customer Indemnitee”) against any claims, demands, and suits brought by a third party (“Claims”), arising out of or related to any breach of these Publisher Data Terms by FreeWheel. FreeWheel will pay any damages finally awarded by a court of competent jurisdiction (or settlement amounts agreed to in writing by FreeWheel) in respect of such Claims and (to the extent not prohibited by applicable law) any fines or administrative penalties imposed by supervisory authorities or other regulators on Customer to the extent resulting from any breach by FreeWheel of these Publisher Data Terms.

9.2. Subject to the other provisions of this section 9, Customer will indemnify, defend, and hold FreeWheel, and each of FreeWheel’s Affiliates, successors, licensors, and each of its and their officers, directors, employees, agents, and/or assignees (“FreeWheel Indemnitee”) harmless against and in respect of any Claims and any audit or investigation by or on behalf of supervisory authorities or other regulators arising out of or related to any breach of these Publisher Data Terms by Customer, including damages and costs reasonably incurred in the defense of any such Claim or responding to such audit or investigation.

9.3. Each indemnifying party’s obligations as set forth in this section 9 are contingent on: (i) the indemnitee providing the indemnifying party with prompt written notice of the Claim (and any information that may reasonably give rise to a Claim or indicate that a Claim is reasonably foreseeable or imminent), but only if the indemnifying party is materially adversely prejudiced by failure to receive such notice; (ii) the indemnifying party having the right to defend the Claim with counsel of its choosing so long as counsel is not adverse to the indemnitee; (iii) the indemnifying party having the right, in its sole discretion, to settle the Claim so long as such settlement does not impose any monetary or material non-monetary obligations on the indemnitee (other than indemnitee no longer using the applicable Products and Services), and provided that the indemnitee and its Affiliates will be included in any release language as part of any such settlement; and (iv) the indemnitee providing (at the indemnifying party’s expense) such assistance and information as the indemnifying party may reasonably require to investigate, defend, or settle the Claim.

10. Limitation of Liability

10.1. If limitations of liability re: these Publisher Data Terms is not already provided for in the Commercial Agreement, the terms of this section 10 apply. Otherwise, the limitation of liability provisions in the Commercial Agreement govern.

10.2. Exclusions of Loss. Subject to section 10.5 and other than liability under the indemnification obligations under section 9, neither party may be held liable for any: (a) loss of profits; (b) loss of use; (c) loss of goodwill; (d) business interruption, computer failure or malfunction; (e) loss of content or data; (f) cost of cover; or (g) any indirect, punitive, special, incidental, or consequential damages of any kind arising out of these Publisher Data Terms or in relation to data protection, privacy or security matters.

10.3. Subject to section 10.5, each party’s total liability with respect to data protection, privacy or security matters (including where such liability is covered by the indemnification obligations under section 9) and including breach by either party of these Publisher Data Terms will not exceed in the aggregate the greater of (1) two million dollars ($2,000,000), or (2) two times the total fees paid by Customer under the applicable Attachment in the prior twelve (12) month period.

10.4. The provisions of this section 10 will apply notwithstanding any provision of the Commercial Agreement to the contrary and regardless of the form of the claim or cause of action.

10.5. Nothing in these Publisher Data Terms shall limit or exclude either party’s liability in respect of (i) intentional misconduct, gross negligence, or willful default (ii) any personal injury (including death) caused by negligence, (iii) fraud or fraudulent misrepresentation or (iv) any other loss which cannot be lawfully excluded.

11. Miscellaneous – Data-Related

11.1. Order of Precedence (in context of Commercial Agreement). If there is any conflict between any provision in these Publisher Data Terms and any provision in the Commercial Agreement, these Publisher Data Terms shall prevail.

11.2. Entire Agreement. To the extent there are any prior agreements with regard to the subject matter of these Publisher Data Terms, these Publisher Data Terms supersede and replace such prior agreements.

11.3. Consequences of termination. These Publisher Data Terms shall survive termination or expiry of the Commercial Agreement. Upon termination or expiry of the Commercial Agreement, FreeWheel may continue to process the Personal Information provided that such processing is in accordance with these Publisher Data Terms and applicable Data Protection Laws.