GENERAL DATA PROTECTION REGULATION ADDENDUM TO THE AGREEMENT
(Independent Controller – Data Sharing Terms)
By using the Services, Supplier Technology, and/or entering into any Order Form, Company agrees to the Supplier General Data Protection Regulation Addendum to the Agreement (the “C2C Data Sharing Addendum”). Supplier and Company are each a “Party” and collectively the “Parties.”
This C2C Addendum is an integral part of the Agreement. Any words or terms not otherwise defined in this Addendum have the same meaning as in the Agreement. In the event of a conflict between definitions in the Agreement and this Addendum, the definitions within this Addendum control.
(a) “Personal Data,” “Process/Processing,” “Controller,” “Processor,” “Data Subject” and “Supervisory Authority” shall have the same meanings given to them in the Regulation.
(b) “Data Protection Law(s)” means the Directive, the Regulation, any successors thereto, and any other data protection law applicable to Personal Data under the Agreement or this Addendum. “Directive” means the Directive 95/46/EC of the European Parliament and of the Council (Personal Data Directive) and “Regulation” means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation).
(c) “European Territories” means together the European Economic Area (‘EEA”), United Kingdom (including its overseas territories and Crown dependencies where applicable following Brexit), and Switzerland.
(d) “Independent Controller Data” means Personal Data gathered, received, shared and used under the Agreement by each of the parties as separate and independent Controllers.
(e) “Supplier” means the following Rakuten Marketing entities: Rakuten Marketing LLC dba Rakuten Advertising organized and existing under the laws of Delaware, USA successor to LinkShare Corporation (“RM United States”), Rakuten Marketing Europe Limited successor to LinkShare Limited (“RM Europe”), Rakuten Marketing Australia Pty Limited successor to LinkShare Australia Pty Ltd (“RM Australia”), or Rakuten Brazil Holdings, LLC successor to LinkShare Brazil Holdings, LLC (“RM Brazil”).
(f) “Supplier Group” means the international group of companies whose overall parent entity is Rakuten, Inc. registered at Rakuten Crimson House, 1-14-1 Tamagawa Setagaya-ku, Tokyo 158-0094, Japan.
2) Role of the Parties.
The Parties agree that they are each independent Controllers of all Independent Controller Data. In no event shall the Parties be deemed joint Controllers. Details of the types of Personal Data, categories of Data Subjects, the nature and purposes of the Independent Controller Data are set forth on Schedule 1 of this C2C Addendum.
Each Party shall use the Independent Controller Data in accordance with the Data Protection Laws and will individually and separately fulfill all obligations that apply to it as a Controller under the Data Protection Laws.
a. Each Party’s obligations regarding the Independent Controller Data includes without limitation:
(i) implementing appropriate technical and organizational measures to protect Independent Controller Data and to ensure the processing of Independent Controller Data is in accordance with the Regulation;
(ii) identifying and establishing its independent and legal basis for processing the Independent Controller Data; and
(iii) fulfilling transparency requirements regarding its use of Independent Controller Data.
b. If either Party receives any correspondence, inquiry or complaint from a Data Subject or Supervisory Authority (“Inquiry”) related to the use of Personal Data under the Agreement or the processing of Personal Data by the other Party, it will promptly inform the other Party and provide full details of the Inquiry. The Parties shall cooperate in good faith to timely respond to the Inquiry in accordance with requirements under the applicable Data Protection Laws.
4) Requesting Consent:
The parties will work together in good faith, as independent Controllers of Personal Data in accordance with the principles of lawfulness, fairness and transparency in relation to the fundamental rights of Data Subjects. As Supplier does not have a direct relationship with any Data Subject visiting the Company Sites or viewing ads delivered through the Services, in order to be provided with and receive the Services, Company will: (i) implement and maintain lawfully compliant industry standard consent management technologies on the Company Sites to include opt-in and opt-out consent choices to be provided to their end users (Data Subjects) either by (a) a Consent Management Platform (“CMP”) registered and listed at https://iabeurope.eu/cmp-list/) in accordance with requirements of the Interactive Advertising Bureau EU Transparency and Consent Framework (iabeurope.eu), or (b) an alternative or complimentary consent solution; AND (ii) will send end users’ consent signals to Supplier, in a format that complies with technical guidelines to be made available to Company by Supplier. Supplier will provide reasonable assistance to Company to support Company’s efforts to comply with its consent gathering obligations under this section.
5) International Data Transfers.
The Parties hereby acknowledge and agree that in providing the Services, conducting the Actions and otherwise fulfilling Order Forms, Personal Data may be transferred from European Territories to the United States or other territory(ies) whose level of protection for Personal Data differs from that of the European Territories. Supplier shall transfer Personal Data outside of the European Territories to the Supplier Group under its parent company’s Binding Corporate Rules which Supplier and the Supplier Group have adapted (“Supplier BCRs”).
This C2C Addendum shall survive termination or expiration of the Agreement. Upon termination or expiration of the Agreement, Supplier may continue to process Independent Controller Data provided that such use complies the requirements of this C2C Addendum and under the Regulation.
(Independent Controller – Data Sharing Terms)
The subject-matter of the shared personal data involves the online and offline behaviour of end users as they interact with advertisements promoted through Supplier.
The duration of retention of shared personal data will be:
For Display: twelve (12) months from the last time an end user interacts with our services, and
For Affiliate: up to 49 months for reporting/tracking activities.
The nature and purpose of shared personal data is for commercial purposes including: to trace end users from a Company’s Site to an advertiser platform to process commissions, to serve personalized advertisements to end users, to analyse and create online behavioural advertising, and to prevent fraud.
The types of shared personal data involved are online identifiers from end users’ device(s), identifiers created by Supplier, Company’s and customers within the Supplier advertising ecosystem.
The categories of data subjects are end users who visit Company’s, publishers’ and advertisers’ websites and other internet and mobile enabled platforms owned or controlled by Company, publishers and advertisers within the Supplier advertising ecosystem.