Marketing preferences and Data Profile

DATA PROTECTION ADDENDUM

This Data Protection Addendum (“DPA”) is entered into by and between:

A.         Content Technology Partners Ltd a company registered in England and Wales with company number 14764377 whose registered address is at 1 Charterhouse Mews, London, England, EC1M 6BB (“CTP”); and

B.         the Publisher that has entered into CTP’s Publisher Terms (“Publisher”), (each a “party”, and together the “parties”).

In consideration of the mutual promises set out in this DPA and for other good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties each agree as follows:

1           Definitions and Interpretation

1.1       Unless otherwise defined in this DPA, words and phrases used in this DPA (including “Channel”, “Platform”, “Publisher Account” and “User”) shall have the meanings set out in the Publisher Terms.

1.2       In this DPA, the following words shall have the following meanings:

Data Protection Legislation

means any applicable privacy or data protection related laws and regulations, as amended, extended or re-enacted from time to time, including the following:

(a)         the UK Data Protection Legislation;

(b)         EC Directive 2002/58/EC on Privacy and Electronic Communications;

(c)         EC Regulation 2016/679 (the “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

(d)         Swiss Federal Act on Data Protection 1992 to be replaced by the Swiss Federal Act on Data Protection 2020 (when in force) (‘Swiss FADP”);

(e)         all local laws or regulations implementing or supplementing the EU legislation mentioned in (a) and (b) above; and

(f)         all codes of practice and guidance issued by national regulators relating to the laws, regulations and EU legislation mentioned in (a)–(e) above;

Data Sharing Policy

means the policy set out at Schedule 3, as may be updated or amended by CTP at any time;

International Transfer Requirements

means the requirements of Chapter V of the GDPR (transfers of personal data to third countries or international organisations)

Losses

means all liabilities, including: (a) costs (including legal costs), claims, demands, actions, settlements, charges, procedures, expenses, losses and damages (including costs of reinstating damaged or lost data, additional management costs incurred in dealing with a personal data breach (including costs of notifying a supervisory authority and/or affected data subjects in the event of a personal data breach)); and (b) to the extent permitted by applicable law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a supervisory authority or any other relevant regulatory authority; (ii) compensation to a data subject ordered by a supervisory authority, court or other tribunal of competent jurisdiction; and (iii) the costs of compliance with investigations by a supervisory authority or any other relevant regulatory authority;

Publisher Affiliate

means any entity that owns or controls, is owned by or controlled by, or is under common control or ownership with the Publisher;

Publisher Privacy Policy

means a privacy policy, notice or other similarly titled document in respect of each Channel that complies with the Transparency Requirements;

Relevant Transfer Mechanism

means: a) in respect of an EU Restricted Transfer, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”); b) in respect of a UK Restricted Transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under or pursuant to section 119A(1) of the Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms) (“UK Addendum”); or c) in respect of a Swiss Restricted Transfer, the EU SCCs provided that: (1) any references in the clauses to the GDPR or EU or Member State Law (or similar) shall refer to the FADP and/or other relevant Swiss law (as applicable); (2) the term 'Member State' must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU SCCs; and (3) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of Clause 13 of the EU SCCs (“Swiss SCCs”);

Restricted Country

means: (i) where the EU GDPR applies, a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a country outside the UK which is not based on adequacy regulations pursuant to UK DPA; and (iii) where Swiss FADP, applies, a country outside Switzerland which has not been recognized to provide an adequate level of protection by the Federal Data Protection and Information Commissioner;

Restricted Transfer

means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a Restricted Country (“EU Restricted Transfer”); (ii) where the UK GDPR applies, a transfer of personal data from the UK to a Restricted Country (“UK Restricted Transfer”); and (iii) where the Swiss FADP applies, a transfer of personal data from Switzerland to a Restricted Country (“Swiss Restricted Transfer”);

Shared Personal Data

means the personal data that CTP shares with the Publisher pursuant to, and in accordance with, clause 3;

Transparency Requirements

means the fair and transparent processing requirements set out in the Data Protection Legislation (including, Article 5(1)(a) and Articles 13 and 14 of the GDPR);

UK

means the United Kingdom;

UK Data Protection Legislation

means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018; and

UK GDPR

has the meaning given to it in the Data Protection Act 2018 (as amended from time to time).

1.3       References in this clause to “controller”, “data subject”, “personal data”, “personaldatabreach”, “process”, “processor”, “processing”, and “supervisoryauthority” shall have the same meaning as defined in GDPR.

1.4       A reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires, be construed as a reference to the UK GDPR and/or the equivalent Article or Chapter of the UK GDPR and/or analogous provisions under Swiss data protection legislation (as applicable).

1.5       Unless the context otherwise requires, references to clauses and to Schedules are to the clauses and Schedules of this DPA.

1.6       Any words following the terms including, include, in particular, for example or any similar expression shall be interpreted as illustrative and shall not limit the sense of the words preceding those terms.

1.7       Any reference to an English legal term for any action, remedy, method of judicial proceeding, legal document, legal status, court, official or any legal concept or thing shall, in respect of any jurisdiction other than England, be deemed to include a reference to that which most nearly approximates to the English legal term in that jurisdiction.

1.8       Any obligation on a party not to do something includes an obligation not to allow that thing to be done.

1.9       Unless the context otherwise requires, references to the Publisher shall be deemed to include any Publisher Affiliate that processes Shared Personal Data.

2           General

2.1       This DPA is incorporated into, and shall form part of, the Publisher Terms (which remains in full force and effect).

2.2       In the event of any conflict or inconsistency between the Publisher Terms and this DPA, this DPA prevails.

2.3       This DPA may be entered into through functionality made available on the Platform or via any other method of acceptance (including incorporation of this DPA into other documents that may be entered into by the parties).

2.4       This DPA will take effect on the date and time of Publisher’s acceptance of this DPA via functionality made available on the Platform or on the date that the parties otherwise signal their intention to be bound by this DPA (whichever is earlier).

2.5       This DPA will remain in effect for the duration of your agreement for a Publisher Account in accordance with the Publisher Terms, unless terminated earlier pursuant to either party’s right to terminate this DPA in accordance this DPA.

2.6       Where relevant. the Publisher shall procure that Publisher Affiliates comply with this DPA as if they were the Publisher and a party to this DPA. The Publisher shall be fully liable to CTP for any acts or omissions of its Publisher Affiliates under this DPA.

3           Shared Personal Data

3.1       This clause sets out the framework for the sharing of the Shared Personal Data by CTP with the Publisher.

3.2       CTP will make the Shared Personal Data available to the Publisher (via functionality made available via the Platform) in accordance with User consents obtained by CTP (on behalf of the Publisher) via the Platform. CTP will, at the point of obtaining such consents, make available a Publisher Privacy Policy in respect of each Channel (the contents and form of which are the sole responsibility of the Publisher, as further set out in clause 3.5, 3.6 and the Data Sharing Policy) to Users.

3.3       The parties acknowledge and agree that each party is an independent controller in respect of its processing of the Shared Personal Data. The details of the sharing, including a description of the Shared Personal Data and the purposes for which it is shared, are set out in Schedule 1. Each party shall, in respect of its processing of Shared Personal Data (at its own expense) comply with obligations applicable to it under the Data Protection Legislation.

3.4       The Data Sharing Policy sets out the principles, procedures and responsibilities that the Publisher shall (as a minimum) adhere to in respect of its processing of the Shared Personal Data. Publisher warrants, represents and undertakes, on a continuous basis, to comply with the Data Sharing Policy. For the avoidance of doubt:

(a)         the parties do not intend that the processing of the Shared Personal Data pursuant to this DPA is on a joint controller basis; and

(b)         the parties acknowledge and agree that the Data Sharing Policy does not constitute an ‘arrangement’ for the purposes of Article 26 of the GDPR.

3.5       Publisher acknowledges and agrees that it is solely responsible for ensuring that its processing of the Shared Personal Data complies with the Data Protection Legislation, including ensuring that the consents obtained by CTP and the transparency information set out in its Publisher Privacy Policy (as set out in clause 3.2), enable it to process the Shared Personal Data in a lawful, fair and transparent manner (Article 5(1)(a) of the GDPR).

3.6       For the avoidance of doubt, CTP makes no representation or warranty (express or implied) that:

(a)         Publisher’s processing of the Shared Personal Data complies with the Data Protection Legislation, including that there is a lawful basis and that Transparency Requirements have been met, in respect of Publisher’s processing of the Shared Personal Data; and

(b)         where CTP provides Publisher with a standard form of a Publisher Privacy Policy (as further described in the Data Sharing Policy), that such document meets the Transparency Requirements or otherwise complies with the Data Privacy Legislation. For clarity, Publisher acknowledges and agrees that (i) such a document may be provided solely for the purposes of CTP providing Publisher with assistance in meeting the Transparency Requirements; (ii) such document does not constitute advice from CTP to Publisher; and (iii) CTP disclaims all liability, and Publisher shall not be entitled to bring a claim against CTP, in respect of Publisher’s reliance on such document.

3.7       Publisher acknowledges and agrees that the Shared Personal Data is confidential information and, accordingly, shall maintain the confidentiality of the Shared Personal Data in accordance with the Publisher Terms. Publisher shall not share the Shared Personal Data except to third party service providers that process it as a processor.

4           Mutual assistance

4.1       Each party will provide such reasonable and necessary assistance as the other party reasonably requests in respect of the other party’s compliance with the Data Protection Legislation. In particular, each party will, without undue delay (and in any event within seventy-two (72) hours), notify the other party and provide such co-operation, assistance and information as the other party may reasonably require if it receives:

(a)         any complaint, notice or communication (including from a supervisory authority or a data subject, and whether written or verbal) which relates directly or indirectly to the processing of the Shared Personal Data; or

(b)         any request from (or on behalf of) a data subject exercising their rights under the Data Protection Legislation in relation to the Shared Personal Data.

4.2       In the event that Publisher sustains a personal data breach affecting the Shared Personal Data, Publisher shall:

(a)         not make any public announcements relating to the personal data breach that may adversely affect CTP; and

(b)         take all reasonable and appropriate corrective action as may be requested by CTP, including providing notice to data subjects whose personal data may have been affected by such personal data breach (whether or not such notice is required by the Data Protection Legislation).

5           Restricted Transfers [MH1]

5.1       The parties acknowledge and agree that to the extent the transfer of Shared Personal Data from CTP to the Publisher (or to any Publisher Affiliate) is considered a Restricted Transfer, the parties shall rely on the applicable Relevant Transfer Mechanism to transfer the Shared Personal Data from CTP to the Publisher (or to any Publisher Affiliate).

5.2       Accordingly each party agrees that by entering into this DPA, the Relevant Transfer Mechanism shall be deemed agreed, incorporated by reference into this DPA and executed by each of the parties acting on their own behalf (and, in the case of Publisher, on behalf of relevant Publisher Affiliates, where applicable) without the need for any further signature from either party (or any Publisher Affiliate), with CTP being the data exporter and Publisher (and any relevant Publisher Affiliate) being the data importer.

5.3       EU Transfers: For the purpose of the EU SCCs, the following provisions shall apply: (i) the Module One terms are selected; (ii) in Clause 7 , the optional docking clause shall not apply; (iii) in Clause 11] , the optional language does apply; (iv) in Clause 17, Option 1 applies and the EU SCCs are governed by The Republic of Ireland law; (v) in Clause 18(b) disputes will be resolved before the courts of The Republic of Ireland, (vi) in Annex I.A and Annex I.B, the details of the parties and the transfer are deemed populated with the relevant information set out in the Publisher Terms, this DPA and the Publisher Privacy Policy (as applicable); (vii) in Clause 13(a) and Annex I.C, The Republic of Ireland's Data Protection Commissioner] will act as competent supervisory authority; and (viii) in Annex II, the description of the technical and organisational security measures shall be in accordance with Schedule 2.

5.4       UK Transfers: For the purpose of the UK Addendum, the following provisions shall apply: (i) the Module One terms are selected; (ii) in Clause 7[LR6] , the optional docking clause shall not apply; (iii) in Clause 11[LR7] , the optional language does apply; (iv) the information required for Table 1 of the UK Addendum (including relevant company and key contact details) shall be provided as set out in the Publisher Terms, this DPA and the Publisher Privacy Policy (as applicable); (v) The Appendix information required for Table 3 of the UK Addendum is set out in Schedules 1 and 2; and (vi) for the purpose of Table 4 of the UK Addendum, the parties agree that [LR8] only the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum. Any other transfer mechanism requirement, such as a Transfer Risk Assessment, shall be undertaken.

5.5       The Relevant Transfer Mechanism shall cease to apply to the processing of Shared Personal Data if and to the extent that the relevant transfer of the personal data ceases to be a Restricted Transfer.

5.6       The parties acknowledge and agree that the Relevant Transfer Mechanism may not, in isolation, ensure that the Publisher’s processing complies with the International Transfer Requirements. Accordingly, the Publisher shall, promptly on CTP’s request, whether prior to the Restricted Transfer or otherwise, implement and maintain such supplementary measures in respect of the Restricted Transfer to ensure the Restricted Transfer complies with the International Transfer Requirements (including applicable technical, contractual and organisational supplementary measures recommended by the European Data Protection Board as set out in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on 18 June 2021 as may be updated, amended or replaced from time to time), or such other measures or safeguards as may be otherwise required by CTP (“Supplementary Measures”).

5.7       If the Relevant Transfer Mechanism ceases to exist or is no longer considered by either party to be a lawful method of complying with the International Transfer Requirements for any reason, the Publisher shall cease (and procure that any relevant third party ceases) all substantive processing of such personal data until such time as the Publisher has, in accordance with CTP’s instructions, entered into an alternative transfer mechanism and/or put in place such Supplementary Measures and/or safeguards to comply with the International Transfer Requirements.

5.8       Subject to clause 5.9, if CTP determines (acting reasonably) that it is not feasible to put in place such an alternative transfer mechanism and/or Supplementary Measures and/or safeguards to enable compliance with the International Transfer Requirements, CTP may at its discretion:

(a)     require the Publisher to (and/or procure that any relevant third party processors) to only process the Shared Personal Data in certain jurisdictions and/or subject to certain other restrictions, supplementary measures and/or safeguards;

(b)     delete (or procure the deletion of) and/or destroy the Shared Personal Data such that it is no longer processed in the relevant Restricted Country; and/or

(c)     immediately terminate this DPA and cease the sharing of the Shared Personal Data on written notice.

5.9       Where the Publisher is unable to comply with clause 5.8 because of local laws applicable to the Publisher that prohibit such compliance, the Publisher undertakes that it will use all reasonable efforts to ensure compliance with this DPA and will only process the relevant Shared Personal Data to the extent and for as long as required under that local law.

No conflict

5.10     In the event of a conflict between a Relevant Transfer Mechanism and any other provision of this DPA, the Relevant Transfer Mechanism shall prevail. For the avoidance of doubt, nothing in this DPA is intended to contradict the provisions of the Relevant Transfer Mechanism.

6           Liability and Payment of Compensation

6.1       The Publisher shall indemnify and keep indemnified CTP on demand against any and all Losses suffered or incurred by, awarded against or agreed to be paid by CTP arising from or in connection with:

(a)         the Publisher’s breach of its obligations under this DPA;

(b)         the Publisher’s breach of Data Protection Legislation; and

(c)         any claim, complaint or action brought by a data subject, supervisory authority or another third party arising from or related to a breach by the Publisher of this DPA or Data Protection Legislation.

6.2       The exclusions and limitations of liability set out in the Publisher Terms shall apply to this DPA.

7           Termination

7.1       In the event the Publisher is in breach of its obligations under this DPA, CTP may instruct the Publisher to temporarily suspend the processing of Shared Personal Data until the Publisher complies with this DPA. The Publisher shall promptly inform CTP if it is unable to comply with this DPA.

7.2       Without prejudice to any termination rights set out in the Publisher Terms, CTP shall be entitled to terminate this DPA where:

(a)         the processing of Shared Personal Data by the Publisher has been temporarily suspended by CTP pursuant to clause 7.1 and compliance with the DPA has not been restored within a reasonable time and in any event within one month;

(b)         the Publisher is in breach of the DPA or its obligations under the Data Protection Legislation; and/or

(c)         the Publisher fails to comply with a binding decision of a competent court or supervisory authority (including the ICO) regarding its obligations under the DPA or the applicable Data Protection Legislation.

7.3       Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this DPA shall remain in full force and effect.

7.4       Termination of this DPA, for any reason, shall not affect the accrued rights, remedies, obligations or liabilities of the parties existing at termination.

8           Miscellaneous

8.1       This DPA and the Publisher Terms constitute the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior agreements or representations, oral or written, regarding such subject matter.

8.2       This DPA and all disputes arising out of or relating to this DPA will be interpreted, construed and enforced in accordance with the laws of the England and Wales.

8.3       Each party irrevocably consents to the exclusive jurisdiction of the courts of England and Wales over all such disputes and claims under this DPA and all actions to enforce such claims or to recover damages or other relief in connection with such claims under this DPA except to the extent that Data Protection Legislation requires otherwise.

By entering into this DPA in accordance with clause 2.3, the parties acknowledge that they have read and understood the terms of this DPA and agree to be legally bound by them.

Schedule 1

Description of Transfer

Categories of Data Subjects whose personal data is transferred

The Shared Personal Data relates to Users of the Platform that have subscribed to the Publisher’s Channel, and who have elected to share their personal data with the Publisher for the purposes described below.

Categories of personal data transferred

The Shared Personal Data may include (in accordance with User preferences):

·   Email address; and

·   Data Profile (first name; last name; gender; date of birth; post/zip code; and country)

Sensitive data transferred

Not applicable.

The frequency of the transfer

The Shared Personal Data will be transferred on a continuous basis and at regular intervals, in accordance with the Data Sharing Policy set out at Schedule 3.

Nature of the processing

The Shared Personal Data will be downloaded by the Publisher via the Platform, and subsequently used by the Publisher for the purposes described below.

Purpose(s) of the data transfer and further processing

·   Email address is transferred for the purposes of the Publisher sending email marketing communications to the User (in accordance with consents obtained from the User via the Platform).

·   Data Profile is transferred for the purposes of the Publisher personalising the marketing emails referred to above.

Duration of the Processing

The Shared Personal Data will be processed for the duration of the Publisher’s advertising and marketing activities and in accordance with the Data Sharing Policy set out at Schedule 3.

The Publisher will cease its processing of the Shared Personal Data in the event that its Publisher Account is terminated.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The Publisher will retain the Shared Personal Data in accordance with the Data Sharing Policy set out at Schedule 3.

Transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

The Publisher may transfer the Shared Personal Data to processors to support the purposes described above.

Schedule 2

Security measures

Description of the technical and organisational measures implemented by the Publisher(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

1. Technical Measures

·   implement industry standard firewalls, malware scans, anti-virus protection, patches and ensure regular updates to all software.

·   implement protections to secure portable storage media and mobile computing devices from damage, destruction, theft or unauthorised access or copying.

·   ensure that any device that is used to store or access Shared Personal Data shall have the entire device encrypted to an appropriate standard.

·   ensure that all devices used to store or access the Shared Personal Data utilise a secure access method (e.g. an appropriately strong passphrase/PIN), and that devices shall automatically lock after 15 minutes of inactivity.

·   ensure appropriate detection, prevention and recovery controls to protect against malicious code in all systems used to store or process Shared Personal Data.

·   ensure system security configuration is implemented in accordance with industry best practice.

·   segregate Shared Personal Data (servers/applications/physical environment) from the Publisher's other data.

2. Organisational measures

Publisher shall:

·   incorporate “Privacy by Design” principles into all systems and processes and have in place organisational measures and policies enforced by controls, reviews and audits to ensure consistency in the protection of Shared Personal Data throughout the full cycle of processing, including an information security policy, documented business continuity plan, compliance plans and risk assessment process, together with a demonstrable culture of security and data protection awareness, including regular and ongoing training.

·   ensure the permanent and secure disposal of paperwork and devices that contains Shared Personal Data.

·   ensure access to Shared Personal Data is granted on a role based policy without blanket access to all employees, and you will implement suitable key management procedures.

·   implement robust measures and protocols for securing access to any office or building, including CCTV, security lighting and alarms, and access logs.

·   have in place appropriate policies and procedures for granting access to Shared Personal Data to any person, including in relation to legal orders for third party access to personal information.

Schedule 3

Data Sharing Policy

CTP takes the privacy of its Users seriously and requires all Publishers that receive Shared Personal Data to process it in accordance with the following principles and requirements, to help ensure that the privacy of Users is respected and to ensure that the Publisher does not bring CTP or the Platform into disrepute:

Lawfulness

Publisher shall process the Shared Personal Data in accordance with consents obtained by CTP on behalf of the Publisher via the Platform.

Publisher acknowledges that such consents may be withdrawn from Users at any time via the Platform. Accordingly, Publisher shall regularly check the status of such consents by refreshing the Shared Personal Data in accordance with the accuracy principle (below).

Publisher shall also provide Users with the ability to communicate their withdraw of consent directly with the Publisher, including:

-  by including an ‘unsubscribe’ (or similar) link in all marketing communications that the Publisher sends to Users; and

-  by having in place effective policies and procedures to give effect to the rights of data subjects (as set out in Chapter 3 of the GDPR); and

-  informing data subjects, in its Publisher Privacy Policy, of such rights and the means through which they can be exercised against the Publisher.

Where Users communicate their withdrawal of consent directly to the Publisher (including as described above), Publisher will:

-  promptly action that withdrawal of consent; and

-  separately and independently maintain a suppression list of Users that have withdrawn their consent; and

-  retain only the email address (for the purposes of operating the suppression list) and will delete the User’s Data Profile; and

-  screen any further Shared Personal Data that it receives via the Platform against such suppression list (and will not retain or use any Shared Personal Data relating to Users that appear on such suppression list).

For the avoidance of doubt:

-  Publisher acknowledges that such direct withdrawals of consent will not be communicated to CTP, and Publisher must at all times honour such withdrawals notwithstanding any conflicting consents that are indicated through the Platform from time to time.

-  Where consents have been withdrawn from Users (whether through the Platform or directly), Publisher must cease its processing of the Shared Personal Data (save for the purposes of operating a suppression list, as set out above).

Fairness and Transparency

Publisher shall, via functionality made available on the Platform, provide CTP with a Publisher Privacy Policy for each of its Channels that complies with the Transparency Requirements (including provision of full and accurate details of the controller that is responsible for the processing of the Shared Personal Data).

Where Publisher does not have a Publisher Privacy Policy, CTP may make available a standard form of such document, which Publisher will populate (or which CTP may populate on Publisher’s behalf) with the Publisher’s details (including identification of the relevant controller). Notwithstanding the foregoing, Publisher acknowledges and agrees that it is solely responsible for its Publisher Privacy Policy, including ensuring that such document meets the Transparency Requirements and fully reflects Publisher’s processing of Shared Personal Data.

Purpose limitation

Publisher shall ensure that it processes the Shared Personal Data solely for the purposes referred to in Schedule 1 (“Agreed Purposes”), and that such purposes are disclosed in its Publisher Privacy Policy.

For the avoidance of doubt, Publisher is entitled to:

-  send email marketing communications relating to its Channel(s) where Users have provided Publisher with consent to send such marketing communications in respect of the relevant Channel(s);

-  use a User’s Data Profile to personalise the marketing communications referred to above where Users have provided Publisher with consent to use such Data Profile and where the Publisher also holds a consent to send the marketing communications referred to above.

The Publisher will not process the Shared Personal Data for any other purpose, including but not limited to custom audience advertising activities (i.e. sharing User personal data with third party platforms to march and target Users via such platforms).

Data Minimisation (including use of Users’ Data Profile):

Publisher shall only download that personal data that it will use for the Agreed Purposes. [MH10] For example, if Publisher does not use gender to personalise advertising or marketing materials, Publisher will not download this part of Users’ Data Profile.

In addition, Publisher acknowledges that the processing of a User’s Data Profile is contingent on the Publisher having consent to send direct marketing to the User. Where the Publisher does not hold such a direct marketing consent, the processing of the User’s Data Profile will neither be relevant nor necessary for the purposes described in this Data Sharing Policy.

Accuracy:

Publisher shall regularly (at least every 7 days, or at more frequent intervals) refresh the Shared Personal Data by downloading a file, which will be made available via the Platform, containing the Current consents (i.e. a file containing details of all consents that are currently active (Status = 'Current_Email_opt_in', 'Current_Data_opt_in').

Storage Limitation

Publisher will delete Shared Personal Data where consents are withdrawn or where the Publisher Account is terminated.

For the avoidance of doubt, Publisher shall no longer be entitled to process the Shared Personal Data for the Agreed Purpose if its Publisher Account is terminated for any reason.

Integrity and Confidentiality

Publisher shall process the Shared Personal Data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (including those described in Schedule 2).

Accountability

Publisher shall maintain adequate records in respect of its processing of the Shared Personal Data and of its compliance with its obligations set out in this DPA (“Records”).

On request, Publisher shall promptly supply the Records to CTP, its third-party representatives or a supervisory authority or its third party representatives.

To the extent necessary to assess Publisher’s compliance with this DPA, Publisher shall, on reasonable notice and during normal business hours (but without notice in case of any reasonably suspected breach of this DPA by the Publisher), allow for and contribute to audits conducted by CTP (or its third-party representatives), including inspections of relevant premises and processing facilities.