Your use of Motorik’s advertising marketplace, Demand Side Platform and/or Supply Side Platform (hereinafter the “Ad Marketplace”) is governed by Your contract with Motorik, which requires compliance with this Motorik EU Data Processing Addendum (hereinafter the “DPA”) as it may be updated by Motorik from time to time. In case You are participating on the supply side (either publisher or SSP), please refer to the Publisher’s part of this DPA; in case your participation refers to the demand side (an advertiser or DSP) please refer to the “Demand Partner Data Processing Addendum”. The obligations set forth herein are the minimum standards for You wishing to participate in the Ad Marketplace. Motorik may update this DPA at any time and without prior notice. All amendments will be posted to this website located at www.motorik.io (hereinafter the “Website”) and will be effective when posted without any notice to You. By using the Motorik’ Advertising Marketplace following such posting, You agree to any updated version of this DPA. With respect to ensuring compliance with the foregoing, please note that Motorik reserves the right to suspend or remove sites and/or advertisers/website publishers from the Ad Marketplace if it reasonably suspects or determines, in its sole discretion, that any of this Motorik EU Data Processing Addendum rules/policies have been violated.
This Publisher Data Processing Addendum (hereinafter the “DPA“) is entered into by and between Motorik sp. z.o.o., a limited company registered under the laws of Poland and having it’s registered address at: ul.Twarda 44, 00-831 Warsaw, Poland (hereinafter the “Motorik”) and you (hereinafter the “Publisher” or “You”), supplements and forms part of Motorik Publisher’s Agreement (hereinafter the “Principal Agreement”) or other written or electronic agreement, between Motorik and Publisher (or SSP or any other supply side partner) to reflect the parties’ agreement with regard to the processing of personal data. This DPA is effective as of the date of Motorik Publisher’s Agreement entered into (“Effective Date”).
The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Principal Agreement.
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data
“Processor” means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the Controller;
"Sub-processor" means any person appointed by or on behalf of Motorik to process the Personal Data on behalf of Motorik in connection with the Principal Agreement; and
“Demand Partners” means Motorik’ media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies and ad networks
“European Data Protection Law” means as applicable to a party in its Processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; in each case, as may be amended, superseded or replaced from time to time
“Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, Iceland, Lichtenstein, Norway and Switzerland
“Personal Data” means any information which are related to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable European Data Protection Law
“Privacy Requirements” means: (i) European Data Protection Law, as applicable to Publisher, Motorik, its Demand Partners, and their respective processing of Data under this DPA; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA) and the Network Advertising Initiative (NAI) (in each case, as amended, superseded or replaced)
“Publisher Property” means the websites, mobile applications and/or other digital media properties owned or operated by the Publisher and accessible through the Motorik Services or via which the Personal Data used in connection with the Motorik Services is collected
“Motorik Services” means Motorik’ online advertising services, products, and features
“Motorik Privacy Policy” means the Motorik privacy policy available at www.motorik.io/privacy-policy (as updated or amended from time to time)
“Standard Contractual Clauses” means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission’s decision C(2004) 5271 of 27 December 2004
“New SCCs” means: the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
“Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors etc;
The terms "Commission", "Member State", "Personal Data Breach", "Supervisory Authority", “Data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law.
Any other terms not stated herein shall have the meanings given to them in European Data Protection Law.
The parties agree that, unless otherwise agreed between the parties in connection with the Motorik Services, Motorik may receive from Publisher data (including Personal Data) about or related to end users of the Publisher Properties as more particularly described in Annex B of this DPA (collectively, “Data”). The parties agree that Motorik (and its Demand Partners) may process the Data for the purposes contemplated by the Principal Agreement.
The parties also agree that at the moment of the registration Publisher may provide data (including Personal Data) about or related to its personnel as more particularly described in Annex B of this DPA (hereinafter the “Publisher’s Personnel Data”).
Publisher hereby expressly agrees that both Motorik and any of its Demand Partners do not have direct relationship with any data subject visiting the Publisher Properties or viewing ads delivered to the Publisher Properties through the Motorik Services. Thus, in each case where consent is the lawful basis for processing the Personal Data pursuant to the Privacy Requirements, Publisher agrees that it shall be responsible for obtaining all necessary consents from the relevant data subjects on behalf of applicable Demand Partners (acting as the Data Controller) to lawfully permit Motorik and all applicable Demand Partners to collect, process and share Data via the Motorik Services for Prescribed Purposes and in connection with the performance of the Motorik Services. Publisher represents and warrants that it shall, at all times maintain and make operational on Publisher Properties a mechanism for obtaining and recording such consent and that enables such consent to be withdrawn, in accordance with applicable Privacy Requirements.
The parties hereby agree that for the purposes of the processing of the Publisher’s Personnel Data, the legal basis will be the Principal Agreement between the parties.
Publisher agrees that it is responsible for ensuring that all data subjects are appropriately notified about the data collection and use practices on the Publisher Properties through the Motorik Services. Publisher represents and warrants that it shall prominently post, maintain and comply with a publicly available privacy notice regarding all Publisher Properties from which the Data is collected that satisfies the requirements of the Privacy Requirements and this DPA.
The beforementioned notice shall at a minimum include the following information:
Publisher shall not include or launch any Publisher Property on any of the Motorik Services if such Publisher Property is directed at or likely to be accessed by any data subject that is deemed to be a child under applicable Privacy Requirements of the country in which this child resides. Publisher shall flag within the Motorik Services or inform Motorik in writing prior to launching any of such Publisher Properties on any of the Motorik Services and/or pass to Motorik or its Demand Partners any Personal Data of any data subject that is deemed a child under applicable European Data Protection Law.
If Publisher is unable to comply with its consent and notice obligations under the Agreement (including this DPA) in respect of the Data, Publisher shall promptly notify Motorik.
The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to:
Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this DPA, the parties agree to share information in order to ascertain the cause of such non-compliance and take reasonable steps to correct.
Publisher shall notify Motorik without undue delay upon Publisher or any its sub-processors becoming aware of a Personal Data Breach affecting Personal Data, providing Motorik with sufficient information to inform its sub-processors/Demand Partner; Publisher shall also inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Such notification shall as a minimum:
Publisher shall co-operate with Motorik and take such reasonable commercial steps as are directed by Motorik to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Publisher shall inform Motorik the contact details of an individual authorized to respond to enquiries regarding the Data. Publishers hereby guarantees to deal with any and all enquiries regarding the Data promptly. The individual within Motorik authorised to respond from time to time to enquiries regarding the Data can be contacted via: dpo@motorik.io
In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the Motorik Services, the means by which the Motorik Services are provided or used and/or terms and conditions of this DPA, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (where email will be sufficient) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause a material harm to any party (which includes for the avoidance of doubt, causing a party to be in breach of European Protection Law) or materially alter any party’s provision or use (as applicable) of the Motorik Services, such party may terminate the Agreement for the affected Motorik Services upon written notice without liability for such termination.
The parties hereby covenant and guarantee to implement appropriate technical and organizational security measures to protect the copy of the Data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, non-authorized disclosure or access to the Data.
Name:
Motorik sp. z.o.o.
Address:
ul.Twarda 44, 00-831 Warsaw, Poland
Contact person’s name, position and contact details:
DPO, contactable at dpo@motorik.io
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See Principal Agreement
Role (controller/processor):
Processor or Sub-processor
Name:
See Principal Agreement
Address:
See Principal Agreement
Contact person’s name, position and contact details:
See Principal Agreement
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See Principal Agreement
Role (controller/processor):
Controller or Processor
Name:
Motorik sp. z.o.o.
Address:
ul.Twarda 44, 00-831 Warsaw, Poland
Contact person’s name, position and contact details:
DPO, contactable at dpo@motorik.io
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See DPA
Role (controller/processor):
Controller
Name:
See Principal Agreement
Address:
See Principal Agreement
Contact person’s name, position and contact details:
See Principal Agreement
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See DPA
Role (controller/processor):
Processor
Defined terms are as set out in the Publisher Data Processing Addendum agreed between the parties.
Categories of Data Subjects whose Personal Data is transferred:
Categories of Personal Data transferred:
End users:
Publisher Personnel:
Recipients:
Sub-contractors, supervisory authority
Sensitive data transferred (if applicable):
None.
Frequency of the transfer:
End Users – Continuous
Publisher Personnel – Only at the moment of registration and when required to update the information.
Nature of the Processing: The provision of the Motorik Services.
Purpose(s) of the data transfer and further processing:
End Users: For the Prescribed Purposes (as defined in this DPA)
Publisher Personnel: For business relationship and account management purposes.
Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained in accordance with the Motorik Privacy Policy (https://motorik.io/privacy-policy)
Contact points for data protection enquiries:
Data Importer: See Annex A
Data Exporter: See Annex A
Competent Supervisory Authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”). With respect to UK Data, the competent supervisory authority is the Information Commissioners Office (the “ICO”).
The technical and organizational security measures implemented by Motorik to maintain an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:
Type of measure | Terms |
---|---|
Measures for ensuring confidentiality | Motorik has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans |
Measures for ensuring ongoing availability and adaptability of services |
Motorik maintains personal data availability through a variety of technical, physical, and administrative measures. Examples of these measures include: secured and monitored operational sites; processes and policies for topics such as incident response and review, and vendor review |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Further measures include regular backups and disaster recovery plans |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | At least once a year, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices |
Measures for user identification and authorisation |
Motorik has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request Motorik has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized personnel with a “need to know” |
Measures for the protection of Data during storage |
Motorik does not process any sensitive personal information, personal data processing is limited in scope and cannot be directly identified with a natural person by Motorik Data is only stored for as long as necessary for legitimate business purposes |
Measures for ensuring physical security of locations at which personal data are processed |
Facilities involved in the processing of data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, firewalls and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver services under the Principle Agreement Motorik provides personnel who access personal data with appropriate information security and data protection training |
Measures for allowing data portability and ensuring erasure | Motorik has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. |
This Demand Partner Data Processing Addendum (hereinafter the “DPA“) is entered into by and between Motorik sp. z.o.o., a limited company registered under the laws of Poland and having it’s registered address at: ul.Twarda 44, 00-831 Warsaw, Poland (hereinafter the “Motorik”) and you (hereinafter the “Demand Partner” or “You”), supplements and forms part of the Principal Agreement or any other written or electronic agreement referencing to this DPA between Motorik and Advertiser (or DSP or any other demand side partner) to reflect the parties’ agreement with regard to the processing of personal data. Motorik and Demand Partner have entered into a master contract, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Principal Agreement”), under which Demand Partner may purchase digital advertising inventory via Motorik’s services (the “Motorik Services”). This DPA is effective as of the date of the Principal Agreement entered into (hereinafter the “Effective Date”). Capitalized terms used in this DPA shall have the meanings given to them in the main body of the Principal Agreement unless otherwise defined in this DPA. Motorik is a provider of a technology platform which engages in the provision of auction of purchases of digital advertising inventory. Demand Partner is a provider of an advertiser, agency, demand-side platform or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory. The parties have entered into this DPA to ensure that in sharing such personal data pursuant to the Principal Agreement, they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
"Sub-processor" means any person appointed by or on behalf of Demand Partner to process Personal Data on behalf of Demand Partner in connection with the Principal Agreement; and
“Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
“European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
“Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom and Switzerland;
“Industry Rules” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols;
“Model Clauses” means the Standard Contractual Clauses;
“Standard Contractual Clauses” means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission’s decision C(2004) 5271 of 27 December 2004;
“New SCCs” means: the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
“Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors etc;
“Standard Contractual Clauses” means: (i) the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto (the “EU SCCs”) and (ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being in force in the United Kingdom (the “UK SCCs”);
The terms "Commission", "Member State", "Personal Data Breach", "Supervisory Authority", “Data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law.
The parties agree that unless otherwise agreed between the parties, based on the Principal Agreement signed between the parties Motorik will submit to Demand Partner the Motorik Services and/or Demand Partner may otherwise collect or receive certain data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such data (as described in the Principal Agreement) may contain personal data, as more particularly described in Annex A (collectively, the “Data“).
The parties also agree that at the moment of the registration Demand Partner may provide data (including Personal Data) about or related to its personnel as more particularly described in Annex B of this DPA (hereinafter the “Demand Partner’s Personnel Data”).
Demand Partner shall notify Motorik without undue delay upon Demand Partner or any its sub-contractors becoming aware of a Personal Data Breach affecting Personal Data, providing Motorik with sufficient information to inform its sub-processors; Demand Partner shall also inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Such notification shall as a minimum:
Demand Partner shall co-operate with Motorik and take such reasonable commercial steps as are directed by Motorik to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Name:
Motorik sp. z.o.o.
Address:
ul.Twarda 44, 00-831 Warsaw, Poland
Contact person’s name, position and contact details:
DPO, contactable at dpo@motorik.io
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See DPA
Role (controller/processor):
Processor or Sub-processor
Name:
See Principal Agreement
Address:
See Principal Agreement
Contact person’s name, position and contact details:
See Principal Agreement
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See Principal Agreement
Role (controller/processor):
Controller or Processor
Name:
Motorik sp. z.o.o.
Address:
ul.Twarda 44, 00-831 Warsaw, Poland
Contact person’s name, position and contact details:
DPO, contactable at dpo@motorik.io
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See Principal Agreement
Role (controller/processor):
Controller
Name:
See Principal Agreement
Address:
See Principal Agreement
Contact person’s name, position and contact details:
See Principal Agreement
Activities relevant to the data transferred under these Clauses:
See Annex B (description of Transfer) below.
Signature and date:
See Principal Agreement
Role (controller/processor):
Processor
Defined terms are as set out in the Demand Partner Data Processing Addendum agreed between the parties
Categories of Data Subjects whose Personal Data is transferred:
Categories of Personal Data transferred:
End users:
Demand Partner’s Personnel:
Recipients: sub-contractors, supervisory authority
Sensitive data transferred (if applicable): None.
Frequency of the transfer:
End Users – Continuous
Demand Partner’s Personnel – Only at the moment of registration and when required to update the information.
Nature of the Processing: Personal data transferred will be processed in accordance with the Principal Agreement (including this DPA) and may be subject to the following processing activities:
Purpose(s) of the data transfer and further processing:
End Users: To enable Data Importer to process the Data solely for purposes expressly permitted under the Principal Agreement and in a manner that complies with the European Data Protection Law (the “Prescribed Purposes”)
Demand Partner’s Personnel: For business relationship and account management purposes.
Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Data Importer will not, and will not permit any third party, to retain the Data for longer than the period during which the Data Importer has a lawful basis to retain the Data for the Prescribed Purposes and in compliance with the European Data Protection Law.
Contact points for data protection enquiries:
Data Exporter: See Annex A
Data Importer: See Annex A/Principal Agreement
Competent Supervisory Authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”). With respect to UK Data, the competent supervisory authority is the Information Commissioners Office (the “ICO”).
The technical and organizational security measures implemented by Demand Partner to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:
Type of measure | Terms |
---|---|
Measures for ensuring confidentiality | Demand Partner has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans. |
Measures for ensuring ongoing availability and adaptability of services |
Demand Partner maintains personal data availability and resilience through a variety of technical, physical, and administrative measures. Examples of these measures include: secured and monitored operational sites; processes and policies for topics such as incident response and review, and vendor review |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Further measures include regular backups and disaster recovery plans |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures in order to ensure the security of the processing | At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices |
Measures for user identification and authorization |
Demand Partner has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request. Demand Partner has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”. |
Measures for the protection of Data during storage |
As per the Principal Agreement, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope and cannot be directly identified with a natural person by Demand Partner Data is only stored for as long as necessary for legitimate business purposes. |
Measures for ensuring physical security of locations at which personal data are processed |
Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement. Demand Partner provides personnel who access personal data with appropriate information security and data protection training. |
Measures for ensuring accountability |
Demand Partner has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes at least a personal data breach policy and appointment of a data protection officer (DPO). The foregoing measures are regularly reviewed (at least once a year) and updated to ensure alignment with applicable law and industry standards. |
Measures for allowing data portability and ensuring erasure | Demand Partner has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. |