Data Policy

This Data Processing Policy (“DPP”) forms part of the applicable (a) ION Exchange Publisher Terms, (b) Web & Mobile, TV, Outdoor Advertising Service Agreements, and/or (c) other mutually executed written agreement(s) between Company (as identified in the applicable agreement(s)) and ION Exchange, Inc. (“ION Exchange”) (the “Agreement”), pursuant to which Company transfers Personal Data (as defined herein) to and shares Personal Data with ION Exchange, as further described in the Agreement and in this DPP. The parties agree to comply with the following provisions with respect to Personal Data provided or made available by Company to ION Exchange.
References to the Agreement will be construed as including this DPP, and, except as modified below, the terms of the Agreement shall remain in full force and effect. Any capitalized terms not defined herein shall have the meanings given to them in the Agreement. In the event of any conflict between this DPP and the Agreement, this DPP will prevail. Reference to the Agreement includes any exhibits, work orders, SOWs, documentation, or other addenda incorporated into the Agreement.
For purposes of this DPP, and as further described below, the parties acknowledge that each party is a Data Controller of the Personal Data that it collects, Processes, or employs to deliver its services.
  1. DEFINITIONS
    “Binding Corporate Rules” shall mean any internal corporate rules approved pursuant to the EU cooperation procedure that enable international transfers in compliance with Articles 25 and 26 of the European Union (“EU”) Data Protection Directive (Directive 95/46/EC) or Article 47 of the GDPR.
    “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPP, each party is a Data Controller of the Personal Data that it collects, Processes, or employs to deliver its services, absent a further amendment that sets forth circumstances in which either party is a Data Processor.
    “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
    “Data Protection Laws” means all applicable laws and regulations, including, without limitation, the laws and regulations of the EU applicable to the Processing of Personal Data, such as: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC), including subsequent variations, such as the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (“ePrivacy Regulation”), if enacted; and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
    “Data Subject” means the individual to whom Personal Data relates. The categories of Data Subjects under the Agreement include (i) end-users accessing Company’s Web & Mobile applications and/or sites and (ii) recipients of the Web & Mobile advertisements from ION Exchange’s demand partners.
    “Personal Data” means any information relating to an identified or identifiable person Processed pursuant to the Agreement and as to which a party is a Data Controller. The types of Personal Data under the Agreement may include Web & Mobile advertising identifiers, precise geolocation (if provided by Company to ION Exchange), IP addresses, and other unique identifiers.
    “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce.
    “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
    “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
    “Transfer” means the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity, or system located in a country or jurisdiction other than the country or jurisdiction where the Personal Data originated from.
  2. PURPOSE OF PROCESSING
    2.1
    Company and ION Exchange are parties to the Agreement, under which Company provides Personal Data (such as Web & Mobile advertising identifiers, IP addresses and/or precise location data) to ION Exchange. Company and ION Exchange each shall Transfer and Process such Personal Data only for the purposes described in the Agreement and this DPP, or as otherwise agreed in writing by the parties.
    2.2
    The parties agree that ION Exchange may Process the Personal Data for its own purposes, including to provide services for the benefit of other platforms and clients.
    2.3
    Neither party shall have responsibility for Processing special categories of Personal Data, as referenced in Article 9 of the GDPR. Neither party shall provide the other with any special categories of Personal Data.
  3. CONTROLLER OBLIGATIONS
    3.1
    Each party shall comply with all applicable laws, including Data Protection Laws.
    3.2
    As further set forth herein, the parties agree that when either party acts as a Data Controller of Personal Data, it will fulfill all duties required of Data Controllers under Data Protection Laws, including, without limitation (as applicable), with regard to determining the legal basis or bases for their collection or Processing of Personal Data, providing sufficient notice to Data Subjects, appointing a data protection officer, managing and reporting Security Incidents, ensuring that rights of Data Subjects are honored, Transferring Personal Data, contracting with only those Data Processors that provide adequate protections for Personal Data, implementing required and appropriate contractual language in agreements with Data Processors and other Data Controllers, maintaining records of Processing, and conducting data protection impact assessments.
    3.3
    Each party shall have the sole obligation (as between the parties) to receive and manage Data Subject requests regarding its Personal Data, including without limitation any request to access, correct, amend, restrict Processing of, port, object to the Processing of, block, or delete Personal Data. If applicable, and to the extent legally permitted, the parties shall provide each other with reasonable cooperation and assistance in relation to handling of a Data Subject’s request.
  4. PRIVACY POLICY DISCLOSURES
    4.1
    Each party shall designate a contact point for Data Subjects in its publicly posted privacy policy.
    4.2
    Each party shall post a privacy policy on its website and in its Web & Mobile applications that reflects the nature of the relationship and sharing of data between the parties.
  5. OBLIGATIONS SPECIFIC TO OBTAINING CONSENT FROM DATA SUBJECTS
    5.1
    Company represents that it has implemented a consent mechanism or process (such as a consent screen or check-box) that is legally sufficient, where applicable, for purposes of compliance with Data Protection Laws, in that it permits Data Subjects to provide consent that is freely given, informed, specific, and unambiguous.
    5.2
    ION Exchange uses Web & Mobile device identifiers and geolocation data (“Device Data”) to provide its services, including for the purpose of tracking Data Subject interactions for digital advertising. Company shall, and as applicable shall contractually require its data sources to, implement appropriate notice and consent mechanisms upon its digital properties so that ION Exchange can capture applicable Personal Data lawfully through such digital properties in order to perform its services under the Agreement.
    5.3
    Each party shall use and honor any applicable signals and OpenRTB specifications that are passed to the other party, including any signal regarding (a) COPPA flagging, (b) GDPR consent, or (c) Web & Mobile device-based opt-outs. Company shall not provide to ION Exchange Device Data regarding any device that has opted out through device settings unless it also provides any accompanying opt-out signal (e.g., LMT=1).
    5.4
    Upon the development of an industry-standard consent mechanism (such as IAB Europe’s Transparency & Consent Framework), each party shall make good faith efforts to implement, list itself in, or otherwise comply with such mechanism and related consent standards. The parties shall cooperate in good faith regarding the deployment of any such mechanism.
    5.5
    Upon ION Exchange’s request, Company shall provide to ION Exchange any relevant information documenting its consent processes or mechanisms, and any supporting records regarding the manner in which Company obtains consent from applicable Data Subjects.
  6. SECURITY
    6.1
    Each party will implement and maintain appropriate security measures for protection of the security, confidentiality, and integrity of Personal Data, including all measures required pursuant to Article 32 of the GDPR.
    6.2
    Pursuant to Article 28, Section 3(c) of the GDPR, each party will ensure (and contractually require) that any Data Processors with which it contracts take all measures required pursuant to Article 32 of the GDPR.
  7. TRANSFERS OF PERSONAL DATA
    7.1
    To the extent the Processing of Personal Data involves a Transfer, including if Company and ION Exchange Transfer Personal Data through affiliates, subcontractors, or other third parties, and such Transfers of Personal Data originated from the European Economic Area (“EEA”), Switzerland, or other countries or jurisdictions recognizing the GDPR, each party represents and warrants that its Processing and/or Transfer of Personal Data does and will comply with all Data Protection Laws.
    7.2
    As applicable, for any Transfer originating from the EEA, Switzerland, or other countries or jurisdictions recognizing the GDPR, each party shall ensure that such Transfer is made pursuant to an appropriate mechanism recognized by Data Protection Laws, including: (a) to a recipient located in an EU member state of the EEA or Switzerland; or (b) to a recipient covered by a binding adequacy determination by a competent authority with jurisdiction over either party, as applicable, (including the European Commission decisions on the adequacy of the protection of Personal Data in third countries); or (c) subject to another approved Transfer mechanism that provides an adequate level of protection in accordance with Data Protection Laws, such as, without limitation, Binding Corporate Rules or the Privacy Shield.
    7.3
    Company acknowledges that ION Exchange has certified its compliance with the Privacy Shield. Accordingly, Company agrees that ION Exchange may lawfully receive and Process Personal Data in the United States of America for as long as ION Exchange maintains valid and up-to-date Privacy Shield certifications.
  8. SUBCONTRACTING
    Company or ION Exchange may appoint third-party Data Processors to Process Personal Data for the purposes set forth herein or in the Agreement, provided that such Data Processors agree in writing to: (a) Process Personal Data in accordance with documented instructions; (b) implement appropriate technical and organizational security measures to protect the Personal Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will Process the Personal Data in a manner that will meet the requirements of applicable Data Protection Laws, including all requirements under Article 28 of the GDPR.
  9. MISCELLANEOUS PROVISIONS
    9.1
    Nothing in this DPP shall confer any benefits or rights on any person or entity other than the parties to this DPP.
    9.2
    This DPP shall remain in effect during the term of the Agreement. Without prejudice to the remedies as set forth elsewhere herein or in the Agreement, if either party violates this DPP, the other party is entitled to terminate the Agreement in its sole discretion and without any extra costs or expenses (provided any payments due and owing shall remain so).
    9.3
    Each party represents and warrants that it has the right, power, and authority to (a) make the representations and warranties contained herein and (b) commit to and perform the respective duties, obligations, and covenants set forth hereunder.