Last updated: 21st January 2022.
1. Applicability and interpretation
1.1 This Advertising Services Data Protection Addendum (this “Addendum”) may be incorporated into any agreement made between you and us in respect of Advertising Services (a “Relevant Agreement”), which may or may not be made on the terms and conditions located at www.haymarket.com/advertising-services (our “Advertising Services Terms and Conditions”).
1.2 Terms used but not defined in this Addendum shall have the meaning given to those terms in the Advertising Services Terms and Conditions, even where such Advertising Services Terms and Conditions do not apply to the Relevant Agreement made between you and us).
1.3 Unless otherwise stated, references in this Addendum to clauses are to clauses of this Addendum.
1.4 References in this Addendum to:
“controller”, “processor”, “processing”, “personal data breach” and “supervisory authority” shall have the same meaning as defined in Data Privacy Laws;
“Controller Obligations” means the obligations that are owed by controllers under the Data Privacy Laws, including any obligation to provide transparency information and/or obtain consent prior to accessing or retrieving information from a person’s device and/or sending a person direct marketing via electronic mail;
“Effective Date” means the date on which the Relevant Agreement commenced or was deemed to have commenced, or such later date as may be agreed between you and us in writing;
“Request or Complaint” means any request, complaint, notice or communication which relates directly or indirectly to either party’s compliance with obligations contained in the Data Privacy Laws in respect of the Personal Data;
“Restricted Country” means a country, territory or jurisdiction which is not considered by the EU Commission (or, in respect of personal data transfers caught by the requirements of UK Data Privacy Laws, the relevant UK governmental or regulatory body as applicable) to offer an adequate level of protection in respect of the processing of Personal Data pursuant to Article 45(1) of the GDPR (and/or analogous provisions of UK Data Privacy Laws);
“Restricted Transfer” means a transfer of personal data from an entity whose processing of Personal Data under the Agreement is caught by the requirements of the GDPR (and/or UK Data Privacy Laws) to an entity located in a territory that processes the relevant Personal Data in a Restricted Country; and
“Processor Obligations” means the obligations that are owed by processors under the Data Privacy Laws, including those obligations stipulated in Article 28, GDPR.
1.5 This Addendum shall be deemed to have come into force on the Effective Date and thereafter shall continue in full force and effect for the term of the Relevant Agreement. Any rights or obligations set out in this Addendum that expressly or by implication are to survive termination or expiry of the Relevant Agreement shall survive such termination or expiry.
1.6 Where you are an advertiser, where applicable you will procure that your third party vendors or subcontractors (including Tag Vendors) and/or any Agency that acts on your behalf complies with the obligations owed by you under these terms. Where you are an Agency, where applicable you will procure that your third party vendors or subcontractors (including Tag Vendors) and each relevant advertiser comply with the obligations owed by you under these terms.
2. Data Protection Obligations
2.1 Subject to clause 2.2, each of the parties agree that, in respect of any Personal Data Transfer:
- 2.1.1 we are an independent controller and, accordingly, we shall comply with the Controller Obligations in respect of our processing of the Personal Data; and
2.1.2 you are:
126.96.36.199 an independent controller and, accordingly, you shall comply with the Controller Obligations in respect of your processing of the Personal Data; or
188.8.131.52 a processor that acts on behalf of one or more third party controllers and, accordingly, in respect of your processing of the Personal Data you shall (a) comply with the Processor Obligations and (b) ensure that each relevant third party controller that you act for complies with the Controller Obligations.
2.2 We may from time to time agree in writing that we are your processor (or, where you are a processor, your sub-processor) in respect of a Personal Data Transfer, in which event:
- 2.2.1 we will comply with the Processor Obligations as if they were set out in this Addendum in full, with such amendments as are necessary to give full effect to such obligations (to the exclusion of our obligations under clause 2.1.1);
- 2.2.2 you will continue to comply with your obligations under clause 2.1.2; and
- 2.2.3 you will document and supply to us, in respect of our processing of the relevant Personal Data, the information required by Article 28(3) of the GDPR (i.e. the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects).
2.3 For the avoidance of doubt, the obligations set out in clauses 2.4 to 2.7 (inclusive) are without prejudice to the generality of clauses 2.1 and 2.2.
2.4 Neither party will process the Personal Data for any purpose that is inconsistent with the activities contemplated by the Relevant Agreement.
2.5 Neither party shall intentionally do, or omit to do, any act or thing that puts the other party in breach of the Data Privacy Laws. Each party will provide reasonable cooperation, information and assistance to the other party (and to any relevant supervisory authority at the request of the other party) in order to ensure compliance with the Data Privacy Laws.
2.6 Each party will notify the other as soon as reasonably practicable (and in any event within 48 hours) if it becomes aware of a personal data breach affecting the Personal Data.
2.7 You will promptly provide us with such information necessary to demonstrate compliance with your obligations set out in this Addendum and, to the extent that we reasonably require, allow for and contribute to audits (conducted by us or any independent third party auditor) of your systems and/or premises that are involved in the processing of the Personal Data. Any audits that are undertaken pursuant to this clause, or pursuant to any Processor Obligations that we owe to you, shall be conducted during normal business hours and in a manner that does not unreasonably interfere with the business of the party that is subject to the audit.
2.8 The parties acknowledge and agree that, to the extent the transfer of Personal Data is or does become a Restricted Transfer, the parties shall separately agree a transfer mechanism to legitimise the transfer of the Personal Data from us to you (“Transfer Mechanism”).
2.9 The parties acknowledge and agree that any agreed Transfer Mechanism may not, in isolation, ensure that your processing complies with the International Transfer Requirements, and the parties agree to cooperate with each other in good faith to agree written variations to the Relevant Agreement, and to take such action as may reasonably be required, to ensure that such processing complies with the International Transfer Requirements. To the extent that Haymarket determines that the processing cannot comply with the International Transfer Requirements, it may at no additional cost and without further liability either:
2.9.1 require you to only process the Lead Data within certain jurisdictions and/or subject to certain restrictions, supplementary measures and/or safeguards; and/or
2.9.2 suspend provision of the Advertising Services and/or terminate the Relevant Agreement in whole or in part on immediate written notice without further liability to you.
2.10 Notwithstanding clause 2.9, by entering into any Transfer Mechanism you warrant, represent and undertake (on an ongoing basis) that you can comply in full with the Transfer Mechanism.
3. Use of Tags
3.1 Where a Personal Data Transfer is facilitated by the use (whether by you or a Tag Vendor) of one or more Tags in relation to Advertisements that appear on our Digital Media, the relevant Personal Data Transfer shall be subject to, and you and we will each comply with, our respective obligations under, our Advertising Services Tag Management Addendum located at www.haymarket.com/advertising-services-tag-management-addendum. In the event of any conflict or inconsistency between this Addendum and our Advertising Services Tag Management Addendum, this Addendum shall prevail.