Total Media and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Processor Services (as amended from time to time, the “Agreement”)
These Total Media Data Processing Terms (including the appendices, “Data Processing Terms”) are entered into by Total Media and Customer and supplement the Agreement. These Data Processing Terms will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.
If you are accepting these Data Processing Terms on behalf of Customer, you warrant that (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Law. Customer acknowledges and agrees that any Google Services provided to Customer by Total Media are subject to Google Ads Data Processing Terms located at: https://privacy.google.com/businesses/processorterms/ in addition to Total Media Data Processing Terms. Customer approves that Total Media may perform any right or obligation on behalf of Google if Total Media receive such request from Google or otherwise consider such action required to comply with Data Protection Law requirements.
2. Definitions and Interpretation
- In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Total Media Entity” means Total Media Ltd. RN 51-190084-7 an Israeli incorporated organization with its address at 14, Abba Hillel Silver Rd. Ramat-Gan 5250607 Israel.
“Total Media” means Total Media Entity and its Affiliates engaged in the processing of Customer Personal Data in connection with the subscribed Services.
“Covered Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Total Media, but has not signed its own Order Form with Total Media and is not a “Customer” as defined under the Agreement.
“Customer Personal Data” means personal data that is processed by Total Media on behalf of Customer in Total Media’s provision of the Processor Services.
“Data Incident” means a breach of Total Media’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Total Media. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“EEA” means the European Economic Area.
“EU Data Protection Laws” means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including European Directives 95/46/EC and any legislation and/or regulation which amends, replaces or re-enacts it (including the GDPR).
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Total Media, to receive certain notifications from Total Media relating to these Data Processing Terms.
“Processor Services” means the applicable services: Platforms Services at: https://privacy.google.com/businesses/adsservices/ and monetization services (if applicable) as listed below in Appendix 3: Service Information
“Security Measures” has the meaning given in Section 7.1.1 (Total Media’s Security Measures).
“Standard Contractual Clauses” means the agreement executed by and between Customer and Total Media Ltd. , pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processors” means third parties authorised under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Term” means the period from the Terms Effective Date until the end of Total Media’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable: 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms before or on such date; or the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms, if such date is after 25 May 2018.
- The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the
- Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular
- Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Duration of these Data Processing Terms
These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Total Media as described in these Data Processing Terms.
4. Application of these Data Processing Terms
- Application of Data Protection These Data Processing Terms will only apply to the extent that the Data Protection Law applies to the processing of Customer Personal Data, including if:
- the processing is in the context of the activities of an establishment of Customer in the EEA; and/or
- Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the
- Application to Processor These Data Processing Terms will only apply to the Processor Services for which the parties agreed to these Data Processing Terms (for example: (a) the Processor Services for which Customer clicked to accept these Data Processing Terms; or (b) if the Agreement incorporates these Data Processing Terms by reference, the Processor Services that are the subject of the Agreement).
5. Processing of Data
5.1 Roles and Regulatory Compliance; Authorisation.
- Processor and Controller Responsibilities. The parties acknowledge and agree that
- Appendix 1 describes the subject matter and details of the processing of Customer Personal Data;
- Total Media is a processor of Customer Personal Data under the Data Protection Law;
- Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Law; and
- Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Customer Personal
- Authorisation by Third Party Controller. If Customer is a processor, Customer warrants to Total Media that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Total Media as another processor, have been authorised by the relevant
- Customer’s Instructions. By entering into these Data Processing Terms, Customer instructs Total Media to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Total Media as constituting instructions for purposes of these Data Processing
- Total Media’s Compliance with Total Media will comply with the instructions described in Section 5.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Total Media is subject requires other processing of Customer Personal Data by Total Media, in which case Total Media will inform Customer (unless that law prohibits Total Media from doing so on important grounds of public interest).
- As of the DPA Effective Date for the duration of the period Total Media provides the Services:
- Total Media will, without undue delay, notify Customer, to the extent legally permitted, if Total Media receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
- If Total Media receives any request from a data subject in relation to Customer Personal Data, Total Media will advise the data subject to submit his or her request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
- Taking into account the nature of the processing, Total Media will assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Total Media shall, upon Customer’s written request, provide Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request, to the extent Total Media is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Total Media’s provision of such assistance.
6. Data Deletion
If the functionality of the Processor Services does not include the option for Customer to delete Customer Personal Data, then Total Media will comply with:
- any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage; and
- the data retention practices in the Data Protection Law. .
Total Media may charge a fee (based on Total Media’s reasonable costs) for any data deletion under Section 6.1 2(a). Total Media will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
7. Data Security
7.1 Total Media’s Security Measures
- Total Media’s Security Total Media will implement and maintain technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures: (a) to encrypt personal data; (b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Total Media’s systems and services; (c) to help restore timely access to personal data following an incident; and (d) for regular testing of effectiveness. Total Media may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
- Security Compliance by Total Media Total Media will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.2 Data Incidents.
- Incident Notification. If Total Media becomes aware of a Data Incident, Total Media will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimise harm and secure Customer Personal Data.
- Details of Data Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Total Media recommends Customer take to address the Data Incident.
- Delivery of Notification. Total Media will deliver its notification of any Data Incident to the Notification Email Address or, at Total Media’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and
- Third Party Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
- No Acknowledgement of Fault by Total Media. Total Media’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Total Media of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities.
- Customer’s Security Customer agrees that, without prejudice to Total Media’s obligations under Sections 7.1 (Total Media’s Security Measures and Assistance) and 7.2 (Data Incidents):
- Customer is solely responsible for its use of the Processor Services, including:
- making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and
- securing the account authentication credentials, systems and devices Customer uses to access the Processor Services; and
- Total Media has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Total Media’s and its Sub-processors’
- Customer’s Security Assessment Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Total Media as set out in Section 1.1 (Total Media’s Security Measures) provide a level of security appropriate to the risk in respect of Customer Personal Data.
- Consent to Sub-processor Engagement Customer specifically authorizes the engagement of Total Media’s Affiliates as Sub-processors (“Total Media Affiliate Sub-processors”). In addition, Customer generally authorizes the engagement of any other third parties as Sub-processors (“Third Party Sub-processors”).
- Requirements for Sub-processor Engagement. When engaging any Sub-processor, Total Media will:
- ensure via a written contract that:
- the Sub-processor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Data Processing Terms); and
- if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-processor; and
- Remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
- Opportunity to Object to Sub-processor
- When any new Third Party Sub-processor is engaged during the Term, Total Media will, at least 30 days before the new Third Party Sub-processor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by sending an email to the Notification Email
- Customer may object to any new Third Party Sub-processor by terminating the Agreement immediately upon written notice to Total Media, on condition that Customer provides such notice within 90 days of being informed of the engagement of the new Third Party Sub-processor as described in Section 11.4(a). This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
9. Transfer of Personal Data outside of the EEA
- Total Media makes the Standard Contractual Clauses available as a transfer mechanism for any transfer of Personal Data under this DPA from the European Union, the EEA and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of EU Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws.
- The Standard Contractual Clauses and the additional terms specified in this Section 9 (Transfer of Personal Data Outside of the EEA) apply to (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Covered Affiliates and (ii) all Affiliates of Customer established within the EEA, Switzerland and the United Kingdom, which have signed Orders Forms for Services. For the purpose of the Standard Contractual Clauses and this Section 9, all these entities shall be deemed “data exporters”.
- For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data (a) to provide the Services; (b) as further specified via Customer’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Order Form that requires processing of Personal Data); and (d) as further documented in any other written instructions given by Customer (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Customer to Total Media from time to time), where such instructions are consistent with the terms of the Agreement.
- Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that (a) Total Media’s Affiliates may be retained as Sub-processors; and (b) Total Media and Total Media’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Total Media will make available to Customer the current list of Sub-processors in accordance with Section 7 (Sub-processors).
- Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that Total Media and Total Media’s Affiliates may engage new Sub-processors as described in Sections 7 (Sub-processors).
- The parties agree that the copies of the Sub-processor agreements that must be provided by Total Media to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Total Media beforehand; and, that such copies will be provided by Total Media, in a manner to be determined in its discretion, only upon request by Customer.
- The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:
- Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Total Media shall make available to Customer that is not a competitor of Total Media (or Customer’s independent, third-party auditor that is not a competitor of Total Media) information regarding the Total Media Group’s compliance with the obligations set forth in this DPA in the form of independent audit results and/or third-party certifications, as applicable, to the extent Total Media makes them generally available to its customers. No more than once per year, Customer may contact Total Media in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse Total Media for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Customer and Total Media shall mutually agree upon the scope, timing, and duration of the audit that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Total Media. Customer shall promptly notify Total Media with information regarding any non-compliance discovered during the course of an audit.
- The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Total Media to Customer only upon Customer’s written request.
- In the event of any conflict or inconsistency between the body of this DPA and any of its attachments (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- In the event that the European Commission decision authorizing the Standard Contractual Clauses as a data transfer mechanism is held to be invalid, or that any supervisory authority requires transfer of Personal Data made pursuant to such decision to be suspended, then Customer may, at its discretion, require Total Media to cease processing Personal Data to which this Section 9 applies, or cooperate with Total Media to facilitate use of an alternative transfer mechanism.
- Total Media agrees to comply with the obligations of a data importer as set out in the Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries under the Standard Contractual Clauses.
- Customer acknowledges that Total Media will, as applicable, be a data importer under the Standard Contractual Clauses. In particular, and without limiting the above obligation:
- Total Media agrees to grant third-party beneficiary rights to data subjects, as set out in Clause 3 of the Standard Contractual Clauses, provided that Total Media’s liability shall be limited to Total Media’s own processing operations only and the limitations set forth in Section 10 (Limitation of Liability) and the Agreement; and
- Total Media agrees that Total Media’s obligations under the Standard Contractual Clauses shall be governed by the law(s) of the EEA member state(s) in which the entity that is the data exporter is established.
- Contacting Total Media; Processing Records
- Total Media’s Processing Customer acknowledges that Total Media is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Total Media is acting and (if applicable) of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Total Media.
Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Law); or
12. Effect of these Data Processing Terms
If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Agreement remains in full force and effect.
13. Changes to these Data Processing Terms
- to reflect a change to the name of a service;
- to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Total Media has Customer’s consent.
- Changes to Data Processing Terms. Total Media may change these Data Processing Terms if the change:
- is expressly permitted by these Data Processing Terms, including as described in Section 15.1 (Changes to URLs);
- reflects a change in the name or form of a legal entity;
- is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
- does not (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of, or remove any restrictions on, Total Media’s processing of Customer Personal Data, as described in Section 5.3 (Total Media’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Total Media.
- Notification of Changes. If Total Media intends to change these Data Processing Terms under Section 15.2(c) or (d), Total Media will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Processor Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Total Media within 90 days of being informed by Total Media of the
Appendix 1: Subject Matter and Details of the Data Processing
Total Media’s provision of the Processor Services and any related technical support to Customer.
Duration of the Processing
The Term plus the period from expiry of the Term until deletion of all Customer Personal Data by Total Media in accordance with these Data Processing Terms.
Nature and Purpose of the Processing
Total Media will process (including, as applicable to the Processor Services and the instructions described in Section 5.2 (Customer’s Instructions), collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.
Types of Personal Data
Categories of Data Subjects
Customer Personal Data will concern the following categories of data subjects:
- Data subjects about whom Total Media collects personal data in its provision of the Processor Services; and/or
- Data subjects about whom personal data is transferred to Total Media in connection with the Processor Services by, at the direction of, or on behalf of Customer.
Depending on the nature of the Processor Services, these data subjects may include individuals: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Total Media provides the Processor Services; and/or (c) who are customers or users of Customer’s products or services.
Appendix 2: Security Measures
Total Media may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security.
1. Personnel Security
Total Media personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Total Media conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Total Media’s confidentiality and privacy policies. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Total Media’s personnel will not process Customer Personal Data without authorization.
Infrastructure Security Personnel. Total Media has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Total Media’s infrastructure security personnel are responsible for the ongoing monitoring of Total Media’s security infrastructure, the review of the Processor Services, and responding to security incidents.
Access Control and Privilege Management Customer’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Processor Services.
2. Sub-processor Security
Before onboarding Sub-processors, Total Media conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to
provide. Once Total Media has assessed the risks presented by the Sub-processor then, subject always to the requirements set out in Section 11.2 (Requirements for Sub-processor Engagement), the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.
Appendix 3: Service Information
The following services are eligible to be in scope of the Data Processing Terms:
Google services listed at: https://privacy.google.com/businesses/adsservices/ (may be update from time to time, subject to the terms of the Data Processing Terms).
- OATH (AOL)
- Creative Clicks
- Smart Adserver
- Vinyl Trading desk
- The Media Street
- Ad Space
- Bold Screen Media
- Jarvis Digital
- The Daily Dot
- Level Up Media
- Spiroox Media
- Clearvelvet Trading
- Purify Digital
- Advand Media
- ADG Solutions
- Velis Media
- Polygon Video
- Tribal TLV
- Diversify Media
- Turf Digital
- 152 Media
- Ads Plus
- ADX (GOOGLE)
- Beachside Media
- Vocal Media
- CLUBHOUSE MEDIA
- Surfboard Digital
- Sparc Media
- 495 Communications
- Soicos International
Types of personal data