Last Modified October, 25th 2022 — For historical versions of our DPA, please contact legal@sharelocalmedia.com.
This Data Processing Addendum ("DPA") forms part of each agreement between Customer and Share Local Media, Inc., a Delaware corporation with a principal office at 44 Wall St, 23 Fl, New York, NY 10005 (“Share Local Media”) that incorporates this DPA by reference (“Agreement”). References to “Customer” in this DPA refer to the counterparty to the applicable Agreement. This DPA applies only to Share Local Media’s Services and does not apply to any service the Customer purchases from any third party other than Share Local Media.
Unless otherwise expressly defined herein, the capitalized terms used in this DPA have the meanings assigned to them in the Agreement.
“Business” or “Controller” shall mean an entity that determines the purposes and means of Processing of Personal Information.
“Content”, “User Content”, “Customer Content” or equivalent term shall have the meaning assigned to it in the Agreement.
“Consumer” shall mean the individual to whom Personal Information relates.
“Customer Data” means the Personal Information related to Consumers that Share Local Media Processes on behalf of Customer as a Service Provider or Processor as set forth in Section 1 of this DPA. Customer Data may include, for example, Personal Information included in customer lists provided by Customer or by a third party on Customer’s behalf, in connection with the provision of Mailings or other Services pursuant to the Agreement.
“Data Protection Laws” means any applicable local, state and federal laws, rules and regulations in the United States relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other Processing or Personal Information, including, but not limited to, the California Consumer Privacy Act, including any amendments and any implementing regulations thereto (the “CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), and any similar laws including any amendments and any implementing regulations thereto that are in effect or that become effective on or after the effective date of this DPA.
“Personal Information” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Information” shall mean any information relating, directly or indirectly, to an identified or reasonably identifiable natural person.
“Process” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information.
“Service Provider” or “Processor” shall mean an entity that Processes Personal Information on behalf of a Business or Controller.
“Services” means the services to be provided by Share Local Media to Customer under the Agreement, as further specified in any applicable purchase order or statement of work.
“SLM Data” means the data generated, sourced, created or maintained by Share Local Media in connection with the Services, other than Customer Data and Content. SLM Data may include Personal Information sourced from third party data providers.
The parties agree as follows:
1. Role of the Parties.
1.1. With regard to Customer Data, such as business contact information, customer lists or “seed file” customer lists provided by Customer to Share Local Media, Share Local Media is a Service Provider and Processor, and Customer is a Business and a Controller.
1.2. With regard to SLM Data, Share Local Media is a Business and a Controller, and Customer also is a Business and a Controller. SLM Data includes:
1.2.1. For Solo Mail - Modeled Mailing Services: targeting lists from third party data services with whom Customer does not have a direct agreement sourced based on Customer’s requests (i.e. demographics, geographic, saturation data) and mail files provided to Customer for attribution purposes.
1.2.2. For Shared Mail Services: measurement data made available for analytics purposes, if and to the extent Customer elects to receive such data pursuant to a valid PO or change order thereto executed by the Parties.
1.2.3. For Poplar Platform - Solo Mailings Services: (i) targeting lists generated based upon a seed file provided by Customer (provided, however, that such underlying seed file shall be deemed “Customer Data” and not “SLM Data”); and (ii) targeting lists from third party data services with whom Customer does not have a direct agreement, that are sourced based on Customer’s requests (i.e. demographics, geographic, saturation data), and mail files made available by SLM for analytics or attribution purposes.
1.2.4. For Matchback services: data made available by SLM to Customer for Matchback Purposes as further described in Section 4.4.
2. Compliance with Laws.
2.1. Each party will comply with its obligations under Data Protection Laws. Without limiting the foregoing, (i) Customer will have the right to take reasonable and appropriate steps to ensure that Share Local Media uses Customer Data in a manner consistent with Customer’s obligations under Data Protection Laws; and (ii) Share Local Media will notify Customer promptly (and in any event within five (5) business days), if Share Local Media determines that it can no longer meet its obligations under Data Protection Laws.
2.2. Customer will inform Share Local Media of any Consumer request made pursuant to Data Protection Laws that Share Local Media must comply with, and provide the information necessary for Share Local Media to comply with the request.
3. Share Local Media’s Obligations.
3.1. Share Local Media will Process Customer Data for the purpose of providing the Services set forth in the Agreement and in accordance with Customer’s instructions set forth in the Agreement or in writing. Without limiting the foregoing, Share Local Media is prohibited from: (i) selling Customer Data or otherwise making Customer Data available to any third party for monetary or other valuable consideration; (ii) sharing Customer Data with any third party for cross-context behavioral advertising; (iii) retaining, using, or disclosing Customer Data for any purpose other than for the business purposes specified in this Agreement or as otherwise permitted by Data Protection Laws; (iv) retaining, using, or disclosing Customer Data outside of the direct business relationship between the parties; (v) to the extent prohibited by Data Protection Laws, combining Customer Data with other information that Share Local Media receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer.
3.2. Share Local Media will limit access to Customer Data to personnel who have a business need to have access to such Customer Data, and will ensure that such personnel are subject to obligations at least as protective of the Customer Data as the terms of this DPA. Notwithstanding the foregoing, nothing in this DPA shall restrict Share Local Media’s ability to disclose Customer Data (i) to a subcontractor for a business purpose pursuant to a written agreement to protect the confidentiality of Customer Data, (ii) to a third party as necessary to comply with applicable laws, or (iii) as otherwise permitted by the Data Protection Laws.
3.3. Share Local Media will be liable to Customer for the acts or omissions of any subcontractor or other third party to whom Share Local Media has disclosed or permitted to access Customer Data as if they were acts or omissions of Share Local Media. Share Local Media will not permit any subcontractor to Process Customer Data, unless Share Local Media and the subcontractor have entered into an agreement that imposes obligations on the subcontractor that are no less restrictive and at least equally protective of Customer Data than those imposed on Share Local Media under this DPA. Share Local Media is responsible for ensuring the compliance of Subcontractor with applicable Data Protection Laws in connection with the Processing of Customer Data.
3.4. Share Local Media agrees to reasonably cooperate with Customer, at Customer’s expense, to assist Customer with ensuring its compliance with Data Protection Laws, including to respond to requests for access, knowledge, deletion, or rectification. If and to the extent Customer instructs Share Local Media to delete Consumer Personal Information in response to a Consumer request received by Customer, Share Local Media agrees to delete or de-identify such information within thirty (30) days of receipt of the request. For the avoidance of doubt, Share Local Media shall have no obligation to delete information that has been de-identified or aggregated or information relating to Customer’s use of the Service that is not Customer Data.
3.5. Share Local Media shall implement and maintain reasonable security procedures, practices, and controls, as may be appropriate based on the nature of the information, designed to protect Customer Data from unauthorized access or destruction, as further described in Section 5 below and at Share Local Media’s security measures overview page located at https://sharelocalmedia.com/policies/security-policy, which overview page may be updated from time to time.
4. Other Data Obligations
4.1. Customer acknowledges and affirms that it has provided all notices to Consumers required under Data Protection Laws in connection with the Services (if any) and obtained all consents from Consumers required under Data Protection Laws in connection with the Services (if any).
4.2. Neither party shall submit or cause to be submitted to the other party any data that includes (i) a social security number, passport number, driver’s license number, or similar identifier, credit card or debit card number, employment, financial or health information; (ii) Personal Information relating to a resident of the European Economic Area or which may be subject to the General Data Protection Regulation (GDPR); (iii) Personal Information relating to an individual under sixteen (16) years of age; (iv) Personal Information relating to any individual that has withdrawn consent or exercised a right to opt-out; or (v) any other information which may be subject to additional protections under applicable laws or regulations including, but not limited to, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), or which could give rise to notification obligations under data breach notification laws, without Share Local Media’s prior written approval.
4.3. To the extent Customer incorporates third party data services into the Share Local Media Services, for example, to procure modeled lists or to append or supplement Customer Data with data from third party providers (“Third-Party Licensed Data”) pursuant to an agreement between Customer and such third-party provider:
4.3.1. Customer is solely responsible for ensuring compliance with its obligations under such third-party agreements to which it is a party and with Data Protection Laws applicable to such activity in relation to Customer’s use of the Share Local Media Services.
4.3.2. By instructing Share Local Media to disclose Customer Data to such third-party provider for the purpose of generating Third-Party Licensed Data for or on behalf of Customer, Customer represents and warrants that it has all necessary rights and consents needed to support such instruction.
4.3.3. To the extent Customer provides Third-Party Licensed Data to Share Local Media, or instructs such third-party provider to deliver Third-Party Licensed Data to Share Local Media on Customer’s behalf, Share Local Media shall collect, use, retain and disclose such Third-Party Licensed Data in the same manner as Share Local Media shall use Customer Data pursuant to this DPA.
4.4. In certain circumstances, Share Local Media may provide Customer with SLM Data, which could include Third-Party Licensed Data, generated in connection with Customer Mailing campaigns. Customer warrants and agrees that Customer shall use and retain such data solely for internal analytics and attribution purposes (“Matchback Purposes”), and for no other purpose, commercial or otherwise, including for marketing purposes. Customer shall have no right to share, disclose or sell SLM Data to any third party without prior written approval from Share Local Media. Customer warrants and agrees that it shall erase or otherwise destroy any SLM Data provided by Share Local Media within thirty (30) days from the completion of the Services for which such data was provided, unless otherwise permitted by the applicable data provider and/or Share Local Media, as applicable, in writing. Customer is solely responsible for ensuring that its receipt and use of any Third-Party Licensed Data is permitted by the applicable agreement between Customer and the relevant data provider.
4.5. Share Local Media shall have the right to take reasonable and appropriate steps to ensure that Customer uses the SLM Data in a manner consistent with Share Local Media’s obligations under Data Protection Laws. In addition, Share Local Media shall have the right take reasonable and appropriate steps to stop and remediate unauthorized use of SLM Data.
4.6. Customer shall notify Share Local Media no later than five (5) business days after it makes a determination that it can no longer meet its obligations under Data Protection Laws.
5. Data Security. Share Local Media will implement appropriate technical and organizational measures designed to safeguard Customer Data against unauthorized or unlawful Processing, and against accidental loss, destruction or damage. Share Local Media will document those measures in writing and periodically review them to ensure they remain current and complete, at least annually. Further information can be found at https://sharelocalmedia.com/policies/security-policy, which may be updated from time to time.
6. Data Security Incidents. Share Local Media shall promptly notify Customer in the event of unauthorized access to, acquisition or disclosure of unencrypted Customer Data associated to Customer that is in Share Local Media’s or its subcontractors’ control or possession (a “Data Security Incident”). If, and to the extent, that a Data Security Incident requires notice to any regulator, Consumer or other third party under Data Protection Law, Customer shall have sole responsibility for the content, timing and method of distribution of any such notice, unless otherwise required by Data Protection Law. Share Local Media will provide reasonable cooperation with Customer’s investigation of the Data Security Incident.
7. Data Retention and Deletion. Share Local Media shall retain Customer Data for only so long as necessary to perform its obligations under the Agreement, unless otherwise required under applicable laws. Within forty-five (45) days of termination or expiration of the Agreement or earlier request by Customer, Share Local Media shall destroy or return to Customer (at Customer’s election) all Customer Data in its possession, custody and control, except to the extent such Customer Data as must be retained under applicable law (which Share Local Media shall destroy once it is no longer required under applicable law to retain).
8. Termination and Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, Share Local Media Processes or retains Customer Data, or Customer Processes or retains SLM Data.
9. Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
10. Applicable Law and Jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.