EEA/UK DATA PROCESSING ADDENDUM
This EEA/UK Processing Addendum (the "Addendum") is entered into by and between Yahoo EMEA Limited (“Yahoo EMEA”), a company incorporated under the laws of Ireland (registration number: 426324) whose principal place of business is at 5-7 Point Square, North Wall Quay, Dublin 1, Ireland, for itself and on behalf of Yahoo Affiliates (defined below), and the counterparty identified in the MSA ("Company") for itself and (where applicable) on behalf of each of its Company Affiliates (defined below). This Addendum forms part of each MSA (as defined below) entered into by and between Company and/or any Company Affiliate and Yahoo EMEA and/or any Yahoo Affiliate for the provision of Services.
"Yahoo Affiliate" means Yahoo Inc., Yahoo Aggregation Holdings LLC and any entity directly or indirectly controlled by those entities. "Company Affiliate" means any entity that owns or controls, is owned by or controlled by or is under common control or ownership with Company.
Any undefined terms used herein shall have the meanings set forth in the MSA. All references in this Addendum below to "Yahoo" shall be deemed references to Yahoo EMEA even if Yahoo EMEA is not party to the MSA (unless it is expressly agreed otherwise in the MSA) and all references below to "Company" shall be deemed references to the Company and/or as applicable to the relevant Company Affiliate that is party to the relevant MSA. Yahoo and Company are each a “Party” and collectively are the “Parties” to this Addendum.
The Company and Yahoo and/or the Yahoo Affiliates are or will become parties to an MSA for the provision of Services under which the Company and Yahoo may share or receive Personal Data as described in the MSA and/or this Addendum. This Addendum only applies to the extent that Applicable Data Protection Law applies to the Processing of Personal Data under the MSA and/or this Addendum, including if (a) the Processing is in the context of the activities of an establishment of either Party in the European Economic Area which, for the purposes of this Addendum, is deemed to include Switzerland (collectively, “EEA”) and/or the United Kingdom (“UK”) and/or (b) the Personal Data relates to Data Subjects who are in the EEA and/or the UK and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA and/or the UK by or on behalf of a Party. The Parties shall ensure that they will Process Personal Data in accordance with this Addendum.
TERMS AND CONDITIONS
1. Definitions and Interpretation
1.1 In this Addendum, the following terms shall have the following meanings:
(a) "Adequacy Decision" means a decision made by the European Commission that a third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection in respect of the Processing of Personal Data pursuant to Article 45(1) of the GDPR, excluding a decision made in relation to an Adequacy Framework.
(b) "Adequacy Framework" means (i) the EU-US Data Privacy Framework adopted pursuant to European Commission Implementing Decision of 10 July 2023 ("EU-U.S. DPF"); (ii) the UK Extension to the EU-U.S. DPF; and (iii) the Swiss-U.S. Data Privacy Framework.
(c) "Applicable Data Protection Law" means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, transposing, or made pursuant to (i) and (ii); (iv) the UK Data Protection Law; (v) the Swiss FDPA; and (vi) any legislation replacing or updating any of the foregoing.
(d) "Company Technical and Organisational Measures" means the technical and organisational measures which Company must adhere to, defined by Yahoo and located at https://legal.yahoo.com/ie/en/yahoo/terms/vendor/networksecurity/index.html, together with any additional security measures that are agreed between the parties in writing.
(e) "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), “Personal Data Breach” and "Special Categories of Personal Data" shall have the meanings given in Applicable Data Protection Law.
(f) “Controller to Controller Standard Clauses” means the terms at https://legal.yahoo.com/ie/en/yahoo/terms/scc/index.html, as amended, interpreted, or supplemented by Section 3.3 of this Addendum to meet the requirements of UK Data Protection Law and/or the Swiss FDPA.
(g) “Cross-App Advertising” as currently defined by the Network Advertising Initiative (“NAI”), means the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected, or as may be amended by the NAI from time to time.
(h) “End User” means a human visitor to a website, application or other media.
(i) "ID" means: (i) a unique identifier stored on an End-User’s device, (ii) a unique identifier generated on the basis of device or account information, or (iii) a resettable advertising ID associated with an End-User’s device or an application.
(j) "International Transfer Requirements" means the requirements of Chapter V of the GDPR.
(k) "MSA" means any agreement for Services between Yahoo EMEA and/or any Yahoo Affiliate and Company, pursuant to which a Party engages in or is permitted to engage in the Processing of Personal Data.
(l) "NAI Code" means the self-regulatory standards relating to the collection and use of data for Tailored Advertising (as defined in the code) and related practices, as set out at https://thenai.org/wp-content/uploads/2021/07/nai_code2020.pdf, as amended, updated or superseded from time to time.
(m) “Precise Geolocation Data” means any information that identifies or is capable of determining with reasonable specificity the actual physical location of an End User or device (e.g., GPS level latitude/longitude coordinates, location-based Wi-Fi triangulation or cellular tower data).
(n) "Relevant Privacy Requirements" means all (i) regulatory codes of practice and guidance issued pursuant to Applicable Data Protection Laws; (ii) applicable advertising self-regulatory requirements and industry frameworks (e.g. IAB Europe's Transparency and Consent Framework (“TCF”)); (iii) other policies or guidance relating in any manner to the collection, use or dissemination of information from or about users, user traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications; and (iv) the terms of service for applicable operating systems/platforms (including for mobile applications and connected televisions/smart TVs).
(o) "Restricted Country" means a country, territory or jurisdiction which is not covered by an Adequacy Decision.
(p) "Restricted Transfer" means a transfer of Personal Data from an entity whose Processing of Personal Data under the MSA and/or this Addendum is caught by the requirements of Applicable Data Protection Law to an entity that (i) Processes the relevant Personal Data in a Restricted Country; and (ii) does not participate in an Adequacy Framework.
(q) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data that has been shared by the other Party (or which it Processes in connection with the MSA). For the avoidance of doubt, any Personal Data Breach of such Personal Data will comprise a Security Incident.
(r) “Services” means services provided to the other Party pursuant to the terms of an MSA.
(s) "Subprocessor" means any entity which provides Processing services on behalf of a Processor.
(t) "Swiss FDPA" means the Federal Data Protection Act of 19 June 1992 (Switzerland), as updated or replaced from time to time.
(u) "Supplementary Measures" means any relevant contractual, technical or organisational safeguards to supplement the Controller to Controller Standard Clauses, including measures recommended by the European Data Protection Board as set out in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of Personal Data adopted on 18 June 2021 as may be updated, amended or replaced from time to time or any other measures or safeguards as may be required by the data exporter.
(v) "UK Addendum" means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers, issued by the UK’s Information Commissioner’s Office (ICO) under or pursuant to section 119A(1) of the UK Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms).
(w) "UK Data Protection Law" means (i) the Data Protection Act 2018 (“DPA 2018”), (ii) the UK GDPR (as defined in the DPA 2018); and (iii) the UK Privacy and Electronic Communications Regulations 2003 (“PECR”), each as updated or replaced from time to time.
(x) “Yahoo Technical and Organisational Security Measures” means the technical and organisational measures located at https://legal.yahoo.com/ie/en/yahoo/terms/securitymeasures/index.html as updated from time to time.
(y) A reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Applicable Data Protection Law is the UK Data Protection Law or the Swiss FDPA, be construed as a reference to the UK GDPR or the Swiss FDPA and/or the equivalent Article, Chapter or provision of the UK GDPR or the Swiss FDPA (as applicable).
1.2 This Addendum comprises these Terms and Conditions, the Annexes to these Terms and Conditions and the Exhibits to the Annexes. A reference to a Section is a reference to a section of these Terms and Conditions and a reference to a Paragraph is a reference to a paragraph of an Annex to these Terms and Conditions.
1.3 In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out in this Addendum shall form part of each MSA. Except where the context requires otherwise, references in this Addendum to the MSA are to each MSA, including this Addendum.
1.4 If and to the extent that there is any conflict or inconsistency between this Addendum and the terms of the MSA, the terms of this Addendum shall prevail.
2. Obligations of the Parties
2.1 The Parties agree that they will each act as a Controller, Processor and/or Subprocessor as further detailed in (i) the services description page located at https://legal.yahoo.com/ie/en/yahoo/terms/servicesdescription/index.html (“Services Description Page”); or (ii) the MSA.
2.2 Annex 1 will apply where Yahoo and Company are both Controllers.
2.3 Annex 2 will apply where:
(a) Company is a Controller and Yahoo is a Processor, or
(b) Company is acting as a Processor on behalf of a third party Controller and Yahoo is a Subprocessor.
2.4 The Parties shall, at all times, comply with their respective obligations under Applicable Data Protection Laws.
2.5 The Parties agree that the following email addresses shall be monitored for data protection enquiries and Data Subject Requests:
Company: as set out in the MSA
3. International transfers
3.1 Subject always to any express restrictions in the MSA, each Party shall be entitled to make Restricted Transfers provided that it complies with the requirements of Applicable Data Protection Law in respect of such Restricted Transfers.
3.2 Subject to Section 3.3, where Annex 1 (Yahoo and Company as Controllers) applies and if and to the extent that the Company’s Processing of Personal Data constitutes a Restricted Transfer (including if Company’s Processing becomes a Restricted Transfer after entry into this Addendum), the Parties agree that the Controller to Controller Standard Clauses shall apply in order to ensure compliance with the International Transfer Requirements. By entering into this Addendum, the Controller to Controller Standard Clauses are deemed executed by the Parties (acting on their own behalf and in the case of the Company, on behalf of any relevant Company Affiliate) without the need for any further signature from a Party. For the avoidance of doubt, each Party agrees that Yahoo EMEA is an entity established in the European Union and, accordingly, the Processing of Personal Data by Yahoo (under Annex 1 or Annex 2) does not constitute a Restricted Transfer between the Parties.
3.3 In respect of Restricted Transfers:
(a) subject to UK Data Protection Laws, the UK Addendum (together with any applicable elections set out in the Controller to Controller Standard Clauses) is hereby incorporated into this Addendum by reference. The Parties acknowledge and agree that, by entering into this Addendum, the UK Addendum is deemed executed by the Parties (acting on their own behalf and, in the case of Company, on behalf of any relevant Company Affiliate) without the need for any further signature from a Party;
(b) subject to the Swiss FDPA, the Parties agree that the Controller to Controller Standard Clauses shall be read as follows: (a) general and specific references in the Controller to Controller Standard Clauses to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law shall be construed as a reference to the Swiss FDPA and/or other relevant Swiss law (as applicable); (b) the term “Member State” will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Controller to Controller Standard Clauses; and (c) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of Clause 13 of the Controller to Controller Standard Clauses.
3.4 For the purposes of Table 4 of the UK Addendum, the Parties agree that the data exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
3.5 If the Controller to Controller Standard Clauses cease to exist or the data exporter determines (acting reasonably) that the Controller to Controller Standard Clauses are not a lawful method of complying with the International Transfer Requirements, the data importer shall cease (and procure that any relevant third party ceases) all substantive Processing of the relevant Personal Data until such time as the data importer has, in accordance with the data exporter’s instructions, entered into an alternative transfer mechanism and/or put in place Supplementary Measures to comply with the International Transfer Requirements.
3.6 Subject to Section 3.8, if the data exporter determines (acting reasonably) that it is not feasible to put in place such an alternative transfer mechanism and/or Supplementary Measures to enable compliance with the International Transfer Requirements, the data exporter shall be entitled to require the data importer to:
(a) Process (and/or procure that any relevant third party Processes) the Personal Data within a jurisdiction which is not a Restricted Country; and/or
(b) delete (or procure the deletion of) and/or destroy the Personal Data such that it is no longer processed in the relevant Restricted Country.
3.7 The data importer shall comply with Sections 3.5 and 3.6 at no additional cost to the data exporter.
3.8 Where the data importer is unable to comply with Section 3.6 because of local laws applicable to the data importer that prohibit such compliance, the data importer warrants that it will continue to ensure compliance with this Section and will only process the relevant Personal Data to the extent and for as long as required under that local law.
3.9 If there is any conflict between this Addendum and the Controller to Controller Standard Clauses, the Controller to Controller Standard Clauses shall prevail. The rights and remedies provided under this Addendum are in addition to, and not exclusive of, any rights or remedies provided by law. For the avoidance of doubt, nothing in this Addendum is intended to vary, modify or contradict the Controller to Controller Standard Clauses.
3.10 The Controller to Controller Standard Clauses shall cease to apply if and to the extent that a transfer of Personal Data ceases to be a Restricted Transfer.
3.11 Where Company transfers Personal Data to third countries on the basis of its participation in one or more Adequacy Framework(s), Company shall:
(a) provide a level of protection to Personal Data that meets the requirements of the Adequacy Framework(s);
(b) notify Yahoo without undue delay if Company determines that it can no longer comply with Section 3.11(a) and/or if Company’s participation in an Adequacy Framework expires or is terminated;
(c) notify Yahoo without undue delay if Company is required to provide a copy (including any summary or a representative copy of the relevant provisions) of this Addendum to any relevant governmental body, and comply with Yahoo’s reasonable directions as to the content and form of such disclosure.
3.12 If Company makes a notification to Yahoo in accordance with Section 3.11(b) or a relevant Adequacy Framework ceases to exist or be a lawful method of complying with the International Transfer Requirements, that Company’s transfer of Personal Data to third countries shall be subject to the Controller to Controller Standard Clauses as set out in Sections 3.2 to 3.9.
4. Precise Geolocation and Cross-App Advertising
Where Company collects, processes or discloses and/or otherwise makes available to Yahoo any Precise Geolocation Data for advertising purposes (including Tailored Advertising or Ad Delivery and Reporting as defined in the NAI Code and Cross-App Advertising): (a) Company shall ensure that express (i.e., opt-in) consent is obtained from End Users; and (b) a clear and prominent notice (including just-in-time notices) is made available to each End User that: (1) complies with the requirements of Applicable Data Protection Law and the Relevant Privacy Requirements; (2) informs the End User that their Precise Geolocation Data may be shared with third parties; and (3) describes the purposes for which such data may be used, including Tailored Advertising and/or Ad Delivery and Reporting.
5. Term and Concluding Provisions
The term of this Addendum will begin on the earlier of (a) the effective date of the relevant MSA; or (b) the date that the Parties commenced their Processing of Personal Data under this Addendum and/or the MSA (the “Effective Date”) and will remain in effect until the MSA is terminated in accordance with its terms or until either Party ceases to Process Personal Data under or in connection with the MSA and/or this Addendum, whichever is the later (the “Term”). Any provision of this Addendum that is, expressly or by implication, to survive termination or expiry of this Addendum shall survive such termination or expiry.
6.1 This Addendum and any underlying MSA shall constitute the entire agreement between the Parties with respect to the subject matter of this Addendum, and this Addendum, as updated from time to time, supersedes all prior agreements or representations, oral or written, regarding such subject matter, including any provisions in the MSA which address the Processing of Personal Data (insofar as such Processing relates to compliance with the Applicable Data Protection Law).
6.2 This Addendum and all disputes and claims (including all actions to enforce such claims or to recover damages or other relief in connection with such claims under this Addendum) arising out of or relating to this Addendum shall (a) be interpreted, construed and enforced in accordance with the laws of the Republic of Ireland; (b) be subject to the exclusive jurisdiction of the courts situated in the Republic of Ireland, to which each Party irrevocably submits, except in each case to the extent that Applicable Data Protection Law requires otherwise.