ANNEX 1
WHERE BOTH PARTIES ARE CONTROLLERS
1. Relationship of the Parties and scope of Processing
1.1 Where it is indicated in the Services Description Page or the MSA that each Party is a Controller, the Parties acknowledge that they are each a separate and independent Controller of the Personal Data which it discloses or receives under the MSA for those Services. The Parties do not and will not Process Personal Data which it discloses or receives under the MSA as joint controllers. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Applicable Data Protection Law.
2. Sharing of Personal Data
2.1 Each Party shall collect, share and otherwise Process the Personal Data (i) in a manner consistent with and only for the purposes set forth in the MSA (including, where relevant, in accordance with the Yahoo Pixel and Custom Audience Policy located at: https://legal.yahoo.com/xw/en/yahoo/privacy/enterprise/pixelandcustomaudience/index.html) or (ii) as otherwise agreed to in writing by the Parties, provided that the Processing Party shall ensure that such Processing complies with (a) Applicable Data Protection Law, (b) Relevant Privacy Requirements; (c) its privacy notice or policy that it has made available to Data Subjects; and (d) its obligations under this Addendum and the MSA (the “Permitted Purposes”).
2.2 Each Party agrees to receive Personal Data from the other Party provided that the Party providing the Personal Data strictly complies with (i) Applicable Data Protection Law, (ii) Relevant Privacy Requirements; and (iii) its obligations under the MSA and this Addendum.
2.3 A Party shall not share any Personal Data with the other Party (i) that allows Data Subjects to be directly identified (for example by reference to their name and email address); (ii) that contains any Special Categories of Personal Data and/or; (iii) that contains Personal Data relating to children (i.e. persons that are aged 17 or under or the age provided for in Applicable Data Protection Law and/or Relevant Privacy Requirements if over 17).
2.4 Where Company Processes Personal Data, including where it rebroadcasts Personal Data to third parties, it shall respect all signals or other methods of communicating consent and/or user preferences made available by Yahoo regarding the Company’s right to Process the Personal Data. For example, where Company participates in the TCF as a Vendor or CMP, it must seek from Yahoo and respect the permissions or restrictions in any available Signal (as defined by the TCF policies) that Yahoo provides. Company is responsible for obtaining the signals or other methods from Yahoo’s CMP unless it is technically impossible (e.g. pixel.) If Company is unwilling or unable to do so, it must not Process the Personal Data or rebroadcast to third parties or otherwise must immediately erase the Personal Data it receives.
3. Privacy obligations
3.1 Each Party shall (a) maintain a publicly-accessible privacy policy on each of its mobile applications and websites that is available via a prominent link that satisfies transparency disclosure requirements of Applicable Data Protection Law, and (b) use commercially reasonable endeavours to provide a link to the other Party’s privacy policy in its privacy policy and/or any consent management platform (as applicable).
3.2 Each Party undertakes on an ongoing basis to ensure that it provides Data Subjects with appropriate transparency regarding data collection and use and obtains any and all consents or permissions necessary under Applicable Data Protection Law (in particular under e-Privacy Law and/or PECR).
3.3 Where a Party is the initial Controller and, as between itself and the Data Subject, it shall provide Data Subjects with appropriate transparency and seek their consent in accordance with Applicable Data Protection Law and Relevant Privacy Requirements in order for the other Party to Process such Personal Data as set out herein (including, where applicable, for personalised advertising and ads measurement). For clarity, as noted above, Company is responsible for ensuring that it respects any permissions or restrictions made available by Yahoo. Both Parties will cooperate in good faith in order to comply with the transparency requirements of Applicable Data Protection Law (for example by complying with TCF) and each Party hereby permits the other Party to identify (by reference to its legal and/or trading name) it in the other Party’s privacy policy.
3.4 Where either Party receives a request from a Data Subject in respect of the Personal Data that names or otherwise identifies the other Party, the Party receiving such request will direct the Data Subject to the other Party, as applicable, in order to enable the other Party to respond directly to the Data Subject’s request.
4. Technical and Organisational Measures
4.1 Yahoo and Company shall implement appropriate technical and organisational measures to protect the Personal Data. In particular, where applicable Yahoo shall implement the Yahoo Technical and Organisational Security Measures and the Company shall implement the Company Technical and Organisational Security Measures.
4.2 In the event that Yahoo or Company suffer a confirmed Security Incident relating to Personal Data being Processed under the MSA, where applicable each Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to mitigate or remedy the effects of the Security Incident. Notwithstanding the foregoing, neither party shall be responsible or liable for the Security Incident suffered by the other Party. Each Party shall be independently responsible for the Security Incident it suffers and shall ensure that any such incident is resolved in line with Applicable Data Protection Laws.
5. Limitation on Liability & Insurance
5.1 In no event shall either Party’s total liability under or in connection with this Annex 1 exceed €5,000,000.00.
5.2 Each Party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under or in connection with this Addendum. Upon a Party's request, the other Party will provide evidence that such insurance is in place.