ANNEX 2
WHERE THE SERVICES DESCRIPTION PAGE AND/OR THE MSA INDICATES THAT YAHOO IS COMPANY’S PROCESSOR OR SUBPROCESSOR (THE “YAHOO PROCESSOR SERVICES”)
1. Relationship of the Parties
1.1 In relation to all Company Data, Yahoo acknowledges that, as between the Parties, Company is either (a) the Controller of Company Data, and that Yahoo, in providing or using the Services is acting as a Processor on behalf of the Controller; (b) or Company is a Processor of Company Data, and that Yahoo, in providing or using the Services is acting as a Subprocessor on behalf of Company. "Company Data" means any and all Personal Data that is processed by Yahoo or its sub processors on behalf of Company in the performance of the Yahoo Processor Services and its other obligations under the MSA.
1.2 The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule A to this Annex 2.
1.3 Company represents and warrants that: (a) its Processing instructions comply with all Applicable Data Protection Laws; and (b) it has obtained and maintains all legally required notices, consents and permissions for the Processing and transfer of all Personal Data provided to Yahoo. Company acknowledges that, taking into account the nature of the Processing, Yahoo is not in a position to determine whether Company’s instructions infringe Applicable Data Protection Laws.
2. Protection of Personal Data
2.1 In respect of the Processing of Personal Data by Yahoo in connection with the Yahoo Processor Services, Yahoo is responsible for and shall comply with Applicable Data Protection Law and agrees that it shall:
-
(a) process the Company Data only on written instructions from Company (which may, in particular, be given electronically or through the functionality of the Services), including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law to which Yahoo is subject; in such a case, Yahoo shall inform Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
-
(b) implement and maintain the Yahoo Technical and Organisational Security Measures and take all measures required pursuant to Article 32 of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)) including all organisational and technical security measures necessary to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of Company Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing;
-
(c) treat all Company Data processed by it on behalf of Company as confidential and ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, even after the end of their employment contract or at the end of their assignment or engagement;
-
(d) cooperate as reasonably requested by Company and implement appropriate technical and organisational measures to enable Company to comply with any exercise of rights by a Data Subject under Applicable Data Protection Law in respect of Personal Data processed by Yahoo under the MSA (including, without limitation, in relation to the retrieval and/or deletion of a Data Subject’s Personal Data);
-
(e) without prejudice to Section 3 of the Terms and Conditions (International Transfers), not access or transfer outside the EEA or the UK any Personal Data without the prior written consent of Company unless in accordance with Applicable Data Protection Law;
-
(f) provide (at no additional cost to Company) Company with all resources and assistance as are reasonably required by Company in connection with the Services performed by Yahoo under the MSA for Company to discharge its duties pursuant to Articles 32 to 36 of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s));
-
(g) at the choice of Company, delete or return all the Company Data to Company after the end of the provision of the Yahoo Processor Services, and delete existing copies unless applicable law requires storage of the Company Data;
-
(h) make available to Company at its request all information necessary to demonstrate compliance with the obligations laid down in this Addendum and Article 28 of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)) including without limitation a detailed written description of the technical and organisational methods employed by its Subprocessors (if any) for the Processing of Personal Data; and
-
(i) immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes Applicable Data Protection Law.
2.2 Company may exercise its audit right under the Applicable Data Protection Laws in relation to Company Data through a request that Yahoo initially provide Company with information related to the Yahoo Technical and Organisational Security measures. For the avoidance of doubt, such information shall be subject to the confidentiality provisions of the MSA. If, following Yahoo’s delivery of such information, Company can reasonably show that such information does not demonstrate Yahoo’s compliance with its security obligations as required under Article 28 of the GDPR, then Yahoo and Company shall meet to discuss in good faith what additional information is required for Company to ascertain and/or monitor Yahoo’s compliance with this Addendum and Applicable Data Protection Law.
3. Notification of Security Incident
3.1 Yahoo will notify Company without undue delay (and, in any event within forty-eight (48) hours) upon becoming aware that an actual Security Incident involving the Company Personal Data in Yahoo’s possession or control has occurred, as Yahoo determines in its sole discretion. Yahoo’s notification of or response to a Security Incident under this Paragraph 3 (Notification of Security Incident) shall not be construed as an acknowledgment by Yahoo of any fault or liability with respect to the Security Incident.
3.2 Yahoo will, as soon as reasonably possible, provide Company with at least the following information with respect to the Security Incident affecting Company Data: (i) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects (including the number of Company Data Subjects) concerned and the categories and approximate number of Personal Data records concerned; (ii) the measures being taken to contain, investigate and remediate the Security Incident; (iii) the likely consequences and risks for Company and its Data Subjects as a result of the Security Incident; (iv) any mitigating actions taken; and (v) a proposed plan to mitigate any risks for Data Subjects and/or Company as a result of the Security Incident.
3.3 Yahoo will, in connection with any Security Incident affecting Company Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimise any effects of and investigate any Security Incident (and without destroying any evidence) and to identify its cause (ii) co-operate with Company and provide Company with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation and/or mitigation of the Security Incident; and (iii) immediately notify Company in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
3.4 Yahoo will not communicate with any third party, including but not limited to the media, vendors, consumers and affected individuals (but excluding its legal counsel, professional advisors and insurers) regarding any Security Incident connected to the Processor Services without the express written consent and direction of Company.
4. Subprocessing
4.1 Yahoo may, subject to compliance with Paragraph 4.2 of this Annex, continue to use those Subprocessors already engaged by Yahoo and as identified to Company prior to commencement of this Addendum to process any Company Data (including those identified in Schedule A to this Annex). Yahoo may, subject to compliance with Paragraph 4.2 of this Annex, engage an additional or replace an existing Subprocessor to process Personal Data. The updated list of Subprocessors relevant for the provision of the Services shall be notified to Company upon request and Company shall have the right to object to the use of any Subprocessor in writing within thirty (30) days of receipt of such notification. In the event that Company objects to the use of any Subprocessor which impacts Yahoo’s ability to provide all or part of the applicable Service(s), and the parties are not able to amicably address any such objection, Yahoo may terminate the impacted Service(s) on written notice to Company.
4.2 Yahoo shall, where it engages any Subprocessor in accordance with Section 4.1; (i) only use a Subprocessor that has provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)) and ensure the protection of the rights of Data Subjects; and (ii) impose, through a legally binding contract between Yahoo and Subprocessor, data protection obligations no less onerous than those set out in this Addendum (including those that apply pursuant to the applicable Standard Clauses) on the Subprocessor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR (and equivalent provisions of other Applicable Data Protection Law(s)). Yahoo acknowledges and agrees that if any Subprocessor fails to fulfil its obligations in the contract between Yahoo and Subprocessor, Yahoo shall remain liable to Company for the performance of the Subprocessor’s obligations.
5. Liability and Payment of Compensation
Yahoo shall indemnify Company from and against any damages incurred by Company as a result of any claim brought by a third party against the Company and caused by Yahoo’s breach of this Annex 2. In no event shall Yahoo’s total liability to Company under this Annex 2 exceed €5,000,000.00. Company shall have a duty to mitigate any losses or damages that may be incurred as a result of such breach under this Annex 2.
DETAILS OF YAHOO PROCESSING ACTIVITIES
| Subject Matter | Processing carried out in connection with the provision of the Services, being Custom Audience services, as detailed in the Services Description Page and/or the MSA. |
| Duration | The Term plus the period from the expiration of the Term until deletion of Company Data by Yahoo in accordance with the terms of this Addendum. |
| Nature & Purpose of the Processing | Yahoo will process Company Data for the purpose of providing the Services, i.e. to create custom audiences, for campaign optimization, for use with the Yahoo Audience Insights tool (or for any other purpose in connection with Company’s advertising campaigns), and any related technical support to Company in accordance with this Addendum. |
| Categories of Data Subjects | End users of Company’s (or the relevant controller’s) digital properties and/or current or prospective customers of Company (or the relevant controller). |
| Types of Personal Data | Unique hashed identifiers (e.g. mobile advertising IDs, hashed email addresses) |
| Subprocessors | Amazon Web Services Inc.; Google LLC; Taboola Inc. (for native advertising services only); Yahoo Affiliates. |