TABOOLA PRIVACY ADDENDUM

This Taboola Privacy Addendum (the “Addendum”) is entered as of May 11, 2018 (the “Addendum Effective Date”), by and between you, the advertiser (“Advertiser”), and the Taboola legal entity (“Taboola”) that signed the Digital Advertising Insertion Order or any other advertising insertion order or agreement entered into between Advertiser and Taboola (the “Underlying Agreement”), and shall be incorporated into the Underlying Agreement. As used herein, all terms, except as otherwise indicated, shall have the respective meanings ascribed to them in the Underlying Agreement.

Whereas, the European Union has passed the General Data Protection Regulation (defined below) to replace the Data Protection Directive 95/46/EC and harmonize data privacy laws across Europe;

Whereas, enforcement of the European Union’s General Data Protection Regulation, which has global implications on the processing of Personal Data (defined below), shall begin on May 25, 2018;

Whereas, Taboola processes Personal Data in connection with its provision of services to Advertiser; and

Whereas, the Parties wish to outline their respective responsibilities and positions with respect to EU Privacy Law (defined below).

Now therefore, for good and valuable consideration, the sufficiency and receipt of which is hereby acknowledged, Advertiser and Taboola agree to add the following provisions to the Underlying Agreement, notwithstanding anything to the contrary in the Underlying Agreement:

 

  1. Privacy and Data Protection
    1. Definitions. In this Section, the following definitions shall apply:
      1. “Controller” shall mean an entity that determines the purposes and means of the processing of Personal Data;
      2. “Personal Data” shall mean any information that relates to an identified or identifiable individual (and such term shall include, where required by Applicable Data Protection Law, unique browser or device identifiers);
      3. “Applicable Data Protection Laws” means any and all applicable federal, national, state or other privacy and data protection laws (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time; and
      4. “EU Data Protection Law” means (i) prior to May 25, 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after May 25, 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any national data protection laws made under or pursuant to (i), (ii), or (iii).
    2. Application of Data Protection Law. The Parties acknowledge that some or all of the Collected Data (as defined below in Section 1.d) may qualify as, or include, Personal Data and that Applicable Data Protection Laws may apply to the processing of the Collected Data. Where this is the case, each Party shall comply with such Applicable Data Protection Laws with respect to its processing of the Collected Data.
    3. Relationship of the Parties. To the extent that the Collected Data qualifies as, or contains, Personal Data under Applicable Data Protection Laws, each Party shall process the Collected Data it collects as an independent Controller. In no event shall the Parties process the Collected Data as joint Controllers. Each Party shall be individually responsible for its own compliance with Applicable Data Protection Laws, including for providing any transparency and obtaining any consents for the processing of Collected Data that may be required under Applicable Data Protection Laws.
    4. Data Ownership. As between the Parties, each Party owns all data that such Party collects (as to each, the “Collected Data”). As to Taboola, such data may include, without limitation: information collected from Visitors when interacting with Advertiser’s websites (such as landing page or ubsequent page visits, clicks, or conversion data). The foregoing shall further include any reports created, compiled, analyzed, or derived by a Party with respect to such viewing. Taboola’s data collection practices are reflected in its privacy policy, which Taboola recommends that Advertiser review from time to time. Notwithstanding the foregoing ownership provisions, Taboola agrees to not disclose any Campaign-related data to any third party (except for the owners of the Taboola Publisher Websites for reporting and analytic purposes), for any commercial purpose, on a non-Aggregated basis (i.e., in a way that refers specifically to Advertiser, the Campaign or any Advertiser brand). Further, notwithstanding the foregoing ownership provisions, Advertiser shall not use its Collected Data to create any commercial product or dataset based (in whole or in part) on audience or user profiles derived from the Collected Data (for instance, to infer that a particular user may have a particular interest, or be a member of a particular demographic) provided that Advertiser may use the Collected Data may be used for purposes of Campaign attribution, optimization and analytics and/or performance metrics.
    5. Taboola Pixels. Advertiser may place a Taboola pixel(s) or other tracking technology, as mutually agreed to by the Parties, (the “Pixels”) on Advertiser’s landing pages. Taboola may update, change, or substitute the Pixel at any time in its reasonable discretion provided that it does not disrupt the functioning of Advertiser’s landing page and serves the same purpose. Taboola will use such Pixels for operational purposes such as to collect conversion data, perform platform analytics, integrate and link data (e.g., to enable Advertiser Content to be targeted in an optimal way), and otherwise optimize the manner in which it collects, segments, or targets the Advertiser Content. For avoidance of doubt, Taboola may create derivative data products and data models (e.g., segmentation and optimization models) from these Pixels, which it shall own, provided that all right, title, and interest in any Advertiser Content (in whole an in part) shall be and remain with Advertiser.
    6. Purpose Limitation. Each Party agrees that it shall process the Collected Data it collects only for the purposes permitted by this Agreement (as described in this Section) and Applicable Data Protection Law.
    7. Security. Each Party shall implement appropriate technical and organizational measures to protect the Collected Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data.
    8. International Transfers. Where EU Data Protection Law applies, neither Party shall process its Collected Data (nor permit its Collected Data to be processed) in a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring its Collected Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with EU Data Protection Law, to a recipient in the United States that has certified compliance with the EU-US Privacy Shield framework, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
    9. Consent for Pixels. Taboola uses Pixels (as defined above) to provide its services. Advertiser shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Advertiser places Taboola Pixels so that Taboola can provide its services lawfully through such properties. Upon written request, Taboola shall provide Advertiser with such information as Advertiser may reasonably require about Taboola’s Pixels so that Advertiser can ensure that appropriate notice and consent mechanisms are displayed. Advertiser shall not fire any Taboola Pixels unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.

Except as set forth herein, the Underlying Agreement is hereby ratified and affirmed in all respects and shall remain in full force and effect. To the extent there is a conflict between the terms of the Underlying Agreement and this Addendum, the terms of this Addendum shall govern and prevail.