ROKT® European Data Processing Agreement
Version: October 2023
This Data Processing Agreement (“DPA”) is effective as of the date of the underlying Rokt Platform Services Agreement or Rokt Ecommerce Services Agreement (as applicable) (“ESA”) covering the applicable Services (as defined therein) between the Partner and Rokt (inclusive of any and all schedules, attachments, addendums, amendments, exhibits, order forms and statements of work, the “Agreement”), or by otherwise accepting or using the Rokt Services described therein. You, on behalf of your company specified in the Agreement, agree to be bound by this DPA, with Rokt Pte Ltd ("Rokt SG"). All capitalized terms that are used, but not defined, in this DPA shall have the meaning given to them in the Agreement.
1. Background
1.1 If: (i) the Partner is established in the European Union or the United Kingdom, (ii) any data processed in the provision of the Services contains any personal data of individuals in the European Union or the United Kingdom, or (iii) if European Privacy Law or UK Privacy Law otherwise applies to such personal data, (“UK and European Personal Data”) then the provisions of this DPA shall apply and will take priority over any of the provisions of Clause 11 (Privacy) of the Agreement if and to the extent only of any conflict or inconsistency between them.
1.2 Partner will use the Rokt Platform pursuant to the ESA, and in connection with such usage and with Rokt’s provision of the Services, Rokt SG will have access to and process certain UK and European Personal Data. The UK and European Personal Data that Rokt SG will process in providing the Services is described in Annex A to this DPA.
1.3 Each party shall comply with its obligations under this DPA with respect to the types of European Personal Data that it processes and according to its responsibilities as controller, joint controller or processor (as appropriate) for the relevant European Personal Data.
1.4 The parties agree that:
- (a) Partner shall be a “controller” under European Privacy Law and UK Privacy Law with regard to European Personal Data, described in Annex A, constituting Partner Data (as defined in the Agreement), that is processed in connection with the Services (“Partner European Personal Data”);
- (b) Subject to paragraph (c), Rokt SG shall be a “processor” under European Privacy Law and UK Privacy Law with regard to Partner European Personal Data;
- (c) Rokt SG and Partner shall both be independent “controllers” under European Privacy Law and UK Privacy Law with regard to the limited subset of Partner European Personal Data collected following the End Customer’s acceptance or opting in to the Advertiser’s or Provider’s offer or promotion (“Referral Data”), but Rokt SG may use Referral Data solely as necessary to deliver or facilitate such offer or promotion in Rokt SG’s provision of the Services;
- (d) Rokt SG shall be a “controller” under European Privacy Law and UK Privacy Law with regard to the Rokt Data; and
- (e) Rokt and Partner shall each be a “controller” under European Privacy Law and UK Privacy Law with regard to Derived Data to the extent necessary to meet their respective obligations as described in Annex A to this DPA.
1.5 This DPA shall be governed by: (a) the laws of England and Wales if and to the extent that this DPA applies to UK and European Personal Data to which UK Privacy Laws apply; and (b) the laws of Ireland if and to the extent that this DPA applies to UK and European Personal Data to which European Privacy Laws apply.
1.6 The parties shall submit to: (a) the non-exclusive jurisdiction of the courts of England if and to the extent that the laws of England and Wales apply to this DPA; and (b) the non-exclusive jurisdiction of the courts of Ireland if and to the extent that the laws of Ireland apply to this DPA, save to the extent provided in clause 5 of this DPA.
2. Security
Rokt SG shall implement appropriate technical and organisational measures designed to protect the Partner European Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to, the Partner European Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and shall include the security measures described in Annex B (Minimum Security Measures) to this DPA.
3. Controller obligations
3.1 Whenever a party is acting in a capacity as a controller in relation to European Personal Data, it shall comply in all respects with European Privacy Law and UK Privacy Law (as appropriate) including by processing such data fairly and lawfully.
3.2 A controller shall provide assistance reasonably requested by the other party (and at that other party’s cost) in order for that other party to comply with European Privacy Law and UK Privacy Law (as appropriate), including with respect to data subject access requests and privacy notices.
3.3 The parties agree that they do not intend to act as “joint controllers” with respect to any European Personal Data. However, if and to the extent that the parties are acting as joint controllers with each other in relation to any European Personal Data, they shall each provide all assistance reasonably requested by the other party in order for that other party to comply with its obligations under European Privacy Law and UK Privacy Law (as appropriate), including with respect to data subject access requests, and cooperate to ensure that each data subject is given any notices that are required under European Privacy Law or UK Privacy Law (as appropriate) with respect to the processing that each of the parties undertakes.
4. Processor obligations
4.1 Purpose limitation
Rokt SG shall process the Partner European Personal Data as necessary to perform its obligations under the Agreement, for such other purposes as may be described in this DPA (including Annex A) and in accordance with the documented instructions of the Partner (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) or UK law (as applicable). Rokt SG shall inform the Partner if, in its opinion, an instruction infringes European Privacy Law or UK Privacy Law (as appropriate).
4.2 Confidentiality of processing
Rokt SG shall ensure that any person that it authorises to process the Partner European Personal Data (including Rokt’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person access to Partner European Personal Data who is not under such a duty of confidentiality.
4.3 Subprocessing
Rokt SG may subcontract its processing of Partner European Personal Data to a third party subprocessor without the prior written consent of the Partner. Rokt SG shall however inform the Partner when it adds to or removes the subprocessors (which may be done via a website link notified to the Partner) in order to give the Partner the opportunity to object to the appointment of the subprocessor. Notwithstanding anything to the contrary in the foregoing, the Partner consents and authorizes Rokt SG to use the subprocessors listed at https://rokt.com/rokt-subprocessors/ in its provision of the Services. Rokt SG shall be solely responsible for fulfilling its obligations under this DPA despite the use of any subprocessors.
4.4 Data subjects’ rights
Rokt SG shall:
- (a) respond to any verified and valid request from a data subject to exercise its rights to object or of erasure under European Privacy Law or UK Privacy Law (as appropriate) by deleting all personal data held by Rokt SG that relates to the data subject and is contained within the Partner European Personal Data; provided that Rokt SG may retain personal data as described in this DPA (including Annex A); and
- (b) provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the Partner (at the Partner’s expense) to enable the Partner to respond to: (i) any verified and valid request from a data subject to exercise any of its other rights under European Privacy Law or UK Privacy Law (as appropriate), including its rights of access, correction, and data portability, as applicable; and (ii) any written correspondence, enquiry or complaint received from a regulator in connection with the processing of the Partner European Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Rokt SG, Rokt SG shall promptly do either or both of the following: inform the Partner of the request, correspondence, enquiry or complaint; or direct the data subject or regulator to contact the Partner.
4.5 Data Protection Impact Assessment
If Rokt SG believes or becomes aware that its processing of Partner European Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the Partner and provide the Partner with all such reasonable and timely assistance (at the Partner’s expense) as the Partner may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
4.6 Security incidents
Upon becoming aware of a confirmed Security Incident, Rokt SG shall inform the Partner without undue delay and shall provide all such timely information and cooperation as the Partner may reasonably require in order for the Partner to fulfil its data breach reporting obligations under (and in accordance with the timeline required by) European Privacy Law or UK Privacy Law (as appropriate).
4.7 Deletion or return of Partner European Personal Data
Upon termination or expiry of the ESA, Rokt SG shall (if the Partner so requests) destroy or return to the Partner all Partner European Personal Data (including all copies of the same) in its possession or control (including any Partner European Personal Data subcontracted to a third party for processing) for which Rokt SG is acting as a processor. This requirement shall not apply to the extent that: (i) Rokt SG is acting as a controller under European Privacy Law or UK Privacy Law with respect to Referral Data in accordance with this DPA; or (ii) Rokt SG is required by any EU (or any EU Member State) or UK law to retain some or all of that European Personal Data, or Rokt SG retains Partner European Personal Data for the purposes of establishment, exercise or defence of legal claims, in which event Rokt SG shall protect the European Personal Data from any further processing except to the extent required by such law.
4.8 Records
Where required by European Privacy Law or UK Privacy Law (as appropriate), Rokt SG shall maintain a record of all categories of processing activities carried out on behalf of the Partner (“Processing Records”) and Rokt SG shall make available the Processing Records to the Partner within ten (10) working days following receipt of a request for such Processing Records from the Partner.
4.9 Audit
Rokt SG shall permit the Partner (or its appointed third party auditors) to audit at the Partner’s own expense Rokt SG’s compliance with this DPA, and shall make available to the Partner all information, systems and staff necessary for the Partner (or its third party auditors) to conduct such audit. Rokt SG acknowledges that the Partner (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that the Partner gives Rokt SG 30 days’ prior written notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Rokt SG’s operations. The Partner will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the Partner reasonably believes a further audit is necessary due to a Security Incident suffered by Rokt SG.
5. International transfers
5.1 No Restricted Transfer shall be permitted under this DPA except in accordance with this clause 5.
5.2 Where a Restricted Transfer occurs, then the Relevant Transfer Agreement will be incorporated into this Agreement by reference and will apply to the processing and will take priority to the extent of any conflict or inconsistency with this Agreement. The Relevant Transfer Agreement shall be deemed entered into (and incorporated into this DPA by this reference) between the transferring Data Exporter and the Data Importer and shall be completed as follows:
- a. Where the transfer involves the processing of personal data subject to European Privacy Law between the Data Exporter as controller and the Data Importer as a separate and independent controller, the EU SCCs will be completed as follows:
  - i. Module One will apply;
  - ii. in clause 7, the optional docking clause will apply;
  - iii. in clause 11, the optional language will not apply;
  - iv. in clause 17 (Option 1), the EU SCCs will be governed by Irish law;
  - v. in clause 18(b), disputes shall be resolved before the courts of Ireland;
  - vi. in Annex I, with the information set out in Annex A to this DPA; and in Annex II with the security measures agreed in the Partner Agreement or set out in Annex B (as applicable).
- b. Where the transfer involves the processing of personal data subject to UK Privacy Law between the Data Exporter as controller and the Data Importer as a separate and independent controller, the UK Addendum will be completed as follows:
  - i. The EU SCCs, completed as set out above in clause 5.2(a) of this DPA, shall apply and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of such transfer.
  - ii. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 5.2(a) as applicable, in Annex A, in Annex B and the security measures agreed in the Partner Agreement (as applicable), and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
- c. Where the transfer involves the processing of personal data subject to European Privacy Law between the Data Exporter as controller and the Data Importer as processor, the EU SCCs will be completed as follows:
  - i. Module Two will apply;
  - ii. in clause 7, the optional docking clause will not apply;
  - iii. in clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 4.3 of this DPA;
  - iv. in clause 11, the optional language will not apply;
  - v. in clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  - vi. in clause 18(b), disputes shall be resolved before the courts of Ireland;
  - vii. in Annex I, with the information set out in Annex A to this DPA; and in Annex II with the security measures agreed in the Partner Agreement or set out in Annex B (as applicable).
- d. Where the transfer involves the processing of personal data subject to UK Privacy Law between the Data Exporter as controller and Data Importer as processor, the UK Addendum will be completed as follows:
  - i. The EU SCCs, completed as set out above in clause 5.2(c) of this DPA, shall apply and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of such transfer.
  - ii. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 5.2(c) (as applicable) in Annex A, in Annex B and the security measures agreed in the Partner Agreement (as applicable), and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Data Exporter".
  - iii. In the event that any provision of this DPA contradicts, directly or indirectly, the Relevant Transfer Agreement, the Relevant Transfer Agreement (as applicable) shall prevail.
5.3 If either party wishes to participate in any other Restricted Transfer of the European Personal Data including to any of its Affiliates (whether as an importer or exporter), it may only do so where the Restricted Transfer is made in full compliance with European Privacy Law and/or UK Privacy Law (as applicable) and pursuant to the Relevant Transfer Agreement implemented between the relevant exporter and importer of the European Personal Data.
6. Consents
Where required under local laws, the Partner shall include the relevant disclosures for the operation of the Rokt Placement to each End Customer; in which case Rokt SG will provide directions with respect to the form of consent and information about how End Customers’ device information is processed to be included in relevant disclosures.
7. Costs
Each party shall bear its own costs for complying with its obligations under this DPA, unless otherwise stated, and shall not be entitled to charge any additional fees to the other party for such compliance, except as may otherwise be expressly agreed in writing by the other party.
8. Definitions
In this DPA:
- (i) "Data Exporter" means a party to the ESA that discloses European Personal Data to the other party;
- (ii) “Data Importer” means a party to the ESA that receives European Personal Data from the other party;
- (iii) "EU Adequacy Finding" means a decision by the European Commission under European Privacy Law in relation to a country, territory or international organisation or one or more specified sectors that ensures an adequate level of protection for personal data;
- (iv) "Restricted Transfer" means where Rokt SG is processing Partner European Personal Data: (a) that is subject to European Privacy Law in a territory or sector which is not subject to an EU Adequacy Finding; or (b) that is subject to UK Privacy Law in a territory or sector that is not subject to a UK Adequacy Finding;
- (v) "Relevant Transfer Agreement" means: (a) in the case of a Restricted Transfer subject to European Privacy Law, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision (EU) 2021/914, as amended, re-enacted, replaced or superseded from time to time ("EU SCCs"); and (b) in the case of a Restricted Transfer subject to UK Privacy Law, the standard contractual clauses or a form of international data transfer agreement for the transfer of personal data to third countries approved under the regulations in the United Kingdom, specifically, the "UK Addendum to the EU Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018 as amended, re-enacted, replaced or superseded from time to time ("UK Addendum").
- (vi) "UK Adequacy Finding" means any regulations made by the Secretary of State under Section 17A of the Data Protection Act 2018 that a country, territory, international organisation or sector ensures an adequate level of protection for personal data.
All other capitalised terms that are used but not defined in this DPA shall have the meaning given to them in the ESA.
9. ANNEX A TO DPA
Partner European Personal Data – Data Processing Description
This Annex A forms part of the DPA and describes the data processing that Rokt SG will perform.
Derived Data – Respective Controller Obligations under European Privacy Law and UK Privacy Law
10. ANNEX B TO DPA
Minimum Security Measures