This Email Distribution Data Processing Addendum (“DPA”) is made as of the Effective Date by and between Great American Publishing Inc. dba Great American Media Services (“GAP” or “Publisher”) and Advertiser, and because Advertiser purchased email distributions services (“Services”) from Publisher, forms a material part of the Parties’ collective agreement, which also includes and is incorporated as if fully re-written herein, the Proposal and Advertising Services Agreement (hereinafter, and collectively, the “Agreement”).
4. Data Subject Request. Advertiser will assist Publisher with any data subject access, deletion, opt-out requests, objections, and any other right exercised by an individual pursuant to any Applicable Laws. If Advertiser receives any request from data subjects, regulators, or others relating to its processing of Personal Information, Advertiser will immediately inform Publisher and assist Publisher with developing a response (but Advertiser will not itself respond, except per instructions from Publisher). Advertiser will also assist Publisher with the resolution of any request or inquiries that Advertiser receives from data protection regulators relating to Advertiser and, if and to the extent requested by Publisher, cooperate with any regulators’ requests.
5. Information Breach. In the event of an unauthorized disclosure, release, access, or acquisition of Personal Information that compromises the security, confidentiality, or integrity of the Personal Information (“Security Incident”), Advertiser shall notify Publisher immediately but no later than forty-eight (48) hours after Advertiser or any of its subprocessors become aware of an actual or reasonably suspected Security Incident. Such notifications shall include, at a minimum, the following information to the extent known by the Advertiser and as it becomes available: (a) detailed description of the Security Incident, (b) the date or estimated date of the Security Incident, (c) the date range within which the Security Incident occurred, (d) the type of Personal Information that was the subject of the Security Incident, whether the notification was delayed as a result of a law enforcement investigation, and (f) the identity of each relevant data subject. Advertiser shall take immediate action to investigate the breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Incident in accordance with its obligations hereunder. Advertiser shall also provide Publisher with reasonable assistance to satisfy any legal obligations (including obligations to notify persons and any state or federal regulators) of Publisher in relation to such Security Incident.
6. Records and Audits. Advertiser shall maintain complete and accurate records regarding the processing it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with Applicable Laws. Advertiser will make available to Publisher all information requested by Publisher to demonstrate Advertiser’s compliance with the obligations set out in this DPA. Furthermore, unless otherwise required by Applicable Laws, upon at least thirty days prior written notice, at a time that minimizes business interruptions to Advertiser, and no more than once per year, Advertiser shall allow for and contribute to audits and inspections by Publisher or its designated agents as required for Publisher to establish both Publisher’s and Advertiser’s compliance with this DPA and Applicable Laws.
7. Data Security. Advertiser represents and warrants that it has and will maintain a comprehensive written information security program that: (i) complies with all Applicable Laws; (ii) contains reasonable and appropriate physical, technical, organizational and administrative safeguards to preserve and protect the confidentiality, security, accuracy, integrity, availability, and authenticity of the Personal Information and to protect against Security Incidents; and (iii) that Advertiser will strictly adhere to it at all times it possesses Publisher Personal Information.
8. Confidentiality. Advertiser shall ensure that all persons processing Personal Information on its behalf, including Advertiser’s and its subprocessors’ employees, agents, and contractors, are subject to a duty of confidence or are under an appropriate statutory obligation of confidentiality.
9. Deletion of Personal Information. At the termination or expiration of the Agreement or at the request of Publisher, Advertiser shall promptly either return or delete all Personal Information. Notwithstanding the foregoing, if Advertiser is required by Applicable Laws to retain any such Personal Information, Advertiser may retain the minimal amount of Personal Information required to comply with such Applicable Laws. In the event that Advertiser is required to retain any Personal Information after termination or expiration of the Agreement, Advertiser will continue to safeguard such Personal Information in accordance with Applicable Laws and the terms of this Addendum.
10. Confidentiality Advertiser shall ensure that all persons processing Personal Information on its behalf, including Advertiser’s and its subprocessors’ employees, agents, and contractors, are subject to a duty of confidence or are under an appropriate statutory obligation of confidentiality.
11. General Provisions.