EMAIL DISTRIBUTION DATA PROCESSING ADDENDUM

This Email Distribution Data Processing Addendum (“DPA”) is made as of the Effective Date by and between Great American Publishing Inc. dba Great American Media Services (“GAP” or “Publisher”) and Advertiser, and because Advertiser purchased email distributions services (“Services”) from Publisher, forms a material part of the Parties’ collective agreement, which also includes and is incorporated as if fully re-written herein, the Proposal and Advertising Services Agreement (hereinafter, and collectively, the “Agreement”).

1. Definitions. Capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
2. Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Personal Information under this DPA, Publisher is the “Business” or “Controller” and Advertiser is the “Service Provider” or “Processor” as defined by Applicable Laws.
3. Details of Processing, Including Restriction.

• 3.1 Publisher grants Advertiser a nonexclusive, nontransferable limited right to use its email database of clients/leads, which may contain Personal Information (“Publisher’s Personal Information”), for the purpose of communicating marketing content to advertise Advertiser’s products and services subject to the terms in the Agreement, including those herein.
• 3.2 Advertiser is prohibited from processing Personal Information for any purpose other than the specific purpose as specific in Section 3.1 of this Email Distribution Data Processing Addendum specified in the Agreement. In processing or otherwise accessing any of Publisher’s Personal Information, Advertiser  shall: (i) comply with applicable obligations under Applicable Laws; (ii) provide at least the same level of privacy protection to Publisher’s Personal Information as is required by this Agreement and Applicable Laws and as it provides to its confidential information, trade secret information, and Personal Information; (iii) allow Publisher all rights, including rights of access to its facilities and records, to take reasonable and appropriate steps to help to ensure that Advertiser’s access and/or use of  Publisher’s Personal Information is consistent with Publisher’s obligations under this DPA and Applicable Laws; (iv) shall notify Publisher in writing of any determination made by Advertiser that it can no longer meet its obligations under this DPA or Applicable Laws; and (v) allow Publisher, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
• 3.3 To the extent Publisher provides Advertiser with any information that personally identifies an individual as having purchased, leased, rented, or borrowed written books or other written materials, including magazines (“Subscriber Information”), Advertiser will not share, sale, rent, provide, disclose or otherwise transfer any such Subscriber Information to any individual or entity. To the extent Advertiser does it will be fully and solely responsible for any resulting liability and  will defend, and hold Publisher harmless from and against any and all losses, claims, liability, etc., arising out of its sharing, selling, renting, providing, disclosing or transferring such Subscriber Information.
• 3.4 Advertiser agrees that all Services are provided to Advertiser by Publisher within the United States of American (“U.S.”) and that, with respect to the Publisher Personal Information, Advertiser may not : (a) sell or share any Publisher Personal Information, (b) retain, use or disclose any Publisher Personal Information for any purpose beyond the scope of their business relationship as described the Agreement, (c) combine any Publisher Personal Information with data Advertiser receives from any other source unless contractual, specific statutory or regulatory exceptions apply; (d) transfer, cause or allow to be transferred any Publisher Personal Information outside the US. For the purpose of this DPA, “share” means to use or allow for use for the purpose of allowing or otherwise engaging in cross-context behavioural advertising.
• 3.5 Advertiser is prohibited from using sub-processors with respect to any Publisher Personal Information.

4. Data Subject Request. Advertiser will assist Publisher with any data subject access, deletion, opt-out requests, objections, and any other right exercised by an individual pursuant to any Applicable Laws. If Advertiser receives any request from data subjects, regulators, or others relating to its processing of Personal Information, Advertiser will immediately inform Publisher and assist Publisher with developing a response (but Advertiser will not itself respond, except per instructions from Publisher). Advertiser will also assist Publisher with the resolution of any request or inquiries that Advertiser receives from data protection regulators relating to Advertiser and, if and to the extent requested by Publisher, cooperate with any regulators’ requests.

5. Information Breach. In the event of an unauthorized disclosure, release, access, or acquisition of Personal Information that compromises the security, confidentiality, or integrity of the Personal Information (“Security Incident”), Advertiser shall notify Publisher immediately but no later than forty-eight (48) hours after Advertiser or any of its subprocessors become aware of an actual or reasonably suspected Security Incident. Such notifications shall include, at a minimum, the following information to the extent known by the Advertiser and as it becomes available: (a) detailed description of the Security Incident, (b) the date or estimated date of the Security Incident, (c) the date range within which the Security Incident occurred, (d) the type of Personal Information that was the subject of the Security Incident, whether the notification was delayed as a result of a law enforcement investigation, and (f) the identity of each relevant data subject.  Advertiser shall take immediate action to investigate the breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Incident in accordance with its obligations hereunder.  Advertiser shall also provide Publisher with reasonable assistance to satisfy any legal obligations (including obligations to notify persons and any state or federal regulators) of Publisher in relation to such Security Incident.

6. Records and Audits. Advertiser shall maintain complete and accurate records regarding the processing it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with Applicable Laws. Advertiser will make available to Publisher all information requested by Publisher to demonstrate Advertiser’s compliance with the obligations set out in this DPA. Furthermore, unless otherwise required by Applicable Laws, upon at least thirty days prior written notice, at a time that minimizes business interruptions to Advertiser, and no more than once per year, Advertiser shall allow for and contribute to audits and inspections by Publisher or its designated agents as required for Publisher to establish both Publisher’s and Advertiser’s compliance with this DPA and Applicable Laws.

7. Data Security. Advertiser represents and warrants that it has and will maintain a comprehensive written information security program that: (i) complies with all Applicable Laws; (ii) contains reasonable and appropriate physical, technical, organizational and administrative safeguards to preserve and protect the confidentiality, security, accuracy, integrity, availability, and authenticity of the Personal Information and to protect against Security Incidents; and (iii) that Advertiser will strictly adhere to it at all times it possesses Publisher Personal Information.

8. Confidentiality. Advertiser shall ensure that all persons processing Personal Information on its behalf, including Advertiser’s and its subprocessors’ employees, agents, and contractors, are subject to a duty of confidence or are under an appropriate statutory obligation of confidentiality.

9. Deletion of Personal Information. At the termination or expiration of the Agreement or at the request of Publisher, Advertiser shall promptly either return or delete all Personal Information. Notwithstanding the foregoing, if Advertiser is required by Applicable Laws to retain any such Personal Information, Advertiser may retain the minimal amount of Personal Information required to comply with such Applicable Laws. In the event that Advertiser is required to retain any Personal Information after termination or expiration of the Agreement, Advertiser will continue to safeguard such Personal Information in accordance with Applicable Laws and the terms of this Addendum.

10. Confidentiality Advertiser shall ensure that all persons processing Personal Information on its behalf, including Advertiser’s and its subprocessors’ employees, agents, and contractors, are subject to a duty of confidence or are under an appropriate statutory obligation of confidentiality.

11. General Provisions.

• 11.1 The General Provisions of the Advertising Services Agreement are incorporated as if fully re-writing herein.
• 11.2 All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory, and other obligations of Advertiser. Advertiser hereby certifies that it understands its obligations as detailed in this DPA and will comply with them, and that it has no reason to believe that it will not be able to comply.
• 11.3 If there is a conflict between the Proposal, Advertising Services Agreement, and Email Distribution Data Processing Addendum, the order or priority shall be Email Distribution Data Processing Addendum, Proposal, and then Advertising Services Agreement.
• 11.4 This Advertising Services Agreement becomes effective on the data Advertiser executes the Proposal (the “Effective Date”).