Data Protection Addendum for RTB and Programmatic Partners
Last Update / Effective Date: May 29, 2024
To ensure that Taboola has appropriate data protection terms in place with our Programmatic and RTB Partners (each a “Partner”), Taboola provides this Data Protection Addendum (the “DPA”).
This DPA automatically supplements and forms part of the existing contractual business arrangement between Partner and Taboola relating to the provision of RTB and programmatic services (“Underlying Agreement”).
All capitalized terms used in this DPA, but not defined in this DPA shall have the meanings given to them in the Underlying Agreement. In the event of any conflict between this DPA and the Underlying Agreement, this DPA shall prevail to the extent of that conflict.
- Definitions
“Applicable Data Protection Laws” means any and all applicable federal, national, state, or other privacy and data protection laws as may be amended or superseded from time to time, including, if applicable and without limitation, the CCPA (as defined below) and European Data Protection Laws.
“CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199), as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 – 1798.199).
“Controller” means an entity that determines the purposes and means of processing of Personal Information, and includes any entity that processes Personal Information as a “business” or “third party” under the CCPA and CPRA.
“Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.
“European Data Protection Laws” means EU Data Protection Laws and UK Data Protection Laws.
“EU Data Protection Laws” means: (i) EU Regulation 2016/679 (the “EU GDPR”); (ii) EU Directive 2002/58/EC; and (iii) the national laws of each EEA member state made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the processing of personal data; in each case, as amended or superseded from time to time.
“Personal Information” means any information relating to an identified or identifiable natural person, and includes any information defined as “personal data” or “personal information” as defined under Applicable Data Protection Laws.
“Permitted Purpose” means the real-time bidding purposes, relating to the buying and selling of online advertisements in accordance with the Underlying Agreement, for which Taboola discloses or otherwise makes available Shared Data to Partner for processing, as set out in Annex I.
“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EU Restricted Transfer”); and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a “UK Restricted Transfer”).
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Shared Data.
“Sell” and “share” shall have the meanings set forth in the CCPA and CPRA and their implementing regulations.
“Shared Data” means the categories of Personal Information listed in Annex I to this DPA.
“Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum”).
“UK Data Protection Laws” means: (i) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iii) the Data Protection Act 2018; and (iv) any other laws in the UK made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the processing of personal data; in each case, as amended or superseded from time to time.
- Disclosure of data
Subject to Partner’s compliance with the Underlying Agreement and this DPA, Taboola will disclose or otherwise make available the Shared Data to Partner for Partner to process strictly for the Permitted Purpose.
- Relationship of the parties
The parties acknowledge that Taboola is a controller of the Shared Data that it discloses to Partner, and that Partner will process the Shared Data as a controller strictly for the Permitted Purpose.
- Partner Obligations
Partner warrants, represents and undertakes that:
(a) it will at all times Process the Shared Data only for the Permitted Purpose and in accordance with Applicable Data Protection Laws;
(b) it has no reason to believe that Applicable Data Protection Laws prevent it from fulfilling its obligations in regard to the Processing of Shared Data for the Permitted Purpose;
(c) if Partner determines it is unable to Process Shared Data for the Permitted Purpose in accordance with Applicable Data Protection Laws, it will promptly notify Taboola;
(d) it shall at all times present and maintain a publicly-accessible privacy notice on its website that complies with the requirements of Applicable Data Protection Laws, and that provides contact details where data subjects may raise enquiries relating to data protection;
(e) it shall enable data subjects to exercise their data protection rights in accordance with Applicable Data Protection Laws, including (without limitation) their right to object to processing of their Shared Data;
(f) in respect of any processing of Shared Data that is protected under European Data Protection Laws, it shall process Shared Data only where it has consent to do so, consistent with the requirements of European Data Protection Laws; and
(g) it shall implement appropriate technical and organizational measures, including, at a minimum, the measures set out in Annex II, to protect the Shared Data from and against a Security Incident.
- Reasonable and Appropriate Steps
Taboola may take reasonable and appropriate steps to ensure that Partner processes the Shared Data pursuant to the Underlying Agreement and this DPA in a manner consistent with Applicable Data Protection Laws.
If Partner is not in compliance with the Underlying Agreement, this DPA or Applicable Data Protection Laws, Taboola may take reasonable and appropriate steps to stop and remediate unauthorized use of Shared Data (including suspending or terminating the disclosure of Shared Data to Partner).
- Compliance with Applicable Law
Partner shall comply with Applicable Data Protection Laws, and shall provide the same level of privacy protection to the Shared Data as required by Applicable Data Protection Laws.
- Duty of cooperation
In the event that either party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence”) related to (a) the disclosure of the Shared Data for the Permitted Purpose; or (b) processing of Shared Data by the other party, it shall promptly inform the other party giving full details of the same, and the parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.
- Restricted Transfers from the EU and UK
To the extent that any transfer of Shared Data from Taboola to Partner is a Restricted Transfer, the Standard Contractual Clauses shall be incorporated into this DPA and apply as follows:
(a) where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between Taboola (as the data exporter) and Partner (as the data importer) as follows:
(i) Module One will apply;
(ii) in Clause 7, the optional docking Clause will apply;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vi) in Annex I:
(A) Parts A and B shall be deemed completed with the information set out in Annex A to this DPA;
(B) Part C shall be deemed completed in accordance with the criteria set out in Clause 13(a) of the EU SCCs; and
(vii) Annex II shall be deemed completed with the security measures set out in Annex B to this DPA.
(b) where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between the parties as follows:
(i) the EU SCCs, completed as set out above shall apply between the parties, and shall be modified by the UK Addendum (completed as set out in sub-clause (ii) below); and
(ii) tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the effective date of this DPA.
Partner will not make an onward Restricted Transfer of Shared Data to a third party unless it has done all such acts and things as are necessary to ensure that the Restricted Transfer is compliant with Applicable Data Protection Law and any Standard Contractual Clauses it has executed with Taboola.
Notwithstanding the above, if the Partner has certified under and complies with the DPF, transfers of Shared Data to Partner made under the DPF shall not be a Restricted Transfer. In such event, Partner will immediately notify Taboola if it fails to comply with its DPF certification or its DPF certification lapses or is otherwise invalidated, in which instance:
(a) any transfers of Shared Data from Taboola to Partner shall immediately be deemed a Restricted Transfer and the Restricted Transfer provisions above shall apply; and
(b) Taboola may, in its absolute discretion, elect to suspend or terminate transfers of Shared Data to Partner without penalty.
- Indemnification
Partner shall defend Taboola and its directors, officers, employees, agents, and clients (the “Taboola Indemnitees”) from and against any and all claims, demands, suits, proceedings, and actions brought by a third party relating to an allegation that Partner violated this DPA or Applicable Data Protection Laws, and shall indemnify the Taboola Indemnitees for all damages, losses, costs, and expenses (including reasonable attorneys’ fees) incurred by the Taboola Indemnitees arising out of or resulting from such claim.
- Miscellaneous
Partner is solely liable for its own compliance with Applicable Data Protection Laws in its processing of the Shared Data.
In the event of any changes to Applicable Data Protection Laws, Taboola may amend and update this DPA where and to the extent necessary to comply with such changes in Applicable Data Protection Laws.
With effect from the effective date of this DPA, references to the “Agreement” in this DPA or the Underlying Agreement shall mean the Underlying Agreement as supplemented by this DPA.
ANNEX I
Data Sharing Description
A. LIST OF PARTIES
| Taboola – Data exporter(s) | |
| --- | --- |
| Name: | See Taboola’s details set out in the Underlying Agreement. |
| Address: | See Taboola’s details set out in the Underlying Agreement. |
| Contact person’s name, position and contact details: | privacy@taboola.com |
| Activities relevant to the data transferred under these Clauses: | Disclosure of Shared Data for the Permitted Purpose. |
| Signature and date: | This DPA shall automatically be deemed executed upon execution of the Underlying Agreement. |
| Role (controller/processor): | Controller. |

| Partner – Data importer: | |
| --- | --- |
| Name: | See Partner’s details set out in the Underlying Agreement. |
| Address: | See Partner’s details set out in the Underlying Agreement. |
| Contact person’s name, position and contact details: | See Partner’s details set out in the Underlying Agreement. |
| Activities relevant to the data transferred under these Clauses: | Receipt and processing of Shared Data for the Permitted Purpose. |
| Signature and date: | This DPA shall automatically be deemed executed upon execution of the Underlying Agreement. |
| Role (controller/processor): | Controller. |
B. DESCRIPTION OF TRANSFER
| Description of Transfer | |
| --- | --- |
| Categories of data subjects whose personal data is transferred | Visitors to digital properties (such as websites and mobile applications) owned by customers of Taboola and who have integrated Taboola’s advertising technologies on those properties. |
| Categories of personal data transferred | Pre-partnership Integration: ; Bid request includes: ; Calling Tag Partners: |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures | Not applicable. |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous for the duration of the Underlying Agreement. |
| Nature of the processing | Processing of Shared Data by Partner for the purposes of real-time bidding in order to buy and sell advertising inventory on digital properties of Taboola’s customers. |
| Purpose(s) of the data transfer and further processing | Partner processes Shared Data for the following purposes: |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | For the duration of the Underlying Agreement and as otherwise required by applicable law. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Not applicable. |
C. COMPETENT SUPERVISORY AUTHORITY
| Competent Supervisory Authority | |
| --- | --- |
| Competent supervisory authority where the EU GDPR applies | The competent supervisory authority shall be determined in accordance with Clause 13 of Module 1 of the EU Standard Contractual Clauses. |
| Competent supervisory authority where the UK GDPR applies | The Information Commissioner’s Office |
ANNEX II
Security Measures
Description of the technical and organisational measures implemented by each party (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Partner represents and warrants that it has appropriate technical and organisational measures substantially similar to Taboola’s security measures denoted below.
Measures of pseudonymisation and encryption of personal data: Taboola collects only pseudonymized data, which means we do not know who you are because we do not know or process the user’s name, email address, or other identifiable data. User information that we collect includes, but is not limited to, information about a user’s device and operating system, IP address, the web pages accessed by users within our customers’ websites, the link that led a user to a customer’s website, the dates and times a user accesses a customer’s website, and other web browsing data. The CookieID is anonymized using Bcrypt and the IP address is truncated.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Taboola uses multiple layers of electronic security (e.g. endpoint security, server-side security, detection tracking, periodic penetration tests, and in-depth intelligence gathering to review post-mortem events).
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Taboola maintains 9 data centers operating around the world. Data is replicated across all of the data centers, so if one goes down the data can be retrieved from another data center.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: Taboola maintains strict processes for testing the effectiveness of its controls (both technical and organizational). We have system logging and monitoring in place, DR testing at least monthly, quarterly penetration tests, firewalls protecting the web tier, and honeypots spread across the network to detect any malicious activity. Moreover, we have a bug bounty program in place which helps us to constantly monitor our network.
Measures for user identification and authorisation: Every user in Taboola is associated with a dedicated username and password. Every access to Taboola’s internal network is done with 2FA using Google authentication. Users are created only by the IT department, during the onboarding process and only after receiving all details and signed contract from the HR department.
Measures for the protection of data during transmission: Taboola supports any data transmission through secure transmission protocols (HTTPS and TLS v1.2 at the minimum). Furthermore, systems which might contain PII are secured and data is kept hashed and anonymized.
Measures for the protection of data during storage: Data that is stored within our databases is anonymized and hashed using Bcrypt. Access to the DB is minimized and based according to the ‘business need to know’ principle.
Measures for ensuring physical security of locations at which personal data are processed: Each of Taboola’s global data centres (in US, Europe, and Asia), has all its servers located in locked cabinets that are maintained exclusively for Taboola’s use. These cabinets are maintained by companies that are either SOC2-certified or Taboola has reviewed their security measures. Further, any access to the servers requires written, logged permission. All Taboola offices are also controlled, and require employees to use access cards to enter. Furthermore, only a limited number of employees have access to Taboola’s servers and any access also requires written, logged permission.
Measures for ensuring events logging: Taboola implements monitoring tools, and logs are gathered into our SIEM system, which alerts us on any suspicious event and is also monitored by the NOC team.
Measures for ensuring system configuration, including default configuration: Servers are scanned for both configuration drift and patch level. Reporting and/or alerting are set up for both, and the relevant patch level is confirmed. New patches are distributed using Puppet. All technical reviews are managed through the R&D application and go through a formal process of review (QA) after coding; CI/CD processes are implemented as well.
Measures for internal IT and IT security governance and management: Taboola is ISO/IEC 27001:2013 and ISO/IEC 27701:2019 certified. Taboola has an Information Security Policy in place which states that the Board of Directors and management of Taboola are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation. Taboola holds security trainings for all new employees, phishing trainings for all employees globally, regular security trainings for all employees, and dedicated sessions for R&D groups.
Measures for certification/assurance of processes and products: Quarterly, semi-annual and yearly internal audits on multiple processes and systems to validate that Taboola is complying with the security goals and measures it has defined.
Measures for ensuring data minimisation: Taboola intentionally limits the data that we collect as part of Taboola’s global data minimization principles of processing only the limited data needed for our specific business purposes. Furthermore, Taboola does not have the ability, nor any business need, to “reverse engineer” any of the data points used in our algorithm in order to provide our services. More specifically, the data points that Taboola collects are never indicative of a user’s identity — as Taboola does not collect or process information such as user’s name, phone number, email, or physical addresses. Instead, Taboola collects only pseudonymous identifiers, which merely identify characteristics about a user’s device. This includes IP addresses (which are truncated upon collection and can only identify the device’s general zip code location, but never a precise geolocation) and, in some limited instances, hashed email addresses (which are inherently irreversible and cannot be decrypted to reveal the original email address). Moreover, even when used collectively, the data that we collect can never produce an individual’s name, phone number, email, or physical address, and our engineers do not work in any way to accomplish this goal. Additionally, Taboola makes and records privacy impact assessments in an effort to minimize the privacy risks of our services, processes, and policies.
Measures for ensuring data quality: The data is collected directly from the user and the user is given the opportunity to correct any data associated with their CookieID via the Taboola Subject Access Request Portal: https://accessrequest.taboola.com/access
Measures for ensuring limited data retention: We retain user information, which is directly collected for purposes of serving ads, for at most thirteen (13) months from the user’s last interaction with our services (often for a shorter period of time), after which time we de-identify the data by removing unique identifiers or aggregating the data. This process is done automatically.
Measures for ensuring accountability: Taboola performs multiple security audits and penetration tests (but not for all systems). Taboola also uses cloud providers that are ISO-certified and that comply with other cloud-relevant certifications for maintaining a server’s physical safeguards.
Measures for allowing data portability and ensuring erasure: Taboola treats media disposal the same for all kinds of media, as any media might contain PII. Any media must be fully wiped before being reused or disposed of. Any media disposal is documented. Employees are instructed not to print any paper which might contain personal information.