Taboola's Publisher Privacy Terms
Last Update:Effective Date: October 10, 2024
These Taboola Publisher Privacy Terms (“Publisher Privacy Terms”) apply to Taboola’s digital advertising services, such as when Taboola places Advertiser content on Publisher properties, including, but not limited to, Publisher products and services like Taboola Newsroom, Header Bidding, Taboola Home Page 4 You, Taboola News, and Taboola Push, pursuant to an agreement between Taboola and a Publisher (“Agreement”), and these Publisher Privacy Terms shall be deemed incorporated into, and form an integral part of, any such Agreement. These Publisher Privacy Terms identify Taboola and Publisher’s roles and responsibilities with respect to Personal Data.
- Order of Precedence. Should there be a conflict between the Publisher Privacy Terms and the Agreement, the Publisher Privacy Terms will govern unless the conflicting provision in the Agreement expressly references the conflicting provision of these Publisher Privacy Terms and specifies that it supersedes the conflicting provision.
- Definitions. Terms defined in this section shall have the meanings set out below, and cognate terms shall be construed accordingly. Capitalized terms used but not defined in the Publisher Privacy Terms shall have the meanings defined in the Agreement.
- “Applicable Data Protection Laws” means any and all applicable federal, national, state, or other privacy and data protection laws that apply to Processing which is the subject of the Agreement and these Publisher Privacy Terms, as may be amended or superseded from time to time.
- “California Privacy Law” means California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (also, “CCPA”), as amended (including by the California Privacy Rights Act), and any subordinate legislation and implementing regulations.
- “Controller” means: (i) an entity that determines the purposes and means of the Processing of Personal Data, and (ii) any person or entity that falls within the scope of the term “Controller,” or “Business” (or any substantially analogous term) as defined under Applicable Data Protection Laws.
- “Data Subject” means: (i) an identified or identifiable natural person (and, for these purposes, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person), and (ii) any person that falls within the scope of the term “data subject”, “consumer” (or any substantially analogous term) as defined under Data Protection Laws.
- “EU Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii), each as may be amended or superseded from time to time.
- “Personal Data” means any information that relates to an identified or identifiable individual (and such term shall include, where required by Applicable Data Protection Law, unique browser or device identifiers), as set out in Annex A, Part B.
- “Interaction Personal Data” means any Personal Data collected from consumers at the time, or following, a consumer’s intentional interaction with Taboola, Taboola’s products, Taboola’s properties, and advertisements Taboola places.
- “Passive-Interaction Personal Data” means any Personal Data collected passively from Publisher Properties, including, but not limited to, IP address, page URL, and user agent string collected by Taboola, prior to or absent a consumer’s intentional interaction with Taboola, Taboola’s products, Taboola’s properties, and advertisements Taboola places.
- “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, receipt, recording, organisation, structuring, use, transmission, access, sharing, disclosure, transfer, storage, adaptation or alteration, retrieval, consultation, dissemination or otherwise making available, alignment or combination, aggregation, inferring, derivation, analysis, restriction, erasure, destruction or disposal or other handling of Personal Data, inclusive of how such term is defined under Applicable Data Protection Law.
- “Processor” means an entity that Processes Personal Data on behalf of a Controller, and is inclusive of how such term and/or the term “data processor” (or any substantially analogous term) is defined under Applicable Data Protection Law.
- “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EU Restricted Transfer“); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a “UK Restricted Transfer“).
- “Services” means services provided by Taboola under the Agreement with Publisher.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum”).
- “Third Party” means a business that acts as a Controller with respect to Personal Data, and that is not the business that the Data Subject whose Personal Data is Processed has intentionally interacted with; the term is inclusive of how such term is defined under Applicable Data Protection Law.
- “UK Data Protection Law” means: (i) the UK Data Protection Act 2018, (ii) the UK GDPR (as defined in s.3(10) of the UK Data Protection Act 2018) (“UK GDPR”), (iii) the UK Privacy and Electronic Communications (EC Directive) Regulations 2003), and (iv) any other UK laws made under or pursuant to (i), (ii) or (iii), each as may be amended or superseded from time to time.
- Purpose Limitation. For Personal Data Processed in connection with the Services, each party agrees that it shall Process the Personal Data that it collects only for the purposes described in Annex A, Part B (the “Permitted Purposes”) and as permitted by these Publisher Privacy Terms, the Agreement, and Applicable Data Protection Laws, as each of these may be updated from time to time. Taboola may also Process the Passive-Interaction Personal Data as permitted by the Taboola Privacy Policy, and as may be updated from time to time.
- Relationship of the Parties. Each Party shall Process the Passive-Interaction Personal Data it collects as a Controller or Third Party, as applicable. Each party shall Process the Interaction Personal Data it collects as a Controller or Business, as applicable. Disclosures (whether directly, or via a party making data available to the other party) of Personal Data from one party to the other are disclosures to Third Parties.
- If US or US state Data Protection Law applies to Personal Data, including without limitation California Privacy Law, to the extent that Taboola Processes Passive-Interaction Personal Data in connection with the Services, Taboola acts as a Third Party to Publisher for such Passive-Interaction Personal Data. Taboola shall Process such Passive-Interaction Personal Data for the purposes described in Annex A, Part B and as permitted by these Publisher Privacy Terms, the Agreement, Applicable Data Protection Law, and Taboola’s Privacy Policy, as each may be updated from time to time. Such Passive-Interaction Personal Data is only made available to Taboola for such purposes. Taboola will provide the same level of privacy protection as required of Businesses by applicable US Data Protection Laws, including if applicable, California Privacy Laws. Publisher has the right to ensure that Taboola uses Passive-Interaction Personal Data in a manner consistent with Publisher’s obligations. Upon providing notice to Taboola, Publisher has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data that it makes available to Taboola. Taboola will inform Publisher in the time period required by Applicable Data Protection Laws if Taboola determines it is no longer able to meet its obligations under Applicable Data Protection Laws. To the extent that Taboola collects Interaction Personal Data in connection with the Services, it shall do so as a separate Business.
- Application of Data Protection Law. The parties acknowledge that they may Process Personal Data and that Applicable Data Protection Laws may apply to each party’s Processing of the Personal Data. Where this is the case, each party shall comply with such Applicable Data Protection Laws with respect to its processing of Personal Data. Where this is the case, and subject to section 7, each party shall be individually responsible for its own compliance with Applicable Data Protection Laws, including any applicable requirements to: (i) provide transparency to Data Subjects, (ii) have consent or another lawful basis for Processing, and (iii) making available a contact point through which Data Subjects may exercise their data protection rights. Publisher shall promptly notify Taboola if and to the extent that it receives any data protection rights request concerning Taboola’s Processing of Personal Data as a Controller so that Taboola may fulfill the request in accordance with its obligations under Applicable Data Protection Law.
- Publisher shall direct any data subject requests received regarding Taboola’s Services to Taboola’s Global Data Subject Access Request Portal or U.S. Consumer Rights Opt-Out Portal, as applicable..
- Cooperation. If either Party receives any inquiry, complaint or correspondence (a “Third Party Notice”) from an individual, regulator, or other third party concerning the processing of Data Subject’s Personal Data in connection with the Services, it shall promptly inform the other Party and the Parties shall cooperate in good faith and as reasonably necessary to address the requirements of such Third Party Notice.
- International Transfers. In the event that either party makes a Restricted Transfer of Personal Data to the other party, the provisions of Annex C shall apply.
- Transparency for Visitors on Publisher Properties. To the extent that Taboola collects Personal Data from Publisher Properties using Taboola code, pixels, and other tracking technology, Publisher shall: (i) provide all required transparency notices to Data Subjects about Taboola’s use of Taboola code to collect Personal Data from Publisher Properties for the Permitted Purposes, and (ii) obtain (and, on request at any time by Taboola, provide appropriate evidence of) Data Subject consent to such use of Taboola code for the Permitted Purposes, in each case in accordance with the requirements of Applicable Data Protection Laws. Publisher’s obligations in this regard include identifying Taboola and its use of Taboola code for the Permitted Purposes expressly within the transparency notices and consent prompts Publisher provides to Data Subjects, as well as any other information required by Applicable Data Protection Laws, so that Taboola can provide its Services lawfully through such Properties and Process Personal Data for the Permitted Purposes. Upon written request, Taboola shall provide Publisher with such information as Publisher may reasonably require about the Taboola code and Taboola’s Processing of Personal Data through the Publisher Properties for Publisher to ensure that its notice and consent mechanisms will comply with Applicable Data Protection Laws. Publisher specifically agrees that:
- as to its web-based Properties, Publisher’s Privacy Policy shall describe the use of cookies, unique identifiers, and non-cookie technologies by third parties (i.e. Taboola) for interest-based advertising and analytics (on and off the Properties), and shall provide a link to either the NAI’s industry opt-out page at http://www.networkadvertising.org, the DAA’s industry opt-out page at http://www.aboutads.info, or (as to European web-based media and data collection) a link to the EDAA opt-out link at http://www.youronlinechoices.eu, in a manner that meets the requirements of Applicable Data Protection Law; and
- as to mobile app-based Properties, Publisher’s Privacy Policy shall describe the use on its mobile apps of SDKs and collection of mobile ad identifiers for interest-based or cross-app advertising and analytics (on and off the Properties); and provide a description of how users and Visitors may opt out of the collection of mobile data for cross-app advertising through device settings.
- for its EU-facing Properties, Publisher shall ensure that it obtains the Visitors’ freely given, specific, informed, and unambiguous consent in accordance with EU Privacy Law, with respect to placing or accessing any Taboola cookies or any other unique identifiers on Visitors’ device(s). Publisher shall provide its Visitors with contact details (which may include making those details available through its Privacy Policy) so that they can contact Publisher to exercise their data protection rights (including in relation to Personal Data processed in connection with the Services). The foregoing obligations apply where the Publisher Properties attract Visitors in jurisdictions requiring consent mechanisms with respect to the Services.
- Not Legal Advice. During the Term, Taboola may provide recommended privacy policy or disclosure language to Publisher. Publisher acknowledges that it shall not rely on such recommended language as, or as a substitute for, legal advice and that Publisher or Company itself is solely responsible for any disclosures in its privacy policy or on its website.
- Data Collected. Publisher shall not provide or configure the Services to collect or otherwise disclose to Taboola any special categories of personal data or sensitive personal information or sensitive data (as defined under Applicable Data Protection Law) to Taboola for processing. Further, Publisher shall ensure that any page URLs made available to Taboola will not contain video title information. Taboola reserves the right to suspend the Services for Publisher’s failure to comply with this paragraph unless and until such failure is remediated.
- Security. Each Party shall implement appropriate technical and organizational security measures to protect Visitors’ Personal Data from a Security Incident. These measures shall include the measures set out in Annex B.
- Security Incidents. If either Party suffers a Security Incident in respect of Personal Data that it Processes and which is the subject of the Agreement and these Publisher Privacy Terms, that Party shall: (i) be responsible for fulfilling (at its own cost) any reporting obligations that apply to it under Applicable Data Protection Laws to data protection authorities and/or affected Data Subjects, (ii) notify the other Party without undue delay, providing such information about the Security Incident as may reasonably be requested by the other Party or as is otherwise required for the other Party to determine whether it may also have reporting obligations under Applicable Data Protection Laws in respect of the Security Incident, and (iii) take all such actions and measures, without undue delay, as are appropriate to remediate and/or mitigate the effects of the Security Incident.
- DPIAs. Where and to the extent required by the Applicable Data Protection Laws to which each party is subject, each party shall carry out any data protection impact assessment in respect of its Processing of Personal Data for the Permitted Purposes and/or consult with applicable data protection authorities, where necessary. Each party shall provide all reasonable cooperation and information reasonably requested by the other party, where this is necessary to enable the other party to complete a data protection impact assessment and/or consult with applicable data protection authorities in accordance with that other party’s obligations under this section.
ANNEX A
Description of the Processing
A. LIST OF PARTIES
Each party shall be:
- a data controller (and data exporter) of Collected Data it discloses, or makes available, to the other party, and
- a data controller (and data importer) of Collected Data it receives from, or to which access is made available by, the other party.
The details of each party are provided below.
Name:
|
See Publisher’s details set out in the Agreement.
|
Address:
|
See Publisher’s details set out in the Agreement.
|
Contact person’s name, position and contact details:
|
See Publisher’s details set out in the Agreement or otherwise agreed between the parties in writing. |
Activities relevant to the data transferred under these Clauses:
|
The receipt of the Services, as set out in the Agreement. |
Signature and date:
|
This Annex A shall be deemed executed upon Publisher’s acceptance of these Publisher Privacy Terms.
|
Role (controller/processor):
|
Controller (where it is a data exporter) and Controller (where it is a data importer)
|
Name:
|
See Taboola’s details set out in the introduction to the Agreement.
|
Address:
|
See Taboola’s details set out in the introduction to the Agreement.
|
Contact person’s name, position and contact details:
|
Taboola’s privacy team: privacy@taboola.com. |
Activities relevant to the data transferred under these Clauses:
|
The provision of the Services, as set out in the Agreement. |
Signature and date:
|
This Annex A shall be deemed executed upon Taboola’s acceptance of these Publisher Privacy Terms.
|
Role (controller/processor):
|
Controller (where it is a data exporter) and Controller (where it is a data importer)
|
B. DESCRIPTION OF THE PROCESSING AND TRANSFER
Categories of data subjects whose personal data is processed and/or transferred
|
Users |
Categories of personal data processed and/or transferred
|
Device Data: User’s device, browser, and operating system; mobile device information (all mobile IDs are hashed) including IDFAs and AAIDs; cookie data that may be read or deployed by Taboola (all cookie IDs/user IDs are hashed); IP addresses; hashed emails; referring website; user’s language; country / region / city. If mobile apps are part of the Services, additional data elements include truncated and imprecise lat/long, connection type, and screen dimensions.
Data about digital property visited by user: how the platform displayed and whether the user interacted with the platform; web or app behavior. To the extent Header Bidding is part of the Services, the following applies: • Bid Request/Response Data: Unique ID of the bid request, IMP object representing the impression offered, Publisher site or app represented, App, Device, Auction Type, Maximum Time, Currency, Blocked Categories, Device ID, Taboola User ID, Calling Tag Partners: URL. With respect to Taboola Newsroom, the following applies: • Events from the publisher’s website: Conversion data |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
|
Not applicable. |
The frequency of the processing and/or transfers (e.g. whether the data is processed and/or transferred on a one-off or continuous basis)
|
Continuous for the duration of the Agreement |
Nature of the processing
|
Processing of Personal Data necessary for the provision of the Services, as set out in the Agreement.
|
Purpose(s) of the data processing / transfer and further processing
|
The provision of the Services, as set out in the Agreement. For the avoidance of doubt, the Permitted Purposes include: (i) storing and/or accessing information on a device; (ii) selecting basic advertisements; (iii) creating a personalized ads profile; (iv) selecting personalized ads; (v) creating a personalized content profile; (vi) selecting personalized content; (vii) measuring advertisement performance; (viii) measuring content performance; (ix) developing and improving products; (x) ensuring security, preventing fraud, and debugging; (xi) technically delivering ads or content; (xii) matching and combining offline data sources; (xiii) linking different devices; (xiv) receiving and using automatically-sent device characteristics for identification; (xv) using limited data to select content, and (xvi) saving and communicating privacy choices.
With respect to Taboola Newsroom, the following applies: (i) tracking subscription conversion events. With respect to Taboola Push, the following additional purpose applies: (i) sending notifications to a user’s device. To the extent that Header Bidding is part of the Services, the following additional purpose shall apply: (i) determining whether to bid on a placement and serve personalized recommendations. To the extent Home Page 4 You is part of the Services, the following additional purpose shall apply: (i) automating and curating publisher content within designated digital property homepages. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
|
The parties shall retain Personal Data for the period(s) specified below:
● Taboola: Raw data is stored for at most 13 months. ● Publisher: For as long as is necessary to receive the Services or as otherwise specified in the Agreement.
|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
|
Not applicable. |
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority where the EU GDPR applies
|
The competent supervisory authority for each party is as described below:
● Taboola: The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs. ● Publisher: The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs.
|
Competent supervisory authority where the UK GDPR applies
|
The Information Commissioner’s Office. |
Annex B
Security Measures
Description of the technical and organisational measures implemented by each party (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymisation and encryption of personal data
|
Taboola collects only pseudonymized data, which means we do not know who you are because we do not know or process the user’s name, email address, or other identifiable data. User Information that we collect includes, but is not limited to, Information about a User’s device and operating system, IP address, the web pages accessed by Users within our Customers’ websites, the link that led a User to a Customer’s website, the dates and times a User accesses a Customers’ website and other web browsing data. The CookieID is anonymized using Bcrypt and IP address is truncated. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
|
Taboola uses multiple levels of electronic security (ex: endpoint security, server-side security, detections tracking, periodic penetration tests, and deep intelligence gathering to review post-mortem events). |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
|
Taboola maintains 9 data centers operating around the world. Every data center is used as a replication of one another so if one falls down the data can be extracted from other data center. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
|
Taboola maintains strict processes for testing the effectives of its controls (both technical and organizational). We have system logging and monitoring in place, monthly (at least) DR testing, quarterly penetration tests, Firewalls protecting the web and honeypots spread across the network to find any malicious activity. Moreover, we have bounty program in place which helps us to constantly monitor our network. |
Measures for user identification and authorisation
|
Every user in Taboola is associated with a dedicated username and password. Every access to Taboola’s internal network is done with 2FA using Google authentication. Users are created only by the IT department, during the onboarding process and only after receiving all details and signed contract from the HR department. |
Measures for the protection of data during transmission
|
Taboola supports any data transmission through secure transmission protocols (HTTPS and TLS v1.2 at the minimum). Furthermore, systems which might contain PII are secured and data is kept hashed and anonymized. |
Measures for the protection of data during storage
|
Data that is stored within our databases is anonymized and hashed using Bcrypt. Access to the DB is minimized and based according to the ‘business need to know’ principle. |
Measures for ensuring physical security of locations at which personal data are processed
|
Each of Taboola’s global data centres (in US, Europe, and Asia), has all its servers located in locked cabinets that are maintained exclusively for Taboola’s use. These cabinets are maintained by companies that are either SOC2-certified or Taboola has reviewed their security measures. Further, any access to the servers requires written, logged permission. All Taboola offices are also controlled, and require employees to use access cards to enter. Furthermore, only a limited number of employees have access to Taboola’s servers and any access also requires written, logged permission. |
Measures for ensuring events logging
|
Taboola implements monitoring tools and logs are gathered to our SIEM system which alerts us on any suspicious event and also being monitored by NOC team. |
Measures for ensuring system configuration, including default configuration
|
Servers are scanned for both configuration drift and patch level. Reporting and/or alerting are set on both and relevant patch level is confirmed. New patches are distributed using Puppet. All technical reviews are managed through the R&D application and obtained through a formal process of review (QA) after coding and CI/CD processes are implemented as well. |
Measures for internal IT and IT security governance and management
|
Taboola is ISO 27001:2013 and 27701 certified. Taboola have an Information Security Policy in place which states that the Board of Directors and management of Taboola are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation. Taboola holds security trainings for all new employees, phishing trainings for all employees globally, and regular security trainings for all employees and also dedicate sessions for R&D groups. |
Measures for certification/assurance of processes and products
|
Quarterly / Semi-annual / yearly internal audit on multiple processes and systems to validate that Taboola is complying with its security goals and measures defined. |
Measures for ensuring data minimisation
|
Taboola intentionally limits the data that we collect as part of Taboola’s global data minimization principles of processing only the limited data needed for our specific business purposes. Furthermore, Taboola does not have the ability, nor any business need, to “reverse engineer” any of the data points used in our algorithm in order to provide our services. More specifically, the data points that Taboola collects are never indicative of a user’s identity — as Taboola does not collect or process information such as user’s name, phone number, email, or physical addresses. Instead, Taboola collects only pseudonymous identifiers, which merely identify characteristics about a user’s device. This includes IP addresses (which are truncated upon collection and can only identify the device’s general zip code location, but never a precise geolocation) and, in some limited instances, hashed email addresses (which are inherently irreversible and cannot be decrypted to reveal the original email address). Moreover, even when used collectively, the data that we collect can never produce an individual’s name, phone number, email, or physical address, and our engineers do not work in any way to accomplish this goal. Additionally, Taboola makes and records privacy impact assessments in an effort to minimize the privacy risks of our services, processes, and policies. |
Measures for ensuring data quality
|
The data is collected directly from the user and the user is given the opportunity to correct any data associated with their CookieID via the Taboola Subject Access Request Portal: https://accessrequest.taboola.com/access. |
Measures for ensuring limited data retention
|
We retain User Information, which is directly collected for purposes of serving ads, for at most thirteen (13) months from the User’s last interaction with our Services (often for a shorter period of time), after which time we de-identify the data by removing unique identifiers or aggregating the data. This process is done automatically. |
Measures for ensuring accountability
|
Taboola does multiple security audits and penetration testing (but not for all systems). Taboola also uses cloud providers that are ISO-certified and that comply with other cloud-relevant certifications for maintaining a server’s physical safeguards. |
Measures for allowing data portability and ensuring erasure
|
Taboola related to media disposal same for all kind of media as it might contain PII. Any media must be fully wiped before being reused or disposed. Any media disposal is documented. Employees are instructed to no print any paper which might contain personal information. |
Annex C
Restricted Transfers
- To the extent that a party makes a Restricted Transfer of Collected Data to the other party, the Standard Contractual Clauses shall be incorporated into these Advertiser Privacy Terms and apply as follows:
a. where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between the parties as follows:
- (i) Module One will apply;
- (ii) in Clause 7, the optional docking Clause will apply;
- (iv) in Clause 11, the optional language will not apply;
- (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- (vii) Parts A, B and C of Annex I shall be deemed completed with the information set out in Parts A, B and C of Annex A to these Advertiser Privacy Terms; and
- (vii) Annex II shall be deemed completed with the security measures set out in Annex B to these Advertiser Privacy Terms;
b. where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between the parties as follows:
(i) the EU SCCs, completed as set out above shall apply between the parties, and shall be modified by the UK Addendum (completed as set out in sub-clause (ii) below); and
(ii) tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the Effective Date of these Advertiser Privacy Terms.
2. Onward Restricted Transfers: Neither party will not make an onward Restricted Transfer of Collected Data that they receive from the other party unless it has done all such acts and things as are necessary to ensure that the such onward Restricted Transfer is compliant with Applicable Data Protection Law and any Standard Contractual Clauses it has agreed with the other party.