Annex 1 – Provisions pertaining to Personal Data Protection

WHEREAS

In the context of cooperation between the Parties, DAILYMOTION Advertising SAS (hereinafter the “Service Provider” or “Data Processor”) will solely act as a “Data Processor” for the Buyer (“Buyer”) as part of the processing of Personal Data set up by the Advertiser in the context of an IO.
By signing the IO Parties explicitly accept these clauses relating to the protection of Personal Data (“DPA”).

1. Context
   Service Provider may provide to Buyer additional Services consisting of integration of Tags, provided either directly by the Advertiser or through its Agency or a Third Party Sub-Processor, into the Advertiser’s Ads (hereinafter referred to as the “Services”). In relation to the provision of the Services by the Service Provider, the Buyer is a Data Controller of the processing of Personal Data or, where Buyer is acting on behalf of another Data Controller, namely Advertiser, the Buyer is a Data Processor or a Joint Data Controller. Service Provider acts solely as a Data Processor or a Data Sub-Processor within the meaning of the Applicable Data Protection Law.

It is confirmed that Service Provider may process Personal Data of the Buyer’s staff members and/or of one of the agencies that the Buyer may use, in particular for the purposes of customer relationship management and commercial operations management. In this case, the Service Provider will act as an independent Data Controller.

Each Party undertakes to comply with all its legal obligations under the Applicable Data Protection Law. In its capacity as a Data Processor, Service Provider will enable the deposit of Tags allowing the collection of Personal Data, and such Personal Data will be transmitted to the Buyer in accordance with this DPA, being understood, however, that Service Provider will not have access to the Personal Data thus collected. It is agreed that the Service Provider may sub-process all or part of the Services to a Sub-Processor, such as Dailymotion SA, in accordance with Section 5 of this DPA.

It is expressly confirmed that, as part of operating the Dailymotion Properties, DAILYMOTION Advertising SAS and/or Dailymotion SA may collect Personal Data independently in their respective capacity of independent Data Controllers. The relevant processing operations are excluded from the scope of application of the present DPA.

2. Definitions
   Capitalized terms and phrases used in this DPA have the meaning indicated below, which are applicable to both the singular and the plural forms. Any other term not defined in this DPA has the same meaning as the one attributed under the Applicable Data Protection Law or the Terms.
   “2021 SCCs” means, in relation to the Processing of Personal Data pursuant to the EU Data Protection Law, the standard contractual clauses for the transfer of Personal Data established in Third Countries, as approved by the European Commission from time to time, the approved version of which is the one set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available here.
   “Applicable Data Protection Law”: means any and all applicable privacy and data protection laws and regulations, including without limitation, where applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018 (“CCPA”) and similar state laws in effect at any time during the Term, the Brazilian General Personal Data Protection Law (“LGPD”), etc., as amended, complemented or superseded from time to time.
   “EU Data Protection Law”: means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) the Data Protection Act 2018 (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection (“LPD”), and (v) any national or European data protection laws made under, pursuant to, amending, replacing or succeeding (i), (ii), (iii) or (iv).
   “Personal Data”: means any information relating to an identified or identifiable natural person (hereinafter, a “Data Subject”), directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or as such term or its equivalent may be otherwise defined under the Applicable Data Protection Laws. In particular, any reference to Personal Data shall include reference to Personal Information as the latter is defined under the CCPA.
   “Personal Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
   “Processing(s)” means the processing of Personal Data entrusted to Service Provider and described in the Appendix of this DPA.
   “Sub-Processor”: means any processor engaged by the Service Provider or any other sub-processor thereof who agrees to receive from the Service Provider or any sub-processor thereof any Personal Data exclusively intended for Processing operations to be carried out on behalf of and in accordance with the instructions of the Buyer under the conditions set out in the Terms and under the terms of a written sub-processing agreement. Sub-Process shall include Service Provider as this term is defined under the CCPA. Any company that is member of the group of companies to which Service Provider belongs and which may become involved in the performance of the Services and the Processing or accessing of Personal Data shall also be considered as a Sub-Processor.
   “Supervisory Authority”: means the independent public authority responsible for monitoring the application of Applicable Data Protection Law in order to protect the fundamental rights and freedoms of natural persons with respect to data processing and to facilitate the free flow of data within the European Union. In France, the competent supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL).
   “Third Countries” means (a) for the purpose of application of the EU Data Protection Law: a country which: (i) is not part of the European Economic Area (“EEA”); and (ii) is not subject of a formal adequacy decision of the European Commission (“EC”) taken in accordance with Art. 25 (6) of Directive 95/46/EC of the European Parliament and the Council of the European Union or Art. 45 (3) of GDPR, recognizing that the country ensures an adequate level of protection of Personal Data; and (iii) is not subject to a formal Swiss adequacy decision, and (iv) is not subject to UK adequacy decision, and b) for the purpose of application of the LGPD: a country outside of Brazil and not considered as providing adequate protection.
   “UK Addendum” means the terms complementing the 2021 SCCs as adapted under the UK GDPR and available here.
3. Details of the Processing
   The Buyer authorizes the Service Provider, for the duration and the purposes of each Campaign, to Process the Personal Data as necessary for the provision of the Services and in conformity with the instructions documented in the Schedule of this DPA (or communicated thereafter).
   If Buyer is a Data Processor itself, Buyer warrants to Service Provider that Buyer’s instructions and actions with respect to the Personal Data, including its appointment of Service Provider as a Sub-Processor, have been authorized by the relevant Data Controller.
   The Service Provider agrees and warrants that it will only process the Personal Data in accordance with the Buyer’s instructions as stipulated in this DPA or through any communication between the Parties, including any instructions transmitted by other Sub-Processors mandated by the Buyer, and undertakes:

• not to use all or any part of the Personal Data for its own account or for the account of a third party for any purpose whatsoever, whether during the Campaign Duration or after the term of the Terms;
• not to make copies of the documents or information systems containing the Personal Data, or disclose the information to any third party, except where it is necessary to provide the Services hereunder or required by law; and
• not to perform research, analysis or statistics which would involve the use of the Personal Data outside the scope of the Services, even in an aggregated or anonymized form.
  The Buyer guarantees the Service Provider that all instructions sent to the Service Provider and, in general, any Processing of Personal Data collected in collaboration with the Service Provider comply with the Applicable Data Protection Laws.
  Service Provider agrees and warrants that it shall keep a register of all data Processing operations carried out on behalf of the Buyer.

2. Security and confidentiality of Personal Data
   Service Provider agrees and warrants that it will implement physical, logical and organizational protective measures necessary to ensure the security of Personal Data, adapted to the risks represented by the Processing, including protecting it against accidental or unlawful destruction, loss or alteration and unauthorized access by third parties.

To that end, the Service Provider agrees and warrants that it will implement, at least the following measures and ensure they are adhered to by its employees and its Sub-Processors:

• ensure that persons authorized to process Personal Data within the framework of the Campaign are subject to confidentiality undertakings or statutory obligations of confidentiality; and
• ensure that all persons it involved in the delivery of the Campaign are sensibilized, trained and organized to offer sufficient safeguards to protect the confidentiality and security of the Personal Data; and
• take all measures to prevent any misappropriate or fraudulent use of the Personal Data, documents and information processed.

In the event of a Personal Data Breach, Service Provider shall notify the Buyer without undue delay, at the address set forth in the IO. The Service Provider undertakes to cooperate with the Buyer to enable the Buyer to notify the DCP Breach to the Supervisory Authority, if applicable.

5. Sub-Processors
   The Buyer authorizes the Service Provider to involve any Sub-Processors of its choice, being agreed that the Service Provider agrees and warrants that it will communicate any information relating to such Sub-Processors relevant to the Processing upon Buyer simple request. The engagement of any new Sub-Processor shall be communicated to Buyer through an update of Schedule B to the present DPA or through a written notification. Buyer may oppose such a change by ceasing cooperation with the Service Provider within 14 days of the aforementioned update or notification.
   The Service Provider agrees and warrants to the Buyer that the agreement it concludes with any Sub-Processor shall contain protection obligations that are at least as protective as those contained in this DPA, so as to ensure Service Provider’s compliance with its data protection obligations under this DPA, in particular its obligation to provide sufficient guarantees to implement appropriate technical and organizational measures. Service Provider shall be fully liable to the Buyer in the event of failure by any of its Sub-Processors to comply with its Personal Data protection obligations.
6. Rights of Data Subjects and Consent Collection
   It is Buyer responsibility to provide information to the Data Subjects before or at the latest at the time of collection of the Personal Data.
   Insofar as the Buyer is not in direct contact with the Data Subjects, namely the Visitors of the DAILYMOTION Properties, Service Provider undertakes to, on the basis of the information relating to the Processing communicated to DAILYMOTION by the Buyer, such as those described in the Schedule 1 to the DPA and only for Processing described in the DPA:

• make available to Data Subjects information relating to the Processing carried out under the present DPA, through the consent management platform deployed on the DAILYMOTION Properties, and its own privacy policy.
• Collect consent or establish alternative legal basis for Buyer’s processing.
  In this respect, the Buyer undertakes to transmit to the Service Provider any necessary or useful information and in particular the URL of its privacy policy.

WHEN THE ABOVE LISTED INFORMATION IS TO BE PROVIDED OR LEGAL BASIS ESTABLISHED ON THE DAILYMOTION PROPERTIES OTHER THAN THE DAILYMOTION SITE AND DAILYMOTION S.A’S MOBILE APPLICATIONS, THE ABOVE OBLIGATION IS SUBJECT TO BUYER’S AND/OR DATA CONTROLLER’S (IF DIFFERENT FROM BUYER) PARTICIPATION IN THE THEN-CURRENT CONSENT MANAGEMENT FRAMEWORK USED BY DAILYMOTION, CURRENTLY THE IAB TCF.

Regarding the rights of the Data Subjects, Service Provider agrees and warrants that it will:

• promptly notify the Buyer of any requests to exercise Data Subjects rights related to the processing under the present Annex, irrespective of the authority or person addressing such request , except in the sole case where such communication to the Buyer is prohibited by the said authority,; and
• assist the Buyer, by all appropriate technical and organizational measures, in the fulfillment of its obligation to respond to a Data Subjects’ request to exercise their rights in accordance with the Applicable Data Protection Law.

Any documented potential costs and expenses relating to such actions shall be borne by the Buyer.

Buyer explicitly (i) authorizes Service Provider to communicate to a Data Subject any and all Buyer contact details for the purpose of exercise of Data Subjects rights, and (ii) indemnify Service Provider against any and all claim, fines or costs relating to Buyer Processing of Personal Data.

7. Assistance to the Buyer
   Service Provider agrees and warrants that it will promptly and fully assist the Buyer in ensuring compliance with its data protection obligations under the Applicable Data Protection Law, taking into account available information and resources. To that end, the Service Provider undertakes to assist the Buyer, upon its request, with:

• Assessment of the risks inherent to the Personal Data Processing and implementation of appropriate mitigation measures as well as ensuring an appropriate level of Personal Data security, taking into account the state of technology and the implementation costs in relation to the risks and the nature of the Personal Data to be protected; and
• carrying out any Personal Data privacy impact assessments, including risk assessments, and to define security measures and mechanisms to address such risks.

In the event that the Buyer is subject to an audit by a Supervisory Authority, the Service Provider agrees to cooperate with the Buyer and the Supervisory Authority. The cost of such actions shall be borne by the Buyer.

8. Information – Audit
   Service Provider agrees and warrants that it will make available to the Buyer all information in its possession necessary to demonstrate compliance with the obligations under Applicable Data Protection Law in relation to the Processing carried our pursuant to the present DPA. Service Provider undertakes to inform the Buyer immediately if it believes that an investigation constitutes a violation of Applicable Data Protection Law.

The Buyer reserves the right to, no more than once a year and on condition that the Service Provider is informed at the latest twenty (20) business days before its planned start date, carry out, through an external, independent and certified auditor, at its own expense, any verification or audit of processing operation undertaken under the present Annex, which it deems necessary in order to verify compliance by the Service Provider with the obligations provided for in this Annex. Subject to the applicable legal obligations, the Buyer will respect the confidentiality of information provided by Service Provider in the context of such audit, in accordance with its legal obligations.

Service Provider agrees and warrants that it will allow such auditor delegated by the Buyer, to carry out audits and that it will participate, at its own expense, in these audits by providing all relevant information and allow access to all equipment, software, data, files, information systems, etc. to the extent used in the Processing of the Personal Data under the present Annex (“Audited Systems”), and subject to respect of the rights of Third Parties and the security requirements of the Service Provider’s IT systems.

If an audit or verification reveals that Service Provider is in breach of any of its guarantees or obligations, Service Provider will be required to take immediate steps to cure such breach, at its own expense. These audit and verification operations and their outcomes shall not in any way relieve Service Provider of its contractual obligations under this Annex.
The Service Provide may satisfy its audit obligations described herein by providing results of an audit of Audited Systems conducted in the preceding 24 months.

9. Transfer of Personal Data to a Third Country
   In the event that the Service Provider is required to transfer Personal Data to Third Country, directly or through its Sub-Processors, Service Provider may transfer the Personal Data provided that Service Provider undertakes to provide, or obtain from the Sub-Processor an undertaking that it will provide, the appropriate safeguards governing such a transfer as provided for in Article 46 of Regulation (EU) 2016/679 of the European Parliament and of the Council, including the execution by Service Provider and/or relevant Sub-Processor of the 2021 SCC (as complemented in Schedule C) and that the signature of the IO constitutes mutual acceptance and signature of the said 2021 SCC. Parties acknowledge that taking into account the Processing operations and the fact that Service Provider does not have access to Personal Data collected, the technical and operational security measures in place at Service Provider represent sufficient warranties to provide adequate protection of Data Subjects’ rights and freedoms.
10. Specific Terms Applicable Under the CCPA:
    When the provision of the Services requires processing of Personal Data of California Consumers who have Opted-Out from Sale of their Personal Data or other processing operations as provided under the CCPA, Service Provider shall process such Personal Data in its capacity of “Service Provider”, Buyer acting in its capacity of a “Business”, as these terms are defined under the CCPA. Parties acknowledge that Personal Data that may be disclosed to Service Provider is provided only for the limited and specific Business Purposes set forth in the Terms, namely to deliver Campaigns. Each Party shall comply with its respective obligations under the CCPA. In particular, Service Provider shall process Personal Data on behalf of Buyer and for Buyer’s Business Purposes and shall refrain from (i) selling or sharing Personal Data, and (ii) retaining, using, or disclosing it for a Commercial Purpose other than for the specific purpose of performing the Services specified in the Terms, or as otherwise permitted under the CCPA, and (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship with Buyer, and (iv) combining the Personal Data received pursuant to a written agreement with Buyer with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with the Consumers unless otherwise permitted under the CCPA. Service Provider shall provide the same level of protection of Personal Data as required by the CCPA, ensure that its personnel processing Personal Data is subject to a duty of confidentiality with respect of that information and inform Buyer about and assist in replying to any Consumer request received. Upon Buyer’s request, and unless otherwise authorized under the CCPA, Service Provider shall delete any Personal Data from its records and attest thereof. If Buyer discloses or otherwise renders accessible to Service Provider de-identifed data (i.e. data that cannot reasonably be linked to an identifiable individual or their device linked), Service Provider undertakes not to attempt to re-identify such data. If Service Provider engages any other person to assist it in processing of Personal Data for a Business Purpose on behalf of Buyer, or if that other person engages another person to assist in processing of Personal Data for that Business Purpose, Service Provider shall, pursuant to clause 5 of the DPA hereinabove, notify Buyer of that engagement, allow Buyer to object to it on reasonable and justified basis, and formalize the engagement through a written contract binding the other person to observe all the requirements set forth in in the present clause.
    Service Provider explicitly confirms that it understands the restrictions set out in the present clause and will comply with them. To that end Service Provider permits Buyer to (i) monitor Service Provider’s compliance with its obligations under the CCPA including through audits as further described in clause 8 hereinabove, and (ii) take reasonable steps to stop and remedy Service Provider’s unauthorized use of Personal Data. Service Provider shall notify Buyer if it determines no longer being able to meet its obligations under the CCPA.
    The present clause shall be applicable, mutatis mutandis, to processing of Personal Data of other USA Consumers whose Personal Data is processed under the Terms pursuant to federal or USA Privacy State laws applicable thereto.
    Any processing of Personal Data shall be limited to the duration of the Parties’ cooperation unless otherwise agreed by the Parties, authorized by the Applicable Data Protection Law or necessary to respect Party’s obligation hereunder.
11. Obligations after Termination of a Campaign
    Unless otherwise instructed by the Buyer, Parties agree that the Tags allowing the collection of Personal Data shall be deleted concurrently at the end of each Campaign.
12. Liability
    Provider shall notify Buyer if it determines no longer being able to meet its obligations under this DPA. The Service Provider undertakes to cooperate in good faith with the Buyer to find any alternative solution allowing the Processing covered by these Terms to be carried out in compliance with the Applicable Data Protection Law.
13. Insurance Policy
    Parties confirm having subscribed an insurance policy that is adequate for the Processing described under the present DPA. Each Party undertakes to provide, upon other Party’s request, a corresponding insurance certificate(s), specifying the nature of the risks covered and the amount(s) guaranteed.

SCHEDULE A
DETAILS OF THE PERSONAL DATA PROCESSING ENTRUSTED TO THE SERVICE PROVIDER

1. Parties to the Processing:

Data Controller or « Buyer »: The Buyer as mentioned on each IO

Data Processor or « Service Provider »: DAILYMOTION Advertising SAS
140 Boulevard Malesherbes
75017 Paris

Other Data Processor or « Agency »: any media agency, possibly mandated by the Data Controller for the placement of IOs with the Service Provider, and which is involved in the Processing of Personal Data, as defined below, shall also be considered as a Data Processor for the Data Controller, the latter guaranteeing to have concluded any contract required by the Applicable Data Protection Law with this Agency (Other Data Processor).

The Parties agree that the Service Provider shall, where applicable, consider any instruction issued through an Agency as an instruction issued by the Data Controller, the latter guaranteeing the Service Provider against any recourse in this respect.

2. Activities Relevant to the Processing, Subject and Purposes of the Processing:

Data Controller is a Buyer making online media purchases from the Service Provider, directly or via an Agency, for the distribution of its Campaigns.

Data Controller wishes to integrate, directly or through the Agency or Other Sub-Processor, Tags into the Advertisements of its Campaigns in order to be able to collect data, including Personal Data, for the purposes defined by the Buyer. Data Controller declares that such collected Personal Data are used only for one or more of the following purposes and subject always to compliance with the use restrictions set out in Article 10.2.d of the Terms:

• Store and/or access information on a device; Measure ad performance (e.g. carry out Campaign delivery, internal planning or Campaign’s planning and get a better understanding of the audience of its Campaigns, notably by carrying out, a qualitative evaluation of each Campaign concerned by the Processing); and
• Create a personalized ads profile; and
• Select personalized ads.

To that end, the Data Controller has instructed the Service Provider to carry out one or more of the following actions:

• Receipt of the monitoring parameters defined by the Data Controller,
• adjustment of Tags settings by the Service Provider, in conformity with the monitoring parameters received,
• Integration of Tags in Ads provided by the Data Controller and/or the Agency,
• Hosting of Campaign Ads that comprise Tags, whether set or integrated by Service Provider or by a third party,
• Activation of Personal Data’s collection operated through Tags by distributing Ads on the DAILYMOTION Properties,
• Activation of Personal Data’s collection operated through Tags by integrating “vast” files on the ad-serving tools of the DAILYMOTION Properties
• Information and collection of consent of Visitors on behalf of the Data Controller.

Unless otherwise agreed by the Parties, Service Provider shall not collect nor access Personal Data collected through Tags implemented for Data Controller. Only the Data Controller and/or the Agency and/or a third party authorized by the Data Controller can collect and access this Personal Data.

The Data Controller undertakes not to process the Personal Data which collection is facilitated by the Service Provider (as described herein) for purposes other than the ones listed hereinabove and only in the presence of documented legal basis applicable thereto.
The Data controller undertakes not to Process Personal Data through the use of Tags in the absence of a valid and documented legal basis. Data Controller explicitly confirms and acknowledges that Service Provider obligation to collect consent or to establish legitimate interest outside of DAILYMOTION Site and mobile application is conditioned upon Data Controller’s participation in the consent management framework used by the Service Provider, namely, et present, the IAB TCF.

The Data Controller warrants that it provides to Data Subjects all necessary information regarding the Processing notably, through its publicly available privacy and cookie policies and authorizes Service Provider to use and communicate the links thereto.

3. Processing Duration

Corresponds to the Campaign Duration.

The storage period of the Personal Data is determined by the Data Controller. It is explicitly confirmed that the Service Provider does not collect and cannot access the Personal Data related to the Processing.

4. Categories of Data Subjects and Data Subjects Rights:

Data Subjects: Visitors of DAILYMOTION Properties who have been exposed to the Campaigns.
Data Subjects Rights: Data Controller shall be solely responsible for addressing Data Subjects requests. To that end, DAILYMOTION shall transfer any received Data Subject request to a designated contact at Data Controller Organization or, if such contact is not designated, to the main contact as provided by Data Controller. Data Controller authorizes DAILYMOTION to communicate the contact details used for such transfer to the Data Subject.

5. Categories of Personal Data:

According to the configuration of the Tags defined by Data Controller for each Campaign, ex.:

• The Visitor’s identification data when watching an Ad (e.g. the unique identifier assigned to such Visitor).
• The Visitor’s connectivity data when watching an Ad (e.g. IP address, referrer, etc.).
• Engagement data related to the Visitor’s behavior when watching an Ad (e.g. hovering, completing, expanding (zoom in/out), sound (on/off), pause, click, etc.).
  It is expressly confirmed that no Sensitive Data or data related to children under 16 years of age is subject to Processing.

1. Transfers to Third Countries:
   a. Nature of Processing resulting in transfer: It is confirmed that in the absence of collection of Personal Data by the Service Provider, no transfer of Personal Data to Third Country by Service Provider is intended to take place as part of Processing under the present DPA. Nevertheless, Personal Data might be transferred to a Third Country when processing operations agreed upon by the Parties result in the Service Provider transferring the Personal Data to Data Controller (or other entity chosen by Data Controller) situated in a Third Country:, ex. when Personal Data collected by Tags is stored on Service Provider’s IT systems prior to its transfer to Data Controller.
   b. Frequency of transfer: on continuous basis during the Campaign duration.
2. The Personal Data Retention Period:
   As determined by Data Controller.
3. DPO – contact details:

Data Processor: dpo@dailymotion.com
Data Controller: as indicated on the IO

9. Operational and technical measures put in place to ensure Personal Data integrity and security:

• network segmentation and filtering between zones;
• multi-factor authentication;
• event log, collection and centralization of logs;
• anti-virus;
• security patch management;
• security / flow encryption (SSL);
• Internal PKI;
• encryption of data in transit and at rest;
• bug-bounty” program;
• application of anonymization and pseudonymization techniques e.g. tokenization, aggregation, hashing, etc.;
• periodic re-certification of accounts (periodic review of access rights);
• application of the least privilege principle (in the context of access rights management):
• peer-to-peer code review (development methodology);
• periodic security audits (architecture, configuration, codes, intrusion tests, etc.);
• application of the principle of least collection of Personal Data; and
  application of the principle of least retention of Personal Data.Access and authorization management rules:
• centralized management of access rights,
• gradation of access and use rights,
• periodic reviews).

SCHEDULE B
SUB-PROCESSORS:

1. Dailymotion SA
2. Dailymotion Inc.

SCHEDULE C
DETAILS OF THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

1. Data Importer and Data Exporter:
   Data exporter(s):
   Name: Dailymotion Advertising SAS
   Address: 140 boulevard Malesherbes, 75017 Paris, France
   Contact person’s name, position and contact details:
   a) Representative: as indicated on the signature page of the IO
   b) DPO (Key Contact under the UK Addendum) and Security Contact Details: dpo@dailymotion.com and security@dailymotion.com
   c) For the purpose of the UK GDPR, the local representative of Dailymotion is : The DPO Centre Ltd, 50 Liverpool street, London, EC2M 7PY, UK, +44 (0) 203 797 6340, advice@dpocentre.com.
   d) Link to privacy policy: https://legal.dailymotion.com/en/privacy-policy
   Role:
   a) Controller: for Processing of Personal Data of other Party staff members.
   b) Processor: for Processing of Personal Data collected by Tags.
   Activities relevant to the data transferred under these Clauses: sale of advertising inventory.

Data Importer(s):
Name: Buyer, whose identification information is provided in the IO
Address: as indicated in the IO.
Contact person’s name, position and contact details:
a) Representative: as indicated in the IO
b) DPO and Security Contact Details: as indicated in the IO
c) If applicable, for the purpose of the UK GDPR, the local representative of Data Importer(s) is: as indicated in the IO
d) If applicable, for the purpose of the GDPR (article 27), the Data Importer(s)’ local representative established in the EEA is: as indicated in the IO
e) Link to privacy policy: as indicated in the IO
Role:
a) Controller: for Processing of Personal Data of Service Provider’s staff members.
b) Controller: for Processing of Personal Data collected by Tags
c) For Agencies only: Processor for Processing of Personal Data collected by Tags

Activities relevant to the data transferred under these Clauses: purchase of advertising inventory.

2. Transfer Mechanisms: the 2021 SCCs and the UK Addendum
3. Specific Provisions:

3.1. Transfers from the EEA. Where a transfer of Personal Data to a Third Country is made from the EEA, the 2021 SCCs are incorporated into this DPA and apply to the transfer as follows:
• with respect to transfers from Service Provider to Data Importer:

• Module One applies where both Service Provider and Data Importer are Controllers – namely for transfer of Personal Data of each Party’s staff members, and
• Module Four applies where Data Importer is a Controller and Service Provider is a Processor, and
• Module Three applies where both Service Provider and Data Importer are Processors, where Data Importer acts as a Processor of a third party who is Controller or when the IO is entered into by an Agency acting on behalf of an Advertiser;
  • in Clause 7, the optional docking clause does not apply;
  • in Clause 9(a) of Modules Three, Option 2 applies, and the time period for prior notice of Sub-processor changes is 14 days;
  • in Clause 11(a), the optional language does not apply;
  • in Clause 17, Option 1 applies with the governing law being that of France;
  • in Clause 18(b), disputes will be resolved before the courts in Paris, France;
  • Annex I of the 2021 SCCs is completed with the information in Schedule A to the DPA;
  • Annex II of the 2021 SCCs is completed with the information in Schedule A to the DPA; and
  • Annex III of the 2021 SCCs is completed with the information in Schedule B to the DPA.

3.2. Transfers from Switzerland. Where a transfer to a Third Country is made from Switzerland, the 2021 SCCs are incorporated into this DPA and apply to the transfer as modified in Section 3.1, except that:
• in Clause 13, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner if the transfer is governed by the Swiss Federal Act on Data Protection; and
• references to “Member State” in the 2021 SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the 2021 SCCs in Switzerland; and
• references to the “General Data Protection Regulation”, “Regulation 2016/679” and “GDPR” in the 2021 SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).

3.3. Transfers from the UK. Where a transfer to a Third Country is made from the UK, the UK Addendum is incorporated into this DPA and applies to the transfer as follows: the UK Addendum is completed with the information in Section 3.1 and Schedules A and B to this DPA; and both “Importer” and “Exporter” are selected in Table 4.

4. Conflict. If any provision of this Schedule is inconsistent with any terms in the DPA or the Terms, this Schedule will prevail. If any provision of this Schedule is inconsistent with any terms in the 2021 SCCs or the UK Addendum, as applicable, the 2021 SCCs and the UK Addendum will prevail.

These Terms were last updated on: February 9th, 2024