Magnite SCCs
Last Updated: June 3, 2024
The Parties may transfer “personal data” of data subjects located in the European Economic Area (“EEA”) and/or the United Kingdom (“UK”) to one another, as defined under the European Union (“EU”) GDPR and UK GDPR, (collectively “GDPR”), and Swiss DPA. Magnite represents and warrants that it can adequately protect such data in accordance with the requirements of the GDPR and shall certify to Customer as to its method of adequacy.
The parties agree that when the transfer of Personal Data of data subjects located in the EEA/UK between the Parties, the Parties shall be subject to the appropriate SCC as follows: (“SCCs” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“) https://eur-lex.europa.eu/eli/dec_impl/2021/914/; and (ii) where the UK GDPR applies, the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted by the United Kingdom pursuant to the Data Protection Act of 2018 and other implementation of the GDPR, with an effective date of 21 March 2022, and issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 for the transfer of Personal Information/Data from the United Kingdom to controllers or processors established outside the UK, as set forth at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs“), and (iii) where the Swiss Federal Data Protection Act (“Swiss DPA”) applies, a transfer of personal data to a country outside of Switzerland where such transfer is not subject to an adequacy determination as shown on the list published by the Swiss Federal Data Protection and Information Commissioner).
1. In relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module One will apply;
(ii) In Clause 7, the optional docking clause will apply;
(iii) Clause 9 is Not Applicable;
(iv) In Clause 11, the optional language will not apply;
(v) In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) In Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement;
2. In relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) Table 1 of the UK SCCs shall be deemed completed with the information set out Annex I to this Agreement;
(ii) Table 2 of the UK SCCs shall be deemed completed with the information set out below:
The parties select: the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: Module 1 with selections as set forth in Section 1 of this Addendum
(iii) Table 3 of the UK SCCs shall be deemed completed with the information set out Annexes I and II to this Agreement; and
(iv) Table 4 of the UK SCCs shall be deemed completed by selecting: neither party.
3. In relation to transfers of Personal Information protected by the Swiss DPA, the SCCs will also apply in accordance with paragraphs (1) above, with the following modifications:
(i) References to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
(ii) References to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;
(iii) References to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” , or “Swiss law”;
(iv) The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
(v) Clause 13(a) is not used;
(vi) References to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
(vii) In Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and
(viii) With respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
4. In the event that any provision of this Agreement contradicts, directly or indirectly, with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Annex I:
Data Processing Description
This Annex I forms part of the Agreement and describes the processing between Customer and Magnite.
A. DESCRIPTION OF TRANSFER
| Categories of data subjects whose personal data is transferred: | Visitors (e.g., data subjects) of online digital properties, (i.e., visitors to websites). |
| Categories of personal data transferred: | Pseudonymous identifiers relating to user’s devices (e.g., IP address, device identifiers, cookie identifiers, geo location data). |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | Not applicable |
| The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): | Continuous |
| Nature of the processing: | Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction of data, in order to provide services to clients with respect to facilitating the serving of advertisements on digital properties that are purchased or placed using the Magnite Platforms and technology. |
| Purpose(s) of the data transfer and further processing: | To provide advertising services including reporting on buying opportunities and transactions; enablement of buying and selling of advertising opportunities; to improve Magnite’s technology and Services; for frequency capping, fraud prevention, and for record keeping purposes, in the event of a dispute. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Magnite stores personal information from Customers in our systems for up to 90 days unless required by applicable law to retain it longer. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Not Applicable |
| Categories of data subjects whose personal data is transferred: |
| Categories of personal data transferred: |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: |
| The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
| Nature of the processing: |
| Purpose(s) of the data transfer and further processing: |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: |
| Visitors (e.g., data subjects) of online digital properties, (i.e., visitors to websites). |
| Pseudonymous identifiers relating to user’s devices (e.g., IP address, device identifiers, cookie identifiers, geo location data). |
| Not applicable |
| Continuous |
| Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction of data, in order to provide services to clients with respect to facilitating the serving of advertisements on digital properties that are purchased or placed using the Magnite Platforms and technology. |
| To provide advertising services including reporting on buying opportunities and transactions; enablement of buying and selling of advertising opportunities; to improve Magnite’s technology and Services; for frequency capping, fraud prevention, and for record keeping purposes, in the event of a dispute. |
| Magnite stores personal information from Customers in our systems for up to 90 days unless required by applicable law to retain it longer. |
| Not Applicable |
B. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance (e.g., in accordance with Clause 13 SCCs): | Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of these Standard Contractual Clauses. Where the UK GDPR applies, the UK Information Commissioner’s Office will be the competent supervisory authority. Where the Swiss DPA applies, the Swiss Federal Data Protection Information Commissioner will be the competent supervisory authority. |
| Identify the competent supervisory authority/ies in accordance (e.g., in accordance with Clause 13 SCCs): |
| Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of these Standard Contractual Clauses. Where the UK GDPR applies, the UK Information Commissioner’s Office will be the competent supervisory authority. Where the Swiss DPA applies, the Swiss Federal Data Protection Information Commissioner will be the competent supervisory authority. |
Annex II:
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
| Measure | Description |
|---|---|
| Measures of pseudonymisation and encryption of personal data: | Personal data provided through the Services is limited to pseudonymized values only. Security controls and confidential utilization of commercially available and industry-standard encryption technologies should be used. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: | Measures include: industry standard configuration, monitoring, and maintenance of technology and information systems controls and procedures. Security reviews of key third-party software and service vendors while onboarding and, where appropriate, conducts additional periodic security reviews. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: | Maintenance, testing, review, and updating of incident response plans designed to investigate, respond to, mitigate, and notify of suspected security incidents. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: | Periodic third-party reviews, including penetration testing. Conducting vulnerability assessments, patch management and threat protection technologies. |
| Measures for user identification and authorisation: | Logical access controls to manage electronic access to data and system functionality based on authority levels and job functions. |
| Measures for the protection of data during transmission: | Cryptographic protocols to protect information in transit over public and internal networks, where possible. Network security controls that provide for the use of enterprise firewalls and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, including firewalls, load balancers, and third-party DDoS protection at the network edge to filter and/or mitigate. |
Measures for the protection of data during storage: | Logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies. |
| Measures for ensuring physical security of locations at which personal data are processed: | Protection of information assets from unauthorized physical access; management, monitoring and logging of movement of persons into and out of facilities; and guarding against environmental hazards such as heat, fire and water damage. |
| Measures for ensuring events logging: | Implementation of a system for coordinated logging/alarming and related monitoring procedures. |
Measures for ensuring system configuration, including default configuration: | Industry standard configuration management tools are utilized for all software deployments across the platform, inclusive of alerting for systems that fall out of the standard configurations. |
| Measures for internal IT and IT security governance and management: | Appointment of dedicated staff responsible for the development, implementation, and maintenance of information security and data protection program(s), including regular reporting. |
| Measures for certification/assurance of processes and products: | Ongoing evaluation processes designed to assess, recommend, and implement controls that mitigate or limit internal/external risk to marketplace and core business technologies. |
Measures for ensuring data minimisation: | Collection and processing of the minimum data necessary to provide services. |
Measures for ensuring data quality: | Maintenance of inventory of systems, applications and operating systems. |
Measures for ensuring limited data retention: | Policies and procedures relating to data retention and purging. |
| Measures for ensuring accountability: | Appointment of dedicated staff responsible for the development, implementation, and maintenance of information security and data protection program(s), including regular reporting. |
| Measures for allowing data portability and ensuring erasure: | Mechanisms for data subjects to correct or delete their personal data. |
| Measure |
| Measures of pseudonymisation and encryption of personal data: |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: |
| Measures for user identification and authorisation: |
| Measures for the protection of data during transmission: |
Measures for the protection of data during storage: |
| Measures for ensuring physical security of locations at which personal data are processed: |
| Measures for ensuring events logging: |
Measures for ensuring system configuration, including default configuration: |
| Measures for internal IT and IT security governance and management: |
| Measures for certification/assurance of processes and products: |
Measures for ensuring data minimisation: |
Measures for ensuring data quality: |
Measures for ensuring limited data retention: |
| Measures for ensuring accountability: |
| Measures for allowing data portability and ensuring erasure: |
| Description |
| Personal data provided through the Services is limited to pseudonymized values only. Security controls and confidential utilization of commercially available and industry-standard encryption technologies should be used. |
| Measures include: industry standard configuration, monitoring, and maintenance of technology and information systems controls and procedures. Security reviews of key third-party software and service vendors while onboarding and, where appropriate, conducts additional periodic security reviews. |
| Maintenance, testing, review, and updating of incident response plans designed to investigate, respond to, mitigate, and notify of suspected security incidents. |
| Periodic third-party reviews, including penetration testing. Conducting vulnerability assessments, patch management and threat protection technologies. |
| Logical access controls to manage electronic access to data and system functionality based on authority levels and job functions. |
| Cryptographic protocols to protect information in transit over public and internal networks, where possible. Network security controls that provide for the use of enterprise firewalls and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack, including firewalls, load balancers, and third-party DDoS protection at the network edge to filter and/or mitigate. |
| Logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies. |
| Protection of information assets from unauthorized physical access; management, monitoring and logging of movement of persons into and out of facilities; and guarding against environmental hazards such as heat, fire and water damage. |
| Implementation of a system for coordinated logging/alarming and related monitoring procedures. |
| Industry standard configuration management tools are utilized for all software deployments across the platform, inclusive of alerting for systems that fall out of the standard configurations. |
| Appointment of dedicated staff responsible for the development, implementation, and maintenance of information security and data protection program(s), including regular reporting. |
| Ongoing evaluation processes designed to assess, recommend, and implement controls that mitigate or limit internal/external risk to marketplace and core business technologies. |
| Collection and processing of the minimum data necessary to provide services. |
| Maintenance of inventory of systems, applications and operating systems. |
| Policies and procedures relating to data retention and purging. |
| Appointment of dedicated staff responsible for the development, implementation, and maintenance of information security and data protection program(s), including regular reporting. |
| Mechanisms for data subjects to correct or delete their personal data. |