Data Processing Agreement

This Data Processing Addendum (“DPA”) applies to a Promoter who is subject to the EU General Data Protection Regulation (EU) 2016/679 or “GDPR”, or any similar and applicable legislation, and who requires Audience Republic to process Personal Information (which is subject to the GDPR) on their behalf as part of the Promoter’s use of Audience Republic’s Services.

In this DPA references to “you” means the Promoter and references to “we”, “us”, “our” and “Audience Republic” means Audience Republic Pty Ltd, an Australian company ABN 96 606 311 095.

NOTE: To learn more about the applicable terms for a Promoter’s use of Audience Republic’s Services go to Audience Republic’s Terms of Service (PROMOTERS).

1) General

a) The terms of this DPA are hereby incorporated in to Audience Republic’s Terms of Service (PROMOTERS) or any other applicable services agreement between you and Audience Republic (the “Agreement”).

b) With respect to provisions regarding Processing of Personal Information, this Agreement is supplemental to the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail unless the Promoter and Audience Republic have individually negotiated data processing terms that are different from this DPA and which meet the requirements of the GDPR in full, in which case those negotiated terms will control.

“Data Controller”, “Data Processor”, “Data Subject”, and “Processing” shall have the meanings ascribed to them in GDPR;

“Personal Information” shall mean the same meaning ascribed to “Personal Data” in the GDPR.

“Data Security Breach” means a breach of security which causes the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Information transmitted, stored or otherwise Processed; and

“Services” means a Campaign or Audience Manager (both of which are described and accessible on our Site) or other tools or services offered by Audience Republic to the Promoter from time to time.

“Technical and Organisational Security Measures” means security measures implemented by Audience Republic appropriate to the type of Personal Information being Processed and the Services being provided by Audience Republic to protect Personal Information against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.

2) Applicability Of DPA And Scope Of Data Processing Activities

a) In using Audience Republic’s Services and for the purposes of GDPR, the Promoter is a Data Controller of the Personal Information associated with an individual (a “Fan”) who:

i) uses Audience Republic’s Site to register for a Campaign conducted by the Promoter; or

ii) is otherwise recorded in the Promoter’s database when the Promoter’s database is uploaded to, or integrated with Audience Manager.

The Promoter agrees to Process a Fan’s Personal Information in accordance with the Promoter’s obligations under GDPR and any other applicable data protection laws including the Australian Privacy Act 1988 (Cth). The Promoter indemnifies Audience Republic against all costs, claims, damages and expenses incurred by Audience Republic or for which Audience Republic may become liable due to any failure by the Promoter or the Promoter’s employees or sub-contractors to comply with any obligations under this Agreement, applicable Data Protection Laws, or our instructions.

b) When Audience Republic Processes the Personal Information of Fans on behalf of the Promoter as part of the Services, Audience Republic is a Data Processor in performing such Processing and the Promoter is the Data Controller. This includes circumstances where Audience Republic obtains Personal Information as a result of enabling the Promoter to import the Personal Information of Fans into Audience Manager.

c) In respect of some Processing of Fans’ Personal Information, Audience Republic will act as a Data Controller, for example, where Fans have engaged with a Campaign and Personal Information is Processed by Audience Republic.

d) To the extent that Audience Republic Processes Personal Information as a Data Processor on behalf of the Promoter, clause 3) of this DPA shall apply. When, and to the extent that Audience Republic is not acting as a Data Processor on behalf of the Promoter, Audience Republic’s Processing shall not be subject to this DPA.

e) Details about the Personal Information to be Processed by Audience Republic and the Processing activities to be performed under the Agreement are as follows:

i) duration – as set out in the Agreement;

ii) nature, purpose and subject matter – to enable the Promoter to conduct a Campaign (including the promotion of the Promoter’s products and/or services) or use Audience Manager;

iii) data categories – Personal Information as described in the Privacy Policy.

3) Data Processing Clauses

a) Whenever Audience Republic Processes Personal Information on behalf of the Promoter, Audience Republic shall:

i) Process Personal Information according to the Promoter’s documented instructions, unless required to do otherwise by applicable law. Audience Republic shall inform the Promoter before Processing Personal Information if there is some legal requirement to Process other than in accordance with the Promoter’s instructions, unless that same law prohibits Audience Republic from doing so. Audience Republic will notify the Promoter if in its opinion an instruction is in breach of GDPR. The Promoter hereby instructs Audience Republic, and Audience Republic hereby agrees, to Process Personal Information as necessary to perform Audience Republic’s obligations under the Terms of Service (PROMOTERS) relevant to Campaigns and Audience Manager;

ii) Have in place Technical and Organisational Security Measures to protect Personal Information;

iii) Notify the Promoter in the event of a Data Security Breach without undue delay and assist the Promoter to enable the Promoter to comply with its obligations as a Data Controller in relation to data breach notification requirements;

iv) Ensure its employees have committed themselves to keeping Personal Information confidential by signing binding confidentiality undertakings in the terms of their engagement;

v) Impose obligations on its sub-processors that have access to Personal Information that are the same as or equivalent to those set out in this clause 3) by way of written contract;

vi) Provide reasonable assistance to the Promoter in responding to rights requests under GDPR, complaints, or other communications received from any data protection authority or a Fan. In the event that a Fan submits a Personal Information deletion request to Audience Republic with respect to their Personal Information controlled by the Promoter, then the Promoter hereby authorises Audience Republic to delete or anonymize the Fan’s Personal Information on the Promoter’s behalf;

vii) Upon the Promoter’s written request, make available to the Promoter information which is reasonably necessary to demonstrate its compliance with the obligations set out in this clause ; and

viii) Except for that Personal Information with respect to which Audience Republic acts as a Data Controller, return, delete, or destroy (at the Promoter’s election), the Personal Information and copies thereof, at the Promoter’s request (unless applicable law requires the storage of such Personal Information).

4) Sub-processors

a) The Promoter hereby consents to Audience Republic’s current sub-processors (i.e. those third parties described in Audience Republic’s Privacy Policy,) (“Current Sub-Processors”) to Process Personal Information on its behalf.

b) The Promoter hereby consents to Audience Republic appointing additional and replacement sub-processors (“Replacement Sub-Processors”) to Process Personal Information on its behalf. Audience Republic shall:

i) notify the Promoter if there is a Replacement Sub-Processor via Audience Republic’s website. (The Promoter should regularly check and review Audience Republic’s website for any such changes because Audience Republic’s website shall be the sole means of Audience Republic notifying any such changes); and

ii) give the Promoter the opportunity to object to such changes that take place after the Effective Date of the Agreement.

c) For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with these terms and shall not apply in relation to Current Sub-Processors.

d) The Promoter shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of Audience Republic posting the changes on its website by sending its objection to privacy@audiencerepublic.com with the subject line ‘Legal Objection to Replacement Sub-Processor’.

e) Provided that the Promoter’s objection:

i) concerns the Replacement Sub-Processor’s ability to allow Audience Republic to materially comply with its data protection obligations under this DPA; and

ii) includes sufficient detail to support its objection and provide specific examples,

Audience Republic will then use commercially reasonable efforts to review and respond to the Promoter’s objection within thirty (30) days. If Audience Republic does not view the objection as providing sufficient supporting detail, the objection shall be deemed invalid and Audience Republic has no further obligations.

f) If Audience Republic determines in its sole discretion that it cannot reasonably accommodate the Promoter’s objection, upon notice from Audience Republic, the Promoter may choose to terminate the Agreement by providing written notice to Audience Republic, and complying with these terms, which shall be the Promoter’s sole and exclusive remedy. Should the Promoter choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this clause shall relieve the Promoter from any of its payment and/or repayment obligations to Audience Republic under the Agreement. Without limiting Audience Republic’s other rights and remedies, if the Promoter terminates the Agreement pursuant to this clause f), then the Promoter will immediately pay to Audience Republic all amounts accruing and owed to Audience Republic, including, without limitation, obligations to pay and/or repay Audience Republic for any Fees otherwise payable under the Agreement.

Updated July 2018