Last updated: November 27, 2023
Data Privacy Addendum
DATA PRIVACY ADDENDUM
This Data Privacy Addendum (this “Addendum”) forms part of the Agreement between Customer and Boulevard and governs the Processing of Personal Data that Customer provides or otherwise makes available to Boulevard related to Customer’s use of the Boulevard services (the “Services”). This Agreement may refer to Boulevard and Customer each as a “Party” and collectively as the “Parties.”
This Addendum is incorporated into and made part of the Main Services Agreement (“Agreement”). This Addendum reflects the Parties’ agreement with respect to the Processing of the Customer Personal Data (as defined below) In the event of any inconsistency between the terms of the Agreement and this Addendum, the terms of this Addendum shall prevail.
This Addendum may be updated by Boulevard from time to time upon reasonable notice, which may be provided via your Account, email, or by posting an updated version of this Addendum at https://www.joinblvd.com/legal/data-privacy-addendum. Your continued use of the Boulevard Services shall be deemed your conclusive acceptance of any such revisions.
1. Definitions. Capitalized terms used in this Addendum that are not defined herein shall have the same meaning as set forth in the Agreement.
1.1. “Controller” means the party that alone or jointly with others determines the purpose(s) and means of the Processing of Personal Data.
1.2. “Customer Personal Data” means any Personal Data that Customer provides or otherwise makes available to Boulevard for Processing on Customer’s behalf pursuant to the Agreement.
1.3. “Data Protection and Privacy Laws” means the data protection and privacy laws and regulations applicable to the Processing of Personal Data in any relevant jurisdiction, including the U.S. State Privacy Laws, and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.
1.4. “Personal Data” means any information relating to an identified or identifiable individual that is subject to protection under the Data Protection and Privacy Laws and includes information that is referred to as “personal data” or “personal information” in the Data Protection and Privacy Laws.
1.5. “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data.
1.6. “Privacy Rights Request” means a request made by (or on behalf of) an individual to exercise his or her rights under the Data Protection and Privacy Laws in relation to the Customer Personal Data.
1.7. “Process” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means.
1.8. “Processor” means the party that Processes Personal Data on behalf of the Controller.
1.9. “Subcontractor” means a party engaged by Boulevard in the Processing of the Customer Personal Data on Customer’s behalf
1.10. “U.S. State Privacy Laws” means the U.S. state privacy laws and regulations applicable to the Processing of Personal Data, including the California Consumer Privacy Act, as amended, including by the California Privacy Rights Act and implementing regulations (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Act Concerning Protection and Online Monitoring (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and any other similar applicable laws that are in effect or come into effect during the term of the Agreement.
1.11. The terms “Business,” “Service Provider,” and “Share,” have the meanings ascribed to them in the CCPA.
2. Processing of the Customer Personal Data
2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Business or Controller, and Boulevard is the Service Provider or Processor. Each Party shall comply with the obligations that apply to it under the Data Protection and Privacy Laws and provide the Customer Personal Data the level of privacy protection required by such laws. In the event that either Party determines that it can no longer meet its obligations under the Data Protection and Privacy Laws with respect to the Customer Personal Data, it shall take commercially reasonable steps to notify the other Party.
2.2. Boulevard’s Processing of Customer Personal Data. Customer makes the Customer Personal Data available to Boulevard for the limited and specified business purpose of performing the Services on behalf of Customer (as further described in Appendix I) (Details of the Processing). Boulevard shall Process the Customer Personal Data only as permitted by the Agreement (including this Addendum) and in accordance with any additional documented instructions from Customer. If Boulevard is required by applicable law to Process the Customer Personal Data for another purpose, Boulevard shall take commercially reasonable steps to inform Customer of the legal obligation unless that law prohibits such information. Boulevard shall not: (i) Sell or Share the Customer Personal Data; (ii) Process the Customer Personal Data for any commercial purpose other than the purposes specified in the Agreement and in this Addendum or as otherwise permitted by the Data Protection and Privacy Laws; (iii) Process the Customer Personal Data outside of the direct business relationship between Customer and Boulevard unless expressly permitted by the Data Protection and Privacy Laws; or (iv) when prohibited by applicable Data Protection and Privacy Laws, combine the Customer Personal Data with Personal Data that Boulevard receives from, or on behalf of, another person or persons, or collects from its own interactions with individuals. Boulevard will grant access to the Customer Personal Data only to its personnel who require access and are subject to appropriate confidentiality agreements or duties of confidentiality.
2.3. Customer’s Processing Obligations. As the Business or Controller of the Customer Personal Data, Customer shall ensure that the Customer Personal Data is collected and provided or otherwise made available to Boulevard in compliance with the Data Protection and Privacy Laws. In particular, Customer shall ensure that it has provided all legally-required notices and privacy disclosures to all individuals to whom the Customer Personal Data relates. Customer shall also be responsible for the accuracy and use of the Customer Personal Data.
3. Data Security. Taking into account the nature of the Processing, Boulevard shall maintain technical and organizational measures designed to protect the Customer Personal Data against any breach of security leading to the accidental or unlawful destruction, use, loss, alteration, unauthorized disclosure of, or unauthorized access to the Customer Personal Data. Boulevard shall notify Customer without undue delay after becoming aware of a Personal Data Breach.
4. Assessments and Other Assistance. Upon reasonable written request, Boulevard shall provide Customer with available information and documentation regarding Boulevard’s Processing of the Customer Personal Data to assist Customer in fulfilling its obligation under the Data Protection and Privacy Laws to conduct and document data protection impact assessments (or other similar assessments). Additionally, taking into account the nature of the Processing and the information available to Boulevard, upon reasonable written request, Boulevard shall assist Customer in ensuring compliance with other obligations pursuant to the Data Protection and Privacy Laws.
5. Compliance Verification and Audits. At reasonable intervals during the term of the Agreement not to exceed more than once in a given twelve (12) month period, Boulevard shall, upon written request, make available to Customer information or documentation necessary to demonstrate its compliance with its obligations under this Addendum with respect to the Customer Personal Data. In the event of a Personal Data Breach, at the reasonable written request of Customer, Boulevard shall allow for and contribute to an audit conducted by an independent third-party auditor mutually agreed upon by the Parties to assess Boulevard’s data security measures. Any such audit shall be at the expense of Customer and conducted during normal business hours and in a manner that minimizes any disruption to Boulevard’s business and operations. If an audit conducted pursuant to this Section 5 reveals any unauthorized use of the Customer Personal Data by Boulevard, Customer and Boulevard shall promptly work together in good faith to agree upon reasonable and appropriate steps to stop and remediate the unauthorized use. If, in Boulevard’s opinion, any instruction from Customer pursuant to this Section 5 infringes the Data Protection and Privacy Laws, Boulevard shall take commercially reasonable steps to notify Customer.
6. Privacy Rights Requests. Customer shall notify Boulevard in writing or through other methods agreed upon by the Parties of all Privacy Rights Requests it receives relating to the Customer Personal Data. Taking into account the nature of the Processing and the information available, Boulevard shall assist Customer in fulfilling its obligation to respond to Privacy Rights Requests, insofar as this is possible.
7. Subcontractors. As of the Effective Date, Customer authorizes Boulevard to engage Subcontractors in the Processing of the Customer Personal Data, provided that Boulevard has in place a written agreement with each party that imposes on it the same restrictions and requirements with respect to Personal Data imposed on Boulevard in this Addendum. Boulevard shall notify the Customer of any intended changes concerning the addition or replacement of subcontractors.
8. Deletion or Return of the Customer Personal Data. Upon termination or expiration of the Agreement, Boulevard, at Customer’s written request and to the extent technically feasible, shall either delete or return to Customer the Customer Personal Data, unless retention of the data is required or permitted by any applicable law.
9. Modifications. The Parties agree to cooperate in good faith to amend the terms of this Addendum and/or enter into additional terms as necessary to address modifications, amendments, or updates to the Data Protection and Privacy Laws.
Appendix I
Details of the Processing
This Appendix I describes the Processing of the Customer Personal Data by Boulevard on Customer’s behalf.
Categories of Personal Data Processed | The categories of Personal Data Processed include: |
Categories of individuals impacted by the Processing | The Customer Personal Data relates to individuals from or about whom Customer collects Personal Data. |
Nature and purpose of the Processing | Boulevard will Process the Customer Personal Data for the following specific business purposes: The specific business purposes are: • Auditing: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. • Security & Integrity: Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes. • Repair Functionality: Debugging to identify and repair errors that impair existing intended functionality. • Short-term, transient use: Short-term, transient use, including, but not limited to, non personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. • Performing services on behalf of Customer: Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. • Advertising & Marketing: Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers. • Internal Research: Undertaking internal research for technological development and demonstration. • Quality & Safety: Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. |
Duration of the Processing | The term of the Agreement. |