Data Processing Agreement

Controller – Processor

This Data Processing Agreement (“DPA”) forms part of an agreement (or applicable statement of work subject to such agreement) between Kantar Media (being the contracting entity identified in the agreement or applicable statement of work, and, where applicable, its Affiliates) (“Kantar Media”) and the counterparty identified in the agreement (“Supplier”), which incorporates this DPA by reference or refers to the URL at which this DPA is located (the “Agreement”). This DPA does not limit any other obligations of Supplier, including those under the Agreement or applicable law. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.

1 Definitions and Interpretation

1.1 In this DPA, the terms in initial-capitalised form shall have the meaning set out in this clause 1.1, whether or not such terms are otherwise defined in the Agreement. Capitalised terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement. Any terms used in the DPA and which are not defined in the DPA or the Agreement shall have the meaning given in Data Protection Law. Where a term is defined both in this DPA and Data Protection Law, the definition required to comply with Data Protection Law shall prevail.

“Business Purpose” has the meaning set forth in CA Civ Code § 1798.140(e) or equivalent concept under applicable US Privacy Laws.

“Data Protection Law” means, as applicable to the processing of Personal Data, any national, federal, EU, state, provincial or other privacy, data security or data protection law or regulation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the UK General Data Protection Regulation, as defined in section 3(10) of the Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“FADP”) and Brazilian Law No. 13.709 of 14 August 2018 (“LGPD”), the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., as amended (“CCPA”), and other applicable state and federal United States’ privacy laws (together, with the CCPA, the “US Privacy Laws”) as well as any implementing legislation, regulations, guidance, or codes of practice issued by supervisory authorities, as amended, re-enacted, or replaced from time to time.

“Data Subject Request” means a request made by a data subject or consumer to exercise rights under applicable Data Protection Law including rights of access, rectification, restriction of processing, erasure, portability, and objection to processing.

“Kantar Media Data” means any information, in any form, format, or medium, provided or made available to Supplier in connection with the Agreement, together with all derivatives, models, analyses, adaptations, and aggregations created from or based on such information.

“Kantar Media Personal Data” means Kantar Media Data that constitutes Personal Data.

“Personal Data” has the meaning given in Data Protection Law, and includes information relating to an identified or identifiable natural person, or, under US Privacy Laws, information relating to a consumer, household, or device.

“Public Authority” means any national, supranational, federal, state, provincial, local, or foreign government, or any political subdivision thereof, and any agency, authority, instrumentality, regulatory or supervisory authority, law enforcement agency, court, or tribunal.

“Restricted Transfer” means a transfer of Personal Data by a Party acting as exporter to an importer in a jurisdiction that has not been recognised under applicable Data Protection Law as providing an adequate level of protection.

“Security Incident” means any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to Kantar Media Personal Data processed by Supplier in connection with the Services, including a breach of the Security Measures.

“Security Measures” means the Kantar Media security requirements as detailed and available at www.kantarmedia.com/data-protection/kantar-media-security-measures, as amended and notified to Supplier from time to time;

“Standard Contractual Clauses” means, as appropriate:

1. in respect of personal data to which the Argentinian Data Protection Act applies, the model contract titled Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios as adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 – E/2016, incorporated into this DPA by reference (“Argentinian Standard Contractual Clauses”);
2. in respect of personal data to which the LGPD applies, the standard contractual clauses set out in Annex II of Resolution CD/ANPD No.19 of 23 August 2024, incorporated into this DPA by reference (“Brazilian Standard Contractual Clauses”);
3. in respect of personal data to which the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914, including all modules, incorporated into this DPA by reference (“EU Standard Contractual Clauses”);
4. in respect of personal data to which the FADP applies, the EU Standard Contractual Clauses as applicable in Switzerland, including all modules, incorporated into this DPA by reference (“Swiss Standard Contractual Clauses”);
5. in respect of personal data to which the Turkish Personal Data Protection Law No. 6698 dated 24 March 2016 applies, the standard contracts adopted under the By-Law on Procedures and Principles for the Transfer of Personal Data Abroad, published in the Official Gazette on 10 July 2024 and numbered 32598, including all standard contracts, incorporated into this DPA by reference (“Turkish Standard Contractual Clauses”);
6. in respect of personal data to which the UK GDPR applies, the EU Standard Contractual Clauses, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018, including all modules, incorporated into this DPA by reference (“UK Standard Contractual Clauses”); and
7. in respect of personal data to which Law No. 18.331 on the Protection of Personal Data and the Habeas Data Act 2008 applies, Model Agreement for the International Transfer of Personal Data from Controllers to Processors adopted by Resolution No. 41/021, incorporated into this DPA by reference (“Uruguayan Standard Contractual Clauses”),

and where required by applicable law, the Parties shall execute the Standard Contractual Clauses in full rather than incorporate them by reference.

To the extent any translated version of this DPA is inconsistent with the English language version, the English language version shall prevail.

1.2 The terms “appropriate technical and organisational measures”, “controller”, “data subject”, “operator” “processing”, “processor”, “subprocessor”, and “supervisory authority” shall be interpreted in accordance with Data Protection Law, and the terms “business”, “consumer”, “sale”, “sell”,“service provider”, and “share” shall be interpreted in accordance with US Privacy Laws.

1.3 In this DPA, a reference to the singular includes the plural and vice versa. The words “include” and “including” mean “included without limitation”. Any examples are illustrative only.

1.4 Except where the context requires otherwise, a reference in this DPA to a clause, schedule, or annex is to a clause of, or schedule or annex to, this DPA.

1.5 Headings are for convenience only and shall not affect the meaning or interpretation of this DPA or its schedules and annexes.

1.6 In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent required to comply with Data Protection Laws.

1.7 To the extent any translated version of this DPA is inconsistent with the English language version, the English language version shall prevail.

2 Roles of the Parties

2.1 The Parties agree that this DPA shall apply to any Personal Data that the Supplier processes in the course of providing the Services.

2.2 The Parties agree that Kantar Media is the controller or business (as applicable under Data Protection Law) and Supplier is the processor, operator, or service provider (as applicable under Data Protection Law). Supplier represents and warrants that Supplier understands the obligations imposed on it by this DPA and will comply with them. Supplier shall immediately notify Kantar Media if it believes it is required by law to determine the purposes or essential means of processing.

2.3 The subject matter of the processing is the performance of the Services. The obligations and rights of Kantar Media are as set out in this DPA. The Agreement sets out the nature, duration, and purpose of the processing, the Business Purpose (where applicable under US Privacy Laws), the types of Personal Data the Supplier processes, and the categories of data subjects whose Personal Data is processed.

2.4 Except as expressly provided in the Agreement, Supplier acknowledges that, as between Supplier and Kantar Media, Kantar Media owns all rights, title, and interest in Kantar Media Data. Nothing in this clause shall affect Supplier’s rights in any pre-existing intellectual property, tools, models, or methodologies, provided that such rights do not include any Kantar Media Data or Kantar Media Personal Data.

3 Supplier Obligations

3.1 When Supplier, or any subprocessor engaged by it, processes Kantar Media Personal Data under the Agreement, Supplier represents and warrants, for itself and each subprocessor, that it shall:

3.1.1 at all times comply with applicable Data Protection Law and notify Kantar Media immediately if, in Supplier’s opinion, an instruction given by Kantar Media for the processing of Personal Data infringes applicable Data Protection Law;

3.1.2 process Personal Data only in accordance with Kantar Media’s documented instructions, which may be specific instructions, instructions of a general nature as set out in the Agreement, or as otherwise agreed between the Parties from time to time. Supplier shall not:

1. process Kantar Media Personal Data for any purpose other than the Services, or the Business Purpose specified by Kantar Media, unless Supplier is required to do so by applicable law, in which case Supplier shall inform Kantar Media in advance, unless prohibited by law on important grounds of public interest;
2. sell, share, or otherwise use Kantar Media Personal Data for cross-content behavioural advertising, targeted advertising, profiling for marketing and advertising purposes, or any commercial purpose outside the direct business relationship with Kantar Media.

3.1.3 act only as a processor, service provider, or operator, or in an equivalent role as defined by Data Protection Law, and not as a controller, business, or equivalent role;

3.1.4 ensure that personnel (including those of any subprocessor) with access to Kantar Media Personal Data:

1. are duly authorised to process Kantar Media Personal Data only as permitted by this DPA and the Agreement;
2. are subject to a binding duty of confidentiality or an appropriate legal obligation of confidentiality;
3. have undergone adequate training in the care, protection, and handling of Personal Data;
4. and are reliable and competent to perform their duties.

3.1.5 notify Kantar Media without undue delay (and in any event within 48 hours) of any Data Subject Request in relation to Kantar Media Personal Data. Supplier shall not respond to such request except to confirm receipt and direct the data subject to Kantar Media, unless expressly authorised by Kantar Media in writing;

3.1.6 not disclose or give access to any Kantar Media Data to any third party, including any Public Authority, without Kantar Media’s prior written authorisation, unless such disclosure is:

1. to a subprocessor, as necessary for the performance of the Services under the Agreement and in accordance with clause 5; or
2. required by applicable law, including a legally binding request from a Public Authority. For the avoidance of doubt, Supplier shall not respond to any voluntary, informal, or non-binding request from a Public Authority without Kantar Media’s prior written authorisation. In the case of a legally binding request, Supplier shall:
   1. immediately notify Kantar Media upon receipt and before disclosure, unless prohibited by law, and provide all information reasonably necessary to assess the request;
   2. limit the disclosure to the minimum Personal Data required by law; and
   3. use best efforts to challenge, resist, or narrow the scope of such disclosure to the fullest extent permitted by law;

3.1.7 provide full and prompt cooperation and assistance to Kantar Media, taking into account the nature of the processing and the information available to Supplier, and at no extra cost, by:

1. taking appropriate technical and organisational measures, as relevant, to assist Kantar Media in responding to Data Subject Requests;
2. assisting Kantar Media in relation to its notification obligations following a Security Incident to the competent supervisory authority and to data subjects; andassisting Kantar Media with:
   1. any data protection impact assessment that Kantar Media carries out; and
   2. any prior consultations with a supervisory authority; and

3.1.8 maintain records of the processing activities carried out on behalf of Kantar Media under the Agreement, including:

1. the categories of processing carried out;
2. any cross-border transfers of Kantar Media Personal Data, including a list of any countries to which Kantar Media Personal Data has been transferred and the transfer mechanisms and other safeguards relied on; and
3. a general description of the appropriate technical and organisational measures implemented to safeguard Kantar Media Personal Data.

3.2 Except as expressly authorised by Kantar Media in the Agreement or otherwise required by applicable Data Protection Law, Supplier shall not:

3.2.1 attempt to re-identify any anonymised, pseudonymised, or de-identified Kantar Media Data obtained by Supplier in connection with the Services. Where Supplier processes de-identified Kantar Media Data subject to US Privacy Laws, Supplier shall publicly commit to maintain and use such data in de-identified form and not attempt to re-identify it; and;

3.2.2 aggregate, pseudonymise, anonymise, or de-identify Kantar Media Personal Data.

3.2.3 process Kantar Media Data, including anonymised or pseudonymised Kantar Media Personal Data, by Supplier or any subprocessor, in connection with, or for the purposes of developing, training, testing, improving, supporting, or otherwise using any large language model, machine learning model, foundation model, generative artificial intelligence system, or any other artificial intelligence or automated decision-making system, or similar technology. This prohibition includes the synthesis of synthetic data, the combination with any other data or content, and the generation of outputs or models based on such data.

3.3 Supplier shall, at its own cost, make available to Kantar Media all information reasonably required to demonstrate compliance with this DPA, the Security Measures, and Data Protection Law, including by:

3.3.1 completing data protection and information security questionnaires upon request;

3.3.2 subject to conditions set out in the Agreement, allowing for and facilitating audits and inspections of Supplier and subprocessor facilities by Kantar Media or its authorised auditors, including access to the premises, resources, and personnel used in connection with the provision of the Services;

3.3.3 providing accurate records and documentation (including all policies, procedures, papers, correspondence) consistent with generally accepted practices;

3.3.4 permitting Kantar Media to test Supplier’s compliance with Kantar Media’s Security Measures; and

3.3.5 taking reasonable and appropriate steps, upon notice from Kantar Media, to stop and remediate any unauthorised use of Kantar Media Personal Data,

and Supplier shall, at its own cost, make any changes reasonably requested by Kantar Media to correct any compliance failures discovered during such audits, inspections, or tests.

3.4 Supplier shall promptly notify Kantar Media of any determination (by itself or a subprocessor) that it can no longer meet its obligations under this DPA, the Agreement, or applicable Data Protection Laws.

4 Security

4.1 Supplier shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to protect the confidentiality, integrity, availability, and resilience of Kantar Media Personal Data against a Security Incident. Supplier shall review and update such measures regularly, and in any event as necessary to maintain an appropriate level of security, taking into account the risks presented by the processing. Such measure shall include, at a minimum, the requirements set out in the Security Measures.

4.2 Security Incidents

4.2.1 Supplier shall maintain appropriate technical and organisational measures designed to detect, respond to, and otherwise address Security Incidents, including procedures to:

1. identify and respond immediately to reasonably suspected or known Security Incidents, including by mitigating any harmful effects;
2. document Security Incidents and their outcomes; and
3. restore the availability of, and access to, Kantar Media Data in a timely manner.

4.2.2 Except where required by applicable law, if Supplier becomes aware of a Security Incident, or information that should reasonably lead it to suspect a Security Incident has occurred, Supplier shall notify Kantar Media without undue delay (and in any event within 48 hours) and provide Kantar Media with a description of the Security Incident, including, to the extent known at the time:

1. the likely impact of the Security Incident;
2. the categories and approximate number of data subjects affected and their country of residence;
3. the categories and approximate number of records affected;
4. the risk posed by the Security Incident to data subjects; and
5. the measures taken or proposed to be taken by Supplier to address the Security Incident and to mitigate its adverse effects (“Remediation Efforts”).

Supplier shall provide timely updates as further information becomes available and in response to Kantar Media’s reasonable requests.

4.2.3 Following any Security Incident, Supplier shall consult in good faith with Kantar Media regarding the Remediation Efforts and shall:

1. undertake any additional or alternative Remediation Efforts reasonably requested by Kantar Media or any Public Authority with jurisdiction (including a competent supervisory authority), at Supplier’s expense where the Security Incident was caused by Supplier’s breach of this DPA;
2. ensure and provide written assurance to Kantar Media that reasonable measures were and are being taken to prevent recurrence of the same or similar Security Incident; and
3. reasonably cooperate with any Remediation Efforts undertaken by Kantar Media.

4.2.4 Supplier shall not release or publish any filings, notices, press releases, reports, or other public statements that identify Kantar Media in connection with any Security Incident without Kantar Media’s prior written authorisation, unless required by applicable law, in which case Supplier shall notify Kantar Media in advance.

4.2.5 Notwithstanding anything to the contrary in the Agreement, including any limitations of liability, and without limiting Kantar Media’s other rights, Supplier shall reimburse Kantar Media for all reasonable costs and expenses incurred as a direct result of a Security Incident, including investigation, Remediation Efforts, notification, and mitigation, to the extent the Security Incident was caused by Supplier’s breach of this DPA.

5 Subprocessing

5.1 Supplier shall not disclose, enable the processing of, or otherwise make accessible any Kantar Media Personal Data to any subprocessor unless expressly authorised by Kantar Media.

5.2 Kantar Media authorises the subprocessors listed in:

1. the Agreement; or
2. Supplier’s URL, provided that such URL is expressly identified and agreed in the Agreement.

5.3 Notwithstanding anything to the contrary in the Agreement, Supplier shall:

5.3.1 require each subprocessor, as a condition of performing the Services, to enter into a written agreement with the Supplier containing confidentiality, security, and data protection no less protective than those set out in this DPA;

5.3.2 ensure all subprocessors comply with all terms of this DPA and remain liable for any breach by subprocessor;

5.3.3 be responsible for all acts and omissions of any subprocessor;

5.3.4 not permit any subprocessor to further assign, subcontract, or subprocess its obligations (except to a Supplier Affiliate) without Kantar Media’s prior written authorisation.

5.4 Supplier shall ensure that each subprocessor that processes or accesses Kantar Media Personal Data:

5.4.1 is competent to perform the subcontracted Services in accordance with this DPA and the Agreement; and

5.4.2 has implemented appropriate technical and organisational measures to ensure confidentiality, security, and compliance with this DPA and the Agreement.

6 Restricted Transfers

6.1 Where the transfer of Kantar Media Personal Data to Supplier constitutes a Restricted Transfer, the Parties shall ensure that such transfer is carried out subject to appropriate safeguards in compliance with applicable Data Protection Law. Such safeguards shall include, where applicable, the execution of Standard Contractual Clauses or the implementation of an alternative transfer mechanism recognised under Data Protection Law.

6.2 Where the Parties rely on the Standard Contractual Clauses as the transfer mechanism:

6.2.1 for the purposes of each of the Argentinian Standard Contractual Clauses: the details of the processing of Personal Data for Annex A are as set out in the Agreement, and Supplier agrees that its obligations under the Argentinian Standard Contractual Clauses shall be governed by the laws of Argentina;

6.2.2 for the purposes of the Brazilian Standard Contractual Clauses:

1. Kantar Media is the controller and the Supplier is the processor;
2. for clause 2 (Object), the purpose of the transfer, the categories of Personal Data, the retention period, and other information is as set out in the Agreement;
3. for clause 3 (Onward Transfers), Option A applies;
4. for clause 4 (Responsibilities of the Parties), Option A applies and Kantar Media shall be responsible for providing a privacy notice to data subjects, responding to Data Subject Requests, and notifying Security Incidents; and
5. for section III, the Security Measures apply;

6.2.3 for the purposes of the EU Standard Contractual Clauses:

1. (a) module 2 applies;
2. Kantar Media is the Data Exporter and Supplier is the Data Importer;
3. clause 7 (Docking) is incorporated;
4. for clause 9 (Use of sub-processors), option 1 shall apply;
5. the optional provision in clause 11 (Redress) is not incorporated and shall not apply;
6. for clause 13 (Supervision) and Annex I.C (Competent supervisory authority), the supervisory authority will be the supervisory authority competent under the GDPR for the relevant Kantar Media Affiliate;
7. for clause 17 (Governing law), the governing law is the law of the Kantar Media Affiliate or, if that is not the laws of an EU member state which respects third-party beneficiary rights, the law of the Netherlands;
8. for clause 18 (Choice of forum and jurisdiction), the courts of the Netherlands shall have jurisdiction;
9. the content of Annex I.B (Description of transfer) is as set out in the Agreement;
10. the content of Annex II (Technical and organisational measures) is set out in the Security Measures; and
11. the content of Annex III (List of subprocessors) is as set out in the Agreement;

6.2.4 for the purposes of the Swiss Standard Contractual Clauses: the EU Standard Contractual Clauses apply as set out in clause 6.2.3 of this DPA, save that:

1. references in the EU Standard Contractual Clauses to the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” shall be interpreted to include the FADP;
2. references in the EU Standard Contractual Clauses to Regulation (EU) 2018/1725 shall be removed;
3. references in the EU Standard Contractual Clauses to “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses;
4. Clause 13(a) and Annex I.C are not used and the “competent supervisory authority” shall be the Swiss Federal Data Protection Commissioner (“FDPIC”)and nothing about the Parties’ designation of the competent supervisory authority shall be interpreted to preclude data subjects in Switzerland from applying to the FDPIC for relief;
5. the clauses shall be governed by the laws of Switzerland; and
6. the Parties agree that any dispute arising from the Swiss Standard Contractual Clauses shall be resolved by the courts of Switzerland, and the Parties’ selection of forum in the Agreement may not be construed as forbidding data subjects habitually resident in Switzerland from suing for their rights in Switzerland;

6.2.5 for the purposes of the Turkish Standard Contractual Clauses:

1. standard contract 2 applies;
2. for clause 8 (Subprocessors), option 1 applies;
3. for clause 10 (Redress), the optional provision does not apply;
4. for clause 16 (Notification), Kantar Media shall notify the supervisory authority;
5. the information required by Annex I (Description of Transfers) is as set out in the Agreement, save that
   1. the legal basis for the transfer is the legitimate interest of Kantar Media, and
   2. the VERBİS registration information of Kantar Media is as set out in the VERBİS entry for Kantar Media Medya Araştırmaları Danışmanlik ve Ticaret AS;
6. the information required by Annex II (Technical and organisational measures) is set out in the Security Measures; and
7. the information required by Annex III (List of subprocessors) shall be as set out in the Agreement;

6.2.6 for the purposes of the UK Standard Contractual Clauses:

1. the information required by Table 1 shall be as set out in the Agreement;
2. the information required by Table 2 is as set out in clause 6.2.3 of this DPA, save that
   1. the UK Standard Contractual Clauses shall be governed by the laws of England and Wales,
   2. the Parties agree that any dispute arising from the UK Standard Contractual Clauses shall be resolved by the courts of England and Wales,
   3. the UK GDPR applies to Supplier’s processing of Personal Data as Data Importer,
   4. Supplier may only transfer Personal Data to subprocessors under the conditions set out in clause 5 of this DPA, and
   5. the Parties shall review this DPA at regular intervals to ensure that it remains accurate and up to date, and continues to provide appropriate safeguards to the Personal Data;
3. the information required by Table 3 shall be as set out in the Agreement; and
4. for Table 4, the Parties may end the UK Standard Contractual Clauses in line with the provisions of the Agreement and clause 9.1 of this DPA; and

6.2.7 for the purposes of the Uruguayan Standard Contractual Clauses:

1. for clause 7 (Reliance on subprocessors), option 1 applies;
2. for clause 9 (Redress), the optional provision does not apply;
3. the information required by Annexes B and D is as set out in the Agreement; and
4. the information required in Annex C is the Security Measures.

6.3 Supplier shall ensure that neither it nor any subprocessor makes any further Restricted Transfer of Kantar Media Personal Data without Kantar Media’s prior written authorisation. Where such authorisation is given, Supplier shall:

6.3.1 ensure the Restricted Transfer complies with applicable Data Protection Law;

6.3.2 execute appropriate Standard Contractual Clauses or implement equivalent safeguards; and

6.3.3 where required by applicable Data Protection Law, complete a transfer impact assessment taking into account the circumstances of the transfer, the laws and practices of the third country, and any relevant contractual, technical, and organisational safeguards that Supplier has put in place with the subprocessor. Supplier shall make such assessment, or a summary of it, available to Kantar Media upon request.

6.4 If any transfer mechanism relied upon under this DPA is invalidated or otherwise ceases to be a valid safeguard, Kantar Media may, at its sole discretion, require Supplier to:

6.4.1 implement an alternative transfer mechanism; or

6.4.2 immediately cease the Restricted Transfer and not recommence it until such mechanism is in place.

6.5 Supplier represents and warrants that it has no reason to believe that the laws and practices applicable to it, including any requirements to disclose Personal Data to Public Authorities, prevent it from fulfilling its obligations under this DPA or the applicable Standard Contractual Clauses. In particular, Supplier shall immediately notify Kantar Media in accordance with clause 3.1.6 if:

6.5.1 Supplier receives a Public Authority request, becomes aware of any direct access by a Public Authority to Kantar Media Personal Data, or becomes aware of any circumstance that may affect Supplier’s ability to comply with the Standard Contractual Clauses; or

6.5.2 Supplier determines that it is unable to comply with the Standard Contractual Clauses or to provide an essentially equivalent level of protection for Kantar Media Personal Data subject to a Restricted Transfer. In such a case, Kantar Media may, at its sole discretion:

1. suspend the Restricted Transfer;
2. require Supplier to cease processing of Kantar Media Personal Data; and/or
3. terminate the Agreement or affected Services immediately without cost or liability.

6.6 The Parties shall cooperate promptly and in good faith to address new Data Protection Laws affecting Restricted Transfers that become effective during the term of the Agreement, including entering into additional agreements or formalities required by such laws.

7 Deletion

7.1 Upon expiry or termination of the Agreement or the Services (whichever is earlier), and in any event within 30 days thereafter, Supplier shall, at Kantar Media’s election, return and/or securely destroy all Kantar Media Data. Secure destruction shall include permanent deletion or, where permitted by applicable Data Protection Law, irreversible anonymisation. Supplier shall ensure that all copies, including from backups, are securely destroyed unless and solely to the extent retention is required by applicable law. In such a case, Supplier shall inform Kantar Media of the legal requirement in writing and the retain Kantar Media Data only for as long and to the extent that requirement applies.

7.2 Supplier shall promptly provide Kantar Media with written certification, signed by an officer or duly authorised representative of Supplier, confirming that all Kantar Media Data has been returned or permanently deleted from Supplier’s and any subprocessor’s possession and control.

8 Indemnification

8.1 Notwithstanding anything to the contrary in the Agreement, Supplier shall defend, indemnify, and hold harmless Kantar Media, its officers, directors, employees, and agents from any and all claims, complaints, regulatory actions, suits, causes of action, fines, penalties, losses, costs, and damages, including reasonable legal fees, arising out of or relating to:

8.1.1 any failure by Supplier, its employees, or subprocessors to comply with, or properly perform, any obligation under this DPA; and

8.1.2 any Security Incident to the extent caused by Supplier, its employees, or subprocessors,

except, in each case, to the extent directly and solely resulting from acts or omissions of Kantar Media.

8.2 Notwithstanding anything to the contrary in the Agreement, Supplier’s indemnification obligations under this clause 8 shall not be subject to any limitation or exclusion of liability.

9 Miscellaneous

9.1 Survival. Supplier’s obligations under this DPA shall survive expiry or termination of the Agreement and continue for so long as Supplier, or any of its subprocessors, processes, retains, or otherwise has access to Kantar Media Data.

9.2 Updates. Kantar Media may update this DPA from time to time, as reasonably necessary to reflect changes in Data Protection Laws, court orders, or guidance from supervisory authorities. Such updates will become effective 30 days after notice to Supplier, and Supplier agrees to be bound by the updated DPA once in effect.