Data Sharing Agreement

Controller – Controller


This Data Sharing Agreement (“DSA”) forms part of an agreement (or applicable statement of work subject to such agreement) between Kantar Media (being the contracting entity identified in the agreement or applicable statement of work, and, where applicable, its Affiliates) (“Kantar Media”) and the counterparty identified in the agreement (“Partner”), which incorporates this DSA by reference or refers to the URL at which this DSA is located (the “Agreement”). This DSA does not limit any other obligations of each Party, including those under the Agreement or applicable law. In the event of a conflict between this DSA and the Agreement, the terms of this DSA shall prevail with respect to the processing of Personal Data.

1 Definitions and Interpretation

1.1 In this DSA, the terms in initial-capitalised form shall have the meaning set out in this clause 1.1, whether or not such terms are otherwise defined in the Agreement. Capitalised terms used but not otherwise defined in this DSA shall have the meanings assigned to such terms in the Agreement. Any terms used in the DSA and which are not defined in the DSA or the Agreement shall have the meaning given in Data Protection Law. Where a term is defined both in this DSA and Data Protection Law, the definition required to comply with Data Protection Law shall prevail.

Data Protection Law means, as applicable to the processing of Personal Data, any national, federal, EU, state, provincial or other privacy, data security or data protection law or regulation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the UK General Data Protection Regulation, as defined in section 3(10) of the Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“FADP”) and Brazilian Law No. 13.709 of 14 August 2018 (“LGPD”), the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., as amended (“CCPA”), and other applicable state and federal United States’ privacy laws (together, with the CCPA, the “US Privacy Laws”) as well as any implementing legislation, regulations, guidance, or codes of practice issued by supervisory authorities, as amended, re-enacted, or replaced from time to time.

Data means any information, in any form, format, or medium, provided or made available to a Party in connection with the Agreement, together with all derivatives, models, analyses, adaptations, and aggregations created from or based on such information.

Data Subject Request means a request made by a data subject or consumer to exercise rights under applicable Data Protection Law including rights of access, rectification, restriction of processing, erasure, portability, and objection to processing.

Permitted Purposes means processing of Personal Data for the purposes expressly set out in the Agreement, including: (i) the provision and receipt of the Services; and (ii) any data use rights expressly set out in the Agreement. For the purposes of US Privacy Laws, the Permitted Purpose constitutes the limited and specific purpose for which the Personal Data is disclosed.

Personal Data has the meaning given in Data Protection Law, and includes information relating to an identified or identifiable natural person, or, under US Privacy Laws, information relating to a consumer, household, or device.

Public Authority means any national, supranational, federal, state, provincial, local, or foreign government, or any political subdivision thereof, and any agency, authority, instrumentality, regulatory or supervisory authority, law enforcement agency, court, or tribunal.

Restricted Transfer means a transfer of Personal Data by a Party acting as exporter to an importer in a jurisdiction that has not been recognised under applicable Data Protection Law as providing an adequate level of protection.

Security Incident means any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data processed by a Party in connection with the Agreement.

Security Measures means the Kantar Media security requirements as detailed and available at http://www.kantarmedia.com/data-protection/kantar-media-security-measures.

Standard Contractual Clauses means, as appropriate:

  1. in respect of personal data to which the Argentinian Data Protection Act applies, the model contract titled Contrato modelo de transferencia internacional de datos personales con motivo de cesión de datos personales as adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 – E/2016, incorporated into this DSA by reference (“Argentinian Standard Contractual Clauses”);
  2. in respect of personal data to which the LGPD applies, the standard contractual clauses set out in Annex II of Resolution CD/ANPD No.19 of 23 August 2024, incorporated into this DSA by reference (“Brazilian Standard Contractual Clauses”);
  3. in respect of personal data to which the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914, including all modules, incorporated into this DSA by reference (“EU Standard Contractual Clauses”);
  4. in respect of personal data to which the FADP applies, the EU Standard Contractual Clauses as applicable in Switzerland, including all modules, incorporated into this DSA by reference (“Swiss Standard Contractual Clauses”);
  5. in respect of personal data to which the Turkish Personal Data Protection Law No. 6698 dated 24 March 2016 applies, the standard contracts adopted under the By-Law on Procedures and Principles for the Transfer of Personal Data Abroad, published in the Official Gazette on 10 July 2024 and numbered 32598, including all standard contracts, incorporated into this DSA by reference (“Turkish Standard Contractual Clauses”);
  6. in respect of personal data to which the UK GDPR applies, the EU Standard Contractual Clauses, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018, including all modules, incorporated into this DSA by reference (“UK Standard Contractual Clauses”); and
  7. in respect of personal data to which Law No. 18.331 on the Protection of Personal Data and the Habeas Data Act 2008 applies, the Model Agreement for the International Transfer of Personal Data from Controllers to Controllers adopted by Resolution No. 41/021, incorporated into this DSA by reference (“Uruguayan Standard Contractual Clauses”);

and where required by applicable law, the Parties shall execute the Standard Contractual Clauses in full rather than incorporate them by reference.

1.2 The terms “appropriate technical and organisational measures”, “controller”, “data subject”, “operator”, “processing”, “processor”, “subprocessor”, and “supervisory authority” shall be interpreted in accordance with Data Protection Law, and the terms “business”, “consumer”, “sale”, “sell”, “service provider”, and “share” shall be interpreted in accordance with US Privacy Laws.

1.3 In this DSA, a reference to the singular includes the plural and vice versa. The words “include” and “including” mean “included without limitation”. Any examples are illustrative only.

1.4 Except where the context requires otherwise, a reference in this DSA to a clause, schedule, or annex is to a clause of, or schedule or annex to, this DSA.

1.5 Headings are for convenience only and shall not affect the meaning or interpretation of this DSA or its schedules and annexes.

1.6 In the event of a conflict between this DSA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent required to comply with Data Protection Laws.

1.7 To the extent any translated version of this DSA is inconsistent with the English language version, the English language version shall prevail.

2 Data Protection Obligations

2.1 Each Party represents and warrants that it shall at all times comply with its obligations under applicable Data Protection Law.

2.2 The Parties acknowledge and agree that, as between them, each is an independent controller or business (as applicable under Data Protection Law). Nothing in the Agreement or this DSA creates joint controllership between the Parties, and neither Party instructs the other as a processor, service provider, or operator.

2.3 A Party (the “Data Provider”) may, from time to time and at its own discretion, share with the other Party (the “Data Recipient”) Personal Data for the Permitted Purposes.

2.4 The Data Provider shall:

2.4.1 provide to data subjects to whom the Personal Data relate appropriate information as to how the Data Provider will process the Personal Data as required by Data Protection Law, including the fact that the Personal Data may be shared with the Data Recipient for the Permitted Purposes;

2.4.2 ensure that, if it shares Personal Data with the Data Recipient:

  1. there is an appropriate lawful basis under Data Protection Law that applies to such sharing;
  2. the Data Provider adopts appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing to ensure a level of security appropriate to the risk; and
  3. such sharing meets all other requirements under Data Protection Law applicable to the Data Provider.

2.5 The Data Recipient shall:

2.5.1 provide to data subjects to whom the Personal Data relates appropriate information as to how the Data Recipient will process the Personal Data if and as required by Data Protection Law;

2.5.2 subject to clause 2.5.3, process the Personal Data solely for the Permitted Purposes and retain the Personal Data only for such period as is necessary to achieve such purposes;

2.5.3 ensure that any processing of Personal Data for any purpose or duration beyond the Permitted Purposes (“Additional Purposes”) complies with applicable Data Protection Law. For any such Additional Purposes, the Data Recipient shall:

  1. obtain the Data Provider’s prior written consent for the Additional Purposes, except where otherwise required by applicable law;
  2. ensure that it has an appropriate lawful basis for any Additional Purposes; and
  3. provide to data subjects to whom the Personal Data relates appropriate information about the Additional Purposes;

2.5.4 ensure that Data Recipient’s personnel with access to the Personal Data:

  1. are duly authorised to process the Personal Data only as permitted by this DSA and the Agreement;
  2. are subject to a binding duty of confidentiality or an appropriate legal obligation of confidentiality;
  3. have undergone adequate training in the care, protection, and handling of Personal Data; and
  4. are reliable and competent to perform their duties;

2.5.5 subject to clause 2.5.6, ensure that any third party to whom the Data Recipient makes available any Personal Data, including any processor or controller:

  1. complies with applicable Data Protection Law, including by providing the same level of protection to Personal Data as controllers or businesses are required to provide under applicable Data Protection Law; and
  2. is bound by a written agreement that complies with applicable Data Protection Law and imposes confidentiality, security, and data protection obligations no less protective than those set out in this DSA.

The Data Recipient acknowledges that the Data Provider does not act as controller for any onward disclosure of Personal Data and that any processor engaged by Data Recipient does not act as a processor of the Data Provider;

2.5.6 not disclose or give access to any Data Provider Data to any Public Authority without the Data Provider’s prior written authorisation, unless such disclosure is required by applicable law, including a legally binding request from a Public Authority. In the case of a legally binding request, Data Recipient shall:

  1. immediately notify Data Provider upon receipt and before disclosure, unless prohibited by law, and provide all information reasonably necessary to assess the request;
  2. limit the disclosure to the minimum Data Provider Data required by law; and
  3. use best efforts to challenge, resist, or narrow the scope of such disclosure to the fullest extent permitted by law; and

2.5.7 not sell or share Personal Data received from the Data Provider, or use it for cross-context behavioural advertising, except as expressly permitted in the Agreement and in compliance with applicable law.

2.6 If a Party becomes aware of any inaccuracy in the Personal Data it processes, it shall as soon as reasonably possible correct such inaccuracy and inform the other Party accordingly.

2.7 Except as expressly provided in the Agreement or otherwise required by applicable Data Protection Law, neither Party shall:

2.7.1 attempt to re-identify any anonymised, pseudonymised, or de-identified Data of the other Party disclosed or made available to it in connection with the Agreement;

2.7.2 aggregate, pseudonymise, anonymise, or de-identify the other Party’s Data; or

2.7.3 process the other Party’s Data, including anonymised or pseudonymised Personal Data, in connection with, or for the purposes of developing, training, testing, improving, supporting, or otherwise using any large language model, machine learning model, foundation model, generative artificial intelligence system, or any other artificial intelligence or automated decision-making system, or similar technology. This prohibition includes the synthesis of synthetic data, the combination with any other data or content, and the generation of outputs or models based on such data.

2.8 Except as expressly provided in the Agreement, each Party acknowledges that, as between them, Kantar Media owns all rights, title, and interest in Kantar Media Data and Partner owns all rights, title, and interest in Partner Data. Nothing in this clause shall affect either Party’s rights in any pre-existing intellectual property, tools, models, or methodologies, provided that such rights do not include the other Party’s data or Personal Data.

3 Security

3.1 Each Party shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to protect the confidentiality, integrity, availability, and resilience of Personal Data against a Security Incident. Each Party shall review and update such measures regularly, and in any event as necessary to maintain an appropriate level of security, taking into account the risks presented by the processing.

3.2 Security Incidents

3.2.1 Each Party shall maintain appropriate technical and organisational measures designed to detect, respond to, and otherwise address Security Incidents, including procedures to:

  1. identify and respond immediately to reasonably suspected or known Security Incidents, including by mitigating any harmful effects;
  2. document Security Incidents and their outcomes; and
  3. restore the availability of, and access to, Personal Data in a timely manner.

3.2.2 If a Party suffers a Security Incident, it shall:

  1. make all notifications to the competent supervisory authority(ies) and to any affected data subject(s) as required by applicable Data Protection Law;
  2. inform the other Party accordingly, without undue delay, providing reasonable details of the Security Incident;
  3. not release or publish any filings, notices, press releases, reports, or other public statements that identify the other Party in connection with the Security Incident without the other Party’s prior written authorisation, unless required by applicable law.

4 Restricted Transfers

4.1 Where the transfer of Personal Data between the Parties constitutes a Restricted Transfer, the Parties shall ensure that such transfer is carried out subject to appropriate safeguards in compliance with applicable Data Protection Law. Such safeguards shall include, where applicable, the execution of Standard Contractual Clauses or the implementation of an alternative transfer mechanism recognised under Data Protection Law.

4.2 Where the Parties rely on the Standard Contractual Clauses as the transfer mechanism:

4.2.1 For the purposes of each of the Argentinian Standard Contractual Clauses: the details of the processing of Personal Data for Annex A are as set out in the Agreement, and the Data Recipient agrees that its obligations under the Argentinian Standard Contractual Clauses shall be governed by the laws of Argentina.

4.2.2 For the purposes of the Brazilian Standard Contractual Clauses:

  1. each Party is a controller;
  2. for clause 2 (Object), the purpose of the transfer, the categories of Personal Data, the retention period, and other information is as set out in the Agreement;
  3. for clause 3 (Onward Transfers), Option A applies;
  4. for clause 4 (Responsibilities of the Parties), Option A applies and the Data Provider shall be responsible for providing a privacy notice to data subjects, responding to Data Subject Requests, and notifying Security Incidents;
  5. for section III, the Security Measures apply;

4.2.3 For the purposes of the EU Standard Contractual Clauses:

  1. module 1 applies;
  2. the Data Provider is the Data Exporter and the Data Recipient is the Data Importer;
  3. clause 7 (Docking) is incorporated;
  4. the optional provision in clause 11 (Redress) is not incorporated and shall not apply;
  5. for clause 13 (Supervision) and Annex I.C (Competent supervisory authority), the supervisory authority will be the supervisory authority competent under the GDPR for the Data Provider;
  6. for clause 17 (Governing law), the governing law is the law of the Agreement or, if that is not the laws of an EU member state which respects third-party beneficiary rights, the law of the Netherlands;
  7. for clause 18 (Choice of forum and jurisdiction), the courts of the Netherlands shall have jurisdiction;
  8. the content of Annex I.B (Description of transfer) is as set out in the Agreement;
  9. the content of Annex II (Technical and organisational measures) is set out in the Security Measures;

4.2.4 For the purposes of the Swiss Standard Contractual Clauses: the EU Standard Contractual Clauses apply as set out in clause 4.2.3 of this DSA, save that:

  1. references in the EU Standard Contractual Clauses to the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” shall be interpreted to include the FADP;
  2. references in the EU Standard Contractual Clauses to Regulation (EU) 2018/1725 shall be removed;
  3. references in the EU Standard Contractual Clauses to “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses;
  4. Clause 13(a) and Annex I.C are not used and the “competent supervisory authority” shall be the Swiss Federal Data Protection Commissioner (“FDPIC”) and nothing about the Parties’ designation of the competent supervisory authority shall be interpreted to preclude data subjects in Switzerland from applying to the FDPIC for relief;
  5. the clauses shall be governed by the laws of Switzerland;
  6. the Parties agree that any dispute arising from the Swiss Standard Contractual Clauses shall be resolved by the courts of Switzerland, and the Parties’ selection of forum in the Agreement may not be construed as forbidding data subjects habitually resident in Switzerland from suing for their rights in Switzerland;

4.2.5 For the purposes of the Turkish Standard Contractual Clauses:

  1. standard contract 1 applies;
  2. for clause 9 (Redress), the optional provision does not apply;
  3. for clause 15 (Notification), the Data Provider shall notify the supervisory authority;
  4. the information required by Annex I (Description of Transfers) is as set out in the Agreement, save that
    1. the legal basis for the transfer is the legitimate interest of the Data Provider, and
    2. the VERBİS registration information of the Data Provider is as set out in the VERBİS entry for the Data Provider or Data Provider’s Turkish Affiliate (as applicable);
  5. the information required by Annex II (Technical and organisational measures) is set out in the Security Measures;

4.2.6 For the purposes of the UK Standard Contractual Clauses:

  1. the information required by Table 1 shall be as set out in the Agreement;
  2. the information required by Table 2 is as set out in clause 4.2.3 of this DSA, save that
    1. the UK Standard Contractual Clauses shall be governed by the laws of England and Wales,
    2. the Parties agree that any dispute arising from the UK Standard Contractual Clauses shall be resolved by the courts of England and Wales,
    3. the UK GDPR applies to the Data Recipient’s processing of Personal Data as Data Importer, and
    4. the Parties shall review this DSA at regular intervals to ensure that it remains accurate and up to date, and continues to provide appropriate safeguards to the Personal Data;
  3. the information required by Table 3 shall be as set out in the Agreement;
  4. for Table 4, the Parties may end the UK Standard Contractual Clauses in line with the provisions of the Agreement and clause 6.1 of this DSA;

4.2.7 For the purposes of the Uruguayan Standard Contractual Clauses:

  1. for clause 8 (Redress), the optional provision does not apply;
  2. the information required by Annex B is as set out in the Agreement;
  3. the information required in Annex C is the Security Measures.

4.3 If any transfer mechanism relied upon under this DSA is invalidated or otherwise ceases to be a valid safeguard, the Parties shall promptly discuss in good faith and cooperate to implement an alternative transfer mechanism to ensure continued compliance with Data Protection Law.

4.4 The Data Recipient represents and warrants that it has no reason to believe that the laws and practices applicable to it, including any requirements to disclose Personal Data to Public Authorities, prevent it from fulfilling its obligations under this DSA or the applicable Standard Contractual Clauses. In particular, the Data Recipient shall immediately notify the Data Provider in accordance with clause 2.5.6 if:

4.4.1 Data Recipient receives a Public Authority request, becomes aware of any direct access by a Public Authority to Personal Data, or becomes aware of any circumstance that may affect Data Recipient’s ability to comply with the Standard Contractual Clauses; or

4.4.2 Data Recipient determines that it is unable to comply with the Standard Contractual Clauses or to provide an essentially equivalent level of protection for Personal Data subject to a Restricted Transfer. In such case, the Data Provider may, at its sole discretion:

  1. suspend the Restricted Transfer;
  2. require Data Recipient to cease processing of Personal Data; and/or
  3. terminate the Agreement or affected processing without cost or liability.

4.5 The Parties shall cooperate promptly and in good faith to address new Data Protection Laws affecting Restricted Transfers that become effective during the term of the Agreement, including entering into additional agreements or formalities required by such laws.

5 Deletion

5.1 The Data Recipient shall retain Personal Data received from the Data Provider only for as long as necessary (i) for the Permitted Purposes, (ii) as required by applicable law, or (iii) for the establishment, exercise, or defence of legal claims (“Retention Period”).

At the end of the Retention Period, the Data Recipient shall ensure the secure destruction of the Personal Data, excluding any automatically generated archival copies, such as those created by routine backup or disaster recovery systems, provided that such copies are maintained in accordance with the confidentiality obligations of this Agreement, are not accessed or used for any purpose other than backup or recovery, and are deleted in accordance with the Data Recipient’s standard data retention policies or upon the next scheduled purge of such archival systems, whichever occurs first. Secure destruction shall include permanent deletion or irreversible anonymisation of the Personal Data.

6 Miscellaneous

6.1 Survival. Each Party’s obligations under this DSA shall survive expiry or termination of the Agreement and continue for so long as it processes, retains, or otherwise has access to the other Party’s Personal Data.

6.2 Updates. Kantar Media may update this DSA from time to time, as reasonably necessary to reflect changes in Data Protection Laws, court orders, or guidance from supervisory authorities. Such updates will become effective 30 days after notice to Partner, and Partner agrees to be bound by the updated DSA once in effect.