Exhibit 10.6
Execution Version
THIS DATA SHARING AGREEMENT is dated December 2, 2024 (this “Agreement”).
PARTIES
(1) | INFORMA PLC incorporated and registered in England and Wales with company number 8860726 whose registered office is at 0 Xxxxxx Xxxxx, Xxxxxx, XX0X 0XX; and |
(2) | TECHTARGET, INC., a Delaware corporation, headquartered at 000 Xxxxx Xxxxxx, Xxxxxx, XX 00000, |
each a “party” and together the “parties”.
RECITALS
(A) | As a result of an M&A transaction whereby part of Informa PLC (“Ivory”) was sold to a newly created company TechTarget, Inc. (“New Toro”) in which the Informa Group has a majority holding, the Informa Group and New Toro see opportunities for New Toro and Informa Group Companies to leverage their respective datasets relating to audiences for events and media and website interactions. |
(B) | The parties intend to leverage their respective datasets in compliance with the Data Protection Laws, supported by, and in accordance with, this Agreement, which sets out the agreed use cases (i.e. purposes) that may be made of data shared between the parties, as well as the restrictions and mitigations that must be applied in respect of such use. |
(C) | The parties also intend this Agreement to set out in a transparent manner their respective responsibilities for compliance when acting as Joint Controllers for the purposes of Article 26 of GDPR. |
AGREED TERMS
1. | DEFINITIONS AND INTERPRETATION |
The following definitions and rules of interpretation apply in this Agreement:
1.1 | Definitions: |
1.1.1 | Agreed Use Case(s): the uses of Shared Personal Data agreed by the parties as set out in Schedule 1 of this Agreement, which may be updated by the parties in writing (referencing this Agreement), for example, to add, remove or modify use cases, from time to time. |
1.1.2 | Commencement Date: the date specified at the top of this Agreement. |
1.1.3 | Confidential Information: means any non-public information that is designated as “confidential” by the disclosing party or that should reasonably be considered to be confidential under the circumstances surrounding disclosure. Confidential Information includes Shared Personal Data and the terms of this Agreement. Confidential Information does not include any information that: (a) was previously known to the receiving party; (b) is received from a third party without similar restriction; (c) is or becomes publicly available other than through breach of this Agreement or wrongful act of a third party; or (d) is independently developed by the receiving party without the use of the other party’s Confidential Information. |
1.1.4 | Consent Countries: the countries identified in Schedule 4 of this Agreement, which may be updated by the parties in writing referencing this Agreement, from time to time. |
1.1.5 | Customer: means any client or customer of either party that purchases products or services that may include the Shared Personal Data. |
1.1.6 | Data Protection Laws: all applicable data protection laws, including the California Consumer Protection Act, European Directive 2002/58/EC, GDPR, the UK Data Protection Act 2018, UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates them and all other applicable laws relating to the processing of personal data and privacy that may exist in any relevant jurisdiction where the parties do business. |
1.1.7 | Data Subject Request: a request made by a Data Subject to exercise any rights of Data Subjects under the Data Protection Laws. |
1.1.8 | GDPR: the General Data Protection Regulation ((EU) 2016/679). |
1.1.9 | Group: means, in relation to a company, that company, any subsidiary or holding company from time to time of that company and any subsidiary from time to time of a holding company of that company. |
1.1.10 | Informa Group Company: means any member of the Informa Group. |
1.1.11 | Material Breach: any material failure by a party to comply with any obligations set forth in this Agreement, which failure causes the other party to be in material violation of any law applicable to such other party’s use or provision of such Shared Personal Data. |
1.1.12 | Personal Data Breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Shared Personal Data. |
1.1.13 | Permitted Recipient: any third party Processor appointed by either party and required for the processing of the Shared Personal Data, or each of the parties’ professional advisers, or a relevant supervisory authority or other regulator, or any other third party as may be agreed by the parties in writing from time to time. |
1.1.14 | Privacy Assessment: an assessment of the data protection risks and applicable mitigations, carried out by the Data Protection Officer or Privacy team. |
1.1.15 | Restrictions and Mitigations: the restrictions on the use and processing of Shared Personal Data and the mitigations set out in Schedule 3 of this Agreement, which may be updated by the parties in writing referencing this Agreement (for example, to add or remove restrictions and/or mitigations), from time to time. |
1.1.16 | Shared Personal Data: the Personal Data shared by one party to the other (including in pseudonymous form) as described in Schedule 1 of this Agreement, which may be updated by the parties in writing referencing this Agreement (for example, to add or remove categories of personal data), from time to time. To be clear, Shared Personal Data does not include Personal Data used or otherwise processed by a party unless it was received from the other party pursuant to this Agreement, including any such Personal Data that were obtained by the party directly from the data subject or from a third party, and further including such Personal Data that is duplicative of Shared Personal Data received from the other party. |
1.1.17 | Transparency Requirements: the requirements to ensure that processing is fair and transparent, as set out in Schedule 2, which may be updated by the parties in writing referencing this Agreement (for example, to modify the manner in which notice is provided and/or any Data Subject consent (if any) obtained), from time to time. |
1.1.18 | UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018. |
1.2 | Controller, Processor, Data Subject, Personal Data, Joint Controllers, processing, special category data, supervisory authority and appropriate technical and organisational measures shall have the meanings given to them in the GDPR. |
2. | COMMENCEMENT AND DURATION |
2.1 | This Agreement shall commence on the Commencement Date and shall continue in effect until terminated in accordance with Section 14.1 (the “Term”). |
3. | PURPOSE; PROCESS |
3.1 | This Agreement sets out the framework for the sharing of Personal Data between the parties as Joint Controllers. |
3.2 | Within thirty (30) days following the Commencement Date, the parties shall agree on the process for sharing and identifying Shared Personal Data, as may be adjusted by the parties from time to time in accordance with applicable laws and each party shall comply with and share Shared Personal Data in accordance with the terms of such agreement. |
4. | GENERAL |
4.1 | Each party shall only use or otherwise process (whether directly or indirectly through a third party, including a Permitted Recipient acting as a Processor) Shared Personal Data for the Agreed Use Cases subject to, and in accordance with, the Restrictions and Mitigations. |
4.2 | Each party shall provide the other with contact details of at least one staff member as a point of contact and responsible manager (“Point of Contact for Data”) for all issues arising out of this Agreement and the Data Protection Laws, including the joint training of relevant staff, the procedures to be followed in the event of a Personal Data Breach, maintaining a point of contact for and handling any Data Subject Request, and the regular review of the parties’ compliance with the Data Protection Laws. |
4.3 | Each party shall comply with the Data Protection Laws as may be applicable to its processing of the Shared Personal Data, having regard to its role as a Joint Controller, including by publishing revised privacy notices to applicable data subjects relating to its role as a Joint Controller or as otherwise may be required in connection with the execution, delivery, and performance of this Agreement. |
4.4 | Each party shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of the Shared Personal Data and against accidental loss or destruction of, or damage to, the Shared Personal Data. |
5. | PERSONAL DATA BREACHES |
5.1 | Any party that discovers a Personal Data Breach shall inform the Point of Contact for Data at the other party as soon as possible and in any event within twenty-four (24) hours of discovery. |
5.2 | Where a Personal Data Breach occurs, the parties shall co-operate in addressing it in an appropriate and timely manner, including by deciding whether notification to the supervisory authority, and/or communication to data subjects are required under Articles 33 and 34 of GDPR. |
6. | FAIR AND LAWFUL PROCESSING |
6.1 | Each party shall ensure that it processes the Shared Personal Data fairly and lawfully and in accordance with Schedule 2 of this Agreement. |
6.2 | Each party shall ensure that it only processes Shared Personal Data on a lawful basis, which the parties anticipate for the Agreed Use Cases may include the following: |
6.2.1 | the processing is necessary for the legitimate interests of each party, where such interests are not overridden by the interests or fundamental rights and freedoms of the Data Subjects; |
6.2.2 | compliance with each party’s respective legal obligations; and, |
6.2.3 | with a Data Subject’s consent, particularly in respect of the Consent Countries. |
7. | PERMITTED RECIPIENTS |
7.1 | Each party agrees that the other may engage Permitted Recipients to assist in the performance of this contract, or engage Permitted Recipients for any other legitimate business purpose, except where such engagement may: |
7.1.1 | cause either party to breach applicable laws; or |
7.1.2 | materially disadvantage either party, |
provided that each Permitted Recipient is subject to written contractual or statutory obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement.
7.2 | Each party may only engage Permitted Recipients that are Processors: |
7.2.1 | where the Processor has provided sufficient guarantees to implement appropriate technical and organisational measures that applicable processing will meet the requirements of the Data Protection Laws; and, |
7.2.2 | subject to written agreements that comply with the Data Protection Laws, including, where applicable, the requirements set out in Article 28 of GDPR and UK GDPR. |
7.3 | Except as provided in this Agreement, including with respect to the Agreed Use Cases (but subject always to the Restrictions and Mitigations), or as required by applicable laws, neither party shall disclose Shared Personal Data to any third parties without the other party’s prior written consent. |
8. | DATA SUBJECTS’ RIGHTS AND NOTIFICATION TO SUPERVISORY AUTHORITIES |
8.1 | Any party that receives a Data Subject Request which relates directly or indirectly to the processing of Shared Personal Data shall contact the Point of Contact for Data at the other party as soon as possible, and in any event within five (5) business days of receipt of the request, providing a copy of the Data Subject Request and reasonable details of the circumstances giving rise to the request. |
8.2 | The parties agree to provide reasonable assistance as is necessary to each other to enable them to comply with Data Subject Requests and to respond to any other queries or complaints from Data Subjects. The Joint Controller that originally collected (or otherwise obtained) the Shared Personal Data that is the subject of the Data Subject Request shall have primary responsibility for handling that request. |
8.3 | Any party that receives correspondence from a supervisory authority or other data protection regulator which relates to the processing of Shared Personal Data shall contact the Point of Contact for Data as soon as possible and in any event within three (3) business days of receipt of the request. The parties agree to provide reasonable assistance as is necessary to each other to enable them to respond to and comply with the correspondence from the supervisory authority or other data protection regulator. |
9. | DATA RETENTION AND DELETION |
Each Joint Controller shall handle retention and deletion of Shared Personal Data in accordance with its own data retention policy (or any agreed joint data retention policy, if relevant), but in no event shall retain the data for longer than necessary for the Agreed Use Case(s).
10. | TRANSFERS |
Where a party transfers any Shared Personal Data outside a jurisdiction, including the United Kingdom and the European Economic Area, that imposes restrictions on transferring Personal Data outside of such a jurisdiction, it shall ensure that such transfer complies with the Data Protection Laws, including by implementing an approved data transfers mechanism such as approved data transfers agreements.
11. | CONFIDENTIALITY |
Each party will use the Confidential Information of the other party only to exercise its rights and perform its obligations under this Agreement. Neither party will disclose Confidential Information of the other party to any third party except to: Permitted Recipients that are subject to substantially similar confidentiality requirements; or, to the extent specifically required by public authorities, pursuant to applicable laws and regulations. The receiving party shall use commercially reasonable efforts to oppose such requests for disclosure where there are reasonable grounds for doing so, and to seek protection or continued confidential treatment of the information.
12. | LIABILITY |
12.1 | The parties agree that each party shall only be responsible for any fines, regulatory penalties, damages, costs, compensation claims and other liabilities to third parties to the extent that such liabilities result from that party’s breach of the Data Protection Laws or this Agreement. |
12.2 | To the fullest extent permitted by applicable laws, neither party will be liable to the other under or in connection with this Agreement, whether in contract, tort (including negligence), misrepresentation (whether tortious or statutory), breach of statutory duty or otherwise for any special, incidental, indirect or consequential damages or for loss of data, loss of profits, business interruption, or similar damages or loss, even if such party has been advised of the possibility of such damages. |
13. | GOVERNANCE |
13.1 | The parties will meet to review the effectiveness of this data sharing initiative every three (3) months (or such frequency as the parties may agree from time to time), having consideration to the aims and purposes set out in this Agreement. |
13.2 | The review of the effectiveness of this Agreement will involve: |
13.2.1 | assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in Schedule 1 of this Agreement; |
13.2.2 | if new or modified purposes for which the Shared Personal Data is being processed are necessary or desirable, assessing whether the risks to the goodwill and reputation of Ivory’s brands (and/or which New Toro would agree to for its own brands for such purposes) are greater than the risks associated with the purposes as set forth in Schedule 1 on the date of this Agreement and, if so, additional consideration shall be given to Ivory in assessing such new or modified purposes; |
13.2.3 | assessing whether the Shared Personal Data is still as listed in Schedule 1 of this Agreement; |
13.2.4 | assessing whether the Restrictions and Mitigations listed in Schedule 3 of this Agreement are being complied with and are fit for purpose (and amending them where they are found not to be fit for purpose); |
13.2.5 | assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and, |
13.2.6 | assessing whether any Personal Data Breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the Data Protection Laws. |
14. | TERMINATION |
14.1 | Either party may terminate this Agreement: |
14.1.1 | For its convenience upon six (6) months’ notice to the other party at any time following the date on which Ivory ceases to be the owner, directly or indirectly, of at least forty percent (40%) of the outstanding shares of New Toro; and |
14.1.2 | upon notice to the other party in the event of a Material Breach by the other party if such Material Breach is not remedied by the other party within sixty (60) days following such party’s receipt of notice of such Material Breach. |
14.2 | Ivory may terminate this Agreement upon notice to New Toro in the event that the Brand Licence Agreement between the parties expires or otherwise terminates in accordance with the provisions thereof. |
14.3 | Upon the effective date of termination of this Agreement for any reason, each party will immediately cease use of Shared Personal Data received from the other party and delete such data from its systems (including those of any Permitted Recipients); provided, for clarity, that the foregoing will not apply to any Personal Data that were obtained by the party directly from the data subject or from a third party, including such Personal Data that are duplicative of Shared Personal Data received from the other party. No further Personal Data will be shared by either party. |
14.4 | Termination or expiry of this Agreement (for whatever reason) shall not affect (i) the validity or enforceability of any of the terms and conditions of this Agreement intended to have continuing effect, or (ii) the accrued rights of the parties arising in any way out of this Agreement at the date of termination. |
15. | VARIATION |
No variation of this Agreement shall be effective unless it is in writing, referencing this Agreement, and signed by the parties (or their authorised representatives).
16. | CHANGES TO THE APPLICABLE LAW |
In case the Data Protection Laws and any ancillary laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that the parties will negotiate in good faith to review the Agreement in light of such changes.
17. | GOVERNING LAW |
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England and Wales.
18. | JURISDICTION |
Each party irrevocably agrees that the courts of England and Wales shall have non-exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims arising out of or in connection with this Agreement or its subject matter or formation).
This Agreement has been entered into on the date stated at the beginning of it.
Signed by: | Xxxxxx Xxxxxx |
/s/ Xxxxxx Xxxxxx |
Position: | Group Finance Director | Authorised Signatory |
for and on behalf of Informa PLC |
Signed by: | Xxxxxx X. Xxxxxx |
/s/ Xxxxxx X. Xxxxxx |
Position: | Chief Financial Officer and Treasurer | Authorised Signatory |
for and on behalf of TechTarget, Inc. |
Schedule 1
This Schedule 1 sets out the Agreed Use Cases for the Shared Personal Data, together with the categories of Personal Data comprising Shared Personal Data.
Agreed Use Case | Shared Personal Data | |
To attract and retain first party audiences for first party media content, via audience marketing campaigns or other similar methods. |
• Demographic data such as event/media registration data, including name, title, business contact details.
• Firmographic data, such as company, company size, market sector.
• Behavioural data, such as noted interests based on historical content consumption on media sites and/or at events.
No special category or sensitive data will be included. | |
To support the fulfilment of marketing programmes/ services in order to provide impressions, clicks or leads to clients/ customers. |
• Demographic data such as event/media registration data, including name, title, business contact details.
• Firmographic data, such as company, company size, market sector.
• Behavioural data, such as noted interests based on historical content consumption on media sites and/or at events.
No special category or sensitive data will be included. | |
To derive buyer level insights and intent for both internal use and for customers, including the evaluation of audiences according to their level of depth, recency and frequency of engagement, to help focus and target marketing and sales activities. |
• Demographic data such as event/media registration data, including name, title, business contact details.
• Firmographic data, such as company, company size, market sector.
• Behavioural data, such as noted interests based on historical content consumption, on media sites and/or at events.
No special category or sensitive data will be included. | |
Each party marketing its products and services (such as events, white papers, etc.) to its respective target market. |
• Demographic data such as event/media registration data, including name, title, business contact details. |
• Firmographic data, such as company, company size, market sector.
• Behavioural data, such as noted interests based on historical content consumption on media sites and/or at events.
No special category or sensitive data will be included. | ||
Enrichment of each party’s audience data and data subject permissions based on the above processing activities. |
• Demographic data such as event/media registration data, including name, title, business contact details.
• Firmographic data, such as company, company size, market sector.
• Behavioural data, such as noted interests based on historical content consumption on media sites and/or at events.
No special category or sensitive data will be included. |
Schedule 2
This Schedule 2 sets out each party’s obligations as they relate to transparency and consent, including by providing fair processing information (i.e. notice) to Data Subjects of the processing of the Shared Personal Data, the managing of obtaining consents and handling opt-out requests (and any revocations of consents), subject to Schedule 3.
1. | Obligations on the Party providing Shared Personal Data |
1.1. | Legacy Data. Each party shall only make Shared Personal Data available to the other party where: |
1.1.1 | the Data Subject was informed of the identity of the Controller collecting their Personal Data at the time of collection; |
1.1.2 | the Data Subject was informed that their Personal Data may be processed for purposes the same as, or substantially similar to, the Agreed Use Cases at the time of collection; |
1.1.3 | the Data Subject was informed that their Personal Data may be shared with other companies in the same group for such purposes at the time of collection; |
1.1.4 | the Data Subject has not indicated that they no longer wish their Personal Data to be used for purposes the same as, or substantially similar to, the Agreed Use Cases, whether by making a Data Subject Rights Request, revoking a consent previously provided or opting-out from such processing by any means; and, |
1.1.5 | In respect of the Consent Countries, it has obtained a positive indication of consent from the Data Subject that the processing of their Personal Data in-line with 1.1.1 to 1.1.3 above was acceptable and that the Data Subject has not withdrawn this indication as set out in 1.1.4 above. |
Each party shall take such diligence steps as are necessary to establish that 1.1.1 to 1.1.4 above are accurate, including by taking such steps and providing such evidence as the other party may reasonably request.
1.2. | New Data. From thirty (30) days after the date this Agreement is signed, each party shall only make Shared Personal Data available to the other party where the Data Subject was provided with the following information (which may have been provided through a combination of a privacy policy available at the point of collection and “just in time” notices posted at the point of data collection): |
1.2.1 | the identity and the contact details of the Controller collecting the Personal Data, which must also include the following statement at the point of data collection: “An Informa Company”. This shall be communicated alongside a description of the essence of the arrangements between the parties as Joint Controllers, which may be included in the parties’ respective privacy policies; |
1.2.2 | the contact details of the data protection officer for the party collecting the Personal Data; |
1.2.3 | the purposes for which the Personal Data will be processed and the legal basis for the processing, including a summary of any legitimate interests relied upon by the Controller, and, in particular, that the Personal Data may be processed for the Agreed Use Cases and that the Data Subject may opt-out of such use. In respect of Data Subjects in the Consent Countries, each party will obtain the Data Subject’s prior consent to such use (including by other Informa Group Companies) before including their Personal Data in the Shared Personal Data; |
1.2.4 | the possibility of the Data Subject’s Personal Data being shared with other Informa Group Companies, together with other potential recipients or categories of recipients, if any; |
1.2.5 | the fact that the Controller intends to transfer Personal Data to other countries around the world, including a description of any appropriate or suitable safeguards (e.g. EU Standard Contractual Clauses) and the means by which to obtain a copy of them; |
1.2.6 | the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; |
1.2.7 | the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability; |
1.2.8 | where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; |
1.2.9 | the right to lodge a complaint with a supervisory authority; and, |
1.2.10 | whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data. |
1.3. | Opt-outs and Revoked Consent |
Shared Personal Data shall not include any Personal Data in respect of which the Data Subject has opted-out (or revoked any previous consent) of processing for purposes the same as, or substantially similar to, the Agreed Use Cases.
2. | Obligations on a Party using Shared Personal Data |
2.1. | When processing Shared Personal Data, each party shall ensure that every communication sent to Data Subjects as a result of such processing: |
2.1.1 | identifies the sender and also includes in a reasonably prominent manner, the descriptor: “an Informa Company”; |
2.1.2 | includes a prominent link to a privacy policy that includes each of the items listed in 1.2.1 to 1.2.10 above; and |
2.1.3 | contains a clear and easy-to-use means by which the Data Subject may communicate a change in their preferences, such as by opting-out or revoking any previously given consent. Such means may include: (a) providing a prominent unsubscribe option in each electronic communication, and (b) including a prominent link to a preference centre that enables a Data Subject to make granular choices regarding the uses and sharing of their Personal Data. |
2.2. | Each party shall promptly record the means, date and time-stamp of any and all indications from Data Subjects, howsoever received, that they no longer wish the Controller to use and/or share their Personal Data for any particular purposes, including the Agreed Use Cases. Each party shall honour such requests in full except to the extent that it is not required to do so by the Data Protection Laws. |
Schedule 3
This Schedule 3 sets out the Restrictions and Mitigations that a party processing Shared Personal Data must apply to its processing and use of such data.
Agreed Use Case | Restrictions and Mitigations | |
To attract and retain first party audiences for first party media content, via audience marketing campaigns or other similar methods. | The requesting business should show business justification for targeting this audience (i.e. the request should be supported by evidence of profiles’ topic alignment).
High volume of data in EU (over 5,000) will require a Privacy Assessment before data is shared.
Activation via SMS or telephone will require a Privacy Assessment before data is shared.
Where a Privacy Assessment finds a sharing request is high risk despite the existing controls, such a request will require approval of the CEO of the sharing entity/division.
Data access via sharing will be “System to System” and manual downloads of audience records is prohibited.
Data sharing request will be use-case specific, data records obtained via sharing would be limited to the initial use case. Any subsequent use case would warrant a reassessment.
The preference centres, when available, will be the master data for all consent consideration. | |
To support the fulfilment of marketing programmes/ services in order to provide impressions, clicks or leads to clients/ customers. | Shared Personal Data must not include Personal Data relating to a Data Subject in the European Economic Area where its use may involve it being shared with a third party without the Data Subject having consented to such sharing.
The requesting business should show business justification for targeting this audience (i.e. the request should be supported by evidence of profiles’ topic alignment).
High volume of data in EU (over 5,000) will require a Privacy Assessment before data is shared.
Activation via SMS or telephone will require a Privacy Assessment before data is shared.
Where a Privacy Assessment finds a sharing request is high risk despite the existing controls, such a request will require approval of the CEO of the sharing entity/division. |
Data access via sharing will be “System to System” and manual downloads of audience records is prohibited.
Data sharing request will be use-case specific, data records obtained via sharing would be limited to the initial use case. Any subsequent use case would warrant a reassessment. | ||
To derive buyer level insights and intent for both internal use and for customers, including the evaluation of audiences according to their level of depth, recency and frequency of engagement, to help focus and target marketing and sales activities. | Shared Personal Data must not include Personal Data relating to a Data Subject in the European Economic Area where its use may involve it being shared with a third party without the Data Subject having consented to such sharing.
Data access via sharing will be “System to System” and manual downloads of audience records is prohibited.
Data sharing request will be use-case specific, data records obtained via sharing would be limited to the initial use case. Any subsequent use case would warrant a reassessment.
The parties will apply technical and organisational controls to prevent activation. | |
Each party marketing its products and services (such as events, white papers, etc.) to its respective target market. | The requesting business should show business justification for targeting this audience (i.e. the request should be supported by evidence of profiles’ topic alignment).
High volume of data in EU (over 5,000) will require a Privacy Assessment before data is shared.
Activation via SMS or telephone will require a Privacy Assessment before data is shared.
Where a Privacy Assessment finds a sharing request is high risk despite the existing controls, such a request will require approval of the CEO of the sharing entity/division.
Data access via sharing will be “System to System” and manual downloads of audience records is prohibited.
Data sharing request will be use-case specific, data records obtained via sharing would be limited to the initial use case. Any subsequent use case would warrant a reassessment.
The preference centres, when available, will be the master data for all consent consideration. |
Enrichment of each party’s audience data and data subject permissions based on the above processing activities. | The parties will apply technical and organisational controls to prevent activation.
Data access via sharing will be “System to System” and manual downloads of audience records is prohibited.
Data sharing request will be use-case specific, data records obtained via sharing would be limited to the initial use case. Any subsequent use case would warrant a reassessment. |
Schedule 4
This Schedule 4 sets out the Consent Countries in which each party must obtain consent before sharing Personal Data with the other party.
Region | Countries | |
Americas | Brazil, Canada, Mexico | |
Europe | Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Switzerland, Spain, Sweden, Ukraine | |
Middle East and Africa | Israel, South Africa | |
APAC | China, India, Japan, South Korea |