of Personal Data, categories of Data Subjects and duration of Processing are set out in Appendix 1 “Controller-to-Processor
Services - Details of Processing of Personal Data”.
11 Obligations of Partner
11.1 The Partner shall not provide Personal Data to Criteo except as is necessary for performance of the Criteo Services and
unless Partner shall have given the necessary notices and obtained the necessary consents, in each case, from the
applicable Data Subjects whose Personal Data is Processed by Criteo pursuant to the Agreement. Partner shall, in its
use of the Criteo Services, Process Personal Data in accordance with the requirements of Data Protection Law and shall
immediately notify Criteo if Partner is in violation of any Data Protection Law. The Partner’s instructions to Criteo
related to the Processing of Personal Data shall comply with Data Protection Law. The Partner shall be solely responsible
to ensure the accuracy, lawfulness and quality of the Personal Data and to ensure that the Processing entrusted to
Criteo has an adequate legal basis pursuant to Data Protection Law.
12 Obligations of Criteo
12.1 Partner Instructions. Criteo shall process Personal Data for the relevant Controller-to-Processor Services only on the
documented instructions from Partner. Partner may not instruct Criteo to process Personal Data in a manner not
compatible with the Agreement and more particularly this DPA. Criteo shall immediately inform Partner if Criteo
reasonably believes it is unable to follow Partner’s instructions, or if such instructions are not compatible with the STS
or more generally with the Agreement.
12.2 Inaccurate or Outdated Data. Criteo shall inform Partner if Criteo becomes aware that the Personal Data is inaccurate
or has become outdated, and Criteo shall cooperate on request with Partner to erase or rectify such data.
12.3 Personal Data Processing. To the extent required by applicable Data Protection Law, Partner shall only instruct Criteo
to Process Personal Data for those Business Purposes permitted under applicable Data Protection Law and shall disclose
Personal Data to Criteo only for the limited and specified purposes specified in the Agreement. Partner reserves the
right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Criteo uses Personal Data
transferred in a manner consistent with Partner’s obligations under applicable Data Protection Law, including
reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
Criteo shall not: (a) Sell or Share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for
the Business Purposes specified in the Agreement; (c) retain, use, or disclose Personal Data outside of the direct
business relationship between Partner and Criteo; or (d) combine Personal Data it receives from Partner with Personal
Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with data
subjects, provided that Criteo may combine Personal Data to perform a Business Purpose (with the exception of
“advertising and marketing services,” as defined under applicable Data Protection Law). Criteo shall comply with
applicable obligations and provide the same level of privacy protection as required by the applicable Data Protection
Law, and shall assist Partner through appropriate technical and organizational measures to comply with Data Protection
Law requirements, taking into account the nature of the processing. Criteo shall notify Partner if it makes a
determination that it can no longer meet its obligations under the applicable Data Protection Law.
12.4 Technical and Organizational Measures. Criteo shall implement appropriate technical and organizational measures to
ensure the security of the Personal Data, including protection against a Personal Data Breach. In complying with its
obligations under this paragraph, Criteo shall at least implement the technical and organizational measures specified
in Appendix 2 “Security Schedule”. Partner hereby confirms to Criteo that it considers that Criteo’s technical and
organizational measures as specified in Appendix 2 “Security Schedule” provide an appropriate level of security. Criteo
shall also assist Partner in complying with its obligations in relation to the security of Processing Personal Data, including
under article 32 of the GDPR.
12.5 Personal Data Breaches. In the event of a Personal Data Breach relating to Personal Data processed by Criteo, Criteo
shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. Criteo shall
also notify Partner without undue delay after having become aware of the breach and providing for the time necessary
to provide relevant information, including e.g. a description of the nature of the breach (including, where possible,
categories and approximate number of Data Subjects and Personal Data records concerned), its likely consequences
and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its
possible adverse effects. In the event of a Personal Data Breach relating to Personal Data processed by Criteo, Partner