General Data Protection Notice for Business Partners, Vendors and Service Providers of Smaato, Inc.

Effective Date: August 1, 2019

Introduction and Scope

This General Data Protection Notice (“Notice”) applies to the general processing of personal data by Smaato, Inc. (“Smaato”, “we”, “us”) and its EU-based establishments and Affiliates (collectively, the “Smaato Group”). For purposes of this Notice, “Affiliates” means any entity with respect to Smaato that, directly or indirectly, is controlled by, or is under common control with Smaato.

We hereby provide information on how we process the personal data of the contact persons of our business partners, vendors, suppliers, and service providers in their role as contact persons and representatives in the context of a business relationship (“you”) in accordance with the EU General Data Protection Regulation (the “GDPR”). Unless otherwise defined herein, terms and expressions used in this Notice shall have the meanings given to such terms and expressions in the GDPR.

Specific information on data protection applicable to our web-based offerings can be found at www.smaato.com/privacy.

Contact Details of the Data Controller:

Smaato, Inc.
Attn: Legal Department
240 Stockton St, 10th Floor
San Francisco, CA 94108

Contact Details of the Data Protection Officer:

For any comments or questions you may have regarding this Notice, please contact our Data Protection Officer (“DPO”):

Smaato, Inc.
Data Protection Officer
Barcastraße 5, 1st Floor
22087 Hamburg, Germany

You may also contact the DPO by email to privacy(at)smaato.com

Purposes of Data Processing and Legal Bases

Smaato will process your personal data in a lawful and transparent manner, in good faith, in accordance with applicable data protection laws, only to the extent and as long as:

• It is necessary for the performance of a contract with you or for the implementation of pre-contractual measures that are taken at your request (Art. 6 para. 1 lit. b) GDPR) (e.g., managing commercial relationships and strategies with current and potential customers as well as business partners such as vendors and suppliers); product support and maintenance, failure diagnostic and identification of fault patterns; managing Smaato’s external accounting, tax, and treasury systems; conducting complaint management;
• You have given appropriate consent to the processing (Art. 6 para. 1 lit. a) GDPR), e.g., for individualized tracking and advertising;
• The processing is necessary due to legitimate interests of us or third parties (Art. 6 para. 1 lit. f) GDPR) (e.g., detection and elimination of abuse, defense in litigation, assertion of claims, credit checks, prevention and investigation of criminal offenses, customer relationship management, quality assurance, complaints management, marketing and promotional activities), and only as long as Smaato’s legitimate interests are not overridden by your interests or fundamental rights and freedoms or if you have given your consent to do so;
• Legal requirements exist (Art. 6 para. 1 lit. c) GDPR) (e.g., for the storage of documents and files for commercial and tax purposes or prevention of money laundering).

If you do not provide Smaato with the necessary information, we may not be able to enter into a business relationship with you or complete your order. We may also no longer be able to fulfill an existing contract with you and we may have to terminate it.

We transmit your data (name, address, email address, company details and, where applicable, contract and claims data) in the event of a credit risk for the purpose of credit check and collection processing, as well as for checking the serviceability of the address indicated to

• Moreton Smith, Central Point, 45 Beech St, Barbican, London EC2Y 8AD (United Kingdom)
• Spector & Bennett, 50 California Street, 15th Floor, San Francisco, CA 94111 (United States of America)

and, if necessary, to other cooperating credit agencies. The legal basis for that transfer is Article 6 para. lit. b) and f) of the GDPR. Transfers for the exercise of Smaato’s legitimate interests may only take place to the extent necessary for Smaato and only as long as Smaato’s legitimate interests are not overridden by your interests arising out of your particular situation – the GDPR requires us to abide by such a general objection only if you give us reasons of overriding importance (e.g., a possible danger to life or health).

Unless otherwise stated in supplementary information on processing of your personal data, no automated decision making, including profiling, is carried out by Smaato.

Categories of Personal Data Processed

In general, we primarily collect data directly from you. However, in line with legal provisions, data may also be collected from third parties. In addition, we collect data from publicly accessible sources (e.g., commercial register, your websites, press articles, commercial internet databases like crunchbase.com, datafox.com, apptopia.com, etc.).

The Personal Data Processed Includes:

• Master data (e.g., names, addresses, and customer numbers);
• Contact details (e.g., email addresses and telephone numbers);
• Contract data (e.g., services used, order history, contract content, contractual communication, and names of contact persons); and
• Payment data (e.g., bank details, payment history, creditworthiness, and terms of payment and financing).

Recipients of Personal Data and International Data Transfer

Due to shared corporate IT systems within the Smaato Group and because of the international nature of our business, personal data collected and processed by Smaato can be shared with or accessed by legal entities that, directly or indirectly, control, are controlled by, or are under common control with Smaato (“Smaato Group Legal Entities”) for the purposes above. An overview of the Smaato Entities can be found at: www.smaato.com/company.

If a transfer of personal data to a third country outside the European Economic Area becomes necessary (e.g., to other Smaato Group Legal Entities or cooperation partners in third countries), Smaato will ensure that there is a legal basis for such transfer and appropriate safeguards were provided. These safeguards are usually:

• the existence of an adequacy decision of the European Commission (Art. 45 GDPR) (a published and constantly updated list of these countries can be found here);
• use of appropriate safeguards guarantees in the form of standard data protection clauses adopted by the European Commission (Art. 46 para. 2 lit. c) GDPR) (a published and constantly updated list of the clauses is available here);
• an approved certification mechanism (Art. 46 para. 2 lit. f) GDPR). As a business under the jurisdiction of the U.S. Federal Trade Commission, Smaato has certified with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from EU member countries and Switzerland. Smaato certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Privacy Shield, and to view the list of entities who have current certifications under the Privacy Shield, please visit this page.

Furthermore, Personal data will only be transferred to carefully selected data processors acting on Smaato’s instructions to comply with the applicable legal and contractual obligations.

In particular, our processors are not allowed to use the data commercially for their own purposes. Your data can be passed on to the following categories of recipients:

• Agencies and cooperation partners;
• Credit agencies and debt collection service providers (e.g., for credit checks, dunning procedures);
• Credit institutions and banks;
• External legal representatives, auditors, and corporate and tax consultants;
• Insurance providers, brokers, and carriers;
• Internal departments, including within other Smaato Group legal entities;
• IT service providers;
• Market and opinion research companies;
• Newsletter and mail service providers;
• Postal and logistics service providers;
• Printing service providers;
• Suppliers; and
• Telecommunication providers.

In addition, we may also be required to share your personal data with authorities or other competent bodies as a result of a legal obligation to which we are subject.

Retention of Personal Data

Personal data will only be used as long as it is necessary for the respective purpose, unless you have given Smaato your consent or Smaato has a legitimate interest in further processing.

In these cases, Smaato will process this data until your consent has been revoked or until you object to Smaato’s legitimate interests arising out of your particular situation – the GDPR requires us to abide by such a general objection only if you give us reasons of overriding importance (e.g., a possible danger to life or health). We will delete your personal data as soon as the purpose of the processing is fulfilled, or storage is otherwise no longer legally permissible. Due to the quantity of data, this check for deletion is carried out with regard to specific types of data or purposes of processing. However, it is possible that your personal data will be stored until legal claims against Smaato can no longer be asserted (legal limitation period between 3 and 30 years). In addition, we store your personal data as far as we are legally required to do so. Corresponding documentation and storage obligations are regulated in the respective applicable national laws (e.g., in the German Commercial Code HGB, the storage periods are up to 10 years).

Data Protection Rights

Subject to other legal requirements stipulated in the GDPR, you have the right to:

• Information about the personal data stored about you (data categories, processing purposes, if applicable recipients of the data, planned storage time) (Art. 15 GDPR);
• Correction or addition of incorrect or incomplete data (Art. 16 GDPR);
• Erasure of personal data (in certain cases) (Art. 17 GDPR);
• Restriction of processing (under certain conditions) (Art. 18 GDPR);
• Data portability (subject to certain conditions) (Art. 20 GDPR);
• Object to the processing of your personal data based on a balance of interest assessment (Art. 21 GDPR); and
• Withdraw your consent to the processing of your personal data with effect for the future, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7 para. 3 GDPR).

If you exercise your rights of erasure, object to the processing of your personal data, or withdraw your consent, we will no longer process your personal data unless we can prove compelling reasons for the processing which outweigh your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

In the case of a request for information or correction, which is not made in writing, we ask for your understanding that Smaato requires proof of your identity. This serves to protect your data from unauthorized access by third parties.

In order to exercise these rights, you can contact us at any time, e.g., via one of the contact channels indicated at the beginning of this Notice.

In addition, Art. 77 of the GDPR entitles you to lodge a complaint with the competent supervisory authority, which you can find in this list.