icn_HexagonData

Data Processing Addendum

Content

The Data Processing Addendum applies to the Customer Data processed by Hexagon Data on behalf of the Customer pursuant to their contractual relationship, for the purpose of providing and enhancing Hexagon Data’s services and as set forth in this Agreement, if and to the extent that (i) the Federal Law on the Protection of Personal Data in the Possession of Individuals and its Regulation (“LFPDPPP”) applies or (ii) any other data protection law identified herein.

Hexagon Data is a mexican company with activities in Mexico. It is incorporated under the laws of Mexico and is called Hexagon Data S.A.P.I. de C.V. We have a legitimate interest in protecting the information that our Customers share with us. 

The Customer accepts on its own behalf what has been agreed in this document. This Agreement applies to the processing of data that Hexagon Data does on behalf of the Customer related to the provision of our Services. 

Our services consist of analyzing the Client’s databases to optimize the KPI’s indicated by the Customer. Hexagon Data usually processes anonymized data where it is not possible to identify specific persons, i.e. not considered personal data according to the Law. However, in the commercial relationship, the Customer may exceptionally transfer Personal Data of its users and/or consumers. 

This Addendum on Data Processing (the “Agreement” and/or “DPA”) is part of the Service Agreement between Hexagon Data and the Customer. It conveys the agreement between the parties regarding the processing of the Customer Data. The Parties agree to comply with the following provisions and aim to act reasonably and in good faith during the validity of this Agreement. 

Definitions

  • Affiliate: refers to any entity that directly or indirectly controls, is controlled by, or is in joint control with the Customer. “Control” means direct or indirect ownership or control of 50% of the stock votes of the entity.
  • Anonymization: for purposes of this Agreement it refers to dissociation, according to the LFPDPPP, understood as the procedure by which personal data cannot be associated with the data subject or allow, due to its structure, content or degree of disaggregation, the identification of the data subject. 
  • CCPA: means the California Consumer Privacy Act which regulates the data of the residents of the State of California in the United States of America.
  • Contract: Hexagon Data establishes its business relationship with its Customers through contracts, service orders, and/or commercial agreements where the bilateral agreements between the parties are established (the “Contract”). We subscribe exclusive contracts with each Customer to address specific needs, specifying the type of data to be collected, the duration and the purpose. This Agreement is part of the Contract. 
  • Controller: means the natural or legal person, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Customer: for purposes of this Agreement, the term “Customer” means the legal entity, including its affiliates, who hires Hexagon Data’s Services. 
  • Customer Data: for purposes of this Agreement, means any data and/or information that the Customer shares with Hexagon Data. The Customer Database is included and, in the unlikely event and explicitly indicated by the Customer, their users and/or consumers Personal Data. 
  • Customer Database: refers to databases that contain general information on the behavior of their users and may include anonymized data on the users and/or consumers of the Customer.
  • Data Protection Laws and Regulations: means all laws and regulations applicable to the protection of personal data. In Mexican territory, particularly the Federal Law of Protection of Personal Data in Possession of Individuals and its Regulations (“LFPDPPP”). At the international level, the leading instruments are the GDPR of the European Union, and the CCPA of the State of California, United States of America. 
  • Data Protection Officer: The GDPR requires companies to appoint a person responsible for supervising how personal data is handled and for informing and advising employees who handle data about their obligations. Hexagon Data has appointed a Data Protection Officer. The designated person can be contacted at [email protected].  
  • Data Subject: means the identified or identifiable natural person to whom the personal data corresponds.
  • First Party Data: the type of data depends on the means by which it is acquired. First Party Data is data that is acquired “first hand” from the Customer. In other words is information that the Customer collects from its own sources, such as its website, APIs, apps, newsletters and/or through direct interaction with its users and/or consumers. It is information from users who have interacted with the Customer, have been interested in the product or service, and have given their data and may already be customers. 
  • GDPR: refers to Regulation (EU) 206/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
  • Personal Data: any information concerning an identified or identifiable natural person. 
  • Processing, or “treatment” in terms of Mexican law, refers to the collection, use, disclosure or storage of personal data, by any means. Use includes any action to access, handle, exploit, transfer or dispose of personal data.
  • Processor: means a natural or legal person which processes personal data on behalf of the controller. 
  • Pseudonymisation, also known as reversible dissociation. It means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Sensitive Personal Data: any personal data that affects the most intimate sphere of the data subject or whose improper use may give rise to discrimination against or entail a serious risk for the data subject. Sensitive data is considered one that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, trade union membership, political opinions or sexual preference.
  • Services: Hexagon Data provides services customized to the Customer needs. Our general services consist of being the administrator of the Customer’s account in DMP platforms. Additionally we make analyses, create audiences, reports and generate connections between different databases. The service requirements are indicated by the Client and are included in the Contract. 
  • Sub-Processor: is the person to whom Hexagon Data entrusts the processing of the Customer Data and/or the person who provides a service to Hexagon Data that is required for the performance of the Services for the Customer.
  • Transfer: means any communication of data made to a person other than the Controller or Processor.  

All capitalized terms not defined herein shall have the meaning set forth in this Agreement. 

Clauses

1 Personal Data Processing

1.1 Relationship between the Parties. The Parties agree that in relation to the processing of the Customer Data, the Customer is the Controller and Hexagon Data is the Processor; who may assign sub-processors on the terms described herein.

1.2 Processing Details. Annex A sets out the object, nature and purpose of the processing by Hexagon Data, the duration, the types of data and categories of Data Subjects. Each party shall comply with the obligations under the data protection laws and regulations and this DPA. 

1.3 Processing of personal data by the Customer. The Customer is responsible for obtaining the consent of the Data Subjects and informing them of the processing of the data; as well as, when possible, submit the data to anonymization or pseudonymization, by himself or by means of a third party, before instructing us their processing. The Customer is responsible for the accuracy, quality and legality of the data and the means by which the Customer acquired these data. 

In case the Customer instructs us with the processing of Personal Data, he commits to only share and/or give access to data collected by himself, or under request to his suppliers or authorized third parties, but that at all times is First Party Data. The Customer is the only responsible for these data. Hexagon Data disclaims any liability and/or claims that its suppliers or authorized third parties may make against the Customer, since all actions taken by Hexagon Data are at the Customer’s request and instructions. 

1.4 Processing of Customer Data. In order to provide our Services, Hexagon Data does not analyze Personal Data (in the sense established by the Law), instead we process anonymized data. However, at the explicit request of the Customer, we may process Personal Data on behalf of and according to the instructions of the Customer. In case of receiving Personal Data, we undertake to anonymize them and to treat them as Confidential Information, unless otherwise provided by the Customer.

1.5 Purposes of Processing. Hexagon Data’s Services are customized to the needs and interests of each Client, the specifications are inscribed in each corresponding Contract. In this regard, Hexagon Data only processes Customer Data in accordance with (i) the written instructions of the Customer (ii) the terms of this DPA, and (iii) any Contract and/or agreement between the Parties. Hexagon Data may process certain categories of personal data on behalf of the Customer for certain defined purposes as set forth in Annex A.

2 Data Subject’s rights 

In the event that Hexagon Data receives a request from a user and/or consumer, for whom the Customer is the Controller, to exercise their ARCO rights or any rights specific to their jurisdiction, Hexagon Data will notify the Customer. To the extent permitted by law, Hexagon Data will assist the Customer with appropriate technical and organizational measures to fulfill their obligation to respond to the Data Subject’s request under the Data Protection Laws and Regulations. 

If the Customer or any interested third party would like to exercise their rights over Personal Data for which we are the Controller, they may exercise their rights by following the procedure explained in the section “MEANS TO EXERCISE YOUR RIGHTS” of our Privacy Notice .

3 Hexagon Data’s employees

Hexagon Data has a team of specialists, analysts and employees (the “employees”) trained to offer high quality Services to our Customers. We are committed to the protection of the data we process. Thus we implement internal measures for the processing of data and train the employees to process data according to the standards described in this Agreement. The following security measures are designed to protect the security and privacy of our Customers:

3.1 Confidentiality. We make sure that the team dedicated to the processing of data is informed of the confidential character of the Customers Data, receive suitable training on their responsibilities and sign written agreements of confidentiality. These confidentiality obligations survive the termination of their contract.

3.2 Access limitation. Access to Customers Data is limited to the employees who perform the Services in accordance with the Contract. In addition, each member is provided with a computer for the exclusive use during their relationship with Hexagon Data. Any work they perform with respect to the Service will be on Hexagon Data’s equipment.

3.3 Data Protection Officer. Hexagon Data has appointed a Data Protection Officer. The designated person can be contacted at [email protected].  

4 Sub-processors

The Customer agrees and authorizes that Hexagon Data may engage third parties (the “Suppliers”) in connection with the provision of the Services, who shall be deemed to be Sub-Processors in accordance with this DPA. Hexagon Data signs a written contract with each Sub-Processor which contains obligations regarding the protection of personal data no less protective than those in this DPA. The list of Sub-Processor is set forth in Annex B. 

In the event that Hexagon Data wishes to make a change of Sub-Processor, it will notify the Customer and must obtain his consent to make such change. The Customer may object to Hexagon Data’s use of a new Supplier within 5 (five) days of notification. If the Customer fails to respond and continues to act in accordance with the Agreement, the proposal shall be deemed to be accepted. 

When contracting the Suppliers we commit ourselves to :

a. to engage recognized and market-leading companies that implement security measures no less protective than those established in this Agreement to comply with data protection, insofar as they are applicable to the nature of the services provided by the Sub-Processor;

b. restrict the Sub-Processor’s access to the Customer Data only to the extent necessary to maintain or provide the services to the Customer;

c. Hexagon Data is responsible for compliance with the obligations of this Agreement and for any acts or omissions that a Sub-Processor may cause to breach any of the obligations contained herein, except as otherwise provided. 

5 Security

Hexagon Data implements appropriate technical and organizational measures to protect the security, confidentiality and integrity of the Customer Data.

5.1 Security measures. We establish and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or treatment. We do not adopt security measures less protective than those we maintain for our information. 

Security measures include: (a) anonymization of Personal Data; (b) we protect the security of your information during transmission to or from Hexagon Data websites, APIs, applications, products or services through the use of encryption software and protocols; (c) we create specific access keys for each party involved in data processing; (d) we adopt internal measures for the processing of data by the employees; and (e) we ensure that our Suppliers comply with the highest standards of data security and privacy, in accordance with applicable Laws.

5.2 Confidentiality. At all times, Hexagon Data will treat Customer Data as Confidential Information and ensures that all employees responsible for processing such data sign confidentiality agreements that will govern the access, use and treatment of Customer Data.

5.3 Management and notification of security incidents. In the event of security incidents, Hexagon Data will notify the Customer as soon as it becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data, including data that has been anonymized, transmitted, stored or otherwise processed by Hexagon Data or its Sub-Processors. 

Hexagon Data will make reasonable efforts to identify the cause of any incident and will take the necessary and reasonable actions to remedy the cause to the extent within Hexagon Data’s reasonable control. The obligations set forth herein shall not apply to incidents caused by the Customer or the Customer’s users.

6 Data transfer

We transfer data the least possible. If we do so, it will be with our Suppliers, who are Sub-Processors under the terms described in the corresponding section within this DPA. The transfers we make are only those under Article 37 of the LFPDPPP. Likewise we ensure that it is to jurisdictions that meet the same or higher security standards than those described in this Agreement.

7 Data deletion

During the contractual relationship with the Customer, we may store Customer Data in any of our databases. We undertake to only store the data that is strictly necessary and to delete it once the purpose for which it was collected has been fulfilled or until the legal deadline. Likewise, as far as possible and prior request, we undertake to return the Customer Data at the end of the contractual relationship. 

8 Additional information for specific jurisdictions

We provide additional information about the privacy, collection and use of personal information of current and prospective Hexagon Data customers located in certain jurisdictions. 

8.1 European Union: GDPR

Hexagon Data processes personal data, in the best of its abilities, in accordance with the requirements of the GDPR directly applicable to the provision of its Services and the needs of its Customers. The Customer specifically acknowledges that his use of the Services will not violate the rights of any Data Subject under the protection of the GDPR. 

8.2 CCPA

Hexagon Data processes personal data, in the best of its abilities, in accordance with the requirements of the CCPA directly applicable to the provision of its Services and the needs of its Customers. Within or by virtue of our Services, we do not sell databases or Personal Data of the Customer nor its users and/or consumers. The Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject who has chosen not to sell or disclose its Personal Data as applicable under the CCPA.

9 Miscellaneous

9.1 Modifications. We are constantly updating our policies to offer the best possible protection. Hexagon Data reserves the right to make modifications and adaptations to this Agreement. In the event we consider that there are substantial changes, we will notify you in advance by posting a visible notice on our website or by any of the available means of communication. As the effective date it will be deemed to be accepted by you. We suggest constantly review our website during the term of our relationship.

9.2 Validity. This Agreement remains effective during the contractual relationship with the Customer. Any obligations or liabilities in force up to the termination date shall remain valid until they have been fulfilled. 

This Agreement will be legally binding once made available to Customer. It will be understood that the Customer consents to the processing of his data, when having made this Agreement available to him, he does not express his opposition to it.

Annex A

Processing Details 

1.1. Nature of the processing

Hexagon Data processes Customer Data for the purpose of providing the Services to the Customer and as instructed by the Customer. The purpose of the processing is to analyze the data to optimize the KPIs indicated by the Customer. We process databases of our Clients that hold general information on the behavior of their anonymized users. Therefore, we usually process anonymized data, however, there are certain and exceptional cases in which the Client requests that we process Personal Data of its users and/or consumers. 

Occasionally, Hexagon Data may require that the Customer gives us access to its data sources. We will only access the data necessary to provide the contracted Services and under the Customer’s instructions.

1.2. Purpose of processing

The purpose of processing Customer Data may be any of the following:

  • Analysis services that may include analysis of campaigns, websites, and/or databases
  • Connection to Customer databases
  • Creation of campaign reports
  • Cross device matching 
  • Customized content delivery
  • Data connection to displays chosen by the Customer
  • Generate audience insights
  • Maintenance and administration of the accounts on behalf of the Client
  • Market Research

1.3. Processing Duration

In accordance with the section on the validity of the DPA, Hexagon Data processes Customer Data during the validity of the contractual relationship with the Customer.

1.4. Types of Personal Data

In the exceptional case that we process Personal Data, it is the Customer who collects, by himself or by an authorized third party, the Personal Data. Hexagon Data collects the data by direct transfer from the Customer or by access to the Customer’s databases. At all times it is the Customer, either by itself or by an authorized third party, who collects the data. It is the Customer’s First Party Data.

The types of Personal Data may include, but are not limited to

  • Address
  • Age
  • Cookie IDs 
  • Email address
  • First and last name
  • Gender
  • Inaccurate geolocalization data 
  • Inferred and declared behavioral data 
  • Information on the use of mobile applications
  • Marital status
  • Mobile Advertising IDs
  • Number of children
  • Web browsing information

1.5. Categories of Data Subjects

The Customer Data is related to the following categories of Data Subjects:

  • Users, consumers and prospects
  • Clients and Client’s vendors

1.6. Sensitive Personal Data

Hexagon Data does not process sensitive data within the provision of our Services

Annex B

Sub-Processors

  • Amazon Web Services, Inc. 
  • Datorama, Inc.
  • Google LLC. 
  • Lotame Solutions, Inc.
  • Microsoft Power Bi
  • QlikView de QlikTech Inc. 
  • Tableau Software LLC.
  • TapClicks, Inc.