Roku Data Processing Terms

This Data Processing Agreement (“DPA”) forms part of any contract (including but not limited to a Roku Advertising Insertion Order (“I/O”)), where the contract:

- is entered into between: (A) Roku, Inc., a Roku group company (including but not limited to Roku International B.V.), or a company identified in such contract as “Media Company” (“Roku” or “Media Company”, as applicable); and (B) a company identified in the contract as the “Agency”, “Advertiser” or “Customer” (or other such equivalent term) (“Media Buyer“); and
- incorporates this DPA by reference,

(collectively, a “Roku Contract”).

Capitalized terms used in this DPA shall have the meaning given to them in the main body of the Roku Contract, unless otherwise defined in this DPA.

IT IS AGREED:

Definitions

“C2C SCCs” means Module One of the European Standard Contractual Clauses (2021/914) as made available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, including (as applicable for compliance with data protection and privacy law in the UK) as such clauses are otherwise adopted or amended for use under UK GDPR, or as they are otherwise amended or replaced by the European Commission or UK Secretary of State from time to time.

“C2P SCCs” means Module Two of the European Standard Contractual Clauses (2021/914) as made available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, including (as applicable for compliance with data protection and privacy law in the UK) as such clauses are otherwise adopted or amended for use under UK GDPR, or as they are otherwise amended or replaced by the European Commission or UK Secretary of State from time to time.

“Controller” (which may also be used interchangeably with “Business” or “Third Party”, as applicable) shall have the meaning ascribed in the GDPR, or as otherwise set out in applicable Privacy Laws.

“Data Subject” (which may also be used interchangeably with “Consumer”) shall have the meaning ascribed in the GDPR, or as otherwise set out in applicable Privacy Laws.

“Europe” means for the purposes of this DPA, the European Economic Area (“EEA”), Switzerland and the United Kingdom.

“European Data Protection Law” means applicable privacy and data protection laws within Europe as they apply to the Processing of Personal Data under this DPA, including: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) all applicable national privacy laws made in member states of the EEA under or pursuant to (i) or (ii); (iv) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (v) the Data Protection Act 2018 (UK); (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003, as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018; (vii) any other laws in force in the UK from time to time applicable to the processing of Personal Data under this DPA; (viii) Federal Act on Data Protection (Switzerland) and (ix) any other laws or regulations applicable to the Processing of Personal Data under this DPA (in each case, as superseded, amended or replaced).  The EU GDPR and UK GDPR shall collectively be referred to as “GDPR”.

“Media Buyer Data” means (i) any data provided to Roku directly by Media Buyer in connection with the Roku Advertising Services, such as custom segments, and/or information to enable Roku to create custom segments, where the Media Buyer and Roku have agreed in writing that Roku may only Process this information on behalf of the Media Buyer for the provision of the Roku Advertising Services; and/ or (ii) Pixel Data (if the Media Buyer has opted out of Roku’s own use of such data in accordance with the Roku Contract).

“Personal Data” shall have the meaning ascribed in the GDPR, or as otherwise set out in applicable Privacy Laws.

“Personal Information” means any information or data that identifies, or relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual, household, or device (and includes Personal Data).

“Privacy Laws” means all applicable global privacy and data protection laws and regulations which apply to the parties in respect of their use of Personal Information under this DPA, including (as applicable and without limitation): (i) European Privacy Law; (ii) US State Privacy Laws; and (iii) any other laws and regulations of any country applicable to the Processing of Personal Information hereunder, in each case as may be amended or superseded from time to time.

“Process” or “Processing” shall have the meaning ascribed in the GDPR, or as otherwise set out in applicable Privacy Laws.

“Processor” (which may also be used, as applicable, interchangeably with “Service Provider”, or “Contractor”) shall have the meaning ascribed in the GDPR, or as otherwise set out in applicable Privacy Laws.

“Roku Ad Data” means the information that Roku Processes in order to provide the Roku Advertising Services including, as applicable, Roku Data, Platform Usage Data, the Roku ID for Advertising (RIDA), advertising identifiers, IP addresses, unique device identifiers, any data about Roku and Roku’s devices, channels, end users, data from Third Party Services, Log File Data, any data provided directly by Media Buyer Data in connection with the Roku Advertising Services (excluding Media Buyer Data), Pixel Data (unless the Media Buyer has opted out of Roku’s use of such data in accordance with the Roku Contract), Site Data, or Performance Data (which includes but is not limited to interactions with ads, clicks, views, installs, and other event data).

“Roku Approved Ad Partner(s)” means advertising partner(s) that have been approved by Roku to provide advertising services on the platform, as may be updated by Roku from time to time.

“Roku Privacy Policy” means the Roku privacy policy available on Roku's public facing website, the most current version of which is available at www.roku.com (as updated or amended from time to time).

“Roku Property” and “Roku Properties” means the user interface of the Roku platform, The Roku Channel and on any Roku-branded website and/or application, and/or on any website, application, channel or other property where Roku serves advertisements.

“SCCs” shall mean the C2C SCCs or C2P SCCs, as applicable.

“UK Addendum” means the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers, as such addendum is amended or replaced by the UK Information Commissioner from time to time.

“US State Privacy Laws” means, collectively, all applicable U.S. state privacy laws and their implementing regulations, as amended or superseded from time to time, including but is not limited to the following: (i) California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”); (ii) Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”); (iii) Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (“CPOMA”); (iv) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (“UCPA”); and (v) Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”).  The terms, “Contractor”, “Service Provider”, “Share”, “Shared” “Sharing”, “Sale”, “Selling” and “Third Party” shall have the meaning defined in the US State Privacy Laws. In the event of any conflict of means of the defined terms in the US State Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.1.

1. Scope of Processing:

Media Buyer has engaged Roku to serve and measure advertisements on its behalf on the Roku Properties (or otherwise) and to provide associated services, as agreed between the parties (the “Roku Advertising Services”). Media Buyer acknowledges and agrees that, Roku may Process Roku Ad Data and/or Media Buyer Data, as the case may be, in connection with Roku’s delivery of the Roku Advertising Services under the applicable Roku Contract.  Each party shall comply with the obligations that apply to it under Privacy Laws in respect of any Personal Information Processed in connection with the Roku Contract, and will ensure that it provides the same level of privacy protection to such Personal Information as required by Privacy Laws.  Despite this, Media Buyer shall ensure that: (i) it only discloses (or otherwise makes available) Personal Information to Roku relating to individuals who have not opted out (in accordance with Privacy Laws) from the use of their Personal Information by Roku, as envisaged under the Agreement; and (ii) that it has collected such Personal Information in accordance with Privacy Laws (including providing such notice and obtaining any such consents as may be necessary by Privacy Laws) to enable itself and Roku to lawfully use the Personal Information as envisaged under this Agreement. To the extent required by Privacy Laws: (i) each party shall notify the other if it can no longer meet its obligations under Privacy Laws; and (ii) each party may take reasonable and appropriate steps to help to ensure that the other party only uses the Personal Information Processed in connection with the Roku Contract in accordance with its obligations under Privacy Laws.

2. Relationship of the parties:

Roku Ad Data: To the extent the Roku Ad Data contains Personal Information, Media Buyer acknowledges that Roku shall Process such data as a Controller in accordance with the Roku Privacy Policy and the terms of this DPA (except for those in Section 7 below).  Where Roku Inc. is the signatory of the Roku Contract and receives Personal Information in Roku Ad Data protected by European Data Protection Laws directly from the Media Buyer (“European Data”), Roku shall Process such European Data outside of Europe on the basis of the C2C SCCs (as supplemented by the UK Addendum, where required by applicable law), which shall be incorporated into this DPA by reference and which will apply to the Processing as follows:

- Media Buyer shall be the “data exporter” of such data;
- Roku shall be in the “data importer” of such data;
- Annex I of the C2C SCCs shall be deemed completed with the information set out in the relevant part of Annex 1 of this DPA;
- Annex II of the C2C SCCs shall be deemed completed with the information set out in Annex 2 of this DPA;
- Clause 7 (Docking Clause) of the C2C SCCs shall be included;
- Clause 17 (Governing Law) of the C2C SCCs shall refer to the Netherlands as the Member State;
- Clause 18(b) of the C2C SCCs shall refer to the courts of the Netherlands;
- Where EU GDPR applies, in the event of any conflict between the C2C SCCs and the provisions of this DPA, the C2C SCCs shall prevail; and
- Media Buyer warrants that it has right to enter into the C2C SCCs in respect of the Roku Ad Data.

Where UK GDPR applies, the UK Addendum shall be incorporated into this DPA and shall be deemed completed with the information provided in this DPA, including that: (i) Roku may end the UK Addendum as set out in Section 19 of the UK Addendum; and (ii) Part 2: Mandatary Clauses shall be included.  Notwithstanding the foregoing, where UK GDPR applies, the following order of precedence shall apply: (i) the UK Addendum; (ii) the C2C SCCs; (iii) this DPA; and (iv) the Roku Contract.

Media Buyer Data: To the extent Roku Processes Media Buyer Data that contains Personal Information, Roku shall Process such data in accordance with the additional terms in Section 7 below.

In no event will the parties Process Personal Information under the Roku Contract as joint controllers.

Nothing in the Roku Contract (including this DPA) shall limit or prevent Roku from collecting or using data that Roku would otherwise Process independently of Media Buyer's use of the Roku Advertising Services.

3. Data protection: The parties agree:

The (i) subject-matter, nature and purpose of the Processing is to deliver the Roku Advertising Services as set forth in the Roku Contract and as further described in Annex 1 to this DPA; and (ii) duration of Processing shall be as set out in the Roku Contract (including any further contracts agreed between the parties).

Roku shall ensure that persons authorized to Process the Roku Ad Data and/or Media Buyer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Data Security

Roku shall implement appropriate technical and organisational security measures for the Roku Ad Data and/or Media Buyer Data to protect it against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information transmitted, stored or otherwise processed by Roku (a “Security Incident”). 

5. Co-operation and Data Subject Rights:

The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under Privacy Laws, including in order to enable the other party to respond to: (i) any request from a Data Subject to exercise any of its rights under Privacy Laws in relation to the Personal Information; and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Information.

6. Roku Approved Ad Partners:

Media Buyer acknowledges Roku's use of Roku Approved Ad Vendors in providing the Roku Advertising Services. Roku represents and warrants that it has terms in place with the Roku Approved Ad Partners requiring them to Process any Personal Information in accordance with Roku’s instructions.

7. Media Buyer Data – additional terms:

a. Roku shall Process the Media Buyer Data only for the purposes of delivering the Roku Advertising Services in accordance with the Roku Contract and on the documented lawful instructions of Media Buyer as set out in full in this DPA and the Roku Contract (“Permitted Purposes”). Where required by Privacy Laws, Roku shall not (except to the extent required to fulfil the Permitted Purposes, as instructed by Media Buyer, or as otherwise permitted by Privacy Laws): (i) Sell or Share Media Buyer Data; (ii) retain, use or disclose Media Buyer Data for any purpose other than the Permitted Purposes; (iii) retain, use or disclose the Media Buyer Data outside of the direct business relationship between the parties; and (iv) combine Media Buyer Data with Personal Information obtained from, or on behalf of, sources other than Media Buyer Data. The parties acknowledge that the exchange of Media Buyer Data under this DPA does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Roku Contract or this DPA.  Roku shall inform Media Buyer if, in its opinion, Media Buyer's instructions infringe applicable Privacy Laws.

b. Roku shall inform Media Buyer without undue delay in the event of a Security Incident involving Media Buyer Data, providing details of the incident, and inform Media Buyer what measures and actions it is taking to mitigate or remedy the effects of the Security Incident. Roku shall not release or publish any public information concerning the Security Incident without Media Buyer’s prior approval.

c. Roku may engage Processors to assist it in Processing Media Buyer Data in the performance of the Roku Advertising Services provided that (i) Roku shall ensure that its Processors are subject to data protection terms that protect the Media Buyer Data to the same or a substantially similar standard as set out in this DPA; (ii) maintains a list of its then-current Processors and shall provide such list upon request to Media Buyer; and (iii) if Roku wishes to appoint or replace a Processor it shall provide Media Buyer with a minimum of fourteen (14) days prior notice and Media Buyer may object to such appointment or replacement on reasonable data protection grounds within seven (7) days following receipt of such notice. If Media Buyer so objects, then either (a) Roku shall not use the proposed Processor to Process the Media Buyer Data; or (b) if this is not possible, Media Buyer may terminate the Roku Contract for its convenience upon written notice to Roku.

d. Where Roku Inc. is the signatory of the Roku Contract and receives Media Buyer Data that is protected by European Data Protection Law (“Media Buyer European Data”) directly from the Media Buyer, Roku shall Process the Media Buyer European Data outside of Europe on the basis of the C2P SCCs (as supplemented by the UK Addendum, where required by applicable law), which shall be incorporated into this DPA by reference and which will apply to the Processing as follows:

- Media Buyer shall be the “data exporter” of such data;
- Roku shall be in the “data importer” of such data;
- Annex I of the C2P SCCs shall be deemed completed with the information set out in the relevant part of Annex 1 of this DPA;
- Annex II of the C2P SCCs shall be deemed completed with the information set out in Annex 2 of this DPA;
- Clause 7 (Docking Clause) of the C2P SCCs shall be included;
- Clause 9 of the C2P SCCs shall include OPTION 2 and the time period shall be 14 days;
- In Clause 11, the optional language will not apply;
- Clause 17 (Governing Law) of the C2P SCCs shall include OPTION 1 and shall refer to the Netherlands as the Member State;
- Clause 18(b) of the C2P SCCs shall refer to the courts of the Netherlands;
- Where EU GDPR applies, in the event of any conflict between the C2P SCCs and the provisions of this DPA, the C2P SCCs shall prevail; and
- Media Buyer warrants that it has right to enter into the C2P SCCs in respect of the Media Buyer European Data.

Where UK GDPR applies, the UK Addendum shall be incorporated into this DPA and shall be deemed completed with the information provided in this DPA, including that: (i) Roku may end the UK Addendum as set out in Section 19 of the UK Addendum; and (ii) Part 2: Mandatary Clauses shall be included.  Notwithstanding the foregoing, where UK GDPR applies, the following order of precedence shall apply: (i) the UK Addendum; (ii) the C2P SCCs; (iii) this DPA; and (iv) the Roku Contract.

e. Where required by Privacy Laws: (i) Roku shall assist Media Buyer to respond to requests from individuals to access, correct, delete, object or exercise any other rights they have in respect of the Media Buyer Data under Privacy Laws, at no cost to Roku; and (ii) Media Buyer shall inform Roku of any requests made pursuant to Privacy Laws that Roku must comply with and shall provide Roku with the information reasonably necessary for Roku to comply with that request.

f. If Roku receives any correspondence, enquiry or complaint from a Data Subject, regulator or any other person relating to its Processing of Media Buyer Data, it will promptly inform Media Buyer and provide it with full details of the same.

g. If Media Buyer is required by applicable Privacy Laws to conduct a data protection impact assessment in respect of the Roku Advertising Services, Roku shall provide all information reasonably requested by Media Buyer in connection with such assessment, at no cost to Roku.

h. Where required by Privacy Laws, Roku shall delete or return all the Media Buyer Data to Media Buyer after the end of the provision of the Roku Advertising Services or at the Media Buyer’s request. This requirement shall not apply to the extent that Roku is required by applicable law to retain some or all of the Media Buyer Data, or to Media Buyer Data that it has archived on back-up systems, which Roku shall securely isolate and protect from any further processing except to the extent required by such law.

i. Where required by Privacy Laws, Roku shall make available to Media Buyer all information reasonably necessary for Roku to demonstrate its compliance with the obligations in this DPA, including by way of providing responses to any audit questions raised by Media Buyer (such audits not to be conducted more than once per annum and at Media Buyer’s expense).

8. Miscellaneous

This DPA shall survive termination or expiry of the Roku Contract.

Annex 1: 

Section A: List of Parties

Data exporter(s): Media Buyer (and/or “Agency”, “Advertiser” or “Customer” in the Roku Contract).

Address: As set out in the Roku Contract

Contact person’s name, position and contact details: As set out in the Roku Contract

Activities relevant to the data transferred under these Clauses: Exporter has engaged Roku to provide the Roku Advertising Services as described in this DPA

Date: The Effective Date as set out in the Roku Contract

Role (controller/processor): Controller

 

Data importer(s): Roku, Inc.

Address: 1155 Coleman Avenue, San Jose, CA 95110, USA.

Contact person’s name, position and contact details: privacy@roku.com.

Activities relevant to the data transferred under these Clauses: Roku manufactures and provides a variety of hardware products and media streaming services across the globe; and provides on platform and off-platform advertising services to third party advertisers, enabling them to reach their desired audience and to understand and improve their ad campaigns.

Date: The Effective Date as set out in the Roku Contract

Role (controller/processor): Controller and Processor as further described in section B below.

 

Section B: Description of Transfer

Categories of data subjects whose personal data is transferred

Individuals who are past, present and potential customers of Media Buyer and/or Media Buyer’s customers or clients whose Personal Information is contained within the Media Buyer Data or Roku Ad Data.

Categories of personal data transferred

Personal Information contained with the Roku Ad Data and/or Media Buyer Data for the purpose of providing digital advertising services on behalf of the Data Exporter, including but not limited to end user emails, user IDs, mobile identifiers, device identifiers and other similar types of data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Data is transferred on a continuous basis during the provision of services under the Roku Contract.

Nature and purpose of the Processing

To provide the Roku Advertising Services to the Exporter, and as otherwise described in the Roku Privacy Policy.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As long as such data is required to provide the Roku Advertising Services to the Exporter and as further described in the DPA or the Roku Privacy Policy.

For transfers to Processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of processing by Processors appointed by Roku (in its role as processor under this DPA) are all concurrent with the importer’s subject matter, nature and duration of processing as described in this Annex 1.

Section C: Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 SCCs:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

 

Annex 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Roku shall protect the Roku Ad Data in accordance with Section 4 of the DPA and its Information Security Policies.