Last Updated: January 10, 2019
Monetization and Advertising Controller Data Protection Addendum
GDPR Terms (Controller-Controller)
(This Addendum applies to the services identified in the main Terms of Service found at www.unity.com/legal. Parties subject to offline agreements may receive a version of these addenda for execution and incorporation to such offline agreement if such offline agreement does not include similar data protection language already.)
1. Scope
This Addendum is an integral part of the terms and conditions for Unity services, including but not limited to Unity’s primary Terms of Service, the Advertiser Terms of Service, and Monetization Terms of Service. This Addendum supersedes such terms of service in case of discrepancy. The Parties agree that this Addendum is designed to state the Parties' obligations resulting from the General Data Protection Regulation, and all local implementing legislation within the European Economic Area and, as necessary, to state the obligations of the Parties with respect to legislation of countries following similar regulatory rules to protect data to the extent such laws are subject to an adequacy finding under European laws.
2. Data Protection
Definitions: In this Clause, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law;
- “Customer” shall mean any party using Unity Services or software; a “Publisher” shall mean any distributor of software and services for whom Unity provides advertising services of such publisher’s software and services under a Publisher Agreement, and “Advertiser” shall mean any party placing advertisement inventory with Unity under its Advertiser Terms of Service (collectively “Customer”);
- “End User” shall mean customers of Unity’s Customers and/or viewers of Publishers’ content or Advertisers’ content
- "Applicable Data Protection Law" means any and all applicable privacy and data protection laws (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time;
- "EU Data Protection Law" means (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
Purpose of processing: Unity Customers using Analytics services or installing Unity’s Ads SDK will permit the disclosure of the personal data described in the terms and conditions and documentation for such services (the "Data") to Unity to process as a Controller of the Data for the purposes described in Unity’s Privacy Policy as applicable by services to which the “Customer” subscribes (the "Permitted Purpose"). Specifically, and notwithstanding anything to the contrary in any prior Data Processing Addendum, Unity shall use the Data in identified format to make targeting decisions within its services, provide monetization services to its Customers, assist its Customers with maintaining their services, improving their services, and analysing the marketplace for their services as well as the performance of their services. Notwithstanding the foregoing, data obtained by Unity independent of any such Customer using Unity software that is the same or similar to the Data described herein shall not be restricted by this Addendum, any license agreement, or any terms or conditions for such services. Unity may use all Data collected on an aggregated or de-identified basis as set out in its Privacy Policy, provided that such use does not reveal End Users or any End User device directly or indirectly.
Relationship of the parties: The parties acknowledge that Customer is a controller of the Data it discloses to Unity, and that Unity will process the Data as a separate and independent controller for the Permitted Purpose or for a purpose described in its Privacy Policy provided that it has a legal basis for such additional processing and can comply with all aspects of applicable Data Protection Laws.
Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law. Without limitation to the foregoing, each party shall maintain a publicly-accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Data Protection Law. Customers shall list Unity Technologies as a third party that is collecting data within its App in its publicly available privacy policy, including providing a link to Unity Technologies’ privacy policy. Customers agree to keep up to date versions of Unity software and services installed in their applications as Unity identifies as necessary to permit Unity to maintain its compliance with law. By way of example and without limiting the generality of the foregoing, Unity relies on Customers updating their applications with software changes made to provide certain opportunities for consumers to exercise their rights to disclosure and deletion requests; however, updates unrelated to compliance with law may occur from time to time which are not subject to this paragraph 2.4 nor governed by this Addendum. To the extent required by Applicable Data Protection Law, the Parties agree that they will specifically identify to the other Party when they require that the Party obtain from the relevant individuals their explicit consent pursuant to Applicable Data Protection Law, thereby permitting the use of his or her Personal Data by the receiving Party as contemplated by that Party. The foregoing does not create a general requirement related to Consent, and a Party requiring Consent must provide adequate notice to the other Party of this requirement.
Security: Each party shall implement appropriate technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident"). In the event that a party suffers a confirmed Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. Nothing herein prohibits either party with moving forward to notify regulatory authorities as may be required by law prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay.
Treatment of Data Rights in Prior Agreements: Customers agree that this Addendum does not enlarge any rights provided for in their Terms of Service whether such rights are provided in online Terms of Service or in offline Agreements and they continue to be limited to the use rights and restrictions provided for therein. For clarity to the Advertiser Terms of Service, Advertisers agree that to the extent they require Unity to present data to a third party install tracker that they have such parties under a valid data processing agreement clearly directing the install tracker as to its usage instructions, duties, and liabilities for processing such data.
Survival: This Clause shall survive termination or expiry of any terms of service or other agreement to permit Unity to comply with its legal obligations. Upon termination or expiry of the Customer relationship, Unity may continue to process the Data for the Permitted Purpose provided that such processing complies with the requirements of this Clause and Applicable Data Protection Law.
Effect of this Addendum on other legal terms. This Addendum in no way alters the limitations of liability or other legal terms set out in any terms and conditions for service or any services agreement entered between the Parties.
3. Standard Contractual Clauses
To ensure that appropriate safeguards are afforded to personal data transferred by each party, the parties hereby incorporate the Standard Contractual Clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) approved by the European Commission in decision 2004/915/EC in their entirety, subject to the following: (a) “data exporter” shall mean Customer and “data importer” shall mean Unity and (b) Annex B of the Standard Contractual Clauses shall be as set out below as Section 4 to this Data Protection Addendum
4. Annex B to the Standard Contractual Clauses
Data subjects
The personal data transferred concern the following categories of data subjects:
- End users of mobile applications who view ads, in-app content, and play games as well as the employees of our partners and vendors who participate or service our ad network
Purpose of the transfer(s)
The transfer is made for the following purposes:
- In order to enable Customer to Advertise, Monetize, or otherwise provide services as described in an agreement between Unity and Customer
- To provide analytics and reporting
- For Unity’s internal purposes, including billing and payment processing, fraud prevention, and improving products and services.
Categories of data
The personal data transferred concern the following categories of data:
- End-user data, Advertiser ID or device IDs (e.g., IDFA, GAID, IP address)
- Game play, In-app purchase, and device data, including device identifiers
- Information related to the ad content or attribution data sent by Customer or Customer’s agent
- Customer/Partner and Vendor Employee Personal Data: Names, email addresses, usernames, and telephone numbers of partner or vendor employees who access Unity’s ordering system to place advertisements, bid on the right to advertise to any End User, or any vendor employee who provides such information to Unity in performing services for Unity.
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- Unity Affiliates, Unity Vendors (e.g. data storage), Ad Exchanges, Demand Side Platforms, Supply Side Platforms, Direct Marketing Platforms, Publishers, Advertisers, Ad Networks
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
- None
Contact points for data protection inquiries
Data importer: dpo@unity3d.com
Data exporter: as specified by Customer or the contact information in the agreement.