Skip to content

GDPR Addendum to PMA

General Data Protection Regulation Addendum to the Publisher Membership Agreement

This Addendum to the Rakuten Marketing LLC Publisher Membership Agreement (the “Agreement”) is by and between you (“you”) and depending on your location, either RM United States, RM Europe, RM Australia or RM Brazil as applicable.  For the purposes of this Addendum each of RM United States, RM Europe, RM Australia and RM Brazil will be referred to individually as a “Rakuten Marketing Service Provider” and collectively as “Rakuten Marketing.”  For the purposes of this Addendum, regardless of your location, you may be referred to as “Publisher.” Rakuten Marketing and Publisher are each a Party and collectively the Parties under this Addendum.

This Addendum is an integral part of the Agreement and becomes effective 14 days after this Addendum is made available, if you continue participation in the Network, including the use of Qualifying Links and entering into Engagements.  In the event of a conflict between definitions in the Agreement and this Addendum, the definitions within this Addendum control.

1. Definitions.

a. “Personal Data,” “Process/Processing,” “Controller,” “Processor,” “Data Subject” and “Supervisory Authority” shall have the same meanings given to them in the Regulation.

b. “Data Protection Law(s)” means the Directive, the Regulation, any successors thereto, and any other applicable law, rule, regulation, declaration, decree, directive, statute, any industry self-regulatory principles relating to data protection or privacy of individuals.

c. “Directive” means the Directive 95/46/EC of the European Parliament and of the Council (Personal Data Directive).

d. “Regulation” means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation).

2. Role of the Parties.

In order to participate in the Network and to enter into Engagements, you collect, use and share Personal Data with Rakuten Marketing for the purposes described in the Agreement, the “Permitted Purposes.”  Publisher is a Controller of the Personal Data it processes and discloses to Rakuten Marketing.  In addition to the Personal Data Rakuten Marketing receives from Publisher, Rakuten Marketing also collects and uses Personal Data for the Permitted Purposes.  Rakuten Marketing is a Controller of the Personal Data that it collects and uses as a separate and independent Controller for the Permitted Purposes.  In no event will the Parties process the Personal Data as joint Controllers.

3. Obligations.

Each Party shall use the Personal Data in accordance with the Regulation and other applicable Data Protection Laws and will individually and separately fulfill all obligations that apply to it as a Controller under the Regulation.

a. In order to disclose Personal Data to for the Permitted Purposes and in compliance with the Regulation, each Party’s obligations include without limitation:

(i). identifying, disclosing and establishing its independent legal basis for processing and disclosing Personal Data; and

(ii). fulfilling transparency requirements regarding its use of and disclosure of Personal Data.

(iii). implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the Regulation. In assessing the appropriate level of security, each Party shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by Processing.

b. Notwithstanding the foregoing, Publisher will assure it: (i) obtains the necessary consent from Data Subjects on behalf of Rakuten Marketing in order for Rakuten Marketing to Process the Personal Data for the Permitted Purposes, (ii) shares such consent with Rakuten Marketing in a manner that is mutually agreed upon (e.g., IAB Europe’s GDPR Transparency and Consent Framework); and (iii) provides Data Subjects with the ability to withdraw such consent, in each case via the technology made available to Publisher by Rakuten Marketing or such other consent tool approved by Rakuten Marketing.

c. Publisher will take all steps reasonably requested by Rakuten Marketing to ensure Rakuten Marketing’s compliance with applicable Data Protection Laws.

d. In the event that either Party receives any correspondence, inquiry or complaint from a Data Subject or Supervisory Authority (“Inquiry”) related to the use of Personal Data for the Permitted Purposes or the processing of Personal Data by the other Party, it will promptly inform the other Party and provide full details of the Inquiry. The Parties shall cooperate in good faith to timely respond to the Inquiry in accordance with requirements under the applicable Data Protection Laws.

4. International Data Transfers.

The Parties acknowledge that Personal Data collected in the European Union (“EU”) or European Economic Area (“EEA”) shall be collected by Rakuten Marketing’s European affiliate, Rakuten Marketing Europe Ltd. Rakuten Marketing Europe Ltd. may transfer Personal Data from the EU or EEA to its affiliates in the United States or other territories where the laws governing the level of protection for Personal Data differs from that of the EU and EEA. Such transfers rely on the Rakuten, Inc. Binding Corporate Rules (BCR) which have been approved by the Luxembourg Data Protection Authority. For more information on the BCR’s please visit

5. Survival.

This Addendum shall survive termination or expiration of the Agreement.  Upon termination or expiration of the Agreement, Rakuten Marketing may continue to process Personal Data received from Company provided that such use complies the requirements of this Addendum and under the Regulation.