EEA/UK/SWISS SPECIFIC DATA TERM
Effective Date: 1 January 2026
This EEA/UK/SWISS Specific Data Terms (“GDPR Terms”) is incorporated into and forms an integral part of the TikTok Pangle Publisher Agreement, or any other applicable online or offline agreement between you as the “Partner” and TikTok Pangle that incorporates these GDPR Terms by reference (“Agreement”).
These GDPR Terms may be updated by TikTok Pangle from time to time, including to reflect any changes to the applicable data protection laws. Any updates shall become effective on the effective date specified above.
1. Definition. In these GDPR Terms, capitalised terms not defined herein shall have the meaning given to them under the Agreement, and the following additional definitions shall apply:
"Controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"GDPR" means (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) ("EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law pursuant to s.3 of the United Kingdom’s European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) any national legislation made under or pursuant to paragraph (i) or (ii); and (iv) any amendments or successor legislation to any of paragraphs (i), (ii) or (iii).
"Joint Controllers" means two or more Controllers that jointly determine the purposes and means of processing. "Joint Controller" shall be construed accordingly.
"Joint Processing" means the collection of Personal Data via the TikTok Pangle Technology on the Property and its subsequent transmission to TikTok Pangle to be used for the Permitted Purpose, but does not include any processing of the Personal Data that takes place after it has been transmitted to TikTok Pangle.
"Joint Controller Terms" means the terms set out in Section A1 – Joint Controller Terms.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under these GDPR Terms.
“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data subject to the EU GDPR to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data subject to the UK GDPR to a country outside of the UK which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the competent Swiss authority in accordance with the Swiss DPA.
"Sensitive Data" has the meaning given under Applicable Data Protection Law (or any analogous term, such as "special categories of personal data").
"Swiss DPA" means Switzerland’s Federal Data Protection Act of 1992 and the revised version of 25 September 2020 (as amended or superseded).
"Standard Contractual Clauses" means (i) where the EU GDPR applies or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
“UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018.
1. Applicability. This Section A1 – Joint Controller Terms apply solely to the Parties’ Joint Processing, as defined above, in connection with the SDK integration.
2. Roles. The Parties each acknowledge and agree that they are Joint Controllers in accordance with Article 26 GDPR for any Joint Processing and these Joint Controller Terms determine the Parties' responsibilities for compliance with GDPR with respect to the Joint Processing. All other responsibilities for compliance with obligations under GDPR regarding the Joint Processing not referred to in these Joint Controller Terms remain with each of TikTok Pangle and Partner individually. If Partner is contacted by a supervisory authority or Data Subject with regard to the Joint Processing (each a "Request"), Partner will promptly notify TikTok Pangle at pangle_support@tiktok.com and provide all timely information, cooperation and assistance as TikTok Pangle reasonably requires in relation to such Request. Partner is not authorised to act or answer such Request on TikTok Pangle's behalf.
3. Responsibilities. TikTok Pangle and Partner's GDPR compliance responsibilities with respect to the Joint Processing shall be as follows:
| GDPR compliance responsibility | TikTok Pangle's responsibility | Partner's responsibility |
A. | Art 6: Legal Basis | X TikTok Pangle has the responsibility to establish a lawful basis in respect of its own processing of Personal Data. | X Partner has responsibility to establish a lawful basis in respect of its own processing of Personal Data. In addition, to the extent that TikTok Pangle Technology accesses or stores information (including Personal Data), Partner must obtain all necessary and verifiable consents required by virtue of Applicable Data Protection Law and the Agreement. |
B. | Arts 13, 14: Information | X TikTok Pangle will display (or procure the display of) a publicly-available privacy notice describing its processing activities (including the Joint Processing) that meets the requirements of Article 13 and 14 of GDPR. | X Partner must display (or procure the display of) a privacy notice describing its processing activities (including the Joint Processing) to meet the requirements of Article 13 and 14. This includes as a minimum the provision of the following information: ● That TikTok Pangle is a Joint Controller of the Joint Processing. ● That Partner uses TikTok Pangle Technology which enables the collection and transmission of Personal Data for the Permitted Purpose. ● That further information on how TikTok Pangle processes Personal Data, including the legal basis TikTok Pangle relies on and the ways to exercise Data Subject rights against TikTok Pangle, can be found in the TikTok Pangle Privacy Policy (with a link to that policy). In addition, to the extent that the TikTok Pangle Technology accesses or stores information (including Personal Data), Partner must also provide clear and comprehensive information about such access or storage to Data Subjects as required by Applicable Data Protection Law and the Agreement. |
C. | Art 26(2): Making available Joint Controller Terms |
| X This includes as a minimum the provision of the following information: That Partner and TikTok Pangle have: ● entered into these Joint Controller Terms to determine their respective responsibilities for compliance with the obligations under GDPR with regard to the Joint Processing; ● agreed that Partner is responsible for providing Data Subjects as a minimum with the information listed under point B in this table above; and ● agreed that between the Parties, TikTok Pangle is responsible for enabling Data Subjects' rights under Articles 15-20 of GDPR with regard to the Personal Data stored or otherwise Processed by TikTok Pangle after the Joint Processing. |
D. | Art 15-20: Subject Rights | X
TikTok Pangle shall respond to the exercise of any Data Subject rights under Articles 15-20 GDPR in respect of Personal Data processed by TikTok Pangle with regard to the Joint Processing. |
|
E. | Art 21: Right to object | X TikTok Pangle will enable Data Subjects to exercise their right to object in respect of its own Processing of Personal Data. | X Partner will enable Data Subjects to exercise their right to object in respect of Partner's Processing of Personal Data. |
F. | Art 32: Security | X TikTok Pangle in respect of security of the TikTok Pangle Technology. | X Partner in relation to its correct technical implementation and configuration of the TikTok Pangle Technology. |
G. | Arts 33, 34: Personal Data Breaches | X TikTok Pangle will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns TikTok Pangle's security obligations under these Joint Controller Terms.
| X Partner will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns its security obligations under these Joint Controller Terms. |
4. Applicability. This Section A2 – Independent Controller Terms apply to any processing performed by the Parties after the completion of the Joint Processing, and to any processing carried out under other integration models where the Parties acts as independent Controllers.
5. Roles. The Parties each acknowledge and agree that they are separate and independent Controllers. If Partner is contacted by a supervisory authority with regard to the processing under the Agreement (each a “Request”), Partner will promptly notify TikTok Pangle at pangle_support@tiktok.com and provide all timely information, cooperation and assistance as TikTok Pangle reasonably requires in relation to such Request. Partner is not authorised to act or answer such Request on TikTok Pangle's behalf.
1. Where Partner makes a Restricted Transfer of Personal Data to TikTok Pangle pursuant to the Agreement, the Standard Contractual Clauses shall apply between Partner (as the data exporter) and TikTok Pangle (as the data importer) as follows:
(a) Where the EU GDPR applies to the Restricted Transfer of Personal Data, the EU SCCs will apply as follows: (i) Module One will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in the Data Processing Description; and (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in the Standard Security Measures; and
(b) Where the UK GDPR applies to the Restricted Transfer of Personal Data, Partner and TikTok Pangle hereby agree that the EU SCCs, as amended by the UK Addendum, are incorporated into the Agreement and shall be deemed completed as follows: (i) the EU SCCs shall be deemed completed as set out above in sub-clause 1(a) of this Section B – Restricted Transfer; and (ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in sub-clause 1(a) of this Section B – Restricted Transfer; (iii) the option “Importer” shall be deemed checked in Table 4; and (iv) the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of the Agreement; and
(c) in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in sub-clause 1(a) of this Section B – Restricted Transfer with the following amendments: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’, (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), (v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
2. If the Parties' compliance with GDPR or UK GDPR or Swiss DPA requirements relating to international transfers of Personal Data is affected by circumstances outside of the Parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance.
1. If a Property is within the IAB Europe Transparency & Consent Framework, Partner shall (or shall procure that the relevant Publisher shall) comply fully with the policies of the IAB Europe Transparency & Consent Framework Policies currently available at: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/.