Operate Services – Data Processing Addendum

Updated: September 21, 2021

This Data Processing Addendum (this “DPA”) is incorporated into and forms an integral part of the Unity Operate Terms of Service, available at https://unity3d.com/legal/one-operate-services-terms-of-service, or, as applicable, an offline agreement relating to the subject matter therein (the “Terms of Service”) between Unity Technologies SF, on behalf of itself and its Affiliates (collectively, “Unity”) and you (“Customer” or “you”), each a “party” and collectively the “parties”.  Acceptance of the Terms of Service includes acceptance of this DPA. Capitalized but undefined terms used in this DPA will have the meanings assigned to those terms in the Terms of Service. 

To the extent you are using the services named herein and absent any other offline agreement, you shall be deemed to have accepted this DPA and applicable Standard Contractual Clauses upon acceptance or execution of the applicable Terms of Service. Unity has pre-signed a copy of this document and accompanying SCCs which you may download, execute on your side, and return to DPA@unity3d.com.

1. Scope of Addendum

1.1 Applicable Data Protection Law.  The parties agree that this DPA is designed to set forth the parties' obligations resulting from Applicable Data Protection Law. As such, the parties acknowledge and agree that this DPA will only apply to the extent, as applicable, that (a) EU Data Protection Law applies to the processing of personal data of data subjects located in  or from Customer located (or where Customer is a processor, where the relevant controller is located) in the EEA, UK, or Switzerland, (b) the LGPD applies to the processing of personal data of data subjects located in Brazil and to any  processing activity that is for the purpose of providing goods or services in Brazil, (c) the PIPEDA applies to the processing of personal data of data subjects located in Canada; (d) Personal Data Protection Act, Act No. 25.326 of 2000 applies to the processing of personal data within the territory of Argentina, and (e) the CCPA applies to the processing of personal data of data subjects located in the State of California, United States of America. 

1.2 Non-Applicable Data Protection Law.  Notwithstanding the foregoing, where applicable, certain Additional Terms for Non-Applicable Data Protection Law will supplement this DPA, as set forth Section 8.


2. Definitions

2.1 "controller", "processor", "data subject", "personal data", “personal data breach”, and "processing" (and "process") shall have the meanings given in EU Data Protection Law; provided, however, that:

2.1.1 To the extent that the CCPA is applicable, the definition of “personal data” includes “Personal Information”; the definition of “data subject” includes “Consumer”; the definition of “controller” includes “Business”; and the definition of “processor” includes “Service Provider”, all as defined under the CCPA. 

2.2Additional Terms for Non-Applicable Data Protection Law” means the additional terms referred to in Section 8, which reflect the parties’ agreement on the terms governing the processing of certain data in connection with certain other data protection regulations.

2.3Advertiser” means any party placing advertisements with Unity pursuant to the Terms of Service.

2.4Affiliates” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

2.5Applicable Data Protection Law” means (i) EU Data Protection Law; and (ii) Non-EU Data Protection Law.

2.6Argentina Data Protection Law” means Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') and Decree No.1558/2001 Regulating Law No. 25.326 ('the Decree'), amended by DecreeNo. 1160/10. 

2.7Argentinian Model Clauses” mean the model contract for the international transfer of “personal data” (as defined under Argentina Data Protection Law) to other countries that do not provide an adequate level of protection for personal data related to Data Subjects residing in Argentina, as set out in Disposition 60-E/2016.”

2.8Compliance Tool” means Unity’s self-serve tools made available to data subjects by Unity for the purposes of exercising their rights under Applicable Data Protection Law.

2.9DPA 2018” means the UK Data Protection Act, 2018. 

2.10End User” means customers of Customer and/or the viewers of Publishers’ and/or Advertisers’ content.

2.11 "EU Data Protection Law" means (i) the GDPR; (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii) including the UK GDPR and the DPA 2018.

2.12GDPR” means the EU General Data Protection Regulation 2016/679.

2.13Non-EU Data Protection Law” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law ("LGPD"); and Argentina Data Protection Law.

2.14Publisher” means any distributor of software and services for whom Unity provides monetization or backend services for such publisher’s software and services under the Terms of Service.

2.15SCCs” means the standard contractual clauses approved by the European Commission, as may be updated from time to time, for so long as this DPA is effective (in accordance with Section 4.6) for the transfer of personal data to third countries, with the applicable annex to the SCCs as set forth in Appendix A, below.  

2.16Security, Privacy and Architecture Documentation” means the Security, Privacy and Architecture Documentation applicable to the Services purchased by Customer, as described in summaries that Unity generally makes available to its Customers as updated from time to time, or otherwise made reasonably available by Unity.

2.17Services” means the Controller Services and/or Processor Services (as outlined in Section 3) used by Customer pursuant to the Terms of Service.

2.18Sub-Processor” means any entity that Unity engages to process Customer’s personal data on behalf of Unity, which entities may include Unity’s Affiliates.

2.19UK GDPR” means the EU General Data Protection Regulation 2016/679, as incorporated into UK Data Protection Law. 


3. Controller and Processor Services

3.1 Controller Services.  “Controller Services” as used herein shall refer to any Unity services identified in the applicable Terms of Service as Controller Services.

3.2 Processor Services.  “Processor Services” as used herein shall refer to any Unity services identified in the applicable Terms of Service as Processor Services.

3.3 Updates to Services Unity may update the foregoing designation of Controller Services and Processor Services from time to time, subject to the terms and conditions of the Terms of Service and this DPA.

4. General Terms and Conditions

4.1 Control/Application of the DPAIn the event of any conflict or discrepancy between      the      SCCs, the Additional Terms for Non-Applicable Data Protection Law, the Terms of Service, and the terms and conditions of this DPA, the following order of precedence will apply: (a) the       SCCs (where      applicable), (b) the Additional Terms for Non-Applicable Data Protection Law, (c) this DPA, and (d)  the Terms of Service. This DPA applies only to Customer, and Unity and does not confer any rights to any third party hereunder.  This DPA does not replace any additional rights related to privacy or data security set forth in the Terms of Service.

4.2 Treatment of Data Rights and Restrictions in Other Agreements.  Customer agrees that this DPA does not enlarge any rights provided for in the Terms of Service, and Customer continues to be limited to the data use rights and restrictions provided for therein.

4.3 Limitations of Liability.  This DPA in no way alters the limitations of liability or other legal terms set out in the Terms of Service.

4.4 Advertiser’s Mobile Measurement Partners. Where Customer is an Advertiser, it agrees that, to the extent it requires Unity to present data to a third party install tracker in connection with trafficking of its advertising campaigns, that it has such third parties under a valid data processing agreement clearly directing the install tracker as to its usage instructions, duties, and liabilities for processing such data.

4.5 Compliance with Law/Public Notices.  Each party shall maintain a publicly-accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Data Protection Law. Customer shall list Unity as a third party that is collecting data within its application in its publicly available privacy policy, including by providing a link to Unity’s privacy policy.  Customer agrees to keep up to date versions of Unity software and services installed in their applications as Unity identifies as necessary to permit Unity to maintain its compliance with law.  By way of example and without limiting the generality of the foregoing, Unity relies on Customer updating its applications with software changes made to provide certain opportunities for End Users to exercise their rights to disclosure and deletion requests; however, updates unrelated to compliance with law may occur from time to time which are not subject to this Section 4.5 nor governed by this DPA. 

4.6 Term and Termination.  This DPA will become effective as of the date Customer has accepted both: (i) a valid Terms of Service; and (ii) solely to the extent this DPA is not already incorporated into such Terms of Service, this DPA.  Subject to Section      4.8, This DPA will terminate simultaneously and automatically upon the termination of the Terms of Service.  Unity may terminate this DPA (in whole or in part) at any time upon notice to Customer if Unity offers alternative means to Customer that complies with Applicable Data Protection Laws.  Customer may terminate this DPA at Customer’s discretion upon Unity’s receipt of Customer’s written notice of termination.

4.7 Governing Law. To the extent required by Applicable Data Protection Law, this DPA will be governed by the laws of the applicable jurisdiction.  In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Terms of Service.

4.8 Survival.  This DPA shall survive termination or expiry of any terms of service or other agreement to permit Unity to comply with its legal obligations.  Upon termination or expiry of the Parties’ relationship, Unity may continue to process the personal data provided that such processing complies with the requirements of this Section 4.8 and otherwise with Applicable Data Protection Law.


5. Controller-Controller Terms. 

The Controller-Controller Terms set forth in this Section 5 will apply only in connection with Customer’s use of the Controller Services and Unity’s processing of personal data in connection therewith.

5.1 Relationship of the Parties.  Subject to Section 4.2, the parties acknowledge and agree in connection with the processing of personal data for Controller Services, each party (a) is an independent controller of the personal data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of personal data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the personal data.

5.2 Purpose of Processing.  Customer will permit the disclosure of the personal data described in the Terms of Service or otherwise herein for the applicable Controller Services to Unity to process as a controller of the personal data for the purposes described in Unity’s Privacy Policy as applicable by Controller Services to which Customer subscribes (the "Permitted Purpose").  Specifically, and notwithstanding anything to the contrary in any prior data processing addendum, Unity shall use the personal data in an identified format to make targeting decisions within its services, provide monetization services to its customers, assist its customers with maintaining their own services, improving its services, and analyzing the marketplace for its services as well as the performance of its services. Notwithstanding the foregoing, data obtained by Unity independent of Customer using Unity software or services that is the same or similar to the personal data described herein shall not be restricted by this Addendum, any license agreement, or any terms or conditions for such services. For the avoidance of doubt, Unity may use all personal data collected on an aggregated or de-identified basis as set out in its Privacy Policy, provided that such use does not reveal End Users or any End User device directly or indirectly.

5.3 Security.  Each party shall implement appropriate technical and organizational measures to protect the personal data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the personal data (a "Security Incident").  In the event that a party suffers a confirmed Security Incident, it shall notify the other party without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.   Nothing herein prohibits either party from moving forward to notify regulatory authorities as may be required by law prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay.

5.4 Transfers of Personal Data.

  • General Obligations for Transfer of Data. Either party may transfer personal data to third countries if such transfer complies with the provisions for the transfer of such data set forth in Applicable Data Protection Law. To the extent 5.4.c applies below, Customer represents that they are able to act as an exporting controller of data whether by their organisation being within the European Union or by being subject to categorization under Clause 13(a) of the SCCs as an organization capable of acting as an exporter from the European Union..

  • Transfers of EEA Personal Data to Customer To the extent that Unity transfers personal data subject to EU Data Protection Law to Customer and Customer is established in a country outside of the EEA that is not subject to an adequacy decision, then Customer will be deemed to have entered into the required SCCs as the data importer with Unity Technologies ApS, a Danish corporation,  as the data exporter, and such transfers will be subject to those SCCs.

  • Transfers of EEA Personal Data to Unity. To the extent that Customer transfers personal data subject to EU Data Protection Law to Unity,  then Customer will be deemed to have entered into the required SCCs as the data exporter with Unity Technologies SF, a California corporation, as the data importer, and such transfers will be subject to those      SCCs.

  • Transfers of Brazilian Personal Data. To the extent that a party transfers personal data subject to the LGPD to the other party, then the transferring party will be deemed to have entered into the required SCCs as the data exporter with the receiving party as the data importer, and such transfers will be subject to those SCCs. With respect to Unity, such SCCs shall be deemed to be entered into by Unity Technologies SF, a California corporation.

  • Transfers of Personal Data from Argentina to outside of Argentina To the extent that provision of the Services involves the transfer of personal data from Argentina to outside of Argentina (either directly or via onward transfer) to a jurisdiction that does not have adequate legislation in the terms of article 12 of Law No. 25,326 and its regulatory Decree No. 1558/01, then the parties will be deemed to have entered into the required Argentinian Model Clauses, and such transfers will be subject to those Model Clauses. The roles of the parties and the  description of transfers, for the purposes of Annex A to the Argentinian Model Clauses, is set out in Appendix A. 


6. Controller-Processor Terms.

​The Controller-Processor Terms set forth in this Section 6 will apply only in connection with Customer’s use of the Processor Services and Unity’s processing of personal data in connection therewith.

6.1 Processing of Customer Personal Data

6.1.1 Relationship of the Parties The parties acknowledge and agree that with regard to the processing of personal data for Processor Services: (a) Customer is a controller or processor, as applicable, of the personal data under Applicable Data Protection Law; (b) Unity is a processor of the personal data under Applicable Data Protection Law or, where Customer is a processor, Unity is a sub-processor of the personal data under Applicable Data Protection Law; and (c) each party will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of personal data. If Customer is a processor, Customer represents and warrants to Unity that Customer’s instructions and actions with respect to personal data, including its appointment of Unity as another processor, have been authorized by the relevant controller and that such controller is organised in the European Union and capable of acting as a data exporter or is acting upon the instruction of a controller that is or is otherwise categorized as a qualified exporter under Clause 13(a) of the SCCs.

6.1.2 Customer’s Instructions For the purposes of this DPA and, if applicable, the SCCs, Customer instructs Unity to process personal data for the following purposes: (i) to store and use data as described more fully in the Terms of Service and any applicable descriptions of the Processor Services; and (ii) to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms and conditions of the Terms of Service, this DPA, and Applicable Data Protection Law. This DPA and the Terms of Service constitute Customer’s complete and final instructions to Unity for the Processing of Customer personal data. Any additional instructions that are inconsistent with the terms of the Terms of Service or this DPA must be agreed upon separately in a writing signed by authorized representatives of both parties.

6.1.3 Unity’s Processing of Personal Data.  In connection with Customer’s use of the Processor Services, Unity will only process personal data on behalf of and in accordance with Customer’s instructions and otherwise in accordance with the requirements of Applicable Data Protection Law.  Customer’s instructions for the Processing of personal data by Unity will comply with all Applicable Data Protection Law. Customer will have sole responsibility for the accuracy, quality, and legality of the personal data and the means by which Customer acquired such personal data. Customer agrees that Unity may and instructs Unity to transfer data to sub-processors in third countries under adequate protections equal to those found herein, including any SCCs.

6.1.4 Security of Processing Unity will secure Customer’s personal data by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required under Applicable Data Protection Law.  Such measures include those set forth in the Security, Privacy and Architecture Documentation.  Unity will not materially decrease the overall security of the Services during the term of the Terms of Service.

6.1.5 Personal Data Breach Notification Unity will notify you without undue delay after it becomes aware of a personal data breach.  To the extent such personal data breach is caused by a violation of the requirements of this DPA by Unity, Unity will make reasonable efforts to identify and remediate the cause of such personal data breach. Any notification of a personal data breach provided hereunder will not be construed as an acknowledgement by Unity of any fault or liability in connection with the personal data breach. Further, Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any personal data breach.

6.2 Compliance Assistance To the extent required by Applicable Data Protection Law, Unity agrees to provide you with reasonable assistance in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR and Articles 5, 6, 10, 38 and 46 of the LGPD, taking into account the nature of Unity’s processing and the information available to Unity.  Upon request from you, Unity will further provide commercially reasonable assistance to you by appropriate technical and organizational measures, insofar as this is possible, in relation to handling of a Data Subject’s request for exercising Data Subject’s rights set forth in Chapter III of the GDPR and Article 18 of the LGPD, taking into account the nature of Unity’s processing of personal data and solely to the extent you are unable to fulfill such requests through the Services.  You will be responsible for any costs arising from Unity’s provision of such assistance.

6.3 Data Subject Requests.  Notwithstanding the foregoing, if Unity receives a request from a data subject in relation to personal data, Unity will: (a) if the request is made via a Compliance Tool, respond directly to the data subject’s request in accordance with the standard functionality of the Compliance Tool, or (b) if the request is not made via a Compliance Tool, direct the data subject to submit his or her data subject request to Customer, and Customer will be responsible for responding to such request.

6.4 Government Requests. Unity will notify Customer about any legally binding request for disclosure of the personal data by a law enforcement or other public authority unless otherwise prohibited. 

6.5 Deletion of Customer Personal Data. Unity will delete all Customer personal data and copies thereof upon the request of Customer following termination or expiration of the Terms of Service and otherwise upon a rolling basis every thirty (30) days during the term of the Terms of Service, unless otherwise required by Applicable Data Protection Law and/or Customer’s instructions.  The parties agree that the certification of the deletion of Customer personal data will be provided by Unity to Customer upon Customer’s request at such times and in such manner as the Customer prescribes.

6.6 Audits.  Unity will make available to you all information necessary to demonstrate compliance with its obligations under the GDPR or UK GDPR.  Upon your written request at reasonable intervals, Unity will provide a copy of Unity’s then most recent summaries of third-party audits or certifications or other documentation, as applicable, that Unity generally makes available to its Customers at the time of such request. The parties agree that the audit rights described in Article 28 of the GDPR and, where applicable, as stipulated in the SCCs, will be satisfied by Unity’s provision of such summaries and/or reports.  

6.7 Unity Personnel

6.7.1 Confidentiality Unity will ensure that its personnel engaged in the processing of personal data are informed of the confidential nature of personal data, have received appropriate training on their responsibilities, and have either executed written confidentiality agreements no less protective than the confidentiality provisions set forth in Terms of Services or are under an appropriate statutory obligation of confidentiality.  Unity will ensure that such confidentiality obligations survive the termination of the personnel engagement.

6.7.2 Limitation of Access Unity will ensure that Unity’s access to personal data is limited to those personnel who require such access to perform under the Terms of Service.

6.7.3 Data Protection Officer Certain of Unity’s employees have been appointed as data protection officers where such appointment is required by Applicable Data Protection Law.  The appointed person may be reached at dpo@unity3d.com.

6.8 Sub-Processors

6.8.1 General Authorization.  To the extent required by Applicable Data Protection Law, you authorize Unity to subcontract processing of personal data under this DPA to Sub-processors, provided that Unity: (a) provides Customer with information about the Sub-processor(s) as may be reasonably requested by Customer from time to time; (b) flows down its obligations under this DPA to such Sub-processor, such that the processing requirements of such Sub-Processor with respect to Customer’s personal data are no less onerous than the processing requirements of Unity as set forth in this DPA; and (c) will be fully liable to Customer for the performance of the Sub-Processor’s obligations under this DPA if such Sub-Processor fails to fulfill its data protection obligations.  You agree that Unity has general written authorization to appoint sub-processors under Clause 9 of the SCCs.

6.8.2 New Sub-Processors.  Unity will inform you of any intended changes concerning the addition or replacement of Sub-processors and provide you with five (5) business days to make reasonable objections to any new Sub-processors.  In the event you reasonably object to a new Sub-processor, you may, as a sole remedy, terminate the applicable Terms of Service and this DPA with respect only to those Services that cannot be provided by Unity without the use of the objected-to Sub-processor by providing Unity with written notice provided that all amounts due under the Terms of Service shall be duly paid to Unity.  

6.8.3 Sub-Processor Agreement.  The parties agree that if copies of Unity’s agreements with a  Sub-Processor must be sent by Unity to Customer pursuant to Applicable Data Protection Law, such copies may have all commercial information and provisions unrelated to this DPA redacted by Unity beforehand; and, that such copies will be provided by Unity only upon reasonable request by Customer.

6.9 Transfers of Personal Data

6.9.1 General Obligations for Transfer of Data. Either party may transfer personal data to third countries if such transfer complies with the provisions for the transfer of such data set forth in Applicable Data Protection Law.

6.9.2 Customer agrees that Unity may and instructs Unity to transfer data to sub-processors in third countries under adequate protections equal to those found herein, including any SCCs. Unity may enter agreements as necessary to fulfill the requirements laid down herein.

6.9.3 Transfers of EEA Personal Data to Unity. To the extent that Customer transfers personal data subject to EU Data Protection Law to Unity, then Customer will be deemed to have entered into the required SCCs as the data exporter with Unity Technologies SF as the data importer, and such transfers will be subject to those SCCs. 

6.9.4 Transfers of Brazilian Personal Data to Unity. To the extent that Customer transfers personal data subject to the LGDP to Unity, then Customer will be deemed to have entered into the required SCCs as the data exporter with Unity Technologies SF as the data importer, and such transfers will be subject to those SCCs. 

6.9.5 Transfers of Personal Data from Argentina to outside of Argentina. To the extent that  the provision of the Services involves the transfer of Personal Data from Argentina to outside of Argentina (either directly or via onward transfer) to a jurisdiction that does not have adequate legislation in the terms of article 12 of Law No. 25,326 and its regulatory Decree No. 1558/01, then Customer will be deemed to have entered into the required Argentinian Model Clauses as the data exporter with Unity Technologies SF as the data importer, and such transfers will be subject to those Model Clauses. The description of transfers, for the purposes of Annex A to the Argentinian Model Clauses, is set out in Appendix A. 


7. Changes to this DPA.

7.1 Unity may update the terms of this Addendum from time to time, including, but not limited to: (a) as set forth in Section 3.3; (b) as required to comply with Applicable Data Protection Law, applicable regulation, court order, or regulatory guidance; or (c) to add new Additional Terms for Non-Applicable Data Protection Law.  If such update will have a material adverse impact on Customer, as reasonably determined by Unity, then Unity will use reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with Applicable Data Protection Law) before the change will take effect. If Customer objects to any such change, Customer may terminate this DPA by giving written notice to Unity within 30 days of being informed by Unity of the change.


8. Additional Terms for Non-Applicable  Data Protection Laws

8.1 The parties acknowledge that data protection laws in addition to Applicable Data Protection Law may apply to the parties’ processing of Personal Data.

8.2 Japan. This Section of this DPA applies to all transfers and provisions of Personal Information or Personal Data from Customer to Unity as contemplated by the Terms of Service if the Personal Information or Personal Data is regulated under the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015 and thereafter) ('APPI'), including where applicable, rules, guidance and codes of practices issued by the regulatory bodies of Japan hereinafter, “Japanese Data Protection Laws.” Terms not otherwise defined in Section 2 shall have the meaning ascribed to it by the Japanese Data Protection Laws.

8.2.1 Controller Services.To the extent Controller Services listed under Section 3.1 are subject to Japanese Data Protection Laws, Unity, as a Business Operator Handling Personal Information, is responsible for the handling of Personal Information or Personal Data in its possession. Customer is responsible for providing any consents and notices required to permit (a) Customer's use and receipt of the Controller Services and (b) Unity’s accessing, storing, and processing of data provided by Customer (including Personal Information or Personal Data, if applicable) under the DPA. Additionally, Customer agrees to obtain the consent of each principal to the Provision of Personal Data to a Third Party including those in a Foreign Country as contemplated under this DPA providing necessary information for the principal to give consent thereto, if and to the extent required under the Japanese Data Protection Laws.

8.2.1.1 Purpose of Use.The Customer shall permit Unity to utilize the  Personal Information or Personal Data within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing.

8.2.1.2 Compliance. Unity and the Customer shall warrant that the necessary proceedings under the Japanese Data Protection Laws have been implemented, including, without limitation, the recording of any transfer of Personal Data to a Third Party or receipt of Personal Data from a Third Party.

8.2.1.3 Safety Measures. Unity and the Customer shall comply with Japanese Data Protection Laws and take necessary measures for the management of Personal Information or Personal Data.

8.2.1.4 ​In the case that the Customer provides Personal Information or Anonymously Processed Information, or Pseudonymously Processed Information under Japanese Data Protection Laws to Unity in effecting the Permitted Purpose, the Customer shall specify to that effect in advance.  In the case that the Customer provides Anonymously Processed Information or Pseudonymously Processed Information  to Unity in effecting the Permitted Purpose , the Customer shall warrant that the proceedings under the Japanese Data Protection Laws have been implemented with respect to the Anonymously Processed Information or Pseudonymously Processed Information in order to qualify as such.

8.2.1.4.1 Unity shall, if the data have been provided in accordance with Section 8.2.1.4, comply with Japanese Data Protection Laws and take any measures required thereof for the management of the applicable data.

8.2.1.5 Unity shall at all times implement appropriate technical, physical, personnel and organizational measures designed to safeguard Personal Information or Personal Data as required by Japanese Data Protection Laws.

8.2.2 Processor Services. To the extent that Processor Services listed under Section 3.2 is subject to Japanese Data Protection Laws the definition of “processor” includes an entity entrusted by the Business Operator Handling Personal Information the handling of Personal Information or Personal Data in whole or in part within the scope necessary for the achievement of the purpose of utilization (also a “trustee”), as described under Japanese Data Protection Laws. Customer may exercise necessary and appropriate supervision over the the trustees including subcontractor to ensure the proper security management of the Personal Information or Personal Data.

8.2.2.1 Customer is responsible for providing any consents and notices required to permit (a) Customer's use and receipt of the Processor’s Services and (b) Unity’s accessing, storing, and processing of data provided by Customer (including Personal Information or Personal Data, if applicable) under the DPA. Additionally, Customer agrees to obtain the consent of each principal to the Provision of Personal Data to a Third Party including those in a Foreign Country as contemplated under this DPA by providing necessary information for the principal to give consent thereto, if and to the extent required under the Japanese Data Protection Laws.

8.2.2.2 To the extent required by Japanese Data Protection Laws, Sections 8.2.1.1 to 8.2.1.5 are incorporated by reference as if fully stated forth herein.

8.3 South Korea. This Section of this DPA applies to all transfers and provisions of Personal Information from Customer to Unity as contemplated by the Terms of Service if the personal information is within the scope of the Personal Information from Customer and Unity from South Korea as contemplated by the Terms of Service. Terms not otherwise defined in Section 2 shall have the meaning ascribed to it by the Personal Information Protection Act, the Enforcement Decree and the Enforcement Rule thereof, the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2), the Standard Guidelines on Protection of Personal Information Personal Information Protection Commission Notification No. 2020-1), including where applicable rules, guidance’s and codes of practices issued by the regulatory bodies of South Korea. Hereinafter referred to “Korean Data Protection Laws.”

8.3.1 To the extent Controller Services listed under Section 3.1 is subject to Korean Data Protection Laws the Customer is solely responsible for obtaining any consents and giving any notices required to permit (a) Customer's use and receipt of the Services and (b) Unity’s accessing, storing, and processing of data provided by Customer (including Personal Information, if applicable) under the Terms of Service and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject for such third party provision and/or international data transfer as contemplated under this DPA if and to the extent required under the Korean Data Protection Laws.

8.3.1.1 The Customer shall permit Unity to utilize the Personal Information within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing.

8.3.1.2 Unity and the Customer shall warrant that the proceedings under the Korean Data Protection Laws have been implemented.

8.3.1.3 Unity and the Customer shall comply with Korean Data Protection Laws and take necessary measures for the management of Personal Information.

8.3.1.4 In the case that the Customer provides data containing personal information, Anonymized, or Pseudonymized Information under the Korean Data Protection Laws to Unity in effecting the Permitted Purpose, the Customer shall specify to that effect in advance.  In the case that the Customer provides Anonymized or Pseudonymized Information to Unity in effecting the Permitted Purpose, the Customer shall warrant that the proceedings under the Korean Data Protection Laws have been implemented with respect to Anonymized or Pseudonymized Information.

8.3.1.4.1 Unity shall, if the data have been provided in accordance with Section 8.3.1.4, comply with Korean Data Protection Laws and take any measures required for the management of the data.

8.3.1.5 Unity shall at all times implement appropriate technical and organizational measures designed to safeguard Personal Information as required by Korean Data Protection Laws.

8.3.2 To the extent that Processor Services listed under Section 3.2 is subject to Korean Data Protection Laws the Customer hereby entrusts Unity as a Service Provider and Unity hereby agrees to provide the processing of personal information related to the services listed under Section 3.2.

8.3.2.1 Service Provider shall perform personal information processing for  the Processor Services listed under Section 3.2 in accordance with the terms and conditions of this DPA.

8.3.2.2 Unless otherwise approved by the Customer in advance, Service Provider may not transfer or re-entrust all or a part of its rights and obligations hereunder to a third party. If Service Provider enters into an entrustment agreement with a third party in connection with this DPA, Service Provider shall inform and consult with the Customer prior to the execution of entrustment agreement.

8.3.2.3 Service Provider shall take managerial and technical measures necessary for securing safety of the personal information pursuant to Articles 23(2), 24(3) and 29 of the Personal Information Protection Act, Articles 21 and 30 of the Enforcement Decree thereof and the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2).

8.3.2.4 Service Provider shall not use the personal information beyond the scope of the tasks entrusted hereunder or disclose or divulge the personal information to any third party during the term of this DPAas well as after the termination of this DPA. Upon the termination or expiration of this DPA, Service Provider shall destroy or promptly return to the Customer the personal information in its possession regarding the tasks entrusted hereunder pursuant to Article 16 of the Enforcement Decree of the Personal Information Protection Act and the Standards on Measures to Ensure Personal Information Security (Personal Information Protection Commission Notification No. 2020-2). If Service Provider destroys the personal information in accordance with the above, Service Provider shall give notice thereof the Customer without undue delay.

8.3.2.5 The Customer may supervise Service Provider in connection with the following matters, and Service Provider shall reasonably comply with such supervision:  

  • Status of the personal information processing;
  • Status of those who can access the personal information and access logs thereof;
  • Compliance of the provisions prohibiting use or third party transfer of the personal information outside the scope of the intended purpose or re-entrustment;
  • Enforcement of measures necessary for securing safety such as encryption, etc.; and
  • Other matters necessary for the protection of the personal information.

8.3.2.6 The Customer may reasonably request documentation to inspect the status of the matters set forth in Section 8.3.2.5 above and require the Service Provider to make necessary corrections thereto. Service Provider shall make commercially reasonable efforts to comply with such requests and make such corrections unless it has a justifiable reason.

8.3.2.7 The Customer reserves the right to conduct training for Service Provider once a year in order to prevent loss, theft, leakage, alteration or damage of personal information, and Service Provider agrees to attend such training by the Customer.

8.3.2.8 The details of the training under Section 8.3.2.7 above, including the time and method, shall be implemented upon consultation between the Customer and Service Provider as necessary.

8.3.2.9 Either party shall indemnify the other party, data subject or any third party for any damages due to the breach of this Section 8.3 by itself or its officer, employee or trustee, or any damages due to termination of this DPA for causes attributable to itself or its officer, employee or trustee.

8.3.2.10 With respect to Section 8.3.2.9 above, if the other party compensates for all or a part of the damage incurred by the data subject or other third party, the other party has the right to claim reimbursement from the offending party.

8.4 Singapore. This Section of this DPA applies to all transfers and disclosures of Personal Data from Customer to Unity as contemplated by the Terms of Service if the personal data is within the scope of the Singapore’s Personal Data Protection Act 2012 (No. 26 of 2012), including where applicable, rules, guidance and codes of practices issued by the regulatory bodies of Singapore hereinafter, “Singapore Data Protection Laws”. Terms not otherwise defined in Section 8.4 shall have the meaning ascribed to it by the Singapore Data Protection Laws

8.4.1 To the extent Controller Services listed under Section 3.1 are subject to Singapore Data Protection Laws, Customer is responsible for any consents and notices required to permit (a) Customer's use and receipt of the Controller Services and (b) Unity’s accessing, storing, and processing of data provided by Customer (including Personal Data, if applicable) under the Terms of Service and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject to an International Data Transfer as contemplated under this DPAif and to the extent required under the Singapore Data Protection Laws. Personal Information may be transferred, as necessary, world-wide to provide the Controller Services under the Terms of Service.

8.4.1.1 Purpose. Unity shall comply with all its obligations under the PDPA at its own cost. Unity shall only process, use, or disclose Customer Personal Data: Strictly for the within the scope of the Permitted Purpose as stated under Section 5.2 Purpose of Processing of fulfilling its obligations and providing the services required under the Terms of Service; With the Customer’s prior written consent; or When required by law or and order of court, but shall notify the Customer as soon as practicable before complying with such law or order of court at its own costs

8.4.1.2 Accuracy and Correction of Personal Data. Where the Customer provides Customer Personal Data to Unity, the Customer shall make reasonable effort to ensure that the Customer Personal Data is accurate and complete before providing the same to Unity. Unity shall put in place adequate measures to ensure that the Customer Personal Data in its possession or control remain or is otherwise accurate and complete. In any case, Unity shall take steps to correct any errors in the Customer Personal Data, as soon as practicable upon the Customer’s written request.

8.4.1.3 Protection. Unity shall protect Customer Personal Data in Unity’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent unauthorized or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of Customer Personal Data, or other similar risks.

8.4.1.4 Retention limitation. Unity shall not retain Customer Personal Data (or any documents or records containing Customer Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this Terms of Service and this DPA.

8.4.1.5 Policies on personal data protection. Unity shall ensure that its employees, agents and sub-contractors who may receive or have access to any of Customer Personal Data are aware of the obligations specified under this clause and agree to abide by the same.

8.4.1.6 Access. The Contractor shall provide the Customer with access to the Customer Personal Data that the Contractor has in its possession or control, as soon as practicable upon Customer’s written request.

8.4.1.7 In the case that the Customer provides Personal Information or Anonymously Processed Information under Singapore Data Protection Laws to Unity in effecting the Purpose, the Customer shall specify that effect in advance.  In the case that the Customer provides Anonymously Processed Information to Unity in effecting the Purpose, the Customer shall warrant that the proceedings under the Singapore Data Protection Laws have been implemented with respect to the Anonymously Processed Information.

8.4.1.7.1 Unity shall, if the data have been provided in accordance with Section 8.4.1.7, comply with Singapore Data Protection Laws and take any measures required for the management of the data.

8.4.2 To the extent that Processor Services listed under Section 3.2 is subject to Singapore Data Protection Laws the definition of “processor” includes a  “data intermediary” as described under Singapore Data Protection Laws. Customer may exercise necessary and appropriate supervision over the data intermediary to ensure proper security management of the personal data

8.4.2.1 Customer is responsible for any consents and notices required to permit (a) Customer's use and receipt of the Processor’s Services and (b) Unity’s accessing, storing, and processing of data provided by Customer (including Personal Information, if applicable) under the Terms of Service and this DPA. Additionally, Customer agrees to obtain the consent of each Data Subject to an International Transfer as contemplated under this DPA if and to the extent required under the Singapore Data Protection Laws. Personal Information may be transferred, as necessary, world-wide to provide the Processor Services under the Terms of Service and this DPA.

8.4.2.1.1 Sections 8.4.1.2 to 8.4.1.6 are incorporated by reference as if fully said forth herein.

 

Appendix A

[FOR CONTROLLER SERVICES]

  • Unity Analytics (if used in conjunction with other Services)

  • Ads Service for Publishers

  • GameTune

  • GameFoundation

  • Audience PinPointer

  • User Acquisition

  • deltaDNA Predictive Segments

  • Unity IAP

  • Oto (SafeVox, DeepTone)

  • Server Side Recording

Annex I to Controller-Controller SCCs

A.   LIST OF PARTIES

Data exporter(s): 


Name: Customer, as identified in the applicable Offering Identification and/or Customer’s Service Account

Address: Customer’s address, as identified in the applicable Offering Identification and/or Customer’s Service Account

Contact person’s name, position and contact details: Customer’s point of contact, as identified in the applicable Offering Identification and/or Customer’s Service Account

Activities relevant to the data transferred under these Clauses: Storing and analyzing data to carry out the purposes of the data transfer

Signature and date: Deemed signed and effective as of the effective date set forth in the applicable Offering Identification or the date on which Customer started to use a Unity service, whichever is earlier.

Role (controller/processor): 

Controller 

Data importer(s): 

Name: Unity Technologies SF

Address: 30 3rd Street, San Francisco, CA 94103

Contact person’s name, position and contact details: Jamie Crabtree; DPO; dpo@unity3d.com

Activities relevant to the data transferred under these Clauses: Storing and analyzing data to carry out the purposes of the data transfer

Signature and date: Deemed signed and effective as of the effective date set forth in the applicable Offering Identification or the date on which Customer registered for any of the Operate Services or otherwise  accessed, enabled or utilized any of the Operate Services or Operate Service Assets, whichever is earlier. 

Role (controller/processor): 

Controller

 

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • End users of mobile applications who view ads, in-app content, and play games as well as the employees of our partners and vendors who participate or service our ad network 

  • Employees of Unity’s Customer

Categories of personal data transferred

  • End Users data including voice, advertising identifiers or device IDs (e.g. IDFA GAID) and IP address

  • Game play, in-app purchase, and device data, including device identifiers

  • Information related to the ad content or attribution data sent by Customer or Customer’s agent

  • Customers’/Vendors’ employees: Name, work address, email address, phone numbers, usernames of employees who access Unity’s ordering system to place advertisements, bid on the right to advertise to any End User, or any vendor employee who provides such information to Unity in performing services for Unity.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Transferred continuously

Nature of the processing

  • Storing and analyzing data to carry out the purposes of the data transfer  

Purpose(s) of the data transfer and further processing

  • For game players, the data is transferred to personalize advertising and in game purchase opportunities as well as to personalize game play.

  • To facilitate, support and operate games and player or user experiences 

  • In order to enable Customer to advertise, monetize, or otherwise provide services as described in an agreement between Unity and Customer.

  • To provide analytics reporting

  • For Unity’s internal purposes, including billing and payment processing, fraud prevention, and improving  products and services.

 The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Unity retains personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law.  The criteria used to determine our retention periods include:

  • The length of time Unity has an ongoing relationship with the data subject and/or Customer, including the provision of provision of services;

  • Whether there is a legal obligation to which Unity is subject;

  • Whether retention is advisable in light of our legal position 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Unity uses processors for storage and retention on a continuous basis for the duration of the retention period.

C.   COMPETENT SUPERVISORY AUTHORITY

Danish Data Protection Agency, Carl Jacobsens Vej 35, DK-2500 Valby; dt@datatilsynet.dk; +45 33 19 32 00

[and/or]

FOR PROCESSOR SERVICES

  • Remote Config

  • Unity Analytics (if not used in conjunction with other Services)

  • deltaDNA (excluding Predictive Segments)

  • Vivox

  • Multiplay

  • ChilliConnect 

  • Furioos

  • CCD / Cloud Content Delivery

 

​ANNEX I to Controller-Processor SCCs

A.   LIST OF PARTIES

Data exporter(s):

Name: Customer, as identified in the applicable Offering Identification and/or Customer’s Service Account,

Address: Customer’s address, as identified in the applicable Offering Identification and/or Customer’s Service Account

Contact person’s name, position and contact details: Customer’s point of contact, as identified in the applicable Offering Identification and/or Customer’s Service Account

Activities relevant to the data transferred under these Clauses: Oversight of common data protection program to assure uses of the transferred data are limited to the uses described herein.

Signature and date: Deemed signed and effective as of the effective date set forth in the applicable Offering Identification or the date on which Customer registered for any of the Operate Services or otherwise  accessed, enabled or utilized any of the Operate Services or Operate Service Assets, whichever is earlier. 

Role (controller)/processor): 

Controller

Data importer(s): 

Name: Unity Technologies SF

Address: 30 3rd Street, San Francisco, CA 94103

Contact person’s name, position and contact details: Jamie Crabtree, DPO dpo@unity3d.com

Activities relevant to the data transferred under these Clauses: Oversight of common data protection program to assure uses of the transferred data are limited to the uses described herein.

Signature and date: Deemed signed and effective as of the effective date set forth in the applicable Offering Identification or the date on which Customer registered for any of the Operate Services or otherwise  accessed, enabled or utilized any of the Operate Services or Operate Service Assets, whichever is earlier. 

Role (controller/processor): 

Processor

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • End users of applications using Unity’s services

  • Employees or contractors of Unity’s Customer 

Categories of personal data transferred

  • End user Device IDs and IP address; Player Stats; User ID (Multiplay only)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Transferred continuously

Nature of the processing

  • Storing and analyzing data to carry out the purposes of the data transfer

Purpose(s) of the data transfer and further processing

  • IAP, Remote Config - Personalize Game Play

  • To facilitate, support and operate games and player or user experiences

  • To provide analytics reporting

  • For Unity’s internal purposes, including billing and payment processing, fraud prevention, and improving  products and services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Unity retains personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law.  The criteria used to determine our retention periods include:

  • The length of time Unity has an ongoing relationship with the data subject and/or Customer, including the provision of services;

  • Whether there is a legal obligation to which Unity is subject;

  • Whether retention is advisable in light of our legal position

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Unity uses processors for storage and retention on a continuous basis for the duration of the retention period.

C.   COMPETENT SUPERVISORY AUTHORITY

Danish Data Protection Agency, Carl Jacobsens Vej 35, DK-2500 Valby; dt@datatilsynet.dk; +45 33 19 32 00

List of sub-processors available inside of your account settings page, or upon request to dpa@unity3d.com.

 

Back to Top