1. BACKGROUND AND PURPOSE
Adnuntius AS (Processor) and the Customer as specified in the applicable Order Form (Controller) have entered into an agreement, where Processor delivers certain services (Services) to Controller under the applicable Order Form, which necessitate the Processing of Personal Data. The Services may include digital advertising software for direct and programmatic advertising, data management software, personalization software, and/or consent management software. Processor and Controller will be collectively referred to as the “Parties”.
Whereas the Processor is in the business of developing and marketing software;
Whereas the Controller is the owner of a set of online properties using the software;
The Parties hereby agree to supplement the Master Terms (located at http://www.adnuntius.com/terms) in order to formalize the terms and conditions that will be applicable to the processing of personal data related to the Master Terms. The purpose is to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of the data subjects and ensure that both Parties follow the applicable data protection law.
"Applicable data protection law" shall mean applicable legislation protecting data subjects' right to privacy with respect to the processing of personal data, including but not limited to the GDPR and any local implementation laws.
"Consent", "controller", "processor", "data subject", "personal data", "personal data breach", "processing", "supervisory authority" and other terms in the GDPR shall have the same meaning as set out in the GDPR.
"GDPR" shall mean the EU General Data Protection Regulation 2016/679.
"Publisher Property" means the websites, mobile applications and/or other digital media properties owned or operated by the Controller, using Adnuntius’ Services.
"Standard contractual clauses" shall mean the standard contractual clauses for the transfer of personal data to data processors established in third countries, laid down by the EU Commission decision of 5 February 2010.
3. THE PURPOSE OF PROCESSING
Processor delivers a digital marketing platform that enables Controller to gather and apply user information for the following purposes.
3.1. Gather Personal Data for analytical purposes. Processor gathers information about which pages and what content users consume, where they are at the time of consumption, which devices they use and what they search for. This data is presented as aggregated information through a user interface and API, enabling Controller to better understand user behavior on its properties where Processor gathers data on behalf of the Controller.
3.2. Gather Personal Data to target advertisements to users’ preferences. Processor gathers information about which pages and what content users consume, where they are at the time of consumption, which devices they use, what they search for, and which ads have been seen by the user. This data is made available as targeting criteria in advertising software enabling Controller to book advertisements directly and programmatically.
3.3. Gather Personal Data to personalize editorial content to users’ preferences. Processor gathers information about which pages and what content users consume, where they are at the time of consumption, which devices they use and what they search for. This data is used to build user profiles, which are in turn made available in personalization software enabling Controller to target editorial content to each user based on their user profiles.
Detailed information on what Personal Data is gathered and the use of sub-processors is described here: https://docs.google.com/spreadsheets/d/1fZOwQFU0MZhO_ZU5iHPUprBkcb6yzo2TWMTgC_zNGew/edit#gid=0.
4. PROCESSOR’S OBLIGATIONS
The Processor shall, when Processing Personal Data according to this agreement, comply with Applicable Data Protection Law. The processor shall not by actions or omission of actions put the Controller in a situation where the Controller is in breach of any provision of Applicable Data Protection Law. The Processor shall process data solely according to the instructions of the Controller.
The Processor shall provide the Controller with reasonable cooperation and assistance to ensure that the Controller complies with its requirements under Applicable Data Protection Law. The Processor shall provide the Controller with solutions enabling data subjects to delete Personal Data.
The Processing shall be limited to the categories of personal data and the categories of the data subjects as specified here: https://docs.google.com/spreadsheets/d/1fZOwQFU0MZhO_ZU5iHPUprBkcb6yzo2TWMTgC_zNGew/edit#gid=0. Here, the Processor shall also keep updated information about tracking mechanisms, responsible parties, sub-processors and other information needed by the Controller.
The Controller retains the formal control of and all ownership to the personal data processed by the Processor and any Sub-Processors hereunder. The Processor shall not have a right of disposition of the personal data, and shall not process them for the Processor’s own purposes.
In case of a data breach resulting in unauthorized disclosure of personal data, the Processor shall without undue delay notify the Controller. The Processor shall without undue delay restore appropriate security levels, and rectify any errors resulting in the breach.
5. CONTROLLER’S OBLIGATIONS
The Controller shall obtain all necessary permissions from relevant data subjects, in order to lawfully permit Adnuntius to collect, process and share personal data in accordance with this Data Processing Agreement. The Controller shall make available a mechanism for obtaining such permissions from data subjects, and for allowing data subjects to withdraw such permissions, as required by Applicable data protection law.
The Controller shall maintain a record of all permissions obtained from data subjects as required by Applicable data protection law, including the time and date on which consent was obtained, the information presented to data subjects in connection with their giving consent, and details of the mechanism used to obtain consent. Publisher shall maintain a record of the same information in relation to all withdrawals of consent by data subjects.
The Controller shall post, maintain and abide by a publicly accessible privacy notice within its Publisher Properties from which the Personal Data is collected, in accordance with Applicable data protection law.
If unable to fulfill its obligations under this Data Processing Agreement, the Controller shall without undue delay notify Processor.
6. USE OF SUB-PROCESSORS
The Processor may sub-contract any of its Processing activities pursuant to article 28 paragraph 4 of the GDPR, upon written notice to Controller. If a Sub-processor engaged in accordance with Section 4 of this Data Processor Agreement is established or otherwise Processes Personal Data outside the EEA, Controller empowers the Processor, in the name of and on behalf of the Controller, to enter into a data processing agreement with such sub-processor that incorporates the Standard Contractual Clauses in non-amended form, if required by Applicable Data Protection Law.
The Processor’s use of sub-processors is described here: https://docs.google.com/spreadsheets/d/1fZOwQFU0MZhO_ZU5iHPUprBkcb6yzo2TWMTgC_zNGew/edit#gid=14801067.
7. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor shall implement and maintain throughout the term appropriate technical and organizational security measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. These measures shall ensure a level of security appropriate to the risk presented to the processing and the nature of the personal data to be protected having regard to the state of the art and the cost of their implementation.
The Processor shall limit access to the personal data to relevant personnel. The Processor shall ensure that all personnel authorised to process the personal data have committed themselves to confidentiality.
The Processor shall make available to the Controller technical and organizational security measures upon reasonable request, so that the Controller is able to fulfil his responsibility as Controller as set forth in Applicable Data Protection Law.
The Processor shall have a responsible person and data protection officer taking responsibility for ongoing compliance with Applicable data protection law. The responsible persons are listed here: https://docs.google.com/spreadsheets/d/1fZOwQFU0MZhO_ZU5iHPUprBkcb6yzo2TWMTgC_zNGew/edit#gid=117015682.
The Controller shall be allowed to perform annual audits. If the Controller chooses to perform such an audit, it shall be signaled to the Processor no less than 90 days in advance. The Controller shall perform such audit without causing significant interruptions to the Processor’s regular operations.
The audit shall not grant the Controller access to trade secrets or proprietary information unless required to comply with Applicable Data Protection Law. The Controller shall ensure its personnel conducting such audit are subject to adequate secrecy obligations.
If the parties agree that an audit is to be performed by external auditors, such external auditor is to be appointed by the Controller. The Processor may only oppose the appointment if such auditor is a competitor of the Processor. Upon security audits performed by an external auditor, both parties shall be entitled to receive a copy of the audit report.
If the audit reveals non-compliance with this Data Processor Agreement, the Processor shall (and, if relevant, shall procure that the relevant Sub-processor shall) without undue delay remedy such inadequacy or non-compliance.
Each party shall cover its own costs associated with an audit.
9. DATA LOCATIONS AND TRANSFER
The Processing activities (including storage) shall take place on the location(s) set out here: https://docs.google.com/spreadsheets/d/1fZOwQFU0MZhO_ZU5iHPUprBkcb6yzo2TWMTgC_zNGew/edit#gid=14801067.
The Processor may transfer data if this is required by EU law or by any EU member state law to which the processor is subject, provided that the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Each party is liable to the other for any loss, damage, cost, claim, fine and/or expense (any such a “Loss”) incurred by the other Party, which arise from the first mentioned party’s breach of its obligations under this Data Processing Agreement or acts of omissions in breach of applicable law. The Parties’ respective liability is for direct Loss only and under no circumstance for indirect loss, such as loss of profit or opportunity or otherwise.
11. TERM AND TERMINATION
This Data Processing Agreement shall be effective for the duration of the Service Agreement from the date this Data Processing Agreement is signed by both parties. This Agreement expires when the Service Agreement expires.
Upon termination of the Data Processing Agreement the Processor (and its permitted Sub-Processors) the Controller shall immediately remove any tracking mechanisms used by the Processor for Processing. The Processor shall immediately cease to process the personal data. The Processor shall promptly, without undue delay, return all personal data and securely delete any remaining personal data belonging to the Controller.
The Controller and Processor shall agree to changes in this Data Processing Agreement to reflect and comply with changes in Applicable data protection law.
13. GOVERNING LAW AND JURISDICTION
The Data Processing Agreement shall be governed by and construed in accordance with the provisions of governing law set out in the Master Terms, save for mandatory provisions in Applicable Data Protection Law. Any dispute arising out of this Data Processing Agreement shall be resolved in accordance with the provisions on jurisdiction and dispute resolution set out in the Master Terms.