Data Processing Agreement
1 Background and Purpose
Adnuntius AS (Processor) and the Customer as specified in the applicable Order Form (Controller) have entered into an agreement, where Processor delivers certain services (Services) to Controller under the applicable Order Form, which may involve Processing of Personal Data.
Processor and Controller (hereafter referred to as the Parties) therefore agree to supplement the Terms and Conditions of using the Services with this Data Processing Agreement, which has as its purpose to secure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of data subjects, to describe the relationship between Controller and Processor and specify clear instructions for Processor, and to ensure that the Parties are made accountable applicable data protection law.
2 Definitions
“Applicable Data Protection Law” means any applicable legislation protecting data subjects’ right to transparency, control and/or privacy with respect to the processing of personal data. This includes but not limited to the EU General Data Protection Regulation 2016/679, and the Implementing Decision 914/2021/EU.
“Consent”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” and other terms in the GDPR mean the same as what is set out in the GDPR.
“GDPR” shall mean the EU General Data Protection Regulation 2016/679, including any future amendments such as, for example, those imposed by the Implementing Decision 914/2021/EU.
“Property” means the websites, mobile applications and/or other digital media properties owned or operated by the Controller, using Adnuntius’ Services.
“Standard contractual clauses” shall mean the standard contractual clauses in the currently valid version, for the transfer of personal data to data processors established in third countries, laid down by the EU Commission implementing decision of 4 June 2021.
3 Instructions and Purposes of Processing
Controller instructs Processor to process Personal Data on behalf of Controller as follows.
3.1 Device Cookies. Processor shall store Personal Data in device cookies so that Controller may identify Data Subjects across multiple sessions and page views, and to build a history of advertisements shown to and clicked by a Data Subject. The purpose of Processing is to enable Controller and potentially its customers to control frequency (how many times an ad has been shown to or clicked by a Data Subject), count how many Data Subjects have seen an advertisement and how many times a Data Subject has seen a particular advertisement, and to target ads to Data Subjects based on their historic actions on Controller’s Properties.
Processor shall perform such Processing to all Data Subjects sent to Processor from Controller. Controller shall have the right to ensure that no cookies or other mechanisms collecting user information are used, by implementing certain measures as described here. Details about the Personal Data processed is available here.
3.2 Location Targeting. Processor shall use Data Subjects’ IP address, or if Controller chooses to collect and send it, longitude and latitude, to identify Data Subjects’ geographical locations when they consume content on Controller’s Properties. The purpose of Processing is to enable Controller and potentially its customers to target ads to named locations or areas drawn on a map.
Processor shall perform such Processing to all Data Subjects sent to Processor from Controller. Details about the Personal Data processed is available here.
3.3 Device Targeting. Processor shall use the user agent string to recognize certain characteristics about data subjects’ devices, operating systems and platforms. The purpose of Processing is to enable Controller and potentially its customers to target ads to certain devices and their properties.
Processor shall perform such Processing to all Data Subjects sent to Processor from Controller. Details about the Personal Data processed is available here.
3.4 Segment Targeting. Processor shall process any Personal Data sent by Controller regarding Data Subjects’ behavior and/or characteristics, and allow Controller to build segments (Data Subjects grouped by their common behavior and/or characteristics). The purpose of Processing is to enable Controller and potentially its customers to target ads to these segments.
Processor shall perform such Processing to all Data Subjects sent to Processor from Controller. Details about the Personal Data processed is available here.
3.5 CRM Matching. Processor shall process any Personal Data sent by Controller with the intent to identify Data Subjects across multiple domains, provided that personally identifiable information such as email addresses and/or phone numbers are sent to Processor. Such cross-domain identification shall only occur under strict control of Controller, and never occur unless certain actions by the Controller are performed. The purpose of Processing is to enable Controller and potentially its customers to target Data Subjects with ads using their own data.
Processor shall perform such Processing to all Data Subjects sent to Processor where appropriate folder IDs are specified.
3.6 Reporting. Processor shall make information about impressions, clicks and other events performed by Data Subjects available, and be made available to Users split by other Personal Data as described here.
If Adnuntius Marketplace is used by Controller, then Controller acknowledges and approves that both sellers of advertising inventory and buyers of such inventory may be allowed to access such information for reporting and analytics purposes (please see under “personal data transferred to customer-controlled databases), and shall secure appropriate consent if needed to allow these parties to lawfully access this information if consent is provided.
3.7 Log In Information. Processor shall collect and store necessary information to allow Users to register to and log into the Services. Details about the Personal Data processed is available here.
4 Processor’s Obligations
4.1 Compliance. The Processor shall, when Processing Personal Data according to this agreement, comply with Applicable Data Protection Law. The processor shall not by commission or omission of actions put the Controller in a situation where the Controller is in breach of any provision of Applicable Data Protection Law. The Processor shall process data solely according to the instructions of the Controller, as they are described in this data processing agreement’s section 3. If the Processors is required to process data by law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Assistance. The Processor shall, taking into account the nature of the processing, provide the Controller with reasonable cooperation and assistance to ensure that the Controller complies with its requirements under Applicable Data Protection Law, i.a., compliance with the obligations pursuant to GDPR Articles 32 to 36 and to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III. The Processor shall provide the Controller with solutions enabling data subjects to delete Personal Data. These tools shall be made available in Adnuntius’ privacy policy.
4.3 Limitation. The Processing shall be limited to the categories of personal data and the categories of the data subjects as specified in the documents available in this Processing Agreement’s section 3.
4.4 Control. The Controller retains the formal control of and all ownership to the Personal Data processed by the Processor and any Sub-Processors hereunder. The Processor shall not process them for the Processor’s own purposes, unless required to do so by law to which the processor is subject.
4.5 Breach. In case of a data breach resulting in unauthorized disclosure of personal data, the Processor shall without undue delay notify the Controller in writing. The Processor shall without undue delay restore appropriate security levels and rectify any errors resulting in the breach.
4.6 Notification. If unable to fulfil its obligations under this Data Processing Agreement, the Processor shall without undue delay notify the Controller. The Processor shall also without undue delay notify the Controller if it reasonably suspects that instructions by the Controller are in breach with Applicable Data Protection Law, or if processing requires processing activities outside what is instructed by the Controller.
5 Controller’s Obligations
5.1 Consent. The Controller shall obtain all necessary permissions from relevant data subjects, in order to lawfully permit Adnuntius to collect, process and share personal data in accordance with this Data Processing Agreement. The Controller shall make available a mechanism for obtaining such permissions from data subjects, and for allowing data subjects to withdraw such permissions, as required by Applicable data protection law.
5.2 Privacy policy. The Controller shall if required by Applicable data protection law post, maintain and abide by a publicly accessible privacy policy on its Properties from which the Personal Data is collected, in accordance with Applicable data protection law.
5.3 Notification. If unable to fulfill its obligations under this Data Processing Agreement, the Controller shall without undue delay notify Processor.
6 Use of Sub-Processors
6.1 Sub-contracting. The Processor may sub-contract any of its Processing activities pursuant to article 28 paragraph 4 of the GDPR. The processor shall inform the Controller about new sub-processors, and the Controller shall have the right to refuse new sub-processors within reason, or if the use of that sub-processor cannot be avoided, terminate the license agreement for the relevant service with 30 days’ notice.
6.2 Transparency. The Processor’s use of sub-processors shall be described and continuously updated here. The Processor shall, if requested, share a copy of the Data Processing Agreement between the Processor and the sub-processors. The Processor shall have the right to censor any business critical information that can be reasonably be withheld before sharing such a copy.
7 Technical and Organizational Security Measures
7.1 Measures. The Processor shall implement and maintain appropriate technical and organizational security measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. These measures shall ensure a level of security appropriate to the risk presented to the processing and the nature of the personal data to be protected having regard to the state of the art and the cost of their implementation. The measures are described here, and shall be made available to Controller on request to finance@adnuntius.com.
7.2 Limitation of access. The Processor shall limit access to the personal data to relevant personnel committed themselves to confidentiality.
7.3 Responsible person. The Processor shall have a responsible person and data protection officer taking responsibility for ongoing compliance with Applicable data protection law. The responsible are listed here.
8 Audits
8.1 Audits. The Controller shall be allowed to perform annual audits. If the Controller chooses to perform such an audit, it shall be signaled to the Processor no less than 90 days in advance. The Controller shall perform such audit without causing significant interruptions to the Processor’s regular operations.
8.2 Secrecy. The audit shall not grant the Controller access to trade secrets or proprietary information unless required to comply with Applicable Data Protection Law. The Controller shall ensure its personnel conducting such audit are subject to adequate secrecy obligations.
8.3 Auditor. If the parties agree that an audit is to be performed by external auditors, such external auditor is to be appointed by the Controller. The Processor may only oppose the appointment if such auditor is a competitor of the Processor. Upon security audits performed by an external auditor, both parties shall be entitled to receive a copy of the audit report.
8.4 Remediation. If the audit reveals non-compliance with this Data Processor Agreement, the Processor shall (and, if relevant, shall procure that the relevant Sub-processor shall) without undue delay remedy such inadequacy or non-compliance.
8.5 Cost. Each party shall cover its own costs associated with an audit.
9 Data Locations and Transfer
9.1 Transparency. The Processing activities shall take place on the locations specified in the documents available in this Processing Agreement’s section 3.
9.2 Transfer. The Processor may transfer data if this is required by EU law or by any EU member state law to which the processor is subject, provided that the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Transfers can only be made to countries outside the EEA if such a transfer is in accordance with GDPR Chapter V. Notwithstanding the above, Processor may transfer data to Adnuntius Australia PTY LTD as described here, in order to maintain development activities from its software developers located in Australia.
10 Liability and Limitation of Liability
10.1 Liability. Each party is liable to the other for any direct loss, damage, cost, claim, fine and/or expense (any such a “Loss”) incurred by the other Party, which arise from the first mentioned party’s direct breach of its obligations under this Data Processing Agreement or acts of omissions in breach of applicable law. The Parties’ respective liability is for direct Loss only and under no circumstance for indirect loss, such as loss of profit or opportunity or otherwise.
10.2 Limitation of liability. Each party shall hold each other harmless from and against any and all claims by third parties, including Supervisory Authorities, arising from the claim that Applicable Data Protection Law has been broken.
11 Term and Termination
11.1 Term. This Data Processing Agreement shall be effective from the Effective date on the applicable Order Form. This Agreement expires when cancelled by either Party in accordance with the Master Terms.
11.2 Removal of tracking mechanisms. Upon termination of the Data Processing Agreement the Processor (and its permitted Sub-Processors) the Controller shall immediately remove any tracking mechanisms used by the Processor for Processing. The Processor shall immediately cease to process the personal data, and shall if requested by the Controller delete Personal Data unless required by Applicable Data Protection Law to store such data, in which case the data shall not be actively used for any purpose other than required by law.
12 General Provisions
12.1 Governing law. The Data Processing Agreement shall be governed by and construed in accordance with the provisions of governing law set out in the Master Terms, save for mandatory provisions in Applicable Data Protection Law. Any dispute arising out of this Data Processing Agreement shall be resolved in accordance with the provisions on jurisdiction and dispute resolution set out in the Master Terms.
12.2 Changes. Adnuntius shall have the right to, from time to time, make changes to this Data Processing Agreement and its attachments under the condition that no such change violate Applicable Data Protection Law. Any change shall be communicated to Customer in writing no less than 30 days before the change takes place.