1 Background and Purpose
Adnuntius AS (Processor) and the Customer as specified in the applicable Order Form (Controller) have entered into an agreement, where Processor delivers certain services (Services) to Controller under the applicable Order Form, which may involve Processing of Personal Data.
Processor and Controller (hereafter referred to as the Parties) therefore agree to supplement the Terms and Conditions of using the Services with this Data Processing Agreement, which has as its purpose to secure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of data subjects and ensure that both Parties follow the applicable data protection law, to describe the relationship between controller and processor, and to ensure that the Parties follow applicable data protection law.
“Applicable data protection law” means applicable legislation protecting data subjects’ right to privacy with respect to the processing of personal data, including but not limited to the GDPR and any local implementation laws.
“Consent”, “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing”, “supervisory authority” and other terms in the GDPR mean the same as what is set out in the GDPR.
“GDPR” shall mean the EU General Data Protection Regulation 2016/679.
“Property” means the websites, mobile applications and/or other digital media properties owned or operated by the Controller, using Adnuntius’ Services.
“Standard contractual clauses” shall mean the standard contractual clauses for the transfer of personal data to data processors established in third countries, laid down by the EU Commission decision of 5 February 2010.
3 The Purpose of Processing
Processor delivers software that enables Controller to gather and apply user information. Controller can define any purpose of Personal Data collection and application, and Adnuntius shall process these Personal Data solely to obtain the Controller’s purposes. However, with no modification Adnuntius Advertising specifically supports consent for purposes 1, 2, 3, 4 and 7 as they are described in IAB Europe’s Transparency & Consent Framework Policies Appendix A (Purposes and Features Definitions).
3.2 Data collection
In addition to any data that the Controller chooses to send to Processor, Processor automatically collects certain Personal Data unless switched off by the Controller. This information is described here.
4 Processor’s Obligations
The Processor shall, when Processing Personal Data according to this agreement, comply with Applicable Data Protection Law. The processor shall not by actions or omission of actions put the Controller in a situation where the Controller is in breach of any provision of Applicable Data Protection Law. The Processor shall process data solely according to the instructions of the Controller.
The Processing shall be limited to the categories of personal data and the categories of the data subjects as specified in the document available in this Processing Agreement’s section 3.2.
The Controller retains the formal control of and all ownership to the Personal Data processed by the Processor and any Sub-Processors hereunder. The Processor shall not have a right of disposition of the Personal Data and shall not process them for the Processor’s own purposes.
In case of a data breach resulting in unauthorized disclosure of personal data, the Processor shall without undue delay notify the Controller in writing. The Processor shall without undue delay restore appropriate security levels, and rectify any errors resulting in the breach.
If unable to fulfill its obligations under this Data Processing Agreement, the Processor shall without undue delay notify the Controller. The Processor shall also without undue delay notify the Controller if it reasonably suspects that instructions by the Controller are in breach with Applicable Data Protection Law, or if processing requires processing activities outside what is instructed by the Controller.
5 Controller’s Obligations
The Controller shall obtain all necessary permissions from relevant data subjects, in order to lawfully permit Adnuntius to collect, process and share personal data in accordance with this Data Processing Agreement. The Controller shall make available a mechanism for obtaining such permissions from data subjects, and for allowing data subjects to withdraw such permissions, as required by Applicable data protection law.
If unable to fulfill its obligations under this Data Processing Agreement, the Controller shall without undue delay notify Processor.
6 Use of Sub-Processors
The Processor may sub-contract any of its Processing activities pursuant to article 28 paragraph 4 of the GDPR. If a Sub-processor engaged in accordance with Section 4 of this Data Processing Agreement is established or otherwise Processes Personal Data outside the EEA, Controller empowers the Processor, in the name of and on behalf of the Controller, to enter into a written data processing agreement with such sub-processor that incorporates the Standard Contractual Clauses in non-amended form, if required by Applicable Data Protection Law. The processor shall inform the Controller about new sub-processors, and the Controller shall have the right to refuse new sub-processors within reason, or if the use of that sub-processor cannot be avoided, terminate the license agreement for the relevant service with 30 days’ notice.
The Processor’s use of sub-processors shall be described and continuously updated in the document available in this Processing Agreement’s section 3.2. The Processor shall, if requested, share a copy of the Data Processing Agreement between the Processor and the sub-processors. The Processor shall have the right to censor any business critical information that can be reasonably be withheld before sharing such a copy.
7 Technical and Organizational Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. These measures shall ensure a level of security appropriate to the risk presented to the processing and the nature of the personal data to be protected having regard to the state of the art and the cost of their implementation.
7.2 Limitation of access
The Processor shall limit access to the personal data to relevant personnel. The Processor shall ensure that all personnel authorized to process the personal data have committed themselves to confidentiality.
The Processor shall make available to the Controller technical and organizational security measures upon reasonable request, so that the Controller is able to fulfil his responsibility as Controller as set forth in Applicable Data Protection Law.
7.4 Responsible person
The Processor shall have a responsible person and data protection officer taking responsibility for ongoing compliance with Applicable data protection law. The responsible are listed in the document available in this Processing Agreement’s section 3.2.
The Controller shall be allowed to perform annual audits. If the Controller chooses to perform such an audit, it shall be signaled to the Processor no less than 90 days in advance. The Controller shall perform such audit without causing significant interruptions to the Processor’s regular operations.
The audit shall not grant the Controller access to trade secrets or proprietary information unless required to comply with Applicable Data Protection Law. The Controller shall ensure its personnel conducting such audit are subject to adequate secrecy obligations.
If the parties agree that an audit is to be performed by external auditors, such external auditor is to be appointed by the Controller. The Processor may only oppose the appointment if such auditor is a competitor of the Processor. Upon security audits performed by an external auditor, both parties shall be entitled to receive a copy of the audit report.
If the audit reveals non-compliance with this Data Processor Agreement, the Processor shall (and, if relevant, shall procure that the relevant Sub-processor shall) without undue delay remedy such inadequacy or non-compliance.
Each party shall cover its own costs associated with an audit.
9 Data Locations and Transfer
The Processing activities shall take place on the locations specified in the document available in this Processing Agreement’s section 3.2.
The Processor may transfer data if this is required by EU law or by any EU member state law to which the processor is subject, provided that the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Transfers can only be made to countries outside the EEA if such a transfer is in accordance with GDPR Chapter 5.
10 Liability and Limitation of Liability
Each party is liable to the other for any direct loss, damage, cost, claim, fine and/or expense (any such a “Loss”) incurred by the other Party, which arise from the first mentioned party’s direct breach of its obligations under this Data Processing Agreement or acts of omissions in breach of applicable law. The Parties’ respective liability is for direct Loss only and under no circumstance for indirect loss, such as loss of profit or opportunity or otherwise.
10.2 Limitation of liability
Each party shall hold each other harmless from and against any and all claims by third parties, including Supervisory Authorities, arising from the claim that Applicable Data Protection Law has been broken.
11 Term and Termination
This Data Processing Agreement shall be effective from the Effective date on the applicable Order Form. This Agreement expires when cancelled by either Party in accordance with the Master Terms.
11.2 Removal of tracking mechanisms
Upon termination of the Data Processing Agreement the Processor (and its permitted Sub-Processors) the Controller shall immediately remove any tracking mechanisms used by the Processor for Processing. The Processor shall immediately cease to process the personal data, and shall if requested by the Controller delete Personal Data unless required by Applicable Data Protection Law to store such data, in which case the data shall not be actively used for any purpose other than required by law.
12 General Provisions
12.1 Governing law
The Data Processing Agreement shall be governed by and construed in accordance with the provisions of governing law set out in the Master Terms, save for mandatory provisions in Applicable Data Protection Law. Any dispute arising out of this Data Processing Agreement shall be resolved in accordance with the provisions on jurisdiction and dispute resolution set out in the Master Terms.
Adnuntius shall have the right to, from time to time, make changes to this Data Processing Agreement and its attachments under the condition that no such change violate Applicable Data Protection Law. Any change shall be communicated to Customer no less than 30 days before the change takes place.