1 Background and Purpose
Adnuntius AS (Processor) and the Customer as specified in the applicable Order Form (Controller) have entered into an agreement, where Processor delivers certain services (Services) to Controller under the applicable Order Form, which necessitate the Processing of Personal Data. The Services may include digital advertising software for direct and programmatic advertising, data management software, personalization software, and/or consent management software. Processor and Controller will be collectively referred to as the “Parties”.
Whereas the Processor is in the business of developing and marketing software;
Whereas the Controller is the owner of a set of online properties using the software;
The Parties hereby agree to supplement the Master Terms (located at https://adnuntius.com/resources/terms-and-conditions/) in order to formalize the terms and conditions that will be applicable to the processing of personal data. The purpose is to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of data subjects and ensure that both Parties follow the applicable data protection law.
“Applicable data protection law” means applicable legislation protecting data subjects’ right to privacy with respect to the processing of personal data, including but not limited to the GDPR and any local implementation laws.
“Consent”, “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing”, “supervisory authority” and other terms in the GDPR mean the same as what is set out in the GDPR.
“GDPR” shall mean the EU General Data Protection Regulation 2016/679.
“Property” means the websites, mobile applications and/or other digital media properties owned or operated by the Controller, using Adnuntius’ Services.
“Standard contractual clauses” shall mean the standard contractual clauses for the transfer of personal data to data processors established in third countries, laid down by the EU Commission decision of 5 February 2010.
3 The Purpose of Processing
Processor delivers software that enables Controller to gather and apply user information. While Controller can define any purpose of user information collection and applications, Adnuntius processes user information for the following purposes.
3.1 Gather Personal Data for analytical purposes
Processor gathers user information in order to present data as aggregated information through user interfaces and APIs, enabling Controller to better understand user behavior on its properties where Processor gathers data on behalf of the Controller.
3.2 Gather Personal Data to target advertisements to users’ preferences and behavior
Processor gathers information about which pages and what content users consume, where they are at the time of consumption, which devices they use, what they search for, which ads have been seen by the user, and more. This data is made available as targeting criteria enabling Controller to manage advertising using Adnuntius.
3.3 Activate Personal Data in marketing, decision making and more
Processor enables Controller to collect Personal Data, connect that information to a user profile, and to create segments of these users. Controller can send this user information to other connected systems (including but not limited to Adnuntius’ advertising platform) in order to activate the user information for marketing, decision making, or other purposes.
Detailed information on what Personal Data is gathered and the use of sub-processors is described here: https://docs.google.com/spreadsheets/d/1rCZPF_TWBkTgaYeQ9f-lhU8qL_J9eJrv1l1jjf0G9uQ/edit#gid=328667903
4 Processor’s Obligations
The Processor shall, when Processing Personal Data according to this agreement, comply with Applicable Data Protection Law. The processor shall not by actions or omission of actions put the Controller in a situation where the Controller is in breach of any provision of Applicable Data Protection Law. The Processor shall process data solely according to the instructions of the Controller.
The Processor shall provide the Controller with reasonable cooperation and assistance to ensure that the Controller complies with its requirements under Applicable Data Protection Law. The Processor shall provide the Controller with solutions enabling data subjects to delete Personal Data.
The Processing shall be limited to the categories of personal data and the categories of the data subjects as specified here: https://docs.google.com/spreadsheets/d/1rCZPF_TWBkTgaYeQ9f-lhU8qL_J9eJrv1l1jjf0G9uQ/edit#gid=328667903
Here, the Processor shall also keep updated information about tracking mechanisms, responsible parties, sub-processors and other information needed by the Controller.
The Controller retains the formal control of and all ownership to the Personal Data processed by the Processor and any Sub-Processors hereunder. The Processor shall not have a right of disposition of the Personal Data and shall not process them for the Processor’s own purposes.
In case of a data breach resulting in unauthorized disclosure of personal data, the Processor shall without undue delay notify the Controller. The Processor shall without undue delay restore appropriate security levels, and rectify any errors resulting in the breach.
If unable to fulfill its obligations under this Data Processing Agreement, the Processor shall without undue delay notify the Controller.
5 Controller’s Obligations
The Controller shall obtain all necessary permissions from relevant data subjects, in order to lawfully permit Adnuntius to collect, process and share personal data in accordance with this Data Processing Agreement. The Controller shall make available a mechanism for obtaining such permissions from data subjects, and for allowing data subjects to withdraw such permissions, as required by Applicable data protection law.
If unable to fulfill its obligations under this Data Processing Agreement, the Controller shall without undue delay notify Processor.
6 Use of Sub-Processors
The Processor may sub-contract any of its Processing activities pursuant to article 28 paragraph 4 of the GDPR. If a Sub-processor engaged in accordance with Section 4 of this Data Processing Agreement, is established or otherwise Processes Personal Data outside the EEA, Controller empowers the Processor, in the name of and on behalf of the Controller, to enter into a data processing agreement with such sub-processor that incorporates the Standard Contractual Clauses in non-amended form, if required by Applicable Data Protection Law.
The Processor’s use of sub-processors shall be described and continuously updated here: https://docs.google.com/spreadsheets/d/1rCZPF_TWBkTgaYeQ9f-lhU8qL_J9eJrv1l1jjf0G9uQ/edit#gid=328667903
7 Technical and Organizational Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. These measures shall ensure a level of security appropriate to the risk presented to the processing and the nature of the personal data to be protected having regard to the state of the art and the cost of their implementation.
7.2 Limitation of access
The Processor shall limit access to the personal data to relevant personnel. The Processor shall ensure that all personnel authorized to process the personal data have committed themselves to confidentiality.
The Processor shall make available to the Controller technical and organizational security measures upon reasonable request, so that the Controller is able to fulfil his responsibility as Controller as set forth in Applicable Data Protection Law.
7.4 Responsible person
The Processor shall have a responsible person and data protection officer taking responsibility for ongoing compliance with Applicable data protection law. The responsible are listed here: https://docs.google.com/spreadsheets/d/1rCZPF_TWBkTgaYeQ9f-lhU8qL_J9eJrv1l1jjf0G9uQ/edit#gid=328667903
The Controller shall be allowed to perform annual audits. If the Controller chooses to perform such an audit, it shall be signaled to the Processor no less than 90 days in advance. The Controller shall perform such audit without causing significant interruptions to the Processor’s regular operations.
The audit shall not grant the Controller access to trade secrets or proprietary information unless required to comply with Applicable Data Protection Law. The Controller shall ensure its personnel conducting such audit are subject to adequate secrecy obligations.
If the parties agree that an audit is to be performed by external auditors, such external auditor is to be appointed by the Controller. The Processor may only oppose the appointment if such auditor is a competitor of the Processor. Upon security audits performed by an external auditor, both parties shall be entitled to receive a copy of the audit report.
If the audit reveals non-compliance with this Data Processor Agreement, the Processor shall (and, if relevant, shall procure that the relevant Sub-processor shall) without undue delay remedy such inadequacy or non-compliance.
Each party shall cover its own costs associated with an audit.
9 Data Locations and Transfer
The Processing activities shall take place on the locations set out here: https://docs.google.com/spreadsheets/d/1rCZPF_TWBkTgaYeQ9f-lhU8qL_J9eJrv1l1jjf0G9uQ/edit#gid=328667903
The Processor may transfer data if this is required by EU law or by any EU member state law to which the processor is subject, provided that the Processor informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Each party is liable to the other for any loss, damage, cost, claim, fine and/or expense (any such a “Loss”) incurred by the other Party, which arise from the first mentioned party’s breach of its obligations under this Data Processing Agreement or acts of omissions in breach of applicable law. The Parties’ respective liability is for direct Loss only and under no circumstance for indirect loss, such as loss of profit or opportunity or otherwise.
11 Term and Termination
This Data Processing Agreement shall be effective from the Effective date on the applicable Order Form. This Agreement expires when cancelled by either Party in accordance with the Master Terms.
11.2 Removal of tracking mechanisms
Upon termination of the Data Processing Agreement the Processor (and its permitted Sub-Processors) the Controller shall immediately remove any tracking mechanisms used by the Processor for Processing. The Processor shall immediately cease to process the personal data.
12 General Provisions
12.1 Governing law
The Data Processing Agreement shall be governed by and construed in accordance with the provisions of governing law set out in the Master Terms, save for mandatory provisions in Applicable Data Protection Law. Any dispute arising out of this Data Processing Agreement shall be resolved in accordance with the provisions on jurisdiction and dispute resolution set out in the Master Terms.
Adnuntius shall have the right to, from time to time, make changes to this Data Processing Agreement and its attachments under the condition that no such change violate Applicable Data Protection Law. Any change shall be communicated to Customer no less than 30 days before the change takes place.