Data Processing Agreement
This Data Processing Agreement is entered into between Azerion Technology B.V. (“Processor”) and Seller (“Controller”) as defined by the MSA, each a “Party” and together the “Parties”.
WHEREAS:
- Parties have concluded an agreement for the provision of – among other – data processing services by Processor to Controller, pursuant to which Processor will carry out certain processing of personal data on behalf and on instruction of Controller; and
- In view of each Party’s obligations under EU Data Protection Law (as defined below) Parties wish to lay down their respective rights and obligations with regard to the data processing of personal data in this data processor agreement.
HAVE AGREED AS FOLLOWS:
Article 1. Definitions
- Unless stated otherwise in this Data Processing Agreement, capitalised terms in the Data Processing Agreement have the meaning as defined in the MSA.
- “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing”, and “Recipient” all have the meaning under EU Data Protection Law.
- “Controller Personal Data” means the Personal Data processed by Processor on Controller’s behalf pursuant to this Data Processing Agreement.
- “EU Data Protection Law” means all applicable EU data protection and privacy laws, including prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“DP Directive”) and local implementing laws and regulations, and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and any other European Union or EU Member State laws made under or pursuant to the DP or GDPR, in each case as such laws may be amended or superseded from time to time.
- “Master Services Agreement” or “MSA” means the underlying agreement for the provision of services pursuant to which Processor will carry out certain processing of personal data on behalf and on instruction of Controller, including the Seller Terms and Conditions. For the avoidance of doubt, the actual underlying agreement may be entitled differently than ‘Master Services Agreement’, and consist of several connected agreements, order forms, and/or general terms and conditions.
- “Data Processing Agreement” means this agreement.
- “Sub-Processor” means another processor than Processor, engaged by Processor. Sub-Processors explicitly do not include any third parties that receive Personal Data or that are deployed by Processor at the explicit request of Controller.
- “Effective Date” means the effective date of the MSA.
Article 2. Processing of Controller Personal Data by Processor
- Controller hereby instructs Processor to Process the Controller Personal Data on behalf of Controller for the purposes of performing the MSA. The instructions of Controller are described in more detail in this Processing Agreement and, in certain cases, additionally in the MSA. Controller can provide supplementary instructions or changed instructions in writing.
- The provisions of this Data Processing Agreement apply to all Processing of Controller Personal Data on behalf of Controller by Processor.
- Controller is the Controller of the Controller Personal Data under EU Data Protection Law, and Processor the Processor. Controller has and keeps independent control over determining the purposes and means of the Processing of Controller Personal Data.
- Before conclusion of this Data Processing Agreement, Processor will provide Controller with sufficient information about both the Services that Processor will provide and the Processing of Controller Personal Data by Processor on behalf of Controller. The information provided should enable the Controller to make an informed decision and determination of the purposes and means with regard to the Processing of Personal Data in connection with the Services. The information about the Processing of Controller Personal Data is provided in Schedule 1. Controller affirms that when Controller instructs Processor, on the basis of this Data Processing Agreement, to process the Controller Personal Data on its behalf, that the information provided to it has indeed been sufficient for it to be able to make said informed decision and determination of purposes and means.
- Processor has no independent control over the Controller Personal Data and shall process the Controller Personal Data solely on the documented instructions of the Controller. More specifically, Processor shall not Process the Controller Personal Data for its own purposes or for those of third parties, nor shall it make them available to third parties other than as instructed by the Controller pursuant to this Data Processing Agreement or the MSA.
- In case Ad Inventory is directed to children or personal data from children (or minors) as defined under EU Data Protection Law is processed, Controller shall either (i) provide the respective indication within Processor’s platform or (ii) inform the Processor via end user data protection signals it provides before activating the Services on Ad Inventory or any other industry-wide recognized and used technical solution. Accordingly, the Controller shall assess whether an Ad Inventory is children-directed or not, based on the criteria and considerations determined by case law, self-regulatory authorities and documentation published by supervisory authorities. For the avoidance of doubt, to the extent required by EU Data Protection Law and any supplementary guidance issued by a supervisory authority, Controller shall also not pass to Processor any Personal Data related to children as defined under such regulations. Without prejudice to any other right or remedy, Processor may immediately suspend Controller’s access to the Services or any portion thereof if Processor believes that Controller has failed to comply with this article. In the event that the Controller does not knowingly process personal data of children, but becomes aware (e.g. through direct contact from a parent) that a data subject whose personal data was processed is a child, the Controller shall promptly contact the Processor with all relevant identifiers for Processor to be able to delete such personal data.
Article 3. Engaging Sub-Processors
- Processor is authorised to engage Sub-Processors for carrying out specific Processing activities on behalf of the Controller under this Data Processing Agreement and Controller hereby gives it revocable general authorisation to engage such Sub-Processors, provided that Processor duly notifies the Controller of all Sub-Processors it intends to add or replace, whereby the Controller has the opportunity to object to such changes. If Processor cannot reasonably be asked to not make such changes, Processor may terminate the MSA without incurring any liability in connection therewith.
- When engaging a Sub-Processor, Processor will ensure that the same data protection obligations as set out in this Data Processing Agreement and the MSA are imposed on that Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of EU Data Protection Law. For the avoidance of doubt, Processor is required to impose similar provisions on any Sub-Processors, but is not required to impose the obligations of this Data Processing Agreement verbatim or back-to-back.
- Where the Sub-Processor fails to fulfil its data protection obligations, Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations, to the extent that Processor itself would be liable under the MSA.
Article 4. Security
4.1 Processor shall implement appropriate technical and organizational security measures. These measures, taking into account the state of the art and the costs associated with the implementation and execution of the measures and the risks that the Processing of the Controller Personal Data and its nature entail, ensure adequate protection and are detailed in Schedule 2.
Article 5. Deletion and destruction of Controller Personal Data
- On the expiration of the MSA or on the expiration of the applicable term for saving data (to be determined by Controller), Processor will, at the option of Controller: (i) delete all the Controller Personal Data from its systems (automated or otherwise) or the systems it uses to store data and data carriers, or (ii) return the Controller Personal Data, in both cases without keeping any copies of the Controller Personal Data.
- Processor may derogate from the provisions in the above paragraphs insofar as law requires storage of the Controller Personal Data, or as this is necessary in order to prove compliance with its obligations to Controller.
Article 6. Assistance
- Processor will, taking into account the nature of the Processing and the information available to Processor, assist Controller in ensuring compliance with the obligations of Controller under EU Data Protection Law vis-à-vis Data Subjects such as the right to be provided with information about the Processing, the right of access, the right to rectification, the right to erasure, the right to a Restriction of Processing, the right to data portability, or the right to object to automated individual decision making if any.
- In the event a Data Subject directs any of the above requests to Processor, Processor shall refer the Data Subject to the Controller and otherwise not respond itself to the request, except if required by EU Data Protection Law.
- Processor will, taking into account the nature of the Processing and the information available to Processor, assist Controller in carrying out any data protection impact assessment or prior consultation as required by EU Data Protection Law.
- Processor can recover its costs, including out-of-pocket costs for assistance from outside advisors and Sub-Processors, incurred in assisting the Controller.
Article 7. Personnel
7.1 Processor shall ensure that the personnel involved in the processing of the Controller Personal Data are aware of the obligations of Processor laid down in this Data Processing Agreement and have committed themselves to confidentiality or are under a statutory obligation of confidentiality, for example on the basis of an employment relationship.
Article 8. Information and audit rights
- Processor will provide Controller with all information necessary to demonstrate compliance with Processor’s obligations under this Data Processing Agreement. Processor may fulfil this obligation by means of an annual report.
- Processor will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, provided such an audit or inspection can in principle only be done once a year. In that regard, the Controller has the right, following advance and reasonable notice, to arrange to investigate the establishment(s) and/or systems of the Processor. Any mandated auditor should have demonstrable experience in performing such audits or inspections. The investigation shall not extend beyond what is necessary for the purpose as described in this paragraph and does not include systems owned by third parties or Sub-Processors.
- Each Party shall bear its own costs associated with the investigation as referred to in paragraph 2 of this Clause and Controller will bear the costs of the independent auditor if the investigation shows that Processor has substantially complied with its obligations pursuant to this Data Processing Agreement. By way of derogation from the foregoing, Processor shall bear the costs of the independent auditor, if the investigation shows that Processor has breached its obligation(s) pursuant to this Data Processing Agreement, provided that the breach is considerable enough to justify these costs.
- Processor will immediately inform Controller if, in its opinion, an instruction in connection with the investigation referred to in paragraph 2 of this Clause infringes EU Data Protection Law, for example if with such audit or inspection Controller or its mandated auditor would gain access to Personal Data other than Personal Data processed on behalf of Controller.
- Parties agree to treat any information related to inspections and requests for information as confidential, to the extent legally permitted.
- Processor can recover its costs, including out-of-pocket costs for assistance from outside advisors and Sub-Processors, incurred in assisting the Controller.
Article 9. Data Breach reporting obligations and incident management
- In the event of a Personal Data Breach, Processor shall immediately, but in any event within 72 hours after Processor learns of the Data Breach, inform the Controller, further to which the Controller will – if necessary – immediately inform the relevant Supervisory Authority and/or Data Subjects.
- Processor will report a Data Breach in writing and use the contact details as mentioned in Schedule 2.
- Processor will include in the report of the Data Breach, to the extent available and if reasonably possible, the information listed in Schedule 2. Where certain information is not yet available, Processor will report the information it has available, and straightaway gather – if reasonably possible – all additional information and provide it to the Controller.
Article 10. Liability
The limitations of liability in the MSA apply in all cases.
Article 11. Miscellaneous
- This Data Processing Agreement is an appendix to and forms part of the MSA. This Data Processing Agreement shall be effective as of the Effective Date and shall remain in effect for the same period as the MSA remains in effect. If and insofar as the MSA is legally terminated, this Data Processing Agreement shall without any liability whatsoever be terminated by operation of law without any notice of termination to the other Party being required.
- In the event of differences between the provisions of this Data Processing Agreement and the MSA and/or its annexes, the provisions of this Data Processing Agreement shall take precedence, unless explicitly agreed otherwise in the MSA and/or its annexes.
- Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible, or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Changes and additions to this Data Processing Agreement are valid only if and insofar as approved in writing by both Parties.
- Dutch law governs this Data Processing Agreement, with the exclusion of its conflict of laws rules. All disputes arising out of this Data Processing Agreement shall be settled by the competent court in the district where Processor is registered.
Schedule 1
Controller Personal Data to be processed in the context of the MSA
Controller Contact: As provided under MSA
Processor Contact: dpo@azerion.com
(All terms not defined herein are as defined in the MSA.)
- Service:
Automated selling of Ad Inventory, and managed services by Processor of the same, for Controller’s Sites (digital properties).
- Subject and duration of processing:
Controller instructs Processor to process the types of data listed below for the purpose of enabling the automated selling of ad inventory for Controller’s digital properties.
Data itself is processed in principle for up to 90 days. The processing as a whole is for the duration of the MSA (see MSA).
- Nature and purposes of processing:
Controller would like to offer for sale, via an automated process, the Ad Inventory for its Sites (digital properties). In connection with such offer and sale, a limited amount of data needs to be collected, stored and transmitted by Processor on behalf of Controller to the parties indicated below under “Data Sharing”.
- Types of personal data and categories of data subjects:
The following types of (personal) data are processed:
- Date and time of each event
- IP address (can be last proxy in the request)
- Country and region (approximate, based on IP geo database)
- User agent (browser) of visitor
- Device (ad) ID, if available
- Domain visited
- Page visited
Controller’s instruction to Processor may also be indicated (in more detail) in the MSA, a purchase order, during the onboarding process, in the Controller dashboard, or by Controller parameterizing data capture on its Sites.
Controller can also additionally instruct Processor to process third-party data on its behalf, as elected by Controller within the applicable Service.
The data processed is that of visitors and users of Controller’s digital properties (Sites). As a result of the data processing, the visitors and users are presented with ads.
- Data Sharing:
- Controller instructs Processor to disclose the Controller Personal Data to advertisers, agencies, networks, technical providers or other parties, that bid on or viewed Controller’s Ad Inventory in an auction or to which Controller has sold Ad Inventory through the Service.
- Controller instructs Processor to disclose the Controller Personal Data to third parties whose services Controller has elected to use through the applicable Service(s), as indicated on the purchase order or in the dashboard; and
- as may otherwise be elected by the Controller within the applicable Service.
- Data transfers:
Processor can transfer Personal Data to third countries or organization
Schedule 2
Security measures and data breach communication protocol
- Controller and Processor Contact:
See Schedule 1.
- Security Measures:
Processor has taken a number of technical and organizational protection measures:
- Access control
- Identity management
- Logging (event visibility)
- Configuration integrity
- Minimum details for Processor to provide in the event of a Personal Data Breach:
- the nature of the breach;
- the date and time on which the incident occurred and was discovered;
- the (number of) Data Subjects impacted by the incident;
- the categories of personal data involved in the incident; and
- any security measures – such as encryption at rest – that may prevent further unlawful processing of the Personal Data.
- the name and contact details of Processor’s data protection officer or other relevant contact from whom more information can be obtained;
- the (suspected) cause of the breach;
- the consequences of the breach already known and to be expected;
- the recommended measures for remedying or mitigating the consequences