Data Processing Agreement Last modified: April 16, 2019 1. TERMS AND DEFINITIONS
means this Data Processing Agreement between Company and you (Publisher or Advertiser as applicable), which is incorporated into and part of the Terms and conditions for Publishers and Offer for Publishers or Rules for rendering of advertising services for advertising agencies and Offer for direct advertisers, as applicable, collectively referred to as "myTarget Agreements
1.2. Company, myTarget
means My.com B.V, registered address: Barbara Strozzilaan 201, 1083 HN, Amsterdam, the Netherlands.
means an individual or legal entity having accepted the Terms and conditions for Publishers and entered into Offer for Publishers (collectively "Publisher Agreement") with the Company by accepting the Offer.
means the person who have accepted Rules for rendering of advertising services for advertising agencies and entered into Offer for direct advertisers (collectively "Advertiser Agreement") with the Company for its own Advertising materials and/or the Advertising materials of the third parties placement through the Company's System.
1.5. myTarget System (Company's System, myTarget)
shall have the meaning ascribed to it in the respective myTarget Agreement.
1.6. myTarget Services
means the services provided under myTarget Agreement(s).
1.7. The terms "personal data
", "data subject
", shall bear the meaning ascribed under the Data Protection Act 1998 or the Regulation (as applicable), and the term "process
" shall be construed accordingly. This DPA applies only to the European Union-based users and personal data shall mean personal data of such European Union-based users.
1.8. Data Protection Law
means the Directives (as amended or replaced from time to time), guidance, directions, determinations, codes of practice, circulars, orders, notices or demands issued by any supervisory authority and any applicable national, international, regional, municipal or other data privacy and data protection laws or regulations in any other territory in which the Services are provided or which are otherwise applicable, including the Regulation.
means the European Data Protection Directive (95/46/EC) and the European Privacy and Electronic Communications Directive (Directive 2002/58/EC).
means, on and from 25 May 2018, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as and when it becomes applicable.
means the entity that determines the purposes and means of the processing of personal data.
1.12. Model Clauses
means the Standard Contractual Clauses for the Transfer of Personal Data available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
means an entity that processes personal data on behalf of a Controller.
has the meaning set forth under the Regulation.
Other terms, whereof the definitions are absent in this section shall be interpreted in accordance with the respective myTarget Agreement, if applicable, or usual and customary business practices as well as in accordance with the laws of England and Wales in force. 2. DATA PROTECTION
2.1. This DPA applies to the relations between Company and you, related to the provision of personal data of European Union-based users, and governs collection, transfer, and processing of such personal data.
2.2. You and Company agree that according to your and Company's respective roles as Controller or Processor each will process the personal data in compliance with and for the purposes described in this DPA and myTarget Agreement(s) and/or otherwise agreed between Company and you.
2.3.1. When you, the Advertiser, use myTarget functionality to target advertising materials by using the user data collected by you, you act as a Controller.
2.3.2. When the Company is operating the System as defined in the myTarget Agreement, the Company acts as a Controller.
2.3.3. You, as Controller, appoint Company as Processor to process data pursuant to your myTarget Agreement and in accordance with this DPA.
2.4. Each of us agree to make commercially reasonable efforts to cooperate together to meet any other requirement of Data Protection Law or other applicable laws as regards personal data processing.
2.6. You acknowledge and agree that neither you nor Company shall process special categories of personal data, as referenced in Article 9 of the GDPR. 3. Obligations as a Controller
3.1. Each of us, if acting as Controller, agree to comply with all applicable laws, rules and regulations, including Data Protection Law when interacting with myTarget and to fulfill all obligations which shall be borne by the Controller under Data Protection Law. Such obligations include without limitation implementation of security measures to protect personal data as required by Article 32 of the Regulation.
3.2. Each of us, if acting as Controller, shall independently manage any data subject request as regards such data subject personal data and its rights to access, correct, amend, restrict processing of, port, object to the Processing of, block or delete personal data and others. However, each of us shall make commercially reasonable efforts to provide assistance to the other in respect of such data subject request and/or respective supervisory authority, court or other authorized agency request or enquiry.
3.3. If you and Company are both acting as Controllers, each of us is entitled to appoint Processor for the purposes set forth herein provided that such Processor agrees to process personal data in compliance with the provisions of this DPA and myTarget Agreements, as applicable, comply with the Data Protection Law, including implementation of security measures to protect personal data as required by Article 32 of the Regulation or provide other sufficient guarantees that processing of personal data by such Processor will be compliant with the Data Protection law.
3.4. When you act as Controller, you represent and warrant to Company that you comply with Data Protection Law in respect of the data subject's notice and consent receipt mechanism in order to ensure that such consent is freely given, informed, specific and unambiguous, and, if applicable, covers use for audience segmentation and targeting in connection with online behavioral advertising.
3.5. When you act as Controller, you will not provide Company with personal data which is not received in compliance with the requirements of Data Protection Law or which data subject has used its opt-out option. Company expressly denies receiving of such personal data.
3.6. When you act as Controller, upon Company's request, you will provide to Company any documentation reflecting your compliance with Data Protection Law and implementation of its provisions, including as regards receipt of data subject's consent. 4. Obligations as Processor:
4.1. When Company acts as Processor, Company will :
4.1.1. inform you of any enquiry, complaint, notice or other communication it receives from any supervisory authority or any individual, relating to either the Processor or third parties who are appointed by the Processor in connection with myTarget Services or Controller's compliance with Data Protection Law. The Company shall provide all necessary assistance to you to enable you to respond to such enquiries, complaints, notices or other communications and to comply with Data Protection Law;
4.1.2. notify you immediately in writing if it becomes aware of any unauthorised or unlawful processing, disclosure of, or access to, personal data and/or any accidental or unlawful destruction of, loss of, alteration to, or corruption of such personal data (a Data Breach) and provide you, as soon as possible, with complete information relating to a Data Breach, including, without limitation, the nature of the Data Breach, the nature of the personal data affected, the categories and number of data subjects concerned, the number of personal data records concerned, measures taken to address the Data Breach and the possible consequences and adverse effect of the Data Breach. The Company shall maintain a log of Data Breaches including facts, effects and remedial action taken. The Company shall take all steps to restore, re-constitute and/or reconstruct any personal data which is lost, damaged, destroyed, altered or corrupted as a result of a Data Breach as if they were the Company's own data at its own cost with all possible speed and shall provide you with all reasonable assistance in respect of any such Data Breach. The Company shall also provide all reasonable assistance to you in relation to compliance with Articles 32-36 of the Regulation.
4.1.3. comply with confidentiality provision as set forth herein and respective myTarget Agreement(s). If we determine any incident regarding personal data which we are processing for you, we will make commercially reasonable efforts to notify you on such incident. However, such notification shall not be regarded by you as an acknowledgement of fault or liability on our part in connection with any actual or attempted personal data incident.
4.1.4. only process the personal data on the documented instructions of Controller's and otherwise as necessary to perform its obligations under the myTarget Agreement(s) or as required by Data Protection Law applicable to the Controller (provided that the Controller first informs Processor of the legal requirement unless this is prohibited on important grounds of public interest).
4.2. At expiration or other termination of myTarget Agreement(s) with you, if Company acts as Processor, on termination or expiry of the Agreement, for whatever reason, Company will cease all use of the Controller's personal data and shall either destroy or pseudonymize all Controller's personal data except to the extent authorized or required by Data Protection Law, provided that Processor shall ensure the confidentiality of all such Controller 's Data and shall ensure that it is only processed for such legal purpose(s).
4.3. When Company acts as Processor, Company may subcontract its processing of the personal data on behalf of the Controller, in which case Company shall enter into an agreement with all such third parties, containing obligations on such third party, which are equivalent and no less onerous than those set out herein. Company shall make available to the Controller a current list of those subcontractors which are used by the Processor to undertake processing of personal data. Controller is deemed to have approved the use of the Processor's current sub-contractors as at the date of this Agreement ("Current Sub-Contractors"). The Processor shall notify the Controller of its intention to appoint or use a new sub-contractor in respect of processing personal data (which is not a Current Sub-Contractor). If the Controller has a reasonable basis to object to the Processor's use of such sub-contractor, and such objection directly relates to the Controller's obligations under Data Protection Law, the Controller shall notify the Processor promptly in writing within 10 Business Days after receipt of the Processor's notice. If the Controller objects to a new sub-contractor, the Processor will use reasonable efforts to make available to the Controller an alternative solution or arrangement to avoid the processing of personal data by the relevant sub-contractor. 5. International Transfer Obligations.
5.1. Each of us agrees that personal data of the European Union-based users shall not be transferred outside the European Union unless the following requirements are met:
5.1.1. the recipient of the personal data is located in the European Union or another country that the European Commission or Swiss Federal Data Protection Authority (as applicable) has decided provides adequate protection for personal data, or
5.1.2. the recipient of the personal data complies with binding corporate rules authorization in accordance with the Data Protection Law or has executed Model Clauses with the exporter of personal data; or
5.1.3. the recipient of the personal data received personal data according to another approved transfer mechanism which is compliant with Data Protection Law.
5.2. In case the Model Clauses shall be executed under clause 5.1.2 above, you agree to such Model Clauses which are hereby incorporated by reference into this DPA.
5.2.1. Controller to Controller Model Clauses: For the purposes of clause II(h):
We select option (iii) and agree to be governed by and comply with the data processing principles set out in Annex A of the Controller-to-Controller Model Clauses. For the purpose of Annex B:
(i) the data subjects are end users of the mobile applications and/ or websites in which you use myTarget Services; (ii) the purpose of the transfer is to permit use of the data in accordance with your Publisher Agreement; (iii) the data transferred is as described in this DPA and your Publisher Agreement; (iv) the recipient of the personal data is My.com B.V.; (v) no sensitive data is or shall be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection queries are your and our usual contacts under your Publisher Agreement.
5.2.2. Controller to Processor Model Clauses: For the purpose of Appendix 1:
(i) the data subjects are, for Advertisers, current or potential customers for your products or services advertised through myTarget; for Publishers, end users of your mobile applications and/or websites; and for both Advertisers and Publishers, the individuals (employees, agents or representatives) responsible for your use of myTarget Services; (ii) the data transferred is as described in this DPA and myTarget Agreement(s); (iii) no special categories of data are or shall be transferred; and (iv) the personal data transferred will be processed in connection with our provision of myTarget Services to you under your myTarget Agreements. For the purpose of Appendix 2:
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data provided by data exporter as described in Attachment 1 hereto between data exporter and data importer; data importer will not materially decrease the overall security of the myTarget Services while myTarget Agreement is in effect.
In case of any discrepancies or inconsistencies between the text of this DPA and the text of the respective Model Clauses, the Model Clauses shall prevail. 6. Indemnity.
6.1. Subject to clauses 7.1-7.2 herein, each party (the "Indemnifying Party") shall indemnify and hold harmless the other, including its officers directors, employees, contractors, and agents (the "Indemnified Party") from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys' fees ("Claims") brought by data subjects, supervisory authorities under the Data Protection Law, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party's breach of this DPA.
6.2. Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (x) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this myTarget DPA and (y) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing damage it may suffer as a consequence of the Indemnifying Party's breach.
6.3. The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned. 7. Limitation of Liability.
7.1. Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of your applicable myTarget Agreement(s), and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the myTarget Agreement including this DPA together.
7.2. To the extent that a party has an entitlement under Data Protection Law to claim from the other party (breaching party) compensation paid by that first party to a data subject as a result of a breach of Data Protection Law by the breaching party, such breaching party shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject. For the avoidance of doubt, breaching party shall only be liable to make payment only as compensation of direct damages to the other party under this Clause 7.2 upon receipt of evidence, which shall be to breaching party's reasonable satisfaction, that clearly demonstrates breaching party:
7.2.1. has breached Data Protection Law;
7.2.2. that such breach contributed (in part or in full) to the harm caused entitling the relevant data subject to receive compensation in accordance with Data Protection Law; and
7.2.3. the proportion of responsibility for the harm caused to the relevant data subject which is attributable to breaching party. 8. Miscellaneous
8.1. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA; the foregoing shall not limit third-party beneficiary provisions of the Model Clauses.
8.2. Except as modified by this Addendum, myTarget Agreement(s) remain in full force and effect.
8.3. In case of any discrepancies or inconsistencies between the text of this DPA and the text of the respective myTarget Agreement(s), this DPA shall prevail.
8.4. Company and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this DPA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this DPA.
8.5. This DPA is co-terminous with your myTarget Agreement(s), terminating automatically with your last myTarget Agreement(s). Attachment 1 TECHNICAL AND ORGANISATIONAL MEASURES
In the following, the general description of the security measures in respect of processing the Controller's data is provided.
1. Physical access control
Measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where data are processed, including:
• Defined security areas with restricted access (data centers, server rooms);
• Access authorizations for employees and third parties, visitor registration;
• Access control system (via magnetic cards);
• Door locking (electric door openers etc.);
• Security staff;
• Surveillance, video/CCTV monitor, alarm system.
2. Access restriction mechanisms
Measures to prevent data processing systems from being used by unauthorized persons, including:
• Multi-layered network/systems access restriction architecture;
• User identification and authentication procedures;
• Strong ID/password security policy (special characters, minimum length, change of password);
• Two-factor authentication;
• Automatic blocking (e.g. password or timeout);
• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous attempts.
3. Data access control
Measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:
• Internal logical access control policies and procedures;
• Control authorization schemes;
• Differentiated access rights via roles and permissions;
• Logging of accesses;
• Limiting and monitoring of privileged access;
• Reports of access;
• Centralized procedures for access granting, revoking and regular review.
4. Communication and transport control
Measures to ensure that data cannot be read, copied, modified or deleted without authorization during electronic transmission, including:
• Transport encryption HTTPS/TLS;
• Session management with TTL and logout functions;
• Network segmentation and firewall protection;
• Internal separation of access to infrastructure and management of SSH access;
• Secure Socket Shell (SSH) with key based authentication;
• Traffic and service monitoring by dedicated operations team.
5. Entry control
Measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems via logging and reporting capabilities.
6. Processing control
The following measures to ensure that data are processed as agreed with the Controller, including:
• Clear and detailed wording of the contract and DPA;
• Imposition of the obligation to adhere to the data secrecy requirements on the contractor's' employees;
• Confidentiality agreements/clauses with employees and (sub)contractors.
7. Availability control
Measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical), including:
• Distributed high-availability service architecture;
• Backup procedures;
• Mirroring of hard disks (e.g. RAID technology);
• Uninterruptible power supply (UPS);
• Remote storage.
8. Separation control
Measures to ensure that the collected data can be processed separately for different purposes, including:
• Data segregation, that is handled by an authorization implementation. Access to data is split logically by customer;
• Separation of databases;
• Imposed limitations of data use;
• Segregation of functions between production and testing environments.