Data Processing Agreement - Advertiser(s)

 

This Data Processing Agreement (hereafter the “DPA”) complements the Adxnow Advertisers Terms and Conditions (the “T&C”), and any other applicable agreement with Advertisers (the “Partner”), and is hereby incorporated into the agreement between Adxnow and the Partner for the provision of the relevant services (the “Adxnow Services”).

This DPA shall reflect the Parties’ agreement with regard to the Processing of Personal Data. In the course of providing the Adxnow Services, Adxnow may Process Personal Data on behalf or not of the Partner, therefore, the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith, and in accordance with the requirements of Data Protection Law.

1. Definitions

“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under this DPA, the Partner acts as Controller. The term “Controller” is considered as  “Business “under the CPRA.

“Data Protection Law” means, to the extent applicable in the relevant jurisdiction(s) for the Services, (a) the GDPR and all laws and regulations, (b) the Constitutional Act 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (“LOPDGDD”), (c) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), (d) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.  together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 (collectively, “CPRA”) and any regulations promulgated thereunder.

“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g., a name, an identification number, location data, an online identifier) or to one or more factors specific to that natural person. For the purpose of this DPA, “Data Subject” refers to the natural persons whose Personal Data is processed as part of the provision of the relevant Adxnow Services.

“End User” means Data Subjects visiting and/or using Partners Platform or third-party platforms.

“GDPR” means the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 

“Partners Platform” means any domain name, website, software application, virtual world or other digital platform owned, operated, or managed for the purpose of this DPA by the Partner.

“Personal Data” means any information identifying, relating to, describing, or is capable of being associated with, or can reasonably be linked with, an identified or identifiable natural person or household Processed in connection with the provision of the relevant Adxnow Services.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. Under this DPA, Adxnow acts as Processor.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, by the Controllers or Processors, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Law, but not limited to: the Data Protection Comission Ireland; the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

2. Compliance with Law

Each Party shall comply, and shall be able to demonstrate its compliance with its respective obligations under Data Protection Law and in accordance with this DPA.

The Partner specifically acknowledges and agrees that its use of the Controller-to-Processor Services is compliant with Data Protection Law.

3. Authorizations

A Party shall not disclose Personal Data to the other Party, except where the disclosing Party warrants to the other Party that this disclosure is compliant with Data Protection Law and that it has complied with any applicable requirement(s) of information, notification to, or of authorization or consent from the relevant public authority(ies) or the relevant Data Subjects, with respect to any Personal Data provided by the disclosing Party to the other Party. Each disclosing Party must retain evidence of compliance with any such requirements for the duration of the DPA and provide it promptly to the other Party upon request.

Nothing in this DPA shall prohibit or limit Adxnow’s rights to implement anonymization of Personal Data processed in connection with the DPA, and to the extent required under Data Protection Law, Partner hereby authorizes Adxnow to implement anonymization techniques in compliance with Data Protection Law. For the sake of clarity, data resulting from effective and compliant anonymization is not subject to this DPA and more generally to Data Protection Law. However, they shall be subject to the confidentiality rules agreed in the T&C.

4. Cooperation

The Parties shall cooperate to comply with Data Protection Law and to meet their obligations pursuant to this DPA.

The Parties shall keep appropriate documentation on the Processing activities carried out by each of them and on their compliance with Data Protection Law and with this DPA. For instance, Parties shall facilitate to the other Party, when applicable, the Record of Processing Activities, the Data Protection Impact Assessment, the security measures they have implemented, among other documentation listed in this DPA.

In the event of an investigation, proceeding, formal request for information or documentation, or any similar event in connection with a data protection authority and in relation to the Controller-to-Processor Services or to Personal Data, the Parties shall promptly and adequately deal with enquiries from the other Party that relate to the Processing of Personal Data under the DPA.

5. Communications

For data protection matters and for the purpose of this DPA, Adxnow’s may be reached at: privacy@adxnow.com. The contact details of the Partner must be communicated by email to Adxnow after having accepted this DPA.

Controller to Processor Terms (“CTPT”)

Applies when Partner has ordered Services in which Partner acts as Controller and Adxnow acts as a Processor, processing Personal Data on behalf of Partner (the “Controller-to- Processor Services”).

6. Scope of CTPT

This CTPT shall apply only with respect to Processing of Personal Data carried out in the context of Controller-to- Processor Services ordered by the Partner, acting as a Controller or Business (as applicable), for which Adxnow is acting as a Processor or Service Provider (as applicable), and for which the subject-matter, the nature and purpose, the type of Personal Data, categories of Data Subjects and duration of Processing are set out in Appendix 1 “Controller-to- Processor Services - Details of Processing of Personal Data”.

7. Obligations of Partner

The Partner shall not provide Personal Data to Adxnow except as is necessary for performance of the Adxnow Services and unless Partner shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable Data Subjects whose Personal Data is Processed by Adxnow pursuant to the DPA. Partner shall, in its use of the Adxnow Services, Process Personal Data in accordance with the requirements of Data Protection Law and shall immediately notify Adxnow if Partner is in violation of any Data Protection Law. The Partner’s instructions to Adxnow related to the Processing of Personal Data shall comply with Data Protection Law. The Partner shall be solely responsible to ensure the accuracy, lawfulness and quality of the Personal Data and to ensure that the Processing entrusted to Adxnow has an adequate legal basis pursuant to Data Protection Law.

8. Obligations of Adxnow

Partner Instructions. Adxnow shall process Personal Data for the relevant Controller-to-Processor Services only on the documented instructions from Partner. Partner may not instruct Adxnow to process Personal Data in a manner not compatible with this DPA. Adxnow shall immediately inform Partner if Adxnow reasonably believes it is unable to follow Partner’s instructions, or if such instructions are not compatible with the T&C or more generally with the DPA.

Inaccurate or Outdated Data. Adxnow shall inform Partner if Adxnow becomes aware that the Personal Data is inaccurate or has become outdated, and Adxnow shall cooperate on request with Partner to erase or rectify such data.

Personal Data Processing. To the extent required by applicable Data Protection Law, Partner shall only instruct Adxnow to Process Personal Data for those Business Purposes permitted under applicable Data Protection Law and shall disclose Personal Data to Adxnow only for the limited and specified purposes specified in the DPA. Partner reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Adxnow uses Personal Data transferred in a manner consistent with Partner’s obligations under applicable Data Protection Law, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

Adxnow shall not: (a) Sell or Share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the Business Purposes specified in the DPA; (c) retain, use, or disclose Personal Data outside of the direct business relationship between Partner and Adxnow; or (d) combine Personal Data it receives from Partner with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects, provided that Adxnow may combine Personal Data to perform a Business Purpose (with the exception of “advertising and marketing services,” as defined under applicable Data Protection Law). Adxnow shall comply with applicable obligations and provide the same level of privacy protection as required by the applicable Data Protection Law, and shall assist Partner through appropriate technical and organizational measures to comply with Data Protection Law requirements, taking into account the nature of the processing. Adxnow shall notify Partner if it makes a determination that it can no longer meet its obligations under the applicable Data Protection Law.

Technical and Organizational Measures. Adxnow shall implement appropriate technical and organizational measures to ensure the security of the Personal Data, including protection against a Personal Data Breach. Adxnow shall also assist Partner in complying with its obligations in relation to the security of Processing Personal Data, including under article 32 of the GDPR.

Personal Data Breaches. In the event of a Personal Data Breach relating to Personal Data processed by Adxnow, Adxnow shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. Adxnow shall also notify Partner without undue delay after having become aware of the breach and providing for the time necessary to provide relevant information, including e.g. a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and Personal Data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. In the event of a Personal Data Breach relating to Personal Data processed by Adxnow, Partner shall be solely responsible for notifying Data Subjects and/or Regulatory Authorities as required by Data Protection Law, and Adxnow shall cooperate with and assist Partner to enable compliance with any request from a competent authority and/or affected Data Subjects, taking into account the nature of Processing and the information available to Adxnow. Before any such notification is made, Partner shall consult with and provide Adxnow an opportunity to comment on any notification made in connection with a Personal Data Breach. Nothing in this DPA shall be construed to require Adxnow to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach. Adxnow shall have no liability for the Personal Data Breach management and notification obligations described in this DPA unless the Personal Data Breach is caused by Adxnow’s breach of the security obligations of this DPA or other violation of Data Protection Law by Adxnow.

Access to Personal Data. Adxnow shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of this DPA. It shall ensure that persons authorized to process the Personal Data have committed themselves to one or several confidentiality agreements or are under an appropriate statutory obligation of confidentiality.

Data Subjects’ Rights. To the extent legally permitted, Adxnow shall promptly notify by email to the designated data protection officer or legal representative of the Partner of any request it has received from a Data Subject to exercise the Data Subject’s rights, including the rights to: knowledge/access; correction; deletion; restriction; objection; data portability; opt out of the Processing of and/or the Sale or Sharing of Personal Data; limit the use or disclosure of sensitive Personal Data; or any other request with respect to Personal Data of the applicable Data Subject, as set forth under applicable Data Protection Law. Adxnow shall not respond to the request itself. Adxnow shall reasonably assist the Partner by implementing appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights under Data Protection Law, taking into account the nature of the Processing. To the extent legally permitted, Partner shall be responsible for any costs arising from Adxnow’s provision of such assistance. Nothing in this clause shall require Adxnow to disclose or reveal any trade secrets.

Data Protection Impact Assessment. Upon Partner’s request, at Partner’s cost, and to the extent required under Data Protection Law, Adxnow shall assist Partner in complying with any required data protection impact assessment on Partner’s request, taking into account the information available to Adxnow. To the extent required under the GDPR or UK GDPR, Adxnow shall provide reasonable assistance to Partner in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this clause.

Sub-Processors. Adxnow may engage sub-Processors. Partner provides Adxnow with general authorization to engage sub-Processors to carry out Processing for the relevant Controller-to-Processor Services. Upon written request from Partner, Adxnow shall inform Partner of any changes concerning the addition or replacement of sub-Processors. If Partner objects to such changes on reasonable grounds within thirty (30) days from the notification by Adxnow to Partner, the Parties will discuss in good faith with a view to find a mutually acceptable solution. If the Parties fail to agree, Adxnow may terminate the DPA in whole, or in part with respect only to the affected Controller-to- Processor Services. When engaging another Processor, Adxnow shall enter into an agreement binding on such Processor and setting out the same or more stringent data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement similar technical and organizational measures.

Processing Personal Data outside of the Partner’s Instructions. Notwithstanding the above, if applicable law or a binding decision from a competent authority requires Adxnow to process Personal Data outside of Partner’s instructions for the purposes of providing the Controller-to-Processor Services, Adxnow shall inform Partner unless otherwise prohibited under applicable law.

Audit. Partner may request in writing, at reasonable intervals, that Adxnow makes available to Partner information regarding Adxnow’s compliance its obligations pursuant to this DPA in the form of a copy of Adxnow’s then most recent third-party audits or certifications.

Partner can request an on-site audit of Adxnow’ Processing activities described in this DPA by providing Adxnow with reasonable notice. Such on-side audit may only be conducted where (i) the information made available by Adxnow as set out above is insufficient, (ii) a Personal Data Breach has occurred or (iii) such audit is required by Data Protection Law or a Regulatory Authority.

The Parties shall agree on the scope, timing and duration of the audit. The audit may not unreasonably interfere with Adxnow’s activities.

The Partner may only appoint a third-party auditor which is not a competitor of Adxnow. Such third-party auditor shall enter into a non-disclosure agreement with Adxnow and the Partner before carrying out the audit.

After the on-site audit, the Partner shall promptly share the results of such audit with Adxnow.

The Parties shall make available, upon request, to a Regulatory Authority, the information referred to in this clause, including the results of any audits.

Partner shall bear all costs related to audits.

Transfers of Personal Data. Any transfer of data to a third country or an international organization by Adxnow shall be done only on the basis of documented instructions from the Partner in compliance with Chapter V of GDPR. The Partner agrees that where the Adxnow engages a sub-Processor for carrying out specific Processing activities (on behalf of the Partner) and those Processing activities involve a transfer of Personal Data within the meaning of Chapter V of GDPR, Adxnow and the sub-Processor can ensure compliance with Chapter V of GDPR by using standard contractual clauses adopted by the European Commission in accordance with of Article 46(2) of GDPR, provided the conditions for the use of those standard contractual clauses are met.

Consequences of Termination. If Partner terminates a Controller-to-Processor Service, or if the DPAt expires or terminates for any reason whatsoever, Adxnow shall, at the choice of the Partner, delete all Personal Data processed only for that Controller-to-Processor Service, or return all such Personal Data to Partner. Adxnow shall provide certification as applicable that copies of such Personal Data have been deleted, on request in writing from the Partner, without prejudice to any operational backups maintained by Adxnow for a reasonable period in accordance with industry standards. In case applicable law prohibit Adxnow from deleting the Personal Data, Adxnow warrants that it will continue to ensure compliance with this DPA and will only process such Personal Data to the extent and for as long as required by applicable law.

This Data Processing Agreement (hereafter the “DPA”) complements the Adxnow Advertisers Terms and Conditions (the “T&C”), and any other applicable agreement with Advertisers (the “Partner”), and is hereby incorporated into the agreement between Adxnow and the Partner for the provision of the relevant services (the “Adxnow Services”).

This DPA shall reflect the Parties’ agreement with regard to the Processing of Personal Data. In the course of providing the Adxnow Services, Adxnow may Process Personal Data on behalf or not of the Partner, therefore, the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith, and in accordance with the requirements of Data Protection Law.

Appendix 1

Controller-to-Processor Services - Details of Processing of Personal Data

1. Category of Data Subjects