Data processing agreement

Updated on May 3, 2022

This Data Processing Agreement (“DPA”) is entered between:

Data Controller (the “Customer”)

Data Processor: Advisible AB, Reg. No. 559188-4977, Box 6075, 102 32 Stockholm, (the “Supplier”)

1. Background

The parties have entered into an agreement regarding the Customer’s use of the Supplier’s advertising platform (the “Terms of Service”) under which the Supplier will process the Customer’s personal data on the Customer’s behalf (“Personal Data”). This DPA is an appendix to the Terms of Service.

In the event of inconsistencies between the provisions of this DPA and the Terms of Service or the other appendices in respect of personal data, the provisions of this DPA shall prevail.

2. Definitions

Terms used but not defined herein, such as “processing”, “data subject”, “personal data breach” and “supervisory authority”, shall have the same meanings as in the EU General Data Protection Regulation (679/2016) (“GDPR”), and their cognate terms shall be construed accordingly.

Defined terms in the Terms of Service shall have the same meanings when used in the DPA.

3. Processing

The parties undertake to fulfil their obligations under the GDPR and any laws implementing or supplementing the GDPR (“Applicable Laws”). As the controller, the Customer is responsible for the processing of the Personal Data being lawful and compatible with the purposes, and for giving information to the data subjects.

The Supplier shall only process the Personal Data in accordance with appendix A and/or the written instructions of the Customer, unless required to do so by the GDPR or the applicable law of the European Union or its member states. In such a case, the Supplier shall inform the Customer of that legal requirement before processing the personal data, unless such information is prohibited by mandatory applicable law. The Supplier is entitled to collect anonymous and deidentified data on the use of the Services that does not specify the Customer or data subjects, and to use it for analysing and developing the Services.

The Supplier shall, without undue delay, notify the Customer if any conflict with Applicable Laws is detected in the instructions.

4. Security and confidentiality

The Supplier shall implement and maintain the appropriate technical and organizational measures in accordance with article 32 of the GDPR.

The Supplier shall ensure that everyone with authorization to process Personal Data abides by appropriate non-disclosure commitments.

5. Personal Data Breaches

The Supplier shall without undue delay notify the Customer upon receiving information of a personal data breach affecting Personal Data.

The Supplier shall provide the Customer with the information necessary for the Customer to fulfil its obligations according to articles 33–34 of the GDPR.

6. Data Protection Impact Assessments and Prior Consultations

The Supplier shall, upon the Customer’s request, assist the Customer in its performance of data protection impact assessments and prior consultations with supervisory authorities in accordance with articles 35–36 of the GDPR.

7. Requests from Data Subjects

The Supplier shall, upon receipt of a request from a data subject, supervisory authority or other regarding Personal Data, promptly refer the request to the Customer.

8. Data Subjects’ Rights

The Supplier shall, if reasonably possible and with regard to the nature of the processing, through technical and organizational measures, assist the Customer in responding to requests regarding Data Subjects’ rights in accordance with the GDPR.

9. Sub-processors

The Supplier shall have the right to engage subcontractors for the processing of Personal Data (“Sub-processors”).

The Supplier shall enter into written data processing agreements with its Sub-processors that ensure as a minimum the same commitments and obligations that the Supplier has according to this DPA.

The Supplier shall inform the Customer beforehand of new Sub-processors the Supplier intends to use in processing the Personal Data pursuant to the Terms of Service and this DPA. The Customer has the right to object to the use of a new Sub-processor. The Customer shall notify the Supplier of such objection within thirty (30) days of the Supplier’s notice to the Customer. If the Customer does not object within thirty (30) days of the Supplier’s notice to the Customer, the Customer shall be deemed to have accepted the use of the new Sub-processor.

In the event that the Customer’s opposition to such Sub-processor, in the Supplier’s opinion, prevents effective provision of the Supplier’s Services in accordance with the Terms of Service, the Supplier may suspend the Customer’s access to the Services without penalty or liability, with thirty (30) days’ notice.

The Supplier is fully liable toward the Customer for the Sub-processor’s actions and any failure by the Sub-processor to adhere to its data protection obligations when processing Personal Data.

A list of Sub-processors deemed approved when this DPA is concluded is attached in appendix A.

10. Transfer of Personal Data outside the EU/EEA

The Supplier may only transfer Personal Data outside the EU/EEA provided that the Supplier ensures that the transfer is allowed in accordance with Applicable Laws. This shall mean that the Supplier shall not transfer Personal Data to a country outside the EU/EEA unless the Supplier has ensured that (i) the transfer is based upon an adequacy decision published by the European Commission, or (ii) that the standard contractual clauses annexed to implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries apply, or (iii) that the transfer is otherwise allowed under the GDPR and Applicable Laws.

If the transfer mechanism used to ensure that the transfer is allowed in accordance with Applicable Laws would be declared invalid or illegal by the European Court of Justice, the European Commission or any other competent EU institution or national court or authority, the Supplier shall ensure that all processing of Personal Data outside the EU/EEA is based on another permitted transfer mechanism under Applicable Laws.

11. Audit

The Supplier shall provide the Customer with access to information that the Customer needs to verify that the Supplier complies with its obligations under this DPA.

The Supplier shall enable and contribute to inspections and audits that the Customer, with at least twenty (20) days’ notice, conducts itself or through a third party (however not a competitor of the Supplier).

The audits may only be conducted at the Supplier’s premises during normal office hours. The representatives of the Customer and all others assisting in the audit must sign conventional non-disclosure commitments.

The Supplier has the right to invoice the Customer for the Supplier’s costs (cost price) associated with the audit, unless the audit reveals a material breach by the Supplier of its obligations under this DPA.

12. Return or deletion

Upon termination of the Terms of Service, or upon the Customer’s request, the Supplier shall without undue delay, at the choice of the Customer, return all Personal Data to the Customer or delete the Personal Data, and thereafter delete all copies of Personal Data, unless required by law to retain it.

13. Dispute resolution

The terms regulating governing law and dispute resolution in the Terms of Service shall apply to this DPA.

14. Liability

The terms regulating liability in the Terms of Service shall apply to this DPA.

15. Duration of the DPA

This DPA shall enter into force upon signing of the Terms of Service by the parties and remain in force as long as the Supplier processes Personal Data.

16. Compensation

The Supplier has the right to invoice the Customer for costs (cost price) incurred by the Supplier when assisting the Customer with data protection impact assessments, prior consultations, requests from data subjects and when deleting and returning Personal Data.

17. Miscellaneous

If the terms concerning the processing of Personal Data of the DPA and the Terms of Service are in conflict, the parties shall apply the terms of this DPA.

APPENDIX A

Subject matter
The subject matter of the processing of the Personal Data is set out in the Terms of Service and this DPA.
Nature and purpose of processing
Processing for the purpose of providing the Services in accordance with the Terms of Service and in accordance with the Customer’s instructions. The Supplier will process the personal data mainly according to the following:
  • Tracking of visitor ad impressions through the Customer’s Digital Property, using a unique user identifier (“UUID”).
  • Aggregation of User Data and consequent deidentification, for statistics to be presented to the Customer within the Services.
Categories of data subjects
Visitors of the Customer’s Digital Property.
Categories of Personal Data
  • Visitor ad impressions
  • Visitor UUID
Retention periods
Processing will take place during the Customer’s use of the Services, and for a limited period thereafter under this DPA.

The Customer has given the Supplier the following instructions for deletion:

  • The personal data shall be deleted on an ongoing basis, within ninety (90) days of collection or upon termination of the Terms of Service.
Sub-processors
  • Google Ireland Limited, Ireland, a subsidiary of Google LLC, USA. All data is stored in Belgium.
Transfers outside the EU/EEA
See list of sub-processors.