Parties and background
These Data Processing Terms (“Terms”) form an integral part of the Agreement (“Agreement”) which governs the use of Services (as defined below) provided by Readpeak Oy (“Readpeak”) to the Customer, as defined below.
In the course of providing the Service to the Customer pursuant to the Agreement, Readpeak may process personal data together with Customer as a joint controller in which case the Joint Controller Agreement applies. If and to the extent Readpeak processes Personal Data on behalf of the Customer as a Processor, the Data Processing Agreement applies.
Definitions
Advertiser means any advertiser, agency, network or other party that purchases and publishes advertisement campaigns on Publishers’ Media Sites using the Service.
Campaign means an advertisement campaign that Advertisers purchase and publish on Publisher’s Media Sites.
Customer means Advertiser for which Readpeak is providing the Services.
Service means the services described in the Agreement provided by Readpeak.
Publisher means the media partner providing the Media Sites.
Data Processing Agreement means the binding contract between controller and processor on the processing of personal data on behalf of the controller referred to in Article 28 of the EU GDPR or Article 28 of the UK GDPR.
Data Protection Laws means any applicable EU and national data protection legislation as amended from time to time, including but not limited to the EU GDPR, national legislation supplementing the EU GDPR, UK GDPR, and the instructions and orders of the data protection authorities in so far as those instructions and orders are binding.
EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Joint Controller Agreement means the agreement between joint controllers determining their respective responsibilities for compliance with Data Protection Laws referred to in Article 26 of the EU GDPR or Article 26 of the UK GDPR.
Media Sites mean all websites, applications, content platforms or other media properties owned or operated by Publisher or its Affiliates that are in the scope of the Agreement.
Personal Data, Data Subject, Controller, Joint Controller, Processor and Personal Data Breach shall have the meaning they are given in the GDPR.
Sub-processor means a data processor (as meant in Article 4(8) of the GDPR) engaged by Processor for carrying out specific processing activities on behalf of Controller.
UK GDPR means the United Kingdom General Data Protection Regulation.
Websites mean the website(s), applications, content platforms or other media properties owned or operated by the Advertiser promoted in a Campaign.
Term and termination
These Terms shall become effective at the same time as the Agreement and continue to be effective until the Agreement has expired or has been terminated and the parties have completed all their obligations pursuant to the Agreement and these Terms.
With respect to the Processing of Personal Data under the Data Processing Agreement, the Processor shall upon termination or expiry of the Agreement delete all Personal Data of the Controller, unless and to the extent mandatory European Union or national law which Processor is subject to requires retention of such Personal Data.
In addition to processing Personal Data as a Joint Controller and a Processor, Readpeak processes Personal Data as an independent Controller in accordance with its Privacy Policy available at readpeak.com.
JOINT CONTROLLER AGREEMENT
This joint controller agreement (“JCA”) governs the collection and use of Personal Data of users of Websites for the purpose of tracking users’ interaction with ads in the context of the Services provided by Readpeak (“Joint Processing”).
This JCA sets out the responsibilities between Readpeak and the Customer pursuant to Article 26 of the GDPR and/or the UK GDPR as described below.
1. Scope of the Joint Processing
The Customer enables the collection of Personal Data from users of the Websites via the use of online advertising technologies provided by Readpeak.
Readpeak and the Customer shall be jointly responsible for the placement of Readpeak tag or implementation of similar technologies on Websites to enable the collection of Personal Data for the purposes of targeting advertising or measuring conversion.
2. Means of Joint Processing
The Personal Data of users of Websites is collected and processed by means of online advertising technologies such as cookies and other similar technologies used in the Campaigns provided by Readpeak.
The online advertising technology enables the tracking of user interaction with ads across Websites within a Campaign.
3. Obligations of the Customer
The Customer shall:
- inform users of Websites of the processing of their Personal Data in accordance with Article 13 and Article 26 of the EU GDPR and/or the UK GDPR;
- obtain valid consent of users of Websites for the use of cookies and similar technologies and for the processing of their Personal Data for ad targeting, and in particular, provide users with means to manage their consents and objections via a so-called consent management platform (CMP) certified with active status at the IAB Europe Transparency & Consent Framework (IAB TCF);
(a) list Readpeak in its CMP as a vendor and provide information on Readpeak’s purposes of use as communicated by Readpeak through so-called Global Vendor List;
(b) communicate the legally relevant choices of the user to Readpeak by transmitting the IAB TCF Consent String to Readpeak;
(c) respond to individual requests from the users concerning the processing of their Personal Data and the rights they have according to applicable Data Protection Laws;
- in case the Customer receives a complaint, notice or statement from a supervisory authority relating to the Joint Processing, to the extent permitted by applicable law, immediately forward such complaint, notice or statement to Readpeak.
4. Obligations of Readpeak
Readpeak shall be responsible for the following obligations:
- respect the choices made by the user as communicated to Readpeak by the Customer, and only process Personal Data related to users’ activity on Websites when there is a valid legal basis;
- inform users of the processing of their Personal Data in accordance with the EU GDPR and/or the UK GDPR and process Personal Data solely for the purposes set out in the relevant notice; and
- respond to individual requests of users concerning the processing of their Personal Data and the rights they have according to applicable Data Protection Laws.
5. Obligations of the parties
Each party shall, on its own responsibility, carry out a data protection impact assessment required under Article 35 of the EU GDPR or the UK GDPR for the processing activities that constitute Joint Processing if this is required by applicable law.
Each party shall include Joint Processing in its respective records of processing activities. The parties shall provide each other with the necessary information upon request.
Each party shall implement and maintain appropriate technical and organizational measures for ensuring security of personal information.
Each party shall provide reasonable assistance to the other party in the performance of its obligations under this JCA. Upon request, each party shall, without undue delay and to the extent reasonable and permitted by applicable law, provide the requesting party with information that the requesting party requires to comply with applicable Data Protection Laws.
If a party becomes aware of a violation of any provision of this JCA or of a data breach concerning Personal Data in relation to Joint Processing, it shall immediately notify the party or parties concerned.
6. Transfers of data outside the EU/EEA/UK
In case Personal Data is transferred from the EU/EEA to a data importer located in a country not subject to an adequacy decision pursuant to Article 45 of the EU GDPR, such transfers must be covered by the EU Standard Contractual Clauses (“EU SCCs”).
7. Liability
The parties are jointly and severally liable in the external relationship pursuant to Article 82 of the EU GDPR or Article 82 of the UK GDPR. In the internal relationship, each party shall be liable for the damage caused by a violation of the Data Protection Laws and/or this JCA which has taken place in its area of responsibility in accordance with Section 1 of this JCA. The parties shall indemnify each other against liability. For the sake of clarity, the joint responsibility shall only apply to Joint Processing and not the subsequent processing, if any, carried out by the parties as independent Controllers.
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) concerns the processing of Personal Data by Readpeak (“Processor”) on behalf of the Customer (“Controller”) for the purposes of providing the Service subject to the Agreement.
1. Details of the processing
The subject matter, nature and purpose of processing, the types of personal data and data subjects, and duration of processing are defined in Description of processing.
2. General responsibilities of the Controller
The Controller ensures that it has the right to transfer Personal Data to the Processor for the processing carried out by the Processor subject to this DPA. Controller authorises Processor to process the Personal Data in accordance with the Agreement and this DPA.
3. General responsibilities of the Processor
Processor shall process Personal Data on Controller’s behalf, only in accordance with the Data Protection Laws and this DPA. Processor shall not process Personal Data for any other purposes than those specified in the Agreement and/or this DPA.
Processor shall process the Personal Data only on the documented instructions of the Controller, unless required to deviate from such instructions in order to comply with the Data Protection Laws. In such a case, Processor shall inform Controller of such requirement before processing of the Personal Data, unless the Data Protection Laws prohibit such notification. The parties acknowledge and agree that this DPA and the Agreement contain the instructions provided by Controller, with all possible amendments to the instructions being separately agreed in writing between the parties.
Processor notifies Controller without undue delay if, in Processor’s opinion, Controller’s instructions infringe Data Protection Laws. For the avoidance of doubt, the parties acknowledge and agree that Controller shall be responsible for ensuring that the instructions are in accordance with the Data Protection Laws.
Processor ensures that persons under its responsibility that are authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Where possible, Processor shall assist Controller in the fulfilment of Controller’s obligation to respond to requests for exercising the Data Subjects’ rights laid down in the Data Protection Laws, including Chapter III of the GDPR, taking into account the nature of processing and the information available to Processor.
Processor shall reasonably assist Controller, at the request of and at the expense of Controller, in ensuring compliance with Controller’s obligations pursuant to the Data Protection Laws, including Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Processor.
4. Security of data processing
Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the appropriate technical and organisational measures to ensure a level of security appropriate to the risk shall be implemented.
The Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a) pseudonymisation and encryption of personal data; b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Processor shall also evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Controller shall provide the Processor with all information necessary to identify and evaluate such risks.
Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations pursuant to Article 32 GDPR, by e.g. providing the Controller with information concerning the technical and organisational measures already implemented by the Processor pursuant to Article 32 GDPR along with all other information necessary for the Controller to comply with the Controller’s obligation under Article 32 GDPR.
5. Personal Data Breaches
In the event of a Personal Data Breach, Processor shall notify Controller without undue delay but no later than forty-eight (48) hours after Processor has become aware of the Personal Data Breach.
To the extent available to the Processor, the notification shall contain at least the following information: a) a description of the nature of the Personal Data Breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned; b) the name and contact details of the person responsible for Processor’s data protection matters; c) a description of likely consequences and/or realised consequences of the Personal Data Breach; and d) a description of the measures taken to address the Personal Data Breach and to mitigate its possible adverse effects. Where it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.
Unless otherwise agreed, Controller is liable for notifying data protection authorities and Data Subjects of a Personal Data Breach, when applicable.
6. Sub-processors
Controller gives Processor a general written authorisation to engage Sub-Processor(s) when fulfilling Processor’s contractual obligations provided such Sub-Processors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the Data Subject.
Processor shall impose the same, corresponding or materially equivalent obligations as set out in this DPA on its Sub-Processors by way of a contract. Should any Sub-Processor fail to fulfil its data protection obligations, Processor shall remain liable to Controller for the performance of any such Sub-Processor’s obligations.
Sub-Processors relevant to the processing of Personal Data subject to this DPA are specified in Description of processing. Processor shall inform Controller in advance of any intended changes concerning the addition or replacement of Sub-Processors and Controller shall have the right to object to such changes by notifying Processor in writing within twenty (20) business days after the receipt of Processor’s notice about the changes. Should the parties be unable to resolve such objection by Controller, Controller has the right to terminate the Agreement and this DPA with thirty (30) days’ notice, however subject to Processor enacting the change in Sub-Processors resulting in the objection.
7. Transfers of Personal Data
Controller gives Processor a written authorization for the transfers of Personal Data outside the EU/EEA/UK specified in Description of processing provided that Processor ensures that any such transfers are conducted in accordance with the Data Protection Laws, e.g. by ensuring that the transfer is covered by an appropriate safeguard and necessary supplementary measures where applicable.
Processor shall inform Controller in advance of any intended new transfers and Controller shall have the right to object to such changes by notifying Processor in writing within twenty (20) business days after the receipt of Processor’s notice about the changes. Should the Parties be unable to resolve such objection by Controller, Controller has the right to terminate the Agreement and this DPA with thirty (30) days’ notice, however subject to Processor enacting the new transfer resulting in the objection.
8. Audits and inspections
Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in the Data Protection Laws.
Processor shall allow for, and contribute to, audits, including inspections, conducted by an auditor mandated by Controller in order to verify compliance of Processor with the DPA, however provided that: a) Controller notifies Processor of the audit or inspection by providing prior written notice as early as reasonably possible, however at least twenty-one (21) calendar days prior to the audit or inspection; b) any auditor used by Controller is a recognised, independent third party with proven experience and procedures in conducting such audits and inspections; and c) both Controller and the auditor enter into a confidentiality agreement with Processor.
In the event of an audit request directly from a relevant supervisory authority, Processor shall assist Controller in answering the request and organizing the audit.
Controller shall bear all costs arising in connection with an audit or inspection meant in this Section 8. Notwithstanding the foregoing, if the audit or inspection reveals that Processor has not complied with its material obligations under this DPA or the Data Protection Laws, Processor shall bear a proportion of such costs equivalent with the severity of its non-compliance.
1. Description of processing – Content marketing services
- The subject matter and duration of the processing
Provision of the Service for the duration of the Agreement and up to one hundred eighty days after the Service is cancelled or this Agreement is terminated.
- The nature and purpose of the processing
Provide efficient ad targeting for Campaigns enabled through the Service.
- Type(s) of personal data
Data provided by the Controller, such as CRM data or segment data.
- Categories of data subjects
Customers of the Controller or users of Websites, meaning users who are exposed to or who have interacted with Campaigns.
- Sub-processors authorized to process Personal Data
Sub-processor | Address | Description of processing |
Amazon Web Services (AWS) | One Burlington Plaza, Burlington Road, Dublin 4, Dublin, Ireland. | Storing, processing, and visualizing data for logging ad traffic, ad fraud prevention, providing statistics/metrics on the performance of advertising campaigns and websites. |
- Data transfers
The hosting location is Frankfurt, Germany. In accordance with the AWS DPA, available at https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf, AWS will not transfer data from the selected region except as necessary to provide the services initiated by Customer, or as necessary to comply with the law or valid and binding order of a governmental body. Transfers of data, if any, will be subject to safeguards set out in the AWS DPA, such as EU SCCs.