Data Processing Agreement (DPA)

DATA PROCESSING TERMS

Parties and background

These Data Processing Terms (“Terms”) form an integral part of the Agreement (“Agreement”) which governs the use of Services (as defined below) provided by Readpeak Oy to the Customer, as defined below.

In the course of providing the Service to the Customer pursuant to the Agreement, Readpeak Oy may process personal data on behalf of the Customer as a Data Processor.

Definitions

Advertiser means any advertiser, agency, network or other party that purchases and publishes native advertisement campaigns on Publishers’ Media Sites using the Service. 

Campaign means a native advertisement campaign that Advertisers purchase and publish on Publisher’s Media Sites.

Customer means Advertiser or Publisher for which Readpeak is providing the Services.

Service means the services described in the Agreement provided by Readpeak.

Publisher means the media partner providing the Media Sites.

Data Processing Agreement means the binding contract between controller and processor on the processing of personal data on behalf of the controller referred to in Article 28 of the EU GDPR or Article 28 of the UK GDPR.

Data Protection Laws means any applicable EU and national data protection legislation as amended from time to time, including but not limited to the EU GDPR, national legislation supplementing the EU GDPR, UK GDPR, and the instructions and orders of the data protection authorities in so far as those instructions and orders are binding.

EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Media Sites mean all websites, applications, content platforms or other media properties owned or operated by Publisher or its Affiliates that are in the scope of the Agreement.

Personal Data, Data Subject and Personal Data Breach shall have the meaning they are given in the GDPR.

Sub-processor means a data processor (as meant in Article 4(8) of the GDPR) engaged by Processor for carrying out specific processing activities on behalf of Controller.

UK GDPR means the United Kingdom General Data Protection Regulation.

Websites mean the website(s), applications, content platforms or other media properties owned or operated by the Advertiser promoted in a Campaign.

Term and termination

These Terms shall become effective at the same time as the Agreement and continue to be effective until the Agreement has expired or has been terminated and the Parties have completed all their obligations pursuant to the Agreement and these Terms.

For the Data Processing Agreement, the Processor shall upon termination of this DPA delete all Personal Data to Controller, unless and to the extent mandatory European Union or national law which Processor is subject to requires retention of such Personal Data.

Data Processing Agreement

This Data Processing Agreement concerns the processing of Personal Data by Readpeak (“Processor”) on behalf of the Customer (“Controller”) for the purposes of providing the Service subject to the Agreement.

  1. Details of the processing

The subject matter, nature and purpose of processing, the types of personal data and data subjects, and duration of processing are defined in Description of processing.

  2. General responsibilities of the Controller

The Controller ensures that it has the right to disclose to the Processor the Personal Data for the processing carried out by the Processor subject to this Addendum. Controller authorises Processor to process the disclosed Personal Data in accordance with the Agreement and this DPA. 

  3. General responsibilities of the Processor

Processor shall process Personal Data on Controller's behalf, only in accordance with the Data Protection Laws and this DPA. Processor shall not process Personal Data for any other purposes than those specified in the Agreement and/or this DPA.

Processor shall process the Personal Data only on the documented instructions of the Controller, unless required to deviate from such instructions in order to comply with the Data Protection Laws. In such case, Processor shall inform Controller of such requirement before processing of the Personal Data, unless the Data Protection Laws prohibit such notification. The Parties acknowledge and agree that this DPA and the Agreement contain the instructions provided by Controller, with all possible amendments to the instructions being separately agreed in writing between the Parties.

Processor notifies Controller without undue delay if, in Processor's opinion, Controller’s instructions infringe Data Protection Laws. For the avoidance of doubt, the Parties acknowledge and agree that Controller shall be responsible for ensuring that the instructions are in accordance with the Data Protection Laws.

Processor ensures that persons under its responsibility that are authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Where possible, Processor shall assist Controller in the fulfilment of Controller's obligation to respond to requests for exercising the Data Subjects' rights laid down in the Data Protection Laws, including Chapter III of the GDPR, taking into account the nature of processing and the information available to Processor.

Processor shall reasonably assist Controller, at the request of and at the expense of Controller, in ensuring compliance with Controller's obligations pursuant to the Data Protection Laws, including Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Processor.

  4. Security of data processing

Processor shall implement technical and organisational measures to ensure an appropriate level of security of the Personal Data processing and to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Processor's afore-mentioned security measures shall meet the requirements of the Data Protection Laws.

  5. Personal Data Breaches

In the event of a Personal Data Breach, Processor shall notify Controller without undue delay but no later than forty-eight (48) hours after Processor has become aware of the Personal Data Breach.

To the extent available to the Processor, the notification shall contain at least the following information:

  1. a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
  2. the name and contact details of the person responsible for Processor’s data protection matters;
  3. a description of likely consequences and/or realised consequences of the Personal Data Breach; and
  4. a description of the measures taken to address the Personal Data Breach and to mitigate its possible adverse effects.

Where it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.

Unless otherwise agreed, Controller is liable for notifying data protection authorities and Data Subjects of a Personal Data Breach, when applicable.

  6. Sub-processors

Controller hereby gives Processor a general written authorisation to engage Sub-Processor(s) when fulfilling Processor's contractual obligations provided such Sub-Processors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the Data Subject.

Should any Sub-Processor fail to fulfil its data protection obligations, Processor shall remain liable to Controller for the performance of any such Sub-Processor's obligations.

Processor shall impose the same, corresponding or materially equivalent obligations as set out in this DPA on its Sub-Processors by way of a contract.

Sub-Processors relevant to the processing of Personal Data subject to this DPA are specified in Description of processing. Processor shall inform Controller in advance of any intended changes concerning the addition or replacement of Sub-Processors and Controller shall have the right to object to such changes by notifying Processor in writing within twenty (20) business days after the receipt of Processor’s notice about the changes. Should the Parties be unable to resolve such objection by Controller, Controller has the right to terminate the Agreement and this DPA with thirty (30) days' notice, however subject to Processor enacting the change in Sub-Processors resulting in the objection.

  7. Transfers of Personal Data

Controller hereby gives Processor a general written authorization to transfer Personal Data outside the EU/EEA/UK provided that Processor ensures that any such transfers are conducted in accordance with the Data Protection Laws, e.g. by ensuring that the transfer is covered by an appropriate safeguard and necessary supplementary measures where applicable.

Transfers relevant to the processing of Personal Data subject to this DPA are specified in Description of processing. Processor shall inform Controller in advance of any intended new transfers and Controller shall have the right to object to such changes by notifying Processor in writing within twenty (20) business days after the receipt of Processor’s notice about the changes. Should the Parties be unable to resolve such objection by Controller, Controller has the right to terminate the Agreement and this DPA with thirty (30) days' notice, however subject to Processor enacting the new transfer resulting in the objection.

  8. Audits and inspections

Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and in the Data Protection Laws. 

Processor shall allow for, and contribute to, audits, including inspections, conducted by an auditor mandated by Controller in order to verify compliance of Processor with the DPA, however provided that:

  1. Controller notifies Processor of the audit or inspection by providing prior written notice as early as reasonably possible, however at least twenty-one (21) calendar days prior to the audit or inspection;
  2. any auditor used by Controller is a recognised, independent third party with proved experience and procedures in conducting such audits and inspections; and
  3. both Controller and the auditor enter into a confidentiality agreement with Processor.

In the event of an audit request directly from a relevant supervisory authority, Processor shall assist Controller in answering the request and organizing the audit. 

Controller shall bear all costs arising in connection with an audit or inspection meant in this Section 8. Notwithstanding the foregoing, if the audit or inspection reveals that Processor has not complied with its obligations under this DPA or the Data Protection Laws, Processor shall bear a proportion of such costs equivalent with the severity of its non-compliance.

Description of processing – Readpeak platform services

  1. The subject matter and duration of the processing;

     Usage of the Service. Duration of processing is the term of the Agreement.

  2. The nature and purpose of the processing;

     The supply of Services and enabling Controller to use the Services.

  3. Type(s) of personal data;

     End-users: IP address, Ad-placement ID, Ad-impression URL, Ad-click URL, Semantic context of Ad-impression

     Users of the platform: name, user ID, IP address, email address, phone number

  4. Categories of data subjects

     End users, meaning users who are exposed to or interacted with ad-campaign ads; users of the platform.

  5. Sub-processors authorized to process Personal Data.
  6. Data transfers.

N/A

2022 © ReadPeak Oy