Data Processing Agreement

DATA PROCESSING AGREEMENT (DPA)

1 Background and purpose


1.1 This data processing agreement (“DPA”) forms an integral part of the Terms of Service (“Agreement”) which governs the use of Services (as defined in Section 2) provided by Readpeak Oy to the Customer, as defined below.

1.2 In the course of providing the Service to the Customer pursuant to the Agreement, Readpeak may process Personal Data on behalf of Customer. The purpose and scope of this DPA is to agree on the terms and conditions for the Processing of Personal Data by Readpeak on behalf of the Customer in connection with the Services. This DPA together with the Agreement forms a data processing agreement in the meaning of applicable Data Protection Laws.

2 Definitions

2.1 For the purpose of this DPA, unless expressly otherwise stated or evident in the context, the following capitalised terms shall have the following meanings, the singular (where appropriate) shall include the plural and vice versa:

“Controller” means the entity, which determines the purposes and means of the Processing of Personal Data.
“Customer” means Readpeak’s customer or other business partner for which Readpeak is providing the Services.
“Data Protection Laws” means applicable data protection regulations and legislation, including but not limited to the GDPR and the data protection or privacy laws of any other country.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU” means European Union.
“EEA” means the European Economic Area.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
“Personal Data” shall have the meaning set forth in GDPR.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Services” mean the services described in the Agreement and other services supplied by or on behalf of Readpeak.
“Standard Data Protection Clauses” has the meaning given to it in Section 5.4.
“Sub-processor” means another processor engaged by Readpeak in the Processing of Personal Data and, where applicable, possible other Processor engaged by the Sub-processor of Readpeak.
“Supervisory authority” shall have the meaning set forth in the GDPR.

2.2 For clarity, unless expressly otherwise stated, the applicable definitions provided in the Agreement shall be applied to this DPA. In case a definition provided in this DPA and a definition provided in the Agreement conflicts, for the purposes of this DPA the definition provided in this DPA shall prevail.

3 Processing of Personal data

3.1 Roles of the Parties

3.1.1 For the purposes of the Processing of Personal Data, the Customer shall be the Controller (or, where working on a Controller’s behalf, the Processor, as the case may be) and Readpeak shall be the Processor. There are also other parties involved in the provision of the Services (such as media publishers). However, Readpeak does not have access to the personal data held and processed by such third parties and such processing is not in the scope of this DPA.

3.2 Subject matter, nature and purpose


3.2.1 For the purposes of performing the Services, Readpeak Processes Personal Data on behalf of the Customer.
3.2.2 The nature and the purpose of the Processing is to supply and enable the Services provided by Readpeak to the Customer. The Processing of Personal Data shall take place solely for the purposes defined herein and Readpeak shall not be entitled to use the Personal Data for any other purposes, unless otherwise stated in the Agreement.
3.2.3 Nothing in this DPA shall operate to transfer, assign or otherwise grant to Readpeak any right or interest to the Personal Data, unless otherwise stated in the Agreement.

3.3 Personal data and Data subjects

3.3.1 The types of Personal Data, considering the nature of the Services, consist of IP address, User ID, Ad-placement ID, Ad-impression URL, Ad-click URL, Semantic context of Ad-impression.
3.3.2 Personal Data may also include other types of Personal Data if required by the purpose of the Processing as agreed between the Parties.
3.3.3 The types of Data Subjects consist of Internet users who see and/or click the advertisement. The Personal Data may also concern other categories of Data Subjects if required by the purpose of the Processing as agreed between the Parties.

3.4 Duration and termination of the Processing


3.4.1 This DPA becomes effective simultaneously with the Agreement and shall continue to be in effect until the Agreement is terminated. The duration of the Processing of Personal Data is conditional to the term of the Agreement. Certain Processing activities shall be conducted as long as such Processing is required for the supply of the Services.
3.4.2 If any Processing by Readpeak is required after termination of the Agreement, e.g. in order to transfer data back to the Customer, such Processing shall be conducted in accordance with the provisions of this DPA.
3.4.3 In the event of termination of the Agreement, Readpeak shall delete the Personal Data or, if requested by the Customer in writing, return the Personal Data to the Customer in a commonly used format as soon as practically possible after the end of the Agreement, after which the Personal Data shall be deleted from the systems of Readpeak.
3.4.4 If and to the extent it is required by law that any Personal Data need to remain in the possession of Readpeak, the Customer shall be notified thereof and shall be provided with copies of such data. In such case, Readpeak shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is processed only when necessary for the purpose(s) specified in the applicable laws requiring such storage and for no other purpose.
3.4.5 After the termination of the Agreement, Readpeak shall provide, upon the Customer’s request, the Customer with a written certification that it has fully complied with the Subsections from 3.3.3 to 3.3.4 above.

3.5 Instructions for Processing

3.5.1 The Personal Data shall be processed in accordance with Customer’s documented instructions for Processing of the Personal Data. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Readpeak for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws.
3.5.2 Readpeak shall process the Personal Data only according to documented instructions given by the Customer, including with regard to transfers of Personal Data to a country outside the EU/EEA.
3.5.3 If Readpeak may not follow the instructions given by the Customer due to applicable compelling laws or it considers an instruction to infringe any law, Readpeak shall immediately inform the Customer of such matter.

3.6 General obligations of the Parties

3.6.1 Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws.
3.6.2 Parties shall comply with all applicable Data Protection Laws in the Processing of the Personal Data. In addition, Readpeak must adhere to good practices of the industry.
3.6.3 Readpeak shall implement appropriate technical and organisational measures for security of Processing in order to ensure an appropriate level of security as required by the Data Protection Laws and considering the Personal Data specified in Section 3.3, including the measures provided in the Section 6 below.
3.6.4 Readpeak shall provide reasonable assistance to the Customer in ensuring compliance with the provisions on security of the Personal Data as set forth in the Data Protection Laws.
3.6.5 Readpeak shall assist the Customer by appropriate technical and organisational measures in the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws.
3.6.6 Readpeak shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the Data Protection Laws, in particular with the principles relating to Processing of Personal Data as laid down in the GDPR.

4 Subcontractors

4.1 Upon Customer’s request, Readpeak shall inform the Customer in writing of the Sub-processors used in the Services and the specific Processing activities they are engaged for. Readpeak shall also inform the Customer in writing of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes.

4.2 Where Readpeak engages a Sub-processor for Processing, Readpeak has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor, in particular regarding the provision of sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the applicable Data Protection Laws.

4.3 Where a Sub-processor fails to fulfil its data protection obligations, Readpeak shall remain fully liable to the Customer for the performance of the Sub-processor’s obligations and any liabilities related thereto to the same extent Readpeak would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

5 Location and transfers of data

5.1 Readpeak may transfer to or process Personal Data in a non-EU/EEA country, which the EU Commission has not found to provide an adequate level of protection. In case Readpeak or Sub-processor engaged by Readpeak processes or in any way makes the Personal Data accessible outside the EU/EEA countries it must secure that such Processing is performed under appropriate safeguards and otherwise complies with the statutory requirements regarding the Processing of Personal Data outside the EU/EEA countries.

5.2 When applicable, Readpeak shall assist the Customer to enter into appropriate contractual arrangements with the recipient in a non-EU/EEA country for the transfer of Personal Data to the applicable third countries outside the EU/EEA as adopted and approved by the EU Commission or competent data protection regulatory authority in accordance with applicable Data Protection Laws (“Standard Data Protection Clauses”). Alternatively, the Customer may authorize Readpeak to enter into Standard Data Protection Clauses on its behalf.

5.3 Upon the Customer’s request, Readpeak shall provide written information about the location(s) in which Personal Data is processed pursuant to this DPA.

6 Security of Processing

6.1 Readpeak shall implement and maintain at all times appropriate operational, administrative, physical and technical measures in accordance with common industry practice to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

6.2 Readpeak shall ensure that persons authorised to process the Personal Data have committed themselves to appropriate confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Readpeak shall limit access to the Personal Data to personnel on a need-to-know basis. The Personal Data and the persons accessing any data shall be limited to what is necessary in relation to specific Processing activities.

7 Data breaches

7.1 In case of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data (“Data Breach”), Readpeak shall notify the Customer thereof in writing without undue delay after having become aware of it. The notification shall at least:
(a) describe the nature of the Data Breach, the affected Personal Data, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) communicate the name and contact details of a contact point where more information can be directly obtained in case such person is other than the contact person under the Agreement;
(c) describe the likely consequences of the Data Breach, in particular to the Personal Data; and
(d) describe the measures taken or proposed to be taken by Readpeak to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Where, and in so far as, it is not possible to provide the information under the Section 7.1 at the same time without undue delay, the information may be provided in several parts within the time limit.

7.3 Upon the Customer’s request, Readpeak shall assist the Customer with reasonable effort to document an occurred Data Breach as required by Data Protection Laws.

7.4 Upon the Customer’s request, Readpeak shall assist the Customer with reasonable effort in reporting the Data Breach to the supervisory authority and to the data subjects in accordance with the Customer’s instructions.

8 Audit

8.1 The Customer or another auditor mandated by the Customer may, not more than once a year, audit the level of data protection and the appropriateness of the Processing of Personal Data by Readpeak upon thirty (30) days’ prior written notice to ensure compliance with this DPA and Data Protection Laws.

8.2 The auditor mandated by the Customer may not be a direct or indirect competitor of Readpeak. Readpeak has a right to require the mandated auditor to enter into an appropriate confidentiality agreement prior to the audit.

8.3 Readpeak shall contribute to the aforementioned audits and make available all information required to complete the audits. The audits shall be performed during the normal working hours and shall not unreasonably disturb the operations of Readpeak.

8.4 Customer shall carry all costs relating to the audits and shall reimburse Readpeak for any reasonable costs and expenses that Readpeak may incur due to any such audit. Before the commencement of any such on-site audit, Customer and Readpeak shall mutually agree upon the scope, timing, and duration of the audit.

8.5 The Parties agree that Readpeak has the right to provide the Customer with an audit report covering the data processing and especially the technical and organizational security measures at its own cost. In this case, the Customer agrees that the rights to audit Readpeak have been satisfied and that the Customer has no additional rights under this Section 8 to audit Readpeak provided that

a) the audit has been performed by a recognized, independent third party with proven experience in the field; and
b) the audit report is no older than twelve (12) months.

2020 © ReadPeak Oy