Adplorer Data Processing Addendum EU
May 1, 2022
BY ACCEPTING THIS DATA PROCESSING ADDENDUM OR ACCESSING OR USING THE SERVICE, YOU ARE AGREEING TO THE TERMS AND CONDITIONS OF THIS DATA PROCESSING ADDENDUM.
IF YOU ARE USING ANY SERVICE AS AN EMPLOYEE, AGENT, OR CONTRACTOR OF A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO SIGN FOR AND BIND SUCH ENTITY IN ORDER TO ACCEPT THE TERMS OF THIS AGREEMENT. THE RIGHTS GRANTED UNDER THIS AGREEMENT ARE EXPRESSLY CONDITIONED UPON ACCEPTANCE BY SUCH AUTHORISED PERSONNEL.
The Parties entered into a Service Agreement which requires that the Processor accesses and Processes Personal Data. This agreement together with its exhibit (together the “Data Processing Agreement” or “DPA”) specifies the obligations of the Parties when Adplorer is acting as Processor.
Modifications to this Agreement: From time to time, Adplorer may modify this Data Processing Addendum. Unless otherwise specified by Adplorer, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service Order Form after the updated version of this DPA goes into effect. Adplorer will use reasonable efforts to notify Customer of the changes through communications via Customer’s Account, email or other means.
The “Effective Date” of this DPA is the date which is the earlier of (a) Customer’s initial access to any Service through any online provisioning, registration or order process or (b) the effective date of the first Service Order Form, as applicable, referencing this DPA.
This DPA is entered into by and between Adplorer GmbH & Co. KG (“Adplorer” or “Processor”) and the person or entity placing an order for or accessing the Service (“Customer” or “Controller”). Processor and Controller are individually referred to as “Party” and collectively as “Parties”. In consideration of the terms and conditions set forth below, the parties agree as follows:
1. Scope of contract and Distribution of Responsibilities
1.1 The Parties agree that, for Processing Personal Data, the Parties shall be Controller and Processor.
1.2 Processor shall Process Personal Data only on behalf of Controller and at all times only in accordance with this Data Processing Agreement.
1.3 Within the scope of the Service Agreement, each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.
2. Subject and duration of the contract
The subject matter and the duration of the contract are determined in their entirety according to the information given in the respective contractual relationship. The Processor processes personal data for the Controller as in Art. 4 No. 2 and Art. 28 GDPR on the basis of this mandate.
3. Nature and purpose of the collection, processing or use of data and category of data subjects
(1) Type of data
The subject of the processing of personal data is the following types of data:
- Person Master Data
- Communication data
- Contract Master Data
- Customer history
- Contract settlement and payment data
- Planning and control data
- Behavioural data of people interacting with advertisements and customer websites
- Socio-demographic data of people interacting with advertisements and customer websites
(2) The purpose of the processing is to create, deliver, optimise and manage online marketing campaigns (e.g., search engine advertising and online banner advertising via Google AdWords and Bing Ads, as well as Facebook advertising) for Controllers of the Controller.
(3) Category of affected persons:
The categories of persons affected by processing include:
- Contact persons
- Persons interacting with advertisements
(4) The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seq. GDPR are met.
4. Technical and organisational measures according to Art. 32 GDPR (Art. 28 section 3 sentence 2 lit. c GDPR)
(1) The Processor must document the implementation of the technical and organisational measures set out prior to the award of the contract prior to processing, in particular with regard to the specific execution of the order, and hand them over to the Controller for review (see Annex 1). If accepted by the Controller, the documented measures become the basis of the contract.
(2) The Processor has to establish the security according to Art. 28 section 3 sentence 2 lit. c, 32 GDPR, in particular in conjunction with Art. 5 section 1, section 2 GDPR. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the level of risk with regard to the confidentiality, integrity, availability and resilience of the systems. In this context, the state of the art, the costs of implementation and the nature, scope and purpose of the processing as well as the different probability and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 section 1 GDPR must be taken into account.
(3) The technical and organisational measures are subject to technical progress and further development. In that regard, the Processor is allowed to implement alternative adequate measures. In doing so, the safety level of the specified measures must not be undershot. Significant changes must be documented.
5. Correction, blocking and deletion of data
(1) The Processor may not delete the data, which are processed in the order, on their own initiative or limit their processing. Insofar as an affected person directly addresses the Processor in this regard, the Processor will immediately forward this request to the Controller.
(2) Insofar as included in the scope of services, the deletion concept, right to be forgotten, rectification, data portability and information according to the Controller’s documented instructions are to be ensured by the Processor directly.
6. Quality assurance and other obligations of the Processor
In addition to compliance with the provisions of this order, the Processor has statutory obligations in accordance with Art. 28 to 33 GDPR; in this respect, it ensures in particular compliance with the following requirements:
- As Data Protection Officer of the Processor, Mr. David Okonek is authorised (+49 2234 999621, firstname.lastname@example.org). A change of the data protection officer is to be announced to the Controller immediately.
- The preservation of confidentiality in accordance with Art. 28 section 3 sentence 2 lit. b, 29, 32 section 4 GDPR. The Processor will use only employees who are committed to confidentiality and who have been previously familiarised with the data protection regulations that are relevant to them. The Processor and any person subordinated to the Processor who has access to personal data may process such data only in accordance with the instructions of the Controller, including the powers granted in this contract, unless they are legally obliged to process.
- The implementation and compliance with all technical and organisational measures required for this contract comply with Art. 28 section 3 sentence 2 lit. c, 32 GDPR. The Controller and the Processor work together with the supervisory authority on request to fulfil their tasks.
- Immediate information to the Controller about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies insofar as a competent authority has determined in the context of an administrative or criminal procedure with regard to the processing of personal data in the processing of orders by the Processor.
- Insofar as the Controller is subject to inspection by the supervisory authority, an administrative offence or criminal procedure, the liability claim of a data subject or a third party or any other claim in connection with order processing by the Processor, the Processor shall support him to the best of his ability.
- The Processor will regularly review internal processes and technical and organisational measures to ensure that the processing within his area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the data subject’s rights.
- Verifiability of the technical and organisational measures taken against the Controller within the scope of his control powers described in this agreement.
7. Sub-contractual relations
For the purposes of this regulation, subcontracting relationships are those services that directly relate to the provision of the main service. This does not include ancillary services provided by the Processor, e.g. as telecommunication services, postal / transport services, maintenance and user service as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor is obliged to take appropriate and legally compliant contractual agreements and control measures in order to ensure data protection and data security of the Controller’s data, even with outsourced ancillary services.
The Controller agrees to the commissioning of the following subProcessors under the condition of an agreement in accordance with Art. 28 sections 2-4 GDPR:
|Adplorer GmbH & Co. KG||Richard-Wagner-Strasse 1-3, 50859 Köln, Germany||Support and software development|
|Hetzner Online GmbH||Industriestr. 25, 91710 Gunzenhausen, Germany||Provision of servers|
8. Control rights of the Controller
(1) The Controller has the right to carry out inspections in consultation with the Processor or have them carried out by examiners to be named in individual cases. He has the right to satisfy himself of the Processor’s compliance with this agreement in the Processor’s business through spot checks, which are generally to be announced in good time.
(2) The Processor shall ensure that the Controller can satisfy himself of the compliance with the obligations of the Processor in accordance with Art. 28 GDPR. The Processor undertakes to provide the Controller with the necessary information upon request and, in particular, to prove the implementation of the technical and organisational measures.
(3) The proof of such measures, which concern not only the concrete order, can be carried out alternatively by
- Compliance with approved codes of conduct in accordance with Art. 40 GDPR
- The certification according to an approved certification procedure according to Art. 42 GDPR
- Up-to-date certificates, reports or extracts from independent bodies (e.g. auditors, data protection officers, IT security departments, privacy auditors, quality auditors) and / or
- appropriate certification through IT security or privacy audit (for example, BSI Grundschutz).
(4) The Processor may assert a claim for compensation in order to allow controls by the Controller.
9. Notification in case of violations of the Processor
(1) The Processor shall assist the contracting authority in complying with the obligations on security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as set out in Articles 32 to 36 of the GDPR. These include:
- ensuring adequate levels of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the projected likelihood and severity of a possible breach of security due to security vulnerabilities, and enable the immediate detection of relevant injury events
- the obligation to report violations of personal data immediately to the Controller
- the obligation to support the Controller in providing information to the data subject and to provide all relevant information without delay
- the support of the Controller in their privacy impact assessment
- the support of the Controller in the context of prior consultations with the supervisory authority
(2) For services that are not attributable to a wrongdoing by the Processor, the Processor may claim a fee according to point 11.1.
10. Rights and obligations and authority of the Controller
(1) For the assessment of the admissibility of the processing in accordance with Art. 6 section 1 GDPR as well as for the protection of the rights of the persons concerned according to Art. 12 to 22 GDPR, the Controller is solely responsible. Nevertheless, the Processor is obliged to forward all such requests, if they are clearly directed exclusively to the Controller, to them immediately.
(2) Verbal instructions are confirmed immediately by the Controller (at least in text form).
(3) The Processor must inform the Controller immediately if he believes a directive violates data protection regulations. The Processor is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the Controller.
(4) The Controller informs the Processor immediately if he finds any errors or irregularities in the examination of the order results.
(5) The Controller is obliged to confidentially treat all acquired knowledge of business secrets and data security measures of the Processor within the framework of the contractual relationship. This obligation remains valid even after termination of this contract.
11. Deletion and return of personal data
(1) Copies or duplicates of the data are not created without the Controller’s knowledge. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required to comply with statutory retention requirements.
(2) After conclusion of the contractually agreed work or sooner upon request by the Controller – at the latest upon termination of the service agreement – the Processor has to hand over to the Controller all documents, processing and utilisation results as well as data stocks which are in connection with the order relationship to be destroyed in accordance with data protection laws with prior consent, insofar as the data and documents are not subject to proof of orderly and proper provision of services or statutory retention periods. The same applies to test and scrap material. The Processor will inform the Controller upon request about the nature and the time of deletion.
(3) If additional costs arise due to the deletion or return of the data, the Controller must bear these costs. The Processor will estimate the amount of the costs in advance and inform the Controller. A settlement takes place only after written cost approval by the Controller.
12. Other agreements
(1) A fee for this order is not required. Insofar as the Controller requires support in accordance with section 4 for answering inquiries from interested parties, he shall reimburse the costs incurred as a result. Insofar as the Controller is exercising control rights in accordance with section 7, the amount of the fee to be agreed in advance shall be based on a fixed hourly rate of the employee assigned to the Processor for support. If the Controller issues instructions to the Processor in accordance with section 9, he shall be reimbursed for any costs arising from this instruction.
(2) The Controller agrees to pay an hourly rate of 80 € / h as compensation for the work of product managers or data protection officers and 120 € / h for the work of developers. The Processor will estimate the amount of the costs in advance and inform the Controller. A settlement takes place only after written cost approval by the Controller.
12.2. Contract duration
This agreement is dependent on the existence of a principal contract in accordance with section 1. The termination or other ending of the main contract in accordance with section 1 also terminates this agreement. The right to isolated, extraordinary termination of this agreement and the exercise of legal rights of withdrawal specifically for the agreement remain unaffected.
12.3. Final provisions
(1) The law of the Federal Republic of Germany shall apply.
(2) Place of fulfilment and jurisdiction is Cologne.
(3) Should individual parts of this agreement be ineffective or lose their legal validity by a later circumstance, this does not affect the validity of the remaining provisions.
Technical and organisational measures according to Art. 32 GDPR
Adplorer takes the following technical and organisational measures to ensure that the level of protection for the processing of personal data, taking into account the state of the art and the costs incurred, is adequate to the risk:
1. Ensuring confidentiality
- Admission control
  - Access is protected by a manual locking system.
  - Documented key assignment to employees.
  - If personal data is documented in physical form, it will be stored in lockable cabinets.
- Access control
  - Access to workstations and data processing systems is password protected.
  - To ensure high security standards when using passwords, a documented password concept is implemented.
  - The office network is protected against unauthorised access by a hardware firewall.
- Data access control
  - Task-related authorization concept.
  - Access authorizations are managed by system administrators whose number is limited to the bare essentials.
  - Unused access permissions are regularly deactivated or deleted.
  - Media is deleted before reuse.
2. Ensuring integrity
- Restriction to reading rights
  - Unless a data change to order fulfilment is necessary, users will only be granted reading rights.
- Data changes on the most important data processing systems are automatically logged.
- Relevant user activities are logged.
3. Ensuring availability
- Security updates are regularly performed on the workstations.
- The workstations use anti-virus software and SPAM filters.
- Careful selection of resilient servers.
- Daily required data is provided via the database server of the specialised hosting provider Hetzner Online GmbH. The provider meets high safety standards and is ISO27001 certified.
4. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organisational measures
- Privacy-friendly presets
  - Privacy-friendly presets are taken into account in new software developments.
- Order control
  - Adplorer has appointed a data protection officer.
  - The persons entrusted with the fulfilment of the contract are instructed under data protection law.