Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into the Terms and Conditions of the Publisher Program (“T&Cs”) and all current and future amendments and related orders by and between you (“Publisher” or “Controller”) and Iconpeak (“Company” or “Processor”), and collectively constitute the “Agreement”. This DPA is supplemental to the Agreement and sets out the terms governing the processing of Personal Data by Company on behalf of Publisher under the Agreement.
The purpose of this DPA is to ensure such processing is conducted in accordance with applicable laws, including the Data Protection Laws, and with due respect for the rights and freedoms of individuals whose Personal Data are processed. The term of this DPA shall follow the term of the Agreement.
1.1 Capitalized terms used but not otherwise defined herein shall have the same meaning as set forth in the Agreement.
1.2 “Data Protection Laws” means the General Data Protection Regulation (“GDPR”) (EU 2016/679) and all applicable legislation relating to data protection and privacy, including without limitation all local laws, regulations and secondary legislation, together with any national implementing laws, as amended or updated from time to time.
1.3 The terms “Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processing” as used in this DPA have the meanings given in the GDPR.
2. Processing of Personal Data
2.1 Compliance with Data Protection Laws. Both parties will comply with all applicable requirements of the Data Protection Laws.
2.2 Details of the Processing. The subject matter and duration of processing, nature and purpose of processing, specific types of Personal Data that Company will process and categories of Data Subjects whose Personal Data will be processed are set forth in Schedule 1 (Scope of Processing).
2.3 Roles of the Parties. The parties acknowledge that, under the Data Protection Laws, Company is the data processor and Publisher is the data controller or processor, as applicable, of Personal Data.
2.4 Authorisation by Third Party Controller. If Publisher is a processor, Publisher warrants to Company that Publisher’s instructions and actions with respect to Personal Data, including its appointment of Company as another processor, have been authorised by the relevant controller.
2.5 Publisher Instructions. Publisher instructs Company to process Personal Data:
- a) in accordance with the Agreement and Schedule 1;
- b) to provide the Services and any related technical support;
- c) as further specified via Publisher’s use of the Services (including in the settings and other functionality of the Services) and any related technical support; and
- d) to comply with other reasonable instructions provided by Publisher where such instructions are consistent with the terms of the Agreement and this DPA.
2.6 Company’s Compliance with the Instructions. Company shall collect, process and use Personal Data only within the scope of Publisher’s instructions. Company may process Personal Data other than on the instructions of Publisher if it is required under applicable law to which Company is subject. Where Company is relying on applicable law as the basis for processing Personal Data, Company shall promptly notify Publisher of this before performing the processing required by the applicable law unless such applicable law prohibits Company from so notifying Publisher. If Company believes or becomes aware that any of Publisher’s instructions conflict with any Data Protection Laws, Company shall inform Publisher promptly and cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Publisher issues new instructions with which Company is able to comply. If this provision is invoked, Company will not be liable to Publisher under the Agreement for any failure to perform the Services until such time as the Publisher issues new instructions in regard to the processing.
3. Publisher’s Obligations
- a) it has complied, and will continue to comply, with all statutory requirements imposed by the Data Protection Laws, including but not limited to having an adequate legal basis for processing Personal Data in accordance with the terms of the Agreement and this DPA;
- b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Company for processing in accordance with the terms of the Agreement and this DPA;
- c) it will inform Company comprehensively and without undue delay about any errors or irregularities related to statutory provisions on the processing of Personal Data.
4. Company’s Obligations
- a) implement appropriate technical and organizational measures to safeguard Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
- b) ensure that all persons who have access to and/or process Personal Data, including its personnel, contractors and Subprocessors to the extent applicable to their scope of performance, are subject to confidentiality obligations with respect to the Personal Data;
- c) comply with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred;
- d) assist the Publisher, at Publisher’s cost and by appropriate technical and organizational measures considering the nature of processing, in fulfilling Publisher’s obligations to respond to Data Subjects’ requests under the Data Protection Laws, to the extent Publisher does not have access to the Personal Data necessary to respond to such requests through its use or receipt of the Services. For the avoidance of doubt, Publisher is solely responsible for responding to Data Subjects’ requests for access, correction, restriction, objection, erasure or data portability, as applicable, of that Data Subject’s Personal Data;
- e) take reasonable measures to cooperate and assist Publisher in conducting a data protection impact assessment and related consultations with any supervisory authority, if Publisher is required to do so under the Data Protection Laws;
- f) notify Publisher without undue delay on becoming aware of a Personal Data breach affecting Personal Data, provided that such breach is not caused by Publisher or Publisher’s personnel or end users. At Publisher’s request, Company will promptly provide Publisher with all reasonable assistance necessary to enable Publisher to notify Personal Data breaches to competent authorities and/or affected Data Subjects, if Publisher is required to do so under the Data Protection Laws;
- g) make available to Publisher all information reasonably necessary to demonstrate Company’s compliance with this DPA. No more than once per year, Publisher may engage a mutually agreed upon third party to audit Company solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, Publisher must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to firstname.lastname@example.org. The auditor must execute a written confidentiality agreement acceptable to Company before conducting the audit. The audit must be conducted during regular business hours, subject to Company’s policies, and may not unreasonably interfere with Company’s business activities. Any audits are at Publisher’s sole cost and expense; and
- h) upon termination or expiration of the Agreement, cease all processing of Personal Data subject to this DPA and delete or make available to Publisher for retrieval all relevant Personal Data in Company’s possession, except as otherwise prohibited, allowed or required by any applicable law. Company shall extend the protections of the Agreement and this DPA to any such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention.
5.1 Consent to Subprocessor Engagement. Company shall be entitled to engage third-party processors (“Subprocessors”) to fulfil its obligations defined in the Agreement only with Publisher’s written consent. Publisher hereby consents to Company appointing the third parties and affiliated companies listed at [*LINK WITH LIST OF SUBPROCESSORS*] as Subprocessors of Personal Data under this DPA.
5.2 Requirements for Subprocessor Engagement. Company will execute contracts imposing data protection obligations on its Subprocessors that are at least equivalent to those data protection obligations imposed on Company under this DPA. As between Publisher and Company, Company shall remain fully liable for all acts or omissions of any Subprocessor appointed by it pursuant to this Section 5.2.
5.3 Objection to New Subprocessors. If Company engages a new Subprocessor, Company will notify Publisher by updating its list of Subprocessors located on its website and informing Publisher of the change via email or the use of Company Platform. Publisher has the right to object to the engagement of new Subprocessors within 30 days after being notified, provided that the objection is based on reasonable grounds. If Publisher and Company are unable to resolve such objection, the parties will work together to find a mutually agreeable solution.
6. General Provisions
6.1 Except as stated in this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control as it relates to processing of Personal Data.
6.2 Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
6.3 The party agreeing to this DPA as Publisher represents that it is authorized to agree to and enter into this DPA for, and is agreeing to this DPA solely on behalf of, the Publisher.
6.4 Any claims brought under this DPA shall be subject to the Terms and Conditions of the Publisher Program, including but not limited to, the exclusion and limitations set forth in the Agreement.
Schedule 1 Details of the Processing
Details of Data Processing
1. Subject Matter: The subject matter of the data processing under this DPA is the provision of the Services and any related technical support to Publisher.
2. Duration: Personal Data will be processed for the duration of the Agreement, in accordance with its terms, except as otherwise required by applicable law.
3. Purpose: The purpose of the processing of Personal Data under this DPA is the provision of the Services and any related technical support to Publisher and the performance of Company’s obligations under the Agreement and any applicable order, or as otherwise agreed by the parties in mutually executed written form.
4. Nature of the Processing: Company provides the Services as described in the Agreement, which involve processing Personal Data upon the instruction of the Publisher in accordance with the terms of the Agreement and any applicable order.
5. Categories of Data Subjects: Personal Data relates to the following categories of data subjects:
- a) Employees, agents, advisors, representatives, consultants, partners of Publisher (who are natural persons); and/or
- b) Publisher’s end users.
6. Types of Personal Data: Identification and contact information, including name and email address, the extent of which is determined and controlled by the Publisher in its sole discretion; financial information; other Personal Data such as navigational data (including website usage information), system usage data, application integration data; and other information about Publisher’s end users, such as online identifiers, including IP address, cookie identifier, device identifier, and advertising identifier.
7. Sensitive and Special Categories of Personal Data: Publisher shall not send Company any Sensitive or Special Categories of Personal Data, as defined in the Data Protection Laws.