DATA PROCESSING AGREEMENT
Last Update: July 22nd, 2024
This Data Processing Agreement is between Azerion and you, the Seller, each a “Party” and collectively the “Parties” as specified under the Terms. By receiving the Pixel Services from Azerion, you agree to the provisions of this DPA.
WHEREAS:
A. Seller shall appoint Azerion as a processor for the processing of Processor Data for the provision of the Pixel Services and as detailed under Schedule 1.
B. In relation to the foregoing, each Party undertakes to comply with the applicable personal data protection legislation as well as any special law concerning the regime of information it processes within its activities.
C. All definitions used in Terms and Addendum apply mutatis mutandis to this DPA.
TERMS
1. Definitions
DPA: means this Data Processing Agreement;
Pixel Services: provision of Azerion Pixel under the Terms;
Processor Purposes: means the purposes for which Azerion processes Personal Data under this DPA on behalf of Seller as detailed under Schedule 1;
Processor Personal Data: means the Personal Data processed by Azerion under this DPA on behalf of Seller as detailed under Schedule 1;
Personal Data: any information relating to a Data Subject;
Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. References in this Agreement to ‘Process’ and ‘Processed’ shall be construed accordingly;
Supervisory Authority: means (a) an independent public authority which is established by a member state pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of EU Data Protection Laws.
2. Scope of DPA
2.1. This DPA sets out the framework for Processing of Personal Data in the context of the provision Pixel Services by Azerion. It defines the principles and procedures that Parties shall adhere to and establishes the mutual responsibilities between Parties and towards Data Subjects.
2.2. Seller shall comply with all the obligations imposed on a Controller under the EU Data Protection Laws. Parties acknowledge that certain EU Data Protection Law (such as the GDPR) may apply to Parties regardless of where Parties are established.
3. Data Processing Activities
Parties agree that Processor Purposes and the details regarding the means of Processing, the categories of Personal Data, categories of Data Subjects, duration of Processing are laid out in Schedule 1 of this DPA.
4. Processing of Processor Data by Azerion
4.1. Seller, as Controller, hereby instructs Azerion, as a Processor to Process the Processor Personal Data on behalf of Seller for Processor Purposes detailed under Schedule 1. The instructions of Seller are described in more detail in this DPA and, in certain cases, additionally in the Terms. Publisher can provide supplementary instructions or changed instructions in writing. Azerion may oppose such instructions of the Publisher if it deems that they are unlawful under the applicable data protection laws, including EU Data Protection Law. In that regard, if Seller disagrees with the opposition of Azerion, Azerion may terminate this DPA as well as the Terms without incurring any liability in connection therewith.
4.2. Azerion provides Seller with information about Processing of Processor Personal Data on behalf of Seller in Schedule 1. Seller affirms that the information provided has been sufficient for it to make an informed decision and determination of the purposes and means with regard to the Processing of Processor Personal Data.
4.3. Seller undertakes to inform Data Subjects about the involvement of Azerion, as a Processor, in Processing of Personal Data, the nature, scope and purposes of Processing of Publisher Personal Data by Parties, as well as all the other required information accurately and pursuant to Articles 13 and 14 GDPR.
5. Technical and Organizational Security Measures
Azerion shall implement and maintain the technical and organizational measures required pursuant to Article 32 GDPR in line with its security policy, including all organizational and technical security measures necessary to protect Processor Personal Data against unauthorized or accidental access, loss, alteration, disclosure, or destruction of Processor Personal Data, in particular where Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
6. Sub Processors
6.1. Azerion is authorized to engage sub processors and other third parties for carrying out Processing of Processor Personal Data for Processor Purposes determined under this DPA. Publisher hereby gives its revocable general authorisation to engage such third parties provided that Azerion duly notifies Seller
and Seller has the opportunity to object to such changes. If Azerion cannot reasonably be asked to not make such changes, Azerion may terminate Terms without incurring any liability in connection therewith.
6.2. When engaging a sub processor, Azerion will ensure that the same data protection obligations as set out in this Data Processing Agreement and the Terms are imposed on that sub processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of EU Data Protection Law. For the avoidance of doubt, Azerion is required to impose similar provisions on any sub processors, but is not required to impose the obligations of this DPA verbatim or back-to-back.
6.3. Processing of Processor Personal Data may result in a transfer to a third country or an international organization. Each Party shall not transfer any Personal Data outside of the EEA unless it has a lawful basis for that transfer, including fulfilling any of the following conditions: (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR, including entering into Standard Contractual Clauses in the form approved by the EU Commission; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.
7. Deletion and Destruction of Processor Personal Data
7.1. On the expiration of the Terms or on the expiration of the applicable term for saving Processor Personal Data (to be determined by Seller), Azerion will, at the option of Seller: (i) delete all the Processor Personal Data from its systems (automated or otherwise) or the systems it uses to store data, or (ii) return the Processor Personal Data, in both cases without keeping any copies of the Processor Personal Data.
7.2. Azerion may derogate from the provisions in the above paragraphs insofar law requires storage of the Processor Personal Data, or as this is necessary in order to prove compliance with its obligations to Controller under this DPA.
8. Assistance
8.1. Azerion, taking into account the nature of Processing and the information available to itself, shall make commercially reasonable efforts to assist Seller in ensuring compliance with the obligations of Publisher under EU Data Protection Law vis-à-vis Data Subject such as the right to be provided with information about the Processing, the right of access, the right to rectification, the right to erasure, the right to a restriction of Processing, the right to data portability, or the right to object to automated individual decision making if any.
8.2. In the event a Data Subject directs any of the above requests to Azerion, Azerion shall make commercially reasonable efforts to refer Data Subject to Seller and otherwise not respond itself to the request, except if required by EU Data Protection Law.
8.3. Azerion will, taking into account the nature of Processing and the information available to Azerion, assist Seller in carrying out any data protection impact assessment or prior consultation as required by EU Data Protection Law.
8.4. Azerion can recover its costs, including out-of-pocket costs for assistance from outside advisors and sub processors, incurred in assisting Seller.
9. Audit Rights
9.1. To the extent Azerion deems required by EU Data Protection Laws in relation to Processing of Processor Personal Data, Azerion will allow for and contribute to audits, including inspections, conducted by Seller or another auditor mandated by Seller, provided such an audit or inspection can in principle only be done once a year. In that regard, Seller has the right, following an advanced notice of at least 20 (twenty) working days, to arrange to investigate the establishment(s) and/or systems of Azerion. Any mandated auditor should have demonstrable experience in performing such audits or inspections. The investigation shall not extend beyond what is necessary for the purpose as described in this paragraph and does not include systems owned by third-parties or sub processors.
9.2. Each Party shall bear its own costs associated with the investigation as referred to in paragraph 1 of this clause and Seller will bear the costs of the independent auditor if the investigation shows that Azerion has substantially complied with its obligations pursuant to this DPA.
9.3. Azerion will inform Seller if, in its opinion, an instruction in connection with the investigation referred to in this clause infringes EU Data Protection Law, for example if with such audit or inspection Seller or its mandated auditor would gain access to Personal Data other than Processor Personal Data processed on behalf of Seller.
9.4. Parties agree to handle any information related to inspections and requests for information confidential to the extent legally permitted.
9.5. Azerion can recover its costs, including out-of-pocket costs for assistance from outside advisors and sub processors, incurred in assisting Seller.
10. Data Breaches
10.1. In the event of a Data Breach, Azerion shall within 48 hours after it becomes aware of Data Breach, inform Seller, further to which Seller will – if necessary – immediately inform the relevant Supervisory Authority and/or Data Subjects.
10.2. Azerion will include in the report of the Data Breach, to the extent required by Art. 33 GDPR. Where certain information is not yet available, Azerion will report the information it has available, and straightaway gather – if reasonably possible – all additional information and provide it to Seller.
11. Contact Points
Seller shall submit the notifications due under this Addendum to the email address dpo@azerion.com. Seller shall promptly provide Azerion with the email address where it prefers Azerion to submit its notifications under this Addendum. In case Seller doesn’t provide any address, Azerion shall not be expected to make any notification not it shall be responsible any indirect or direct damages caused by such absence of notification.
12. Liability
The limitations of liability in Terms apply in all cases.
13. Miscellaneous
13.1. No amendment or modification of any provision of this Appendix 1 shall be effective unless in writing and signed by duly authorized representatives of the Parties.
13.2. In case of a conflict between the clauses of this Addendum and the Terms, the clauses of this Addendum shall prevail.
13.3. This Addendum shall expire simultaneously with the Terms.
13.4. This Addendum is governed by the laws of the Netherlands. Any disputes arising out of or in connection with this Addendum shall be brought exclusively before the competent court of Amsterdam, without prejudice to the possibilities of appeal.
SCHEDULE 1
DATA PROCESSING AGREEMENT
A. Service
Pixel Services under Terms
B. Duration of Processing
Duration of Terms
C. Nature and Purposes of processing
- Pixel Services: Processing via pixel and similar technologies for the purposes of determining the interest segments of end users based on the pages within Publisher domains visited to be shared with the Buyer partners of Publisher’s choice and providing reports to Publisher on insights of audiences who visit Publisher’s digital properties
D. Categories of Data Subjects
End users of the Seller’s Properties
E. Types of Personal Data
- Pixel Services: Online identifiers Processed pursuant to the Terms (such as IP addresses, user agent, HTTP header data, interest segments)