Data Processing Agreement
- TERM A: JOINT CONTROLLERS TERMS (“JCT”)
- TERM B: CONTROLLER TO PROCESSOR TERMS (“CTPT”)
This Data Processing Agreement (hereafter the “DPA”) complements the ExoClick Terms and Conditions (the “T&C”), and any other applicable agreement with Advertisers, Publishers, and any other clients (collectively, the “Partner”), and is hereby incorporated into the agreement between ExoClick and the Partner for the provision of the relevant services (the “ExoClick Services”).
This DPA shall reflect the Parties’ agreement with regard to the Processing of Personal Data. In the course of providing the ExoClick Services, ExoClick may Process Personal Data either on behalf of the Partner or not; therefore, the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith, and in accordance with the requirements of Data Protection Law.
“Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under Term A of this DPA, ExoClick and the Partner act as Joint Controllers, and under Term B of this DPA, the Partner acts as Controller. The term “Controller” is considered a “Business” under the CPRA.
“Data Protection Law” means, to the extent applicable in the relevant jurisdiction(s) for the Services, (a) the GDPR and all laws and regulations, (b) the Constitutional Act 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (“LOPDGDD”), (c) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), (d) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 (collectively, “CPRA”) and any regulations promulgated thereunder.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g., a name, an identification number, location data, an online identifier) or to one or more factors specific to that natural person. For the purpose of this DPA, “Data Subject” refers to the natural persons whose Personal Data is processed as part of the provision of the relevant ExoClick Services.
“End User” means Data Subjects visiting and/or using the Partners Platform.
“GDPR” means the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Joint Controller” means a Controller acting jointly with one or several others. They will jointly decide about data processing and the purposes of this data processing. Under Term A of this DPA, ExoClick and the Partner act as joint controllers.
“Partners Platform” means any domain name, website, software application, virtual world, or other digital platform owned, operated, or managed for the purpose of this DPA by the Partner.
“Personal Data” means any information identifying, relating to, describing, or is capable of being associated with, or can reasonably be linked with, an identified or identifiable natural person or household Processed in connection with the provision of the relevant ExoClick Services.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processor” means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller. Under Term A of this DPA, the processors that can be engaged either by ExoClick or the Partner are Processors, and under Term B of this DPA, ExoClick acts as a Processor.
“Processing” means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, by the Controllers or Processors, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Law, including but not limited to: the Spanish Data Protection Agency; the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.
2. Compliance with Law
Each Party shall comply and shall be able to demonstrate its compliance with its respective obligations under the Data Protection Law and in accordance with this DPA.
The Partner specifically acknowledges and agrees that its use of the Joint Controller and Controller-to-Processor Services is compliant with Data Protection Law.
A Party shall not disclose Personal Data to the other Party, except where the disclosing Party warrants to the other Party that this disclosure is compliant with Data Protection Law and that it has complied with any applicable requirement(s) of information, notification to, or of authorization or consent from the relevant public authority(ies) or the relevant Data Subjects, with respect to any Personal Data provided by the disclosing Party to the other Party. Each disclosing Party must retain evidence of compliance with any such requirements for the duration of the DPA and provide it promptly to the other Party upon request.
Nothing in this DPA shall prohibit or limit ExoClick’s rights to implement anonymization of Personal Data processed in connection with this agreement, and to the extent required under Data Protection Law, Partner hereby authorizes ExoClick to implement anonymization techniques in compliance with Data Protection Law. For the sake of clarity, data resulting from effective and compliant anonymization is not subject to this DPA and, more generally, to the Data Protection Law. However, such data shall remain subject to the confidentiality rules agreed in the T&C.
The Parties shall cooperate to comply with the Data Protection Law and to meet their obligations pursuant to this DPA.
The Parties shall keep appropriate documentation on the Processing activities carried out by each of them and on their compliance with the Data Protection Law and with this DPA with respect to the Joint Controller and Controller-to-Processor Services. For instance, Parties shall facilitate to the other Party, when applicable, the Record of Processing Activities, the Data Protection Impact Assessment, and the security measures they have implemented, among other documentation listed in Term A and Term B of this DPA.
In the event of an investigation, proceeding, formal request for information or documentation, or any similar event in connection with a data protection authority and in relation to the Joint Controller or Controller-to-Processor Services or to Personal Data, the Parties shall promptly and adequately deal with inquiries from the other Party that relate to the Processing of Personal Data under the DPA.
5. Data Protection Officers
ExoClick and the Partner have each appointed a data protection officer. ExoClick’s data protection officer (“ExoClick DPO”) may be reached at: firstname.lastname@example.org. The contact details of the Partner’s data protection officer must be communicated by email to the ExoClick DPO after having accepted this DPA.
The Common Terms (clauses 1 to 5) always apply when a Partner has ordered Services from ExoClick, regardless of the type of Services ordered. In addition, the application of the following Specific Terms (“Term A” and “Term B”) will depend on the status under which ExoClick operates and that is specified in the T&C or in any other applicable arrangement applying to the Service ordered by the Partner.
TERM A: JOINT CONTROLLERS TERMS (“JCT”)
Applies when Partner has ordered Services in which ExoClick and Partner act as Joint Controllers (the “Joint Controller Services”).
6. Scope of JCT
Following Article 26 of the GDPR, the Parties hereby determine their respective responsibilities for compliance with their obligations under GDPR.
For purposes of the CPRA, Partner shall be a “Business” and ExoClick shall be a “Third Party.”
7. Obligations of the Parties when acting as Joint Controllers
When Processing Personal Data as Joint Controllers under Term A of this DPA, each Party agrees that it shall:
- Comply with any requirements arising under Data Protection Law and not perform its obligations under this DPA and/or ask the other Joint Controller to perform its obligations in such a way as to cause the other Joint Controller to breach any of its obligations under Data Protection Law;
- Take into account all the data protection principles provided for in the Data Protection Law, including but not limited to the principles of purpose limitation, data minimization, accuracy, storage limitation, security, integrity and confidentiality, transparency, and protection of Personal Data by design and by default, in particular, it will mean to adopt the corresponding informative and consent clauses, to analyze any of the processing carried out and determine which protocols, contracts or any other measures should be implemented;
- Maintain a record of the Processing of the Personal Data under its responsibility;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the Processing of the Personal Data that it carries out (including, for the Partner, concerning the Partners Platform), in particular, to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;
- Take all the measures necessary to address any Personal Data Breach relating to the Personal Data it processes, mitigate its effects, prevent further Personal Data Breach and, when required, notify the competent data protection authority(ies) and the Data Subjects;
- Cooperate to the preparation of the required data protection impact assessments;
- Carry out any assessment, consultation, and/or notification to competent data protection authorities or Data Subjects, concerning the Processing it carries out;
- Joint Controllers not established in the Union shall designate in writing a data protection officer or legal representative established in one of the Member States where the Data Subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located; and
8. ExoClick’s Obligations
9. Obligations of the Partner
Partner shall be solely responsible, in accordance with and to the extent required by Data Protection Law for:
- providing the Data Subjects with all necessary information under the Data Protection Law, including in accordance with Articles 13 and 14 of the GDPR, in respect to the Processing of the Personal Data concerning the Joint Controller Services;
- collecting and documenting Consent or opt-out provisions, as applicable, obtained from Data Subjects;
- implementing choice mechanisms to request valid Consent from Data Subjects or opt-out provisions, as applicable, in compliance with Data Protection Law and, where applicable, with the specific requirements of the competent local supervisory authorities;
- where opt-out provisions are applicable, offering Data Subjects the right to opt-out of the sale and share of their Personal Data or use of the Personal Data for purposes of targeted advertising;
- complying with the requirements applicable to the validity period of the Consent collected and requesting Consent from the Data Subjects once this validity period has expired; and
- providing promptly to ExoClick, upon request and at any time, proof that a Data Subject’s Consent has been obtained by the Partner.
Furthermore, ExoClick reserves the right to audit Partner’s Consent collection mechanisms to ensure compliance with the applicable Data Protection Law. Such audits will involve a review of relevant Consent forms and documentation, with proper advance notice, no more than once a year, unless significant compliance concerns arise. Partner agrees to provide necessary cooperation and access.
TERM B: CONTROLLER TO PROCESSOR TERMS (“CTPT”)
Applies when Partner has ordered Services in which Partner acts as Controller and ExoClick acts as a Processor, processing Personal Data on behalf of Partner (the “Controller-to-Processor Services”).
10. Scope of CTPT
This CTPT shall apply only concerning the Processing of Personal Data carried out in the context of Controller-to-Processor Services ordered by the Partner, acting as a Controller or Business (as applicable), for which ExoClick is acting as a Processor or Service Provider (as applicable), and for which the subject-matter, the nature, and purpose, the type of Personal Data, categories of Data Subjects and duration of Processing are set out in Appendix 1 “Controller-to-Processor Services – Details of Processing of Personal Data”.
11. Obligations of the Partner
The Partner shall not provide Personal Data to ExoClick except as is necessary for the performance of the ExoClick Services and unless the Partner shall have given the necessary notices and obtained the necessary consents, in each case, from the applicable Data Subjects whose Personal Data is Processed by ExoClick according to the DPA. Partner shall, in its use of the ExoClick Services, Process Personal Data under the requirements of Data Protection Law and shall immediately notify ExoClick if Partner violates any Data Protection Law. The Partner’s instructions to ExoClick related to the Processing of Personal Data shall comply with the Data Protection Law. The Partner shall be solely responsible for ensuring the accuracy, lawfulness, and quality of the Personal Data and to ensure that the Processing entrusted to ExoClick has an adequate legal basis under Data Protection Law.
12. Obligations of ExoClick
Partner Instructions. ExoClick shall process Personal Data for the relevant Controller-to-Processor Services only on the documented instructions from Partner. Partner may not instruct ExoClick to process Personal Data in a manner not compatible with this DPA. ExoClick shall immediately inform Partner if ExoClick reasonably believes it is unable to follow Partner’s instructions, or if such instructions are not compatible with the T&C and with the DPA.
Inaccurate or Outdated Data. ExoClick shall inform Partner if ExoClick becomes aware that the Personal Data is inaccurate or has become outdated, and ExoClick shall cooperate on request with Partner to erase or rectify such data.
Personal Data Processing. To the extent required by applicable Data Protection Law, Partner shall only instruct ExoClick to Process Personal Data for those Business Purposes permitted under applicable Data Protection Law and shall disclose Personal Data to ExoClick only for the limited and specified purposes specified in the T&C and in this DPA. Partner reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that ExoClick uses Personal Data transferred in a manner consistent with Partner’s obligations under applicable Data Protection Law, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
ExoClick shall not: (a) Sell or Share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the Business Purposes specified in the T&C and in this DPA; (c) retain, use, or disclose Personal Data outside of the direct business relationship between Partner and ExoClick; or (d) combine Personal Data it receives from Partner with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects, provided that ExoClick may combine Personal Data to perform a Business Purpose (except for “advertising and marketing services,” as defined under applicable Data Protection Law). ExoClick shall comply with applicable obligations and provide the same level of privacy protection as required by the applicable Data Protection Law and shall assist Partner through appropriate technical and organizational measures to comply with Data Protection Law requirements, taking into account the nature of the processing. ExoClick shall notify Partner if it decides that it can no longer meet its obligations under the applicable Data Protection Law.
Technical and Organizational Measures. ExoClick shall implement appropriate technical and organizational measures to ensure the security of the Personal Data, including protection against a Personal Data Breach. In complying with its obligations under this paragraph, ExoClick shall at least implement the technical and organizational measures specified in Appendix 2 “Security Schedule”. Partner hereby confirms to ExoClick that it considers that ExoClick’s technical and organizational measures as specified in Appendix 2 “Security Schedule” provide an appropriate level of security. ExoClick shall also assist Partner in complying with its obligations to the security of Processing Personal Data, including under Article 32 of the GDPR.
Personal Data Breaches. In the event of a Personal Data Breach relating to Personal Data processed by ExoClick, ExoClick shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. ExoClick shall also notify Partner without undue delay after having become aware of the breach and providing for the time necessary to provide relevant information, including e.g. a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and Personal Data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. In the event of a Personal Data Breach relating to Personal Data processed by ExoClick, Partner shall be solely responsible for notifying Data Subjects and/or Regulatory Authorities as required by Data Protection Law, and ExoClick shall cooperate with and assist Partner to enable compliance with any request from a competent authority and/or affected Data Subjects, taking into account the nature of Processing and the information available to ExoClick. Before any such notification is made, Partner shall consult with and provide ExoClick an opportunity to comment on any notification made in connection with a Personal Data Breach. Nothing in this DPA shall be construed to require ExoClick to violate, or delay compliance with, any legal obligation it may have concerning a Personal Data Breach. ExoClick shall have no liability for the Personal Data Breach management and notification obligations described in this Term B unless the Personal Data Breach is caused by ExoClick’s breach of the security obligations of this DPA or other violation of Data Protection Law by ExoClick.
Access to Personal Data. ExoClick shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring in accordance with the T&C and the DPA. It shall ensure that persons authorized to process the Personal Data have committed themselves to one or several confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
Data Subjects’ Rights. To the extent legally permitted, ExoClick shall promptly notify by email the designated data protection officer or legal representative of the Partner of any request it has received from a Data Subject to exercise the Data Subject’s rights, including the rights to knowledge/access; correction; deletion; restriction; objection; data portability; opt out of the Processing of and/or the Sale or Sharing of Personal Data; limit the use or disclosure of sensitive Personal Data; or any other request with respect to Personal Data of the applicable Data Subject, as set forth under applicable Data Protection Law. ExoClick shall not respond to the request itself. ExoClick shall reasonably assist the Partner by implementing appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights under Data Protection Law, taking into account the nature of the Processing. To the extent legally permitted, Partner shall be responsible for any costs arising from ExoClick’s provision of such assistance. Nothing in this clause shall require ExoClick to disclose or reveal any trade secrets.
Data Protection Impact Assessment. Upon Partner’s request, at Partner’s cost, and to the extent required under Data Protection Law, ExoClick shall assist Partner in complying with any required data protection impact assessment on Partner’s request, taking into account the information available to ExoClick. To the extent required under the GDPR or UK GDPR, ExoClick shall provide reasonable assistance to Partner in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks relating to this clause.
Sub-Processors. ExoClick may engage sub-Processors as set out in Appendix 1 “Controller-to-Processor Services – Details of Processing of Personal Data”. Partner provides ExoClick with general authorization to engage other sub-processors to carry out Processing for the relevant Controller-to-Processor Services. Upon written request from Partner, ExoClick shall inform Partner of any changes concerning the addition or replacement of sub-processors. If Partner objects to such changes on reasonable grounds within thirty (30) days from the notification by ExoClick to Partner, the Parties will discuss in good faith to find a mutually acceptable solution. If the Parties fail to agree, ExoClick may terminate the DPA in whole, or in part with respect only to the affected Controller-to-Processor Services. When engaging another Processor, ExoClick shall enter into an agreement binding on such Processor and setting out the same or more stringent data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement similar technical and organizational measures.
Processing Personal Data outside of the Partner’s Instructions. Notwithstanding the above, if applicable law or a binding decision from a competent authority requires ExoClick to process Personal Data outside of Partner’s instructions to provide the Controller-to-Processor Services, ExoClick shall inform Partner unless otherwise prohibited under applicable law.
Audit. Partner may request in writing, at reasonable intervals, that ExoClick makes available to Partner information regarding ExoClick’s compliance with its obligations under Term B of this DPA in the form of a copy of ExoClick’s most recent third-party audits or certifications.
Partner can request an on-site audit of ExoClick’s Processing activities described in Term B of this DPA by providing ExoClick with reasonable notice. Such on-site audit may only be conducted where (i) the information made available by ExoClick as set out above is insufficient, (ii) a Personal Data Breach has occurred or (iii) such audit is required by Data Protection Law or a Regulatory Authority.
The Parties shall agree on the scope, timing, and duration of the audit. The audit may not unreasonably interfere with ExoClick’s activities.
The Partner may only appoint a third-party auditor who is not a competitor of ExoClick. Such third-party auditor shall enter into a non-disclosure agreement with ExoClick and the Partner before carrying out the audit.
After the on-site audit, the Partner shall promptly share the results of such audit with ExoClick.
The Parties shall make available, upon request, to a Regulatory Authority, the information referred to in this clause, including the results of any audits.
Partner shall bear all costs related to audits.
Transfers of Personal Data. Any transfer of data to a third country or an international organization by ExoClick shall be done only based on documented instructions from the Partner in compliance with Chapter V of GDPR. The Partner agrees that where ExoClick engages a sub-Processor for carrying out specific Processing activities (on behalf of the Partner) and those Processing activities involve a transfer of Personal Data within the meaning of Chapter V of GDPR, ExoClick and the sub-Processor can ensure compliance with Chapter V of GDPR by using standard contractual clauses adopted by the European Commission under Article 46(2) of GDPR, provided the conditions for the use of those standard contractual clauses are met.
Consequences of Termination. If Partner terminates a Controller-to-Processor Service, or if the DPA expires or terminates for any reason whatsoever, ExoClick shall, at the choice of the Partner, delete all Personal Data processed only for that Controller-to-Processor Service, or return all such Personal Data to Partner. ExoClick shall provide certification as applicable that copies of such Personal Data have been deleted, on request in writing from the Partner, without prejudice to any operational backups maintained by ExoClick for a reasonable period under industry standards. In case applicable law prohibits ExoClick from deleting the Personal Data, ExoClick warrants that it will continue to ensure compliance with the T&C and this DPA, and will only process such Personal Data to the extent and for as long as required by applicable law.
Appendix 1: Controller-to-Processor Services – Details of Processing of Personal Data
1. Category of Data Subjects
Partner acknowledges and authorizes ExoClick’s use of the following entities as Sub-Processors, as applicable, concerning the relevant Controller-to-Processor Services:
Controller-to-Processor Services – Technical and Organizational Measures
The processing of the Personal Data of the Partner by ExoClick will be carried out following the regulations in force on the matter, applying the technical and organizational measures corresponding to the type of data processed.
In accordance with the above, ExoClick guarantees that it has implemented all necessary measures for the processing of Personal Data owned by the Partner and, likewise, undertakes to carry out periodic verification controls, under the measures described below.