Biznes-Reklama Data Processing Agreement (hereinafter -"the DPA")


By using the opt-in check-box when registering on this Portal (hereinafter referred to as "the Portal") you declare that you agree to the following regulations.
By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "the GDPR").
You further agree that if the aforementioned is not the case, this DPA between you (hereinafter "the Customer") and the Individual Entrepreneur Pavel V. Mozgovoy (hereinafter "the Service Provider") shall be void.
This DPA enters into force on 7 March 2019 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 7 March 2019 (hereinafter “the DPA Effective Date”).
This DPA is an addition to the Biznes-Reklama Service Offer (https://mozgovoy.biz/oferta-biznes-reklama, hereinafter “the Effective Agreement”) or similar document applicable to the provision of the Service Provider's Services) (hereinafter “the Agreement”). In the event of a contradiction between these clauses and the terms of the Agreement, the terms and conditions under this DPA shall prevail.
This DPA is entered into by the Service Provider and the Customer (hereinafter jointly referred to as "the Parties") and supplement the Effective Agreement. This DPA will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Service Provider's Services), from the DPA Effective Date till the termination date of the Effective Agreement or till the date the Customer ceases to use the Service Provider's Services or till deletion of all the Customer's Personal Data by The Service Provider as described in this DPA.
If you are accepting this DPA on behalf of the Customer, you warrant that: (a) you have full legal authority to bind the Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the Customer, to this DPA.


1. Introduction


This DPA reflect the Parties’ agreement on the terms governing the processing and security of the Customer's Personal Data in connection with the Data Protection Legislation and in connection with provision of the Service Provider's Services by the Service Provider to the Customer and the Customer’s use of the Additional Products.


2. Definitions


2.1. In this DPA:
“Additional Product” means a product, service or application (including but not limited to an advertising tracker or a web-counter) provided by the Service Provider or a third party that: (a) is not part of the Service Provider's Services; and (b) is accessible for use within the client interface of the Service Provider's Services or is otherwise integrated with the Service Provider's Services.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.
“Customer Personal Data” means personal data that is processed by the Service Provider on behalf of the Customer in the Service Provider’s provision of the Service Provider's Services or the Customer Personal Data processed by the Third Party Subprocessors when providing Additional Products.
“Data Protection Legislation” means, as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland), and/or (c) any other law, statute, regulation or legislative act applicable to the Customer Personal Data Processing.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Service Provider” means the Individual Entrepreneur Pavel V. Mozgovoy that is the party to the Agreement.
“Service Provider's Services” means the services provided by the Service Provider according to the Effective Agreement, in particular, related to the placement of Mobile Ads by the Customer.
“Subprocessors” means third parties authorised to have logical access to and process the Customer's Personal Data in order to provide parts of the Service Provider's Services or to participate (as designated by the Customer) in provision of the Service Provider's Services and any related technical support, or to provide any Additional Product.
“Third Party Subprocessors” has the meaning given in Section 9.1.
2.2. The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.


3. Application of this DPA


3.1. This DPA shall only apply to the extent that the Data Protection Legislation applies to the processing of the Customer's Personal Data, including if:
(a) the processing is in the context of the activities of an establishment of the Customer in the European Economic Area; and/or
(b) the Customer's Personal Data is personal data relating to data subjects who are in the European Economic Area and the processing relates to the serving them with advertisement (either targeted or not), offering to them of goods or services or the monitoring of their behaviour in the European Economic Area.
3.2. This DPA shall only apply to the Service Provider's Services for which the Parties agreed to this DPA, in particular: (a) the Service Provider's Services for which the Customer clicked to accept this DPA; or (b) if the Effective Agreement incorporates this DPA by reference, the Service Provider's Services that are the subject of the Effective Agreement. This DPA shall also apply to the processing of the Customer's Personal Data where the Customer uses Additional Product.


4. Processing of Data


4.1. The Parties acknowledge and agree that:
(a) this DPA describes the subject matter and details of the processing of the Customer's Personal Data;
(b) The Service Provider is a processor of the Customer's Personal Data under the Data Protection Legislation;
(c) the Customer is a controller or processor, as applicable, of the Customer's Personal Data under the Data Protection Legislation; and
(d) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer's Personal Data.
If the Customer is a processor, the Customer warrants to the Service Provider that the Customer’s instructions and actions with respect to the Customer's Personal Data, including its appointment of the Service Provider as another processor, have been authorised by the relevant controller.
4.2. The Customer understands that the Service Provider's Services are aimed to provide the Customer with an opportunity of (i) serving targeted advertising to the users of the Internet and (ii) providing the Customer with statistical data of the Customer’s use of the Service Provider's Services. For this purpose, the Service Provider shall process the Customer's Personal Data as instructed by the Customer via the client interface of the Service Provider's Services, including but not limited to the cases where the Customer engages with the third party Subprocessor providing Additional Product (e.g. third-party tracker allowing the Customer to track the statistics of placement of advertising in the form of Mobile Ads), where the processing of the Customer's Personal Data would be required for the Customer to use such Additional Product. Therefore the Customer declares that the Customer exclusively processes the Customer's Personal Data for the purposes described above.
4.3. The Customer's Personal Data may include the device id’s, IP-addresses or other data which is determined by the Customer via the client interface of the Service Provider's Services or when using Additional Product.
4.4. The Customer's Personal Data shall concern the following categories of data subjects: (a) data subjects about whom the Service Provider collects personal data in its provision of the Service Provider's Services; and/or (b) data subjects about whom personal data is transferred to the Service Provider in connection with the Service Provider's Services or Additional Products by, at the direction of, or on behalf of the Customer. Depending on the nature of the Service Provider's Services, these data subjects may include individuals: (a) to whom advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which the Service Provider provides the Service Provider's Services; and/or (c) who are customers or users of the Customer’s products or services.
4.5. By entering into this DPA, Customer instructs the Service Provider to process the Customer's Personal Data only in accordance with applicable law: (a) to provide the Service Provider's Services and any related technical support; (b) as further specified via the Customer’s use of the Service Provider's Services (including in the settings and other functionality of the Service Provider's Services) and any related technical support; (c) as documented in the form of the Effective Agreement and/or the Agreement, including this DPA; and (d) as further documented in any other written instructions given by the Customer and acknowledged by the Service Provider as constituting instructions for the purposes of this DPA.
4.6. The Service Provider shall comply with the Customer’s Instructions (hereinafter “the Customer’s Instructions”) unless applicable law requires other processing of the Customer's Personal Data by the Service Provider, in which case the Service Provider shall inform the Customer (unless that law prohibits the Service Provider from doing so on important grounds of public interest).
4.7. If the Customer uses any Additional Product, the Service Provider's Services may allow that Additional Product to access the Customer's Personal Data as required for the interoperation of the Additional Product with the Service Provider's Services.
4.8. The Service Provider may transfer the Customer's Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation and such transfer is required for the purposes of provision of the Service Provider's Services.


5. Data Protection.


5.1. The Service Provider shall implement all technical and organizational security measures as required under Art. 32 of the GDPR. The Service Provider may also (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 of the GDPR is met, and that (b) copies of the Customer's Personal Data, in particular backup copies, aggregated data and cached copies are required to provide the Service Provider's Services. The Service Provider is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. The Service Provider shall document significant changes.
5.2. The Service Provider shall only entrust personnel with the Processing of the Customer's Personal Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. The Service Provider shall immediately inform the Customer of any relevant violations of any Data Protection Legislation or the provisions determined in this DPA by the Service Provider or any person contracted by the Service Provider insofar as the violation is connected to the Processing of the Customer's Personal Data pursuant to this DPA.


6. Assistance and Cooperation.


6.1. Taking into account the nature of the Processing, the Service Provider shall assist the Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights laid down in the GDPR. The Service Provider shall assist the Customer in ensuring compliance with the obligations set by the GDPR taking into account the nature of Processing and the information available to the Service Provider.
6.2. If the Service Provider receives a request from a data subject in relation to the Customer's Personal Data, the Service Provider shall respond directly to the data subject’s request in accordance with the standard functionality of the tools used to process such request, or advise the data subject to submit his/her request to the Customer, and the Customer shall be responsible for responding to such request. The Customer shall also provide all reasonable and timely assistance to the Service Provider, to enable the Service Provider to respond to: (i) supervising authorities or data subjects’ requests to exercise any of the data subjects’ rights under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from the data subject (or on the data subject’s behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of the Customer's Personal Data under this DPA.
6.3. The Parties agree that each party shall (taking into account the nature of the processing and the information available to the Service Provider) assist the other Party in ensuring compliance with any obligations of each Party in respect of data protection impact assessments and other compliance with Data Protection Legislation.


7. Data Deletion


7.1. During the term of the DPA, if the functionality of the Service Provider's Services does not include the option for the Customer to delete the Customer's Personal Data, then the Service Provider shall comply with any reasonable request from the Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Service Provider's Services and unless applicable law requires storage.
7.2. On expiry of the term of this DPA, the Customer shall instruct the Service Provider to delete all the Customer's Personal Data (including existing copies) from the Service Provider’s systems in accordance with applicable law. The Service Provider shall comply with this instruction as soon as reasonably practicable and within a maximum period of one hundred eighty (180) days, unless applicable law requires storage.


8. Customer’s Security Responsibilities and Assessment.


8.1. The Customer agrees that, without prejudice to the Service Provider’s obligations under Section 5 of this DPA:
(a) the Customer is solely responsible for its use of the Service Provider's Services, including:
(i) making appropriate use of the Service Provider's Services to ensure a level of security appropriate to the risk in respect of the Customer's Personal Data; and
(ii) securing the account authentication credentials, systems and devices the Customer uses to access the Service Provider's Services; and
(iii) engaging with any Third Party Subprocessors providing the Customer with any Additional Product, including entering into respective data processing agreements, and
(b) the Service Provider has no obligation to protect the Customer's Personal Data that the Customer elects to store or transfer outside of the Service Provider’s and its Subprocessors’ systems.
8.2. The Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Customer's Personal Data as well as the risks to individuals) the security measures implemented and maintained by the Service Provider as set out in Section 5 of this DPA provide a level of security appropriate to the risk in respect of the Customer's Personal Data.
8.3. The Service Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. The following requirements apply to any audit: (i) the Customer must give a minimum ninety (90) days’ notice of the intention to audit; (ii) the Customer may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with the Service Provider of a scope of work for the audit at least thirty (30) days in advance; (iv) the Service Provider may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Customer; (vii) any independent auditor shall be required to sign such non-disclosure agreement as is reasonably required by the Service Provider prior to the audit; and (viii) the Customer shall compensate the Service Provider for its reasonable costs (including for the time of its personnel, other than the Customer’s relationship manager) incurred in supporting any audit. For the avoidance of doubt, nothing in this DPA shall require the Service Provider either to disclose to the Customer or its third party auditor, or to allow the Customer or its third party auditor to access: (i) any data of any other customer of the Service Provider or the Service Provider's Affiliate; (ii) any of the Service Provider's or the Service Provider Affiliate’s internal accounting or financial information; (iii) any trade secret of the Service Provider or the Service Provider's Affiliate; (iv) any information that, in the Service Provider's reasonable opinion, could: (a) compromise the security of any of the Service Provider or the Service Provider's Affiliate’s systems or premises; or (b) cause the Service Provider or any of the Service Provider's Affiliate to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to the Customer or any third party; or (v) any information that the Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of the Customer’s obligations under the Data Protection Legislation.


9. Subprocessors


9.1. The Customer specifically authorises the engagement of the Service Provider’s Affiliates as Subprocessors (“The Service Provider Affiliate Subprocessors”). In addition, the Customer generally authorises the involvement of any other third parties as Subprocessors (“Third Party Subprocessors”), in particular where such third party provides the Customer with Additional Product. In the latter case it is the Customer’s responsibility to enter into respective data processing agreement with such Third Party Subprocessor and allow involvement of such Subprocessor into the processing of the Customer's Personal Data subject to this DPA.
9.2. When engaging any Subprocessor (except for the Third Party Subprocessor), the Service Provider shall ensure that the Subprocessor only accesses and uses the Customer's Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and Data Protection Legislation; and that the Service Provider remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor.
9.3. The Customer may object to any Subprocessor by terminating this DPA and the Effective Agreement immediately upon written notice to the Service Provider, on condition that the Customer provides such notice within ninety (90) days of becoming aware of the engagement of the new Subprocessor. This termination right is the Customer’s sole and exclusive remedy if the Customer objects to any new Subprocessor.


10. Liability


10.1. The Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by the Customer and the Customer agrees that it shall be responsible for all costs associated with its compliance of such obligations. The Customer is responsible and liable for its acts and omissions under this DPA.
10.2. The Customer shall defend, indemnify and hold the Service Provider, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by the Customer to comply with the requirements under this DPA.


11. Effect of this DPA


11.1. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Effective Agreement then, subject to the certain exceptions provided by this DPA, the terms of this DPA shall govern. Subject to the amendments in this DPA, the Effective Agreement remains in full force and effect.
11.2. This DPA shall not affect any other separate data processing agreement between the Service Provider and/or its Affiliate and the Customer in respect of any data processing arising out of the agreements other than the Effective Agreement.


12. Changes to this DPA


12.1. The Service Provider may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of the Customer's Personal Data; (ii) expand the scope of, or remove any restrictions on, the Service Provider Processing of the Customer's Personal Data; and (iii) otherwise have a material adverse impact on the Customer’s rights under this DPA, as reasonably determined by the Service Provider. Before changes will take effect the Service Provider informs the Customer at least thirty (30) days in advance (or shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting the Customer via the client interface of the Service Provider. If the Customer objects to any such change, the Customer must terminate the DPA and the Effective Agreement (unless the Effective Agreement could be performed in the remaining part without existence of this DPA) and stop using the Service Provider's Services under the Effective Agreement. The Service Provider shall be entitled not to notify the Customer about editorial changes.

 

Effective Date: 07.03.2019

Publishing Date: 07.03.2019

Previous versions of the document: no

 

Расскажите друзьям: