Data Processing Agreement in accordance with Art. 28 GDPR
Between Advertiser – hereinafter referred to as the “Controller” and Avow GmbH, Grimmstrasse 23, 10967 Berlin, Germany – hereinafter referred to as the “Processor”
The Controller has selected the Processor to act as a service provider in accordance with Art. 28 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).
This Data Processing Agreement, including all Annexes (hereinafter referred to collectively as the “Agreement”), specifies the data protection obligations of the parties from the underlying Advertiser Terms and Conditions and/or the Insertion Order (hereinafter referred to collectively as the “Principal Agreement”). The Processor guarantees the Controller that it will fulfil the Principal Agreement and this Agreement in accordance with the following terms:
- Scope and definitions
1.1 The following provisions shall apply to all services of data processing provided by the Processor on behalf of the Controller under Art. 28 GDPR, which the Processor performs on the basis of the Principal Agreement, including all activities which may involve the processing of personal data by the Processor on behalf of the Controller.
1.2 If this Agreement uses the term “data processing” or “processing” of data, this shall be generally understood to mean the use of personal data. Data processing or the processing of data shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3 Reference is made to further definitions set forth in Art. 4 GDPR.
- Subject matter and duration of the data processing
2.1 The Processor shall process personal data on behalf and in accordance with the instructions of the Controller.
2.2 The data processing shall involve making available to the Controller certain end user tracking features to assist Controller with generation, selection and optimization of end users’ targeting decisions as well as the provision of a platform for the placement of targeted advertisements in mobile advertising inventory as agreed upon in the Principal Agreement.
2.3 The duration of this Agreement corresponds to the duration of the Principal Agreement.
- Nature and purpose of the data processing
The nature and purpose of the processing of personal data by the Processor is specified in the Principal Agreement. The Principal Agreement includes the activities and purposes of promoting the Controller’s campaigns via the Processor’s Media Partner network.
- Categories of data subjects
The categories of individuals affected by the processing of personal data under this Agreement (“data subjects”) include:
- App Users – both existing users and potential (new) users
- Controller employees (permanent staff, trainees, temporary workers, freelancers)
- Controller (external) supply partners
- Types of personal data
The following types of personal data shall be processed under this Agreement:
- Consumer personal data – Electronic communications data (e.g. IP address, device ID, advertising ID, web/app content accessed, information on the terminal device, operating system and browser used)
- Business partner data – External user login information consisting of: Email address, Name, Job Title
- Rights and duties of the Controller
6.1 The Controller is solely responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects and is hence a controller within the meaning of Art. 4 (7) GDPR.
6.2 The Controller is entitled to issue instructions concerning the nature, scale and method of data processing. Upon request by the Controller, the Processor shall confirm verbal instructions immediately in writing or in text form (e.g. by email).
6.3 Insofar as the Controller deems it necessary, persons authorized to issue instructions may be appointed. The Processor shall be notified of such in writing or in text form. In the event that the persons authorized to issue instructions change, the Controller shall notify the Processor of this change in writing or in text form, naming the new person in each case.
6.4 The Controller shall notify the Processor immediately of any errors or irregularities detected in relation to the processing of personal data by the Processor.
6.5 If the Controller is obliged to designate a representative under Art. 27 (1) GDPR, the Controller will inform the Processor of the name and the contact data of its representative via e-mail to firstname.lastname@example.org within two weeks after the conclusion of this Agreement. The representative shall be instructed to act as a contact point in addition to the Controller or in its place, in particular for supervisory authorities and data subjects, for all questions related to processing in order to ensure compliance with data protection regulations.
6.6 If the Controller is obliged to designate a Data Protection Officer under Art. 37 (1) GDPR, the Controller will inform the Processor of the name and the contact data of its representative via e-mail to email@example.com within two weeks after the conclusion of this Agreement.
- Duties of the Processor
7.1 Data processing
The Processor shall process personal data in accordance with this Agreement and/or the underlying Principal Agreement and in accordance with the Controller’s instructions. The Processor shall also process the personal data for fraud prevention, bot detection, ad security, ad verification services and service misuse prevention.
7.2 Data subjects’ rights
- The Processor shall, within its capabilities, assist the Controller in complying with the rights of data subjects, particularly with respect to rectification, restriction of processing, deletion of data, notification and information. If the Processor processes the personal data specified under Sect. 5 of this Agreement on behalf of the Controller and these data are the subject of a data portability request under Art. 20 GDPR, the Processor shall, upon request, make the dataset in question available to the Controller within the set time frame, otherwise within seven business days, in a structured, commonly used and machine-readable format.
- If so instructed by the Controller, the Processor shall rectify, delete or restrict the processing of personal data specified under Sect. 5 of this Agreement. The same applies if this Agreement stipulates the rectification, deletion or restriction of the processing of data.
- If a data subject contacts the Processor directly to have his or her data specified under Sect. 5 of this Agreement rectified, deleted or the processing restricted, the Processor shall forward this request to the Controller immediately upon receipt.
7.3 Monitoring duties
- The Processor shall ensure, by means of appropriate controls, that the personal data processed on behalf of the Controller are processed solely in accordance with this Agreement and/or the Principal Agreement and/or the relevant instructions.
- The Processor shall organize its business and operations in such way that the data processed on behalf of the Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.
7.4 Information duties
- The Processor shall inform the Controller immediately if, in its opinion, an instruction issued by the Controller violates legal regulations. In such cases, the Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Controller.
- The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR to within its capabilities.
7.5 Location of processing
Any transfer of personal data outside the European Union or the European Economic Area may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled.
- Monitoring rights of the Controller
8.1 The Controller shall be entitled, after prior notification in good time and during normal business hours, to carry out an inspection of compliance with the provisions on data protection and the contractual agreements to the extent required, either himself or through third parties, without disrupting the Processor’s business operations or endangering the security measures for other Controller and at his own expense. Controls can also be carried out by accessing existing industry-standard certifications of the Processor, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. The Processor shall offer the necessary support to carry out the checks.
8.2 The Processor shall inform the Controller of the execution of inspection measures by the supervisory authority to the extent that such measures or requests may concern data processing operations carried out by the Processor on behalf of the Controller.
9.1 The Controller authorizes the Processor to make use of other processors in accordance with the following subsections in Sect. 9 of this Agreement. This authorization shall constitute a general written authorization within the meaning of Art. 28 (2) GDPR.
9.2 The Processor currently works with the subcontractors specified in Annex 2 and the Controller hereby agrees to their appointment.
9.3 The Processor shall be entitled to appoint or replace other processors. The Processor shall inform the Controller in advance of any intended change regarding the appointment or replacement of another processor. The Controller may object to an intended change.
9.4 The objection to the intended change must be lodged with the Processor within 2 weeks after receipt of the information on the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended modification or – if the provision of the service is unreasonable for the Processor without the intended modification – terminate this Agreement and the Principal Agreement without notice.
9.5 A level of protection comparable to that of this Agreement must always be guaranteed when another processor is involved. The Processor is liable to the Controller for all acts and omissions of other processors it appoints.
10.1 The Processor is obliged to maintain confidentiality when processing data for the Controller.
10.2 In fulfilling its obligations under this Agreement, the Processor undertakes to employ only employees or other agents who are committed to confidentiality in the handling of personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, the Processor shall provide the Controller with evidence of the confidentiality commitments.
10.3 Insofar as the Controller is subject to other confidentiality provisions, it shall inform the Processor accordingly. The Processor shall oblige its employees to observe these confidentiality rules in accordance with the requirements of the Controller.
- Technical and organizational measures
11.1 The technical and organisational measures described in Annex 1 are agreed upon as appropriate. The Processor may update and amend these measures provided that the level of protection is not significantly reduced by such updates and/or changes.
11.2 The Processor shall observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. It guarantees the contractually agreed and legally prescribed data security measures. It will take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, the Processor will regularly evaluate the measures implemented and make any necessary adjustments.
12.1 In case of contradictions between the provisions contained in this Agreement and provisions contained in the Principal Agreement, the provisions of the Principal Agreement shall prevail.
12.2 Amendments and supplements to these provisions must be in writing or in text form and expressly declare that the provisions in this Agreement are being changed and/or supplemented. The foregoing also applies to the formal requirement itself.
12.3 This Agreement is exclusively subject to the laws of the Federal Republic of Germany.
12.4 In the event that access to the data which the Controller has transmitted to the Processor for data processing is jeopardized by third-party measures (measures taken by an insolvency administrator, seizure by revenue authorities, etc.), the Processor shall notify the Controller of such without undue delay.
12.5 The plea of a right of retention pursuant to Sect. 273 German Civil Code (Bürgerliches Gesetzbuch, BGB) with respect to the processed data and the associated storage medium is precluded.
Technical and organizational measures to ensure the security of processing
The Processor guarantees that the following technical and organizational measures have been taken:
A. Measures to ensure confidentiality
A.1. Physical access control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.
Description of physical access control:
- Door protection – Main office security
- In-Office security lockers for data storage equipment
- Control system for visitors
A.2. Logical access control
Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.
Description of logical access control system:
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- Limitation of the number of authorized employees
- Authentication procedures
- Logging of authentication attempts and aborting the logon process after a specific number of unsuccessful attempts
- Regularly updated antivirus and spyware filters
- Offboarding processes to prevent leavers from having access to company data
- Leveraging security features of third parties (Google) extensively such as 2 phase authentication and SSO
A.3. Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.
Description of data access control:
- Role-based access control to stored data
- Access to data is restricted based on roles and scope.
B. Measures to ensure integrity
B.1. Transmission control
Measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.
Description of transmission control:
- IP whitelists
- Transport processes with individual responsibility
- Authentication and authorization around data shared with partners via API’s
B.2. Transport control
Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers.
Description of transport control:
- Transmission of data via encrypted data networks or tunnel connections (VPN)
- Encryption methods that detect data changes during transport
- Use of VPN’s in office to datacentre communication
- Special validation logic for data files coming from partners
Subprocessors pursuant to Section 9
The Processor currently works with the following subcontractors and the Controller hereby agrees to their appointment:
Company: Everflow Technologies Inc.
Data processing activity: Provision of the performance marketing platform “Everflow”
Address: 530 Showers Drive Suite 7-302, Mountain View, CA 94040, USA
Contact information: firstname.lastname@example.org
Company: 24metrics GmbH
Data processing activity: Provision of a fraud detection tool
Address: Tieckstrasse 35, 10115 Berlin, Germany
Contact information: email@example.com
Company: Pipedrive OU
Data processing activity: Provision of CRM services
Address: Mustamäe tee 3a, Tallinn, Harjumaa 10615, Estonia
Contact information: firstname.lastname@example.org
Data processing activity: Provision of cloud services that encapsulate file storage, synchronization and collaboration
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Contact information: email@example.com