Data Processing Agreement
Last Updated January 01, 2020
1. Definitions
1.1 “Data Protection Laws” refers to all applicable data protection and privacy regulations, including but not limited to the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable laws.
1.2 “Personal Data” refers to any information relating to an identified or identifiable natural person as defined by Data Protection Laws.
1.3 “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, and deletion.
1.4 “Sub-Processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Purpose of Processing
The Processor agrees to process Personal Data only as necessary to provide digital advertising services, including:
Audience targeting and segmentation.
Ad delivery and tracking.
Measuring campaign performance and analytics.
Improving and optimizing advertising campaigns.
The Processor will not process Personal Data for any purposes other than those explicitly agreed upon by the Controller.
3. Roles and Responsibilities
3.1 Controller Responsibilities:
Ensure that the processing of Personal Data complies with applicable Data Protection Laws.
Provide clear instructions to the Processor on the processing of Personal Data.
Inform data subjects about their rights and how their data will be processed.
3.2 Processor Responsibilities:
Process Personal Data only in accordance with the Controller’s documented instructions.
Ensure that individuals processing the data are subject to confidentiality obligations.
Take appropriate technical and organizational measures to protect Personal Data.
4. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to data subjects, including:
Responding to requests to access, correct, delete, or restrict the use of Personal Data.
Addressing objections to data processing or requests for data portability.
Providing information about automated decision-making processes, if applicable.
The Processor will notify the Controller promptly if it receives a request directly from a data subject and will not respond to such a request without the Controller’s authorization.
5. Sub-Processing
5.1 Authorization of Sub-Processors:
The Controller authorizes the Processor to engage Sub-Processors as necessary to provide the digital advertising services, provided that:
The Sub-Processor is bound by terms that offer at least the same level of protection for Personal Data as outlined in this Agreement.
The Processor remains fully liable for the actions or omissions of any Sub-Processor.
5.2 Current Sub-Processors:
The Processor maintains a list of current Sub-Processors, which is available upon request. The Controller will be notified of any new Sub-Processors before they are engaged.
6. Data Security
The Processor will implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data, including:
Encryption and pseudonymization of Personal Data where appropriate.
Measures to ensure the confidentiality, integrity, and availability of data processing systems.
Procedures to restore access to Personal Data in the event of a security incident.
The Processor will regularly review and update its security practices to address evolving risks.
7. Data Breach Notification
In the event of a data breach involving Personal Data, the Processor will:
Notify the Controller without undue delay, and in any case within [Insert Timeframe, e.g., 24-48 hours] of becoming aware of the breach.
Provide the Controller with sufficient information to fulfill its reporting obligations under applicable Data Protection Laws.
Cooperate with the Controller in investigating and mitigating the effects of the breach.
8. International Data Transfers
The Processor will not transfer Personal Data outside the jurisdiction of the Controller without the Controller’s prior written consent. If such transfers occur, the Processor will ensure compliance with applicable Data Protection Laws, including the use of appropriate safeguards (e.g., Standard Contractual Clauses).
9. Data Retention and Deletion
The Processor will retain Personal Data only for as long as necessary to fulfill the purposes of processing or as required by applicable law. Upon termination of the Agreement or at the Controller’s request, the Processor will:
Delete or return all Personal Data to the Controller.
Delete all existing copies of the Personal Data, unless retention is required by law.
10. Audits and Compliance
The Processor will:
Make available all information necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws.
Allow for and contribute to audits conducted by the Controller or an independent auditor, subject to reasonable notice and confidentiality obligations.
11. Indemnification
The Processor will indemnify the Controller for any damages, fines, or legal fees arising from the Processor’s failure to comply with this Agreement or applicable Data Protection Laws. Similarly, the Controller will indemnify the Processor for issues arising from the Controller’s breach of Data Protection Laws.
12. Term and Termination
This Agreement will remain in effect for the duration of the Processor’s services to the Controller. Upon termination, the Processor will ensure the secure return or deletion of all Personal Data as described in Section 9.
13. Governing Law
This Agreement will be governed by and construed in accordance with the laws of [Insert Jurisdiction].
14. Miscellaneous
14.1 Entire Agreement: This Agreement constitutes the entire understanding between the parties regarding data processing and supersedes any prior agreements.
14.2 Amendments: Any changes to this Agreement must be made in writing and signed by both parties.
14.3 Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.