IPONWEB GmbH Data Processing Addendum

IPONWEB GmbH Data Processing Addendum

This Data Processor Addendum was updated on 29 January 2020.

  1. The terms and conditions in this Data Processing Addendum (“DPA“), are entered into between IPONWEB GmbH on behalf of itself and any Affiliates that are providing services to Customer (“IPONWEB“); and You (“Customer“), pursuant to the terms of the Agreement (defined below).
  2. This DPA together with the Agreement, constitute a legally binding agreement and governs Your use of the IPONWEB Services. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of any group companies or affiliates whom use the Services. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
  3. Background
    1. IPONWEB and Customer have entered into a master services agreement, together with one or more connected service orders and/or agreements (collectively the “Agreement“), pursuant to which IPONWEB has agreed to provide the Services.
    2. The parties wish to define their respective data protection obligations relating to the IPONWEB’s provision of Services to Customer.
  4. Details of the processing.
    1. The subject-matter of processing of personal data by IPONWEB is the personal data processing required to performance of the Services pursuant to the Agreement. The duration of the processing is for the Term of the Agreement; the nature and purpose of the Processing is to provide the Services under the Agreement, the types of personal data is information unique to internet user(s), used by advertisers to present advertising to that internet user(s) and categories of data subjects processed under this DPA are the aforementioned internet users. If the Agreement is materially deficient in respect of the subject matter of this Clause 4, the parties may supplement the Agreement with additional information.
  5. Data Protection Obligations
    1. Definitions: In this Clause, the following terms shall have the following meanings:
      • controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“), “business”, “service provider” and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;
      • Applicable Data Protection Law” shall mean the EU General Data Protection Regulation (Regulation 2016/679), and the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq. (“California Consumer Privacy Act” or “CCPA”), together with any other laws applicable to the processing of personal data;
      • “personal data” as used herein shall also refer to “personal information” as that term is defined under Applicable Data Protection Law;
      • “data subject” as used herein shall also refer to “consumer” as that term is defined under Applicable Data Protection Law; and
      • subprocessor” shall mean a party appointed by a processor or service provider to process personal data on behalf of that processor or service provider.
    2. Relationship of the parties: Customer (as the controller in its own right or as the processor who acts under instruction from third party controller(s)) or another business appoints IPONWEB as a processor (or subprocessor, as the case may be) to process the personal data described in the Agreement (the “Data“) for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose“). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If IPONWEB becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.
    3. Service provider limitations: Customer is a business and IPONWEB is a service provider as those terms are defined under the Applicable Data Protection Law. IPONWEB shall not: (a) sell personal data; (b) retain, use, or disclose personal data for any purpose other than for the Permitted Purpose; (c) retain, use, or disclose personal data for a commercial purpose other than for the Permitted Purpose; or (d) retain, use, or disclose personal data outside of the direct business relationship between IPONWEB and Customer. IPONWEB certifies that it understands these restrictions and will comply with them.
    4. Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to IPONWEB for processing.
    5. International transfers: IPONWEB shall not transfer the Data outside of the European Economic Area (“EEA“) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
    6. Confidentiality of processing: IPONWEB shall ensure that any person it authorises to process the Data (an “Authorised Person“) shall protect the Data in accordance with IPONWEB’s confidentiality obligations under the Agreement.
    7. Security: IPONWEB shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident“).
    8. Subcontracting: Customer consents to IPONWEB engaging third party organisations (“subcontractors”) to process the Data for the Permitted Purpose provided that: (i) IPONWEB maintains an up-to-date list of its subcontractors at iponweb.com/subprocessors which it shall update with details of any change in subcontractors at least 10 days’ prior to any such change; (ii) IPONWEB imposes data protection terms on any subcontractor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) IPONWEB remains liable for any breach of this Clause that is caused by an act, error or omission of its subcontractor. Customer may object to IPONWEB’s appointment or replacement of a subcontractor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, IPONWEB will either not appoint or replace the subcontractor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
    9. Cooperation and data subjects’ rights: IPONWEB shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to IPONWEB, IPONWEB shall promptly inform Customer providing full details of the same.
    10. Data Protection Impact Assessment: IPONWEB shall and provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
    11. Security incidents: If it becomes aware of a confirmed Security Incident, IPONWEB shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. IPONWEB shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
    12. Deletion or return of Data: Upon termination or expiry of the Agreement, IPONWEB shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that IPONWEB is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event IPONWEB shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible.
    13. Audit: Customer acknowledges that IPONWEB is audited against ISO 27001, standards by independent third party auditors. Upon request, IPONWEB shall supply a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. IPONWEB shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.