Data processing addendum
This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between UPTMZ, part of the Adeptiv Group, and the customer entity that is a party to the Agreement (“Customer” or “you”).
- Definitions
- Data Subject is the person to whom the Personal Data relates.
- Special Category Data is Personal Data as referred to in Article 9(1) of the GDPR.
- Data Breach is a breach of security that results in the destruction, loss, modification or unauthorised disclosure of or unauthorised access to transmitted, stored or otherwise processed data.
- Service is the service that the Processor will provide under the Agreement.
- Personal Data is any data relating to an identified or identifiable natural person that is or will be processed by the Processor in any way whatsoever in the context of the Agreement.
- Sub-Processor is a party that processes Personal Data on the orders of the Processor.
- Data Processing Agreement is this Agreement.
- Processing is any act or series of acts related to the Personal Data.
- Controller is the customer entity that is party to the Agreement, otherwise referred to as the customer, with the meaning given to the controller under data protection laws or, if not defined thereunder, the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly.
- Data Processing
- The Processor undertakes to process Personal Data under the terms of this Data Processing Agreement on behalf of the Controller. The Processor will process the Personal Data in a proper and careful manner and in accordance with the GDPR and other applicable laws and regulations and/or codes of conduct concerning the Processing of Personal Data.
- The Controller guarantees that the Personal Data that it provides to the Processor complies with all applicable laws and regulations in the field of the protection of personal data and that these laws and regulations permit the provision of Personal Data to the Processor, and that the Processor is permitted to process the Personal Data.
- The Processor will process the Personal Data in a proper and careful manner and only to the extent necessary to provide the Service to the Controller. The categories of Personal Data that are given to the Processor and that may be processed for the execution of the Service are defined in Appendix 1.
- The Processor will only process the Personal Data on the orders of and according to the instructions of the Controller. The Processor will not process the Personal Data for its own or other purposes, except in accordance with the mandatory legal obligations imposed on it.
- The Processor will not store Personal Data made available to it under the Agreement for longer than is necessary (i) for the implementation of this Agreement; or (ii) to comply with a legal obligation resting on it.
- Confidentiality
- Unless otherwise required by law and/or a court order, the Processor is obliged to treat the Personal Data as confidential and to keep it strictly confidential.
- The Processor will ensure that those who act under its authority or on its instructions (employees and any third party) and who need to have access to the Personal Data comply with the duty of confidentiality set out in this article. The Processor will ensure that a non-disclosure agreement has been entered into or a non-disclosure clause has been agreed to by everyone involved in the Processing of this Personal Data.
- The Processor will immediately inform the Controller of any request for access to or disclosure of the Personal Data, or other kind of request for and communication of the Personal Data, that conflicts with the confidentiality obligation set out in this article.
- Security and the duty to report Data Breaches
- The Processor is responsible for ensuring that appropriate technical and organisational measures have been taken, maintained and, if necessary, adjusted to protect the Personal Data against loss, falsification, unauthorised distribution or access, or any other kind of unlawful Processing. Appendix 2 describes the security measures that the Processor has in any event taken at the time of entering into this Data Processing Agreement.
- The Processor is responsible for ensuring that its (own or contracted) employees who are involved in the Processing of the Personal Data are aware of and comply with the obligations of the Processor included in this Data Processing Agreement.
- In the event of a suspected or actual (i) Data Breach; (ii) violation of security measures; (iii) violation of the confidentiality obligation; or (iv) loss of Personal Data, the Processor will inform the Controller immediately, in any event no later than 36 hours after first discovering the incident, in accordance with the requirements set out in Appendix 3. The Processor will take all reasonably necessary measures to prevent or limit (further) unauthorised access, changes, and disclosure or otherwise unlawful Processing, and to stop and prevent in the future any breach of security measures, violation of the confidentiality obligation or further loss of personal data, without prejudice to any of the Controller’s right to compensation or to take other measures.
- At the Controller’s request, the Processor will cooperate in informing the competent authorities and the Data Subject(s).
- The Processor will reach agreements with Sub-Processors about reporting incidents to the Processor that will enable the Processor and Controller to fulfil obligations in the event of an incident as described in Article 4(3).
- Engaging Sub-Processors
- The Controller will give the Processor permission to engage the Sub-Processors listed in Appendix 4 for the Processing of Personal Data. If the intention is to engage new Sub-Processors or if changes may occur, then the Processor must inform the Controller of this in advance and give it the opportunity to object to the changes.
- The Processor is responsible for ensuring that the Sub-Processor in question accepts the same obligations as those that apply to the Processor as set out in this Data Processing Agreement.
- In the relationship between the Parties, the Processor is at all times the point of contact for the Controller. The permission given by the Processor does not affect the responsibility and liability of the Processor for the fulfilment of the Data Processing Agreement.
- Processing outside the European Economic Area
- The Processor will only transfer Personal Data to or make it accessible from a country outside the European Economic Area if it has taken appropriate safeguards. Appendix 5 contains an overview of Processing in non-EEA countries and the safeguards that have to be taken.
- Rights of Data Subjects
- Taking into account the nature of the Processing, and to the extent possible, the Processor will assist the Controller to comply with the obligations under the GDPR or other applicable regulations, within the statutory periods, in particular the rights of Data Subjects, including but not confined to the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, and the right to object. The Processor will bear the reasonable costs associated with this.
- The Processor will immediately inform the Controller of written requests from the Data Subjects to the Processor, and will ask the Controller for further instructions in this respect.
- Assistance with the implementation of the data protection impact assessment and prior consultation
- Taking into account the nature of the Processing and the information available to the Processor, the Processor will assist the Controller to comply with the obligations under Article 35 of the GDPR (implementation of the data protection impact assessment) and Article 36 of the GDPR (prior consultation).
- Transfers and destruction of data
- In consultation with the Controller, the Processor will ensure that (i) all or a part of the Personal Data determined by the Controller and made available within the context of the Service is destroyed at all locations; (ii) all or a part of the Personal Data determined by the Controller and made available within the context of the Service is made available to a subsequent Service Provider; or (iii) the Controller will be given the opportunity to withdraw Personal Data or a part of the Personal Data made available by the Controller in the context of the Service.
- At the Controller’s request and within a reasonable period, the Processor is at all times obliged to destroy all transcripts and copies of the information originating from and/or generated by the Controller and concerning the Controller within the context of the Agreement.
- The Processor may depart from the provisions in the previous paragraphs insofar as a legal retention or other period applies to the Personal Data or insofar as it is necessary in order to be able to prove to the Controller compliance with its obligations.
- Right of inspection
- The Controller is entitled to check the Processor’s compliance with the provisions of this Data Processing Agreement, or to have this compliance checked, once per calendar year, after prior written notice and taking into account a period of ten working days.
- At the request of the Controller, the Processor will make available all information that is reasonably necessary to demonstrate compliance with the obligations set out in this Data Processing Agreement and will assist in making audits possible. This audit will be carried out by an independent third party who is appointed by the Controller, and who is bound by a duty of confidentiality.
- After consultation with the Controller, the Processor may opt to replace the audit with a Third-Party Declaration.
- The Controller bears the costs of the audit, with the exception of the costs related to the Processor’s staff members who supervise the audit. If it becomes apparent from the audit that the Processor has seriously and materially failed to comply with this Data Processing Agreement, the reasonable costs of the audit will be charged to the Processor.
- The Processor is aware of the Dutch Data Protection Authority’s independent monitoring powers and those of any other supervisory authorities to whose supervision the Controller is subject, and will give these supervisors access to the Personal Data and cooperate with an investigation with respect to the Personal Data processed pursuant to the Agreement. The Processor will inform the Controller immediately if it receives such a request from the Dutch Data Protection Authority.
- Liability
- For any damages resulting from the Processor failing imputably in the fulfilment of the obligations arising from this Data Processing Agreement, or the Processor acting in violation of laws and regulations, the Processor will be liable in accordance with the agreement made between the parties in the Agreement.
- Intellectual and other property rights to the Personal Data
- All intellectual and other property rights – including any copyrights and database rights – to the Personal Data, the file and/or the files related to the Personal Data are vested at all times in the Controller or its licensor(s).
- Duration, termination and amendments
- This Data Processing Agreement is a supplement to the Agreement and has the same term as the Agreement and terminates as soon as the Agreement terminates.
- The termination of this Data Processing Agreement will not release the Parties from their obligations arising from this Data Processing Agreement, which by their nature are deemed to continue even after termination.
- Amendments to this Data Processing Agreement are only valid if agreed between the Parties in writing.
- Final provisions
- Unless otherwise stipulated in the Agreement, this Data Processing Agreement is governed by Dutch law.
- Any disputes arising from or in connection with this Data Processing Agreement will be submitted exclusively to the competent court as set out in the Agreement.
Appendix 1 Overview of the categories of Personal Data to be processed
Purpose of the data processing activities
Kernel Works uses a portfolio of services and subprocessors / vendors:
- Google Ads datahub for insight details of a cross media device campaign
- Google AdWords Customer for targeting ads to customers using search, YouTube and Gmail
- Google AdWords Store for matching offline transactions with online ads
- DoubleClick Bid manager for programmatic purchase of customer segments
- DoubleClick Campaign Manager for media planning and reporting on digital marketing campaigns
- DoubleClick Search engine for search engine marketing campaigns
- Google Analytics 360 tools for analysing, tagging and optimisation of websites and for data visualisation, attributes and target group management
- Google Attribution 360 for conversion attributes insight reports on cross channel campaigns
- Google Data Studio for building enhanced dashboards and reports
- Google Optimize 360 for performing A/B tests
- Google Tag Manager for tag management on websites and apps
- Services of LinkedIn, YouTube, Twitter and other relevant social media
Categories of processed personal data
| Processor Service | Types of Personal Data |
| --- | --- |
| Ads Data Hub | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| AdWords Customer Match | Names, email addresses, addresses and partner-provided identifiers |
| AdWords Store sales (direct upload) | Names, email addresses, phone numbers and addresses |
| DoubleClick Bid Manager | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers |
| DoubleClick Campaign Manager | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers |
| DoubleClick Data Platform | Online identifiers, including cookie identifiers and device identifiers |
| DoubleClick Search | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers |
| Google Analytics | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Analytics 360 (formerly known as Google Analytics Premium) | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Analytics for Firebase | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Attribution | Online identifiers, including cookie identifiers and device identifiers; client identifiers |
| Google Attribution 360 | Online identifiers, including cookie identifiers and device identifiers; client identifiers |
| Google Data Studio | Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts |
| Google Optimize | Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers |
| Google Optimize 360 | Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers |
| Google Tag Manager | Online identifiers, including cookie identifiers and internet protocol addresses |
| Google Tag Manager 360 | Online identifiers, including cookie identifiers and internet protocol addresses |
| Facebook, LinkedIn, Twitter, YouTube | Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts |
| Mailchimp | Names, email addresses, phone numbers, addresses and partner-provided identifiers |
| Mailgun | Names, email addresses, phone numbers, addresses and partner-provided identifiers |
| Stripe | Names, email addresses, phone numbers, addresses and partner-provided identifiers |
Retention period
Processor will only process personal data as long as there is a service agreement with the controller.
Category of data subjects
The personal data that is processed relates to the browsing behaviour of customers and prospects on websites and apps and to the use of computers and systems.
Personal data in register of DPA
UPTMZ is a processor and therefore processes data on behalf of the customer (controller). The controller is obligated to keep a register of data processing activities and to mention the processing in its privacy statement.
Use of sensitive or special category of data
The processor will not process sensitive data, but sensitive data may be gathered by accident. In that case the controller is contacted about maintaining a blacklist of registrations.
Appendix 2 Overview of security measures
UPTMZ is a part of the Adeptiv group. The Adeptiv group is ISO 9001 and ISO 27001 certified. An ongoing internal and external audit program will keep ISO 9001 and ISO 27001 up-to-date.
Appendix 3 Instructions in the event of Data Breaches
Question
What is the cause or suspected cause of the breach?
What are the consequences known so far and/or expected?
What is the solution or proposed solution?
What are the contact details for following up on the report?
How many people are known to have been involved in the breach? (If an exact number is not known, what are the minimum and maximum numbers of people whose data may have been involved in the breach?)
Describe the group of persons whose data was involved in the breach.
What kind or kinds of personal data were involved in the breach?
On what date did the breach take place?
During which period of time did the breach take place (if the exact date is not known)?
On what date and at what time did the Processor or the subcontractor engaged by it become aware of the breach?
Was the data encrypted, hashed or otherwise rendered incomprehensible or inaccessible to unauthorised persons?
Which measures have already been taken to stop the breach and to limit its consequences?
Data Breaches can be sent to privacy@adeptiv.nl or you can contact the Data Protection Officer, Hans Leemans, at h.leemans@adeptiv.nl.
Appendix 4 Overview of Sub-Processors
The Processor completes the overview below to indicate which Sub-Processors have been engaged in the collaboration:
- Social Media platforms
- DoubleClick
Appendix 5 Overview of transfers to countries outside the European Economic Area
The Processor will provide an overview of transfers to countries outside the European Economic Area as shown below. It indicates which third country this concerns, for which purpose the transfer takes place and which appropriate safeguards have been put in place pursuant to Article 46 of the GDPR.
As the EU-US Privacy Shield has been declared invalid, UPTMZ will make sure that its partners and sub-processors offer sufficient privacy measures in standard contractual clauses.