DATA PROCESSING POLICY (DPP)

LAST UPDATED 19th February, 2019

The parties,

Kiosked Information Systems Ltd, a limited liability company incorporated and existing under the laws of Ireland with registration number 496096 (“the Processor”); and,

The signatory Publisher defined in the signature section of Kiosked Publisher Agreement (‘the Controller’);

hereinafter collectively referred to as ‘Parties’ and individually ‘Party´,

having regard to the fact that,

  • the Controller has access to the personal data of various users (hereinafter: ‘Data subjects’);
  • the Controller grants the Processor necessary rights to execute ad mediation data (RTB, real-time-bidding) processing in accordance with the Kiosked Publisher Service Agreement concluded between the Parties (hereinafter: ‘the Agreement’);
  • the Controller has determined the purpose of and the means for the processing of personal data as governed by the terms and conditions referred to herein;
  • the Processor has undertaken to comply with this data processing policy (hereinafter: ‘the Data Processing Policy’ or ‘PDD’) and to abide by the security obligations and all other aspects of the General Data Protection Regulation, GDPR (hereinafter: ‘GDPR’);
  • the Controller is hereby deemed to be the responsible party within the meaning of the GDPR;
  • the Processor is hereby deemed to be the Processor within the meaning of the GDPR;
  • where, provisions of the General Data Protection Regulation are meant;
  • the Parties, wish to lay down their rights and duties in writing in this Data Processing Policy.

have agreed as follows,

ARTICLE 1. SUBJECT MATTER, NATURE, AND PURPOSE OF PROCESSING

  1. The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in this Data Processing Policy. The processing will be executed exclusively within the framework of the Policy, and for all such purposes as may be agreed to subsequently.
  2. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller and what is necessary in order to deliver the services defined in the Kiosked Publisher Service Agreement. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Policy.
  3. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.

ARTICLE 2. TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

2.1 Data subjects of this DPP are the individuals who visit a web page run by the Controller and on which the Processor helps to display online advertising through ad mediation logic.

2.2 The Processor receives and processes, together with its sub-processors such as hosting partners and advertising networks, necessary personal data of the data subject, in order to be able to execute ad mediation. This data falls roughly into two categories: “HTTP header data” and “clickstream data”. The former may include in-formation about browsers and devices of users, device identifiers, cookie information and the IP address from which the device accesses the service. The latter refers to the information that the data subject leaves behind while visiting a website and which stored as a form of log files. No sensitive personal data, as defined by the GDPR, will be collected or processed by the Processor. In some cases, advertising networks may become controllers for some personal data when they increase the efficiency of advertising.

ARTICLE 3. OBLIGATIONS

3.1 Both Parties shall comply with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.

3.2 The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Policy and the GDPR.

3.3 The Processor’s obligations arising under the terms of this Data Processing Policy apply also to whomsoever processes personal data under the Processor’s instructions.

ARTICLE 4. TRANSMISSION OF PERSONAL DATA

4.1 The Processor may process the personal data in countries outside the European Union. In addition, the Processor may also transfer the personal data to a country outside the European Union provided that such country guarantees an adequate level of protection and it satisfies the other
obligations applicable to it pursuant to this Data Processing Policy and the GDPR.

4.2 Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.

ARTICLE 5. ALLOCATION OF RESPONSIBILITY

5.1 The Processor shall only be responsible for processing the personal data under this Data Processing Policy, in accordance with the Agreement, and under the (ultimate) responsibility of the Controller.

5.2 Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Policy.

ARTICLE 6. ENGAGING OF THIRD PARTIES OR SUBCONTRACTORS

6.1 The Processor is authorized within the framework of the Policy to engage and share the necessary data with third parties such as various advertising partners (DSPs and other
demand-side partners) and store log data for troubleshooting purposes, without the prior approval of the Controller being
required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged.

6.2 The Processor shall ensure that such third parties will be obliged to comply with the provisions of this Policy and the GDPR.

ARTICLE 7. DUTY TO REPORT

7.1 In the event of a personal data breach, as referred to in the GDPR, the processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the personal data breach. The Processor will endeavor to ensure that the furnished information is complete, correct and accurate.

7.2 If and when required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.

7.3 The duty to report includes, in any event, the duty to report the fact that a leak has occurred, including details regarding:
• the (suspected) cause of the personal data breach;
• the (currently known and/or anticipated) consequences thereof;
• the (proposed) solution;
• the measures that have already been taken.

ARTICLE 8. SECURITY

8.1 The Processor will maintain appropriate technical and organizational measures to protect personal data, considering: the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data transmitted, stored or otherwise processed.

8.2 The Processor does not guarantee that the security measures are effective under all circumstances.

ARTICLE 9. HANDLING REQUESTS FROM INVOLVED PARTIES

Where a Data subject submits a request to the Processor to inspect, as stipulated by the GDPR, or to improve, add to, change or protect their personal data, as stipulated by the GDPR, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.

ARTICLE 10. NONDISCLOSURE AND CONFIDENTIALITY

10.1 All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Policy is subject to a duty of confidentiality vis-à-vis third parties.

10.2 This duty of confidentiality will not apply in the event that the Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this
Data Processing Policy or if there is a legal obligation to make the information available to a third party.

ARTICLE 11. AUDIT

11.1 In order to confirm compliance with this Data Processing Policy, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.

11.2 The audit may be undertaken no earlier than two weeks after the Controller has provided written notice to the Processor.

11.3 The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.

11.4 The costs of the audit will be borne by the Controller.

ARTICLE 12. DURATION OF PROCESSING AND TERMINATION

12.1 This Data Processing Policy is entered into for the duration set out in the Kiosked Publisher Agreement, and in the absence thereof, for the duration of the cooperation between the Parties. Personal data will be processed by Processor for the duration of the Agreement and unless a longer period is agreed between the parties in the Agreement e.g. for storage service or in order to transfer the personal data to third parties. The Controller can always require Processor to stop processing of personal data.

12.2 The Parties shall provide their full cooperation in amending and adjusting this Data Processing Policy in the event of new privacy legislation.

ARTICLE 13. MISCELLANEOUS

13.1 This Data Processing Policy shall form an integral part of the Kiosked terms of use and Kiosked publisher agreements (“Agreements”). Therefore, all applicable parts of the Kiosked terms of use and Kiosked publisher agreements (including provisions on governing law and dispute resolution) shall apply also to this Data Processing Policy.

13.2 In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:

  1. the Kiosked Publisher Service Agreement;
  2. this Data Processing Policy;
  3. additional conditions, where applicable.

13.3 Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.