DATA PROCESSING AGREEMENT

  • Posted by velmedadmin
  • On February 14, 2023

This Data Processing Agreement (“DPA”) is hereby entered by and between Velis Media Ltd.
(“Company”) and you, a publisher using the Company’s services (“Publisher”). Each a “party” and
collectively, the “parties”.
This DPA forms an integral part of all agreements between the parties (“Publisher Agreement” or
“Agreement”) entered, accepted or signed by the Publisher as of May 25, 2018 (“Effective Date”) and to
the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement,
including if:
(a) the Processing is in the context of the activities of an establishment of either party in the
European Economic Area (“EEA”); or
(b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the
offering to them of goods or services or the monitoring of their behavior in the EEA by or on
behalf of a party.
Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated
reporting or statistics information a party may collect from end users or provide to the other party.
1. DEFINITIONS
1.1. “Publisher Data” means any and all data shared between the parties that may include, inter
alia, device information, IDs, events, and country level geo location data. The Publisher Data
includes, without limitation, data deemed as Personal Data and IDs all as detailed in Schedule 1
attached herein.
1.2. “Data Protection Law” means any and all applicable privacy and data protection laws and
regulations (including, where applicable, EU Data Protection Law) as may be amended or
superseded from time to time.
1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”),
“Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority”
shall have the meanings given in EU Data Protection Law.
1.4. “EU Data Protection Law” means the (i) General Data Protection Regulation (Regulation
2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended
(e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or
succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any
judicial or administrative interpretation of any of the above, including any binding guidance,
guidelines, codes of practice, approved codes of conduct or approved certification mechanisms
issued by any relevant Supervisory Authority.
1.5. “ID” means online identifiers such as IPs, advertising IDs, cookies and agents.
1.6. “Security Incident” means any security breach relating to any Personal Data elements leading to
the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
Personal Data within, Personal Data transmitted, stored or otherwise processed; including
without limitation the meaning assigned to it under section 12 of Article 4 of the GDPR.
2. RELATIONSHIP OF THE PARTIES
In relation to all Publisher Data, the Company acknowledges that, as between the parties, Publisher
is the Controller of Company Data, and that the Company, in providing the services is acting as a
Processor on behalf of the Controller. The subject-matter and duration of the Processing carried out
by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of
Personal Data and categories of Data Subjects are described in Schedule 1.
3. REPRESENTATIONS AND WARRANTIES
The Publisher represents and warrants that: (a) its Processing instructions comply with all applicable
Data Protection Laws; the Publisher acknowledges that, taking into account the nature of the
Processing, the Company is not in a position to determine whether the Publisher’s instructions
infringe applicable Data Protection Laws; and (b) the Publisher hereby warrants and represents that
as of the Effective Date it will comply with EU Data Protection Law, specifically with the lawful basis
for Processing Personal Data. The Company represents and warrants it shall process Personal Data,
as set forth under Article 28(3) of the GDPR and Schedule 1 attached herein, on behalf of the
Publisher, solely for the purpose of providing the service. Notwithstanding the above, in the event
required under applicable laws, the Company may Process Personal Data other than as instructed by
the Publisher; in such event the Company shall make best efforts to inform the Publisher of such
requirement unless prohibited under applicable law.
4. RIGHTS OF THE DATA SUBJECT
It is agreed that where either party receives a request from a Data Subject or an applicable authority
in respect of Personal Data Controlled or Processed by the other party, where relevant, the party
receiving such request will direct the Data Subject or the authority to the other party, as applicable,
in order to enable the other party to respond directly to the Data Subject’s request. Each party shall
reasonably cooperate and assist the other party in the handling of a Data Subject’s or an authority’s
request, to the extent permitted under Data Protection Law.
5. SUB-PROCESSOR
The Publisher acknowledges that the Company may transfer Personal Data to and otherwise interact
with third party data processors (“Sub-Processor”). Publisher hereby authorizes the Company to
engage and appoint such Sub-Processors to Process Personal Data, as well as permits each
Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those
Sub-Processors already engaged by the Company (as detailed in Schedule 2) and the Company may
engage an additional or replace an existing Sub-Processor to process Personal Data provided that it
notifies the Publisher. The Company shall, where it engages any Sub-Processor, impose, through a
legally binding contract between the Company and Sub-Processor, data protection obligations no
less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient
guarantees to implement appropriate technical and organizational measures in such a manner that
the processing will meet the requirements of the GDPR.
6. TECHNICAL AND SECURITY MEASURES
Each party shall implement appropriate technical and organizational measures to protect the
Personal Data and its security, confidentiality and integrity and the Data Subject’s rights.
7. SECURITY INCIDENT
The Company will notify Publisher without undue delay upon becoming aware that an actual
Security Incident involving the Publisher Data in Company’s possession or control has occurred, as
Company determines in its sole discretion. Company’s notification of or response to a Security
Incident under this section 3 shall not be construed as an acknowledgment by the Company of any
fault or liability with respect to the Security Incident. The Company will, in connection with any
Security Incident affecting Publisher Data: (i) quickly and without delay, take such steps as are
necessary to contain, remediate, minimize any effects of and investigate any Security Incident and
to identify its cause (ii) co-operate with Publisher and provide Publisher with such assistance and
information as it may reasonably require in connection with the containment, investigation,
remediation or mitigation of the Security Incident; and (iii) immediately notify Publisher in writing of
any request, inspection, audit or investigation by a supervisory authority or other authority.
8. AUDIT RIGHTS
The Company shall make available, solely upon prior written notice and no more than once per year,
to a reputable auditor nominated by the Publisher, information necessary to reasonably
demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such
reputable auditor solely in relation to the Processing of the Publisher Data (“Audit”).
The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards
third parties). The Company may object in writing to an auditor appointed by the Publisher in the
event the Company reasonably believes the auditor is not suitably qualified or independent, a
competitor of the Company or otherwise manifestly unsuitable (“Objection Notice”). In the event of
Objection Notice, the Publisher will appoint a different auditor or conduct the Audit itself.
The Publisher shall bear all expenses related to the Audit and shall make (and ensure that each of its
mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to
minimize) any damage, injury or disruption to the Company’s premises, equipment, personnel and
business while its personnel are on those premises in the course of such Audit. Any and all
conclusions of such Audit shall be confidential and reported back to the Company immediately.
9. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer to a territory outside of the EEA
unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU
Data Protection Law. Such measures may include (without limitation) transferring the Personal Data
to a recipient in a country that the European Commission has decided provides adequate protection
for Personal Data.
10. LIABILITY
Each party shall take out and maintain insurance policies to the value sufficient to meet their
respective liabilities under or in connection with this DPA.
11. GENERAL
In the event of any conflict or inconsistency between this DPA and the Company’s privacy policy, the
Company’s privacy policy shall prevail, provided only that the procedure prevailing through the
privacy policy shall not constitute a breach or infringement of any Data Protection Laws. In the
event of inconsistencies between the provisions of this DPA and any other agreements signed
between the parties, including the Publisher Agreement, the terms of this DPA shall prevail. Nothing
in this DPA shall confer any benefits or rights on any person or entity other than the parties to this
DPA.
SCHEDULE 1
Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing Personal Data as required by Article 28(3)
GDPR.
Subject matter and duration of the Processing of Personal Data
Processing carried out in connection with the provision of the services. The duration shall be for the
terms of the partnership with an additional period from the expiration of the partnership until deletion
of Publisher Data by the Company in accordance with the terms of this DPA.
The nature and purpose of the Processing of Personal Data
To provide the services and display advertisements on Publisher’s assets.
The types of Personal Data Processed
IDs
The categories of Data Subject to whom the Personal Data relates
Users/Data Subject in the EEA.
SCHEDULE 2
Sub Processors
Company’s servers
Company’s advertisers