At Appnerve LLP (“Appnerve,” “we,” “us,” or “our”), we are committed to upholding the highest standards of data protection and privacy in all aspects of our operations. This Data Compliance Policy outlines our obligations, principles, and practices in relation to the collection, processing, transfer, and storage of personal data, in accordance with applicable data protection laws including the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other relevant international regulations.

This policy establishes the framework by which Appnerve ensures transparency, accountability, and security in the handling of data across its services, platforms, and business relationships.

1. Definitions

For the purposes of this Data Compliance Policy, the following definitions shall apply:

1.1 “Media Company”

Means the entity which determines the purposes and means of the Processing of Personal Data.

1.2 “Data Protection Laws”

Refers to all applicable laws and regulations governing the Processing of Personal Data, including but not limited to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and any other relevant data protection legislation applicable to the parties.

1.3 “Data Subject”

Means an identified or identifiable natural person to whom the Personal Data relates.

1.4 “GDPR”

Refers to (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and (ii) the UK GDPR (as defined in the Data Protection Act 2018), as applicable.

1.5 “Personal Data”

Means any Customer Data that (i) relates to an identified or identifiable natural person and/or (ii) is otherwise protected as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

1.6 “Processing”

Means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.

1.7 “Processor”

Means the entity that Processes Personal Data on behalf of the Media Company.

1.8 “Sensitive Information”

Refers to any category of Personal Data that qualifies as sensitive data under applicable Data Protection Laws and requires heightened protections. This includes, but is not limited to, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for unique identification), health data, sex life or sexual orientation data, and data relating to criminal convictions and offences.

1.9 “Services”

Means the services provided by the Agency to the Media Company under the applicable Agreement.

1.10 “Standard Contractual Clauses” or “SCCs”

Refers to the standard contractual clauses adopted by the European Commission pursuant to Decision (EU) 2021/914 for the transfer of Personal Data to processors located in third countries, as provided in Annex 1 of this Policy.

1.11 “Sub-processor”

Means any third-party Processor engaged by the Agency who Processes Personal Data on behalf of the Media Company.

1.12 “Supervisory Authority”

Means an independent public authority established by an EU Member State pursuant to the GDPR, or any regulatory body with similar authority under applicable Data Protection Laws.

1.13 “Third Country”

Means any country, territory, or international organization that is not recognized by the European Commission under Article 45 of the GDPR as providing an adequate level of data protection.

1.14 “Websites”

Means the digital properties, such as websites or applications, owned or operated by the Media Company or its partners, in relation to which the Agency provides the Services or collects and Processes Personal Data.

2. Scope of Processing

2.1. This Policy governs all Personal Data Processing activities conducted by the Media Company on behalf of the Agency, in accordance with Article 28 of the GDPR. Such Processing is carried out based on the principal Insertion Order and any additional agreements between the parties.

2.2. Unless otherwise specified, all references to “data processing” or “processing” within this Policy shall be interpreted as encompassing any operation or set of operations performed on Personal Data, whether by automated means or otherwise. This includes, but is not limited to: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other methods of making Personal Data available, alignment or combination, restriction, erasure, or destruction.

2.3. Additional definitions applicable to the interpretation of this Policy can be found in Article 4 of the GDPR, which outlines key terms relating to the Processing of Personal Data.

3. Subject Matter and Duration of the Data Processing

3.1. The Party shall process Personal Data solely on behalf of, and in accordance with, the documented instructions of the Media Company. No independent processing shall be undertaken by the Agency without prior written authorization from the Media Company.

3.2. The subject matter of the data processing includes, but is not limited to, the provision of services such as employee training or other operational activities as defined in the principal Insertion Order. These services shall be conducted within the scope agreed upon with the Media Company.

3.3. The duration of the data processing under this Policy shall align with the effective period of the principal Insertion Order, including any extensions or renewals, unless otherwise terminated in accordance with the terms of this Agreement.

4. Compliance with Data Protection Laws

4.1. Both parties shall fully comply with all applicable Data Protection Laws and the terms of this Agreement in the execution of their respective obligations under the principal Insertion Order.

4.2. The parties agree to cooperate and provide reasonable assistance to each other to ensure compliance with Data Protection Laws. In the event that either party suspects non-compliance by the other, they shall, subject to confidentiality requirements and applicable information disclosure policies, share relevant information to determine the cause of such non-compliance and implement appropriate corrective measures.

4.3. Where consent constitutes the lawful basis for processing Personal Data related to the Services or is required for the use of cookies or similar technologies on Data Subjects’ devices under Data Protection Laws, the Media Company shall be responsible for obtaining clear, specific, informed, unambiguous, and freely given consent from each Data Subject. This consent must cover the processing of Personal Data by the Agency or its media buying clients in accordance with this Agreement. Additionally, the Media Company shall ensure that its clients and any third-party service providers also obtain such consent where applicable.

4.4. The Agency shall provide the Media Company with clear, written instructions regarding the content and mechanisms necessary to ensure that the Websites display appropriate, clear, and concise privacy notices. These notifications must comply with Data Protection Laws by informing Data Subjects about the processing activities conducted by the Agency or its media buying clients, including the purposes of such processing and any other disclosures legally required to guarantee transparency.

5. Agency Personnel

5.1 Confidentiality Obligations

The Agency shall ensure that all personnel authorized to process Personal Data on its behalf—including employees, contractors, agents, and subcontractors—are subject to strict confidentiality obligations. These obligations shall be legally binding and enforceable, ensuring that Personal Data is not disclosed, accessed, or used for any purpose other than as strictly necessary to fulfill the Services under this Agreement.

5.2 Data Protection Training

The Agency shall provide appropriate and ongoing data protection and privacy training to all personnel with access to Personal Data. Training shall cover applicable Data Protection Laws, security policies, confidentiality obligations, data breach reporting protocols, and any specific obligations arising under this Agreement.

5.3 Access Control and Need-to-Know Principle

Access to Personal Data by Agency personnel shall be limited strictly to those who require it to perform their contractual duties (“need-to-know” basis). The Agency shall implement appropriate technical and organizational measures to enforce role-based access controls and prevent unauthorized or accidental access, modification, or disclosure of Personal Data.

5.4 Vetting and Background Checks

Where permitted by applicable laws, the Agency shall undertake reasonable background checks or vetting procedures on personnel who will process Personal Data, especially those with privileged or administrative access, to ensure their trustworthiness and reliability.

5.5 Monitoring and Accountability

The Agency shall maintain records of personnel authorized to process Personal Data, their access rights, and any relevant training completion. The Agency shall also implement monitoring measures to detect and respond promptly to any unauthorized or inappropriate access or processing activities by its personnel.

5.6 Sub-processor Personnel

The Agency shall ensure that any Sub-processors engaged comply with the same confidentiality and data protection obligations as set out in this section. The Agency shall remain responsible for any acts or omissions of its Sub-processors and shall ensure contractual flow-down obligations to protect Personal Data.

5.7 Reporting Data Breaches and Incidents

All personnel shall be trained and required to report any suspected or actual data breaches or security incidents involving Personal Data immediately to the Agency’s Data Protection Officer or designated privacy lead, to enable timely investigation, mitigation, and notification to the Media Company as per the terms of this Agreement and applicable Data Protection Laws.

6. Rights and Duties of the Media Company

6.1. Primary Responsibility and Legal Compliance

The Media Company shall be solely responsible for ensuring that the processing of Personal Data under this Agreement is carried out in compliance with applicable Data Protection Laws. As the Data Controller (as defined under Article 4(7) of the GDPR), the Media Company shall ensure that appropriate legal grounds for processing are established and that the rights and freedoms of Data Subjects are upheld.

6.2. Authority to Issue Instructions

The Media Company retains the right to issue binding instructions concerning the nature, scope, purpose, and method of processing Personal Data by the Agency. Any such instructions shall be communicated in writing or via electronic means (e.g., email). Verbal instructions must be promptly confirmed in writing or electronically for audit and compliance purposes.

6.3. Designation of Authorized Representatives

The Media Company may designate specific individuals authorized to issue instructions on its behalf. The Agency shall be notified of such designations in writing or via email. If the Media Company modifies such appointments, it must provide written or electronic notice to the Agency, including the identity and contact details of the newly appointed person(s).

6.4. Obligation to Report Irregularities

In the event the Media Company becomes aware of any non-compliance, errors, or irregularities in the Agency’s handling of Personal Data, the Media Company shall notify the Agency without undue delay and provide relevant details to support prompt investigation and remediation.

7. Duties of the Agency

7.1. Processing of Data

The Agency shall process Personal Data solely in accordance with this Agreement, the principal Insertion Order, and any written instructions provided by the Media Company. The Agency shall not process Personal Data for its own purposes or for any purposes not authorized by the Media Company.

7.2. Data Subject Rights

7.2.1. The Agency shall assist the Media Company, to the extent reasonably possible, in enabling Data Subjects to exercise their rights under Data Protection Laws, including but not limited to the rights of access, rectification, erasure, restriction of processing, data portability, and objection. In the event that a Data Subject exercises their right to data portability under Article 20 of the GDPR, and the relevant Personal Data has been processed by the Agency on behalf of the Media Company, the Agency shall provide the Media Company with the relevant dataset in a structured, commonly used, and machine-readable format within a reasonable timeframe.

7.2.2. The Agency shall carry out any rectification, deletion, or restriction of Personal Data strictly in accordance with the Media Company’s documented instructions or as required by this Agreement.

7.2.3. If a Data Subject contacts the Agency directly regarding the exercise of any of their rights, the Agency shall promptly forward the request to the Media Company without responding directly to the Data Subject, unless specifically authorized to do so in writing by the Media Company.

7.3. Duties of Monitoring

7.3.1. The Agency shall implement appropriate internal controls to ensure that all Personal Data processed on behalf of the Media Company is handled in compliance with this Agreement, the principal Insertion Order, and applicable instructions.

7.3.2. The Agency shall maintain a secure operational environment and take all appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 of the GDPR.

7.3.3. (Intentionally left blank to retain numbering consistency; may be used in future amendments.)

7.3.4. The Agency affirms that it has appointed a Data Protection Officer in accordance with Article 37 of the GDPR. The Data Protection Officer shall oversee the Agency’s data protection practices and serve as the point of contact for any data protection queries. The DPO may be contacted at: policy@appnerve.com

7.4. Obligations to Provide Information

7.4.1. The Agency shall inform the Media Company without undue delay if, in its opinion, any instruction from the Media Company infringes applicable Data Protection Laws. In such cases, the Agency may suspend execution of the instruction until it is confirmed, modified, or withdrawn by the Media Company.

7.4.2. The Agency shall provide reasonable assistance to the Media Company in meeting its obligations under Articles 32 to 36 of the GDPR, particularly with regard to data security, notification of personal data breaches, data protection impact assessments, and prior consultations with Supervisory Authorities, considering the nature of processing and the information available to the Agency.

7.5. Location of Data Processing

7.5.1. The Agency shall primarily carry out data processing activities within the Republic of Poland or other countries within the European Economic Area (EEA). Any transfer of Personal Data to a country outside the EEA (“Third Country”) shall only occur in accordance with Chapter V of the GDPR and subject to appropriate safeguards as required under Articles 44–49 of the GDPR.

7.6. Deletion of Personal Data After Completion of Services

7.6.1. Upon completion or termination of the principal Insertion Order, the Agency shall, at the choice of the Media Company, either return all Personal Data and any copies thereof to the Media Company or securely delete all such data, unless retention is required by applicable law. Where deletion is performed, the Agency shall document and confirm the deletion to the Media Company in accordance with data protection regulations.

8. Sub-processing

8.1. General Authorization

The Media Company hereby grants the Agency general written authorization, within the meaning of Article 28(2) of the GDPR, to engage sub-processors in the performance of its obligations under this Agreement. The appointment of any such sub-processors shall be subject to the terms and safeguards set forth in this Section 8.

8.2. Existing Subprocessors

The Media Company acknowledges and agrees to the appointment of the sub-processors currently engaged by the Agency, as listed in Appendix 3 of this Agreement. These entities are authorized to process Personal Data in connection with the services provided under the principal Insertion Order.

8.3. Changes in Subprocessors

The Agency shall inform the Media Company in writing of any intended addition or replacement of a sub-processor. Such notification must be provided in advance and include sufficient information to allow the Media Company to assess the impact of the proposed change.

8.4. Right to Object

The Media Company may object to the appointment or replacement of a sub-processor by notifying the Agency in writing within fourteen (14) calendar days of receiving the notice. Should an objection be raised, the Agency may, at its discretion:

  • Continue the service without involving the proposed sub-processor;
  • Propose a reasonable alternative sub-processor and coordinate with the Media Company accordingly;
  • Or, if continuation without the proposed sub-processor is commercially or technically impracticable, and the parties fail to agree on an alternative within a reasonable time, either party may terminate this Agreement and the principal Insertion Order by giving one (1) month’s written notice, effective at the end of the relevant calendar month.

8.5. Equivalent Data Protection Obligations

Where the Agency engages a sub-processor for carrying out specific processing activities on behalf of the Media Company, the Agency shall ensure that the sub-processor is bound by a written agreement that imposes the same data protection obligations as those set out in this Agreement. This includes providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

8.6. Liability for Subprocessors

The Agency shall remain fully liable to the Media Company for the performance of any sub-processor’s obligations. Any failure by a sub-processor to comply with applicable data protection obligations shall be deemed a breach by the Agency.

8.7. Confidentiality of Subprocessors

The Agency shall ensure that all sub-processors, as well as any of its own employees or agents who have access to Personal Data, are subject to appropriate confidentiality obligations. These obligations shall be legally binding and remain in effect beyond the termination of the Agreement.

8.8. Training and Documentation

The Agency shall ensure that all personnel authorized to process Personal Data have received adequate training in data protection and information security principles. Upon request by the Media Company, the Agency shall provide written confirmation that such personnel are bound by confidentiality obligations and have been appropriately trained.

8.9. Media Company Confidentiality Requirements

If the Media Company is bound by specific confidentiality provisions or statutory obligations, it shall inform the Agency accordingly. The Agency shall ensure that its sub-processors and employees comply with such additional confidentiality requirements as communicated by the Media Company.

9. International Transfers

9.1. Application of Standard Contractual Clauses (SCCs)

The Standard Contractual Clauses (“SCCs”) as referenced in Annex 1 of this Agreement shall apply exclusively to the transfer of Personal Data to a Third Country which does not benefit from an adequacy decision by the European Commission or another competent authority, and where no other lawful transfer mechanism (e.g., binding corporate rules or approved certification mechanisms) is in place. This includes direct transfers or onward transfers carried out by the Agency or its sub-processors.

9.2. Transfers under the UK GDPR

Where the applicable Data Protection Laws are those of the United Kingdom, the provisions of the UK International Data Transfer Addendum or other transfer tools under Article 46 of the UK GDPR, as approved by the UK Information Commissioner’s Office (ICO), shall apply to any transfers of Personal Data from the United Kingdom to a Third Country lacking an adequate level of protection, as determined by UK authorities.

9.3. Obligation to Implement Safeguards

In the event that the Agency or any sub-processor processes Personal Data in or transfers Personal Data to a Third Country without an adequacy decision, the Agency shall ensure that appropriate safeguards are implemented in accordance with Article 46 of the GDPR or UK GDPR (as applicable). These safeguards may include, but are not limited to:

  • Execution of the applicable SCCs;
  • Supplementary technical or organizational measures, where required by relevant authorities or judgments (e.g., in response to the Schrems II ruling);
  • Data protection impact assessments specific to cross-border transfers.

9.4. Notification of Change

The Agency shall promptly inform the Media Company of any changes in circumstances or requirements that may affect the legality of international data transfers under this Agreement, including changes in the laws of the Third Country or new guidance issued by supervisory authorities.

9.5. Data Subject Rights and Legal Remedies

The Agency shall ensure that Data Subjects whose Personal Data is transferred internationally under the SCCs or other lawful mechanisms shall have enforceable rights and effective legal remedies under applicable laws. The Agency shall also cooperate with supervisory authorities in the context of such transfers.

10. Audit Rights

10.1. Access to Audit Reports

Upon prior written request by the Media Company, the Agency agrees to cooperate and, within a reasonable timeframe, provide the Media Company with the following:

  1. A summary of recent and relevant audit reports or certifications (such as ISO/IEC 27001 or SOC 2) that demonstrate the Agency’s compliance with applicable EU Data Protection obligations under this Agreement, with all confidential and commercially sensitive information redacted;
  2. A written confirmation that the most recent audit has not identified any material vulnerabilities in the Agency’s data protection framework, systems, or practices. In cases where such vulnerabilities were identified, the Agency shall confirm that they have been fully addressed and remediated.

10.2. Independent External Audit

If the audit reports and confirmations provided under Section 10.1 are deemed insufficient to satisfy the Media Company’s data protection due diligence obligations under applicable Data Protection Laws, or if there are reasonable grounds to suspect material non-compliance, the Media Company may, subject to strict confidentiality, request a formal audit of the Agency’s data protection compliance program by an independent, qualified third-party auditor.

  1. Such an audit shall be conducted at the Media Company’s expense unless the audit reveals a material breach of this Agreement or of applicable Data Protection Laws, in which case the cost shall be borne by the Agency.
  2. The third-party auditor must be jointly approved by both Parties and must not be a direct or indirect competitor of the Agency.
  3. The Parties shall mutually agree upon the scope, timing, and duration of the audit. The audit shall be conducted in a manner that minimizes any disruption to the Agency’s operations.

10.3. Disclosure of Audit Results

The Agency shall provide the Media Company with access to the audit findings, including details of any identified compliance gaps and the corrective actions taken or planned. If requested, the Agency shall provide written evidence of the implementation of such corrective actions within a reasonable period.

11. Personal Data Breach

11.1. Notification Obligation

In the event that either party becomes aware of a Personal Data Breach affecting Personal Data processed under this Agreement, that party shall promptly notify the other party without undue delay. The notification shall, to the extent possible, include the following details:

a. A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected;

b. The categories and approximate number of Personal Data records concerned;

c. The name and contact details of a designated contact point for further information;

d. A description of the likely consequences of the Personal Data Breach; and

e. A description of the measures taken or proposed to be taken by the affected party to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide all of the above information at the same time, the missing information may be provided in phases without undue further delay. Both parties shall cooperate in good faith to investigate the incident, mitigate its adverse effects, and fulfill any legal obligations, including notification requirements to Supervisory Authorities and, if necessary, Data Subjects.

11.2. Escalation and Regulatory Notification

Where a Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons, the party responsible for the breach shall notify the other party as well as the competent Supervisory Authority in accordance with Article 33 of the GDPR or any other applicable Data Protection Law. Such notification shall be made promptly and, where feasible, not later than seventy-two (72) hours after having become aware of the breach.

11.3. Record Keeping

The Agency shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) of the GDPR. These records shall be made available to the Media Company upon request, subject to reasonable confidentiality obligations.

11.4. Data Subject Communication

If a Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the party responsible shall, in consultation with the other party, communicate the breach to the affected Data Subjects without undue delay, in clear and plain language, and in accordance with Article 34 of the GDPR.

12. Security Measures

12.1. The Agency shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures shall take into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the Processing of Personal Data, as well as the likelihood and severity of risks to the rights and freedoms of natural persons.

12.2. The measures implemented by the Agency shall include, where appropriate and without limitation:

a. The pseudonymization and encryption of Personal Data;

b. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

c. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

d. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

12.3. The Agency shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they receive regular training on data protection and information security.

12.4. The Agency shall take steps to ensure that any natural person acting under its authority who has access to Personal Data does not process them except on instructions from the Media Company, unless required to do so by Union or Member State law.

12.5. If the Agency becomes aware of circumstances that may compromise the effectiveness of the implemented technical or organizational measures, or that may give rise to unauthorized access, accidental loss, destruction, or disclosure of Personal Data, the Agency shall promptly notify the Media Company and propose appropriate mitigation steps.

12.6. Upon request, the Agency shall provide the Media Company with a detailed summary of the technical and organizational security measures currently in place, including documentation sufficient to demonstrate compliance with this section.

13. Liability & Indemnification

13.1. The Agency shall be liable to the Media Company for any direct loss, damage, or expense incurred as a result of any breach of this Agreement, including but not limited to non-compliance with applicable Data Protection Laws, caused by the Agency, its employees, agents, or any Sub-processors engaged on its behalf. Such liability shall also apply where the Agency fails to implement appropriate technical or organizational measures resulting in a Personal Data Breach. However, the Agency shall not be held liable to the extent that it demonstrates that it acted in accordance with lawful instructions issued by the Media Company and has otherwise fulfilled its obligations under this Agreement and the GDPR.

13.2. The Media Company agrees to indemnify and hold harmless the Agency against any and all liabilities, claims, damages, penalties, losses, or expenses (including reasonable legal fees) arising from or relating to:

a. Any breach by the Media Company of its obligations under this Agreement or applicable Data Protection Laws;

b. Any unlawful or unauthorized instruction given by the Media Company to the Agency regarding the processing of Personal Data;

c. Any failure by the Media Company to obtain necessary consents or legal basis for processing Personal Data under the applicable Data Protection Laws.

13.3. Neither party shall be liable for indirect, incidental, punitive, special, or consequential damages, including but not limited to loss of profit, revenue, data, or use, except where such damages result from gross negligence, willful misconduct, or a material breach of data protection obligations causing a Personal Data Breach.

13.4. The liability of each party under this Section shall be subject to the limitations permitted under applicable law, including the liability framework as defined under Article 82 of the GDPR, except where otherwise agreed in writing or required by law.

14. Miscellaneous

14.1. In the event of any conflict between the terms of this Agreement and the principal Insertion Order, the provisions of this Agreement shall prevail with respect to data protection and processing obligations.

14.2. Any amendments, modifications, or additions to this Agreement shall be valid only if made in writing and duly signed by both parties. Such modifications must explicitly reference the specific clauses being amended. Oral side agreements, including those made via telephone or informal conversation, shall not be valid and shall not form the basis for any future amendment of this Agreement.

14.3. This Agreement shall be exclusively governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict of law provisions.

14.4. In the event that third parties, such as insolvency administrators, tax authorities, or judicial enforcement bodies, take measures that may threaten the Agency’s access to or control over Personal Data transmitted by the Media Company, the Agency shall immediately inform the Media Company. The Agency shall also take all reasonable measures to protect such data from unauthorized access, seizure, or disclosure.

14.5. The Agency reserves the right to amend this Agreement by providing the Media Company with written notice of the intended changes at least thirty (30) days in advance. Should the Media Company disagree with the proposed amendments, it must notify the Agency of its objection in writing within the notice period. In such a case, the Agency shall be entitled to terminate this Agreement and the related principal Insertion Order without liability by providing written notice prior to the effective date of the amendments.

Annex 1

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

In accordance with Article 49 of Regulation (EU) 2016/679, these Contractual Clauses (the “Clauses”) are established to provide sufficient safeguards to protect the privacy rights and fundamental freedoms of individuals when personal data is transferred by the data exporter to a data importer located in a third country that does not have an adequate level of data protection.

Clause 1
Definitions

For the purposes of these Clauses, the following terms shall have the meanings assigned to them below:

(a) The terms ‘personal data,’ ‘special categories of data,’ ‘processing,’ ‘controller,’ ‘processor,’ ‘data subject,’ and ‘supervisory authority’ shall have the meanings ascribed to them in Regulation (EU) 2016/679 of the European Parliament and Council dated 27 April 2016, concerning the protection of natural persons regarding personal data processing and free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation);

(b) ‘Data exporter’ refers to the controller who transfers the personal data;

(c) ‘Data importer’ means the processor that receives personal data from the data exporter for processing on the latter’s behalf, under the importer’s instructions and in compliance with these Clauses, and which is established in a third country lacking an adequate data protection regime as defined in Chapter 5 of Regulation (EU) 2016/679;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘Applicable data protection law’ refers to the legal framework safeguarding individuals’ fundamental rights and privacy regarding personal data processing, applicable to the data controller established in the Member State where the data exporter resides;

(f) ‘Technical and organizational security measures’ mean all appropriate measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, especially in scenarios involving data transmission over networks, as well as other unlawful forms of processing.

Clause 2
Transfer Details

The specifics of the data transfer, including any applicable special categories of personal data, are outlined in Appendix 1, which is incorporated as an essential part of these Clauses.

Clause 3
Rights of Third-Party Beneficiaries
  1. Data subjects have the right to enforce this Clause, along with Clauses 4(b) to (i), 5(a) to (e) and (g) to (j), 6(1) and (2), 7, 8(2), and 9 through 12, directly against the data exporter as third-party beneficiaries.
  2. In situations where the data exporter has ceased to exist or has been dissolved without a legal successor taking on its obligations, data subjects may exercise the rights outlined in this Clause, Clauses 5(a) to (e) and (g), 6, 7, 8(2), and 9 to 12 against the data importer. If a successor entity has legally assumed the data exporter’s responsibilities, the data subjects must direct their claims against that entity.
  3. Where both the data exporter and data importer have ceased to exist or become insolvent without a successor entity assuming their responsibilities, data subjects may enforce the rights in this Clause, Clauses 5(a) to (e) and (g), 6, 7, 8(2), and 9 to 12 against the sub-processor. However, such liability of the sub-processor is limited strictly to its own processing activities as defined by these Clauses.
  4. The parties agree that data subjects may be represented by associations or other legal entities if the data subjects explicitly consent and if such representation is permitted under applicable national law.

Clause 4
Responsibilities of the Data Exporter

The data exporter commits and guarantees the following:

(a) The processing and transfer of personal data, both previously and ongoing, fully comply with all applicable data protection laws. Where required, the data exporter has informed the relevant regulatory authorities in its Member State and confirms that such processing does not breach local legal requirements.

(b) The data exporter has provided, and will continue to provide throughout the duration of data processing, clear instructions to the data importer to handle the personal data solely on behalf of the data exporter and strictly in line with applicable data protection laws and these Clauses.

(c) The data importer has given adequate assurances regarding the technical and organizational security measures outlined in Appendix 2 of this agreement.

(d) After reviewing applicable data protection requirements, the data exporter confirms that these security measures are suitably designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, especially during data transmission, and against any other unlawful processing. These measures reflect an appropriate level of security relative to the risks, the nature of the data, current technological standards, and implementation costs.

(e) The data exporter will actively ensure that these security measures are consistently adhered to.

(f) In cases involving special categories of data, the data exporter has notified or will notify the data subjects either before or promptly after the transfer that their personal information may be transferred to a third country that does not provide adequate data protection as defined by Directive 95/46/EC.

(g) The data exporter agrees to forward any notifications received from the data importer or any sub-processor under Clauses 5(b) and 8(3) to the relevant data protection supervisory authority, should the data exporter decide to proceed with or resume the transfer.

(h) Upon request by data subjects, the data exporter will provide a copy of these Clauses (excluding Appendix 2), a summary of the security measures, and any sub-processing agreements required by these Clauses. Commercially sensitive information may be redacted if necessary.

(i) The data exporter ensures that any sub-processing activities comply with Clause 11 and that sub-processors offer a level of protection equivalent to that provided by the data importer under these Clauses, safeguarding data subjects’ rights accordingly.

(j) The data exporter confirms it will uphold all obligations detailed in Clauses 4(a) through 4(i).

Clause 5
Responsibilities of the Data Importer

The data importer agrees and guarantees the following:

(a) Personal data will be processed exclusively on behalf of the data exporter, strictly following its instructions and the terms set out in these Clauses. If the data importer is unable to comply for any reason, it will promptly notify the data exporter. In such cases, the data exporter has the right to suspend data transfers and/or terminate the agreement.

(b) The data importer confirms that it is not aware of any legal restrictions under its applicable laws that would prevent it from meeting the data exporter’s instructions or fulfilling its contractual obligations. Should any changes in applicable law arise that could significantly impact the assurances and responsibilities under these Clauses, the data importer will inform the data exporter immediately. The data exporter may then suspend data transfers or end the agreement.

(c) Before commencing processing of the transferred personal data, the data importer has implemented the technical and organizational security measures detailed in Appendix 2.

(d) The data importer will promptly inform the data exporter of:

(i) any legally binding request by law enforcement or other authorities to disclose personal data, unless prohibited by law (e.g., to protect the confidentiality of an ongoing investigation);

(ii) any unauthorized or accidental access to the personal data;

(iii) any direct requests from data subjects, without responding to such requests unless authorized by the data exporter.

(e) The data importer will promptly and adequately respond to all inquiries from the data exporter regarding the processing of the personal data and will comply with recommendations from supervisory authorities related to the processing.

(f) Upon the data exporter’s request, the data importer will allow audits of its data processing activities covered by these Clauses. Such audits may be conducted by the data exporter or by an independent inspection body with qualified personnel, bound to confidentiality, and if relevant, agreed with the supervisory authority.

(g) The data importer will provide data subjects, upon request, with a copy of these Clauses or any sub-processing agreement, excluding commercially sensitive information if necessary. Appendix 2 will be replaced by a summary of the security measures if the data subject cannot obtain a copy from the data exporter.

(h) The data importer confirms that it has informed the data exporter and obtained prior written approval before engaging any sub-processors.

(i) The data importer guarantees that any sub-processor will carry out processing in compliance with Clause 11.

(j) The data importer will promptly send the data exporter a copy of any sub-processor agreement concluded under these Clauses.

Clause 6
Liability
  1. It is agreed by the parties that any data subject who incurs harm due to a breach of the obligations set forth in Clause 3 or Clause 11 by any party or sub-processor has the right to seek compensation from the data exporter for the damages suffered.
  2. In cases where the data subject cannot seek compensation from the data exporter for breaches committed by the data importer or its sub-processor as described in Clause 3 or Clause 11—because the data exporter has ceased to exist legally, disappeared, or become insolvent—the data importer acknowledges that the data subject may bring a claim directly against the data importer as if it were the data exporter. This is subject to the exception where a successor entity has taken over all legal responsibilities of the data exporter by contract or operation of law; in such cases, the data subject’s claim shall be enforceable against the successor.

The data importer cannot evade its responsibilities by attributing breaches to a sub-processor.

  3. If a data subject is unable to claim against either the data exporter or the data importer due to their disappearance, dissolution, or insolvency, the sub-processor agrees that the data subject may pursue claims against the sub-processor directly, but only in relation to the sub-processor’s own data processing activities under these Clauses. This is valid unless a successor entity has assumed all legal duties of the data exporter or data importer by contract or operation of law, in which case the claim may be directed at the successor. The liability of the sub-processor is strictly limited to its own processing actions under the Clauses.

Clause 7
Mediation and Jurisdiction
  1. The data importer agrees that if a data subject asserts their third-party beneficiary rights or seeks compensation for damages under these Clauses, the data importer will respect the data subject’s choice to:

(a) resolve the dispute through mediation conducted by an independent mediator or, if applicable, by the relevant supervisory authority;

(b) bring the dispute before the courts of the EU Member State where the data exporter is based.

  2. The parties acknowledge that the data subject’s selection of either mediation or judicial proceedings shall not affect their substantive or procedural rights to pursue other legal remedies available under national or international law.

Clause 8
Cooperation with Supervisory Authorities
  1. The data exporter commits to submitting a copy of this agreement to the relevant supervisory authority upon request or whenever required by the applicable data protection regulations.
  2. Both parties acknowledge that the supervisory authority is entitled to carry out audits of the data importer and any sub-processors. These audits shall be conducted under the same scope and conditions as those applicable to audits of the data exporter under the relevant data protection laws.
  3. The data importer agrees to promptly notify the data exporter if any legislation applicable to it or to any sub-processor restricts or prevents such audits as described in paragraph 2. In this event, the data exporter retains the right to take appropriate actions as outlined in Clause 5(b).

Clause 9
Applicable Law

These Clauses shall be interpreted and governed by the law of the EU Member State where the data exporter is based.

If that jurisdiction does not recognize third-party beneficiary rights, then the governing law shall be that of another EU Member State which does grant such rights.
The Parties hereby agree that, in such a case, the governing law shall be the law of Poland.

Clause 10
Amendments to the Agreement

The parties agree not to alter or amend these Clauses.

However, they may include additional provisions related to business matters if necessary, provided that such additions do not conflict with the terms of these Clauses.

Clause 11
Sub-processing
  1. The data importer must not delegate any processing activities carried out on behalf of the data exporter under these Clauses without obtaining prior written approval from the data exporter. If the data importer receives consent to subcontract, it shall ensure this is done through a written agreement with the sub-processor that binds the sub-processor to the same obligations as the data importer under these Clauses (or by having the sub-processor complete and sign Appendix 3). Should the sub-processor fail to meet its data protection responsibilities under such agreement, the data importer remains fully accountable to the data exporter for fulfilling those obligations.
  2. The written contract between the data importer and the sub-processor must include a third-party beneficiary clause as described in Clause 3, applicable in situations where the data subject cannot claim compensation under paragraph 1 of Clause 6 against the data exporter or data importer because these entities have disappeared, ceased to exist, or become insolvent without a successor entity assuming their legal obligations. The sub-processor’s liability shall be limited to its own processing activities under these Clauses.
  3. The data protection provisions related to sub-processing agreements referenced in paragraph 1 shall be governed by the laws of the Member State where the data exporter is located.
  4. The data exporter shall maintain a register of all sub-processing agreements made under these Clauses and notified by the data importer as required under Clause 5(j). This register must be updated at least annually and be accessible to the data exporter’s supervisory authority.

Clause 12
Obligations Following the End of Personal Data Processing Services
  1. Upon the conclusion of data-processing services, the data importer and any sub-processor shall, as directed by the data exporter, either return all transferred personal data and any copies to the data exporter or securely delete all such personal data and provide certification of deletion to the data exporter. This obligation applies unless the data importer is legally prohibited from returning or erasing some or all of the personal data. In such cases, the data importer guarantees to maintain the confidentiality of the personal data and to cease any further active processing of it.
  2. Upon request from the data exporter or the relevant supervisory authority, the data importer and sub-processor shall make available their data-processing facilities for inspection or audit concerning the measures described in paragraph 1.

Appendix 1

to the Standard Contractual Clauses

This Appendix is an integral part of the Clauses and must be duly completed and signed by the parties involved.

Member States may add or specify additional information to this Appendix as required by their national procedures.

Data Exporter
The data exporter is identified as:

A digital advertising agency that delivers relevant video advertising services to the data importer. This is done either through its own application or by leveraging the services of other advertising networks, agencies, publishers, SSPs, or DSPs.

Data Importer
The data importer is:

An ad network, agency, advertiser, or DSP that engages the data exporter to provide video advertising services as stipulated under the Agreement.

Data Subjects

The personal data transferred may relate to the following groups of individuals:

  • Digital media entities and data provided by third-party contractors as outlined in the primary Insertion Order
  • Users accessing the data exporter’s websites, applications, or other designated properties
  • Users of web and mobile platforms

Categories of Data
The transferred personal data may include the following types:
  • Internet Protocol (IP) addresses
  • User identifiers (IDs)
  • Device information (including device ID, brand, model, network type, and service provider)
  • Advertising context data (such as app or web page metadata, domain names, and content categories)
  • Contact details (e.g., legal entity information of media partners)
  • Cookie data
  • Approximate location data (e.g., country and city level)

Frequency of Transfer

Whether Data is transferred on an ongoing, or continuous basis.

Nature of Processing

The processing activities include collecting, recording, organizing, structuring, storing, adapting, restricting, erasing, and destroying personal data.

Purpose(s) of the Data Transfer and Further Processing

To develop improved business strategies and enhance competitive advantage.

Retention Period

Personal data will be retained for the duration.

Transfers to (Sub-)Processors

Details regarding the subject matter, nature, and duration of processing by any (sub-)processors will be specified separately.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Each Party shall ensure that it implements and maintains compliance with appropriate technical and organizational security measures for the Processing of the respective Data. Accordingly, each Party will implement the following measures:

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Measures for user identification and authorization.
  • Measures for the protection of data during storage.
  • Measures for internal IT and IT security governance and management.
  • Measures for the protection of data during transmission.
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing.