This Data Processing Agreement (“Data Processing Agreement” or “DPA”) entered into by and between Member (as defined under the Terms of Use (hereinafter referred to as “Client” or “you”) and Bucksense (as defined under the Terms of Use) (hereinafter referred to as “Bucksense”, “us” or “we”) forms an integral part of, and is subject to, Terms of Use Agreement (hereinafter referred to as “Terms of Use”).
Client and Bucksense are hereinafter jointly referred to as the “Parties” and individually as the “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Use. In the event of any conflict between this DPA and the Terms of Use, the terms of this DPA shall prevail.
This DPA only applies to the extent that the EU Data Protection Law applies to the Processing of Personal Data under this agreement, including if the Processing is carried out in the context of the activities of an establishment of either Party in the European Economic Area (“EEA”), and/or the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
“Controller” or “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Subject” means the individual to whom Personal Data relates, including End Users.
“End User” means the end user of an internet connected device, such as a visitor to a web page, a user of a mobile app, or a visitor on advertisement or campaign webpage.
“GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Personal Data” means any information relating to an identified or identifiable person as defined in Article 4.1 of the GDPR.
“Processing” (“Process”, “Processes” and “Processed”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Sub-Processor” means any Data Processor engaged by the Processor. “Services” means services provided by the Bucksense in accordance with the Terms of Use.
Under this DPA and with respect to Personal Data, Client is Data Controller or Processor and Bucksense is engaged by Client as Processor or another Processor Sub-Processor) in respect to Personal Data, as applicable. The terms of DPA shall apply to either of the relations between the Parties regarding the Processing of Personal Data mentioned herein.
Within the scope of this DPA, Client hereby engages Bucksense to collect, process and/or use Personal Data on Client’s behalf. Bucksense will only Process Personal Data on your behalf and in accordance with your instructions. The instructions from the Client to Process Personal Data are the following: (i) Processing shall be carried out in accordance with this DPA, the Terms and Conditions and pursuant to the features and limitations of the applicable Services which Bucksense provides to Client; and (ii) Processing shall be carried out in compliance with other reasonable instructions provided by the Client, where such instructions are onsistent with the Terms of Use. Processing outside the scope of this DPA (if any) will require prior written agreement between Client and the Processor, and Client’s additional instructions for processing. Bucksense will be under no obligation to comply with instructions that Bucksense deems as violating applicable laws.
Bucksense uses the Personal Data solely to provide the Services in accordance with Terms of Use, in order to perform tracking services/serve End Users with interest–based advertising, as well as to measure the effectiveness of advertising campaigns and provide you with advertising reports. In that context, Bucksense – on your demand – may also combine Personal Data from different sources in order to improve Services and integrate Services with external platforms, all of which will be conducted on your behalf. Bucksense also processes Personal Data on your behalf and to serve your interests for the purposes of fraud prevention, bot detection, rating, analytics, viewability, ad security services. Bucksense may also process data based on the extracts of Personal Data in aggregated and non-identifiable forms, including for the purposes of testing, development, control and operation of the Services.
Bucksense may process the following information on your behalf: IP addresses, language information, session-based browsing behavior, header information, End User’s device-related data (type or model), operating system, carrier providing communication services to such device, geographical location, cookies, advertising identifiers, as well as other information we may receive from you or from third parties engaged by the Bucksense on your behalf, such as user’s interest’s information.
Without derogating from any of the obligations of the Client hereunder, the Client shall not provide Bucksense with any data regarding children, or any special categories of personal data, as defined under Article 9 of the GDPR, except as may otherwise be expressly agreed in writing between the Parties and in accordance with the applicable law.
Client is responsible for ensuring their own compliance with various laws and regulations, including the GDPR. To the extent required under the applicable law, you shall provide an appropriate notice to Data Subjects about the Processing of their Personal Data in connection with the use of Services under this DPA and under the End User Privacy Policy, and you shall receive and document the Data Subjects’ consent thereof to the extent required under the applicable law.
To the extent required under the applicable law, Client must also use commercially reasonable efforts to ensure that the End User is provided with clear and comprehensive information about cookies or other information on the End User’s device in connection with the use of Services by the Client and, if applicable, consents to their storing and accessing. To the extent required under the applicable law, Client shall inform the End User about third party cookies or other tracking technologies which may be placed on Client’s sites, specifying the purpose of these cookies and the type of data collected on the Client’s sites. Client shall also insert in its privacy policy a link to the Bucksense’s End User Privacy Policy and when legally compulsory, appropriate notice, consent and choice mechanisms that comply with relevant laws and regulations, including GDPR.
The Client acknowledge and agree that you retain sole responsibility for the lawfulness of the Processing and warrant to Bucksense that you are legally allowed to engage Bucksense to process Personal Data on your behalf, have provided all necessary notices and obtained all required consents from the Data Subjects (if apply) for the purposes of the Processing described in this DPA.
Bucksense shall provide Client, to the extent required by law, with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted. Bucksense shall notify Client via e-mail if he receives a request from a Data Subject in the subject of access to, correction, amendment, deletion of or objection to the processing of that Data Subject’s Personal Data.
Bucksense reserves the right to charge additional fees in relation to the cooperation with the Client in regard to DPA.
Pursuant to Article 28, Section 3(c) of the General Data Protection Regulation, the Bucksense shall take the measures required by the Article 32 of the GDPR.
Bucksense shall provide sufficient guarantees of implementation of the appropriate technical and organizational measures in a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subject. Bucksense shall ensure that its personnel engaged in the Processing of Personal Data is informed of the confidential nature of the Personal Data, has received appropriate training on their responsibilities and is subject to obligations of confidentiality.
Bucksense shall ensure that access to Personal Data is limited only to those members of personnel who require that access in order to fulfil Bucksense’s obligations under the Terms of Use
Client authorizes Bucksense to appoint Sub-Processors in order to provide the Services.Bucksense may continue to use the Sub-Processors already engaged according to this DPA. A full list of such Sub-Processors is available upon the Client’s written request directed to the Bucksense.
Client hereby authorize the to subcontract the Processing to the Sub-Processors based outside of the European Economic Area (EEA) to the extent necessary to duly perform the Service(s), under the condition that the Sub-Processors will provide sufficient guarantees in relation to the required level of data protection, e.g. through a Privacy Shield certification according to the EU Commission Decision 2016/1250, or a subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC or GDPR (the “Model Contract Clauses”), or based on other applicable transborder data transfer mechanisms.
If Bucksense becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to any Personal Data transmitted, stored, or otherwise Processed on Bucksense’s equipment or in Bucksense’s facilities (“Security Breach”), Bucksense will promptly notify the Client of the Security Breach; investigate the Security Breach and provide Client with all relevant information about the Security Breach; and take all commercially reasonable steps to mitigate the effects and minimize any damage resulting from the Security Breach.
To the extent that the applicable law requires you to be in a position to monitor the adequate Processing of Personal Data, you as the Client have the right to request an audit from the Bucksense to the extent necessary to review whether we as the Bucksense and our Sub-Processors are compliant with the any provisions of the Law, the terms of this DPA, and Client’s instructions.
If a verification is required by law and if the requirements can not be met by the provision of a certification, the Client can conduct, either alone or through an independent third party contractor selected by the user at his expense, a verification at the office of Bucksense.The audit will be scheduled in writing with Bucksense at least 30 days in advance and will be performed once a year at the latest. The Client will bear all costs and will assume responsibility for the verification and for any damages caused as a result and any control activity on the information systems of the suppliers of Bucksense will be planned and agreed with the suppliers. The Client will maintain the results of the audit in absolute confidentiality, use them exclusively for the specific control purposes and will not use the results for any other purpose, nor share them with third parties without explicit prior written confirmation of Bucksense. If you need to disclose the results of the audit to a competent authority, you will provide a written communication to Bucksense explaining the details and need for disclosure.
Client authorizes Bucksense to retain Personal Data for a period of 3 months from the date of its collection on Client’s behalf and for the purpose of serving its interests, including for fraud prevention, ad security services, reporting services, complaints or chargebacks handling. This data may be deleted from the Bucksense’s servers after this retention period and/or after the termination of Terms of Use or earlier, at your written request.
Client shall indemnify and hold Bucksense, its officers, directors, employees, contractors, and agents harmless from and against all claims, liabilities, administrative fines, suits, judgments, actions, investigations, settlements, penalties, fines, damages and losses, demands, costs, expenses, and fees including reasonable attorneys’ fees and expenses, arising out of or in connection with any claims, demands, investigations, proceedings, or actions brought by data subjects, legal persons (e.g., corporations and organizations), or supervisory authorities under the data protection laws that apply to Bucksense in respect of processing of Personal Data on behalf of Client through Services.
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Terms of Use.
The DPA shall be governed by and interpreted in accordance with the laws of the State of New York. Any dispute arising out of or in connection with this DAP is hereby submitted to the sole and exclusive jurisdiction of the competent court of the State of New York.