ANNEX I – Data Protection Agreement
SPIDER AF is the processor, and the CLIENT is the controller. This document is for compliance with the requirements of Article 28 of the GDPR, to which the CLIENT is obliged.
- For the purpose of interpretation of this Agreement, the definitions set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (“Regulation” or “GDPR”) shall apply.
- Notwithstanding, these terms and expressions shall have the following meaning:
- ‘Law’ or ‘applicable law’ shall mean the legislation of the European Union or of a Member State relating to Privacy and Protection of personal data applicable to the Parties;
- ‘processor’ shall mean the SPIDER AF, which corresponds to the entity which, as data processor, processes the personal data on behalf of the Controller, under contract with the Controller;
- ‘Controller’ shall be understood as the CLIENT, which corresponds to the entity that determines the purposes and means of the processing of personal data and on behalf of whom the SPIDER AF processes the personal data for the performance of specific processing operations of personal data under the Contract;
- ‘Further processor’ shall mean a processor that in the context of services contracted and provided to the SPIDER AF under the Contract performs specific personal data processing operations on behalf of the Controller, in accordance with the instructions of the latter, the conditions provided for in the contractual documents and the conditions set out in the present Agreement;
- ‘CLIENT’ shall mean a company which contracts the services provided by SPIDER AF.
- The purpose of this Agreement is to authorize and govern the processing of personal data by the SPIDER AF, as processor, in relation to the personal data for which the CLIENT is the data controller.
- The purpose of said processing of personal data on behalf of the CLIENT is to enable the SPIDER AF to comply with the obligations of the Contract, namely, for the purposes of use of an ad fraud prevention tool.
- By this Agreement, the CLIENT shall determine the scope, purposes and how the SPIDER AF may process personal data under the Contract and this Agreement.
- The processing operations will concern the personal data of the following data subjects:
- users;
- potential clients;
- clients;
- The SPIDER AF shall carry out the processing operations, better identified in Clause 5, of the following categories of personal data:
- IP, browser information, ad specific information, device information, timestamp;
- email, name, company name, title;
- API tokens or accesses to other third party services;
- The following special categories of personal data will be subject to processing by the SPIDER AF:
Racial origin | YES ☐ | NO ☒ |
Ethnic origin | YES ☐ | NO ☒ |
Political opinions | YES ☐ | NO ☒ |
Religious beliefs | YES ☐ | NO ☒ |
Philosophical beliefs | YES ☐ | NO ☒ |
Trade union membership | YES ☐ | NO ☒ |
Genetic data | YES ☐ | NO ☒ |
Biometric data | YES ☐ | NO ☒ |
Data concerning health | YES ☐ | NO ☒ |
Data concerning a natural person's sex life | YES ☐ | NO ☒ |
Data concerning a natural person's sexual orientation | YES ☐ | NO ☒ |
- The categories of personal data identified in Clause 4 will be processed by the SPIDER AF on behalf of the CLIENT solely and exclusively for the purpose of carrying out the following data processing operations:
- The operation / set of operations on the personal data identified in Clause 4 is carried out:
By automated means | YES ☒ | NO ☐ |
Not by automated means | YES ☒ | NO ☐ |
- Identify the operations that will be carried out on the personal data identified in Clause 4:
Collection | YES ☒ | NO ☐ |
Recording | YES ☒ | NO ☐ |
Organisation | YES ☒ | NO ☐ |
Structuring | YES ☒ | NO ☐ |
Storage | YES ☒ | NO ☐ |
Adaptation | YES ☒ | NO ☐ |
Alteration | YES ☒ | NO ☐ |
Retrieval | YES ☒ | NO ☐ |
Consultation | YES ☐ | NO ☒ |
Use | YES ☒ | NO ☐ |
Disclosure by transmission | YES ☒ | NO ☐ |
Dissemination | YES ☐ | NO ☒ |
Otherwise making available | YES ☐ | NO ☒ |
Alignment | YES ☒ | NO ☐ |
Combination | YES ☐ | NO ☒ |
Restriction | YES ☒ | NO ☐ |
Erasure | YES ☒ | NO ☐ |
Destruction | YES ☒ | NO ☐ |
Others | YES ☐ | NO ☒ |
- The data processing operations identified in this Clause do not preclude other operations that may be indicated in accordance with the execution of the contracted services and under the terms of this Agreement.
- Notwithstanding the instructions provided by CLIENT and its contractual obligations, SPIDER AF, within the scope of the execution of the Contract and the practices and uses of its industry, is authorized to exercise its own discretion in the selection and use of the means it deems necessary to pursue the object of the Contract, in accordance with this Agreement.
- CLIENT undertakes to:
- Allow access and/or make the personal data available to SPIDER AF in order to fulfil and execute the Contract, in compliance with this Agreement;
- Communicate its instructions concerning the processing operations to be carried out through a written notice;
- Maintain the lawful conditions on which the processing of personal data is based;
- Comply with its transparency obligations before the data subjects;
- Keep the personal data up-to-date;
- Comply with its legal obligations, in accordance with the applicable law;
- Keep a record of all processing activities under its responsibility, in which it shall keep all information required by the applicable legislation;
- Inform SPIDER AF of any request for exercising rights and/or complaints lodged regarding personal data SPIDER AF is processing on behalf of CLIENT;
- CLIENT, directly or indirectly, has the right to audit the quality of the processing of personal data carried out by SPIDER AF, namely, to check whether the personal data:
- Are being processed according to its instructions;
- Are being processed in compliance with the applicable legislation; and
- Are covered by the implementation of all technical and organizational measures adequate for data protection.
- SPIDER AF undertakes to:
- Process only the identified personal data, as well as those collected during the execution of the provided services, solely and exclusively in accordance with the purposes of the Contract and this Agreement;
- Assure that access to personal data is limited to those of its employees who need access to those personal data, according to that need, and who undertake, expressly and in writing, to guarantee confidentiality and to comply with the implemented security measures;
- Maintain confidentiality and duty of secrecy towards all personal data to which it has access through this Agreement, even after its termination;
- Not use the personal data, which processing was entrusted to it, for purposes other than those that were clearly and explicitly identified in the Contract and/or in this Agreement, namely, not using them for its own purposes;
- Inform CLIENT of the existence of any request for the exercise of rights and/or complaints lodged regarding the personal data it processes on behalf of CLIENT, working together with CLIENT in responding to such requests for the exercise of rights by data subjects;
- Carry out data protection impact assessments on its processing activities and provide collaboration to the data protection impact assessments that the CLIENT carries out;
- Cooperate with supervisory authorities whenever notified to do so, and inform CLIENT of these obligations, unless the legislation explicitly states any hindrance or prohibition to the sharing of that information.
- In the event that the SPIDER AF considers that any of the CLIENT's instructions violate data protection legislation or any other legal provision, the SPIDER AF shall inform the CLIENT in writing, and may refuse to comply with said instruction, without such refusal constituting a breach of the Contract and/or Agreement.
- SPIDER AF may store personal data on behalf of the CLIENT only during the Contract’s duration.
- After the abovementioned period ends, SPIDER AF shall act in compliance with Clause 21 of this Agreement.
- The technical and organisational measures necessary to protect personal data shall offer an adequate level of security in regard to the risks that the processing represents, taking into account the state of the art and nature of the data that must be protected, and are better explained in Appendix 1 (“Minimum Security Requirements”) of this Agreement. SPIDER AF shall guarantee the minimum safety requirements.
- The technical and organisational measures shall protect all data against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Notwithstanding Appendix 1, the SPIDER AF shall maintain an information security plan, which ensures in particular:
- The ability to ensure the ongoing confidentiality, integrity, availability of processing systems and services;
- The permanent resiliency of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing;
- The possibility of pseudonymisation and encryption of personal data.
- The technical and organizational measures that must be listed in the abovementioned information security plan and that must be applied to the processing operations and personal data include, namely, those destined to:
- Control over who enters the facilities, through measures that prevent access from an unauthorized person into the facilities being used;
- Control data mediums, through measures that prevent the reading, copying, modification or withdrawal of the mediums by an unauthorized person;
- Prevent unauthorized data entries, as well as prevent unauthorized people from knowing, changing or deleting any computer data;
- Control the use, preventing unauthorized people from using the information systems;
- Measures that guarantee that authorized people can only access data for which they have permission to access;
- Guarantee that the people or entities to whom the computer data can be transferred to are verified;
- Prevent data from being read, copied, changed or deleted in an unauthorized way, either when they are being transmitted or during the transportation of the data medium.
- SPIDER AF shall implement the technical and organisational measures necessary for an efficient computer system and hardware protection against, namely, viruses, worms, Trojan horses and spyware and other malicious software.
- When, in fulfilment of its obligation under this Clause (3)(d), SPIDER AF updates or improves the technical and organisational measures implemented to ensure the security of the processing in order to stay compliant with the established requirements, SPIDER AF must inform CLIENT in writing of such updates and/or improvements within seventy-two hours after their implementation.
- CLIENT may, when it finds fitting or under its own criteria, request from SPIDER AF to demonstrate compliance with the obligations under this Clause, namely, the minimum requirements listed in Appendix 1.
- The SPIDER AF shall inform the CLIENT within forty-eight (48) hours of becoming aware of any security incident, whether or not in attempted form, and/or any personal data breach, using by default the notification form which follows as Appendix 2 ("Security Incidents and personal data breaches notification").
- This Clause’s obligations do not affect any legal obligation, namely, within the scope of information security and cybercrime.
- Any disclosure of personal data that may occur is prohibited, with the exception of:
- Communications of personal data instructed by CLIENT;
- When in compliance with the fulfilment of both Parties’ legal obligations;
- Other processors engaged by SPIDER AF, when within the terms under Clause 15; and,
- In the cases set out by the legislation.
- SPIDER AF will carry out personal data processing operations that will involve transfers outside the European Economic Area, namely to Japan under the Commission Implementing Decision (EU) 2019/419, of 23 January 2019, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information (EUR-Lex - 32019D0419 - EN - EUR-Lex).
- Here must be regarded, namely, the personal data stored in servers located outside the European Economic Area.
- Regarding International Data Transfers, the Parties must comply with the Standard Contractual Clauses that can be found below.
- The SPIDER AF can subcontract its obligations without the express written authorization of the CLIENT and will impose the same data protection obligations as set out in this Agreement, legislation and best practice on that Further Processor.
- The SPIDER AF shall make available to the CLIENT all documentation and information that may be required and, if necessary, access to its facilities where processing operations take place, to demonstrate compliance with the obligations set out in this Agreement and in the legislation, namely in the event of an audit and at the request of the CLIENT.
- SPIDER AF shall ensure access to the necessary documentation and, when necessary, to its facilities where the processing operations are carried out, as well as, to any of SPIDER AF’s workers involved in the data processing.
- The SPIDER AF is responsible for ensuring that its processors comply with the obligation set forth in the present Clause, guaranteeing that all necessary steps will be taken for that purpose.
- Pursuant to the provisions of Clause 7 (1) (h) of this Agreement and in order to exercise the rights provided for in the GDPR and/or applicable law through appropriate technical and organisational measures, the SPIDER AF shall, as the case may be, comply with its obligation (i) to respond to requests from data subjects to exercise the rights provided for in the GDPR, or, (ii) to collaborate with the CLIENT in responding to requests from data subjects to exercise such rights.
- The exercise of rights by the data subjects must be done through a written notice for that purpose.
- In accordance with the Contract, this Agreement shall become effective as of the date on which both Parties have signed it and shall have an identical duration to the Contract.
- With regard to this Agreement’s term, what is set in the Contract shall apply.
- With the Contract’s termination or term SPIDER AF shall return or delete all personal data in compliance with Clause (21) of this Agreement.
The User agrees in advance that Spider Labs may suffer irreparable damage as a result of a breach of these Terms, and accordingly, in addition to monetary damages and other remedies under the law, Spider Labs shall be entitled to seek specific performance or injunctive relief as a remedy for a breach or threatened breach of these Terms without providing a guarantee or other security, or presenting a ground for the damage.
- SPIDER AF is only liable for damages caused by the processing when:
- It has failed to comply with obligations under the law directly applicable to it; or
- It has not followed the lawful instructions of the controller.
- SPIDER AF’s liability is limited, regardless of the risks that may be covered by any insurance that SPIDER AF might have taken out.
- With the Contract’s term and/or termination, SPIDER AF shall return, or delete, as instructed by CLIENT, all personal data under its possession.
- The abovementioned obligation concerns all data mediums where data is stored.
- In case CLIENT instructs SPIDER AF to delete all data, SPIDER AF must give proof that a certified enterprise has attested to the data and/or data storage support erasure.
- In case CLIENT instructs SPIDER AF to return all data, SPIDER AF must provide a written statement in which it declares:
- It has deleted all personal data;
- Identifies which personal data were returned;
- In which data mediums the personal data were stored;
- Which format and/or formats will be used to return the data; and,
- It no longer has any data under its possession.
- If CLIENT happens not to instruct SPIDER AF in compliance with terms and conditions of this Clause, SPIDER AF shall have thirty (30) days after the term or termination of the Contract and/or this Agreement to delete all data and/or the support in which they are stored, stating in writing the certified enterprise’s certificate that attests to the erasure of said data and/or supports.
- SPIDER AF is responsible for ensuring compliance with this Clause next to its data controllers, ensuring, as of now, to conduct all necessary diligences for this matter.
- This Clause does not apply to any documentation necessary for compliance with legal, judicial and/or administrative obligations and provisions SPIDER AF is bound by.
- In case of any Act of God or Force Majeure, the Parties are exempt from fulfilling the obligations laid down in this Contract.
- Unless physically impossible, the affected Party shall inform the other Party through a written notice within five (5) days, about the event, specifying its underlying causes, possible duration and consequences to the execution of the Contract.
- If conditions remain unchanged for thirty (30) days after the notice, any Party may terminate the Contract, with immediate effect, through a written notice to the other Party.
- In the event that the SPIDER AF uses the data for purposes other than those indicated, it will be considered for all purposes as the controller, guaranteeing the CLIENT against any and all claims by the data subjects.
- The abovementioned number does not interfere with any civil or criminal liability, on behalf of SPIDER AF, whether before CLIENT or before the data subjects.
- This Agreement prevails over any contrary provisions laid down in the Contract.
- The following shall form an integral part of this Agreement:
- Schedule 1 (“Minimum Security Requirements”).
- This Agreement, in conjunction with the abovementioned Schedule and the Standard Contractual Clauses, makes up the full Agreement between both Parties and any change, modification or addendum to it will not produce any legal effects unless made in a written document signed by both Parties.
- This Agreement must be interpreted in compliance with the Contract.
- If any Party fails to exercise any of its rights, this will not, and should not, be perceived as a waiver of such right.
- This Agreement shall be governed by the laws of Portugal.
- Both Parties agree that, in case a dispute arises from this Agreement and cannot be resolved amicably, it will be settled by the competent court of law in Porto, expressly renouncing any other.