Personal Data Processing Agreement
Processing of Personal Data for the Purpose of Company Services
1. General Obligations
The Parties agree to perform the service in compliance with applicable data protection laws, particularly the General Data Protection Regulation (GDPR).
Each Party is responsible for processing the personal data of the other Party’s personnel as part of the execution of this Agreement. In this regard, each Party ensures that its employees consent to the transmission of their personal data to the other Party or its duly authorized representatives, in accordance with applicable legal provisions.
2. Independent Data Controllers for the Use of internet users’ browsing information
The Parties acknowledge full awareness of their obligations under the applicable Personal Data Regulations as independent Data Controllers for the operations they each perform independently, in relation to their respective activities and processing of Personal Data.
Each Party guarantees to the other that it will comply, individually and separately, with the applicable Personal Data Regulation and will assume all responsibilities and obligations associated with its role as Data Controller under this IO unless one of these obligations is expressly assigned to the other Party in this IO. The Parties expressly agree that compliance with the Personal Data Regulation is an essential and determining condition of their engagement.
The Parties undertake to comply with the applicable Personal Data Regulation concerning transfers of Personal Data outside the European Economic Area, implement the required safeguards, and obtain any necessary prior authorizations, where required by local legislation and/or the competent Supervisory Authority.
It is expressly agreed that each Party, as a distinct and independent Data Controller, remains solely responsible for its own processing of Personal Data, for which it alone determines the purposes and means under this Agreement.
Each Party ensures that all required formalities with the competent authorities concerning its processing of Personal Data have been completed. Each Party undertakes to implement all necessary technical and organizational security measures to ensure the confidentiality and security of the Personal Data it processes as an independent Data Controller.
Each Party remains responsible for notifying the competent Supervisory Authority of any Personal Data Breach or security incident related to its processing of Personal Data. The Parties further agree to promptly take all appropriate corrective measures to address the causes of such a breach.
Where applicable, each Party agrees to cooperate with the other in fulfilling any legal, judicial, or administrative formalities (e.g., notification to the Supervisory Authority, notification to the affected individuals, filing of complaints, legal actions, etc.) required under this Agreement, including by providing any necessary information for this purpose.
3. Joint Controllers for Cookie Processing
This joint responsibility is limited to establishing the legal basis and managing user rights within the normative standards set by the IAB TCF policies by querying and respecting the data collected by the Partner’s Consent Management Platform (CMP).
Under this joint responsibility, the Partner undertakes to:
(i). Inform users of the use of third-party partners and the collection and use of data.
(ii). Include, where legally required, a link to its Privacy Policy and provide users with appropriate mechanisms for information and choice, in compliance with applicable laws and regulations. Implement a CMP to collect and store valid user consent and demonstrate that such consent was obtained, in compliance with applicable law and the IAB TCF. The Partner shall ensure that each applicable technical solution is updated as necessary to comply with developments in applicable personal data protection regulations and technical specifications.
(iii). Ensure that the collected data may be used and shared for the purposes specified herein, including ensuring that users are provided with legal and appropriate choice mechanisms and that they can exercise their rights accordingly.
(iv). Provide users with easily accessible and user-friendly conditions for withdrawing their consent.
(v). Manage requests related to data subject rights, including the right to access, rectify, erase, and restrict processing, ensuring that Company is informed and involved where necessary.
(vi). Ensure that data subjects can contact the Partner with any questions or requests concerning their personal data at the email address of its DPO, provided on its Properties.
The Parties expressly agree that any penalty or ruling issued by a court or Supervisory Authority against one Party due to that Party’s failure to meet its obligations under this Agreement or the Personal Data Regulation shall not apply to or be transferred to the other Party.