ADFOX Data Processing Agreement

By using opt-in check-box or by continuing the use of the ADFOX Service you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "GDPR"). You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.

This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018 (“DPA Effective Date”).

This DPA is an addition to the ADFOX Agreement regulating provision of the Processor Services (“Agreement”). In the event of a contradiction between these clauses and the terms of the Agreement, the terms and conditions under this DPA shall prevail.

This DPA is entered into by Yandex and Client and supplement the Agreement. This DPA will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the DPA Effective Date till the termination date of the Agreement or till the date the Client ceases to use Processor Services or till deletion of all Client Personal Data by Yandex as described in this DPA.

If you are accepting this DPA on behalf of the Client, you warrant that: (a) you have full legal authority to bind Client to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the Client, to this DPA.

1. Introduction

This DPA reflect the parties’ agreement on the terms governing the processing and security of Client Personal Data in connection with the Data Protection Legislation and in connection with provision of the Processor Services by Yandex to the Client and Client’s use of the Additional Products.

2. Definitions

2.1. In this DPA:

Additional Product” means a product, service or application (including but not limited to advertising code or counter) provided by Yandex or a third party that: (a) is not part of the Processor Services; and (b) is accessible for use within the Client interface of the Processor Services or is otherwise integrated with the Processor Services.

Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

Client Personal Data” means personal data that is processed by Yandex on behalf of Client in Yandex’s provision of the Processor Services or Client Personal Data processed by the Third Party Subprocessors when providing Additional Products.

Data Protection Legislation” means, as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland), and/or (c) any other law, statute, regulation or legislative act applicable to the Client Personal Data Processing.

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Yandex” means Yandex Group company that is the party to the Agreement.

Processor Services” means the ADFOX services provided by Yandex according to the Agreement, in particular, related to the management of placement of advertising by the Client or third parties on Client’s resources in the Internet, provision of statistics related to such services, but without limitation of the foregoing.

Subprocessors” means third parties authorised to have logical access to and process Client Personal Data in order to provide any Additional Product.

Third Party Subprocessors” has the meaning given in Section 9.1.

2.2. The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.

3. Application of this DPA

3.1. This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Client Personal Data, including if:

(a) the processing is in the context of the activities of an establishment of Client in the European Economic Area; and/or

(b) Client Personal Data is personal data relating to data subjects who are in the European Economic Area and the processing relates to the managing of placement of advertisement by the Client or third parties served to such data subjects as allowed by the capabilities of the Processor Services, offering to them of goods or services or the monitoring of their behaviour in the European Economic Area.

3.2. This DPA will only apply to the Processor Services for which the parties agreed to this DPA, in particular: (a) the Processor Services for which Client clicked to accept this DPA; or (b) if the Agreement incorporates this DPA by reference, the Processor Services that are the subject of the Agreement; or (c) if the text of this DPA was communicated to the Client by other means (including but not limited to via email or via the Client interface of the Processor Services). This Agreement will also apply to the processing of Client Personal Data where the Client uses Additional Product.

4. Processing of Data

4.1. The parties acknowledge and agree that:

(a) this DPA describes the subject matter and details of the processing of Client Personal Data;

(b) Yandex is a processor of Client Personal Data under the Data Protection Legislation;

(c) Client is a controller or processor, as applicable, of Client Personal Data under the Data Protection Legislation; and

(d) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Client Personal Data.

If Client is a processor, Client warrants to Yandex that Client’s instructions and actions with respect to Client Personal Data, including its appointment of Yandex as another processor, have been authorised by the relevant controller.

4.2. The Client understands that the Processor Services are aimed to provide the Client with an opportunity of (i) managing of placement of advertisement by the Client or third parties served to the data subjects (users of the Internet) and (ii) providing Client with statistical data of the Client’s use of the Processor Services. For this purpose, Yandex will process Client Personal Data as instructed by the Client via Client interface of the Processor Services, including but not limited to the cases where the Client engages with the third party Subprocessor providing Additional Product (e.g. third-party advertising network or web-counter allowing the Client to track the statistics of placement of advertising), where the processing of the Client Personal Data would be required for the Client to use such Additional Product. Therefore the Client declares that the Client exclusively processes Client Personal Data for the purpose purposes described above.

4.3. Client Personal Data may include the IP-addresses or other data which is determined by the Client via Client interface of the Processor Services or when using Additional Product.

4.4. Client Personal Data will concern the following categories of data subjects: (a) data subjects about whom Yandex collects personal data in its provision of the Processor Services; and/or (b) data subjects about whom personal data is transferred to Yandex in connection with the Processor Services or Additional Products by, at the direction of, or on behalf of Client. Depending on the nature of the Processor Services, these data subjects may include individuals: (a) to whom advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Yandex provides the Processor Services; and/or (c) who are Clients or users of Client’s products or services.

4.5. By entering into this DPA, Client instructs Yandex to process Client Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Client’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Client and acknowledged by Yandex as constituting instructions for purposes of this DPA.

4.6. Yandex will comply with the Client’s Instructions (“Client’s Instructions”) unless applicable law requires other processing of Client Personal Data by Yandex, in which case Yandex will inform Client (unless that law prohibits Yandex from doing so on important grounds of public interest).

4.7. If Client uses any Additional Product, the Processor Services may allow that Additional Product to access Client Personal Data as required for the interoperation of the Additional Product with the Processor Services.

4.8. Yandex may transfer the Client Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation and such transfer is required for the purposes of provision of the Processor Services.

5. Data Protection.

5.1. Yandex shall implement all technical and organizational security measures as required under Art. 32 GDPR. Yandex may also (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 GDPR is met, and that (b) copies of the Client Personal Data, in particular backup copies, aggregated data and cached copies are required to provide the Processor Services. Yandex is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. Yandex will document significant changes.

5.3. Yandex shall only entrust personnel with the Processing of Client Personal Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.4. Yandex shall immediately inform the Client of any relevant violations of any Data Protection Legislation or the provisions determined in this DPA by Yandex or any person contracted Yandex insofar as the violation is connected to the Processing of Client Personal Data pursuant to this DPA.

6. Assistance and Cooperation.

6.1. Taking into account the nature of the Processing, Yandex shall assist Client with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to requests for exercising the data subject's rights laid down in the GDPR. Yandex shall assist Client in ensuring compliance with the obligations set by the GDPR taking into account the nature of Processing and the information available to Yandex.

6.2. If Yandex receives a request from a data subject in relation to Client Personal Data, Yandex will respond directly to the data subject’s request in accordance with the standard functionality of that tools used to process such request, or advise the data subject to submit his/her request to Client, and Client will be responsible for responding to such request. The Client will also provide all reasonable and timely assistance to Yandex, to enable Yandex to respond to: (i) supervising authorities or data subjects’ requests to exercise any of the data subjects’ rights under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from the data subject (or on the data subject’s behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of the Client Personal Data under this DPA.

6.3. The parties agree that each party will (taking into account the nature of the processing and the information available to Yandex) assist the other party in ensuring compliance with any obligations of each party in respect of data protection impact assessments and other compliance with Data Protection Legislation.

7. Data Deletion

7.1. During the term of the DPA, if the functionality of the Processor Services does not include the option for Client to delete Client Personal Data, then Yandex will comply with any reasonable request from Client to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless applicable law requires storage.

7.2. On expiry of the Term, Client shall instruct Yandex to delete all Client Personal Data (including existing copies) from Yandex’s systems in accordance with applicable law. Yandex will comply with this instruction as soon as reasonably practicable and within a maximum period of one hundred eighty (180) days, unless applicable law requires storage.

8. Client’s Security Responsibilities and Assessment.

8.1. Client agrees that, without prejudice to Yandex’s obligations under Section 5:

(i) making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Client Personal Data; and

(ii) securing the account authentication credentials, systems and devices Client uses to access the Processor Services; and

(iii) engaging with any Third Party Subprocessors providing the Client with any Additional Product, including entering into respective data processing agreements, and

(b) Yandex has no obligation to protect Client Personal Data that Client elects to store or transfer outside of Yandex’s and its Subprocessors’ systems.

8.2. Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Client Personal Data as well as the risks to individuals) the security measures implemented and maintained by Yandex as set out in Section 5 provide a level of security appropriate to the risk in respect of Client Personal Data.

8.3. Yandex shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client. The following requirements apply to any audit: (i) the Client must give a minimum ninety (90) days’ notice of the intention to audit; (ii) the Client may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least thirty (30) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Client; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) the Client shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than Client’s relationship manager) incurred in supporting any audit. For the avoidance of doubt, nothing in this DPA will require Yandex either to disclose to Client or its third party auditor, or to allow Client or its third party auditor to access: (i) any data of any other Client of Yandex or Yandex Affiliate; (ii) any Yande’s or Yandex Affiliate’s internal accounting or financial information; (iii) any trade secret of Yandex or Yandex Affiliate; (iv) any information that, in Yandex's reasonable opinion, could: (a) compromise the security of any Yandex or Yandex Affiliate’s systems or premises; or (b) cause Yandex or any Yandex Affiliate to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to Client or any third party; or (v) any information that Client or its third party auditor seeks to access for any reason other than the good faith fulfilment of Client’s obligations under the Data Protection Legislation.

9. Subprocessors

9.1. Client specifically authorises the engagement of Yandex’s Affiliates as Subprocessors (“Yandex Affiliate Subprocessors”). In addition, Client generally authorises the involvement of any other third parties as Subprocessors (“Third Party Subprocessors”), in particular where such third party provides the Client with Additional Product. In the latter case it is Client’s responsibility to enter into respective data processing agreement with such Third Party Subprocessor and allow involvement of such Subprocessore into the processing of Client Personal Data subject to this DPA.

9.2. When engaging any Subprocessor (except for the Third Party Subprocessor), Yandex will ensure that the Subprocessor only accesses and uses Client Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and Data Protection Legislation; and that Yandex remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor.

9.3. Client may object to any Subprocessor by terminating this DPA and the Agreement immediately upon written notice to Yandex, on condition that Client provides such notice within ninety (90) days of becoming aware of the engagement of the new Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Subprocessor.

10. Liability

10.1. The Client guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by the Client and the Client agrees that it will be responsible for all costs associated with its compliance of such obligations. The Client is responsible and liable for its acts and omissions under this DPA.

10.2. The Client will defend, indemnify and hold Yandex, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by the Client to comply with the requirements under this DPA.

11. Effect of this DPA

11.1. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, subject to the certain exceptions provided by this DPA, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.

11.2. This DPA will not affect any other separate data processing agreement between Yandex and/or its Affiliate and the Client in respect of any data processing arising out of the agreements other than the Agreement.

12. Changes to this DPA

12.1. Yandex may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of the Client Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex Processing of the Client Personal Data; and (iii) otherwise have a material adverse impact on Client’s rights under this DPA, as reasonably determined by Yandex. Before changes will take effect Yandex informs Client at least thirty (30) days in advance (or shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting Client via the Client interface. If Client objects to any such change, Client must terminate the DPA and the Agreement (unless the Agreement could be performed in the remaining part without existence of this DPA) and stop using the Processor Services under the Agreement. Yandex shall be entitled not to notify Client about editorial changes.

Date: 25.05.2018