AUDIENCE DATA PROCESSING AGREEMENT (DPA)
Agreement on Contracted Data Processing for clients by and between Yandex Oy Limited Company - Moreenikatu 6, 04600 Mantsala, Finland (“Yandex”)
By using opt-in check-box you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "GDPR"). You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.
This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018.
If you are accepting this DPA on behalf of the Client, you warrant that: (a) you have full legal authority to bind the Client to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the Client, to this DPA.
“Client Data” shall mean any kind of data provided by or in connection with the Client. Client Data can possibly contain personal data.
“Personal Client Data" shall mean any kind of Client Data which is personal data and which is processed by Yandex as part of the DPA. "Personal Data" shall have the meaning as defined in Art. 4 Sec. 1 of the GDPR.
"Processing" shall have the meaning as defined in Art. 4 (2) of GDPR, i.e. any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Data Controller" shall have the meaning as defined in Art. 4 (7) GDPR, i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
"Processor" shall have the meaning as defined in Art. 4 (8) of GDPR, i.e. a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
"Instruction" shall mean all documented instructions you give to Yandex and that request Yandex to carry out a certain action in connection with Personal Client Data.
2.1 Subject matter of the Agreement: Yandex shall provide you with the services as described in this DPA and the Audience TOS and shall process Client Data as part of the performance of services pursuant to this DPA and the Audience TOS.
2.2 Subject matter, nature and purpose of the Data Processing: The services shall serve the purpose of (i) serving targeted advertising to the users of the Internet and (ii) providing you with statistical data of your use of the Audience Service. For this purpose, Yandex will collect Client Data in the form of Segments uploaded by you using Client Interface of the Audience Service. Client Data will be evaluated by the Processing software to make available the results of such Processing in the interface of the respective advertising platform, including but not limited to Yandex.Direct (https://direct.yandex.ru/), for the purposes of serving users of the Internet with targeted advertising.
2.3 Group of affected persons: users of the Internet.
2.4 Type of data: Data uploaded to the Audience Service which may include device_id’s, CRM data, MAC-addresses, but without limitation of the foregoing.
2.5 Duration and data deletion: This DPA is valid until and the duration of the Processing shall be equal to the term of providing you with respective advertising services connected with your use of the Audience Service or the services provided to you under the Audience TOS. The rights, benefits and obligations of this DPA shall commence with the first use of the Audience Service and shall terminate with termination of the agreed services under the Audience TOS.
2.6 With respect to the Processing of Personal Client Data as part of this DPA, you are the Controller (or Processor) and Yandex is the Processor (or sub-Processsor) within the meaning of GDPR. You are responsible for the compliance with GDPR.
2.7 Yandex performs the contractually agreed Processing of Personal Client Data on servers in Member States of the European Union or other signatories to the agreement on the European Economic Area or by Subcontractors for which Yandex ensures a reasonable level of protection of Personal Data including through the conclusion of standard contractual clauses for processors adopted by the Commission of the European Union.
2.8 Yandex will Process Personal Client Data on your behalf and on your Instructions as follows: (a) insofar as required with respect to the scope and type for the purpose of providing the services and for meeting the obligations from this DPA or Audience TOS, (b) pursuant to your Instructions, (c) insofar as required by applicable law.
3. YOUR RIGHTS AND OBLIGATIONS AND THE SCOPE OF THE AUTHORITY TO GIVE INSTRUCTIONS
3.1 You shall be responsible for the permissibility of the Processing of Personal Client Data as well as the protection of the rights of the data subject.
3.2 You can give Instructions obligating Yandex to perform a certain action with respect to the Personal Client Data. You will be able to give such Instructions through the Client Interface of the Audience Service. In case an Instruction is not possible through the Client Interface of the Audience Service and exceeds the Instructions agreed upon in the DPA ("Individual Instruction"), Yandex will notify you of the costs incurring for the performance of the Individual Instruction. Insofar as you will maintain the Instruction after such notification, you shall reimburse the costs related to such performance to Yandex. Yandex shall immediately inform you if, an Instruction infringes the GDPR or other Union or Member State data protection provisions and may raise an objection against the Individual Instruction within thirty (30) days of the receipt ("Objection") when Yandex has reasonable doubts on the lawfulness of the instruction (e.g. on consistency with the applicable data protection law). The Objection has the effect that Yandex does not have to execute the respective Individual Instruction. In such case, you are entitled to extraordinarily and without notice terminate the DPA in accordance with the provisions of the DPA.
3.3 You declare that you exclusively Process Personal Client Data (if existing) for the purpose of serving the users of the Internet with targeted advertising and receive statistic reports of your use of the Audience Service.
4. OBLIGATIONS OF YANDEX
4.1 Deletion, correction and blocking of data, deletion after termination of the Instruction: After your Instruction Yandex shall use appropriate technological measures to block the usage of such data or delete such data. You are also allowed to instruct Yandex to delete or block usage of your data via the Audience Service interface.
4.2 At your choice, Yandex shall delete or return all Personal Client Data to you based on your Instruction, and latest after the end of the provision of services relating to Processing, and deletes existing copies unless applicable law requires a continued storage of the Personal Client Data.
4.3 Technical and organizational measures: Yandex shall implement all technical and organizational security measures as required under Art. 32 GDPR. As a part of the DPA you shall not provide Yandex with data carriers for data storage.
4.4 Yandex may (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 GDPR is met, and that (b) copies of Client Data, in particular backup copies, aggregated data and cached copies are required to provide the Audience service. Yandex is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. Yandex will document significant changes.
4.5 Data confidentiality: Yandex shall only entrust personnel with the Processing of Personal Client Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.6 Other obligations: In addition to the general compliance with the provisions under this DPA, Yandex has the following obligations:
(a) Appointment – insofar as provided by the law – of a data protection officer.
(b) Performance of the control of the Instructions via regular reviews by Yandex with respect to the performance and/or execution of the DPA, in particular the compliance with and, if necessary, implementing of required adaption of regulations and measures for the performance of the Instruction.
4.7 Yandex shall immediately inform you of any relevant violations of any data protection regulations or the provisions of this DPA by Yandex or any person contracted by Yandex insofar as the violation is connected to the Processing of Personal Client Data pursuant to this DPA.
4.8 Assistance: Taking into account the nature of the Processing, Yandex shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. Yandex shall assist you in ensuring compliance with the obligations pursuant to Art. 32 through 36 GDPR taking into account the nature of Processing and the information available to Yandex.
5. CONTROL RIGHTS AND REVIEW OF TECHNICAL AND ORGANIZATIONAL MEASURES
5.1. Yandex shall make available to you all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. The following requirements apply to any audit: (i) you must give a minimum ninety (90) days’ notice of your intention to audit; (ii) you may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least thirty (30) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to you; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) You shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than your relationship manager) incurred in supporting any audit.
6.1 Subject to the following provisions, Yandex may not commission third parties with the Processing of Personal Client Data without your consent ("Data Sub-Processor") except as provided in clause 6.2.
6.2 Yandex may contract a subcontractor for the data Processing if the subcontractor is an affiliated enterprise ("Affiliated Data Sub-Processors") and if a data processing agreement pursuant to the requirements outlined in this paragraph are met. A legally separate enterprise that with respect to Yandex is a subsidiary and parent enterprise, controlled or controlling enterprise, member of a group, enterprises with cross-shareholdings, or party to an enterprise agreement shall constitute affiliated enterprises. A data Sub-Processor agreement requires that Yandex (a) ensures that the Affiliated Data Sub-Processors fulfil Yandex' duties and (b) assumes liability towards you for actions and/or omissions of the Affiliated Data Sub-Processors concerned as if these actions were taken by Yandex itself. In this context, Affiliated Data Sub-Processors may also reside outside the area of Member States of the European Union or other parties to the Agreement on the European Economic Area, if Yandex enters into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this Agreement to any such sub-processor.
6.3 If the Data Sub-Processor provides the agreed performances outside the area of Member States of the European Union or other parties to the agreement on the European Economic Area, Yandex shall enter into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this DPA to any such Data Sub-Processor.
6.4 Where Yandex engages Data Sub-Processor for carrying out specific processing activities on behalf of you, the same data protection obligations as set out in such contract shall be imposed by Yandex on that Data Sub-Processer by way of a Data Sub-Processor agreement, which in particular provides for sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where Data Sub-Processor fails to fulfil its data protection obligations, Yandex shall remain fully liable to you for the performance of Data Sub-Processor’s obligations.
6.5 Insofar as companies providing ancillary performances for Yandex in connection with the provision of services do not constitute Data Sub-Processors, Yandex will make reasonable efforts to establish an adequate contractual protection vis-à-vis such providers of ancillary performances in regard to the data security. In general, this applies to the provision of lines for telecommunication, electricity, cooling, maintenance, cleaning, review or rental of real estate. Section 6.4. shall apply accordingly.
7. STANDARD CONTRACTUAL CLAUSES
7.1. With respect to the transfer of Personal Client Data to a third country or international organization, any processing operation as described in this DPA shall also be subject to the EU Standard Contractual Clauses pursuant to European Commission Decision (“SCC”) which shall prevail over any conflicting clauses in this DPA.
8. CHANGES TO DPA
8.1. Yandex may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of Client Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex Processing of Client Personal Data; and (iii) otherwise have a material adverse impact on your rights under the DPA, as reasonably determined by Yandex. Before changes will take effect Yandex informs you at least thirty (30) days in advance (or shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting you via the Client Interface. If you object to any such change, you must terminate the DPA and stop using the service as described in clause 2.5. of this DPA. Yandex shall be entitled not to notify you about editorial changes.