Yandex.Direct Data Processing Agreement
By using opt-in check-box you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "GDPR"). You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.
This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018 (“DPA Effective Date”).
This DPA is an addition to the Yandex.Direct Service Offer (https://yandex.ru/legal/oferta_direct or similar document applicable to the provision of the Processor Services) (“Agreement”). In the event of a contradiction between these clauses and the terms of the Agreement, the terms and conditions under this DPA shall prevail.
This DPA is entered into by Yandex and Customer and supplement the Agreement. This DPA will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the DPA Effective Date till the termination date of the Agreement or till the date the Customer ceases to use Processor Services or till deletion of all Customer Personal Data by Yandex as described in this DPA.
If you are accepting this DPA on behalf of the Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the Customer, to this DPA.
1. Introduction
This DPA reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Legislation and in connection with provision of the Processor Services by Yandex to the Customer and Customer’s use of the Additional Products.
2. Definitions
2.1. In this DPA:
“Additional Product” means a product, service or application (including but not limited to advertising tracker or web-counter) provided by Yandex or a third party that: (a) is not part of the Processor Services; and (b) is accessible for use within the Client interface of the Processor Services or is otherwise integrated with the Processor Services.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Customer Personal Data” means personal data that is processed by Yandex on behalf of Customer in Yandex’s provision of the Processor Services or Customer Personal Data processed by the Third Party Subprocessors when providing Additional Products.
“Data Protection Legislation” means, as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland), and/or (c) any other law, statute, regulation or legislative act applicable to the Customer Personal Data Processing.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Yandex” means Yandex Group company that is the party to the Agreement.
“Processor Services” means the services provided by Yandex according to the Agreement, in particular, related to the placement of Mobile Ads by the Customer.
“Subprocessors” means third parties authorised to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services or to participate (as designated by the Customer) in provision of the Processor Services and any related technical support, or to provide any Additional Product.
“Third Party Subprocessors” has the meaning given in Section 9.1.
2.2. The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.
3. Application of this DPA
3.1. This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data, including if:
(a) the processing is in the context of the activities of an establishment of Customer in the European Economic Area; and/or
(b) Customer Personal Data is personal data relating to data subjects who are in the European Economic Area and the processing relates to the serving them with advertisement (either targeted or not), offering to them of goods or services or the monitoring of their behaviour in the European Economic Area.
3.2. This DPA will only apply to the Processor Services for which the parties agreed to this DPA, in particular: (a) the Processor Services for which Customer clicked to accept this DPA; or (b) if the Agreement incorporates this DPA by reference, the Processor Services that are the subject of the Agreement. This Agreement will also apply to the processing of Customer Personal Data where the Customer uses Additional Product.
4. Processing of Data
4.1. The parties acknowledge and agree that:
(a) this DPA describes the subject matter and details of the processing of Customer Personal Data;
(b) Yandex is a processor of Customer Personal Data under the Data Protection Legislation;
(c) Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and
(d) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data.
If Customer is a processor, Customer warrants to Yandex that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Yandex as another processor, have been authorised by the relevant controller.
4.2. The Customer understands that the Processor Services are aimed to provide the Customer with an opportunity of (i) serving targeted advertising to the users of the Internet and (ii) providing Customer with statistical data of the Customer’s use of the Processor Services. For this purpose, Yandex will process Customer Personal Data as instructed by the Customer via Customer interface of the Processor Services, including but not limited to the cases where the Customer engages with the third party Subprocessor providing Additional Product (e.g. third-party tracker allowing the Customer to track the statistics of placement of advertising in the form of Mobile Ads), where the processing of the Customer Personal Data would be required for the Customer to use such Additional Product. Therefore the Customer declares that the Customer exclusively processes Customer Personal Data for the purpose purposes described above.
4.3. Customer Personal Data may include the device id’s, IP-addresses or other data which is determined by the Customer via Customer interface of the Processor Services or when using Additional Product.
4.4. Customer Personal Data will concern the following categories of data subjects: (a) data subjects about whom Yandex collects personal data in its provision of the Processor Services; and/or (b) data subjects about whom personal data is transferred to Yandex in connection with the Processor Services or Additional Products by, at the direction of, or on behalf of Customer. Depending on the nature of the Processor Services, these data subjects may include individuals: (a) to whom advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Yandex provides the Processor Services; and/or (c) who are customers or users of Customer’s products or services.
4.5. By entering into this DPA, Customer instructs Yandex to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by Yandex as constituting instructions for purposes of this DPA.
4.6. Yandex will comply with the Customer’s Instructions (“Customer’s Instructions”) unless applicable law requires other processing of Customer Personal Data by Yandex, in which case Yandex will inform Customer (unless that law prohibits Yandex from doing so on important grounds of public interest).
4.7. If Customer uses any Additional Product, the Processor Services may allow that Additional Product to access Customer Personal Data as required for the interoperation of the Additional Product with the Processor Services.
4.8. Yandex may transfer the Customer Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation and such transfer is required for the purposes of provision of the Processor Services.
5. Data Protection.
5.1. Yandex shall implement all technical and organizational security measures as required under Art. 32 GDPR. Yandex may also (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 GDPR is met, and that (b) copies of the Customer Personal Data, in particular backup copies, aggregated data and cached copies are required to provide the Processor Services. Yandex is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. Yandex will document significant changes.
5.3. Yandex shall only entrust personnel with the Processing of Customer Personal Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.4. Yandex shall immediately inform the Customer of any relevant violations of any Data Protection Legislation or the provisions determined in this DPA by Yandex or any person contracted Yandex insofar as the violation is connected to the Processing of Customer Personal Data pursuant to this DPA.
6. Assistance and Cooperation.
6.1. Taking into account the nature of the Processing, Yandex shall assist Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights laid down in the GDPR. Yandex shall assist Customer in ensuring compliance with the obligations set by the GDPR taking into account the nature of Processing and the information available to Yandex.
6.2. If Yandex receives a request from a data subject in relation to Customer Personal Data, Yandex will respond directly to the data subject’s request in accordance with the standard functionality of that tools used to process such request, or advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request. The Customer will also provide all reasonable and timely assistance to Yandex, to enable Yandex to respond to: (i) supervising authorities or data subjects’ requests to exercise any of the data subjects’ rights under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from the data subject (or on the data subject’s behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of the Customer Personal Data under this DPA.
6.3. The parties agree that each party will (taking into account the nature of the processing and the information available to Yandex) assist the other party in ensuring compliance with any obligations of each party in respect of data protection impact assessments and other compliance with Data Protection Legislation.
7. Data Deletion
7.1. During the term of the DPA, if the functionality of the Processor Services does not include the option for Customer to delete Customer Personal Data, then Yandex will comply with any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless applicable law requires storage.
7.2. On expiry of the Term, Customer shall instruct Yandex to delete all Customer Personal Data (including existing copies) from Yandex’s systems in accordance with applicable law. Yandex will comply with this instruction as soon as reasonably practicable and within a maximum period of one hundred eighty (180) days, unless applicable law requires storage.
8. Customer’s Security Responsibilities and Assessment.
8.1. Customer agrees that, without prejudice to Yandex’s obligations under Section 5:
(a) Customer is solely responsible for its use of the Processor Services, including:
(i) making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and
(ii) securing the account authentication credentials, systems and devices Customer uses to access the Processor Services; and
(iii) engaging with any Third Party Subprocessors providing the Customer with any Additional Product, including entering into respective data processing agreements, and
(b) Yandex has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Yandex’s and its Subprocessors’ systems.
8.2. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the security measures implemented and maintained by Yandex as set out in Section 5 provide a level of security appropriate to the risk in respect of Customer Personal Data.
8.3. Yandex shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. The following requirements apply to any audit: (i) the Customer must give a minimum ninety (90) days’ notice of the intention to audit; (ii) the Customer may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least thirty (30) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Customer; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) the Customer shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than Customer’s relationship manager) incurred in supporting any audit. For the avoidance of doubt, nothing in this DPA will require Yandex either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access: (i) any data of any other customer of Yandex or Yandex Affiliate; (ii) any Yande’s or Yandex Affiliate’s internal accounting or financial information; (iii) any trade secret of Yandex or Yandex Affiliate; (iv) any information that, in Yandex's reasonable opinion, could: (a) compromise the security of any Yandex or Yandex Affiliate’s systems or premises; or (b) cause Yandex or any Yandex Affiliate to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or (v) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Data Protection Legislation.
9. Subprocessors
9.1. Customer specifically authorises the engagement of Yandex’s Affiliates as Subprocessors (“Yandex Affiliate Subprocessors”). In addition, Customer generally authorises the involvement of any other third parties as Subprocessors (“Third Party Subprocessors”), in particular where such third party provides the Customer with Additional Product. In the latter case it is Customer’s responsibility to enter into respective data processing agreement with such Third Party Subprocessor and allow involvement of such Subprocessore into the processing of Customer Personal Data subject to this DPA.
9.2. When engaging any Subprocessor (except for the Third Party Subprocessor), Yandex will ensure that the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and Data Protection Legislation; and that Yandex remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor.
9.3. Customer may object to any Subprocessor by terminating this DPA and the Agreement immediately upon written notice to Yandex, on condition that Customer provides such notice within ninety (90) days of becoming aware of the engagement of the new Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
10. Liability
10.1. The Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by the Customer and the Customer agrees that it will be responsible for all costs associated with its compliance of such obligations. The Customer is responsible and liable for its acts and omissions under this DPA.
10.2. The Customer will defend, indemnify and hold Yandex, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by the Customer to comply with the requirements under this DPA.
11. Effect of this DPA
11.1. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, subject to the certain exceptions provided by this DPA, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
11.2. This DPA will not affect any other separate data processing agreement between Yandex and/or its Affiliate and the Customer in respect of any data processing arising out of the agreements other than the Agreement.
12. Changes to this DPA
12.1. Yandex may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of the Customer Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex Processing of the Customer Personal Data; and (iii) otherwise have a material adverse impact on Customer’s rights under this DPA, as reasonably determined by Yandex. Before changes will take effect Yandex informs Customer at least thirty (30) days in advance (or shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting Customer via the Client interface. If Customer objects to any such change, Customer must terminate the DPA and the Agreement (unless the Agreement could be performed in the remaining part without existence of this DPA) and stop using the Processor Services under the Agreement. Yandex shall be entitled not to notify Customer about editorial changes.
Date: 25.05.2018