Demand Partner Data Processing Agreement
By using the opt-in check-box or by continuing your performance under the respective Demand Partner Agreement, you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation; hereinafter – "GDPR"). You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.
This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018.
This DPA is an addition to the Demand Partner Agreement (hereinafter – “Agreement”) which could be executed by and between you and Yandex in any form. In the event of a contradiction between these clauses and the Agreement, the terms and conditions under this DPA shall prevail.
If you are accepting this DPA on behalf of Demand Partner (“Customer” or “Client” depending on the wording of the Agreement) (hereinafter – “Demand Partner”), you warrant that: (a) you have full legal authority to bind Demand Partner to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the Demand Partner, to this DPA.
Yandex and Demand Partner agree to comply with the following provisions with respect to Personal Data processed by the parties as part of the services provided by Yandex to Demand Partner under the Agreement (the “Services”).
“Affiliate” means a corporation which directly controls or is controlled by or is under common control with the party thereto.
“Individual” means a natural person to whom Personal Data relates, also referred to as “Data Subject” pursuant to EU data protection laws and regulations.
“Yandex” means Yandex Group entity which is the party to the Agreement.
“Yandex Personal Data” means any Personal Data that Yandex transfers or makes available to Demand Partner, as part of the Services.
“Personal Data” means data about an identified or identifiable Individual, also referred to as “Personal Data” pursuant to EU data protection laws and regulations.
“Privacy Laws and Regulations” means the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the ePrivacy Regulation repealing Directive 2002/58/EC (“EPR”) and all laws, rules and regulations applicable to the relevant party and relating to the Processing of Personal Data under or in relation to the Agreement including, where applicable and the equivalent of any of the foregoing in any relevant jurisdiction.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2. Application of this DPA.
2.1 Application of Privacy Laws and Regulations. This DPA will only apply to the extent that the Privacy Laws and Regulations apply to the processing of Personal Data within the performance of the Agreement.
2.2 Application to the Services. This DPA will only apply to the Services that the parties agreed to in the Agreement. The Demand Partner could accept this DPA either by (a) clicking in the special check-box in the Partner Interface, (b) if the Agreement incorporates this DPA by reference, or (c) if this DPA is communicated to the Demand Partner via Partner Interface or via email.
2.3. The terms of this DPA will prevail over any conflicting terms in the Agreement.
3.1. Scope and Roles. Each party to this DPA: (a) is an independent controller of Yandex Personal Data; (b) will individually determine the purposes and means of its processing of Yandex Personal Data; and (c) will comply with the obligations applicable to it under Privacy Laws and Regulations with respect to Yandex Personal Data. Nothing in this Section 3.1 shall modify any restrictions applicable to either party’s rights to use or otherwise process Yandex Personal Data under the Agreement. Also, notwithstanding the foregoing Demand Partner is allowed to process Yandex Personal Data solely for the purposes of responding to bid requests made by Yandex within performance of the Agreement and for the purposes of overall performance of the Agreement by Demand Partner.
3.2. Demand Partner’s Obligations. Demand Partner will: (1) process the Yandex Personal Data only in accordance with the terms of this DPA and terms of the Agreement; (2) without limiting the aforesaid or any other provision under this DPA – not merge any data containing device identifiable information (“DII”) with data containing personally identifiable information (e.g., name, telephone number, email address and government issued IDs) and will not otherwise re-identify the individuals who are the subjects of the DII for personalized advertising without obtaining the individuals’ prior (opt-in) consent; (3) ensure that all individuals engaged in the Processing of the Yandex Personal Data under the Agreement are subject to strict obligations of confidentiality, non-disclosure and non-use in relation to such Personal Data for the duration of their Processing of the Yandex Personal Data; (4) implement appropriate technical and organizational measures, as further provided in this DPA, to ensure a level of security appropriate to the risk involved in Processing the Yandex Personal Data pursuant to the Agreement and in accordance with good industry practice.
3.3. Use of Sub-Processors. Yandex acknowledges and agrees that Demand Partner may engage with third-party service providers in the use of the Sin performing the Agreement (“Sub-Processors”). All Sub-Processors to whom Demand Partner transfers Yandex Personal Data must enter into written agreements with Demand Partner or such other binding instruments that bind them by the same material obligations as stated in this DPA.
3.4. Objection. Demand Partner will provide Yandex with a written notice of Demand Partner’s engagement with any additional data processor that will directly or indirectly process any Yandex Personal Data. To ensure compliance with applicable Privacy Laws and Regulations, Yandex may object to any such additional Sub-Processor. If Yandex sends Demand Partner a written objection to the new Sub-Processor, Demand Partner will make commercially reasonable efforts to perform the Agreement without the use of such Sub-Processor. Yandex may terminate the Agreement upon a written notice to Demand Partner with immediate effect if Demand Partner is unable to perform the Agreement without the use of the Sub-Processor.
3.5. Responsibility and Liability. Demand Partner remains responsible and liable for all acts and omissions of all Sub-Processors as if they were its own and Demand Partner will ensure that each Sub-Processor enters into an agreement with Demand Partner which contains equivalent protections for the Yandex Personal Data as are contained in this DPA.
4. Assistance and Cooperation
4.1. Assistance in Compliance. Demand Partner will cooperate with Yandex and provide all necessary assistance to Yandex in connection with –
4.1.1. Any required notification to Yandex clients, supervising authorities or Individuals as applicable, taking into account the nature of Processing and the information available to Demand Partner.
4.1.2. Impact assessments and prior consultation that Yandex conducts;
4.1.3. Yandex’s GDPR-related demonstration of compliance;
4.1.4. Requests to exercise data subjects’ rights, complaints and inquiries pursuant to section 4 to this DPA;
If at Yandex’s discretion Demand Partner cannot provide sufficient assistance, Yandex may terminate this DPA and Agreement, or those portions of the Services which cannot be provided without the requested assistance.
4.2. Demand Partner Notices. Unless prohibited under applicable laws, Demand Partner will notify Yandex of:
4.2.1. Any violation by Demand Partner, or anyone on Demand Partner’s behalf of any provision under this DPA, Agreement or Privacy Laws and Regulations;
4.2.2. Any official competent supervisory proceedings regarding the Processing of the Yandex Personal Data conducted by Demand Partner;
4.2.3. Any legal or factual circumstances preventing Demand Partner from performing the Agreement or complying with the terms of this DPA; and
4.2.4. Any material changes impacting the technical and organizational security measures implemented by Demand Partner which cause such measures to fall short of Demand Partner’s data security obligations under this DPA.
4.3. Demand Partner’s Processing of Personal Data. Any use, disclosure, transfer or other processing of Personal Data without Yandex’s prior written permission or as permissive under this DPA or Agreement, including by way of permitting access to, use by, or any other processing by Demand Partner’s affiliates, agents, vendors, customers, partners and other third parties, is strictly prohibited.
5. Rights of Individuals
5.1. Inquiries, requests and complaints. Demand Partner will provide all reasonable and timely assistance to Yandex, to enable Yandex to respond to: (i) supervising authorities’ or Individuals’ requests for assistance in relation to any request from an Individual to exercise any of the Individual’s rights under Privacy Laws and Regulations; and (ii) any other correspondence, inquiry or complaint received from an Individual (or on an Individual’s behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of the Yandex Personal Data under the Agreement or this DPA.
5.2. Information obligation. If any such communication related to the Processing of the Yandex Personal Data is made directly to Demand Partner, Demand Partner will promptly inform Yandex about such communication, provide Yandex all related details and will not respond to the communication unless specifically required by applicable Privacy Laws and Regulations or authorized by Yandex.
6. Demand Partner Personnel
6.1. Limitation of Access. Demand Partner will ensure that Demand Partner’s access to the Yandex Personal Data is limited only to those personnel who require such access to perform the Agreement.
6.2. Confidentiality. Demand Partner will impose appropriate contractual obligations upon its personnel engaged in the Processing of the Yandex Personal Data, including relevant obligations regarding confidentiality, data protection and data security. Demand Partner will ensure that its personnel engaged in the Processing of the Yandex Personal Data are informed of the confidential nature of the Yandex Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements.
7.1. Demand Partner may disclose the Yandex Personal Data if required by a subpoena or other judicial or administrative order, stock exchange or if otherwise required by law.
7.2. Demand Partner acknowledges that Yandex may disclose this DPA and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law.
8. Data Transfers
8.1. Transfers of Data Out of the European Economic Area and Switzerland. Either party may transfer Yandex Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the applicable Privacy Laws and Regulations.
8.2. Sub-Processing Adequacy. Demand Partner will downstream the obligations for transferring Personal Data under this section 8, as required under applicable Privacy Laws and Regulations, by entering into appropriate onward transfer agreements with all relevant Demand Partner’s agents, other data processors (as this term is referred to under the GDPR), or equivalents to agents or other data processors under applicable Privacy Laws and Regulations, to whom Demand Partner transfers the Yandex Personal Data.
8.3. Termination for Inadequacy. If Demand Partner is unable to provide an alternative measure to continue transferring Yandex Personal Data, then Yandex may terminate the DPA and Agreement, or those portions of the Service which cannot be provided without the transfer of the Yandex Personal Data, upon a written notice with immediate effect.
9.1. Security Controls. Demand Partner will establish, implement, and maintain an information security program that includes administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of the Yandex Personal Data, pursuant to Demand Partner’s information security policy and in accordance with applicable Privacy Laws and Regulations, including without limitation safeguards related to: physical and environmental security measures, information transmission, periodic risk assessments, passwords, access control and authorization, responsibilities and accountability, encryption algorithms, secured software, web security, development and maintenance, incident management, fault and intrusion detection, training, Demand Partners’ security audits, secured information destruction and disposal, mitigation of vulnerabilities, back-up and business continuity, host services monitoring, employees confidentiality and background checks.
9.2. Additional Security Measures. Demand Partner will use its best efforts, upon Yandex’s written requests from time to time, to take additional steps to secure the Yandex Personal Data and provide Yandex with records and documentation related thereto.
9.3. Certification. Yandex may be satisfied with receiving Demand Partner’s in-effect information security certifications (e.g., ISO 27001 and SOC reports), risk assessments, vulnerability tests and penetration tests reports, and such other documentation that Yandex may request from Demand Partner to demonstrate Demand Partner’s current status of information security safeguards.
9.4. Monitoring and Consistency Requirement. Demand Partner will regularly monitor compliance with these safeguards. Demand Partner will not materially decrease the overall security of the Service during the term of the Agreement.
10. Policies and Audit
Demand Partner will permit and contribute to any data audits reasonably required by Yandex upon Yandex’s written request. Any on-premise audits are subject to a thirty (30) days’ prior written notice, not more than once a year, during normal business hours and at Yandex’s expense. Notwithstanding, an audit following a Security Incident, as further defined below, on Demand Partner’s or on Demand Partner’s third parties’ information systems, will not be subject to the above limitations.
11. Security Breach Management and Notification
11.1. Breach Prevention and Management. Demand Partner will maintain security incident management policies and procedures in accordance with applicable Privacy Laws and Regulations and will, to the extent permitted by law, notify Yandex immediately of any actual or reasonably suspected unauthorized access to, acquisition of, or disclosure of the Yandex Personal Data, by Demand Partner or its Affiliates or agents of which Demand Partner becomes aware (a “Security Incident”).
11.2. Breach Notification and Mitigation. In the event that Demand Partner detects or in the event that facts justify the assumption that (i) Yandex Personal Data processed by Demand Partner on Yandex’s behalf has been unlawfully transmitted or (ii) third parties have gained access to such data or (iii) the integrity or confidentiality of Yandex Personal Data has been compromised in any other way, Demand Partner will give Yandex without undue delay written notification specifying the date and time, nature, and extent of the incident. The notice will also include a description of potential consequences and potential adverse effects of the incident. Furthermore, Demand Partner will inform Yandex about the measures it has taken in order to remediate the risks involved with the incident, to mitigate potential adverse effects and to prevent the occurrence of a similar incident in the future.
11.3. Remediation. Upon becoming aware of a Security Incident, Demand Partner will provide all such timely information and cooperation as Yandex may require in order for Yandex to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Privacy Laws and Regulations. Demand Partner will further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and will keep Yandex informed of all developments in connection with the Security Incident. Demand Partner will not notify any third parties of a Security Incident affecting the Yandex Personal Data unless and to the extent that: (i) Yandex has agreed to such notification, and/or (ii) notification is required to be made by Demand Partner under applicable Privacy Laws and Regulations and then, in each case, Demand Partner will keep Yandex informed of the status of such notification and any response from any such third parties, unless such notification is prohibited to Demand Partner under applicable laws or regulations.
12. Deletion of Personal Data
Upon termination or expiry of the Agreement, Demand Partner will (at Yandex’s election) destroy or return to Yandex all copies of the Yandex Personal Data (including all copies of the Yandex Personal Data) in its possession or control (including all back-ups and any Yandex Personal Data subcontracted to a third party for Processing). This requirement will not apply to the extent that Demand Partner is required by any applicable law to retain some or all of the Yandex Personal Data, in which event Demand Partner will isolate and protect the Yandex Personal Data from any further Processing except to the extent required by such law. Demand Partner will state in writing that it has completed the deletion of the Yandex Personal Data from its systems and send such confirmation to Yandex without undue delay.
13. Deletion of Personal Data
If Demand Partner provides or otherwise makes available Personal Data to Yandex within performance of the Agreement, then the following terms of this section 13 will apply:
13.1. Evidence Obligations. At Yandex’s request, Demand Partner will provide supporting evidence, to demonstrate that: (i) Demand Partner collects, obtains and processes Personal Data lawfully, without violating any third parties’ rights, contractual obligations or Privacy Laws and Regulations; (ii) Demand Partner has all rights, consents, authorization and title to grant the rights and permissions to use the Personal Data under the terms of the Agreement; (iv) Processing and use of the Personal Data by Yandex and modification thereof by Yandex’s clients under the terms of the Agreement will not violate the Individuals’ rights and other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights.
13.2. Disclosure Notification. Without limiting the aforesaid, Demand Partner confirms, and at Yandex’s request will demonstrate that all Individuals received appropriate disclosures and notifications, as required under Privacy Laws and Regulations, including for the use, distribution and trans-border transfer of Personal Data, which encompasses the use of the Personal Data under the terms of the Agreement. Where a third party provided the notices to the Individuals and received their consent, Demand Partner will bear sole responsibility to verify and will be able to demonstrate that the notices and consents were sufficient for the purposes of use under the terms of the Agreement and adequate pursuant to Privacy Laws and Regulations.
13.3. Termination Right. Without limitation to any rights and remedies available to Yandex under the applicable law, Yandex may terminate this Agreement upon a notice to Demand Partner with immediate effect, upon a failure by Demand Partner to meet any of the above representations and warranties.
14. Demand Partner Responsibilities and Indemnification
14.1. Demand Partner guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Demand Partner and Demand Partner agrees that it will be responsible for all costs associated with its compliance with such obligations. Demand Partner is responsible and liable for its acts and omissions under this DPA.
14.2. Demand Partner will defend, indemnify and hold Yandex, its officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by Demand Partner to comply with the requirements under this DPA.
15. Term and Termination
15.1. Term. This DPA is effective and will continue in force until the Agreement is expired or terminated, pursuant to the terms therein.
15.2. Termination. Yandex may terminate the Agreement if Demand Partner breaches the DPA and does not cure such breach within five (5) days after receiving a written notice by Yandex about the breach. Notwithstanding the foregoing, any Demand Partner confidentiality obligations under the Agreement and this DPA will survive the termination of this Agreement.
15.3. Other Data Processing Agreements. This DPA will not affect any other separate Data Processing Agreement between Yandex and/or its Affiliate and the Demand Partner in respect of any data processing arising out of the agreements other than the Agreement.
16.1. Yandex may change the DPA at any moment if: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex Processing of Personal Data; and (iii) otherwise have a material adverse impact on Demand Partner’s rights under this DPA, as reasonably determined by Yandex. Before changes take effect, Yandex will inform Demand Partner at least thirty (30) days in advance (or a shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting Demand Partner via the Partner Interface available to Demand Partner. If Demand Partner objects to any such change, it must terminate the DPA and the Agreement (unless the Agreement could be performed in the remaining part without existence of this DPA) and stop using the Services under the Agreement. Yandex shall be entitled not to notify Demand Partner about editorial changes.
Date of publication: 24.05.2018