YANDEX.METRICA DATA PROCESSING AGREEMENT (DPA)
Agreement on Contracted Data Processing for customers by and between Yandex Oy Limited Company - Moreenikatu 6, 04600 Mantsala, Finland (“Yandex”)
By using opt-in check-box you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "GDPR"). You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.
This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018.
“Customer Data” shall mean any kind of data provided by or in connection with the customer. Customer Data can possibly contain personal data.
“Personal Customer Data" shall mean any kind of Customer Data which is personal data and which is processed by Yandex as part of the DPA. "Persoeenal Data" shall have the meaning as defined in Art. 4 Sec. 1 of the GDPR.
"Processing" shall have the meaning as defined in Art. 4 (2) of GDPR, i.e. any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Data Controller" shall have the meaning as defined in Art. 4 (7) GDPR, i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
"Processor" shall have the meaning as defined in Art. 4 (8) of GDPR, i.e. a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
"Instruction" shall mean all documented instructions you give to Yandex and that request Yandex to carry out a certain action in connection with Personal Customer Data.
"IP Anonymization" shall mean the functionality by means of which you can instruct Yandex to delete the last octet of the IP addresses of your website of mobile app users.
2.2 Subject matter, nature and purpose of the Data Processing: The service shall serve the purpose of analysing the use of your website or mobile app by its users. For this purpose, Yandex will collect Customer Data concerning technical properties and the activities of your website or mobile app users on the basis of page views or mobile app use. Customer Data will be evaluated by the Processing software to create reports including, among other things, information on the time spent on the website or in the mobile app, approximate geographical origin, origin of the user traffic, exit pages and a course of use.
2.3 Group of affected persons: users of your website or mobile app.
2.4 Type of data: Data collected on the basis of page views or mobile app use concerning technical properties and the activities of your website or mobile app users. This, particularly, includes information on the time spent on the website or in mobile app and the interaction with your website or mobile app as well as the IP address of website or mobile app users and cookies information.
2.6 With respect to the Processing of Personal Customer Data as part of this DPA, you are the Controller (or Processor) and Yandex is the Processor (or sub-Processsor) within the meaning of GDPR. You are responsible for the compliance with GDPR.
2.7 Yandex performs the contractually agreed Processing of Personal Customer Data on servers in Member States of the European Union or other signatories to the agreement on the European Economic Area or by Subcontractors for which Yandex ensures a reasonable level of protection of Personal Data including through the conclusion of standard contractual clauses for processors adopted by the Commission of the European Union.
3. YOUR RIGHTS AND OBLIGATIONS AND THE SCOPE OF THE AUTHORITY TO GIVE INSTRUCTIONS
3.1 You shall be responsible for the permissibility of the Processing of Personal Customer Data as well as the protection of the rights of the data subject.
3.2 You can give Instructions obligating Yandex to perform a certain action with respect to the Personal Customer Data. You will be able to give such Instructions through the user interface of the service. This particularly includes the functionality of the IP Anonymization by means of which you instruct Yandex to delete the last octet of the IP addresses of your website users or mobile app users. In case an Instruction is not possible through the user interface of Yandex.Metrica service and exceeds the Instructions agreed upon in the DPA ("Individual Instruction"), Yandex will notify you of the costs incurring for the performance of the Individual Instruction. Insofar as you will maintain the Instruction after such notification, you shall reimburse the costs related to such performance to Yandex. Yandex shall immediately inform you if, an Instruction infringes the GDPR or other Union or Member State data protection provisions and may raise an objection against the Individual Instruction within 30 days of the receipt ("Objection") when Yandex has reasonable doubts on the lawfulness of the instruction (e.g. on consistency with the applicable data protection law). The Objection has the effect that Yandex does not have to execute the respective Individual Instruction. In such case, you are entitled to extraordinarily and without notice terminate the DPA in accordance with the provisions of the DPA.
3.3 You declare that you exclusively Process Personal Customer Data (if existing) for the purpose of tracking of a course the users use your website or mobile app and to create reports on the website activity.
4. OBLIGATIONS OF YANDEX
4.1 Deletion, correction and blocking of data, deletion after termination of the order: After your Instruction Yandex shall anonymize Personal Customer Data including by erasing the last octet of the IP-addresses of the users of your website or mobile app. This obliteration shall be completed before further analysing the IP-addresses as a part of the services.
4.2 At your choice, Yandex shall delete or return all Personal Customer Data to you based on your instruction, and latest after the end of the provision of services relating to Processing, and deletes existing copies unless Union or Member State law requires a continued storage of the Personal Customer Data.
4.3 Technical and organizational measures: Yandex shall implement all technical and organizational security measures as required under Art. 32 GDPR. As a part of the DPA you shall not provide Yandex with data carriers for data storage.
4.4 Yandex may (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 GDPR is met, and that (b) copies of Customer Data, in particular backup copies, aggregated data and cached copies are required after the completed IP Anonymization to provide the service. Yandex is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. Yandex will document significant changes.
4.5 Data confidentiality: Yandex shall only entrust personnel with the Processing of Personal Customer Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.6 Other obligations: In addition to the general compliance with the provisions under this DPA, Yandex has the following obligations:
- Appointment – insofar as provided by the law – of a data protection official.
- Performance of order control via regular reviews by Yandex with respect to the performance and/or execution of the DPA, in particular the compliance with and, if necessary, realising of required adaption of regulations and measures for the performance of the order.
4.7 Yandex shall immediately inform you of any relevant violations of any data protection regulations or the provisions determined in this DPA by Yandex or any person working for Yandex insofar as the violation is connected to the Processing of Personal Customer Data pursuant to this DPA.
4.8 Assistance: Taking into account the nature of the Processing, Yandex shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. Yandex shall assist you in ensuring compliance with the obligations pursuant to Art. 32 through 36 GDPR taking into account the nature of Processing and the information available to Yandex.
5. CONTROL RIGHTS AND REVIEW OF TECHNICAL AND ORGANIZATIONAL MEASURES
5.1.Yandex shall make available to you all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. The following requirements apply to any audit: (i) you must give a minimum thirty (30) days’ notice of your intention to audit; (ii) you may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least ten (10) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to you; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) You shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than your relationship manager) incurred in supporting any audit.
6.1 Subject to the following provisions, Yandex may not commission third parties with the Processing of Personal Customer Data without your consent ("Order Data Sub-Processor") except as provided in clause 6.2.
6.2 Yandex may contract a subcontractor for the data Processing if the subcontractor is an affiliated enterprise ("Affiliated Order Data Sub-Processors") and if a data processing agreement pursuant to the requirements outlined in this paragraph are met. A legally separate enterprise that with respect to Yandex is a subsidiary and parent enterprise, controlled or controlling enterprise, member of a group, enterprises with cross-shareholdings, or party to an enterprise agreement shall constitute affiliated enterprises. A data Sub-Processor agreement requires that Yandex (a) ensures that the Affiliated Order Data Sub-Processors fulfil Yandex' duties and (b) assumes liability towards the customers for actions and/or absence of actions of the Affiliated Order Data Sub-Processors concerned as if these actions were taken by Yandex itself. In this context, affiliated subcontractors may also have their seat outside the area of Member States of the European Union or other parties to the Agreement on the European Economic Area, if Yandex enters into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this Agreement to any such sub-processor.
6.3 If the Order Data Sub-Processor provides the agreed performances outside the area of Member States of the European Union or other parties to the agreement on the European Economic Area, Yandex shall enter into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this DPA to any such sub-processor.
6.4 Where Yandex engages Data Sub-Processor for carrying out specific processing activities on behalf of you, the same data protection obligations as set out in such contract shall be imposed by Yandex on that Data Sub-Processer by way of a Data Sub-Processor agreement, which in particular provides for sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where Order Data Sub-Processor fails to fulfil its data protection obligations, Yandex shall remain fully liable to you for the performance of Order Data Sub-Processor’s obligations.
6.5 Insofar as companies providing ancillary performances for Yandex in connection with the provision of services do not constitute Order Data Sub-Processors, Yandex will make reasonable efforts to establish an adequate contractual protection vis-à-vis such providers of ancillary performances in regard to the data security. In general, this applies to the provision of lines for telecommunication, electricity, cooling, maintenance, cleaning, review or rental of real estate. Section 6.4. shall apply accordingly.
7. STANDARD CONTRACTUAL CLAUSES
7.1. With respect to the transfer of Personal Customer Data to a third country or international organization, any processing operation as described in this DPA shall also be subject to the EU Standard Contractual Clauses pursuant to European Commission Decision (“SCC”) which shall prevail over any conflicting clauses in this DPA.
8. CHANGES TO DPA
8.1. Yandex may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of Customer Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex Processing of Customer Personal Data; and (iii) otherwise have a material adverse impact on your rights under the DPA, as reasonably determined by Yandex. Before changes will take effect Yandex informs you at least 30 days in advance (or shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting you via the service interface. If you object to any such change, you must terminate the DPA and stop using the service as described in clause 2.5. of this DPA. Yandex shall be entitled not to notify you about editorial changes.