Personal Data Processing Agreement for Joint Data Controllers
The processing of personal data by joint data controllers requires that their respective responsibilities with regard to compliance with the obligations arising from the applicable privacy laws and regulations, including the European General Data Protection Regulation, are established in a transparent manner. Therefore, the Parties have agreed to enter the following terms.
The DPA forms an integral part of the Agreement. If and to the extent there is any conflict between this DPA and the Agreement, the DPA shall prevail.
1.DEFINITIONS
| Applicable Data Protection Law | means any and all applicable privacy and data protection laws and regulations (including without limitation, where applicable, the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); and (iii) any national or European data protection laws made under, pursuant to, amending, replacing or succeeding (i), (ii)) and as may be amended or superseded from time to time. |
| Security Incident | means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other Party (including Personal Data shared by the Parties). For clarity sake, any Personal Data Breach of the other Party’s Personal Data pertaining to the Agreement is a Security Incident. |
| Standard Contractual Clauses | means, in relation to the Processing of Personal Data pursuant to this DPA, the standard clauses for the transfer of Personal Data established in Third Countries, approved by the European Commission from time to time, the approved version of which in force at present is that set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard Contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-Agreementual-clauses-scc/standard-Agreementual-clauses-international-transfers_en. |
| Third Countries | means a country which is not part of the European Economic Area (“EEA”); and is not subject of a formal adequacy decision of the European Commission taken in accordance with Art. 25 (6) of Directive 95/46/EC of the European Parliament and the Council of the European Union or Art. 45 (3) of GDPR, recognizing that the country ensures an adequate level of protection of Personal Data. |
For the purposes of this DPA, the Parties agree that the following terms with a capital letter shall have the meaning given to them in the GDPR or in the Agreement.
2. PARTIES ROLES AND OBLIGATIONS
The Parties agree that they will each act as joint data Controllers for the processing of the End-users’ Personal Data undertaken in relation to the provisions of the Services under the Agreement (“Personal Data Processing”). The details of the Agreement and the Personal Data Processing are further defined in Schedule 1.
The Parties shall always comply with their respective obligations under the Agreement and the Applicable Data Protection Law, including when appointing a data processor and when transferring the Personal Data to a third country.
Parties agree to each appoint (i) at least one dedicated point of contact for data protection enquiries, whose contact details are provided in Schedule 1 and, if applicable (ii) a local representative for personal data matters.
Each Party shall assist the other Joint Controller, where possible, in meeting its (i) obligation to respond to requests from data subjects and (ii) obligations laid down in Articles 32 through 36 of the GDPR.
Each Party shall be individually and separately responsible for complying with the obligations that apply to it as joint Controller under the Applicable Data Protection Law.
3. DATA SUBJECTS’ INFORMATION AND CONSENT
Publisher, being an entity in direct contact with the Data Subjects, undertakes, on behalf of OPTI DIGITAL, to (i) inform Data Subjects of OPTI DIGITAL’s use of cookies and Processing of their Personal Data, and (ii) collect consent (or record absence thereof) and provide a possibility to object to Processing, subject to Publisher and OPTI DIGITAL using the Transparency & Consent Framework of the IAB for the purposes listed below.
4. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Where EU Data Protection Law applies, neither Party shall transfer or permit any Personal Data disclosed by the other Party to be transferred to a Third Country, unless it has taken sufficient safeguard measures as are necessary to ensure the transfer complies with EU Data Protection Law. Such measures may include, without limitation, the transfer of Personal Data to a recipient that has executed the Standard Contractual Clauses, or any other legally permitted mechanism allowing such transfer (e.g. binding corporate rules), relying on specific data subject consent for the transfer or other exceptions under article 49 of the GDPR.
If and to the extent there is any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
5. DATA SUBJECT REQUESTS AND ENQUIRIES
It is agreed that where either Party receives a request from a Data Subject in respect of Personal
Data controlled by the other Party, such receiving Party will direct the Data Subject to the other Party, to enable such other Party to reply directly to the Data Subject’s request or enquiry. Both Parties agree to reasonably cooperate in good faith in order to ensure any Data Subject requests are processed in accordance with Applicable Data Protection Law.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
Each Joint Controller shall implement appropriate technical and organizational measures to protect the Personal Data. If Publisher or OPTI DIGITAL suffers a Security Incident relating to Personal Data, each Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree on such actions as may be necessary to limit and remedy the negative consequences of the Security Incident.
Except where the DPA expressly provides that only one of the Joint Controllers is responsible for an obligation, each Joint Controllers shall restrict access to Personal Data only to persons who need the access to Personal Data for the purposes of the Agreement, provide those persons with relevant authorisations, offer relevant training on personal data protection and ensure confidentiality of Personal Data processed thereby, both during and after their employment or other cooperation with a Joint Controller.
7. TERM AND TERMINATION
The DPA shall be effective for the Term of the Agreement and as long as and until, after the termination of the Agreement, obligations still have to be fulfilled. It is terminated or expires when the Agreement is terminated or expires.
Upon termination or expiry of the Agreement, each Party shall cease to Process new Personal Data. The Parties agree that Personal Data already collected may continue to be processed as long as necessary to provide the Services contracted under the Agreement, including after the termination thereof, or if required under applicable laws. To that end, the DPA shall survive termination or expiry of the Agreement.
SCHEDULE 1
Description of Personal Data Processing Operations
- Parties to the Processing:
| Joint Controller 1 | Joint Controller 2 | |
| Entity | OPTI DIGITAL SA | Publisher of the website/app |
| Link to privacy policy | https://www.optidigital.com/privacy-policy/ | see Publisher’s website/app |
| Contact | dpo@optidigital.com | see Publisher’s website/app |
| Country | France | see Publisher’s website/app |
| IAB Vendor number | 915 | see Publisher’s website/app |
Purpose(s) of the Processing
| Purpose | Legal basis |
| Store and/or access information on a device | Consent |
| Use limited data to select advertising | Consent or legitimate interest as a legal basis |
| Create profiles for personalised advertising | Consent |
| Use profiles to select personalised advertising | Consent |
| Measure advertising performance | Consent or legitimate interest as a legal basis |
| Develop and improve services | Consent or legitimate interest as a legal basis |
| Deliver and present advertising and content | Legitimate interest |
Duration : The Processing shall be undertaken on a continuous basis during the term of the agreement signed between the Parties. Each Party shall retain the Personal Data and keep processing it as an independent controller after the term.
Data retention : The Personal Data may only be retained by each Party for a period of time necessary for the accomplishment of the purposes, as defined under the agreement. Each Party shall independently determine the retention periods applicable to each category of Personal Data.
Data Subjects : In each country, where the Applicable Data Protection Law applies, the Personal Data processed under the Agreement belongs to the following categories of Data Subjects: End Users of the Publisher’s Properties.
Categories of Personal Data: The Categories of Personal Data processed are:
- Data relating to connectivity (e.g., device, operating system, browser, settings, etc.)
- Data relating to usage data (e.g., browser history (e.g. referring sites) viewing history, interaction with content/ads history, deduced user profiles, shares, etc.)
- Identification data: (e.g., Cookies IDs, whether a Data Subject is believed to be a minor, etc.). For sake of clarity, “ID” includes: (i) a unique identifier stored on an End User’s device, or (ii) a unique identifier generated based on device information, or (iii) a resettable advertising identifier associated with a mobile device or an application.
- Data relating to privacy preferences
It is expressly confirmed that no directly identifiable data (e.g., name, email address, etc.), nor special or sensitive Personal Data is subject to the Processing.