Data Processing Terms and Conditions

These Data Processing Terms and Conditions and the included to it Schedule, form an integral part of the Publishers’ T&Cs” and reflect the agreement between Exit Bee acting as the Data Processor (“Processor” and/or “Data Processor”) and you, the Publisher acting as the Controller (“Controller” and/or “Data Controller”)(Each individually referred to as the “Party” and jointly referred to as the “Parties”)P with regard to the Processing of Personal Data i in the course of the provision of the  Services as defined in the Publishers’ T&Cs (the “Services”). Processor The Parties hereby agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. 

 

RECITALS

WHEREAS the Parties have agreed that the Controller will act as the sole Controller of the Personal Data. 

 

WHEREAS the Parties have agreed that it may be necessary for the Processor to Process certain Personal Data on behalf of the Controller.

 

WHEREAS in the light of this Processing, the Parties have agreed to these Data Processing Terms and Conditions to address the compliance obligations imposed upon the Parties pursuant to the Applicable Law.

 

WHEREAS the Parties agree that the provision of the Services under the Agreement may qualify as commissioned data Processing as per Art.. 28 of the General Data Protection Regulation 2016/679.

 

WHEREAS the Parties agree that these Data Processing Terms and Conditions shall render any and all other previous agreements entered into between the Controller and the Processor in relation to data processing under the Service, before the Term as defined in the Agreement, null and void.

  1. A. DEFINITIONS AND INTERPRETATION
Agreement Means the Publisher General Terms and Conditions .
Data Processing Terms and Conditions  Means these Data Processing Terms and Conditions including all schedules, notifications and all notices to these Terms and Conditions
Applicable Law Means the relevant data protection and privacy laws to which the Parties are subject, including the EU General Data Protection Regulation 2016/679
Data Subject Means the identified or identifiable Visitor/ User of the Publisher’s Website(s) (as both Visitor/User and Website are defined in the Agreement)  and described in Schedule 1 herein. 
Personal Data Means the information relating to an identified or identifiable natural person Data Subject, as defined in the EU General Data Protection Regulation 2016/679 and  other applicable legislation and described and agreed to in Schedule 1 herein.
Process,

Processing Activities

Or Processed

Means any operation or set of operations which is performed on Personal Data as defined under the General Data Protection Regulation 2016/679 and  other applicable legislation and is described and agreed to in Schedule 1 herein. 
Purpose Means the Services as agreed to in the Agreement and the associated Processing of Personal Data as described and agreed to  in Schedule 1 herein. 
Services Means the contracted Service offered by Processor as defined in the  Agreement. 
Data Processor  Exit Bee. 
Data Controller Publisher as defined in the Agreement.  
Data Breach Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Subcontractor (subprocessor) Subcontractor (subprocessor) means any third party engaged by the Data Processor to process any Personal Data relating to these Data Processing Terms and Conditions and described in Section 14 herein.
Model Clauses Model clauses means the standard contractual clauses for Processors as approved by the European Commission and available at http:/ec.europa.eu/justice/data-protection/international-transfers/files/clauses for personal data transfer processors c2010-593.doc (as amended or updated from time to time).

 

  1.       Legal nature of the provisions

 

(i) Data Controller hereby explicitly acknowledges that all  Processing Activities carried out, through the Data Controller’s Account in the Platform, are executed by the Data Processor on the Data Controller’s behalf and  all processing activities shall be valid and binding for the Data Controller, including the execution of these Data Processing Terms and Conditions .  

 

(ii) The Data Controller bears full responsibility for complying with its obligations pursuant to the Applicable Laws, the present Data Processing Terms and Conditions, as well as all for acts or omissions by its Authorized Users making use of the Data Controller Account.  

 

(iii) The Data Processor shall in no manner be liable for any acts or omissions by the Publisher’s Authorized Users acting on behalf of the Data Controller. 

 

APPOINTMENT

 

    1. The Processor is appointed by the Controller to Process the Personal Data defined in Schedule 1,for and on behalf of the Controller as is necessary to provide the Processing Services and in any case to Process the Personal Data as defined to in Schedule 1 herein. In cases where any Process instructed by the Controller, 
    2.  does not comply with the Applicable Law, or is not in line with the Service provided by the Processor ,the Processor reserves the right to refuse such instructions. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.

DURATION

    1. This Data Processing Terms and Conditions come into effect on the Start Date of the Initial Term defined in the Publisher Terms and Conditions and shall continue in full force and effect until the termination of the Agreement. 

DATA PROCESSING

    1. The Processor shall process Personal Data for the Purpose as described in the Agreement , as entered into between the parties, on behalf of the Controller and as summarized in Schedule 1 hereunder.
    2. The Personal Data will be Processed exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). In general, if the Data Processor transfers personal data and information outside the European Economic Area (the “EEA”)  it is committed to provide the Data Controller with the appropriate safeguards and measures provisioned in the Applicable Law for the transfer of data to a third country, (notwithstanding the reservations set in article 1.1. above). The Data Controller hereby authorizes Data Processor, if necessary to execute on its own behalf the appropriate EU Model Clauses with the sub-processors approved by Data Controller for the transfer of personal data outside the EEA for the purposes related the provision of the Services by the Data Processor. 

 

TECHNICAL AND ORGANIZATIONAL MEASURES

    1. The Processor shall establish data security in accordance with the Applicable Laws. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must be taken into account.
    2. The Processor has laid down the technical and organizational measures, in Schedule 2 of this Agreement which are approved by the Controller. 
    3. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time. In so doing, the security level of the defined measures must not be reduced.

RECTIFICATION, RESTRICTION AND ERASURE OF DATA

    1. The Processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law or the Processor’s Data Processing Terms and Conditions), 
    2. If a Data Subject should apply directly to the Processor to request the rectification, erasure or restriction of his Personal Data, the Processor must forward this request to the Controller without delay.

QUALITY ASSURANCE AND OTHER OBLIGATIONS OF THE PROCESSOR

    1. The Processor shall comply with all statutory requirements applicable when carrying out his obligations under the Agreement and these Data Processing Terms. In particular, the Processor ensures compliance with the following requirements:
      • The Processor has appointed a data protection officer, who shall perform such duties in compliance with the Applicable Laws. The data protection officer can be contacted via email on [email protected]
      • The Processor shall keep Personal Data logically separate to data Processed on behalf of any other third party
      • The Processor and any person acting under its authority shall process the Personal Data in accordance with the Data Processing Terms and Conditions and on documented instructions from the Controller (even via email), including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. It is hereby designated that the documented instructions also include any instructions provided by the Data Controller to the Data Processor electronically through the Data Controller Account.
      • The Processor entrusts only such persons (whether legal or natural) with the data Processing under the Data Processing Terms and Conditions who have given and undertaking to maintain confidentiality and have been informed of any special data protection requirements relevant to their work
      • The Processor and the Controller shall cooperate, on request, with the supervisory authority in performance of its tasks
      • The Processor shall inform the Controller immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to the Processing of the Controller’s data under the Data Processing Terms and Conditions this also applies if the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the Processing of personal data in connection with the Processing of the Controller’s data under this Agreement
      • The Processor shall undertake reasonable efforts to support the Controller if the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with this Agreement
      • The Processor shall periodically monitor the internal processes and the technical and organizational measures to ensure that Processing is in accordance with the requirements of applicable data protection laws and the protection of the rights of the Data Subject
      • The Processor shall verify the technical and organisational measures conducted as part of the Controller’s monitoring rights referred to Schedule 2 of these Data Processing Terms and Conditions, which the Data Controller acknowledges, by accepting these Data Processing Terms and Conditions, as appropriate technical and organizational measures to safeguard the personal data against any accidental or unlawful destruction, loss, alteration unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, in breach of the Applicable Law.
      • In the event the Data Subject exercises any of its rights under the Applicable Law, towards the Data Processor, the Data Processor shall inform the Data Controller in the email provided in the Controller’s Account. The Data Processor shall not proceed to any action and shall not respond to the Data Subject unless:
  1. this is the Data Processor’s obligation under the Data Processor’s Applicable Law, or 
  2. it is explicitly instructed to do so in writing by the Data Controller; in that case, on condition that the response to these rights are related with the nature of the Services provided by the Data Processor to the Data Controller (otherwise the Data Processor shall inform the Data Controller that it- the Data Processor- is unable to respond). 
  3. It is the Data Controller’s obligation to decide whether, how and when to address those rights and (if necessary) to give to the Data Processor the appropriate instructions (subject to the nature of the Data Processor’s Services, as above) and shall hold harmless the Data Processor; Data Processor shall in no manner be liable for any damage caused as a result to the aforementioned delay or the error, or the fault, or unlawful act or omission the negligence from the of Data Controller’s part on the above.
  4. With the present, the Data Controller provides to the Data Processor a general written authorization to engage subprocessors for the processing of the personal data. The Data Controller hereby grants its specific permission to the Data Processor to engage the subcontractors listed in Schedule 1 herein. In order to appoint another subprocessor the Data Processor shall notify the Data Controller via updating the Data Processing Terms and Conditions. The Data Controller may provide via email reasonable and substantiated objections (based on data protection laws related grounds) to the proposed new subprocessor, within five (5) days from the date the notification was sent by the Data Processor otherwise the new subprocessor shall be deemed accepted by the Data Controller. If the Data Controller submits reasonable and substantiated objections as above, the Data Processor reserves the right to propose another subprocessor or assume itself (the Data Processor) the specific processing activity, or  if the Services, cannot be provided to the Data Controller without the appointment of that subprocessor, the Data Processor reserves the right to terminate the Agreement

MONITORING RIGHTS OF THE CONTROLLER

    1. The Controller has the right, after consultation with the Processor, to carry out up to one  regular audit/inspection within a 12 month period (following a written request to the Data Processor in order to mutually agree on the exact date of the audit)  or to have it carried out by an auditor to be designated in each individual case Non-regular audits are only permitted in case that this is instructed by a local Authority that has the lawful right to instruct such audits under the Controller’s Applicable Law and the Processor is obliged to accept such audit under the Controller’s Applicable Law (the Controller must provide written proofs of such right to the Processor).  The Controller has the right to convince itself of the compliance with the Data Processing Terms and Conditions by the Processor in its business operations by means of a check, that is to be communicated in advance and in good time. These rights of the Controller shall not extend to facilities which are operated by sub-processors, subcontractors or any third parties which the Processor may use to attain its Purpose and provide its Services. The Processor shall ensure that the Processing activities carried out by any sub-processors, subcontractors or any third parties which the Processor may use to attain its Purpose and provide its Services meet the requirements laid down in these Data Processing Terms and Conditions and in Applicable Law. 
    2. The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with the Applicable Laws. The Processor undertakes to provide to the Controller all necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures as mentioned in Schedule 2 within a reasonable timeframe
    3. Evidence of the implementation of any measures in this regard may also be presented in the form of up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit or by other measures provided by law

NOTIFICATIONS OF SECURITY BREACHES BY THE PROCESSOR

    1. The Processor shall assist the Controller in complying with the statutory obligations regarding the security and protection of personal data and shall make appropriate documentation in this regard. This includes, in particular, the obligation:
      • To ensure an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the Processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable and immediate detection of relevant infringement events
      • To notify the Controller in the most expedient time possible under the circumstances and without unreasonable delay and, where feasible, not later than seventy-two (72) hours after having become aware of any accidental, unauthorized, or unlawful destructions, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach” and/or “Data Breach”). In consultation with the Controller, the Processor shall take appropriate measures to secure the data and limit any possible detrimental effect on the Data Subjects
      • To cooperate with the Controller and provide the Controller with any information which the Controller may reasonably request relating to the Security Breach. The Processor shall investigate the Security Breach and shall identify, prevent and make reasonable efforts to mitigate the effects of any such Security Breach and, with the Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Breach
      • To assist the Controller by appropriate measures with regard to the Controller’s obligation to inform Data Subjects and competent authorities in case of a Security Breach. 
      • To assist the Controller with regard to the Controller’s obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard.
      • If and to the extent Data Processor is referenced by name in any notification, public/regulatory communication or press release concerning a Security Breach of personal data, Data Processor shall be provided with an opportunity to review and approve such Communication for accuracy, such approval not to be unreasonably withheld. Any additional assistance which may be required by the Data Controller  shall be provided by the Data Processor subject to the Data Controller bearing any additional costs thereof.
      • The Data Processor shall promptly notify Data Controller if it makes a determination that it cannot comply with its obligations under these Data Processing Terms and Conditions, and  in such event, the Data Processor shall work with Data Controller and take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing complies with the requirements of these Data Processing Terms and Conditions. Data Processor shall immediately cease (and request all Subcontractors to immediately cease) processing Personal Data if Data Controller determines that Data Processor has not or cannot correct any non- compliance in accordance with this article within a reasonable time frame.

CONTROLLER’S UNDERTAKINGS 

    1. The Data Controller hereby acknowledges, undertakes, represents and warrants that:
  1. Is fully and exclusively liable for legitimacy and compliance of the Personal Data being Processed by Data Processor under the present Data Processing Terms and Conditions with the Controller applicable legislation as well as the legislation governing the contractual relationship of the parties as set in the Agreement. 
  2. Shall comply with its obligations under Controller Applicable Law(s). The Data Controller will be the sole responsible to determine the lawfulness of the collection of Personal Data, as well as all other legal principles with regard to the lawful processing of the data (i.e. indicatively but not exhaustively, data minimization, data subjects rights, lawful legal basis, etc.) Data Processor does not determine, and does not control the collection, use and processing of such data by the Data Controller. Data Subjects can contact directly the Data Controller, for any issue with regard to their personal data and the exercise of their rights.
  3. the Data Subject has been lawfully informed from the Controller’s Privacy Policy for the identity of the Controller, the processing of his/her personal data, the purposes and lawful grounds of such Processing, the time frame of processing, the rights of the data subjects, as well as that the personal data are processed by the Data Processor on behalf of the Data Controller for the purposes and nature of the processing as described herein. Furthermore, the Data Controller understands and accepts that the Data Controller bears the responsibility to provide the Privacy Policy to the Data Processor. Data Processor does not (and is under no obligation to) review this Privacy Policy. 
    1. The Data Controller has implemented and applies appropriate technical and organisational measures and maintains the designated records of its processing activities (pursuant to the Applicable Law) as Data Controller, in order to ensure and to be able to demonstrate that the processing is carried out in compliance with the provisions of the Applicable Law and that the rights of the data subjects are protected.
    2. The Data Controller has adopted legitimate procedures and policies for the retention and deletion of the Personal Data hosted in the Data Controller Account, and that the Data Controller implements appropriate procedures to ensure compliance with the data subjects’ rights.
    3. Overall, the Data Controller is the sole responsible to set the scope for processing of the personal data in compliance with the applicable data protection laws, Data Controller being the Controller of those data. In case that a Data Controller has not complied with all applicable lawful data protection requirements and/or has any doubt whether it has lawfully collected that data or whether it is allowed to proceed with the usage of the Services, the Data Controller should refrain from ordering and/or using those services.
    4. The Personal Data may only be handled under this Data Processing Terms and Conditions, in alignment with the Agreement , and under the instructions issued by the Controller. Under these Data Processing Terms and Conditions , the Controller retains a general right of instruction as to the nature, scope and method of data Processing, which may be supplemented with individual instructions. 
    5. The Processor may only pass on information to third parties provided they render the Data Subject unidentifiable and for targeting or reporting purposes relating to the Presentation of Advertising Content as outlined in the Agreement or with the prior written consent of the Controller.

DELETION AND RETURN OF PERSONAL DATA

    1. Upon completion of the provision of the Service as laid down in the Agreement or when requested by the Controller, and within a reasonable time which shall not exceed 30 calendar days, the Processor must return to the Controller all documents in its possession and all work products and data produced, or deleted them in compliance with the Applicable Law with the prior consent of the Controller. The same applies to any test data. The deletion log must be presented upon request.
    2. Electronic documentation intended as proof of proper Personal Data Processing must be kept by the Processor beyond the termination of the relationship between the Parties and this Agreement, in accordance with relevant retention periods relevant to the Controller’s Term and renewal(s) of Term. The Processor may hand such documentation over to the Controller after expiry of the Agreement, upon request by the Controller.
    3. The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making.
    4. Taking into account the nature of the Processing, the Processor shall assist Controller by appropriate technical and organizational measures, insofar as the right to be forgotten is possible, for the fulfilment of the Controller’s obligation to respond to a Data Subject’s request under the Applicable Law. The obligation to delete the Data Subject’s data shall, at all times, remain with the Controller. For the avoidance of doubt, the Processor will not undertake any data deletion efforts on behalf of the Controller.

PARTIES’ LIABILITY-INDEMNIFICATION

    1. The Controller will indemnify the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor in its capacity as Processor of the Personal Data of the Controller arising from any Security Breach in the Data Processing or any negligent act or omission by the Controller in the exercise of the rights granted to it under the Applicable Law provided that:
      • The Processor, within reasonable time, notifies the Controller of any actions, claims or demands brought or made against it concerning any alleged Security Breach
      • The Processor will not compound, settle or admit to any actions, claims or demands without the consent of the Controller except by order of a court of competent jurisdiction
      • The Controller shall be entitled at its own cost to defend or settle any proceedings
      • The Processor shall not have acted of its own accord and independently of the instructions given to it by the Controller in its role as data processor in accordance with the provisions of this Agreement, except in specific situation as laid down in the Agreement
      • This indemnity shall exclude any loss that has arisen out of negligence or willful action, default or omission of the Processor, its employees, contractors, subcontractors or any other person outside the Controller’s control.
    2. The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within ten (10) business days from the occurrence thereof or commences to make good such damages before written notice is given as aforesaid.
    3. The Data Processor shall be liable towards the Data Controller and any third party for the processing of Personal Data only to the extent the Data Processor has failed to comply with its obligations as a Data Processor pursuant to Applicable Law, as such obligations have been specified in these present Data Processing Terms and Conditions, or if the Data Processor exceeded or acted against the Data Controller’s lawful documented instructions, within the framework of the personal data processing it undertakes pursuant to the Data Processing Terms and Conditions. It is hereby specified that the Data Processor shall be liable only if its acts or omissions are negligent or fraudulent and directly linked to the damage caused. The Data Processor shall not be liable also in the event of force majeure or if it proves that it has no relation to the event causing the damage incurred by the Data Controller or any third party (including the data subject). The Data Processor reserves the right in any case to submit a claim against the Data Controller for any other direct damage caused to the Data Processor from a willful breach on behalf of the Data Controller of its legal and/or contractual obligations for the processing of data (towards the Data Processor, the data subject or third parties or the competent Authorities), including any court costs, reasonable attorney fees and/or administrative fines.
    4. Any liability of Processor towards the Controller for the breach of the terms hereof or the law or within the framework of their Agreement (including article 82 par.4 of the Data Protection Regulation where applicable), shall be limited to direct damages and, where the damage is due to light negligence of the Processor, Processor’s liability shall be limited to the amount equaling 50.000 EUR. This limitation is acknowledged by the parties as fair and lawful, taking into account the nature of the processing envisaged herein. Controller shall have the right to claim against the Processor for indirect damages and/or loss of profit.

 

SUB-PROCESSING

‘Sub-Processing’, in the meaning of the Data Processing Terms and Conditions , does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data Processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller’s data, even in the case of outsourced ancillary services to Sub-Processors.

The Controller agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with applicable data protection laws:

Sub-Processor Country Service
Amazon Web Services Ireland Secure Cloud Service Platform for Database Storage
Hetzner Online GmbH Germany Database Servers
Google Cloud Platform Ireland – Belgium Secure Cloud Service
Rackspace United Kingdom Managed Services – Google Cloud Platform Infrastructure
Redis St. Ghislain, Belgium  Google Cloud Service, Memorystore
Kubernetes St. Ghislain, Belgium Google Cloud Platform, Google Kubernetes Engine
Elasticsearch Frankfurt, Germany Amazon Web Services, Amazon Elasticsearch Service
MySQL St. Ghislain, Belgium Google Cloud Platform Cloud SQL for MySQL

 

    1. Additionally with what is referred to Section 7.1 case IV, Outsourcing to further Sub-Processors or changing any existing Sub-Processors is permissible provided the Processor maintains the same privacy and security standards. Informs the Controller of the identity of the Sub-Processor and the scope of the Sub-Processing with the renewal of the Data Processing Terms and the Controller does not object in writing or in text form within ten (10) business days from the update  by the Processor. The Controller shall not unreasonably object any required Sub-Processing. In addition, the following provisions apply:
      • The transfer of Personal Data to the Sub-Processor and the Sub-Processor’s commencement of the data Processing shall be in compliance with all requirements of the Data Processing Terms and Conditions
      • If the Sub-Processor provides the agreed service outside the EU/EEA, the Processor shall ensure compliance with Applicable Laws
      • The Processor shall impose on the Sub-Processor the same data protection obligation as set out in these Data Processing Terms and Conditions , in particular with regard to the provision of sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Law.

With respect to each Sub-Processor, the Processor will before the Sub-Procesor first Processes any data of the Controller, carry out adequate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for the Personal Data required by the Data Processing Terms and Conditions and shall ensure that the agreement between the Processor and the relevant Sub-Processor, include terms which offer at least the same level of protection for the Controller as those set out in the Data Processing Terms and Conditions t and meets the requirements of article 28(3) of the GDPR.

MISCELLANEOUS

With effect from 25 May 2018, upon the Controller’s request, the Processor shall provide the Controller with reasonable cooperation and assistance needed to fulfil the Controller’s obligation under the General Data Protection Regulation to carry out a data protection impact assessment related to the Controller’s use of the Processor’s Services, to the extent that the Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Processor.

If any variation is required to the Data Processing Terms and Conditions as a result of a change in the Applicable Law, then either Party may provide written notice to the other party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations tothe Data Processing Terms and Conditions . The Parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the relevant requirements.

Clauses and other headings in this Agreement are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of the Data Processing Terms and Conditions . Schedules to the Data Processing Terms and Conditions shall be deemed to be an integral part of  the Data Processing Terms and Conditions to the same extent as if they had been set forth verbatim herein.

This Agreement, including the Schedules attached hereto constitute the entire agreement between the parties pertaining to the subject matter hereof and supersede all prior agreements (excluding the SAgreement), understandings, negotiations and discussions of the Parties.

The provisions of the Data Processing Terms and Conditions are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of the Data Processing Terms and Conditions shall remain in full force and effect. 

Any notice, letter or other communication contemplated by the Data Processing Terms and Conditions shall be communicated in writing via registered mail to the registered addresses of the Parties or via electronic mail, delivery and read receipt requested.

The provisions of this Data Processing Terms and Conditions shall endure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.

The  Controller agrees to post conspicuously on each Website a privacy policy that complies with all Privacy Laws, and that discloses Publisher’s as well as Exit Bee’s and Exit Bee’s advertising clients’ practices with respect to data collection, use and disclosure (each, a “Privacy Policy”), including:  (a) the types/categories of Personal Data  being collected for targeting purposes as described in 4.3 , (b) the circumstances under which such Personal Data will be disclosed to or used by third parties, and the purposes therefor, and (c) the use of one or more third parties for ad serving activities. The Privacy Policy must: (i) be linked from each Publisher Site in connection with this Data Processing Terms and Conditions and the Agreement, (ii) direct end-users to an industry-wide mechanism for opting-out from receiving targeted advertising, such as the Digital Advertising Alliance opt-out page at http://aboutads.info/choices, and (iii) be consistent with the Exit Bee Privacy Policy.  Publisher must comply with all Privacy Laws with respect to obtaining required opt-in consent as may be required by the Privacy Laws of various countries or regions in connection with obtaining sufficient user permission to use cookies or the collection and use of any information obtained from Publisher’s end-users, or as to restoring cookies cleared or deleted by Publisher’s end-users.  Neither Publisher nor its agents (including without limitation Publisher’s CMP) shall decide, control, amend or restrict the legal bases, purposes or features (including special features) that Exit Bee relies on to process Personal Data including, but not limited to, under Version 2.0 of the IAB’s Transparency and Consent Framework.  In the event that any such decision, control, amendment or restriction is applied by Publisher, Exit Bee may, in its sole discretion, terminate the Data Processing Terms and Conditions.

 

 

 

SCHEDULE 1

 

Description of Processing Operations

The Purpose

 

Exit Bee is an ad network based on behavioural analysis and exit intent.

For more information on what data is collected and the security measure taken to protect this data refer to the Exit Bee Terms of Service: http://www.exitbee.com/terms and Privacy Policy: http://www.exitbee.com/privacy.

 

DETAILS OF PROCESSING
Subject matter of the Processing: Depending on how the Controller chooses to use the Service, the subject matter of Processing of personal data may cover the following types/categories of data:

      1. Device’s IP address (captured and stored in an anonymized format)
      2. Device screen resolution
      3. Device type (unique device identifiers), operating system, and browser type
      4. Geographic location
      5. Mouse events or finger events for mobile devices
      6. Keypresses
      7. Referring URL and domain
      8. Pages visited
      9. Date and time when website pages were accessed

The group of Data Subjects affected by the Processing of their personal data under the Agreement includes end-users of the Controller’s Websites.

 

SCHEDULE 2

 

Technical and Organizational Measures

 

The Processor warrants and undertakes in respect of all Personal Data that it Processes on behalf of the Controller that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Such measures shall include, but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation; in particular at least the measures set out in the Exit Bee Privacy Policy: http://www.exitbee.com/privacy.

The Processor shall provide the Controller, upon request, with adequate proof of compliance (e.g. the relevant parts of the Processor’s agreements with its data center provider).

For more detailed information on the latest state of the art measures adopted by our hosting providers, please refer to the following links: https:/aws.amazon.com/security/ and https://cloud.google.com/security/