Data Processing Addendum

Team Internet AG (“Team Internet”) operates a traffic marketplace platform under the TONIC. brand, on which providers and/or intermediaries of goods and services (“Advertisers”) and suppliers of internet user traffic (“Publishers”) can meet (“Platform”). Advertisers and Publishers (hereinafter collectively “Customers”) using the Platform entered into an agreement with Team Internet, governing their usage of the Platform (“Agreement”). By using the Platform, Customers may process Personal Data relating to Internet users, such as website visitors or users of a mobile app. This Data Processing Addendum (“DPA”) reflect the parties’ agreement on the terms governing the processing and security of the Personal Data processed by Team Internet on behalf of the Customer and both parties’ commitment to comply with the applicable data protection law, in particular the requirements of the General Data Protection Regulation (“GDPR”).

1. Definitions

“Controller”, “Data Subject”, “Personal Data” and “Processor” as used in this Data Processing Addendum have the meanings given in the GDPR.

“Customer Personal Data” means Personal Data processed by Team Internet on behalf of Customer in Team Internet’s provision of the Traffic Marketplace Services.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also known as “General Data Protection Regulation”).

“Platform” means the traffic marketplace platform under the TONIC. brand, on which providers and/or intermediaries of goods and services (“Advertisers”) and suppliers of internet user traffic (“Publishers”) can meet.

“Traffic Marketplace Services” means the services provided by Team Internet in the context of the provision of the Platform.

“Sub-Processor” means any Processor engaged by the Processor.

“User” means the end user of an internet connected device, such as a visitor to a web page, a user of a mobile app, or a user of an IoT device, or a visitor on advertisement or campaign webpage.

Capitalized terms used herein without definition shall have the meanings assigned to them in the Agreement.

2. Data Processing

2.1 Roles

Team Internet shall process Customer Personal Data on behalf of the Customer. The parties agree that, for the purposes of this DPA and with respect to Customer Personal Data, Customer shall be the Controller and Team Internet shall be a Processor. If Customer is a Processor, Team Internet shall be engaged by Customer as a Sub-Processor.

2.2 Subject-matter, Nature, Purpose and Duration of Processing

Team Internet operates a traffic marketplace platform, on which Advertisers are able to buy and Publishers are able to sell traffic. Publishers transfer data relating to Internet users, such as website visitors or users of a mobile app, to the Platform and via the Platform to Advertisers. Such data may include Personal Data. Advertisers bid on an impression and, if the bid is won, the Advertisers advertisement is instantly displayed to the respective user on the Publisher's website or via the Publisher’s mobile app.

Team Internet will process Customer Personal Data for the purpose of providing the Traffic Marketplace Services and any related technical support to Customer in accordance with the Agreement, this DPA and any instructions received from Customer according to this DPA.

The term of this DPA and of the processing shall correspond to the term of the Agreement.

2.3 Type of Personal Data and Categories of Data Subjects

By using the Platform, Advertisers and Publishers may process Personal Data relating to Internet users, such as website visitors or users of a mobile app.

Customer may submit Customer Personal Data to the Platform, the extent of which is determined and controlled solely by Customer, and which may include, but is not limited to, IP addresses, session-based browsing behavior, geolocation data and advertising, cookie and/or device identifiers.

Customer shall not transfer any special categories of Personal Data (as defined in the GDPR) to the Platform.

3. Compliance with Instructions

3.1

Team Internet will only process Customer Personal Data in accordance with Customer’s instructions and never for its own purposes. Customer instructs Team Internet to process Customer Personal Data in accordance with the Agreement, this DPA, in order to provide the features and functionalities of the Platform and the Traffic Marketplace Services, as further specified via Customer’s use of the Platform and the Traffic Marketplace Services or by further written instructions of the Customer. Customer also instructs Team Internet to (i) process Customer Personal Data on its behalf and in its interest for security and compliance purposes, including, but not limited to, to prevent fraud and to detect bots; and (ii) to aggregate and anonymize Customer Personal Data in order to be able to use it to analyze the usage of the Platform, to further develop and improve the Platform and Customer’s Platform usage experience and for compliance, security and fraud prevention purposes.

3.2

Customer shall, in its use or receipt of the Traffic Marketplace Services, process Personal Data in accordance with the requirements of the applicable data protection laws and regulations, including, but not limited to GDPR, and Customer will ensure (i) that its instructions for the processing of Personal Data shall comply with such data protection laws and regulations. Customer; and (ii) that it has, and will continue to have, the right to transfer, or provide access to, the Customer Personal Data to Team Internet for processing in accordance with the terms of the Agreement and this DPA, including the data subject’s explicit and demonstratable consent, if required.

3.3

Team Internet shall inform Customer without delay if it is of the opinion that an instruction violates applicable laws. Team Internet may suspend the implementation of the instruction until it has been confirmed or amended by Customer.

3.4

If Team Internet is obliged to process personal data in accordance with the law of the Union or the Member State to which Team Internet is subject, Team Internet shall inform Customer thereof in writing prior to the respective processing, unless the law prohibits such information for important reasons of public interest. In the latter case, Team Internet shall inform Customer immediately as soon as this is legally possible.

4. Technical and Organizational Measures

4.1

Team Internet shall implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access in compliance with the requirements of Art. 32 GDPR. Such measures include, but are not limited to, the measures described in Annex 1. Team Internet may update or modify the technical and organizational measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Platform and the Traffic Marketplace Services.

4.2

Team Internet shall impose appropriate contractual obligations upon its employees involved in the processing of Customer Personal regarding confidentiality, data protection and data security and Team Internet shall ensure that its employees have been duly trained on their responsibilities and obligations regarding confidentiality, data protection and data security and have executed written obligations to confidentiality and data protection, such obligations to survive termination/expiry of the employment relationship with Team Internet.

5. Data Subject Rights

5.1

Team Internet shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR (in particular access, correction, blocking or deletion). To the extent that the assistance of Team Internet is necessary for the protection of rights of a Data Subject by Customer, Team Internet shall take the necessary measures according to the instructions of Customer.

5.2

Team Internet may only provide information to third parties or to Data Subjects with the prior consent of Customer. It shall forward requests addressed directly to Team Internet to Customer without undue delay.

6. Further Obligations of Team Internet

6.1

Team Internet shall inform Customer immediately, at the latest within 48 hours, if it becomes aware of violations of the protection of Customer Personal Data.

6.2

Team Internet shall support Customer in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to the Contractor. In particular, Team Internet shall support Customer in preparing and updating the records of processing activities with regard to the data processing performed by Team Internet on behalf of Customer, and, if necessary, in carrying out a data protection impact assessment. All necessary information and documentation must be made available to Customer immediately upon request.

6.3

If Customer is subject to inspection by a supervisory authority or if a Data Subject assert rights against Customer, Team Internet undertakes to support Customer to the necessary extent insofar as Customer Personal Data is affected.

6.4

Team Internet has appointed a competent and reliable person as data protection officer. Customer may contact the data protection officer directly (privacy@teaminternet.com) for any questions with regard to data processing and data protection.

7. Rights and Obligations of Customer

7.1

Customer shall be responsible for assessing the lawfulness of the data processing and for safeguarding the rights of Data Subjects.

7.2

Customer shall be entitled to monitor and audit compliance with the provisions on data protection and the contractual agreements at Team Internet to a reasonable extent itself or by third parties, in particular by obtaining information and inspecting the stored data and data processing programs. Team Internet shall, as far as necessary and possible, provide access and insight to the persons entrusted with the inspection. Team Internet shall provide necessary information, to demonstrate procedures and to provide evidence which is necessary for the performance of an inspection. Inspections at Team Internet's premises shall be carried out without avoidable disruptions to its business operations. Unless otherwise indicated for urgent reasons to be documented by Customer, inspections shall take place after reasonable advance notice and during business hours of Team Internet and not more frequently than every 12 months.

8. Sub-Processors

8.1

Team Internet may only use Sub-Processors with the prior consent of Customer. Customer consents to the usage of Sub-Processors according to the list of Sub-Processors, accessible via the Platform and upon request at any time.

8.2

Team Internet may remove or appoint suitable and reliable other Sub-processors as follows:

  • Team Internet will inform Customer by electronic means (via the Platform and/or by email) reasonably in advance of granting access to Customer Personal Data to a Sub-processor (except for Emergency Replacements as defined below) of any changes to the List of Sub-processors.
  • If Customer has a legitimate, material reason to object to Team Internet’s use of a new Sub-processor, Customer shall notify Team Internet thereof in writing within seven (7) days after receipt of Team Internet’s notice.
  • If Customer does not object during such time-period, the new Sub-processor(s) shall be agreed and consented to by Customer.
  • If Customer objects to the use of the new Sub-processor concerned, Team Internet shall take reasonable steps to address the objections raised by Customer. If such steps are not sufficient to eliminate the Customer’s reasonable objections, either Customer or Team Internet may terminate the Agreement with immediate effect to the extent that it relates to the Traffic Marketplace Services which require the use of the proposed Sub-Processor without bearing liability for such termination.
  • “Emergency Replacement” refers to a sudden replacement of a Sub-processor where such change is outside of Team Internet’s reasonable control (such as if the Sub-Processor ceases business, abruptly discontinues services to Team Internet, or breaches its contractual duties owed to Team Internet). In such case, Team Internet will inform Customer of the replacing Sub-Processor as soon as possible and the process to formally appoint the replacing Sub-Processor defined above shall be triggered.
8.3

Team Internet must carefully select its Sub-Processors and check before using them that they can comply with the agreements made between the Customer and Team Internet. In particular, Team Internet shall verify that all Sub-Contractors have taken the necessary technical and organizational measures to protect Customer Personal Data in accordance with Art. 32 GDPR.

8.4

Services used by Team Internet with third parties as a pure ancillary service in order to carry out its business activities shall not be considered sub-processing in the context of this DPA. This includes, for example, cleaning services, pure telecommunications services without concrete reference to services provided by Team Internet for the Customer, postal and courier services, transport services and security services.

8.5

The usage of Sub-Processors shall not affect Team Internet’s contractual and data protection obligations towards Customer. Team Internet shall be liable for any acts or omissions of its Sub-Processors as if they were its own acts or omissions.

9. Data Transfer to Third Countries

Customer Personal Data may also be processed by Team Internet in third countries without an adequate level of data protection (according to Art. 45 GDPR). The transfer of Customer Personal Data to such a third country by Team Internet is carried out on the basis of an adequacy decision in accordance with Art. 45 GDPR (e.g. EU – U.S. Privacy Shield) and/or on the basis of suitable guarantees in accordance with Art. 46 GDPR (e.g. Standard Contract Clauses issued by the Commission and concluded between Team Internet and the Sub-Processor in a third country).

10. Deletion and Return of Personal Data

10.1

Copies of the Customer Personal Data processed on behalf of Customer shall not be made without the knowledge of Customer. Excluded from this are backup copies insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory retention obligations.

10.2

Customer instructs Team Internet to retain Customer Personal Data for a period of up to 3 calendar months from the date of its collection and to delete Customer Personal Data from the Platform during this period and/or on termination/expiry of the Agreement or earlier at any time, at Customer’s written request.

10.3

Documentations which serve as evidence for orderly and proper data processing shall be stored by Team Internet beyond the retention period and/or termination/expiry of the Agreement in accordance with the respective retention periods.

Annex 1

Technical and Organizational Measures

1. Confidentiality

1.1 Physical Access Control

Access to the data centers hosting the Platform is ensured by a separation system with logging. Furthermore, the entire site outside and inside the data centers is protected by video surveillance and 24/7 security personnel.

1.2 System Access Control

Access to the administration tools and customer accounts is secured by a password with minimum length and complexity. Remote access to the Platform always takes place via encrypted connections. The access of servers and clients to the Internet and the access to these systems via the Internet is also secured by firewalls. This also ensures that only the ports required for the respective communication can be used. All other ports are blocked accordingly. All employees are instructed to lock their IT systems when they leave them. Passwords are always stored in encrypted form. Team Internet implemented organizational measures in case employees leave the company (deletion of access).

1.3 Data Access Control

Team Internet’s authorization and access rights concept is strictly demand-oriented, access rights and every access are monitored and logged. Only employees that need to specific areas and data access to perform their roles are granted access to such areas and data (“principle of least privilege”). Team Internet applies a clean desk policy. Access to the database is restricted to a small group of administrators.

1.4 Separation Control

The Platform is used by several customers simultaneously (multitenancy) and guarantees a logical separation of the data of every customer. At the same time there is a physical separation of the systems according to function in development system, test system and productive system.

1.5 Pseudonymization and encryption

Administrative access to server systems is always via encrypted connections. In addition, data is stored on server and client systems on encrypted data carriers. The corresponding hard disk encryption systems are in use.

2. Integrity

Personal Data can be assigned to its origin at any time. The input, modification and deletion of Personal Data processed by Team Internet is always logged. Employees are obliged to always work with their own accounts. User accounts may not be shared with other persons.

All non-anonymized data has to be encrypted at rest. All workstations used to process data need to be using full-disk encryption and sufficient security protocols to ensure no unauthorized and unlogged modification to the data is possible. Non-anonymized IP data will be stored for a maximum of 90 days as far as required for audit purposes.

All data transfer outside of dedicated networks must ensure to use encryption either on the transport, application level or both.

All systems used to store, and process data need to be part of a patch management process, ensuring all software is kept updated and security protocols are regularly audited.