DPA All-in-One 2024

Please note that this Data Protection Agreement is no longer current. For the updated version, kindly refer to THIS LINK.

OPTI DIGITAL processes Personal Data within the framework of a commercial contract signed with Publisher (the “Contract”). Therefore, the Parties wish to define the specific obligations of the Data Processor in this Appendix (the “Data Protection Agreement”).

As such, the Parties agree as follows:

1. DEFINITIONS

The terms with a capital letter below shall have the same meaning as in the European General Data Protection Personal Data Legislation, or its applicable implementing national laws (altogether “Personal Data Legislation”) or in the Contract. 

“Data Controller” refers to “Publisher” (depending on the term used in the Contract).

“Data Processor” refers to OPTI DIGITAL.

2. DESCRIPTION OF THE PROCESSING

The processing activities subject to this Data Processing Agreement are described in Exhibit A.

3. DATA PROCESSOR’S OBLIGATIONS 

3.1 The Data Processor agrees to process the Personal Data only in accordance with the Data Controller’s documented instructions appearing herein and/or in the Contract, and/or any written instruction provided by the Data Controller to the Data Processor during the term of the Contract. 

If the Data Processor considers the instructions to be in violation of the Personal Data Legislation, it shall inform the Data Controller immediately. 

In the event that the Data Processor is required to proceed with the processing of Personal Data by virtue of a mandatory provision resulting from EU law or the law of a Member State to which it is subject, the Data Processor will inform the Data Controller of this legal obligation prior to processing the Data, except when the applicable law forbids such notice for important public interest reasons.

3.2 In the event of a transfer of Personal Data to a country that is not a Member State of the European Union nor a third party country benefiting from an adequacy decision of the EU Commission, or to an international organization, the Parties shall sign the Standard Contractual Clauses published by the European Commission (updated 2021 version):

  • when the Data Processor is the exporter and the Data Controller is the importer :
    • Module 4 is applicable;
    • Clause 7 (docking clause) is included;
    • The optional paragraph in Clause 11 is not included;
    • Clause 17 : the Governing law is the one of the Contract;
    • Clause 18 : The competent courts are the ones of the Contract;
    • The SCCs Appendix I (Sections A and B) is completed by the Parties and attached to this Data Protection Agreement.
  • when the Data Controller is the exporter and the Data Processor is the importer :
    • Module 2 is applicable;
    • Clause 7 (docking clause) is included;
    • Clause 9(a) : Option 2 is applied;
    • The optional paragraph in Clause 11 is not included;
    • Clause 17 : Option 1 is applied : the Governing law is the one of the Contract or, if the law of the Contract is not the law of an EU Member State, French law;
    • Clause 18(b) : The competent courts are the ones of the Contract or, if the courts of the Contracts are not in the EU, the French courts.
    • The SCCs Appendices I, II and III (all sections) are completed by the Parties and attached to this Data Protection Agreement.

3.3 The Data Processor ensures its staff authorized to process Personal Data : 

  • is subject to an appropriate legal obligation of confidentiality. 
  • receives the necessary training regarding the protection of Personal Data. 

3.4 Sub Processors 

Data Processor shall not provide access to the Personal Data of Data Controller to any third party, with the exception of the sub processors mentioned in Exhibit A.

Any addition or replacement of the Sub processors shall be notified to Data Controller with a 30-day prior notice. 

This notice must clearly indicate the outsourced processing activities as well as the Sub Processor’s identity, and the possibility of Personal Data being transferred outside the European Union or to an international organization. The Data Controller has a maximum period of fifteen (15) days from the date of the receipt of this information to raise written objections. 

If the Parties do not agree following objections raised by the Data Controller, the Data Processor will be granted the right to terminate the Contract without penalty.

The Sub Processor must comply with the obligations of the Contract and the Data Protection Agreement, and process Personal Data only for the account and according to the Data Controller’s instructions. Consequently, the initial Data Processor agrees to sign a written contract with the Sub Processor imposing on the Sub Processor equivalent obligations on the protection of Personal Data as outlined in the Contract and the Data Protection Agreement.

If the Sub Processor does not fulfil its obligations regarding the protection of Personal Data, the Data Processor remains fully responsible to the Data Controller for the Sub Processor’s performance of its obligations.

3.5 Data subjects’ right to information

Given the nature of the Services, it is the responsibility of the Data Controller to provide information on the Personal Data processing to the Data Subjects. 

3.6 Exercise of the rights of Data Subjects

As far as possible, the Data Processor shall assist the Data Controller in fulfilling its obligation to respond to requests for the exercise of Data Subjects’ rights under the Personal Data Legislation.

When Data Subjects exercise their rights with the Data Processor, the Data Processor shall send these requests via email to the person designated by the Data Controller in Exhibit A or communicate by any other means that the Data Controller chooses. The Data Processor can respond directly to the Data Subject’s request only at the Data Controller’s instruction.

3.7 Notification of Personal Data breaches

The Data Processor notifies the Data Controller of all Personal Data breaches as soon as possible and, in any case, within seventy-two (72) hours after having become aware of it. This notification shall be accompanied by all available information enabling the Data Controller, if necessary, to notify the relevant supervisory authority or the Data Subjects of the breach, including :

  1. a description of the nature of the Personal Data breach including, if possible, the categories and the approximate number of Data Subjects affected by the breach and the categories and approximate number of Personal Data records concerned.
  2. the name and contact information of the data protection officer or other point of contact from whom additional information can be obtained.
  3. a description of the likely consequences of the Personal Data breach.
  4. a description of the measures taken or how the Data Processor proposes to remedy the Personal Data breach, including if necessary, measures for mitigating any negative consequences.

If, and insofar as, it is not possible to supply all the information at once, it may be communicated in increments without undue delay.

The Data Processor agrees to actively collaborate with the Data Controller in order to meet their regulatory and contractual obligations. Only the Data Controller can inform the relevant supervisory authority of the Personal Data breach and provide information on this breach to the persons concerned; the Data Processor therefore refrains from making such notification and communication. 

3.8 Privacy impact assessment

Data Processor shall assist Data Controller in ensuring compliance with its obligations pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to the Data Processor.

3.9 Security Measures

Without prejudice to the provisions in the body of the Contract, the Data Processor shall implement all appropriate technical and organizational measures to protect Personal Data, taking into account the state of knowledge, implementation costs, nature, scope, context and the purposes of the processing as well as the risks to the rights and freedoms of natural persons, whose degree of probability and severity may vary, in order to guarantee a level of security appropriate to the risk.

The Data Processor especially agrees to take all necessary precautions with respect to the nature of the Data and the risks encountered by its processing in order to preserve the security of the Data files and especially the prevention of any corruption, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by any unauthorized third parties. 

The means implemented by the Data Processor for ensuring the security and confidentiality of the Data especially include the following measures, to be outlined in Exhibit A. The Data Processor agrees to maintain these measures throughout the entire Contract period.

3.10 Fate of the data

Upon termination of the Contract the Data Processor agrees, at Data Controller’s choice:

  • to return all Personal Data and files to the Data Controller in a useable format and within the specific conditions specified by the Data Controller, or to send the Personal Data to another data processor designated by the Data Controller and then, 

and/or

  • to destroy all Personal Data and manual or computerized files containing the information collected within a timeframe of two (2) months after its return, unless stipulated otherwise by community law or the law of a Member State of the European Union applicable to the processing covered by this agreement.

4. DATA CONTROLLER’S OBLIGATIONS 

The Data Controller agrees:

  • To provide the Data Processor with the Personal Data listed in Exhibit A.
  • To provide written instructions regarding the Data Processor’s processing of Data.
  • Not to give to the Data Processor instructions which do not comply with the Personal Data Legislation.

5. COOPERATION IN THE EVENT OF AUDIT

Data Processor shall make available to Data Controller all information necessary to demonstrate compliance with Data Processor’s obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, conducted by Data Controller pursuant to the conditions laid down below.

  • Data Processor shall keep records in a reasonable manner evidencing that it complies with its obligations pursuant to this DPA and will allow Data Controller to audit such evidence to verify its compliance, with sixty (60) days’ prior written notice.
  • Such audit may be conducted by either Data Controller’s own staff or by a third-party auditor under contract with Data Controller, provided such third-party auditor is subject to a non-disclosure agreement. 
  • All audits must be conducted remotely and shall be limited to five (5) business days.  
  • The scope of any audits shall be mutually agreed in advance between the Parties acting reasonably and in good faith. 
  • Such right shall not be exercised more than once a year.

 

EXHIBIT A – CHARACTERISTICS OF DATA PROCESSING

DESCRIPTION OF PROCESSING

Purpose of the processing: Provide the All-in-One Services as defined in the Contract

Nature of processing operations performed: Collection, analysis, storage, backup, deletion.

Types of Personal Data processed and retention time:

  • IP Address: deleted after 30 days
  • UserAgent: deleted after 30 days
  • Device: anonymized after 30 days
  • Browser: anonymized after 30 days
  • Country: anonymized after 30 days
  • Visited URL (publisher domain): deleted after 30 days
  • Previous URL (referral domain): deleted after 30 days

Data Subject categories: Publisher’s websites visitors

Processing duration: Duration of the main contract with Publisher

SUBPROCESSORS

Subprocessor: Google Cloud

  • Outsourced processing activities: Hosting
  • Location of data (EEA or country with adequacy decision / outside EEA): Depending on client (Belgium or Netherlands for EU clients)
  • Transfer safeguards in place, if necessary: N/A; EU Standard Contractual Clauses
  • Opti Digital Services concerned: All

Subprocessor: Cloudflare

  • Outsourced processing activities: CDN
  • Location of data (EEA or country with adequacy decision / outside EEA): Worldwide
  • Transfer safeguards in place, if necessary: EU-US Data Privacy Framework and EU Standard Contractual Clauses when necessary. Additional measures: https://www.cloudflare.com/trust-hub/gdpr/ (https://www.cloudflare.com/cloudflare-customer-dpa/)
  • Opti Digital Services concerned: All