Global Data Processing Agreement (DPA)

1. Background and purpose
1.1 This Global Data Processing Agreement (“DPA”) is an annex to and forms an integral part of the service agreement or other written or electronic agreement (“Agreement”) which governs the Service provided by Smartly.io to Customer.
1.2 In the course of providing the Service to Customer pursuant to the Agreement, Smartly.io may process Customer Personal Data on behalf of Customer. This DPA describes the Parties’ rights and obligations with respect to the Processing of Customer Personal Data by Smartly.io on behalf of Customer in connection with the Services.
2. Definitions
2.1 For the purpose of this DPA, unless expressly otherwise stated or evident in the context, the following capitalised terms shall have the following meanings:
“CCPA” means the California Consumer Privacy Act as amended, replaced, or superseded from time to time (including without limitation by the California Privacy Rights Act), and any binding regulations promulgated thereunder.
“Customer Personal Data” means the Personal Data included in the Customer Content.
“Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
“Data Protection Laws” means any constitution, law, statute, treaty, rule, regulation, ordinance, or other binding code or guidance issued by competent regulatory authorities—whether national, federal, state, provincial, municipal, local, foreign, international, multinational, or otherwise—that is applicable to Smartly.io’s processing of Customer Personal Data, in each case as updated, amended, or replaced from time to time.
“EEA” means the European Economic Area.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679), as amended, replaced, or superseded from time to time, together with any applicable data protection or privacy laws implementing or supplementing it.
“Sub-processor” means another processor engaged by Processor in the Processing of Personal Data and, where applicable, possible other Processor engaged by the Sub-processor of Smartly.io.
2.2 The terms “Personal Data”, “Data Subject”, “Processing”, “Controller”, and “Processor” as used in this DPA have the meanings given by the applicable Data Protection Laws or, absent an applicable definition or meaning in the applicable Data Protection Laws, the meanings provided in the GDPR.
2.3 The terms “Personal Data”, “Data Subject”, “Controller”, and “Processor” include “Personal Information”, “Consumer”, “Business”, and “Service Provider” respectively, as required by CCPA.
2.4 In addition, unless expressly otherwise stated, the applicable definitions provided in the Agreement shall be applied to this DPA.
3. Processing of Personal Data
3.1 Roles of the Parties
3.1.1 For the purposes of the Processing of Customer Personal Data, Customer shall be either the Controller or the Processor on behalf of its end-clients, and Smartly.io shall be the Processor on behalf of Customer. With respect to Customer Personal Data that qualifies as Personal Information as defined in the CCPA, the Parties agree that Smartly.io acts as the Service Provider.
3.2 Subject matter, nature and purpose
3.2.1 The subject matter, nature and the purpose of the Processing is to supply and enable the Services provided by Smartly.io to Customer. The Processing of Customer Personal Data shall take place solely for the purposes defined herein and Smartly.io shall not be entitled to use the Customer Personal Data for any other purposes, unless otherwise stated in the Agreement. Customer hereby authorises Smartly.io to transfer Customer Personal Data to those Online Advertising Platforms and other third parties who are involved in the provision of the Services and to anonymize Customer Personal Data.
3.2.2 Nothing in this DPA shall operate to transfer, assign or otherwise grant to Smartly.io any right or interest to the Customer Personal Data, unless otherwise stated in the Agreement.
3.3 Personal Data and Data Subjects
3.3.1 Customer may submit or make available Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.
3.3.2 The types of Customer Personal Data processed by Smartly.io on Customer’s behalf consist of data of Customer’s end-users and/or consumer customers, such as Personal Data included in custom conversion data, Customer’s audiences or interactions between Customer and end-users submitted or made available by Customer via the Service.
3.3.3 Customer Personal Data may also include other types of Personal Data and/or concern other categories of Data Subjects if required by the purpose of the Processing as agreed between the Parties.
3.4 Duration and termination of the Processing
3.4.1 This DPA becomes effective simultaneously with the Agreement and shall continue to be in effect until the Agreement is terminated.
3.4.2 Personal Data is processed for as long as necessary to provide the Service. If any Processing by Smartly.io is required after termination of the Agreement, e.g. in order to transfer data back to Customer, such Processing shall be conducted in accordance with the provisions of this DPA.
3.4.3 In the event of termination of the Agreement, Smartly.io shall delete the Customer Personal Data, or if requested by Customer in writing, return the Customer Personal Data to Customer in a commonly used format as soon as practically possible after the end of the Agreement and such Customer Personal Data shall be deleted thereafter from the systems of Smartly.io.
3.4.4 If and to the extent it is required by law that any Customer Personal Data need to remain in the possession of Smartly.io, Customer shall be notified thereof and shall be provided with copies of such data. In such case, Smartly.io shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is processed only when necessary for the purpose(s) specified in the applicable laws requiring such storage and for no other purpose.
3.4.5 Smartly.io shall provide, upon Customer’s written request, Customer with a written certification that it has fully complied with the Subsections from 3.4.3 to 3.4.4 above.
3.5 Instructions for Processing
3.5.1 The Customer Personal Data shall be processed in accordance with Customer’s documented instructions. This DPA and the Agreement are Customer’s complete documented instructions at the time of signature of the Agreement to Smartly.io for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately.
3.5.2 If Smartly.io may not follow the instructions given by Customer due to applicable compelling laws or it considers an instruction to infringe any law, Smartly.io shall immediately inform Customer of such matter.
3.6 General obligations of the Parties
3.6.1 Customer shall have sole responsibility for: (i) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data; (ii) ensuring that it has established adequate lawful bases under Data Protection Laws to permit Smartly.io to lawfully Process Customer Personal Data as contemplated herein.
3.6.2 Each Party shall comply with all applicable Data Protection Laws in the Processing of the Personal Data and other actions under this DPA.
3.6.3 Except to the extent permitted by Data Protection Laws, Smartly.io: (i) will only retain, use, or disclose Customer Personal Data it Processes under this DPA for the purposes specified in the Agreement and within the direct business relationship between the Parties; (ii) will not sell or share (as prohibited in the CCPA or other applicable Data Protection Laws) to third parties the Customer Personal Data it processes on Customer’s behalf under this DPA; and (iii) will not combine Customer Personal Data with personal data that it receives from, or on behalf of, another person(s), or collects from its own interaction with the consumer. Smartly.io certifies that it understands and will comply with the restrictions of this section.
3.6.4 Smartly.io shall implement appropriate technical and organisational measures for the security of Processing as required by the Data Protection Laws and as further specified in Section 6 below.
3.6.5 Smartly.io shall reasonably assist Customer: (i) in ensuring the compliance with the provisions on security of the Customer Personal Data as set forth in the Data Protection Laws; (ii) by appropriate technical and organizational measures in the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws; (iii) in carrying out privacy and data protection impact assessments, related consultations of and other dealings with data protection authorities; and (iv) by making available to Customer all information necessary to demonstrate compliance with the Customer Personal Data related obligations in the Agreement and Data Protection Laws.
4. Sub-processors
4.1 Customer acknowledges and agrees that (a) Smartly.io’s Affiliates may be retained as Sub-processors; and (b) Smartly.io and its Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
4.2 Upon Customer’s request, Smartly.io shall inform Customer in writing of the Sub-processors used in the Services and the specific Processing activities they are engaged for. Smartly.io shall also inform Customer in writing of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Customer the opportunity to object to such changes. Customer may only object to such changes based on reasonable data protection concerns.
4.3 Smartly.io shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor.
4.4 Where a Sub-processor fails to fulfil its data protection obligations, Smartly.io remains liable for any acts or omissions of such Sub-processor as for its own.
5. Location and transfers of data
5.1 The provisions of Sections 5.2-5.3 shall apply to any transfers of Customer Personal Data processed under this DPA from the EU/EEA to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories.
5.2 Smartly.io may transfer to or process Customer Personal Data in a non-EU/EEA country, which the EU Commission has not found to provide an adequate level of protection. In case Smartly.io or Sub-processor engaged by Smartly.io processes or in any way makes the Personal Data accessible outside the EU/EEA countries it must secure that such Processing is performed under appropriate safeguards and otherwise complies with the statutory requirements regarding the Processing of Personal Data outside the EU/EEA countries.
5.3 Upon Customer’s request, Smartly.io shall provide written information about the location(s) in which Personal Data is processed pursuant to this DPA.
6. Security of Processing
6.1 Smartly.io shall implement and maintain at all times appropriate operational, administrative, physical and technical measures in accordance with common industry practice to protect the Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.
6.2 Smartly.io shall ensure that persons authorised to process the Customer Personal Data have committed themselves to appropriate confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Smartly.io shall limit access to the Customer Personal Data to personnel on a need-to-know basis.
7. Data breaches
7.1 In case of a Data Breach, Smartly.io shall notify Customer thereof in writing without undue delay after having become aware of it. The notification shall at least:
- describe the nature of the Data Breach, the affected Customer Personal Data, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
- communicate the name and contact details of a contact point where more information can be directly obtained in case such person is other than the contact person under the Agreement;
- describe the likely consequences of the Data Breach, in particular to the Customer Personal Data; and
- describe the measures taken or proposed to be taken by Smartly.io to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 Where, and in so far as, it is not possible to provide the information under Section 7.1 at the same time without undue delay, the information may be provided in several parts within the time limit.
7.3 Upon Customer’s request, Smartly.io shall assist Customer with reasonable effort in documenting an occurred Data Breach as required by Data Protection Laws and in reporting the Data Breach to the supervisory authority and to the Data Subjects in accordance with Customer’s instructions.
8. Audit
8.1 Customer or another auditor mandated by Customer may, once a year at most, audit the level of the data protection on and appropriateness of the Processing of Customer Personal Data by Smartly.io upon 14 working days’ prior written notice to ensure the compliance with this DPA and Data Protection Laws.
8.2 The auditor mandated by Customer may not be a direct or indirect competitor of Smartly.io. Smartly.io has a right to require the mandated auditor to enter into an appropriate confidentiality agreement prior to the audit.
8.3 Smartly.io shall contribute to the aforementioned audits and make available all information required to complete the audits. The audits shall be performed during the normal working hours and shall not unreasonably disturb the operations of Smartly.io.
8.4 Customer shall carry its own costs relating to the audits and shall reimburse Smartly.io for any reasonable costs and expenses that Smartly.io may incur due to any such audit. Before the commencement of any such audit, Customer and Smartly.io shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.
8.5 The Parties agree that Smartly.io has the right to provide Customer with an audit report covering the data processing and especially the technical and organizational security measures at its own costs. In this case, Customer agrees that the rights to audit Smartly.io have been satisfied and that Customer has no additional rights under this Section 8 to audit Smartly.io provided that:
- the audit has been performed by a recognized, independent third party with proven experience in the field; and
- the audit report is no older than twelve (12) months.
9. Liability
9.1 Smartly.io’s total aggregate liability arising out of or related to this DPA (including without limitation claim back right under Art. 82 of the GDPR), whether in contract, tort or under any other theory of liability, is subject to the limitations of liability of the Agreement.