CMT Data Protection Agreement
This Data Processing Agreement (âDataProcessingAgreementâ, âDPAâ, âAgreementâ) entered into by and between Client (as defined under the Terms and Conditions) (hereinafter referred to as âClientâ or âyouâ) and Commerce Media Tech (as defined under the Terms and Conditions) (hereinafter referred to as âCommerce Media Techâ, âusâ or âweâ) is effective as of 25 May, 2018 and forms an integral part of, and is subject to, Terms and Conditions available at https://cm.tech/terms-and-conditions/, and/or to the Publisher Terms & Conditions available at https://cm.tech/publisher-terms-conditions/ (if applicable).
Client and Commerce Media Tech are hereinafter jointly referred to as the âPartiesâ and individually as the âPartyâ. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions, and/or in the Publisher Terms & Conditions (if applicable). In the event of any conflict between this DPA and the Terms and Conditions, the terms of this DPA shall prevail.
This Agreement only applies to the extent that the EU Data Protection Law applies to the Processing of Personal Data under this Agreement, including if (a) the Processing is carried out in the context of the activities of an establishment of either Party in the European Economic Area (âEEAâ), and/or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
1.DEFINITIONS
âControllerâ or âData Controllerâ means the entity that determines the purposes and means of the Processing of Personal Data.
âProcessorâ or âData Processorâ means the entity which Processes Personal Data on behalf of the Data Controller.
âData Subjectâ means the individual to whom Personal Data relates, including End Users.
âEnd Userâ means the end user of an internet connected device, such as a visitor to a web page, a user of a mobile app, or a user of an IoT device, or a visitor on advertisement or campaign webpage.
âGDPRâ means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also known as âGeneral Data Protection Regulationâ).
âPersonal Dataâ means any information relating to an identified or identifiable person as defined in Article 4.1 of the GDPR.
âProcessingâ means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (âProcessâ, âProcessesâ and âProcessedâ shall have the same meaning).
âSub-Processorâ means any Data Processor engaged by the Processor.
âServicesâ means services provided by the Commerce Media Tech n accordance with the Terms and Conditions, and/or with thePublisher Terms & Conditions (if applicable).
2. PROCESSING OF PERSONAL DATA
2.1. Under this DPA and with respect to Personal Data, Client is Data Controller or Processor and Commerce Media Tech is engaged by Client as Processor or another Processor (Sub-Processor) in respect to Personal Data, as applicable. The terms of this Agreement shall apply to either of the relations between the Parties regarding the Processing of Personal Data mentioned herein.
2.2. Within the scope of this DPA, Client hereby engages Commerce Media Tech to collect, process and/or use Personal Data on Clientâs behalf.
2.3. Commerce Media Tech will only Process Personal Data on your behalf and in accordance with your instructions. The instructions from the Client to Process Personal Data are the following: (i) Processing shall be carried out in accordance with this DPA, the Terms and Conditions and pursuant to the features and limitations of the applicable Services which Commerce Media Tech provides to Client; and (ii) Processing shall be carried out in compliance with other reasonable instructions provided by the Client, where such instructions are consistent with the Terms and Conditions. Commerce Media Tech will be under no obligation to comply with instructions that Commerce Media Tech deems as violating applicable laws. Processing outside the scope of this DPA (if any) will require: (i) prior written agreement between Client and the Commerce Media Tech, and (ii) Clientâs additional instructions for processing.
2.4. Commerce Media Tech uses the Personal Data solely to provide the Services in accordance with Terms & Conditions, i.e. in order to perform tracking services / serve End Users with interestâbased advertising, as well as to measure the effectiveness of advertising campaigns and provide you with advertising reports. In that context, the Commerce Media Tech â on your demand â may also combine Personal Data from different sources in order to improve Services and integrate Services with external platforms, all of which will be conducted on your behalf. Commerce Media Tech also processes Personal Data on your behalf and to serve your interests for the purposes of fraud prevention, bot detection, rating, analytics, viewability, ad security services. Commerce Media Tech may also process data based on the extracts of Personal Data in aggregated and non-identifiable forms, including for the purposes of testing, development, control and operation of the Services.
2.5. Commerce Media Tech may process the following information on your behalf: IP addresses, language information, session-based browsing behavior, header information, End Userâs device-related data (such as the type or model of the device), operating system, wireless carrier providing communication services to such device, geographical location (geo-location) of the device, cookies, advertising identifiers of the device, as well as other information we may receive from you or from third parties engaged by the Commerce Media Tech on your behalf, such as non-precise device location based on the IP address, device specifications and userâs interestâs information. Client also authorizes Commerce Media Tech to store and use cookies or pixel tags on End Userâs device on behalf of the Client in order to perform Services. Additional information regarding the types of End Userâs data that may be collected or used by the Client through Services are specified inEnd User Privacy Policy.
2.6. Without derogating from any of the obligations of the Client hereunder, the Client shall not provide Commerce Media Tech with any data a) which by itself identifies an individual, such as name, address, phone number, email address; and b) regarding children, or any special categories of personal data, as defined under Article 9 of the GDPR, except as may otherwise be expressly agreed in writing between the Parties and in accordance with the applicable law. This type of data is not necessary to use the Commerce Media Tech Services.
2.7. Client is responsible for ensuring their own compliance with various laws and regulations, including the GDPR. To the extent required under the applicable law, you shall provide an appropriate notice to Data Subjects about the Processing of their Personal Data in connection with the use of Services under this DPA and under the End User Privacy Policy, and you shall receive and document the Data Subjectsâ consent thereof to the extent required under the applicable law.
2.8. To the extent required under the applicable law, Client must also use commercially reasonable efforts to ensure that the End User is provided with clear and comprehensive information about cookies or other information on the End Userâs device in connection with the use of Services by the Client and, if applicable, consents to their storing and accessing. To the extent required under the applicable law, Client shall inform the End User about third party cookies (or other tracking technologies) which may be placed on Clientâs site(s), specifying the purpose of these cookies (e.g., targeted advertising) and the type of data collected on the Clientâs site(s). Client shall also inform End Users of options to deactivate Commerce Media Tech cookies by including in its privacy policy a link to the Commerce Media Tech End User Privacy Policy and when legally compulsory, appropriate notice, consent and choice mechanisms that comply with relevant laws and regulations, including GDPR.
2.9. You acknowledge and agree that you retain sole responsibility for the lawfulness of the Processing and warrant to the Commerce Media Tech that you are legally allowed to engage the Commerce Media Tech to process Personal Data on your behalf, have provided all necessary notices and obtained all required consents from the Data Subjects (if apply) for the purposes of the Processing described in this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1. Commerce Media Tech shall notify Client via e-mail if he receives a request from a Data Subject in the subject of access to, correction, amendment, deletion of or objection to the processing of that Data Subjectâs Personal Data. Commerce Media Tech shall not respond to any such Data Subject request without Clientâs prior written consent, except in order to confirm that the request relates to the Client.
3.2. To the extent that Client responds to any such Data Subject request, Commerce Media Tech shall provide Client, to the extent required by law, with commercially reasonable cooperation and assistance in relation to handling of a Data Subjectâs request, to the extent legally permitted.
3.3. Commerce Media Tech reserves the right to charge additional fees in relation to the cooperation with the Client in regard to this DPA.
4. COMMERCE MEDIA TECH PERSONNEL
4.1. Commerce Media Tech shall ensure that its personnel engaged in the Processing of Personal Data is informed of the confidential nature of the Personal Data, has received appropriate training on their responsibilities and is subject to obligations of confidentiality. Such obligations shall survive the termination of that individualâs engagement with the Commerce Media Tech.
4.2. Commerce Media Tech shall ensure that access to Personal Data is limited only to those members of personnel who require that access in order to fulfil Commerce Media Tech obligations under the Terms and Conditions.
5. SECURITY
5.1. Pursuant to Article 28, Section 3(c) of the General Data Protection Regulation, the Commerce Media Tech shall take the measures required by the Article 32 of the GDPR.
5.2. Commerce Media Tech shall provide sufficient guarantees of implementation of the appropriate technical and organizational measures in a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subject.
5.3. Commerce Media Tech imposes appropriate contractual obligations upon its personnel that engages in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection and data security. Commerce Media Tech ensures that its applicable personnel has been properly informed of the confidential nature of the Personal Data, has received appropriate training and has executed written confidentiality agreements. Commerce Media Tech will further ensure that such confidentiality agreements will survive the termination of employment or another form of engagement of its personnel.
5.4. Only authorized persons, who are also obligated to keep confidential information confidential, including in particular Personal Data processed by Commerce Media Tech, employees and other persons employed by Commerce Media Tech or cooperating with Commerce Media Tech, are entitled to stay in the Commerce Media Tech area of Personal Data Processing. Access to the area of Data Processing is controlled with the use of the individual door entry cards. The area of Personal Data Processing is also protected 24 (twenty four) hours a day, 7 (seven) days a week by security guards.
5.5. Commerce Media Tech has Personal Data Protection Policy as well as other data protection documentation (with regard to IT systems included but not limited to: âIT Systems Continuity Procedure and BCAL & BIA & DRPâ, âBackup, disaster recovery and testing procedures (including re-execution of the right to be forgotten)â, âProcedure of granting and registering permissions in IT Systemsâ) implemented in its organization that ensures ongoing confidentiality, integrity, availability and resilience of processing systems and service.
5.6. Commerce Media Tech IT systems processing Personal Data ensure accountability of the operations performed on Personal Data by reporting information about the date, scope and person performing a given operation. Personal Data databases and systems are subject to periodic carrying out of backup copies. The Commerce Media Tech IT Administrator is responsible for making and testing backup copies.
5.7. Servers processing Personal Data are installed in the secure server room or entrusted to other providers, to whom processing of Personal Data was entrusted.
5.8. Commerce Media Tech has implemented security measures against unauthorized access and operation of malware: firewall protecting an access to the local network from the Internet (the Commerce Media Tech IT Administrator is responsible for firewall administration) and antivirus software (virus definition database is updated on an ongoing basis and as soon as new definitions are released by the software producer).
5.9. A typical pseudonymization in Commerce Media Tech shall replace the direct identifier of the data subject with CID and/or UID number. Commerce Media Tech processes also provide a standard approach to anonymization when publishing, including a set of standard anonymization plans. A standard anonymization plans as well as standard anonymization techniques on which these plans are built are specified in Commerce Media Tech procedures. Commerce Media Tech follows the steps of identifying the nature of information to publish and data source(s), assessing risk and specifying data anonymization, deriving non- identifying data from data source(s), reviewing/testing data provided are non-identifying and publishing.
5.10. Measures to ensure Personal Data protection at the time of their transfer consist of implemented verification and supervision procedure for the processors as well as SSP partners. Where it is necessary to carry out the verification questionnaire, the DPO directly, through the designated person or a person responsible for conducting an agreement with a potential processor/partner, requests the processor/partner to complete it. The DPO assesses the processor/partner on the basis of the completed questionnaire and informs the designated person of the verification outcome before the agreement can be concluded.
5.11. Specific technical and organizational measures taken by Commerce Media Tech to provide assistance to the Client consist of specific Commerce Media Tech procedures in force regarding especially finding information about Personal Data being processed in Commerce Media Tech systems, handling and notifying of Personal Data security incidents, handling the data subjectsâ requests. As an example in case of data subjectsâ requests the special employees have been designated for specific organizational units and data processing processes, whose task is to cooperate with the DPO on processing the applications of data subjects.
6. AUDIT RIGHT
6.1. To the extent that the applicable law requires you to be in a position to monitor the adequate Processing of Personal Data, you as the Client have the right to request an audit from the Commerce Media Tech to the extent necessary to review whether we as the Commerce Media Tech and our Sub-Processors are compliant with the following regulations: (i) any provisions of the Law, (ii) the terms of this DPA, and (iii) Clientâs instructions.
6.2. Commerce Media Tech may provide you with a copy of its most recent third-party audits or certifications issued by an independent, third-party auditor, as applicable, or any summaries thereof in order to fulfil your audit rights. If an audit is required by law and where its requirements cannot be fulfilled by the provision of such certification, you may conduct, either by yourself or through a third party independent contractor selected by you at your expense, an on-site audit of the Commerce Media Tech. Such audit may be conducted subject to the following terms: (i) the audit will be pre-scheduled in writing with Commerce Media Tech at least 30 days in advance and will be performed once a year at most; (ii) if applicable, all of your personnel performing the audit, whether employed or contracted by you, will execute a Commerce Media Tech standard non-disclosure agreement prior to the initiation of the audit, and a third party auditor will in addition execute a non-competition undertaking; (iii) you will undertake all necessary measures to ensure and verify that the auditors do not access, disclose or compromise the confidentiality and security of Personal Data other than Your Personal Data on Commerce Media Tech information and network systems; (iv) you will take all necessary measures to prevent any damage or interference with Commerce Media Tech or its service providersâ information and network systems; (v) you will bear all costs and assume responsibility and liability for the audit and for any failures or damage caused as a result thereof; and (vi) any audit activities on Commerce Media Tech third-party service providersâ information systems will be pre-scheduled and agreed on with the applicable providers; (vii) you will keep the audit results in strict confidentiality, use them solely for the specific purposes of the audit under this Section 6 and the GDPR will not use the results for any other purpose, or share them with any third party, without the Commerce Media Tech prior explicit written confirmation; (viii) If you are required to disclose the audit results to a competent authority, you will provide the Commerce Media Tech with a prior written notice, explaining the details and necessity of the disclosure, as well as provide all further necessary assistance to prevent such disclosure.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1. If Commerce Media Tech becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to any Personal Data transmitted, stored, or otherwise Processed on Commerce Media Tech equipment or in Commerce Media Tech facilities (âSecurity Breachâ), Commerce Media Tech will promptly: (i) notify the Client of the Security Breach; (ii) investigate the Security Breach and provide Client with all relevant information about the Security Breach; and (iii) take all commercially reasonable steps to mitigate the effects and minimize any damage resulting from the Security Breach.
8. SUBPROCESSING AND TRANSBORDER DATA TRANSFERS
8.1. Client authorizes Commerce Media Tech to appoint Sub-Processors in order to provide the Services.
8.2. Commerce Media Tech may continue to use the Sub-Processors already engaged by the Commerce Media Tech according to this DPA.
8.3. It is acknowledged and agreed by the Client that Commerce Media Tech uses the following Sub-Processors for the purpose of providing its Services:
| Sub-Processors | Services provided by Sub-Processors | Transborder data processing legal basis |
|---|---|---|
| Amazon Web Services Inc. | Cloud hosting services | A subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision |
| Freshworks Inc. | Help desk services | A subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision |
| Loggly Inc. | Analytical services | A subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision |
8.4. Commerce Media Tech may appoint new Sub-Processors and shall give notice of the appointment of any new Sub-Processor (for instance, as a part of this Agreement amendment), whether by general or specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub-Processor. If within seven (7) days from such notice Client notifies Commerce Media Tech of any objections in writing (on reasonable grounds) to the proposed appointment, the Commerce Media Tech shall not appoint the proposed Sub-Processor for the processing of Clientâs Personal Data until reasonable steps have been taken to address the objections raised by the Client and until the Client has been provided with a reasonable explanation of the steps undertaken. Where such steps are not sufficient to eliminate the Clientâs reasonable objections, either the Client or Commerce Media Tech may, by notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-Processor without bearing liability for such termination.
8.5. Commerce Media Tech may integrate the Clientâs services with external service providersâ platforms for the purpose of providing its Services, on Clientâs behalf and for the purposes of serving the Clientâs interests, where such external service providers may be Sub-Processors, which Client hereby agrees to. A full list of such Sub-Processors is available upon the Clientâs written request directed to the Commerce Media Tech.
8.6. Notwithstanding the provisions above, you hereby authorize the Commerce Media Tech to subcontract the Processing to the Sub-Processors based outside of the European Economic Area (EEA) to the extent necessary to duly perform the Service(s), under the condition that the Sub-Processors will provide sufficient guarantees in relation to the required level of data protection, e.g. through a subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or based on other applicable transborder data transfer mechanisms.
9. TERM AND RETENTION PERIOD
9.1. This DPA automatically supplements the agreement concluded by and between you and Commerce Media Tech under Commerce Media Tech Terms and Conditions when you create your Commerce Media Tech account.
9.2. Subject to the provision of section 9.3. below, Client authorizes Commerce Media Tech to retain Personal Data for a period of 3 months from the date of its collection on Clientâs behalf and for the purpose of serving its interests, including for fraud prevention, ad security services, reporting services, complaints or chargebacks handling. This data may be deleted from the Commerce Media Tech servers after this retention period and/or after the termination of Agreement (in accordance with point 9.3. below) or earlier, at your written request. If Client instructs Commerce Media Tech to delete such data during the above mentioned period such data will be no longer available to Client and can not be recovered by Client.
9.3. This Agreement shall continue in force until the termination of the agreement for Services concluded between you and Commerce Media Tech when you create your Commerce Media Tech account (the âTermâ). In particular this Agreement is subject to termination upon deletion of your Commerce Media Tech account (the âExpiry of the Termâ). On the Expiry of the Term, Clients hereby instructs Commerce Media Tech to delete all data subjects to this Agreement and processed by Commerce Media Tech on behalf of the Client, in particular End Usersâ Data, from Commerce Media Tech systems (including existing copies of it), within 3 months after expiration. After a period up to 3 months following such expiry, all the data will be deleted and no longer available to Client, which the Client acknowledges and agrees to. Client has nevertheless the right to retrieve such data within the abovementioned 3 months period following the Expiry of Term. The retrieving of the data is carried out in a manner agreed on between Commerce Media Tech and Client and only upon Clientâs request made no later than within the above mentioned maximum period of 3 months. Client acknowledges and agrees that Commerce Media Tech will not be responsible for storage, exporting or retrieving this data after the expiry of the period indicated above.
10. NOTICES AND CONTACT TO DATA PROTECTION OFFICER
10.1. If you wish to make any inquiries about this Agreement, please contact our data protection officer at dpo@cm.tech
11. LIMITATION OF LIABILITY
11.1. Client shall indemnify and hold Commerce Media Tech, its officers, directors, employees, contractors, and agents harmless from and against all claims, liabilities, administrative fines, suits, judgments, actions, investigations, settlements, penalties, fines, damages and losses, demands, costs, expenses, and fees including reasonable attorneysâ fees and expenses, arising out of or in connection with any claims, demands, investigations, proceedings, or actions brought by data subjects, legal persons (e.g., corporations and organizations), or supervisory authorities under the data protection laws that apply to Commerce Media Tech in respect of processing of Personal Data on behalf of Client through Services.
11.2. The liability of each party under this Agreement shall be subject to the exclusions and limitations of liability set out in the Terms & Conditions, and/or in the Publisher Terms & Conditions (if applicable).
12. GOVERNING LAW
12.1. This Agreement shall be governed by, and is construed in accordance with, the laws of the State of Poland, without giving any effect to any choice of law and provisions thereof that would cause the application of the laws of any other jurisdiction.