Advertisers DPA

 

DATA PROTECTION AGREEMENT

 

Affilae has always taken care of the protection of its customers’ data. Our DPA (Data Protection Agreement) guarantees that we treat your collected data seriously and that we will continue to do so within the European legal framework to come.

 

 

TABLE OF CONTENTS

 

DEFINITIONS

1. DURATION

2. ROLE OF THE PARTIES

3. GENERAL OBLIGATIONS OF THE PARTIES

4. PARTIES’ PERSONNEL

5. CALL FOR SUBCONTRACTING

6. INFORMATION OF THE DATA SUBJECTS AND MANAGEMENT OF RIGHTS

7. COMPLIANCE COOPERATION

8. SECURITY MEASURES

9. BREACH OF PERSONAL DATA

10. MAINTAINING THE PROCESSING ACTIVITIES REGISTER

11. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION

12. OWNERSHIP OF DATA

13. APPLICABLE LAW AND JURISDICTION

 

APPENDIX 1: DESCRIPTION OF THE JOINT TREATMENT

APPENDIX 2: DATA RECIPIENTS AND PROCESSOR

 

 

 

WHEREAS:

 

AFFILAE allows the Advertiser to benefit from a management tool for its affiliation campaigns and the commissions paid to its Affiliates.

 

In order to use the Services, the Advertiser has accepted the general conditions of sale and use of AFFILAE (hereinafter the “Agreement”).

 

The Parties have decided to jointly define the purposes and means of the processing of personal data detailed in Appendix 1.

 

The purpose of this Agreement, established in application of Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, is to jointly define the conditions under which the Parties undertake to implement the personal data processing operations defined in Appendix 1 according to the methods defined below.

 

As part of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, the aforementioned Regulation (EU) 2016/679 (hereinafter, “the European regulation on data protection”), the “Data Protection Act” Law No 78-17 of 6 January 1978 as amended and the regulations on industrial and intellectual property.

 

It is expressly understood that this Agreement has been the subject of negotiation between the Parties.

 

THE PARTIES HAVE THEREFORE AGREED TO THE FOLLOWING:

 

DEFINITIONS

 

For the purposes hereof, the following terms shall have the meaning given below:

  • “Advertiser”: refers to any natural or legal person having accepted the general conditions of sale and use of AFFILAE and using its Services to manage its affiliation programmes.
  • “Affiliates”: refers to any natural or legal person adhering to the affiliation programme offered by the Advertiser.
  • “Public Authority”: refers to any legal person governed by public law or private law acting under delegation of public service and requiring access of any kind to the Data.
  • “Cookies” or “Trackers”: refers to any file, pixel or script used by AFFILAE and implemented on the Website in order to collect the information necessary for the provision of the Services.
  • “Data”: refers to all types of information and/or data to which the Parties have access within the framework of the contractual relationship, whatever the format or medium, whether Personal Data (defined below) or not (e.g. financial data, operators, users, partners, strategic, technical, professional, administrative, commercial, legal, accounting data, etc.).
  • “Personal Data”: refers to any information relating to an identified natural person or who can be identified as such, either directly or indirectly by grouping together information, by reference to an identification number or to elements which are specific to them: name, address, telephone number, IP address, email address, vehicle registration number, professional number, username/login, password, connection data, etc.
  • “Sensitive Data”: refers to the special categories of data of which the processing is, in principle, prohibited. This is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data and/or biometric data for the purpose of identifying a unique natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
  • “Internet Users”: refers to all people browsing the Advertiser’s Website.
  • “Data Subject”: refers to all the persons whose personal data are subject to data processing.
  • “Data Controller”: refers to the people who together determine the purposes and means of processing.
  • “Services”: refers to the services provided by AFFILAE to the Advertiser under the Agreement.
  • “Website”: refers to the Advertiser’s website.
  • “Subcontractor”: refers to the person processing personal data on behalf of the controller. They act under the authority of the controller and on the instructions of the latter.
  • “Terminal”: refers to the device used by the Internet user to browse the Advertisers’ Website and where Cookies may be deposited.
  • “Processing”: refers to any operation relating to information, regardless of the process used (automated or non-automated). All forms of Data Processing are therefore covered, whether on computer media or otherwise (paper, video recording, audio, etc.). Regarding Personal Data in particular, it may be operations of collection, recording, organisation, storage, adaptation, modification, extraction, consultation/visualisation, dissemination or provision.
  • “Personal data breach”: refers to a security breach that accidentally or unlawfully results in access to or destruction, loss, alteration or unauthorised disclosure of Personal Information transmitted, stored or processed.

 

1. DURATION

 

This Agreement enters into force upon signature and is concluded for the duration of the Agreement.

 

2. ROLE OF THE PARTIES

 

Under this Agreement, the Parties are required to act as co-controllers depending on the processing operations carried out and detailed in Appendix 1.

It is specified that the obligations provided for in this Agreement only apply to processing operations carried out by the Parties as joint managers.

 

3. GENERAL OBLIGATIONS OF THE PARTIES

 

3.1 Advertiser’s obligations

 

The Advertiser undertakes to:

  • respect the principle of lawfulness of the processing provided for in Article 6 of the GDPR. In particular, the Advertiser undertakes to collect consent under the conditions specified below (Cookie Banner);
  • process the data only for the sole purpose(s) of the processing indicated in Appendix 1;
  • guarantee the confidentiality of the personal data processed within the framework of this Agreement;
  • take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default;
  • oversee the processing, including performing audits and inspections on the other Party;
  • ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the European data protection regulation on the part of the other Party;
  • designate a contact person. This contact person must be endowed with the experience, competence, authority and means necessary to carry out his/her assignment;
  • inform the Data Subjects in accordance with Articles 13 and 14 of the European Data Protection Regulation and the CNIL recommendation No 2020-092 of 17 September 2020;
  • make the broad outlines of this Agreement available to Data Subjects on first request in addition to the information provided in Article 6.1 by adapting the following model:

 

The present processing of your data has been the subject of an agreement between AFFILAE and [__Advertiser__], each jointly responsible within the meaning of Article 26 of the European General Data Protection Regulation of 27 April 2016, which entered into force on 25 May 2018. AFFILAE and [__Advertiser__] have thus jointly undertaken to inform you of the nature of this processing and of the rights available to you, and to implement the appropriate organisational and technical measures to ensure the security and confidentiality of your data.

  • collaborate in good faith, in particular by communicating to any Party all the documents, data and information necessary or requested to ensure the compliance of the co-processed processing detailed in Appendix 1.

 

The Advertiser undertakes to collect free, informed, specific and unambiguous consent via a “cookie banner” in accordance with Article 4 of the GDPR and the recommendation of the CNIL No 2020-092 of 17 September 2020 (hereafter the “Cookie Banner”).

To this end, the Advertiser guarantees AFFILAE that:

  • The Cookie Banner does not disappear until the Internet User has expressly accepted or refused the deposit of Cookies on their Terminal;
  • No Cookie or Tracker is deposited on the Internet User’s Terminal without their express prior consent. In particular, the Advertiser recognises that continuing to browse does not in any way constitute valid consent and prohibits any collection of Cookies on such a basis;
  • The period of validity of the consent to the deposit of Cookies is set at a maximum of six (6) months. At the end of this period, the Advertiser undertakes to obtain the consent of the Internet User again to deposit Cookies on their Terminal;
  • It has set up a fast and easily accessible device on its Website, allowing Internet Users to withdraw their consent to the deposit of Cookies at any time;
  • The Cookie Banner contains the information listed in Article 7 of this Agreement as well as a reference to a confidentiality policy or a specific information notice and

 

3.2 Obligations of AFFILAE

 

AFFILAE undertakes to:

  • guarantee the confidentiality of the personal data processed within the framework of this Agreement;
  • take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default;
  • collaborate in good faith, in particular by communicating all the documents, data and information necessary or requested to ensure the compliance of the co-processed processing detailed in Appendix 1.

 

4. PARTIES’ PERSONNEL

 

  • Qualification of personnel

 

The Parties will assign sufficient and qualified teams to carry out the Assignments. These teams must be trained in personal data protection regulations.

 

  • Staff non-subordination

 

In the context of the related Assignments and Processing as detailed in Appendix 1, it is hereby specified that the personnel of one of the Parties will not be in any way linked to the other Party, by any link of subordination. The only person authorised to take disciplinary and work organisation measures and, in general, to settle all problems relating to personnel management, is the Party for whose benefit the employment contracts have been concluded. Thus, the personnel of each of the Parties remains under their sole authority, direction and supervision.

 

5. CALL FOR SUBCONTRACTING

 

The Parties may call on one or more subcontractors to carry out specific processing activities in compliance with the purposes defined for the Processing defined in Appendix 1. In this case, the Parties undertake and ensure that the selected subcontractors present sufficient levels of guarantee to strictly comply with the applicable data protection law.

 

If the selected subcontractor(s) do not fulfil their data protection obligations, the Party that selected this subcontractor remains solely and fully responsible for these breaches.

 

In the event that the subcontractor is jointly selected by the Parties, the responsibility in the event of breach by this subcontractor of the obligations in terms of data protection will be shared.

 

6. INFORMATION OF THE DATA SUBJECTS AND MANAGEMENT OF RIGHTS

 

6.1. Personal information

 

It is the Advertiser’s responsibility to provide the Data Subjects with information relating to the processing operations detailed in Appendix 1, as well as the broad outlines of this Agreement in accordance with the provisions of Articles 13 and 26 of the GDPR.

In particular, the Advertiser undertakes to set up a “cookie banner” in accordance with the CNIL recommendation No 2020-092 of 17 September 2020 and notably mentioning:

  • The precise purposes of the AFFILAE Trackers used on the Website;
  • AFFILAE’s capacity as cookie editor, which must appear in its “cookie banner”;
  • The right and the ability of the Internet User to oppose the deposit of these Cookies on their Terminal at any time using a dedicated button;
  • The possibility of accepting or refusing the deposit of Cookies on their Terminal.

 

The Advertiser undertakes to provide, in addition to the information mentioned on the “cookie banner”, the following information and to adapt the model available below for this purpose:

“The personal information collected by AFFILAE on its own behalf and that of [Advertiser] in their capacity as joint managers is intended to measure the performance of its advertising campaigns and to calculate the amount of the commission of its affiliated partners. This information is kept in an active database for a period of 12 months, after which it will be deleted.

The information recorded can only be communicated to the subcontractors of AFFILAE and to our affiliated partners in order to calculate the amount of their commission.

You have a right of access, rectification, portability and erasure of your personal data, a right to define directives relating to the use of your post-mortem data or to limit the processing concerning you.

You can exercise these rights by writing to our Data Protection Officer by email at the address [insert email address of Advertiser’s DPO] or by mail at [insert postal address of the Advertiser’s DPO].

You can also object to the processing of data concerning you and have the right to withdraw your consent at any time. You have the right to file a complaint with a supervisory authority.”

 

In the event that a data transfer outside the EU is made during processing, the following statement will be added:

“Some of these recipients are located outside the European Union. In this case, we made sure that:

  • The country concerned has been the subject of an adequacy decision by the European Commission;
  • Otherwise, the recipient has signed standard contractual clauses and we will be alerted to any request for access to your data from a public authority.”

 

The costs relating to the provision of information to individuals will be shared by the Parties.

 

6.2. Rights management

 

The Parties help each other to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and opposition, right to limit processing, right to data portability, right not to be the subject of an individual automated decision (including profiling), right to organise what happens to their personal data, in particular after death.

 

The Advertiser will primarily ensure contact with the data subject so that they can exercise their rights, in particular by making a contact procedure available on their Website.

However, the data subject being able to exercise their rights over their Personal Data with regard to and against each of the Data Controllers, the Parties must communicate to each other any request to exercise the rights of a data subject as soon as possible and no later than two (2) days after receipt.

AFFILAE will also ensure the communication of the exercise of the rights of individuals to its partners that are recipients of Personal Data.

In the event of a request to exercise the rights of interest to both Parties, they agree within a maximum period of twenty (20) days from receipt of the request to follow up on the request.

The Party which refuses on its own to exercise the rights of the data subject must justify this refusal vis-à-vis the other Party and the data subject. They shall bear the costs incurred alone and shall alone assume any penalties resulting from the non-exercise of the rights of the data subject.

 

7. COMPLIANCE COOPERATION

 

The Parties shall use all necessary means to help each other in their compliance with data protection regulations.

 

When the performance of an impact assessment relating to data protection or the performance of the prior consultation of the supervisory authority are necessary for the processing operations carried out jointly, the Parties will work together to carry out these impact assessments. The costs incurred may be shared between the Parties.

 

The Parties shall communicate the name and contact details of the data protection officers appointed by them, or, failing that, their representative. These contact details appear in Appendix 1 and must be brought to the attention of the data subjects in the same way as the various mentions of information provided for in Articles 13 and 14 of the GDPR.

 

8. SECURITY MEASURES

 

The Parties undertake to implement the technical and organisational security measures detailed in Appendix 1 to ensure the security and confidentiality of the Data.

 

9. BREACH OF PERSONAL DATA

 

9.1 Notification to the CNIL services

 

The Parties undertake to notify each other as soon as possible of any Personal Data Breach that endangers or has consequences on the Personal Data collected to the email address of their DPO as specified in Appendix 1.

The Parties shall jointly notify any personal data breach within seventy-two (72) hours at the latest after becoming aware of it to the CNIL services unless the breach in question is not likely to give rise to a risk to the rights and freedoms of the data subjects.

 

When this notification cannot be made within the period of seventy-two (72) hours, the Parties will present legitimate and valid reasons for the delay.

 

The notification shall contain at least:

 

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and the approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other point of contact from whom additional information can be obtained;
  • the description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed by the controller to remedy the breach of personal data, including, where appropriate, measures to mitigate any negative consequences.

 

If it is not possible to provide all this information at the same time, it can be communicated in a staggered manner without undue delay.

 

The notification is accompanied by any useful documentation to enable the violation to be assessed.

 

Before sending, the notification made by one of the Parties is subject to validation by the other Party.

 

9.2 Communication to data subjects

 

The Parties also communicate the personal data breach to the data subjects as soon as possible, when this breach is likely to create a high risk for the rights and freedoms of a natural person.

 

The communication to the data subject will describe, in clear and simple terms, the nature of the personal data breach, and will contain:

 

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and the approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other point of contact from whom additional information can be obtained;
  • the description of the likely consequences of the personal data breach;
  • the description of the measures taken or proposed by the controller to remedy the breach of personal data, including, where appropriate, measures to mitigate any negative consequences.

 

The means and content of the communication will be determined jointly by the Parties.

 

10. MAINTAINING THE PROCESSING ACTIVITIES REGISTER

 

The Parties are responsible for maintaining the register of processing activities in their respective capacity as Data Controller.

 

11. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION

 

As part of the processing referred to in Appendix 1, the Advertiser accepts and recognises that the data may be transferred to Affiliates located outside the European Union.

 

AFFILAE undertakes to:

  • Ensure that the third country in which the Affiliate is established is a country which, according to the European Commission, has an adequate level of protection of Personal Data; or
  • Conclude with the Affiliate:
    • The standard contractual clauses of the European Commission;
    • A Data Agreement providing that the latter undertakes to:
      • alert AFFILAE of any request for access to Data by a Public Authority within forty-eight (48) hours of said request;
      • when the law so provides, lodge any recourse allowing the said access request to be contested before the competent courts before giving access to the data;
      • allow AFFILAE to suspend its access to the Services within forty-eight (48) hours from the notification of the access request or the discovery of the access request;
    • Ensure that transfers made with the Affiliate fall within the exception regime referred to in Article 49 of the General Data Protection Regulation, if applicable.

 

 

AFFILAE undertakes to notify the Advertiser as soon as possible of any access request from a Public Authority of which it has been alerted by an Affiliate or which it has discovered by its own means.

 

12. OWNERSHIP OF DATA

 

The Parties agree that they will remain owners of their respective databases.

 

13. APPLICABLE LAW AND JURISDICTION

 

This Agreement shall be governed by and interpreted in accordance with French law and any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the French courts, to which each of the parties irrevocably submits.

Before any contentious action, the Parties will seek, in good faith, to settle amicably their disputes relating to the validity, interpretation, execution or non-execution, interruption, termination or denunciation of this Agreement, as well as the partial or total cessation of the commercial relationship between the Parties, for some causes and on any basis whatsoever. The Parties will have to meet in order to compare their points of view and make any useful observations to enable them to find a solution to the conflict between them.

The Parties will endeavour to find an amicable agreement within 30 days of notification by one of them of the need for an amicable agreement, by registered letter with acknowledgement of receipt.

 

 

APPENDIX 1: DESCRIPTION OF THE JOINT TREATMENT

 

 

AFFILAE’s DPO contact details
  • Thomas PITROU
  • Phone: 003538.58.44.18.40
  • Mail: thomas@affilae.com
Main purpose
  • Management of the affiliate campaign
Sub-purposes

 

  • Tracking management (impressions, clicks, conversions)
  • Management of Affiliate commissions
  • Statistics
Legal basis
  • Consent of Internet users
Categories of persons concerned
  • Internet users
  • Affiliates
Data Categories
  • Data relating to the Internet user (IP address, Country, UserAgent, FingerPrint);
  • Data relating to the user’s browsing path (LandingPage, Referrer, ClicsID,
    Date and time of clicks, impressions and conversions, Publisher);
  • Commission data (Program, orderID, Amount, Commission, Commission per click).
Data retention period

 

  • The data are kept for a period of 25 months, then are archived, then deleted.
Transfers outside the EU
The data may be transferred to Affiliates established in a country outside the European Union.

In this case, AFFILAE:

  • Ensures that the country concerned benefits from an adequacy decision from the European Commission;
  • Otherwise, concludes the standard contractual clauses of the European Commission and has incorporated additional contractual measures into its DPA.
Informational measures
The persons concerned are informed of the processing via a cookie banner and a specific information notice available on the Advertiser’s Website in accordance with Article 6 of this Agreement.
Modality of obtaining consent from individuals
Consent is collected by the Advertiser by means of one or more buttons located on its cookie banner. The validity period of consent is six months. The Internet user has the possibility to withdraw his consent at any time by means of a specific button on the Website.
Security measures implemented by AFFILAE
Technical measures:

  • Software protection measures (Transport Layer Security, GCP, MongoCloud);
  • Personal data backup (Backup GCP, Backup MongoCloud).

Organizational measures:

  • Control of user access to databases.

 

 

APPENDIX 2: DATA RECIPIENTS AND PROCESSOR

 

 

Category of Subcontractor / Recipient 1: Data hosting
Company Name: MONGODB
Location: United States
Phone number: 1-866-692-1371
Privacy Policy: Privacy Policy
E-mail address: privacy@mongodb.com

Category of Subcontractor / Recipient 2: Data hosting, Analytics
Company Name: Google LLC
  • Google Cloud Platform
  • Google Workspace
  • Google Analytics
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: Privacy Help Center

Category of Subcontractor / Recipient 3: Marketing and transactional emails
Company Name: MAILGUN TECHNOLOGIES
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: privacy@mailgun.com

Category of Subcontractor / Recipient 4: Payment processor
Company Name: STRIPE
Location: United States
Phone number: 1-866-692-1371
Privacy Policy: Privacy Policy
E-mail address: Contact us

Category of Subcontractor / Recipient 5: Data hosting
Company Name: Amazon Web Services
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: Privacy Help Center

Category of Subcontractor / Recipient 6: CRM
Company Name: Pipedrive
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: dpo@pipedrive.com, privacy@pipedrive.com