DATA PROTECTION AGREEMENT

 
Affilae has always taken care to protect its customers’ data. Our DPA (Data Protection Agreement) guarantees that we treat your collected data seriously, and that we will continue to do so within the European legal framework to come.
 
 
 
TABLE OF CONTENTS
 
DEFINITIONS
1. DOCUMENTATION AND CONTRACTUAL HIERARCHY
2. DURATION
3. ROLE OF THE PARTIES
4. GENERAL OBLIGATIONS OF THE PARTIES
5. PARTIES’ PERSONNEL
6. CALL FOR SUBCONTRACTING
7. INFORMATION OF THE DATA SUBJECTS AND MANAGEMENT OF RIGHTS
8. COMPLIANCE COOPERATION
9. SECURITY MEASURES
10. BREACH OF PERSONAL DATA
11. MAINTAINING THE PROCESSING ACTIVITIES REGISTER
12. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION
13. OWNERSHIP OF DATA
14. APPLICABLE LAW AND JURISDICTION
 
APPENDIX 1: DESCRIPTION OF TREATMENT
APPENDIX 2: DATA RECIPIENTS AND PROCESSOR
 
 
 
 
WHEREAS:
 
AFFILAE allows the Affiliate to join and participate in affiliate programmes allowing them to receive a commission, in particular in the event of a click or sale carried out from a link or a promotional code published on their Website or social networks.
 
In order to benefit from the Services, the Affiliate has accepted the general conditions of sale and use of AFFILAE (hereinafter the “Agreement”).
 
The Parties have decided to jointly define the purposes and means of the processing of personal data detailed in Appendix 1.
 
The purpose of this Agreement, established in application of Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, is to jointly define the conditions under which the Parties undertake to implement the personal data processing operations defined in Appendix 1 according to the methods defined below.
 
As part of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, the aforementioned Regulation (EU) 2016/679 (hereinafter, “the European regulation on data protection”), the “Data Protection Act” Law No 78-17 of 6 January 1978 as amended and the regulations on industrial and intellectual property.
 
It is expressly understood that this Agreement has been the subject of negotiation between the Parties.
 
THE PARTIES HAVE THEREFORE AGREED TO THE FOLLOWING:
 
DEFINITIONS
 
For the purposes hereof, the following terms shall have the meaning given below:
“Agreement”: refers to this data protection agreement and its Appendices according to the contractual hierarchy set out in Article 1.
 
“Affiliate”: refers to any natural or legal person that has accepted the general conditions of sale and use of AFFILAE and joined an affiliation programme in order to receive commissions.
 
“Public Authority”: refers to any legal person governed by public law or private law acting under delegation of public service and requiring access of any kind to the Data.
 
“Cookies” or “Trackers”: refers to any file, pixel or script used by AFFILAE and implemented on the Website in order to collect the information necessary for the provision of the Services.
 
“Data”: refers to all types of information and/or data to which the Parties have access within the framework of the contractual relationship, whatever the format or medium, whether Personal Data (defined below) or not (e.g. financial data, operators, users, partners, strategic, technical, professional, administrative, commercial, legal, accounting data, etc.).
 
“Personal Data”: refers to any information relating to an identified natural person or who can be identified as such, either directly or indirectly by grouping together information, by reference to an identification number or to elements which are specific to them: name, address, telephone number, IP address, email address, vehicle registration number, professional number, username/login, password, connection data, etc.
 
“Sensitive Data”: refers to the special categories of data of which the processing is, in principle, prohibited. This is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data and/or biometric data for the purpose of identifying a unique natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
 
“Data Subject”: refers to all the persons whose personal data are subject to data processing.
 
“Website”: refers to the Affiliate’s website.
 
“Services”: refers to the services provided by AFFILAE to the Affiliate within the framework of the joint processing of personal data detailed in Appendix 1.
 
“Processing”: refers to any operation relating to information, regardless of the process used (automated or non-automated). All forms of Data Processing are therefore covered, whether on computer media or otherwise (paper, video recording, audio, etc.). Regarding Personal Data in particular, it may be operations of collection, recording, organisation, storage, adaptation, modification, extraction, consultation/visualisation, dissemination or provision.
 
“Data Controller”: refers to the people who together determine the purposes and means of processing.
 
“Subcontractor”: refers to the person processing personal data on behalf of the controller. They act under the authority of the controller and on the instructions of the latter.
 
“Personal data breach”: refers to a security breach that accidentally or unlawfully results in access to or destruction, loss, alteration or unauthorised disclosure of Personal Information transmitted, stored or processed.
 
 
 
1.    DOCUMENTATION AND CONTRACTUAL HIERARCHY
 
The Agreement formed between the Parties consists, in order of priority, of:
This Agreement;
Appendix 1;
Appendix 2.
In the event of a contradiction between one or more stipulations of the contractual documents making up the Agreement, the stipulations of the higher-ranking document shall prevail.
 
2.    DURATION
 
This Agreement enters into force upon signature and is concluded for the duration of the Agreement.
 
3.    ROLE OF THE PARTIES
 
Under this Agreement, the Parties are required to act as co-controllers depending on the processing operations carried out and detailed in Appendix 1.
It is specified that the obligations provided for in this Agreement only apply to processing operations carried out by the Parties as joint managers.
 
4.    GENERAL OBLIGATIONS OF THE PARTIES
 
The Affiliate undertakes to:
respect the principle of lawfulness of the processing provided for in Article 6 of the GDPR;
process the data only for the sole purpose(s) of the processing indicated in Appendix 1;
guarantee the confidentiality of the personal data processed within the framework of this Agreement;
take into account, with respect to its tools, products, applications or services, the principles of data protection from the design stage and data protection by default;
oversee the processing, including performing audits and inspections on the other Party;
ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the European data protection regulation on the part of the other Party;
designate a contact person. This contact person must be endowed with the experience, competence, authority and means necessary to carry out his/her assignment;
inform data subjects in accordance with Articles 13 and 14 of the European Data Protection Regulation;
make the broad outlines of this Agreement available to Data Subjects on first request in addition to the information provided in Article 6.1 by adapting the following model:
 
The present processing of your data has been the subject of an agreement between AFFILAE and [Advertiser] for our affiliation campaigns, each jointly responsible within the meaning of Article 26 of the European General Data Protection Regulation of 27 April 2016, which entered into force on 25 May 2018. AFFILAE and [Advertiser] have thus jointly undertaken to inform you of the nature of this processing, of the rights available to you and to implement the appropriate organisational and technical measures to ensure the security and confidentiality of your data.
collaborate in good faith, in particular by communicating to any Party all the documents, data and information necessary or requested to ensure the compliance of the co-processed processing detailed in Appendix 1.
 
AFFILAE undertakes to:
guarantee the confidentiality of the personal data processed within the framework of this Agreement;
take into account, with respect to its tools, products, applications or services, the principles of data protection from the design stage and data protection by default;
collaborate in good faith, in particular by communicating all the documents, data and information necessary or requested to ensure the compliance of the co-processed processing detailed in Appendix 1.
 
5.    PARTIES’ PERSONNEL
 
Qualification of personnel
 
The Parties will assign sufficient and qualified teams to carry out the Assignments. These teams must be trained in personal data protection regulations.
 
Staff non-subordination
 
In the context of the related Assignments and Processing as detailed in Appendix 1, it is hereby specified that the personnel of one of the Parties will not be in any way linked to the other Party, by any link of subordination. The only person authorised to take disciplinary and work organisation measures and, in general, to settle all problems relating to personnel management, is the Party for whose benefit the employment contracts have been concluded. Thus, the personnel of each of the Parties remains under their sole authority, direction and supervision.
 
6.    CALL FOR SUBCONTRACTING
 
The Parties may call on one or more subcontractors to carry out specific processing activities in compliance with the purposes defined for the Processing defined in Appendix 1. In this case, the Parties undertake and ensure that the selected subcontractors present sufficient levels of guarantee to strictly comply with the applicable data protection law.
 
If the selected subcontractor(s) do not fulfil their data protection obligations, the Party that selected this subcontractor remains solely and fully responsible for these breaches.
 
In the event that the subcontractor is jointly selected by the Parties, the responsibility in the event of breach by this subcontractor of the obligations in terms of data protection will be shared.
 
7.    INFORMATION OF THE DATA SUBJECTS AND MANAGEMENT OF RIGHTS
 
It is the Advertiser’s responsibility to provide the Data Subjects with information relating to the processing operations detailed in Appendix 1, as well as the broad outlines of this Agreement in accordance with the provisions of Articles 13 and 26 of the GDPR.
In particular, the Affiliate undertakes to provide the following information by adapting the model below:
“The personal information collected by AFFILAE on its own behalf and that of [Affiliate] in their capacity as joint managers is intended to measure the performance of its affiliate links and to calculate the amount of its commission. This information is kept for a period of 12 months, after which it is deleted.
The information recorded can only be communicated to AFFILAE’s subcontractors, as well as to advertisers who provide affiliate links or other promotional tools available on our Website. It is specified that, when you click on one of these links or any other promotional tool, your navigation is likely to be traced by AFFILAE.
You have a right of access, rectification, portability and erasure of your personal data, a right to define directives relating to the use of your post-mortem data or to limit the processing concerning you.
You can exercise these rights by writing to our Data Protection Officer by email at the address [insert email address of Affiliate’s DPO] or by mail at [insert postal address of the Affiliate’s DPO].
You can also object to the processing of data concerning you and have the right to withdraw your consent at any time. You have the right to file a complaint with a supervisory authority.”
 
In the event that a data transfer outside the EU is made during processing, the following statement will be added:
“Your data is transferred outside of the European Union. The following guarantees have been put in place to secure this transfer:
The country concerned has been the subject of an adequacy decision by the European Commission;
Otherwise, we have signed standard contractual clauses;
We are committed to alerting AFFILAE of any access request from a public authority within forty-eight (48) hours of receipt of said request and to appeal against this request before giving access to this authority to your data.”
 
Rights management
 
The Parties help each other to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and opposition, right to limit processing, right to data portability, right not to be the subject of an individual automated decision (including profiling), right to organise what happens to their personal data, in particular after death.
 
The Affiliate will primarily ensure contact with the data subject so that they can exercise their rights, in particular by making a contact procedure available on their Website.
However, since the data subject is able to exercise their rights over their Personal Data with regard to and against each of the Data Controllers, the Parties must communicate to each other any request to exercise the rights of a data subject as soon as possible and no later than two (2) days after receipt.
AFFILAE will also ensure the communication of the exercise of the rights of individuals to its partners that are recipients of Personal Data.
In the event of a request to exercise the rights of interest to both Parties, they agree within a maximum period of twenty (20) days from receipt of the request to follow up on the request.
The Party which refuses on its own to exercise the rights of the data subject must justify this refusal vis-à-vis the other Party and the data subject. They shall bear the costs incurred alone and shall alone assume any penalties resulting from the non-exercise of the rights of the data subject.
 
8.    COMPLIANCE COOPERATION
 
The Parties shall use all necessary means to help each other in their compliance with data protection regulations.
 
When the performance of an impact assessment relating to data protection or the performance of the prior consultation of the supervisory authority are necessary for the processing operations carried out jointly, the Parties will work together to carry out these impact assessments. The costs incurred may be shared between the Parties.
 
The Parties shall communicate the name and contact details of the data protection officers appointed by them, or, failing that, their representative. These contact details appear in Appendix 1 and must be brought to the attention of the data subjects in the same way as the various mentions of information provided for in Articles 13 and 14 of the GDPR.
 
 
9.    SECURITY MEASURES
 
The Parties undertake to implement the technical and organisational security measures detailed in Appendix 1 to ensure the security and confidentiality of the Data.
 
10. BREACH OF PERSONAL DATA
 
10.1 Notification to the CNIL services
 
 
The Parties undertake to notify each other as soon as possible of any Personal Data Breach that endangers or has consequences on the Personal Data collected to the email address of their DPO as specified in Appendix 1.
 
The Parties shall jointly notify any personal data breach within seventy-two (72) hours at the latest after becoming aware of it to the CNIL services unless the breach in question is not likely to give rise to a risk to the rights and freedoms of the data subjects.
 
When this notification cannot be made within the period of seventy-two (72) hours, the Parties will present legitimate and valid reasons for the delay.
 
The notification shall contain at least:
 
a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and the approximate number of personal data records concerned;
the name and contact details of the data protection officer or other point of contact from whom additional information can be obtained;
the description of the likely consequences of the personal data breach;
a description of the measures taken or proposed by the controller to remedy the breach of personal data, including, where appropriate, measures to mitigate any negative consequences.
 
If it is not possible to provide all this information at the same time, it can be communicated in a staggered manner without undue delay.
 
The notification is accompanied by any useful documentation to enable the violation to be assessed.
 
Before sending, the notification made by one of the Parties is subject to validation by the other Party.
 
10.2 Communication to data subjects
 
The Parties also communicate the personal data breach to the data subjects as soon as possible, when this breach is likely to create a high risk for the rights and freedoms of a natural person.
 
The communication to the data subject will describe, in clear and simple terms, the nature of the personal data breach, and will contain:
 
a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and the approximate number of personal data records concerned;
the name and contact details of the data protection officer or other point of contact from whom additional information can be obtained;
the description of the likely consequences of the personal data breach;
the description of the measures taken or proposed by the controller to remedy the breach of personal data, including, where appropriate, measures to mitigate any negative consequences.
 
The means and content of the communication will be determined jointly by the Parties.
 
11. MAINTAINING THE PROCESSING ACTIVITIES REGISTER
 
The Parties are responsible for maintaining the register of processing activities in their respective capacity as Data Controller.
 
12. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION
 
As part of the processing referred to in Appendix 1, the Parties undertake not to transfer the data outside the European Union.
 
However, in the event that the Affiliate is established in a country outside the European Union which does not benefit from an adequacy decision from the European Commission, the Affiliate acknowledges that the use of the Services constitutes a transfer of data outside the European Union within the meaning of Chapter 5 of the GDPR.
 
In this case, the Affiliate
Accepts and acknowledges that acceptance of this DPA constitutes unreserved acceptance of the standard contractual clauses annexed to Appendix 2 hereto;
Undertakes, in the event of a request for access to Data from a Public Authority and when local law allows it, to file any recourse allowing the validity of the request for access to be contested before granting any access to the Data to the requesting Public Authority;
Undertakes to notify AFFILAE by email at contact@affilae.staging1.kaizen-developments.com of any request for access to Data from a Public Authority within forty-eight (48) hours from the said request and, in any event, before giving access to the data to the Public Authority. In the event that the Affiliate notifies AFFILAE of a request for access to Data from a Public Authority or abstains for any reason whatsoever from notifying such a request or such access to AFFILAE, the Affiliate accepts and acknowledges that AFFILAE may automatically terminate its access to the Services within forty-eight (48) hours from said notification or discovery of the request or access to Data from a Public Authority.
 
13. OWNERSHIP OF DATA
 
The Parties agree that they will remain owners of their respective databases.
 
14. APPLICABLE LAW AND JURISDICTION
 
This Agreement shall be governed by and interpreted in accordance with French law and any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the French courts, to which each of the parties irrevocably submits.
Before any contentious action, the Parties will seek, in good faith, to settle amicably their disputes relating to the validity, interpretation, execution or non-execution, interruption, termination or denunciation of this Agreement, as well as the partial or total cessation of the commercial relationship between the Parties, for any cause and on any basis whatsoever. The Parties will have to meet in order to compare their points of view and make any useful observations to enable them to find a solution to the conflict between them.
The Parties will endeavour to find an amicable agreement within 30 days of notification by one of them of the need for an amicable agreement, by registered letter with acknowledgement of receipt.
 
 
APPENDIX 1: DESCRIPTION OF TREATMENT
 
 
AFFILAE’s DPO contact details:
Thomas PITROU
Tel: 003538.58.44.18.40
Mail: thomas@affilae.staging1.kaizen-developments.com

Main Purpose: Management of the affiliate campaign

Sub-purposes:
Tracking management (impressions, clicks, conversions)
Management of Affiliate commissions
Statistics

Legal basis: Consent of Internet users

Categories of persons concerned:
Internet users
Affiliates

Data Categories:
Data relating to the Internet user (IP address, Country, UserAgent, FingerPrint)
Data relating to the user’s browsing path (LandingPage, Referrer, ClicsID, Date and time of clicks, impressions and conversions, Publisher)
Commission data (Profile, orderID, Amount, Commission).

Duration of conservation: The data are kept for a period of 25 months then are archived, then deleted.

Transfers outside the EU: The data may be transferred outside the European Union when the Affiliate is established outside the European Union.

Transfer mechanisms:
The standard contractual clauses available in Appendix 2 of the DPA.
In addition to these clauses, the Affiliate undertakes to notify AFFILAE within forty-eight (48) hours of any request for access to Data from a Public Authority and, when the law allows it, to file any recourse allowing to contest the validity of this request before granting any access to the said Public Authority to the Data.

Informational measures: Data subjects are informed via a notice inserted on the Affiliate’s website (Art. 6 of the Agreement).

Method of collecting the consent of persons: Internet users consent to the collection of data via a cookie banner available on the site of advertisers who offer their programs to Affiliates.

Method of exercising rights: Internet users exercise their rights with the Affiliate.

Security measures set up by AFFILAE:
Technical measures:
Software protection measures (Transport Layer Security, GCP, MongoCloud);
Personal data backup (Backup GCP, Backup MongoCloud).
Organizational measures:
Control of user access to databases.
 

APPENDIX 2: DATA RECIPIENTS AND PROCESSOR
 

Category of Subcontractor / Recipient 1: Data hosting
Company Name: MONGODB
Location: United States
Phone number: 1-866-692-1371
Privacy Policy: Privacy Policy
E-mail address: privacy@mongodb.com
 

 
Category of Subcontractor / Recipient 2: Data hosting, Analytics
Company Name: Google LLC; Google Cloud Platform; Google Workspace; Google Analytics
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: Privacy Help Center
 

 
Category of Subcontractor / Recipient 3: Marketing and transactional emails
Company Name: MAILGUN TECHNOLOGIES
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: privacy@mailgun.com
 

 
Category of Subcontractor / Recipient 4: Payment processor
Company Name: STRIPE
Location: United States
Phone number: 1-866-692-1371
Privacy Policy: Privacy Policy
E-mail address: Contact us
 

 
Category of Subcontractor / Recipient 5: Data hosting
Company Name: Amazon Web Services
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: Privacy Help Center
 

 
Category of Subcontractor / Recipient 6: CRM
Company Name: Pipedrive
Location: United States
Phone number: N/A
Privacy Policy: Privacy Policy
E-mail address: dpo@pipedrive.com, privacy@pipedrive.com