ADDENDUM DATA PROCESSING

PLEASE NOTE: THIS IS A COPY OF THE PROCESSOR'S AGREEMENT.

This Data Processing Addendum, including Exhibit 1, (hereinafter : "Processor Agreement") is an addendum and forms part of the General Terms and Conditions of Service AdPage.io or other written or electronic agreement between AdPage. io and Customer for the purchase of Server Side Tracking services from AdPage.io (identified as "Services" or otherwise in the applicable agreement, and hereinafter defined as "Services") (hereinafter : the "Agreement") to shape the agreement between the Parties with respect to the Processing of Personal Data. Customer enters into this Processor Agreement on its own behalf and, to the extent required under applicable data protection laws and regulations. In the course of providing the Services to Customer under the Agreement, AdPage.io may process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to Personal Data, each acting reasonably and in good faith.

‍

HOW TO IMPLEMENT THIS PROCESSOR AGREEMENT:

1. This Processor Agreement consists of two parts: the main text of the Processor Agreement, Attachment 1 and the associated attachments.
2. This Processor Agreement is pre-signed on behalf of AdPage.io as the processor. Attachment I is pre-signed by AdPage.io as the data importer.
3. To complete this Processor Agreement, Customer must:Complete the information in the signature box in and sign on pages 5 and 19.Sign the document in the AdPage Tagging portal.

HOW THIS PROCESSOR AGREEMENT APPLIES

Unless otherwise expressly provided in the Agreement, this Processor Agreement shall become legally binding upon receipt by AdPage.io of the validly completed Processor Agreement at support@adpage.io.

For the avoidance of doubt, signing the Processor Agreement on page 5 shall be deemed as signing and accepting the Standard Contractual Clauses, including Exhibit II and Exhibit III. If the Customer signing this Processor Agreement is a party to the Agreement, then this Processor Agreement is an addendum to and part of the Agreement. In that case, AdPage.io is a party to this Processor Agreement.

IS AGREED AS FOLLOWS

1. Definitions and interpretation.

1.1 In this Processor Agreement, the following terms shall have the meanings set forth below:
‍

AdPage.io: is a trade name of AdPage BV (KVK: 75440482), whose registered address is: Velmolenweg 54 A 5404 LD, Uden The Netherlands. Also referred to as "Processor".

Agreement: means written or electronic agreement between AdPage.io and Customer for the purchase of Server Side Tracking services from AdPage.io.

Provisions: module two (Transfers between controller and processor) of the Model Contractual Clauses to Commission Implementing Decision (EU) 2021/914, as set out in Annex 1 to this processor agreement.

Customer: means the legal entity or Consumer with whom AdPage.io has entered into a legally binding agreement. Also referred to as "Controller".

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

Customer Data: includes all data and information provided to AdPage.io by or for the Customer in order to provide Services.

Processor Agreement: is this Data Processing Addendum, including its attachments, as amended from time to time.

Data protection laws means all applicable laws relating to the protection of personal data or privacy in force from time to time in the European Economic Area and the United Kingdom, including (but not limited to) the EU GDPR, the UK GDPR and the UK Data Protection Act 2018, and any other applicable law relating to data protection or the privacy of individuals.

EU GDPR or "AVG" means EU General Data Protection Regulation 2016/679.Parties:Both AdPage.io and Customer.

Personal Data means any information relating to an identified or identifiable living individual that is processed by Processor on behalf of Controller as a result of, or in connection with, the provision of the Services under the Agreement, the details of which are set forth in Part B of Exhibit I to Schedule 1 to this Processor Agreement, which may be amended from time to time by mutual agreement between the Parties.

Processor: a natural or legal person, government agency, agency or other body that processes personal data on behalf of the Controller.

Service(s): Any Services made available to Customers through the AdPage.io online platform, plugins, third-party websites or any other Service offered by AdPage.io.

1.2 The terms "third country," "Member State," "data subject," "personal data breach," "processing" and "supervisory authority" shall have the same meaning as in the EU GDPR, and their corresponding terms shall be interpreted accordingly.

1.3 In case of conflict or ambiguity between:

1.3.1 a provision in the body of this Processor Agreement and a provision in Schedule 1, the provision in Schedule 1 shall prevail; and

1.3.2 any of the provisions of this Processor Agreement and the provisions of the Agreement itself, the provisions of this Processor Agreement shall prevail with respect to the subject matter of this Processor Agreement.

‍

BACKGROUND

(A) The client has a website or web shop and wants to achieve more leads and sales.

(B) AdPage.io is a provider of specialized analytics Server Side Tracking Services , and Customer desires to purchase AdPage.io 's services related to properly measuring the results of advertisements by using Proxy server.

(C) The parties have entered into an Agreement setting forth the legal framework under which AdPage.io will assist Customer and under which AdPage.io has agreed to provide the Services to Customer.

(D) The Services provided by AdPage.io under the Agreement enable AdPage.io to access and process Personal Data (as defined above) as a Processor on behalf of Customer (acting as a Controller).

(E) In order to ensure the secure, accurate and lawful processing of Personal Data by AdPage.io on behalf of Customer, the Parties have agreed to the terms set forth in this Data Processing Addendum.

‍

2. Role and obligations of the parties

2.1 Customer and AdPage.io agree and acknowledge that:

2.1.1. For the purposes of the Data Protection Laws, AdPage.io acts as Processor on behalf of the Customer (acting as Controller);

2.1.2 the processing of Personal Data by AdPage.io is governed by the Model Contractual Clauses (as set forth in Exhibit 1 of this Processor Agreement); and

2.1.3 for the purposes of the Model Contract Terms, the Customer is the data exporter and AdPage.io is the data importer;

2.1.4 it is the Customer's responsibility to enable pseudonymization of personal data. If pseudonymization is disabled, Adpage cannot guarantee that adequate additional measures have been taken to ensure essential equivalence with EU protection levels.

3. Deletion or return of personal data from the controller

3.1 Subject to Article 5.3 (Duration and Termination), AdPage.io's obligations set forth in Article 8.5 of the General Terms and Conditions of Service shall be fulfilled within 30 days of the end of the provision of the Services under the Agreement.

3.2 AdPage.io may retain Personal Data to the extent required by EU, UK or Member State law and only to the extent and for as long as required by EU, UK or Member State law and always on the condition that AdPage.io will safeguard the confidentiality of all such Personal Data and ensure that such Personal Data is processed only to the extent necessary for the purpose(s) specified in the relevant EU, UK or Member State law requiring its storage and for no other purpose.

4. Assistance provided in accordance with ANNEX 1.

4.1. AdPage.io will provide the assistance described in Articles 8.3, 8.6 and 10 of the Model Contract Terms at no additional cost to the Customer.

Term and termination

5.1 This Processor Agreement will take effect upon receipt by AdPage.io of the validly completed Processor Agreement at the email address and will terminate on the later of the following dates:

(i) the date the Agreement ends; or
(ii) the date AdPage.io stops processing Personal Data.

‍
5.2 Any provision of this Processor Agreement expressly or impliedly intended to take effect or remain in effect on or after termination of this Processor Agreement shall remain in full force and effect.

5.3 The termination or expiration of this Processor Agreement shall not affect the rights, remedies, obligations or liabilities of the Parties accrued up to the date of termination or expiration, including the right to seek damages in connection with any breach of this Processor Agreement that existed on or before the date of termination or expiration.

6. liability

6.1 Subject to clause 6.2, the liability of each Party in respect of any claims, losses, proceedings, actions or legal penalties arising out of or in connection with this Processor Agreement shall be governed by the terms of the Agreement and shall not be modified by this Processor Agreement.

6.2 Notwithstanding the foregoing, nothing in this Processor Agreement or the Agreement limits the liability of any Party with respect to its obligations under the Model Contract Terms.

7. miscellaneous

7.1 All notices to a Party under this Processor Agreement shall be in writing and shall be sent to the address at the beginning of this Processor Agreement or such other address as notified in writing by a Party.

7.2 The failure of a Party to exercise its rights under or in connection with this Processor Agreement shall not constitute a waiver of such rights or otherwise impair such rights.

7.3 This Processor Agreement may only be amended by a written agreement between the Parties.

7.4 If any provision of this Processor Agreement is declared void or unenforceable by a court or tribunal of competent jurisdiction, the remaining provisions of this Processor Agreement shall remain in effect unless the latter provisions are to be deemed inseparable from the void or unenforceable provision. In the event that the other provisions remain valid, both Parties shall use their best efforts to replace the void or unenforceable provision with a valid provision that reflects the original intent of the Parties as much as possible.

8. Applicable law

This Processor Agreement and any dispute or claim arising out of or in connection with this Processor Agreement (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Netherlands. Each Party irrevocably agrees that the Court of Den Bosch in the Netherlands shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Processor Agreement (including non-contractual disputes or claims).

‍

Executed in two (2) originals, with each party acknowledging receipt of one (1) original copy.

PLEASE NOTE: THIS IS A COPY OF THE PROCESSOR'S AGREEMENT.

‍

ANNEX 1 - STANDARD CONTRACT PROVISIONS

SECTION I
Provision 1
Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, AVG) (1) for the transfer of personal data to a third country.

(b) The parties:

(i) the natural or legal persons and public institutions, bodies and agencies (hereinafter referred to as "entities") transferring the personal data referred to in Annex I.A ("data exporter"), and

(ii) the entities in a third country that receive the personal data from the data exporter, directly or indirectly through another entity that is also a party to these provisions, as listed in Annex I.A (hereinafter referred to as "data importer")

have agreed to these standard contract provisions (hereinafter referred to as "provisions").

(c) These provisions apply to the transfer of personal data as listed in Annex I.B.

(d) The Appendix to these provisions containing the annexes referred to therein is an integral part of these provisions.

‍

Determination 2

Effect and immutability of provisions

(a) These provisions shall lay down appropriate safeguards, including enforceable data subjects' rights and effective remedies, in accordance with Article 46(1) and 46(2)(c) of Regulation (EU) 2016/679 as well as, in relation to data transfers from controllers to processors and/or from processors to processors, standard contractual clauses in accordance with Article 28(7) of Regulation (EU) 2016/679, provided that they are not amended except to select the appropriate module(s) or to add or amend information in the Appendix. This does not mean that the parties may not incorporate the standard contractual clauses set out in these provisions into a broader agreement and/or add other clauses or additional safeguards, provided that they do not directly or indirectly contradict these provisions and do not infringe the fundamental rights or freedoms of the persons concerned.

(b) These provisions are without prejudice to the data exporter's obligations under Regulation (EU) 2016/679.

‍

Provision 3
Third-party beneficiaries

Data subjects may invoke and assert these provisions as third-party beneficiaries against the data exporter and/or data importer, with the following exceptions:

(i) Provision 1, Provision 2, Provision 3, Provision 6, Provision 7;

(ii) Provision 8 - module one: Provision 8.5, point (e) and Provision 8.9, point (b); Module two: Provision 8.1, point (b), Provision 8.9, points (a), (c), (d) and (e); Module three: Provision 8.1, points (a), (c) and (d) and Provision 8.9, points (a), (c), (d), (e), (f) and (g); Module four: Provision 8.1, point (b) and Provision 8.3, point (b);

(iii) Provision 9 - Module Two: Provision 9, items (a), (c), (d) and (e); Module Three: Provision 9, items (a), (c), (d) and (e);

(iv) Provision 12 - module one: Provision 12, items (a) and (d); Modules two and three: Provision 12, items (a), (d) and (f);

(v) Provision 13;

(vi) Provision 15.1(c), (d) and (e);

(vii) Provision 16(e);

(viii) Provision 18 - modules one, two and three: Provision 18(a) and (b); Module four: Provision 18.Point (a) does not affect the rights of data subjects under Regulation (EU) 2016/679.

‍

Determination 4
Interpretation

(a) Where in these provisions terms defined in Regulation (EU) 2016/679 are used, those terms shall have the same meaning as in that Regulation.

(b) These provisions shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These provisions shall not be interpreted in a manner inconsistent with the rights and obligations set forth in Regulation (EU) 2016/679.

‍

Provision 5
Hierarchy

In the event of a contradiction between these provisions and the provisions of related agreements between the parties that existed at the time these provisions were agreed upon or concluded thereafter, these provisions shall prevail.

‍

Provision 6
Description of retransmission(s)

The details of the transfer(s), and in particular the categories of personal data transferred and the purpose for which they are transferred, are specified in Annex I.B.

Provision 7 - Optional
Docking provision
(omitted)

‍

SECTION II - OBLIGATIONS OF THE PARTIES

Provision 8
Data protection safeguards

The data exporter warrants that it has made reasonable efforts to determine whether the data importer, through the implementation of appropriate technical and organizational measures, is able to fulfill its obligations under these provisions.

8.1. Instructions
(a) The data importer shall process the personal data only on the basis of written instructions from the data exporter. The data exporter may issue such instructions during the term of the agreement.
(b) The data importer shall immediately notify the data exporter if it is unable to comply with such instructions.

8.2. Purpose limitation
The data importer shall process the personal data only for the specific purpose of the transfer, as listed in Annex I.B, unless based on further instructions from the data exporter.

8.3. Transparency
Upon request, the data exporter shall make a copy of these clauses, including the Appendix completed by the parties, available free of charge to the data subject. To the extent necessary to protect trade secrets or other confidential information, including the measures and personal data described in Annex II, the data exporter may redact part of the text of the Appendix to these clauses before sharing a copy, but must provide a relevant summary in doing so if the data subject would otherwise be unable to understand its contents or exercise his/her rights. Upon request, the parties shall communicate to the data subject the reasons for the redaction, as far as possible without revealing the redacted information. This provision is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4. Accuracy
If the data importer learns that the personal data it has received are inaccurate or out of date, it shall promptly notify the data exporter. In this case, the data importer shall cooperate with the data exporter to delete or rectify the data.

8.5. Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. Upon completion of the provision of processing services, the data importer shall, at the option of the data exporter, erase all personal data processed on behalf of the data exporter and assure the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these provisions. In the event of any local law applicable to the data importer that prohibits the return or erasure of the transmitted personal data, the data importer warrants that it will continue to comply with these provisions and process the personal data only to the extent and for as long as required by such local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the term of the agreement if it has reason to believe that it is or has become subject to laws or practices that are inconsistent with the requirements under Clause 14(a).

8.6. Security of Processing
(a) The data importer and, during transmission, also the data exporter, shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, such data (hereinafter referred to as "personal data breach"). In assessing the appropriate level of security, the Parties shall give due consideration to the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to data subjects posed by the processing. In particular, the Parties shall consider using encryption or pseudonymization, including during transmission, where the purpose of the processing can be achieved in this way. With pseudonymization, the additional data for linking the personal data to a particular data subject remains under the exclusive control of the data exporter whenever possible. In fulfilling its obligation under this paragraph, the data importer shall implement at least the technical and organizational measures set forth in Annex II. The data importer shall conduct regular audits to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant its personnel access to the personal data only to the extent strictly necessary for the performance, management and follow-up of the agreement. He shall ensure that the persons authorized to process the personal data have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality.

(c) In the event of a personal data breach involving personal data processed by the data importer under these clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. After becoming aware of the breach, the data importer shall also promptly notify the data exporter. Such notification shall include the details of a contact point from which more information may be obtained, a description of the nature of the breach where possible specifying the categories of data subjects and personal data records concerned and, approximately, the number of data subjects and personal data records concerned), its likely consequences and the measures proposed or taken to address the breach including, where appropriate, measures to mitigate any adverse effects. When and to the extent that it is not possible to provide all information simultaneously, the initial notification shall contain the information available at that time and further information, as soon as it becomes available, will be provided thereafter without delay.

(d) Taking into account the nature of the processing and the information available to it, the data importer shall cooperate with and assist the data exporter to enable it to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and affected data subjects.

8.7. Sensitive data
If the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying an individual, data concerning health, or data concerning a person's sexual behavior or sexual orientation, or data concerning criminal convictions and offenses (hereinafter referred to as "sensitive data"), the data importer shall apply the specific restrictions and/or additional safeguards set forth in Annex I.B.

8.8. Onward Transfers
The data importer shall provide the personal data to a third party only upon written instructions from the data exporter. In addition, the data will be provided to a third party located outside the European Union (4) (in the same country as the data importer or in another third country; hereinafter referred to as "onward transfer") only if the third party is bound by these provisions or agrees to be bound by them, pursuant to the appropriate module, or if:

(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 to which the onward transfer is subject;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Article 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or vindication of legal claims in the context of certain administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary to protect the vital interests of the data subject or of another natural person.Onward transfers may take place only if the data importer complies with all other safeguards under these provisions, in particular purpose limitation.

8.9. Documentation and compliance

(a) The data importer shall promptly and appropriately handle inquiries from the data exporter regarding processing under these provisions.

(b) The parties must be able to demonstrate compliance with these provisions. In particular, the data importer shall maintain appropriate documentation of the processing activities that have taken place under its responsibility on behalf of the data exporter.

(c) At the request of the data exporter, the data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set forth in these Provisions, to enable and contribute to audits of the processing activities covered by these Provisions at reasonable intervals or when there is evidence of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit itself or authorize an independent auditor to do so. Audits may include inspections of the data importer's premises or physical facilities and, where appropriate, shall be conducted with reasonable advance notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the appropriate oversight authority upon request.

Provision 9
Use of sub-processors
(a) The data importer has general consent from the data exporter to employ sub-processors from an agreed list. The data importer shall specifically notify the data exporter in writing at least [specify term] in advance of any intended changes to that list through the addition or replacement of sub-processors so that the data exporter has sufficient time to object to those changes before the sub-processor(s) are employed. The data importer shall provide the data exporter with the information it needs to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by means of a written agreement that provides, in substance, for the same data protection obligations as those to which the data importer is bound under these clauses, including with respect to third party rights for data subjects (8). The parties agree that the data importer shall fulfill its obligations under clause 8.8 by complying with this clause. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is bound under these provisions.

(c) The data importer shall provide a copy of that agreement with the sub-processor and any subsequent amendments to the data exporter upon request by the data exporter. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may redact the text of the agreement before sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance by the sub-processor of its obligations under its agreement with the data importer. The data importer shall notify the data exporter of any breach by the sub-processor of its obligations under that agreement.

(e) The data importer shall agree on a third-party clause with the sub-processor whereby, in the event that the data importer has effectively disappeared, ceased to exist in law or gone bankrupt, the data exporter shall have the right to terminate the contract with the sub-processor and instruct the sub-processor to delete or return the personal data.

Provision 10
The rights of data subjects

(a) The data importer shall promptly notify the data exporter of any requests received from a data subject. It shall not itself respond to that request unless authorized by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to the requests of data subjects for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall determine in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing on the basis of which the assistance is provided, as well as the scope and extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions of the data exporter.

Provision 11
Redress

(a) The data importer shall inform data subjects of a contact point authorized to handle complaints by an individual notice or on its website, in a transparent and easily accessible format. It shall handle complaints received from a data subject without delay.

(b) In the event of a dispute between an affected party and either party regarding compliance with these provisions, that party shall make every effort to resolve the matter amicably in a timely manner. The parties shall keep each other informed of such disputes and, where appropriate, cooperate to settle them.

(c) Where the data subject invokes a right for the benefit of third parties under clause 3, the data importer shall accept the data subject's decision to:

(i) lodge a complaint with the supervisory authority in the Member State where he/she normally resides or works, or the competent supervisory authority under Provision 13;

(ii) submit the dispute to the competent courts within the meaning of clause 18.

(d) The Parties accept that the individual may be represented by a non-profit body, organization or association under the conditions set forth in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall comply with a decision that is binding under applicable European Union/Member State law.The data importer agrees that the data subject's choice does not affect his/her substantive and formal rights to seek redress under applicable law.

Provision 12
Liability

(a) Each party shall be liable to the other party or parties for damages it causes to the other party or parties by violations of these provisions.

(b) The data importer shall be liable to the data subject and the data subject shall be entitled to obtain compensation for any material or immaterial damage caused to the data subject by the data importer or its sub-processor by violating the rights for the benefit of third parties under these provisions.

(c) Notwithstanding subparagraph (b), the data exporter shall be liable to the data subject and the data subject shall be entitled to obtain compensation for any damage, whether material or immaterial, caused to the data subject by the data exporter or the data importer (or its sub-processor) by violating the rights on behalf of third parties under these clauses. This does not affect the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, if applicable.

(d) The parties agree that if the data exporter is found liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to recover from the data importer that portion of the damages corresponding to the data importer's liability for the damages.

(e) Where multiple parties are responsible for damages caused to the data subject as a result of violations of these provisions, all responsible parties shall be jointly and severally liable and the data subject shall have the right to bring proceedings against those parties in court.

(f) The parties agree that if either party is found liable under subsection (e), such party shall be entitled to recover from the other party or parties the portion of damages corresponding to his/her share of liability for the loss.

(g) The data importer may not rely on the conduct of a sub-processor to avoid its own liability.

Provision 13
Supervision

(a) The supervisory authority overseeing the data exporter's compliance with Regulation (EU) 2016/679 with respect to data transfer, as specified in Annex I.C, shall act as the competent supervisory authority.

(b) The data importer agrees to submit to the jurisdiction of and cooperate with the competent supervisory authority in procedures aimed at ensuring compliance with these provisions. In particular, the data importer agrees to answer questions, submit to audits and comply with the measures established by the supervisory authority, including corrective and compensatory measures. He shall provide written confirmation to the supervisory authority that the necessary measures have been taken.

‍

SECTION III - LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Provision 14
Local laws and practices affecting compliance with the provisions
(a) The parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including requirements to provide personal data or measures allowing access by public authorities, will prevent the data importer from complying with its obligations under these provisions. This is on the understanding that laws and practices that respect the essence of fundamental rights and freedoms and do not go beyond what is necessary and proportionate in a democratic society to ensure any of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 do not contradict these provisions.

(b) The Parties declare that, in providing the guarantee referred to in paragraph (a), they have taken due account, in particular, of the following elements:

(i) the specific circumstances of the transmission, including the length of the processing chain, the number of actors involved and the channels used for transmission; intended further transmissions; the type of recipient; the purpose of processing; the categories and format of personal data transmitted; the economic sector in which the transmission takes place; the storage location of the transmitted data;

(ii) the laws and practices of the destination third country - including those that require disclosure of data to government authorities or permit access by such authorities - that are relevant in light of the specific circumstances of the transfer, and the applicable restrictions and safeguards (12);

(iii) any relevant contractual, technical or organizational safeguards established in addition to those under these provisions, including measures applied during the transmission and to the processing of the personal data in the country of destination.

‍

(c) The data importer warrants that it has made every effort to provide the data exporter with relevant information in performing the assessment under paragraph (b) and agrees to continue to cooperate with the data exporter to ensure compliance with these provisions.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the appropriate oversight authority upon request.

(e) The data importer agrees to notify the data exporter promptly if, after agreeing to these provisions and for the duration of the agreement, it has reason to believe that it is or has become subject to laws or practices that are inconsistent with the requirements under paragraph (a), including as a result of a change in the laws in the third country or a measure (such as a request for disclosure) that indicates an application of those laws in practice that is inconsistent with the requirements under paragraph (a). [For module three: The data exporter shall forward the notification to the controller].

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer comply with its obligations under these clauses, the data exporter shall promptly determine appropriate measures (e.g., technical or organizational measures to ensure reliability and confidentiality) to be implemented by the data exporter and/or the data importer to address the situation, [for module three:, in consultation with the controller where appropriate]. The data exporter shall suspend the data transfer if it considers that appropriate safeguards for that transfer cannot be guaranteed, or based on instructions from [for module three: the data controller or] the competent supervisory authority to that effect. In this case, the data exporter shall have the right to terminate the agreement insofar as it relates to the processing of personal data under these provisions. If more than two parties are involved in the agreement, the data exporter may exercise its right to terminate the agreement only with respect to the party involved, unless otherwise agreed by the parties. If the agreement is terminated pursuant to this provision, clause 16(d) and (e) shall apply.

‍

Provision 15
Obligations of the data importer in case of access by public authorities

15.1. Notification
(a) The data importer agrees to promptly notify the data exporter and, to the extent possible, the data subject (if necessary with the assistance of the data exporter) if it:

(i) receives from a public authority, including judicial authorities, a legally binding request for disclosure of personal data transmitted in accordance with these provisions under the law of the destination country; such notification shall include information on the personal data requested, the requesting authority, the legal basis for the request and the response given; or

(ii) has knowledge of direct access by public authorities to personal data transmitted under these provisions in accordance with the laws of the destination country; such notice shall include all information available to the data importer.

(b) If the data importer is prohibited by the laws of the country of destination from notifying the data exporter and/or the data subject, the data importer agrees to make every effort to be discharged from the prohibition in order to communicate as much information as possible as soon as possible. The data importer agrees to document these efforts in order to demonstrate them upon request by the data exporter.

(c) If permitted under the laws of the destination country, the data importer agrees to forward to the data exporter, at regular intervals during the term of the agreement, with as much relevant information as possible about the requests received (in particular, the number of requests, the type of data requested, the requesting authority(ies), whether any requests were contested and what the outcome was, etc.). [For module three: The data exporter shall forward the information to the controller].

(d) The data importer agrees to retain the information pursuant to paragraphs (a) through (c) for the duration of the agreement and to make it available to the competent supervisory authority upon request.

(e) Items (a) to (c) are without prejudice to the data importer's obligation under clause 14(e) and clause 16 to promptly notify the data exporter when it is unable to comply with these provisions.

15.2. Legality review and data minimization.

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful review, it concludes that there are reasonable grounds to believe that the request is unlawful under the laws of the destination country, applicable obligations under international law and principles of international comity. In these circumstances, the data importer shall avail itself of the remedies available to it. When contesting a request, the data importer shall take provisional measures to suspend the effects of the request until the competent court has ruled on its merits. He shall provide the requested personal data only when required to do so by the applicable procedural requirements. These requirements shall not affect the data importer's obligations under clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenges to the request for disclosure and, to the extent permitted under the laws of the destination country, to make the documentation available to the data exporter. It shall also make these documents available to the competent supervisory authority upon request. [For module three: The data exporter shall make the assessment available to the controller].

(c) The data importer agrees to provide the minimum amount of information permitted when responding to a request for disclosure, based on a reasonable interpretation of the request.

‍

SECTION IV - FINAL PROVISIONS

Provision 16
Non-compliance and termination
(a) The data importer shall promptly notify the data exporter if for any reason it is unable to comply with these provisions.

(b) If the data importer breaches or is unable to comply with these provisions, the data exporter shall suspend the transfer of personal data to the data importer until compliance is restored or the agreement is terminated. This is without prejudice to clause 14(f).

(c) The data exporter has the right to terminate the agreement, insofar as it relates to the processing of personal data under these provisions, when:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and the provisions are not reinstated within a reasonable time and in any case within one month of the suspension;

(ii) the data importer materially and continuously violates these provisions; or

(iii) the data importer fails to comply with a binding decision of a competent court or authority regarding its obligations under these provisions.

In such cases, it shall notify the competent supervisory authority [for module three: and the controller] of such non-compliance. Where more than two parties are involved in the agreement, the data exporter may exercise its right to terminate the agreement only with respect to the party involved, unless otherwise agreed by the parties.

(d) Personal data that have been transferred in accordance with point (c) prior to the termination of the agreement shall, according to the wishes of the data exporter, be immediately returned in full to the data exporter or deleted. The same applies to any copies of the data. The data importer shall assure the data exporter that the data have been deleted. Until the data has been erased or returned, the data importer shall continue to ensure compliance with these provisions. In case of any local law applicable to the data importer that prohibits the return or erasure of the transmitted personal data, the data importer warrants that it will continue to comply with these provisions and process the data only to the extent and for as long as required by such local law.

(e) Either party may withdraw its consent to be bound by these provisions where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that relates to the transfer of personal data to which these provisions apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applicable to the relevant processing under Regulation (EU) 2016/679.

Provision 17
Applicable law
‍Theseprovisions shall be governed by the law of one of the EU Member States, provided that such law provides for rights for the benefit of third parties. The parties agree that this is the law of the Netherlands.

Provision 18
Forum and jurisdiction
(a) Disputes arising from these provisions shall be settled by the courts of an EU Member State.

(b) The parties agree that these are the courts of the Netherlands.

(c) A data subject may also bring legal proceedings against the data exporter and/or the data importer in the courts of the Member State in which he/she is ordinarily resident.

(d) The parties agree to submit to the jurisdiction of such courts.

ANNEX IA.
LIST OF PARTIES
Data exporter(s):
Name: [Name]

Address: Name, position and contact details of contact person:Activities relevant to the data transmitted under these provisions: The receipt by the exporter of specialized analytics Server Side Tracking services from the importer relating to the proper measurement of advertising results using Proxy server as further set forth in the Agreement between the exporter and the importer.

PLEASE NOTE: THIS IS A COPY OF THE PROCESSOR'S AGREEMENT.

Data importer(s):
Name: AdPage BV
Address: Velmolenweg 54 A 5404 LD, Uden, The Netherlands

Name, position and contact details of contact person:

Activities relevant to the data transmitted under these provisions: The provision by the importer of specialized analytics Server Side Tracking services to the exporter relating to the proper measurement of advertising results using Proxy server as further set forth in the Agreement between the exporter and the importer.

‍

B. DESCRIPTION OF THE TRANSFER
Categories of data subjects whose personal data is transmitted
Customers, leads and website visitors of the Customer.

Categories of personal data transmitted

Data to be transferred to analyze and measure advertising results include:
- Website;
- Link tracking in URLs;
- User ID;
- IP address;
- Other identifiers (CRM, unique identifier, etc.);
- Other identifying data such as email address, first name, last name, phone number; and
- Pseudonymized data.

Sensitive data transmitted and applicable restrictions or safeguards

The Personal Data transmitted concern the following special data categories: [check mark]
◻ personal data revealing racial or ethnic origin;
◻ political opinions;
◻ religious or philosophical beliefs;
◻ trade union membership;
◻ genetic data;
◻ biometric data aimed at uniquely identifying a natural person;
◻ data on health;
◻ data on a natural person's sexual behavior or orientation.

The frequency of the doogifte

Data transmission is continuous depending on the use of the Services.

Nature of processing

The Personal Data transferred is subjected to the following processing activities:
- Data is pseudonymized and transmitted to Google Tag Manager Server Side;
- Filtered data is used to measure advertising results.

Purpose of data transfer and further processing

The purpose of the transfer and processing is necessary to perform the services of analysis and measurement of advertising results as instructed by Processor.

Period for which personal data will be kept or, if that is not possible, the criteria used to determine that period

Unless the data exporter instructs the data importer to return or delete the data sooner, all personal identifiers will be retained for a maximum of 6 (six) months. After this period, all personal identifiers will be irrevocably deleted.

Transfers to (sub)processors
The personal data may be transferred to subprocessors.Annex III contains a complete list of approved subprocessors.

C. COMPETENT SUPERVISORY AUTHORITY
In accordance with Clause 13, the competent supervisory authority is the Dutch Personal Data Authority, 2509 AJ The Hague, The Netherlands.

ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE DATA SECURITY

Taking into account the state of the art, implementation costs and the nature, scope, context and purposes of the processing, as well as the risk of varying degrees of probability and gravity to the rights and freedoms of natural persons, Adpage will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

- Measures for pseudonymization and encryption of personal data;
- Measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Measures to ensure that the availability of and access to personal data can be restored in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

If enabled by the Consumer, Adpage will ensure that the data is pseudonymized before being shared with Google Tag Manager Sever Side.
‍Takinginto account Recommendations 01/2020 of the European Data Protection Board (EDPB) on measures complementing onward transfer instruments to ensure compliance with the level of protection of personal data in the Union, version 2.0, adopted June 18, 2021, it is considered that pseudonymization is a sufficient and effective complementary measure to ensure data security when the transfer takes place to a third country; if the processor first pseudonymizes the data in its possession and then transfers it to a third country for analysis, for example for the purpose of ad tracking.

The foregoing is justified under four conditions:

1. The data exporter transfers the personal data processed in such a way that the personal data can no longer be linked to a specific data subject, nor can it be used to single out the data subject in a larger group, without the use of additional data

2. Such additional data are held exclusively by the data exporter and are kept separately in a Member State or in a third country, geographical area or one or more specified sectors within a third country, or with an international organization for which the Commission has determined, pursuant to Article 45 of the AVG, that an adequate level of protection is ensured,

3. Any disclosure or unauthorized use of such additional data is prevented by appropriate technical and organizational safeguards, there is assurance that the data exporter has sole control over the algorithm or registry by which the data can be re-identified from the additional data, and

4. The controller, through a thorough analysis of the data in question and taking into account possible information in the possession of the public authorities of the receiving country, has determined that the pseudonymized personal data cannot be linked to an identified or identifiable natural person, even if such information is merged and compared with the personal data,

‍

It is the responsibility of the Controller to take appropriate measures to prevent the data from being aggregated, for example by using other third-party cookies or trackers.

Security measures for sub-processors are described in Appendix III.

APPENDIX III
LISTOF SUB PROCESSORS
The exporter has authorized the use of the following sub-processors:

1) Scaleway
Registered office: 8 rue de la Ville l'Evêque, 75008 Paris, France
VAT number: FR 35 433115904
Director publication: Arnaud Brindejonc de Bermingham
Hosted by: SCALEWAY SAS BP 438 75366 PARIS CEDEX 08 FRANCE

Scaleway offers choice in the world of cloud computing, allowing customers to choose where their customers' data resides, to choose which architecture works best for their business and to choose a more responsible way to scale.

Scaleway processes Personal Data to provide the services requested or authorized by the AdPage as an integral part of the contract for the provision of Scaleway's services entered into between the AdPage and Scaleway and governs cases where Scaleway processes Personal Data on behalf of the AdPage as a Data Processor within the meaning of the AVG.

Scaleway Data Processing Addendum can be found here. (last accessed January 10, 2023)

Terms and conditions of Scaleway can be found here. (last updated January 10, 2023)

Scaleway takes all necessary measures to protect personal data processed and carefully selects all its partners and service providers who may need access to customer data. Data is processed electronically and/or manually and in both cases Scaleway ensures an appropriate level of security, protection and confidentiality based on the sensitivity of the data, taking administrative, technical and physical measures to prevent loss or theft or unauthorized use, disclosure or modification of customer data.

‍

Scaleway's information systems security policy can be found here. (last accessed January 10, 2023)

Personal data is processed by Scaleway, its subcontractors and partners, to administer the contract and provide the services customers have requested or consented to.

Customer data may also be transferred to third parties who provide services or support and advice to Scaleway.

Upon request, they may also be disclosed to the persons and authorities who have access to personal data pursuant to applicable laws, regulations or provisions established by legally competent authorities.

AdPage will notify any new sub-processors or changes to the list of sub-processors in Appendix III of this Processor Agreement and provide you with an opportunity to object to such changes.

‍