Datenschutz-Bestimmungen

Letztes Update: Dienstag, 12. Juni 2018 10:53

TargetSpot Privacy Policy

PLEASE READ THIS PRIVACY POLICY CAREFULLY.

TargetSpot is a digital audio advertising platform.

This TargetSpot Privacy Policy explains to You, user of the TargetSpot Services (as defined below) or visitor of www.targetspot.com (hereafter the “WebSite”), which data are processed by TargetSpot (as defined below) when using TargetSpot’s Services (notably when audio Ads, video Ads and other Ads are served by TargetSpot through its advertising network on behalf of Publishers).

Modern information and communication technologies play a fundamental role in the activities of an organization like TargetSpot.

The TargetSpot Services include all services supplied by TargetSpot and its WebSite, in particular : digital audio advertising, enhancement and provision of multimedia content, communication between users, use of its technical tools (Passport Technologies, notably Campaign Manager: adserver.targetspot.com) and more generally, any other service proposed by TargetSpot. The TargetSpot Services include also communications intended for users, particularly administrative messages, newsletters pertaining to the TargetSpot Services and forums/blogs.

1. Identification of the WebSite and its operator

The WebSite and the TargetSpot Services are provided by TargetSpot Belgium SPRL, a company incorporated under Belgian law, with registered office at B-1070 Brussels, Boulevard International 55K, Belgium and registered with the Crossroads bank for enterprises under company number 0684.758.038, its affiliates, successors, parents, subsidiaries, assigns and licensors (“TargetSpot”). TargetSpot is mainly considered as a “Data Processor” in terms of data processing activities occurring in relation to the use of its TargetSpot Services (hereafter “TargetSpot”). This Privacy Policy does not apply to information that may be processed by third parties such as (1) the internet radio stations and other streaming services (hereafter the “Publishers” or the “Data Controllers”) in which TargetSpot Ads appear or (2) TargetSpot’s advertiser clients (for example, if you click on a TargetSpot Ad that is displayed on Your device when You use the services of a Publisher).

You can address Your question regarding the TargetSpot Privacy Policy and the processing of Your data to the following e-mail address: privacy@targetspot.com. This TargetSpot Privacy Policy applies to all the TargetSpot Services and to its Website.

2. What Personal Data TargetSpot collects - How TargetSpot uses Your Personal Data and on what legal basis?

A “Personal Data” is any information relating to an identified or identifiable natural person.

2.1 – Personal data of the Publisher processed by TargetSpot

By entering into some agreements with TargetSpot, the Publisher acknowledges that TargetSpot may process personal data relating to the Publisher. Information about how TargetSpot processes the Publisher’s personal data can be found in Appendix 1.

TargetSpot may also collect and process Personal Data to keep You posted on TargetSpot latest product or services releases, software updates and upcoming events by email. The legal basis for this processing is Your consent (email marketing “opt-in”). In addition, Your e- mail address may also be used to send You offers for products or services which may be of interest to You, as authorized by law (i.e. if You are a client of TargetSpot, have provided TargetSpot with Your email address in the framework of the purchase of a product or service, our email communications relate to analogous products or services as those already purchased, and You haven’t opted-out to receiving such communications – “soft opt-in”). If You don’t want to receive the TargetSpot newsletter, You can opt-to unsubscribe at anytime, free of charge and without having to provide any justification (“opt-out”).

TargetSpot may also send You a hard-copy newsletter at the postal address You provided TargetSpot with. The legal basis for this processing is the legitimate interests of TargetSpot, namely to market the TargetSpot Services to its users. You may always unsubscribe from those newsletters by following the guidelines included in those newsletters.

If You communicate Your phone number to TargetSpot, this means that You accept to receive a phone call from TargetSpot or from one of our affiliated partners. If You do not wish to receive such phone calls any longer, contact TargetSpot at privacy@targetspot.com.

TargetSpot also uses Your Personal Data to create, develop, operate, deliver, and improve its products, services, content as well as for other internal purposes such as auditing, data analysis, data reporting, payments and research. The legal basis for this processing is the legitimate interests of TargetSpot, namely to improve its products, services and content in order to serve its customers in the most appropriate way.

TargetSpot may use Your Personal Data to verify Your identity for accounting or reporting purposes or if required for the provision of the TargetSpot Services. The legal basis for this processing is the necessity to execute the agreement between You and TargetSpot for the provision of the TargetSpot Services as well as to comply with TargetSpot’s legal obligations.

TargetSpot may use Your Personal Data to send important notices, such as communications about subscriptions and changes to TargetSpot’s terms and conditions or policies. The legal basis for this processing is the necessity to execute the agreement between You and TargetSpot for the provision of the TargetSpot Services as well as to comply with TargetSpot’s legal obligations.

2.2 – Processing of personal data by TargetSpot on behalf of the Publisher

In the performance of TargetSpot Services, TargetSpot may process, on behalf of the Publishers, personal data relating to the listeners of the Publisher’s Streams or end-users of their radio station-services. In that case, TargetSpot acts as a processor on behalf of the Publishers (acting as a data controller) and Appendix 2 (which includes the necessary provisions to comply with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)) will apply.

The Publisher warrants that the Personal Data (as defined in Appendix 2) were collected in compliance with the applicable Data Protection Law (as defined in Appendix 2) and that it is entitled under the Data Protection Law to permit TargetSpot to process the Personal Data. This includes, without limitation, Publisher’s compliance with its obligations to process

Personal Data on the basis of a valid legal ground and to provide the mandatory information under Data Protection Law to the Data Subjects (as defined in Appendix 2). The Publisher further guarantees TargetSpot against any claim or complaint made by a listener of its Streams or end-users of its radio station service in relation with the TargetSpot Services and the processing of the Personal Data.

As Publishers’s Processor, TargetSpot shall only process Personal Data for the following purposes :

  • -  processing required to provide the TargetSpot Services in accordance with agreements existing between TargetSpot and the Publishers ;

  • -  processing to comply with order reasonable instructions provided by Publishers that are consistent with the terms of the agreement existing between TargetSpot and the Publisher. TargetSpot acts on behalf of and on instructions of the Publishers in carrying out all Processor responsibilities. TargetSpot shall process Personal Data in accordance with the requirements of the Data Protection Laws and Publishers will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws.

    3. Collection and use of non-Personal Data by TargetSpot

    TargetSpot also collects data in a form that does not, on its own, permit direct association with any specific individual. TargetSpot may collect, use, transfer, and disclose non-Personal Data for any purpose.

    Anonymous Information

    When You visit the WebSite or interact with TargetSpot Services, we may use automatic data collection technology that records non-personally identifiable information from Your browser or device. TargetSpot also may collect or receive other non-personally identifiable information from the WebSite, from TargetSpot Ads or from data aggregators, streaming services and other third parties. This information may include information about Your operating system, browser type and language, referring and exit pages and URLs, keywords, date and time, amount of time spent on particular pages, what sections of a website You visit, Your use of the WebSite and interactions with TargetSpot Ads and the streaming services on which the TargetSpot Ads appear, as well as other non-personally identifiable information associated with your IP address or device that is maintained by third party data aggregators (collectively, “Anonymous Information”).

    TargetSpot may collect and store details of how You use the TargetSpot Services. This data may be used to improve the relevancy of results provided by the TargetSpot Services.

    If TargetSpot does combine non-Personal Data with Personal Data, the combined data will be processed as Personal Data for as long as it remains combined, for the purposes set out in this TargetSpot Privacy Policy.

4. Protection of Personal Data - security measures

TargetSpot takes the security of Your Personal Data very seriously. TargetSpot implements policy, rules and security measures targeting the protection of Personal Data.

TargetSpot diligently updates, corrects and eliminate Personal Data that are inaccurate, incomplete or irrelevant.

TargetSpot warrants that, for persons acting under its authority, access to Personal Data and the possibilities for processing these Personal Data are limited to what is needed by these persons for the exercise of their duties.

TargetSpot informs persons acting under its authority of the provisions of European and Belgian Data Protection and Privacy laws, as well as any relevant requirements concerning protection of privacy in the processing of Personal Data.

TargetSpot ascertains compliance of programmes used for automatic processing of Personal Data and monitors the regularity of their application.

TargetSpot ascertains that any person who has access to Personal Data can only process such Personal Data on instructions of TargetSpot, except in the case of an obligation imposed by or in virtue of the law, a decree or a court order.

TargetSpot takes the necessary technical and organizational measures to safeguard against accidental or unauthorized destruction, accidental loss and modification, access or any other unauthorized processing of Personal Data.

These measures ensure an adequate level of protection in view, on one hand, of the state of techniques in the field and the costs entailed for the application of these measures and, on the other hand, of the nature of the Personal Data to be protected and the potential risks.

5. Duration of retention of Personal Data

The Personal Data collected will be erased six (6) months after You unsubscribed from the TargetSpot Services for which You have registered on the WebSite or TargetSpot technical tools and services, unless TargetSpot has a legal obligation (notably auditing, reporting, payments and accounting obligations) to retain some Personal Data for a longer period of time.

Some anonymised data may be kept thereafter exclusively for statistical purposes.

6. Your rights

You can ask to TargetSpot, by sending an e-mail to privacy@targetspot.com, whether TargetSpot processes some of Your Personal Data.

You can also access and help TargetSpot ensure Your contact information and preferences are accurate, complete and up to date by logging in Your TargetSpot User account, if applicable, through the Passport Campaign Manager Interface.

You can (i) ask TargetSpot to provide You with a copy of Your Personal Data, (ii) request that TargetSpot corrects Your Personal Data if it is inaccurate or, in some cases, delete Personal Data unless TargetSpot has a legal obligation to retain some Personal Data.

You also have the right to ask for the restriction of the processing or to object to the processing of Personal Data relating to You as well as the right to data portability (as the case may be). When applicable, You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent made prior to such withdrawal.

You can lodge a complaint with a supervisory authority (in particular in the Member State of the European Union of Your usual place of residence, place of work or the place where the violation occurred) if You consider that the processing of Personal Data related to You infringes the data protection legislation. 

Please note that access, modifications, corrections, deletion requests can be made usually through Your “TargetSpot User Account” or at privacy@targetspot.com. TargetSpot can request in some cases proof of Your identity (copy of identity card or passport) to be sure to respect Your Personal Data and not to send them to a wrong person.

Newsletters, e-mails that You receive will always include the possibility to unsubscribe from the receipt of any message in the future.

7. Others

This TargetSpot Privacy Policy shall not restrict the rights that TargetSpot may have with regard to any natural person in virtue of specific agreements or other piece of legislation.

TargetSpot may update its TargetSpot Privacy Policy from time to time. When TargetSpot updates its Privacy Policy, a notification will be posted on the WebSite at the occasion of Your connexion to the WebSite.

This WebSite contains content, services, advertising and other materials that link to web sites operated by third parties. TargetSpot has no control over those other web sites, and this Privacy Policy does not apply to them.

APPENDIX 1
Information notice on processing of Publisher’s personal data

By entering into some agreements with TargetSpot, the Publisher acknowledges that TargetSpot may process personal data relating to the Publisher.

1. Identification of the data controller

TargetSpot (as defined above) will act as the data controller.

2. Categories of personal data processed

The personal data processed by TargestSpot are collected through the creation of an Publisher account through the use of one of its technical tools (such as Passport Technologies). The following personal data will thus be processed by TargetSpot: username, first and last names, email address, password, birthdate, phone number, address, country and language, credit card information, VAT number, tax ID.

The following additional categories of personal data will be processed: operated Streams.

3. Use of the personal data

The personal data may be processed for the purposes of creating, identifying, verifying and managing the Publisher’s subscriptions, setting the preferred language, controlling the Publisher’s access rights, contacting and answering the Publisher’s queries, correcting assignments of access and functions, identifying use/misuse of TargetSpot Services and, more generally, for the purpose of providing TargetSpot Services and executing the agreement existing between Publisher and TargetSpot.

TargetSpot may process the personal data for direct marketing purposes, including by email (subject to the Publisher’s prior consent, unless TargetSpot has a legal right to do so).

4. Legal basis for the processing

TargetSpot relies on the necessity to execute the agreement existing between the Publisher and TargetSpot in order to process the Publisher’s personal data.

TargetSpot relies on the Publisher’s consent to send direct marketing communications unless TargetSpot has a legal right to do so.

5. Security measures

TargetSpot implements policy, rules and security measures for the protection of personal data.

TargetSpot diligently updates, corrects and eliminate personal data that are inaccurate, incomplete or irrelevant.

TargetSpot warrants that, for persons acting under its authority, access to personal data and the possibilities for processing these personal data are limited to what is needed by these persons for the exercise of their duties.

TargetSpot informs persons acting under its authority of the provisions of European and Belgian data protection and privacy laws, as well as any relevant requirements concerning protection of privacy in the processing of personal data.

TargetSpot ascertains compliance of programmes used for automatic processing of personal data and monitors the regularity of their application.

TargetSpot ascertains that any person who has access to personal data can only process such personal data on instructions of TargetSpot, except in the case of an obligation imposed by or in virtue of the law, a decree or a court order.

TargetSpot takes the necessary technical and organizational measures to safeguard against accidental or unauthorized destruction, accidental loss and modification, access or any other unauthorized processing of personal data.

6. Transfer or personal data

The Publisher acknowledges that TargetSpot may disclose personal data to its subcontractors for the above-mentioned purposes, both inside and outside the European Economic Area, namely its affiliates companies: TargetSpot Inc. ; TargetSpot France EURL ; TargetSpot Espana SL; TargetSpot GmbH. The Publisher acknowledges that this may involve transfers of personal data to countries that do not provide an adequate level of protection. Appropriate contractual measures will be taken to ensure the security of the Publisher’s

personal data in compliance with the applicable privacy and personal data protection legislation. A copy of those appropriate contractual measures can be provided upon request. TargetSpot will always choose a subcontractor that provides sufficient guarantees with regard to technical and organizational security measures concerning data processing.

7. Retention of personal data

The personal data collected will be erased six (6) months after the end of the Monetization Program, unless TargetSpot has a legal obligation to retain personal data for a longer period of time.

Some anonymised data may be kept thereafter exclusively for statistical purposes.

8. Rights of the Publisher

The Publishers are entitled to access the personal data relating to them, as collected and processed by TargetSpot as data controller, and request the modification or suppression of the Publisher’s personal data if it is incorrect or unnecessary. The Publisher also has the right to ask for the restriction of the processing or to object to the processing as well as the right to data portability (as the case may be). When applicable, the Publisher has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent made prior to such withdrawal.

The Publisher may exercise these rights by sending an email to TargetSpot at privacy@targetspot.com, together with a copy of her/his identity card or other identification document. In addition, the Individuals may object to the processing of such Publisher’s personal data for direct marketing purposes at any time, free of charge and without having to provide a justification by following the abovementioned procedure.

The Publisher also has a right to lodge a complaint with a supervisory authority (in particular in the Member State of the European Union of its usual place of residence, place of work or the place where the violation occurred) if the Publisher considers that the processing of its own Publisher’s personal data infringes the data protection legislation.

APPENDIX 2

Processing of personal data by TargetSpot on behalf of Publishers

1. Definitions
For the purposes of this Appendix, the following capitalized terms shall have the meaning

specified below :

(a) "Data Subject" shall mean the identified or identifiable individual whose Personal

Data is processed;

(b) "Data Protection Law" shall mean (i) any and all applicable laws implementing the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of

personal data and on the free movement of such data (as may be modified or replaced), including but not limited to the Belgian law of 8 December 1992 on the protection of individuals regarding the processing of personal data as amended, any directly applicable EU regulations (including but not limited to Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”) which is applicable as from 25 May 2018) as well as any delegated act in relation to the GDPR, Belgian laws and decrees executing the GDPR and (ii) any similar applicable legislations from countries outside of the European Union;

(c) "PersonalData"shallmean“personaldata”asdefinedintheDataProtectionLaw which is subject of the Processing, relating to the listeners of the Publishers’s Streams or an end-user of its radio station-service and including any other information directly related to and necessary for the carrying out of the Purposes;

  1. (d)  "Processing" shall mean the “processing” as defined in the Data Protection Law of the Personal Data of each Data Subject by TargetSpot on behalf of the Publishers, which includes the processing of the Personal Data by TargetSpot and the transfer of the Personal Data to the Publishers;

  2. (e)  "Purposes" shall mean the limited, specific and legitimate purposes of the Processing, namely the performance of the services;

  3. (f)  “Subprocessor” shall mean any person (excluding an employee of TargetSpot) appointed by or on behalf of TargetSpot to process Personal Data on behalf of the Publishers.

2. Qualification

For the avoidance of doubt, the Parties acknowledge that where Data Protection Law applies, the Publishers acts as the data controller and TargetSpot as the data processor of Personal Data to be processed. Accordingly, the Publishers remains solely responsible for determining the means and the purposes of TargetSpot's Processing of Personal Data under existing agreements between Publishers and TargetSpot.

3. Processing of Personal Data

TargetSpot agrees that any Processing of Personal Data by TargetSpot in respect of which TargetSpot acts as data processor on behalf of the Publishers shall be carried out in accordance with the Data Protection Law and the provisions of this Appendix.

Without prejudice to the independence of the Parties, the Personal Data shall only be processed in accordance with the instructions of the Publisher and solely for the Purposes, to the exclusion of any other purposes. The Publishers hereby generally instructs TargetSpot to process Personal Data for the Purposes and to the extent necessary to provide the Services in compliance with TargetSpot's obligations under the existing agreements between Publishers and TargetSpot.

Without prejudice to the independence of the Parties, TargetSpot represents and warrants that TargetSpot and any person acting under the authority of or on behalf of TargetSpot and having access to the Personal Data shall only process the Personal Data in accordance with

the instructions of the Publishers, except in case of a legal obligation, and in accordance with the Data Protection Law. To this end, TargetSpot shall inform and train all persons acting under its authority and having access to the Personal Data about the provisions of Data Protection Law.

The following Personal Data are processed on behalf of Publishers by TargetSpot when providing TargetSpot Services:

PERSONAL DATA

COOKIE_ID (USER_ID)

DEVICE ID

IP ADDRESS

Means of Collection

This is a randomly generated, unique, alphanumeric text string (identifier) set by placing a cookie in the browser. No further information about the user is stored on this identifier. The collection of the cookie_id information can be done in 3 ways.

1. Reading existing TargetSpot cookie in the browser

2. Random generation upon placing of cookie - if none is detected 

3. Received by the Data Controller upon ad call

Device IDs are not actively collected and are only used when proactively transferred by the Data Controller in the Call to TargetSpot. 

The IP Address can be collected by TargetSpot in 2 ways:

1. When the call to TargetSpot is made by the Controller in the browser. TargetSpot will use the browser header to obtain the IP Address

2. When the call to TargetSpot is not made in the browser, the Data Controller proactively transfers the IP address in the call itself.

Means of Processing

The cookie_id is used to identify campaigns eligible for delivery

The Device ID is used to identify campaigns eligible for delivery

The IP Address is used to identify campaigns eligible for delivery

The IP Address is cross checked with 

     

databases to determine Geographic Location and 'Real Person’ validation.

Means of Sharing

The cookie_id can not be accessed by other parties. It can be transmitted to Sub- processors in 3 ways:

1. Upon request for ad delivery; if no buyer_id (the cookie_id of the DSP's) is available, the cookie_id will be transmitted.

2. Forwarding to Sub- processor by means of Macro in VAST call

3. In the synchronization call to the Sub-processors (DSP's)

The Device ID can be transmitted to Sub- processors in 2 ways: 1. Upon request for ad delivery, by the DSP, the device_id will be transmitted

2. Forwarding to subprocessors by means of Macro in VAST call

The IP address can be transmitted to Sub- processors in 3 ways:

1. Upon request for ad delivery, by the DSP, the IP address will be transmitted

2. Forwarding to Sub- processors by means of Macro in VAST call

3. Request send to Brand verification tools with the sole aim of fraud detection

Means of Storing

The cookie_id is stored on servers separately from all other non-PII data points.

The Device ID is stored hashed and salted onto our data servers and is irreversibly anonymized

The IP Address is stored hashed and salted and is irreversibly anonymized

Place of Processing

TargetSpot owned Paris, Data center

TargetSpot owned Paris, Data center

TargetSpot owned Paris, Data center

Place of Storage

TargetSpot owned Paris, Data center

TargetSpot owned Paris, Data center

TargetSpot owned Paris, Data center

Retention Period of Storage

14 days

18 months

18 months

Purpose

The purposes of the cookie_id is:

1. In order to prevent over exposure of a particular campaign to the Data Subject, TargetSpot and the respective DSP perform frequency capping. The cookie_id is technically required for this purpose.

2. Allows for matching of the cookie_id to enable the Sub-processors’ purposes of processing, including and not limited to Frequency capping.

The purpose of the Device ID is:

In order to prevent over exposure of a particular campaign to the Data Subject, TargetSpot and the respective DSP perform frequency capping. The device id is technically required for this purpose, in case of cookieless environment.

The purpose of the IP Address is:

1. In order to delivery a campaign coming from the relevant country and in the relevant language to the Data Subject, TargetSpot uses the IP Address to determine the Data Subjects Geographic location.

2. In order to protect the advertisers for campaign delivery on ‘non human’ traffic, TargetSpot uses the IP Address to perform fraud detection and prevention.

3. TargetSpot uses the IP Address periodically to conduct technical troubleshooting

Legal Basis - Art 6 of GDPR

The cookie_id can be legitimately processed by:

-> Active Opt in (Art. 6(A))

The Device ID can be legitimately processed by:

-> Active Opt in (Art. 6(A))

The IP Address will be processed on:

-> Legitimate Interest (Art. 6(F))

 

-> Legitimate Interest (Art. 6(F)) 

-> Legitimate Interest (Art. 6(F)) 

 

4. Subprocessing – Onward transfer of Personal Data

TargetSpot shall not engage any Subprocessor without prior general or specific written authorisation of the Publisher. Where TargetSpot engages a Subprocessor for carrying out specific processing activities on behalf of the Publisher, the same data protection obligations as set out in this Appendix 1 shall be imposed on that Subprocessor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where such Subprocessor fails to fulfil its obligations under Data Protection Law, TargetSpot shall remain fully liable to the Publisher for the performance of such Subprocessor's obligations.

The Publishers hereby specifically authorizes TargetSpot to engage the following Subprocessors and disclose Personal Data to its sub-contractors for the above-mentioned purposes, both inside and outside the European Economic Area, namely :

  • -  Supply Side Platforms Appnexus

    SpotX Adswizz Rubicon Triton

  • -  Demand Side Platforms The Trade Desk

  • -  Data Management Platforms Google

    Krux Claritas Bisnode Quantcast

  • -  Other Sub-Processors Dax (UK)

    RMS (DE) Mediamond (IT) TMX (NL)

    An updated of Subprocessors list is available on the Website.

    You acknowledge that this may involve transfers of Your Personal Data to countries that do not provide an adequate level of protection. Appropriate contractual measures will be taken

to ensure the security of Your Personal Data in compliance with the applicable privacy and personal data protection legislation. A copy of those appropriate contractual measures can be provided upon request. TargetSpot will always choose a subcontractor that provides sufficient guarantees with regard to technical and organizational security measures concerning data processing.

TargetSpot may also transmit Personal Data on the request of a judicial or administrative authority by virtue of applicable law.

The Publishers hereby further generally authorizes TargetSpot to engage any other Subprocessor provided that TargetSpot informs the Publishers of any intended changes concerning the addition or replacement of Subprocessors. The Publishers will have the possibility to object to such addition or replacement on the basis of objective grounds.

With respect to each Subprocessor, TargetSpot shall:

  1. (i)  carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by this Appendix;

  2. (ii)  ensure that the EU Standard Contractual Clauses regarding the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (hereinafter the “EU Standard Contractual Clauses”) are at all relevant times signed between the Publisher and the Subprocessor if the engagement of such Subprocessor involves a transfer to a country located outside of the European Economic Area which does not ensure an adequate level of data protection and where no appropriate safeguard exists (hereinafter the “Restricted Transfer”). For the purposes of this obligation, the Publishers hereby grants to TargetSpot a mandate (proxy) to enter into EU Standard Contractual Clauses in the name and on behalf of the Publishers with the Subprocessors; and

  3. (iii)  provide to the Publishers for review such copies of the agreements with Subprocessors as the Publishers may request from time to time.

TargetSpot shall not communicate, disclose or transfer, either free of charge or in return for payment, the Personal Data to any other legal person or individual, except pursuant to the prior written instructions of the Publishers and except where such communication, disclosure or transfer: (i) is necessary to perform the TargetSpot Services or for the Purposes; or (ii) is required by any applicable law, regulation, or governmental authority in which case TargetSpot will, wherever possible, notify the Publishers promptly in writing prior to complying with any such request for communication, disclosure or transfer and shall comply with all reasonable directions of the Publishers with respect to such communication, disclosure or transfer.

5. Security

TargetSpot shall ensure – having regard to the state of technological development and the cost of implementing any such measures as well as the sensitive nature of the Personal Data to be processed – that appropriate technical and organizational measures are taken against accidental or unauthorized destruction, accidental loss, as well as against alteration of, access to and any other unauthorized processing of the Personal Data. Without limitation to the foregoing, TargetSpot shall, in particular, take adequate technical and organizational measures to:

i. ensure that access to the Personal Data is only granted to persons acting under its authority and strictly on a need-to-know basis;

  1. deny unauthorized persons access to data processing systems within which the Personal Data is processed (access control);

  2. prevent the use of data processing systems by unauthorized persons (access control);

  3. ensure that persons authorized to use a data processing system are only able to

    access the Personal Data to which their access privileges apply (access control);

  4. ensure that the Personal Data cannot be read, copied, modified or removed without the authorization of TargetSpot during electronic transfer or during transport or storage on data media and that it is possible to check and determine to whom communication of the Personal Data is made through data transfer facilities (checking the identity of any person who forwards the Personal Data and any person to whom

    the Personal Data is forwarded);

  5. ensure that the Personal Data is only processed in accordance with the Publisher’s

    instructions (instruction checking);

  6. ensure the reliability of any employee, agent or contractor of the Publisher or any

    Subprocessor and that they are subject to confidentiality obligations (reliability and

    confidentiality);

  7. ensure that the Personal Data is protected against accidental destruction or loss

    (availability checking);

  8. ensure that pseudonymisation and encryption of Personal Data are used where

    possible; and

  9. ensure that Personal Data processed for other purposes can be processed separately

    (separation checking).

Without prejudice to Clause 7, TargetSpot agrees to inform the Publisher in writing without delay and, in any case, within three (3) business days of any accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Personal Data.

6. Cooperation

TargetSpot shall provide in a prompt manner such co-operation as is reasonably necessary to enable the Publisher to ensure compliance with the Data Protection Law, including but not limited to providing co-operation where the Publisher must respond to requests for exercising the Data Subject's rights granted by Data Protection Law. In particular, TargetSpot shall:

(i) promptly notify the Publisher if TargetSpot or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and

(ii) ensure that TargetSpot and/or any Subprocessor only responds to such request upon express written instructions of the Publisher or as required by applicable laws to which TargetSpot and/or the Subprocessor is subject, in which case TargetSpot shall to the extent permitted by applicable laws inform the Publisher of that legal requirement before TargetSpot and/or the Subprocessor responds to the Data Subject’s request.

TargetSpot shall as soon as reasonably practicable and in any event in a manner that conforms to any time-scales set out in the Data Protection Law, provide the Publisher with a copy of the Personal Data that it processes, and/or correct or delete any inaccuracies in such Personal Data, as directed by the Publisher

7. Personal Data breach

In case of any Personal Data breach (defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”), TargetSpot shall,

without delay, notify the Publisher of such breach. The notification must, at least, describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, describe the likely consequences of the Personal Data breach, describe the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Audit and inspection

TargetSpot shall, at the request of the Publisher, submit its equipment used for the Processing of Personal Data (if any) for audit of the Processing performed by TargetSpot. Such audit shall be performed by the Publisher or a third party (selected by the Publisher and reasonably acceptable to TargetSpot) to act on its behalf, at the Publisher’s expense, at TargetSpot’s offices or at another mutually agreed location during normal business hours upon fifteen (15) days prior written notice and shall make reasonable endeavors to avoid causing any damage, injury, or disruption in TargetSpot premises, equipment, personnel and business while its personal are on those premises in the course of such an audit or inspection. Audit reports shall only include detail sufficient to verify TargetSpot’s compliance with its obligations under this Appendix.

For the performance of the audit or inspection, the Publisher will give a list of authorized person(s) (“Authorized Person”). TargetSpot undertakes to give access to its premises to the Authorized Person provided that such Authorized Person:

(i) produces reasonable evidence of identity;
(ii)works during normal business hours of TargetSpot unless the audit needs to be conducted on an emergency basis.

9. Data Protection Impact Assessment

TargetSpot shall assist the Publisher with any relevant data protection impact assessment and prior consultations with supervisory authorities or other competent data privacy authorities that would be required under Articles 35 or 36 of the GDPR, subject to terms and conditions and fees to be agreed upon on a case-by-case basis.

10. Deletion or return of Personal Data

TargetSpot shall ensure that any copies of Personal Data in the possession of TargetSpot are promptly, and in any event within one month of the date of cessation of any services, returned to the Publishers or destroyed (at the Publisher’s option) upon the Publishers’s notice and/or when they are no longer required for the performance of TargetSpot’s obligations under the Monetization Program, whichever occurs first, and TargetSpot shall delete existing copies unless Data Protection Law requires storage of the Personal Data.

11. Liability

Without prejudice to Clause Error! Reference source not found., TargetSpot shall be liable for the Processing of the Personal Data which is consigned to it by the Publishers. TargetSpot undertakes to indemnify and hold harmless the Publishers, its directors and employees against any and all costs, charges, damages, expenses and losses (including costs incurred in recovering same), that are incurred by the Publishers as a result of any breach by

TargetSpot of any representation or warranty in this Appendix or the failure to comply with any of its obligations under this Appendix. Where a Subprocessor fails to fulfil its obligations under Data Protection Law, TargetSpot shall remain fully liable to the Publisher for the performance of such Subprocessor's obligations. TargetSpot’s total, aggregate liability to any Publisher for all claims arising under or relating to this Privacy Policy and Appendix 2 is however limited to the revenue share payments paid to this Publisher by TargetSpot in the one (1) month period immediately preceding the date of the claim. This Clause 11 sets out the entire financial liability of TargetSpot (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Publisher in respect of any breach of the obligations contained in this Appendix.

12. Modifications of the applicable Data Protection Law

TargetSpot may, by providing at least thirty (30) calendar days' written notice to the Publishers, make variations to or replace the template EU Standard Contractual Clauses and enter into amended or new EU Standard Contractual Clauses as per Clause 4, subsection (ii), where such variations or replacements are required as a result of any change in, or decision of a competent authority under, the Data Protection Law, to allow the Restricted Transfers referred to in Clause 4, subsection (ii), to be made (or continue to be made) in compliance with the Data Protection Law.

Last version updated on June 12, 2018