Last update: 2024-06-11

Personal Data Processing Agreement

This personal data processing agreement (the “DPA”) should be construed as an integral part of the Agreement. For the purpose of this DPA, “Data Controller” shall mean the Company, and “Data Processor” shall mean Metapic.

  1. Assignment and the purpose of this DPA

    The provisioning of the Service (as set out in the Agreement) will include processing personal data on behalf of Data Controller.

    The purpose of this DPA is to agree on the rights and obligations of the Parties as regards the processing of certain personal data and other information under the Agreement and this DPA. The personal data shall be processed in accordance with the applicable data protection law, including the EU General Data Protection Regulation (“GDPR”) and any subsequent legislation replacing or supplementing the above.

    Data Processor shall, in its capacity as Data Processor, process personal data on behalf of the Data Controller in accordance with this DPA and during the term of this DPA.

  2. The purpose and scope of the personal data processing

    The purpose of the processing of personal data is to enable Data Controller to advertise through Data Processor’s blog network.

  3. Categories of data subjects registered

    The following categories of data subjects may be included in relation to the processing under this DPA:

    • individuals who actively request redirection to the Company

  4. Categories of personal data

    The following categories of personal data may be processed under this DPA:

    • cookie ID
    • IP number
    • order number
    • photographs

  5. Obligations of Data Controller

    General

    Data Controller shall establish relevant procedures for its own business, e.g. in order to:

    • validate that there exist legal grounds according to the data protection legislation to process personal data in accordance with the purpose stated in Section 2 above;
    • defend the data subjects’ right to information and transparency, and the right to deletion of data etc.;
    • report personal data incidents to the relevant supervisory authority; and
    • make sure that every person who works under Data Controller’s supervision, and who will receive access to the personal data, only processes the data in accordance with specified instructions, unless otherwise stipulated according to imperative law.

    Information to Data Processor

    Data Controller shall immediately and in writing notify Data Processor of any and all circumstances that may arise which may involve the need to change the way in which Data Processor processes personal data.

  6. Obligations of Data Processor

    Security Measures

    Data Processor shall implement appropriate technical and organisational measures to ensure that personal data is processed in accordance with the requirements in the applicable data protection law, the conditions in the Agreement and this DPA. All security measures shall be at least equal to the level which the competent supervisory authority typically requires for equivalent processing activities. The measures shall be documented and submitted to Data Controller upon written request, without undue delay.

    Instructions

    Data Processor shall only process personal data on behalf of, and for the benefit of, the Data Controller. Furthermore, the processing shall be for the purposes stated in Section 2 above and in accordance with the instructions provided by the Data Controller, and only in order to fulfil Data Processor’s assignment in accordance with the Agreement.

    Data Processor shall ensure that every person who has access to the personal data covered by this DPA complies with the terms and conditions of this DPA, including the obligation to only process the personal data in accordance with the instructions given by the Data Controller, unless otherwise stipulated according to imperative law.

    If Data Processor believes that the instructions given by Data Controller are in conflict with the applicable data protection legislation, Data Processor shall promptly inform Data Controller thereof.

    Transfer of personal data and use of sub-contractors

    Data Processor shall not engage sub-contractors to perform all or part of the processing of personal data (including access to it), unless Data Controller has given its prior specific written approval. Such approval is hereby granted by Data Controller to sub-contractors acting as bloggers and to sub-contractors providing IT etc. to Data Processor (a list of the latter category can be obtained upon request).

    Data Processor shall enter into binding agreements with its sub-contractors, imposing on the sub-contractors at least the same obligations as Data Processor has under this DPA. Data Processor is fully responsible to Data Controller for the sub-contractors’ processing of personal data, including security measures applied.

    Localisation and transfer of personal data to third countries

    Data Processor undertakes to ensure that personal data are stored and processed only within the EU/EEA. The same applies to access to the personal data, e.g. in regard to service, support, maintenance, development, operation or similar, unless transfer is made to a Third Country or an international organization that the Commission has decided ensures an adequate level of protection, or the sub-processor has been and continues to be certified under the EU-US Privacy Shield Framework for the Personal Data covered by this DPA.

    Obligation of Confidentiality and authorization

    Data Processor shall ensure that every person with permission to process personal data is under obligation of confidentiality in a binding agreement. The confidentiality undertaking shall apply to all information processed by Data Processor under this DPA. Access to personal data may only be granted to persons who need such access to the data in order to carry out their duties.

    Incident Reporting

    Data Processor shall promptly notify Data Controller of any security incidents where such incidents have resulted in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data covered by this DPA. All such incidents shall be documented by Data Processor and the documentation shall be delivered to Data Controller at its written request and without any delay.

    If it is likely that a personal data security incident involves any risk related to the privacy of data subjects, Data Processor shall, immediately after Data Processor has gained knowledge of the security incident, take sufficient remedial actions in order to prevent or mitigate the security incident’s possible negative effects.

    In those cases where a security incident shall be reported to the supervisory authority, Data Processor shall promptly cooperate with Data Controller in gathering the relevant information that is requested and shall cooperate with the supervisory authority.

    Assistance related to obligations towards data subjects

    Data Processor shall assist Data Controller in fulfilling its obligations towards data subjects and assist Data Controller to facilitate the exercise of data subjects’ rights such as the rights of correction and removal of data, data portability etc. in accordance with the applicable data protection legislation.

    Removal of personal data

    Should Data Controller during the term of the DPA inform Data Processor that certain personal data should be deleted, Data Processor shall make sure that the specific personal data are promptly destroyed, overwritten or otherwise deleted by Data Processor.

    When the Agreement has been terminated or otherwise expired, Data Processor undertakes to return and/or delete or destroy all personal data covered by the Agreement and this DPA.

    Audits

    Data Processor shall make sure that Data Controller has the possibility to investigate, at Data Processor’s location(s), that Data Processor complies with all provisions of this DPA, the Agreement and the applicable data protection legislation (e.g. in order to ensure that all concerned data processors take suitable security measures in order to protect the personal data).

  7. Instructions to Data Processor

    Information security

    Data Processor is responsible for ensuring that the personal data is always treated with confidentiality and that it has established, implemented and maintained technical, physical, administrative and organizational security measures that are suitable considering the risk that is associated with the processing of the personal data in regard to data subjects’ rights and freedoms, and for Data Controller’s business, all in accordance with Data Controller’s instructions. Data Processor shall particularly ensure that the personal data is protected against any actual, suspected or anticipated threats to the security and integrity of personal data such as accidental or unlawful destruction, loss or change, unauthorized disclosure of or access to personal data and other personal data breaches.

    Access to information

    Data Processor shall ensure that each and every person working under its supervision has access to such personal data on a need-to-know basis only, and only in order to fulfil its obligations when providing the Service.

    Training

    Data Processor staff who handle personal data when providing the Service shall receive appropriate training regarding data protection, confidentiality and other demands of information security.

  8. Term

    This DPA shall remain in full force and effect as from the effective date of the Agreement up until the end of the term of the Agreement.

  9. Applicable law and disputes

    This DPA shall be governed by and interpreted in accordance with the substantive laws of the country set forth in the Agreement. Any disputes arising out of or in connection with this DPA shall be settled in accordance with the relevant provisions of the Agreement.