Data Processing Agreement

This Data processing Agreement is between Nordpar ApS, Amagerfælledvej 106, 2300 Copenhagen S, a private company with limited liability, established and with jurisdiction under the laws of the Denmark, business registration number 40071555 (hereinafter referred to as “Nordpar”), and client referred to as “Advertiser”. Nordpar and Advertiser are each a “Party” and together referred to as “Parties”.

Introduction

Nordpar’s software service assists Advertisers in gaining insights into, among other things, their affiliate marketing activities. In order to provide this service, Nordpar gathers data from its suppliers regarding individual transactions, clicks, and impressions, all of which are collected on behalf of the Advertiser.

Regarding the processing of personal data, the Advertiser is considered a controller as defined in Section 4 (7) of the General Data Protection Regulation (hereinafter referred to as “GDPR”).

Regarding the processing of personal data, Nordpar is considered a processor as defined in Section 4 (8) of the GDPR.

In accordance with the provisions of Section 28 (3) of the GDPR, the Parties intend to outline certain conditions in this Data Processing Agreement that govern their relationship in the context of the aforementioned activities conducted on behalf of and for the benefit of the Advertiser.

Objective of Personal Data Processing

1.1 Nordpar and Advertiser have entered into this Data Processing Agreement for the purpose of processing personal data in connection with the Terms and Conditions.

2.2 Nordpar is solely responsible for processing personal data under this Data Processing Agreement, in accordance with the legitimate instructions of Advertiser and under Advertiser’s direct (ultimate) responsibility. Nordpar bears no responsibility or liability for any other processing of personal data, including but not limited to data collection by Advertiser, processing for purposes not disclosed to Nordpar by Advertiser, processing by third parties, and/or for other purposes. The responsibility and liability for such processing activities lie solely with the Advertiser.

2.3 Advertiser is accountable and liable for the processing of personal data related to the Terms and Conditions and ensures that the processing complies with all applicable laws and does not violate any third-party rights. Advertiser agrees to indemnify and hold Nordpar harmless against any claims from third parties, including those from data protection authorities, arising from any failure to comply with this guarantee.

3.4 Nordpar commits to processing personal data solely for the purposes outlined in this Data Processing Agreement and/or the Term and Conditions. Nordpar will not utilize the personal data processed under this Data Processing Agreement for its own or third-party purposes without the express written consent from Advertiser, unless mandated by law. In such instances, Nordpar will promptly inform Advertiser of the legal requirement before processing, unless prohibited by law due to significant public interest considerations.

Technical and Organizational Security Measures

2.1 Nordpar will establish (or coordinate the establishment of) suitable technical and organizational measures to ensure a level of security commensurate with the associated risks. These measures will ensure an adequate level of security, considering the latest technological advancements and the costs of implementation, with regard to the risks associated with processing personal data and the sensitivity of the data to be safeguarded. Nordpar will, in any event, implement measures to safeguard personal data against accidental or unlawful destruction, accidental or intentional loss, alteration, unauthorized disclosure or access, or any other unlawful processing.

Confidentiality

3.1 Nordpar shall require employees involved in executing the Agreement to sign a confidentiality statement. This requirement shall apply regardless of whether such obligation is included in the employees’ employment agreements, stipulating that they must maintain strict confidentiality regarding Personal Data.

Sub-Processors

4.1 Nordpar is authorized to engage Sub-Processors for the processing of Personal Data based on Advertiser’s instructions, either wholly or partially.

4.2 If Nordpar intends to engage additional or replacement Sub-Processors, Nordpar shall notify Advertiser of such intended changes.

4.3 Nordpar shall impose the same data protection obligations as set forth in this Data Processing Agreement on each Sub-Processor, ensuring they provide sufficient guarantees to implement appropriate technical and organizational measures in compliance with the GDPR. Advertiser acknowledges that Nordpar may not always be able to directly negotiate data processing agreements with Sub-Processors.

Personal Data Processing outside the Europe Economic Area

5.1 Nordpar will only be permitted to transfer Personal Data outside the European Economic Area (EEA) if this is done in compliance with the GDPR.

Liability

6.1 With regard to the liability and indemnification obligations of Nordpar the stipulation in the Agreement regarding the limitation of liability applies.

6.2 Without prejudice to Article 6.1 of this Data Processing Agreement, Nordpar is solely liable for damages suffered by Advertiser and/or third party claims as a result of any Processing, in the event the specific obligations of Nordpar under the GDPR or the Data Processing Agreement are not complied with or in case Nordpar acted in violation of the legitimate instructions of Advertiser.

Personal Data Breach

7.1 Upon becoming aware of a Personal Data Breach affecting the Personal Data, Nordpar shall promptly notify Advertiser without undue delay.

7.2 Nordpar shall take all reasonable measures to prevent or mitigate the effects of the Personal Data Breach. Nordpar shall, to the extent feasible, provide all reasonable assistance requested by Advertiser to enable Advertiser to fulfill its legal obligations regarding the Personal Data Breach.

7.3 Nordpar shall, to the extent feasible, assist Advertiser with its notification obligations to the Data Protection Authority and/or the data subjects as stipulated in Sections 33 (3) and 34 (1) of the GDPR. However, Nordpar shall not be obligated to report a Personal Data Breach to the data protection authority and/or the data subjects.

7.4 Nordpar shall not be held responsible and/or liable for ensuring the timely and accurate fulfillment of the notification obligations to the relevant data protection authority and/or data subjects as specified in Sections 33 and 34 of the GDPR.

Cooperation

8.1 Nordpar will, considering the nature of the Processing and to the extent reasonably feasible, offer all necessary cooperation to the Controller in fulfilling its obligations under the GDPR, particularly in responding to requests from data subjects to exercise their rights, including but not limited to the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), data portability (Article 20 GDPR), and the right to object (Articles 21 and 22 GDPR).

8.2 Nordpar will promptly relay any complaint or request from a data subject regarding the Processing of Personal Data to the Advertiser, as the Advertiser is responsible for addressing such requests.

8.3 Nordpar will, considering the nature of the Processing and the available information, and to the extent reasonably feasible, provide reasonable cooperation to the Advertiser in fulfilling its obligations under the GDPR to conduct a data protection impact assessment (Articles 35 and 36 GDPR).

8.4 Nordpar reserves the right to charge Advertiser for any costs associated with the cooperation outlined in this Article 10.

Force Majeure

9.1. In the event of force majeure, Nordpar shall not be deemed in breach of the Terms and Conditions.

9.2. Force majeure events include, but are not limited to, illness-related absence of key personnel, interruptions in power supply, labor strikes, civil unrest, government actions, fires, natural disasters, floods, failures of Nordpar’s suppliers, failures of third parties engaged by Nordpar, internet connection interruptions (whether due to DDoS attacks or otherwise), hardware failures, network malfunctions, including telecommunications networks, and other unforeseeable circumstances.

9.3. If the force majeure event persists for a period of at least thirty (30) days, Nordpar reserves the right to terminate the Agreement without any obligation to provide compensation for such termination.

Deletion or Return of Personal Data

10.1. Upon termination of the contract, Nordpar shall, at the Advertiser’s discretion, either delete all personal data processed on behalf of the Advertiser and provide certification of such deletion, unless Union or Member State law mandates the retention of such personal data. Alternatively, Nordpar may maintain the personal data for an additional grace period of 12 months in the event that the Advertiser re-engages Nordpar’s software services. Throughout this period until the data is deleted or returned, Nordpar shall ensure continued compliance with this Data Processing Agreement.