This policy applies only to the personal data processed by ADventori using the tools and services made available to its clients. To view the policy on personal data collected via the site, click here. This policy supplements ADventori’s General Terms and Conditions, the definitions of which apply in full.
1. Responsabilities of the parties
ADventori provides its clients with tools and services for the purpose of optimizing their advertising campaigns.
These campaigns are defined, written and implemented by advertisers, who are ADventori’s clients (sometimes the clients of clients, etc.), and ADventori has no decision-making power with respect to their details. ADventori acts within the context of a contractual chain. Consequently, and based on factual elements and the applicable regulations (as interpreted in particular in Opinion 1/2010 of the Article 29 Data Protection Working Party of February 16, 2010), ADventori is a “processor” for the purposes of these campaigns, i.e. ADventori acts solely as a provider of means for its clients, who are the “data controllers”.
In this context, it is these “data controller” clients who determine:
– the type of personal data collected and processed;
– the legal basis on which such personal data is collected;
– whether or not any fully automated decisions are made on the basis of the personal data provided;
– the recipients or categories of recipients of personal data; and
– the countries to which personal data is sent.
ADventori makes every effort to notify its clients if they make a decision that does not comply with the applicable legislation, but the responsibility for any final choice lies entirely with the client.
Similarly, only our clients can provide the information and statements required under the applicable regulations.
It is accepted that the tool used to monitor and measure ADventori’s services does not make use of any personal data and is not therefore concerned by the regulations relating to the protection of personal data and this policy.
2. ADventori’s commitments
ADventori’s commitments include the following only. ADventori holds harmless its clients against any claims or actions by third parties in relation to personal data and undertakes to assume responsibility for any expenses, convictions, costs and legal fees that its clients may incur as a result of these proceedings, as they are incurred.
In general, ADventori undertakes to comply with the regulations relating to the protection of personal data.
a. Records of clients’ instructions
ADventori undertakes to keep, in an open format, a written record of its clients’ specific instructions for each campaign with regard to personal data. As an exception to the above, operations and processing of data resulting from the execution of this policy will be considered to automatically constitute instructions from the client.
b. Use of subcontracting
In general, ADventori may subcontract any aspect of the contractual relationship that does not involve personal data. If the services of a subcontractor are required to process personal data relating to the execution of this policy, ADventori will inform the client, who may not refuse its consent unless there are good reasons for doing so. Non-response on the part of the client within 15 days will be considered as tacit acceptance.
c. Accountability
ADventori has set up internal procedures for demonstrating its compliance with regulations in its capacity as processor. As such, ADventori agrees that clients may, on a reasonable basis, send specific questions and requests for documentation, upon 15 days’ written notice. These questions may concern only compliance with the regulations in force in the context of the execution of this policy. ADventori will respond within a reasonable period of not less than 1 month. As an exception to the above, ADventori is obliged to respond within the time limits imposed by the authorities in the event of an inspection or request on the part the CNIL (or similar authority).
ADventori undertakes to cooperate with clients in the event of an inspection or request for documentation on the part of the CNIL (or similar authority).
d. Privacy by design
ADventori has set up internal procedures for demonstrating compliance with the principle of taking data protection principles into account from the design stage, and of protecting data by default.
e. Security
ADventori declares that it has implemented a series of technical and organizational security measures aimed in particular at:
– guaranteeing the confidentiality, integrity, availability and resilience of the information systems processing personal data in accordance with the latest technological standards and this policy; and
– restoring, if necessary, the availability of and access to personal data in accordance with the state of the art and this policy.
In addition, ADventori implements a periodic procedure for testing, analyzing and evaluating the technical and organizational security measures employed.
f. Retention of personal data supplied by clients
ADventori stores the personal data supplied in the context of this policy within the European Union or in a country recognized by the European Commission as offering an adequate level of protection.
ADventori will hold the personal data provided by clients in accordance with the retention periods that they have themselves determined. Clients acknowledge that in the absence of written instructions, ADventori will hold the data retained for a maximum of 3 months from the end of the campaign in question. Clients will assume all the consequences of this period should they fail to provide written instructions. At the end of this period, ADventori will destroy the data in question.
g. Security breach procedure
ADventori is bound by a best efforts obligation in terms of computer security. However, in the event of a security breach, ADventori undertakes (1) to notify the client as soon as possible and provide the necessary information (on a reasonable basis and within the limits of ADventori’s confidentiality obligations); (2) to assist the client and, where applicable, the CNIL or any other public authority in this regard; and (3) to assist, in a reasonable manner, with the implementation of corrective measures.
ADventori will keep a record of security incidents for this purpose.
h. Assistance for clients with respect to the implementation of the rights referred to in EU Regulation 2016/679
ADventori undertakes to assist clients with respect to any written and precise request relating to the exercise of a right or an obligation referred to in EU Regulation 2016/679, and in particular:
– the implementation of data subjects’ rights (e.g. right to data portability, right to access and rectify data); and
– participation in a privacy impact assessment.
The parties acknowledge that if this assistance were to exceed more than one hour per week, then ADventori would be entitled to invoice the client for any excess time based on the hourly rate applicable on the day of the client’s request.
3. Client obligations
Client obligations include the following. Clients hold harmless ADventori against any claims or actions by third parties in this respect and undertake to assume responsibility for any expenses, convictions, costs and legal fees that the clients may incur as a result of these proceedings, as they are incurred.
In general, clients undertake to comply with the regulations relating to the protection of personal data.
a. CNIL formalities
Clients declare and guarantee that they have made all the necessary declarations and applications for authorization to collect, process, transfer and retain the personal data used or necessary for the execution of this policy.
b. Data processing records
Clients having appointed a data protection officer (Correspondant Informatique et Libertés) undertake to create, maintain and keep up to date a data processing record including all mandatory information. In any event, clients undertake to create, maintain and keep up to date a data processing record including all information mandatory under EU Regulation 2016/679.
c. Privacy impact assessments
Clients declare and guarantee that they will carry out a privacy impact assessment with respect to all data processing conducted in the context of this policy and meeting the criteria laid out in EU Regulation 2016/679 and/or concerned by the decisions of the CNIL.
d. Information provided to data subjects
Clients declare and guarantee that they will inform data subjects of all their rights and provide the information considered mandatory under the applicable regulations, and that they will obtain, where applicable, consent in accordance with the applicable regulations. Where appropriate, clients undertake to provide the necessary information and obtain the consent of data subjects in accordance with EU Regulation 2016/679, the French Data Protection Act resulting from the Order of December 3, 2018 and all applicable French regulations and, where applicable, to provide and/or obtain consent again in accordance with this regulation.
Clients will draw up and provide their General Terms and Conditions in accordance with the law, this policy and the regulations, particularly with respect to the protection of personal data. Clients also undertake to update their General Terms and Conditions to reflect any changes in the functionality of ADventori’s products and services and/or ADventori’s General Terms and Conditions.
e. Accountability
Clients will set up internal procedures for demonstrating their compliance with regulations in their capacity as data controllers.
f. Privacy by design
Clients will set up internal procedures for demonstrating compliance with the principle of taking data protection principles into account from the design stage, and of protecting data by default.
g. Security
Clients declare that they have implemented a series of technical and organizational security measures aimed in particular at:
– guaranteeing the confidentiality, integrity, availability and resilience of the information systems processing personal data in accordance with the latest technological standards and this policy; and
– restoring, if necessary, the availability of and access to personal data in accordance with the latest technological standards and this policy.
In addition, clients will implement periodic procedures for testing, analyzing and evaluating the technical and organizational security measures employed.
h. Personal data retention periods
As data controllers, clients undertake and guarantee that they will determine a retention period for each type of data and each purpose, in accordance with the regulations in force. Clients undertake to inform ADventori in writing without delay of these retention periods.
i. Data protection officer
Clients having decided to appoint a data protection officer will provide the contact details of the data protection officer on the date the contract is concluded with ADventori and will notify ADventori of any changes. These data protection officers will be ADventori’s point of contact for all questions relating to data protection regulations.
j. Associated data (considerations)
It should be pointed out, for information purposes, that personal data may be processed only for a specific purpose, of which data subjects must be informed. Consequently, ADventori cannot provide clients with any data, listings, logs or other elements covered by the regulations relating to the protection of personal data, unless they are also recipients of this data and guarantee compliance with all the obligations set out in point 2 of this policy. If such is the case, the parties must sign an agreement relating to this transfer of personal data in accordance with the applicable regulations.
© ADventori – January 2019