This Data Processing Agreement is concluded between We Can Track B.V., a private company with limited liability, established and existing under the laws of the Netherlands, having its registered office in (1323 ME) Almere, the Netherlands, at Purcellstraat 92, registered with the Chamber of Commerce under 73567493 (hereinafter referred to as “We Can Track”), and Affiliate as defined in the Agreement.
We Can Track and Affiliate each a “Party” and together referred to as “Parties”.
- We Can Track helps affiliate publishers to gain a better overview of their sales performance. In order to do so, We Can Track collects, processes and matches session, click and sale data, collecting those from different sources on behalf of the affiliate publisher;
- Affiliate is a website owner who hosts the products and services of an advertiser;
- We Can Track and Affiliate concluded an Agreement regarding the use of We Can Track’s services and products, of which this Data Processing Agreement is a part;
- Where the personal data processing is concerned, Affiliate classifies as a controller within the meaning of Section 4(7) of the General Data Protection Regulation (“GDPR”);
- Where the personal data processing is concerned, We Can Track qualifies as a processor within the meaning of Section 4(8) GDPR;
- In accordance with the provisions of Section 28(3) GDPR, Parties wish to document a number of conditions in the present Data Processing Agreement which apply to their relationship in the context of the aforesaid activities on behalf of – and for the benefit of Affiliate.
AGREED AS FOLLOWS:
1.1 In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
appendix to this Data Processing Agreement which forms an integral part of it;
Data Processing Agreement
the present agreement;
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as referred to in Section 4(12) GDPR;
as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;
the sub-contractor hired by We Can Track that Processes Personal Data in the context of this Data Processing Agreement on behalf of Affiliate, as referred to in Section 28(4) GDPR
1.2 The provisions of the Agreement (including the Terms of Service) apply in full to this Data Processing Agreement. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Data Processing Agreement prevail.
2. Purpose of the Personal Data Processing
2.1 We Can Track and Affiliate have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1.
2.2 We Can Track is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Affiliate and under the express (final) responsibility of Affiliate. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Affiliate, Processing for purposes not reported to We Can Track by Affiliate, Processing by third parties and/or for other purposes, We Can Track is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Affiliate.
2.3 Affiliate is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Affiliate will indemnify and hold harmless We Can Track against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.4 We Can Track undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. We Can Track will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Affiliate’s express written consent, unless a legal provision requires We Can Track to do so. In such case, We Can Track shall immediately inform Affiliate of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3. Technical and organisational security measures
3.1 We Can Track will implement (or arrange the implementation of) appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. We Can Track will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 We Can Track will provide a document which describes the appropriate technical and organizational measures to be taken by We Can Track. This document will be attached to this Data Processing Agreement as Annex 2. Affiliate acknowledges having taken cognizance of the relevant measures and by agreeing to this Data Processing Agreement during the account registration and login, Affiliate agrees with the measures taken by We Can Track.
4.1 We Can Track will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5. Sub Processors
5.1 We Can Track is entitled to outsource the Processing of Personal Data on the Affiliate’s instructions to Sub Processors, either wholly or in part, which parties are described in Annex 3.
5.2 In case We Can Track wishes to engage other Sub Processors, We Can Track will inform Affiliate of any intended changes concerning the addition or replacement of the Sub Processors. Affiliate may object, duly motivated including reasonable detail supporting Affiliate’s concerns and in writing, to such changes within 14 working days after receiving such notification. We Can Track will then use commercially reasonable efforts to review and respond to Affiliate’s objection.
5.3 We Can Track will impose the same data protection obligations as set out in this Data Processing Agreement on each Sub Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Affiliate understands and acknowledges that We Can Track may not always be in the position to with Sub Processors about their data processing agreements.
5.4 Where a Sub Processor fails to fulfil its data protection obligations, We Can Track shall remain fully liable to We Can Track for the performance of the Sub Processor’s obligations.
6. Personal Data Processing outside the European Economic Area
6.1 We Can Track will only be permitted to transfer Personal Data outside the European Economic Area (EEA) if this is done in compliance with the GDPR.
7.1 With regard to the liability and indemnification obligations of We Can Track the stipulation in the Agreement regarding the limitation of liability applies.
7.2 Without prejudice to Article 7.1 of this Data Processing Agreement, We Can Track is solely liable for damages suffered by Affiliate and/or third party claims as a result of any Processing, in the event the specific obligations of We Can Track under the GDPR or the Data Processing Agreement are not complied with or in case We Can Track acted in violation of the legitimate instructions of Affiliate.
8. Personal Data Breach
8.1 We Can Track will notify Affiliate without undue delay upon We Can Track becoming aware of a Personal Data Breach affecting the Personal Data.
8.2 We Can Track will take all reasonable measures to prevent or limit the Personal Data Breach. We Can Track will, insofar as reasonable, provide all reasonable cooperation requested by Affiliate in order for Affiliate to comply with its legal obligations relating to the Personal Data Breach.
8.3 We Can Track will, insofar as reasonable, assist Affiliate with Affiliate’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. We Can Track is never obliged to report a Personal Data Breach to the data protection authority and/or the data subject.
8.4 We Can Track will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant data protection authority and/or data subjects, as meant in Section 33 and 34 GDPR.
9.1 When so requested by Affiliate, We Can Track will enable Affiliate, or experts (including external experts) designated by Affiliate and who are bound by confidentiality, to inspect and audit the implementation of this Data Processing Agreement and, in particular, the security measures taken by We Can Track, at most once per calendar year, subject to a reasonable notice and with permission of We Can Track, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of We Can Track. Affiliate will bear all the costs of this audit. All results and findings of the audit remain confidential and may not be shared or made public in any way.
9.2 The audit in Article 9.1 of this Data Processing Agreement will only take place if Affiliate has requested and assessed similar audit reports available at We Can Track and Affiliate provides reasonable arguments that justify an audit initiated by Affiliate. Such an audit is justified when similar audit reports present at We Can Track give no or insufficient information about compliance with this Data Processing Agreement.
9.3 In case We Can Track is of the opinion that an instruction relating to the provisions of this Article 9 infringes the GDPR or other applicable data protection legislation, We Can Track will inform Affiliate immediately.
9.4 We Can Track is entitled to charge any possible costs that relate to the provisions of this Article 9 to Affiliate.
10.1 We Can Track will, taking into account the nature of the Processing and insofar as reasonably possible, provide all reasonable cooperation to Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR).
10.2 We Can Track will forward a complaint or request from a data subject with regard to the Processing of Personal Data to Affiliate as soon as possible, as Affiliate is responsible for handling the request.
10.3 We Can Track will, taking into account the nature of Processing, the information available to We Can Track and insofar as reasonably possible, provide reasonable cooperation to Affiliate in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
10.4 We Can Track is entitled to charge any costs associated with the cooperation as referred to in this Article 10 to Affiliate.
11. Deletion or return of Personal Data
11.1 If this Data Processing Agreement and/or the Agreement end in any manner whatsoever, We Can Track will, unless mandatory law provides otherwise:
a. cease all use or other Processing of the Personal Data, unless Affiliate requests We Can Track to continue the Processing; and
b. ensure, within a period agreed between Affiliate and We Can Track, that all documents and/or other information carriers which contain and/or relate to Personal Data (including all copies in any form whatsoever) are:
(i) returned to Affiliate in a format specified by We Can Track; and/or
(ii) destroyed at Affiliate’s request.
ANNEX 1 OVERVIEW PERSONAL DATA
Subject matter and duration of the Processing of Company Personal Data
- The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this Data Processing Agreement.
The categories of Personal Data
- Session, Click and Sales Data
- such as, online identifiers (including cookie identifiers, internet protocol addresses and device identifiers), client identifiers, advertiser identifiers, data source identifiers, URLs, action dates, sale information (including sale amount, commission and transaction status), currency information (including currency and exchange rate), processing status and processing date
- Results, such as
- Clicks report
- Transactions report
- Advertisers report
- Network report
- Network accounts report
- Status report
- Page performance
- Overview dashboard
The categories of Data Subject to whom the Personal Data relate
- (Website) visitors, users
The nature and purpose of the Processing of Personal Data
- Providing an overview of Affiliate’s sales performance
- Software development and improvement for the benefit of Affiliate
The obligations and rights of Affiliate
- The obligations and rights of Affiliate are set out in the Agreement and this Data Processing Agreement.
ANNEX 2 SECURITY MEASURES
Servers are only accessible through SSH keys.
User authorisation is heavily restricted. Only members of We Can Track B.V. that signed a Non Disclosure Agreement regarding confidential information (currently the Product Manager and Technical Lead) have access to the data.
Personal data such as IP addresses are, if tracked at all, anonymised by default.
The Cloud solution encrypts the database at rest with LUKS and in transit with SSL.
On top of that, sensitive user data such as login information and network API credentials are all encrypted using AES-256.
All requests and responses get transmitted through SSL.
Only members of We Can Track B.V. that signed a Non Disclosure Agreement regarding confidential information (currently the Product Manager and Technical Lead) have access to the production database. Access might be temporarily granted to an engineer with only relevant tables being accessible for fixing or improving the system.
Recoverability is managed by a Cloud solution. Backups are made at transaction level, which enables us to restore the database to any given point in time for the previous 7 days.
Regular check-ups on data registration, user capacities and database scalability requirements.
ANNEX 3 OVERVIEW SUB PROCESSORS
Google Cloud Platform
Standard data protection clauses
Standard data protection clauses
Standard data protection clauses
Standard data protection clauses
Standard data protection clauses
Possible appropriate safeguards in accordance with the GDPR are:
- data processing agreement (art. 28(3) GDPR), in the event the sub processor is located in the EEA;
- transfers on the basis of an adequacy decision of the European Commission (art. 45 GDPR);
- transfers to organisations that are certified under the EU-US Privacy Shield;
- binding corporate rules (art. 46 and 47 GDPR);
- standard data protection clauses adopted by the European Commission (art. 46 GDPR).