DATA PROCESSING AGREEMENT

between

Albacross Nordic AB

and

Customer

regarding processing of personal data through the Albacross Services

This DATA PROCESSING AGREEMENT (the “DPA”) is entered into by and between:

1) Albacross Nordic AB, a limited liability company incorporated under the laws of Sweden with corporate registration number 556942-7338 (“Albacross”); and
2) The the entity executing the Agreement (the “Customer”).

Each of Albacross and the Customer is referred to as a “Party” and together as the “Parties”.

BACKGROUND

(a) Albacross is a website analytics and advertising technology company specialised in B2B marketing and lead generation. Albacross has developed and provides a tracking code, which collects data from visitors to the Customers website when integrated on the website, Albacross also provides a service that enables the Customer to display advertising in relevant formats on sites from time to time enabling real time advertising auctions, as well as a service which identifies company-related visitors to the Customer’s website.

(b) Customer has entered into the agreement for supply of digital advertising services (the “Agreement”) with Albacross in order to use the services in its business operations, which forms the subject matter of the processing of Personal Data under this DPA.

(c) The Albacross’s tracking code, which collects data from visitors to the Customers website when integrated on the website, is a software as a service solution in which data processing is carried out (the “Service”), rendering the Customer the data controller, whilst Albacross qualifies as data processor under the applicable data protection laws. In light of the above, Albacross and Customer have agreed on the following terms and conditions set out in this written DPA concerning the processing of Personal Data under this DPA.

1. Definitions

Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.

Data Protection Laws” shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016679) and their national implementations and related national legislation.

EEA” shall mean the European Economic Area.

EU” shall mean the European Union.

Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data etc.

Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. General Terms

  1. Albacross may under this DPA process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer, and the Customer takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.
  2. This DPA is intended to constitute and shall be interpreted as a written data processing agreement between the Customer and Albacross pursuant to applicable Data Protection Laws.

3. The processing

  1. Albacross shall process the Personal Data relating to the categories of data subjects and shall consist of the processing operations as set out in Schedule 1.
  2. Albacross shall process the Personal Data for the purpose of providing the Service to the Customer.

4. Term of processing

  1. This DPA shall enter into force on the date of last signing and, subject to the below section 4.2, shall remain effective until the Agreement is terminated or expires.
  2. Upon the termination or expiry of the Agreement, without entering into a new data processor agreement replacing this DPA, the provisions of this DPA, subject to the discretion of the Customer, shall continue to apply as long as and to the extent Personal Data is processed by Albacross pursuant to the instructions of the Customer.

5. Albacross’s obligations

  1. Albacross may process Personal Data only for purposes necessary for the due performance of the Agreement and only in accordance with the Data Protection Laws applicable to Albacross and in accordance with the written instructions from the Customer as further detailed in Schedule 2 and as otherwise instructed by the Customer in writing from time to time. Albacross may not disclose any Personal Data to a third party without the prior written approval from the Customer or if otherwise required by law.
  2. If Albacross does not have sufficient instructions to enable Albacross to deliver the Services or otherwise fulfil its obligations, Albacross shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant processing of the Personal Data.
  3. Albacross shall implement and maintain appropriate and adequate technical and organisational measures as set forth in Schedule 2 to ensure the security for the processed data. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by Albacross. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed.
  4. Albacross undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the processing operations carried out by Albacross to comply with confidentiality obligations and access restrictions with regards to the processing of Personal Data. Albacross shall ensure that only such employees have access to Personal Data who have received training and/or instruction in the care and handling of Personal Data.
  5. Taking into account the nature of the processing, Albacross shall, at Customer’s cost upon Customer’s request in accordance with Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject’s rights under applicable Data Protection Laws.
  6. Albacross, taking into account the nature of processing and the information available to the processor, undertakes to assist the Customer, at Customer’s cost upon Customer’s reasonable request substantiating the necessity, in ensuring compliance with applicable Data Protection Laws with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.

6. Notification

  1. Albacross shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
  2. Albacross shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
  3. In the event Albacross is required to disclose information, including but not limited to the processed Personal Data or information relating to the processing, according to Applicable Laws or the decisions of public authorities or courts, Albacross shall be obligated to inform the Customer thereof immediately, insofar permitted by Applicable Laws, and request confidentiality in conjunction with the disclosure of requested information.

7. Information and audit

  1. Albacross is obliged to, upon Customer’s reasonable request and at Customer’s cost, make available to the Customer all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of the data processor under applicable Data Protection Laws.
  2. Customer may, pursuant to the relevant provision of the Agreement but in any case notwithstanding what is set out in the Agreement once per calendar year at the cost of the Customer, carry out or mandate a third party auditor, which is not direct competitor to Albacross and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying Albacross’s compliance with the obligations of data processors under applicable Data Protection Laws. The audit shall be carried out during Albacross’s normal working hours without disturbance to the normal operations of Albacross.

8. Subprocessors

  1. Customer hereby gives general written authorisation for Albacross to engage subprocessors for carrying out specific processing activities on behalf of the Customer. When engaging subprocessors, Albacross undertakes to ensure that the contract entered into between Albacross and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this DPA.
  2. Albacross shall notify the Customer of any intended changes concerning the addition or replacement of the subprocessors in Schedule 3, to which the Customer may object. If the Customer has made no such objection within ten (10) days from the date of receipt of the notification, the Customer is assumed to have made no objection.
  3. Albacross may transfer (including allowing access to) Personal Data to its subprocessors outside the EEA. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfer is in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA).

9. Warranty

  1. If and to the extent another legal entity than the Customer is the controller, independently or jointly, for all or part of the Personal Data processed by Albacross on behalf of the Customer under this DPA, the Customer warrants that it has necessary authority and mandate to enter into this DPA on behalf of such legal entity.
  2. The Customer warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licenses, permits or approvals for the processing and notifying the processing to competent authorities or data protection officials and informing the data subjects of the processing.

10. Limitation of liability

Unless caused by the gross negligence or intent of Albacross, Albacross shall in no event be liable to the Customer for any losses or damages, whether direct or indirect (including, without limitation, damages for loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages) arising out of or in connection with this DPA.

11. Indemnification

The Customer shall hold Albacross harmless and indemnify for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Albacross is held liable by a competent court, authority or any other dispute resolution body for processing of personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Albacross’s failure to perform its obligations under this DPA.

12. Remuneration

Albacross is not entitled to additional remuneration on the basis of the provisions of this DPA and shall, unless otherwise agreed by the Parties, or in accordance with the Agreement.

13. measures upon completion of processing

  1. When the provisions of this DPA cease to be effective, Albacross shall, upon and in accordance with Controller’s request, delete all Personal Data or delete and return all Personal Data to the Customer, unless Applicable Laws require Albacross to store the Personal Data.

14. Assignment

  1. The Customer may only assign the rights or obligations under this DPA to a third-party with the prior written consent of Albacross.
  2. Albacross may assign its rights and obligations under this DPA to (i) any company within its group of companies, or (ii) a third party in case of a merger, joint venture or transfer of businesses or substantially all parts of businesses. Any such assignment of rights shall not be considered as Albacross engaging a subprocessor.

15. Entire Agreement

  1. This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.
  2. Albacross is entitled to amend this DPA if it is necessary to comply with requirements of applicable Data Protection Laws. Such amendments enter into force at the latest thirty (30) days after Albacross has sent an amendment notice to the Customer, or such other time period which Albacross is obliged to adhere to according to Personal Data Laws and regulations or relevant authorities. Other alterations of and amendments to this DPA shall be made in writing and be signed by duly authorised representatives of the Parties to be binding.

16. Governing Law and Disputes

  1. This DPA shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
  2. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed.
  3. The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
  4. The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.

Schedule 1 – Processing of Personal Data

Type of Personal Data

The following types of Personal Data are processed by Albacross on behalf of the Customer under the DPA:

(a) IP address - ip v4 or v6;
(b) Location based on IP address;
(c) URL - including “Query String”;
(d) Referer/Origination-website for the visitor;
(e) UserAgent – including i.a. OS, browser and screen resolution;
(f) Domain from form input fields (e.g. albacross.com); and
(g) Fingerprint hash.

Categories of data subjects

Data subjects

The processed Personal Data concerns the following categories of data subjects:

(a) Visitors to the Customer’s website.

Processing operations

Processing operations

The following processing operations shall be carried out for the below specified purposes by Albacross under this DPA:

Processing operations: - collection of Personal Data via the Albacross tacking code; - extract information of location based on IP address; - crosschecking of Personal Data with the Albacross database with IP-addresses; and - erasure of the Personal Data if there is not a match with a company IP-address.

Purposes: - to identify which IP-address collected with the Albacross tracking code belongs to a company, and thereby identify what companies have visited the Customer’s website; and - to make accurate advertising to specific businesses based on the data.

Albacross may not process the Personal Data for any other purposes under this DPA and its schedules.

Schedule 2 – Instructions

1. Instructions for processing of the Processed Data on behalf of the Data Controller

Albacross shall comply with the instructions set forth below with respect to the processing of the Personal Data under this DPA.

2. Handling and processing of the Personal Data

Security

The premises used by Albacross shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Albacross shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.

The premises used by Albacross shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Albacross shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.

Albacross should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be sorted out in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data that no longer is used.

3. Data subjects’ requests

Albacross shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.

Albacross shall, subject to the provisions of this DPA, forward all requests from the data subjects to the Customer and shall only act upon the prior authorization and pursuant to the instruction of the Customer.

Subject to the above, Albacross shall rectify, block, delete, modify, or erase the processed Personal Data in accordance with Customer’s instructions.

Subject to the provisions of this DPA, Albacross shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.

Schedule 3 – Subprocessors

Customer approves that Albacross engages the following subprocessors.

Subprocessor Processing and Personal Data Country of processing Safeguards if processing outside of EU/EEA
Amazon Web Services 1. IP address - ip v4 or v6;
2. Location based on IP address;
3. URL - including “Query String”;
4. Referer/Origination-website for the visitor;
5. UserAgent – including i.a. OS, browser and screen resolution;
6. Domain from form input fields (e.g. @albacross.com); and
7. Fingerprint hash.
Ireland
Adform 1. IP address - ip v4 or v6
2. Cookies
Denmark