The COMPANY as the Processor undertakes to process personal data on behalf of the CLIENT, being the Controller, in accordance with the conditions laid down in this Data Processing Addendum. The processing will be executed exclusively within the framework of the SAAS GENERAL TERMS OF SERVICE, and for all such purposes as may be agreed to subsequently.
In order to perform the Services under the framework of the SAAS GENERAL TERMS OF SERVICE, andt o provide the Services effectively, the Processor may have access to personal data for which the Controller is responsible.The Processor must carry out the required processing of Personal Data in order to carry out the SERVICES indicated in SAAS GENERAL TERMS OF SERVICE.
This Data Processing Agreement is accessory to the main contract for the provision of the Services, so its duration is linked to the duration of the SAAS GENERAL TERMS OF SERVICE.
Generate Real time statistics based on website visitors in order for the Controller to know what`s happening on his website.
Device Information: IP address. Operating system version. Device, Country. Navigation level; Use ragent; User ID.
Device Information: device from which a visitor accesses the Publisher’s website. The information obtained is device model, operating system and version, the unique identifier of the device, and the mobile network.
Location information: IP address, time zone, and mobile service provider, allowing to get website visitors general location.
User Navigation Information: Information about the use of the Publisher’s website. Specifically, the frequency of use, the sections visited, use of specific functions, time spent in each section, scrolling done, etc.
Publishers may submit some personal information, such as visitor user ID on the Publisher’s website.
All the information collected allows to generate information regarding visitor`s interests (e.g. engagement to the media, favorite sections, contents, authors, etc. of the Publisher’s website or other similar parameters.Categories of Data Subject:Website(s) visitors.
The Controller, in addition to comply with any obligations provided in the SAAS GENERAL TERMS OF SERVICE, this Data Processing Agreement and the Regulation (EU) 2016/679 General Data ProtectionRegulation (GDPR) or other applicable regulation - must observe the following obligations in the performance of the following tasks:
A. Provide or make available to the Processor the data referred to in this document, as well as thenecessary instructions to carry out the processing of the data.
B. Provide the website`s visitor with the information regarding the processing of their data through the SOFTWARE. The information must comply with the content established in Articles 12 and 13 of theGDPR. MARFEEL will not be held responsible for the failure to comply or defective compliance with the obligation to inform.
C. Collect website`s visitor data using appropriate legal basis. The Client acknowledges that theSERVICES may involve the installation of tracking devices in the website`s visitor browser (such ascookies), so the Client shall comply with the rules on their use and installation. In this sense, the Clients hall provide clear and comprehensive information about the purposes of any cookie or similar technology that stores information (or accesses information stored) on website`s visitor’s devices,and obtain, where appropriate, their prior consent (which must be to the GDPR standard).Although Marfeel may provide support or assistance regarding the configuration and implementation of mechanisms to inform and obtain consent of website visitors in relation to said cookies,compliance with said obligations shall continue to be the responsibility of the Client. Any proposalmade by Marfeel in relation to the information and consent of the website visitors may only beconsidered as mere suggestions based on standard practices, and in no case as legal advice or anyother kind of advice on the matter. Marfeel cannot be held responsible for the decisions taken by theClient with the information provided by Marfeel, which will be taken at their own risk.
D. Respond to the request for exercising the data subject rights, such as the rights of access,rectification, deletion and opposition, limitation to the processing, portability of the data and not to be subject to automated individual decisions, in collaboration with the Processor.
E. Carry out, if appropriate, an assessment of the impact that the processing operations executed by the Processor have on the protection of personal data.
F. Ensure, before and during the processing, compliance with applicable regulations on data protection by the Processor.
G. Supervise the processing, including the performance of inspections and audits.
H. Communicate to the Processor any variation that may occur in the personal data provided, so that it can be updated.
A. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Processor will only process the personal data on documented instructions from the Controller.If the Data Processor considers that compliance with an instruction from the Controller could mean a breach of data protection regulations, Processor will immediately inform the Controller of such circumstances. In this communication, the Processor will ask the Controller to amend, withdraw or confirm the instruction given, and may suspend compliance until there is a decision by the Controller.
B. All personal data processed on behalf of the Controller shall remain property of the Controllerand/or the relevant Data subjects. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision there of to third parties and the storage duration of the data.
C. The Processor will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration ordisclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
Data collected on behalf of the Controller for the provision for the provision of the services described in the SAAS GENERAL TERMS OF SERVICE, will be pseudonymized, so that each Data Subject will be assigned a randomly-generated identification code and/or any other kind of pseudonymization technique in order to erase data that may directly or indirectly identify them particularly (e.g.anonymizing the last octet of the IP address).
D. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.
E. In the event of a security leak and/or the leaking of data, as referred to in article 34a of the GDPR, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavor that the furnished information is complete, correct and accurate. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
· the (suspected) cause of the leak;
· the (currently known and/or anticipated) consequences thereof;
· the (proposed) solution;
· the measures that have already been taken.
The Processor shall assist the Controller in relation to the obligation to notify personal data breaches in accordance with the RGPD (in particular, articles 33 and 34 of the RGPD) and any other applicable regulation, present or future, that modifies or complements such obligations.
F. Keep in writing, a record of processing activities carried out on behalf of the person in charge.
G. Not to communicate, disclose or transfer the personal data in its custody to third parties, not even for its conservation, unless it has the express authorization of the Controller. The Processor may communicate the data to other data processors.
H. Guarantee the adequate training in data protection of the employees authorized to process personal data. The Processor shall ensure that employees or other persons authorized to process the personal data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
J. Assist the Controller:
a) in the performance of audits or inspections, carried out by the Controller or by another auditor authorized by the Controller. The audits may be carried out periodically, in a planned or "ad hoc" way, at the most, once a year, unless there are circumstances that justify its realization exceeding this limit, and after notifying the Controller with 45 calendar days period of notice, during the Processor's usual working hours.
b) in carrying out impact assessment on the protection of personal data of the processing operations to be carried out by the Data Processor and, where appropriate, in conducting prior consultations with the supervisory authority.
K. Delete or return all the personal data to the Controller after the end of the provision of services relating to processing and delete existing copies unless Union or Member State law requires storage of the personal data. Processor may keep a copy with the data duly blocked, while responsibilities may arise from the execution of the Services. Take reasonable measures to periodically review the data held, and erase or anonymize it for statistical purposes when it is no longer needed.
L. Make available to the Controller, at its request, all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement.
The Processor shall only be responsible for processing the personal data in accordance with theController’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.
Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller willl defend,indemnify, and hold harmless the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data ProcessingClause and/or related with the breach of this Data Protection Addendum by the Controller . For further information, consult the Opinion 2/2010 on behavioral advertising of the Working Group of article 29.
The Processor is authorized within the framework of the SERVICE Provision Agreement to engagethird parties, without the prior approval of the Controller being required. Prior to the engagement,the Processor shall inform the Controller about the third party/parties engaged.
The Processor shall in any event ensure that such third parties will be obliged to agree in writing tothe same duties that are agreed between the Controller and the Processor.
Currently, MARFEEL has entered into a contract with the following service providers:
● SCALEWAY, SAS located in France which guarantees a high level of security and availability of the information systems and that provides data hosting services.
● HETZNER ONLINE GMBH located in Germany which guarantees a high level of security and availability of the information systems and that provides data hosting services.
● OVH HISPANO S.L., located in Spain which guarantees a high level of security and availability of the information systems and that provides data hosting services.
The Processor may process the personal data in countries outside the European Union or theEuropean economic area, only with subcontractors that guarantee an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Clause and the GDPR.
The Processor may transfer Personal data to its affiliates MARFEEL US, LLC., and MARFEEL COLOMBIA, S.A.S, located in the United States and in Colombia, respectively. Processor has subscribed Standard Contractual Clauses with its affiliates for the Transfer of Personal Data toProcessors Established in Third Countries approved by EC Commission Decision of 5 February 2010 or any successor clauses adopted in accordance with GDPR Article 28(8). Processor will ensure that data transfers to its affiliates outside the European Union will comply with the provisions stated in theGDPR.
1. The CLIENT is the sole responsible to determine its subjection to the California Consumer PrivacyAct of 2018 (“CCPA”). In case CCPA is applicable, the parties will be subject to the conditions set for thin this section.
2. This section reflects the Parties’ agreement in connection with CCPA and it shall apply to the extent that the CCPA applies to the CLIENT and only affects transactions of personal Information of consumers in California.
3. The PARTIES recognize that MARFEEL will act as CLIENT’s Service Provider (according to CCPA definition), so MARFEEL’s use or disclose of the Consumer Personal Information is limited to the specific purpose of performing the Services set forth in GENERAL TERMS OF SERVICE and in theOrder Form, on behalf of the CLIENT and those permitted under the CCPA for Service providers.
4. Each Party will be separately and individually responsible for complying with the CCPA with respect to the processing of Consumer Personal Information. The CLIENT warrants that, either it maintains an up-to-date and easily accessible privacy policy to Consumers which meets the requirements established by the CCPA, including the information regarding the mechanism toopt-out, or, when permitted, the transfer of data to MARFEEL, is based on an opt-in mechanism.
5. In the event that a Consumer has exercised the right to be excluded from the sale of his/her personal data to the CLIENT, it shall inform MARFEEL without undue delay. The CLIENT shall provide MARFEEL with all the necessary information to proceed with such use limitation.
6. MARFEEL may refuse to receive and use any Data if it reasonably believes that processing of suchData may infringe the CCPA, pose a risk of liability or harm to Consumers, MARFEEL or any ofMARFEEL’s agents or Customers.
7. MARFEEL may engage sub-providers to receive or transfer personal information as long as, when applicable: (i) each Subprovider warrants that it has the technical capability to receive, interpret, and comply with the CCPA and, if necessary for the performance of the applicable service, accurately re-transmit an “opt-out”; (ii) each such Subprovider is bound by a written agreement with MARFEEL that includes, and requires such Subprovider to comply with the obligations of MARFEEL as set for thin this section.
1. The parties agree that the processing of users located in the Federative Republic of Brazil(Hereinafter “Brazil”) shall be processed according to the following section and the Data ProcessingAgreement (DPA) found above of this document. In the event of any inconsistency between the DPAand this section, this section shall prevail.
2. The parties acknowledge that the CLIENT acts as a Controller (Controlador) of webpage user’spersonal data and that MARFEEL acts as a processor (Operador).
3. Personal data shall be processed by MARFEEL in accordance with the instructions imparted by theCLIENT. The CLIENT may verify the adherence of the instructions and the rules regulating MARFEEL.
4. MARFEEL does not collect any direct user identifiable information such as a name, e-mail address,etc. However, MARFEEL collects identifiers that, when used, may allow the identification of theindividual to whom the information in question may relate, such as online identifiers or location data.MARFEEL has implemented measures to prevent user identification.
5.MARFEEL, when acting as a processor, shall act according to the provisions of the LGPD and will beresponsible for any damages caused by the processing when it does not comply with the obligationsstated in Data Protection Legislation or when it has not followed the controller’s lawful instructions,in which case, MARFEEL will be deemed equivalent to the controller, except in cases of exclusion asprovided in LGPD.
6. The identity and contact details of the Data Protection Officer, for the purpose of Section II,Chapter VI of the LGPD are as follows:
E-mail: dpo@marfeel.com
Phone: +34 93 178 59 50
Address: Avenida Josep Tarradellas, 20-30, sixth floor. 08029 – Barcelona