Last Updated: 18.03.2025
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between Advertoria (the “Processor”) and the customer (the “Controller”) and applies to the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
Terms used in this DPA shall have the meanings assigned to them in the GDPR (Regulation (EU) 2016/679).
2. Processing of Personal Data
2.1 Purpose
The Processor shall process personal data only for the purpose of providing the Services as described in the Terms and Conditions and in accordance with the Controller’s documented instructions.
2.2 Duration
This DPA shall remain in effect for the duration of the agreement between the parties for the provision of Services.
2.3 Categories of Data
The personal data processed may include, but is not limited to:
- Contact information (name, email, phone number)
- Professional information (job title, company)
- Content provided for advertorial creation
2.4 Data Subjects
The personal data processed may concern the following categories of data subjects:
- Controller’s employees
- Controller’s customers
- Controller’s marketing targets
3. Obligations of the Processor
3.1 Confidentiality
The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Security
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Regular testing, assessing, and evaluating the effectiveness of security measures
3.3 Sub-processors
The Processor shall not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors.
3.4 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests for exercising the data subject’s rights under the GDPR.
3.5 Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and shall assist the Controller in ensuring compliance with obligations related to the security of personal data.
3.6 Data Protection Impact Assessment
The Processor shall provide assistance to the Controller for any data protection impact assessments that may be required.
3.7 Return or Deletion of Data
At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage of the personal data.
3.8 Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Obligations of the Controller
4.1 Lawful Instructions
The Controller shall ensure that instructions given to the Processor regarding the processing of personal data comply with the GDPR and other applicable data protection laws.
4.2 Lawful Basis
The Controller is responsible for ensuring that a lawful basis exists for the processing of personal data.
5. International Transfers
The Processor shall not transfer personal data to a third country or an international organization unless instructed to do so by the Controller or required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing.
6. General Provisions
6.1 Governing Law
This DPA shall be governed by the laws of Finland.
6.2 Amendments
Any amendments to this DPA shall be in writing and signed by both parties.
6.3 Severability
Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force.
Contact Information
For any matters related to this DPA, please contact: Email: privacy@advertoria.com