Data Processing Agreement

This Data Processing Agreement is version no. 1, last updated 28.11.2022

1. Subject Matter and Duration of the Contract

(1) Subject matter
The subject matter of the Agreement regarding the processing of data is the execution of the services or tasks by the Supplier as follows:

  • Passendo shall make a marketing and ad-serving platform available to the Publisher, through which the Publisher can enrich email newsletters, websites and other mediums with advertisements, commercials and other marketing messages (including both targeted and untargeted marketing materials).
  • The Publisher will send these emails to its own customers and other people who have agreed to receive newsletters, advertisements and any other marketing materials (both targeted and general marketing materials) from the Publisher.
  • Passendo shall make an ‘exchange’ available to the Publisher, through which the Publisher can enrich its newsletters and advertisement letters etc. with campaigns, advertisements etc. from one or more of Passendo’s advertising customers.
  • If the recipients of these emails interact with the marketing messages contained within (e.g. by clicking on the advertisements), they will or might be directed to a webpage of the Advertiser’s choice. The Advertiser does not collect any personal data from the Passendo platform during this process.
  • On behalf of the Publisher, Passendo can match hashed email addresses or other hashed personal data (specified below herein) with hashed data from Passendo advertisers to improve the relevancy of the advertising for readers and the campaign targeting for advertisers. It is the Publisher’s responsibility to have gained consent from the data subject for the appropriate purposes.
  • Passendo makes campaign targeting and reporting based on matching one-way hashed email addresses (SHA256) in segmented form from the Publisher with data segments collected on other platforms. Hashing is a pseudonymisation measure, not anonymisation: the hash of a known address can be recomputed and matched against the segment, so the hashed values remain personal data within the meaning of the GDPR.
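The hashed-identifier matching described in the bullets above (and restated in section 3(4)) is illustrated here with an added example; this is editorial illustration code, not Passendo's implementation, and the sample addresses, the candidate guess list and the shared key are constructed assumptions. It shows the three steps a practitioner cares about: canonicalising the address before hashing (otherwise the two parties never match), intersecting the two hashed segments, and then the reason the hash is pseudonymous rather than anonymous: anyone holding the hashes and a list of plausible addresses recovers the plaintext. A keyed variant (HMAC-SHA256 with a secret shared only between the matching parties) is included as a hardening suggestion that the agreement itself does not describe.

```python
"""Hashed-email segment matching, with the dictionary-recovery caveat (added example)."""
import hashlib
import hmac

# Constructed sample data (not from the agreement): a Publisher's newsletter
# recipients and an Advertiser's customer list, each hashed before exchange.
PUBLISHER_EMAILS = ["Alice@Example.com ", "bob@example.org", "dave@example.net"]
ADVERTISER_EMAILS = ["alice@example.com", "carol@example.net"]

# Constructed guess list: what any party holding only the hashes might try.
CANDIDATE_DICTIONARY = ["alice@example.com", "bob@example.org", "eve@example.org"]


def normalize_email(addr: str) -> str:
    """Canonicalise so both parties hash the identical byte string.
    Without this, 'Alice@Example.com ' and 'alice@example.com' never match."""
    return addr.strip().lower()


def hash_email(addr: str, algorithm: str = "sha256") -> str:
    """Unkeyed one-way hash of the normalised address. SHA-256 by default;
    MD5 is also named in the DPA but is deprecated and gives no extra protection
    here, because the weakness is dictionary recovery, not collision resistance."""
    return hashlib.new(algorithm, normalize_email(addr).encode("utf-8")).hexdigest()


def hashed_segment(emails, algorithm: str = "sha256") -> set:
    """The 'segmented form' exchanged between the parties: hashes only."""
    return {hash_email(e, algorithm) for e in emails}


def match_segments(publisher_emails, advertiser_emails, algorithm: str = "sha256"):
    """Overlap of the two hashed segments: the basis for targeting and reporting."""
    return sorted(hashed_segment(publisher_emails, algorithm)
                  & hashed_segment(advertiser_emails, algorithm))


def recover_from_dictionary(target_hashes, candidates, algorithm: str = "sha256"):
    """Why a plain hash is pseudonymisation, not anonymisation: recompute the
    hash of each plausible address and read the match back. Returns {hash: email}."""
    targets = set(target_hashes)
    return {hash_email(c, algorithm): normalize_email(c)
            for c in candidates if hash_email(c, algorithm) in targets}


def hash_email_keyed(addr: str, key: bytes) -> str:
    """Hardening suggestion (assumption, not in the DPA): HMAC-SHA256 with a
    secret known only to the matching parties. Without the key the dictionary
    attack above cannot be run; the key is the separately stored 'additional
    information' that the GDPR notion of pseudonymisation refers to."""
    return hmac.new(key, normalize_email(addr).encode("utf-8"), "sha256").hexdigest()


def match_segments_keyed(publisher_emails, advertiser_emails, key: bytes):
    """Same intersection as match_segments, over keyed hashes."""
    pub = {hash_email_keyed(e, key) for e in publisher_emails}
    adv = {hash_email_keyed(e, key) for e in advertiser_emails}
    return sorted(pub & adv)


if __name__ == "__main__":
    matches = match_segments(PUBLISHER_EMAILS, ADVERTISER_EMAILS)
    print("overlap (unkeyed):", matches)
    print("recovered from plain hashes:", recover_from_dictionary(matches, CANDIDATE_DICTIONARY))
    key = b"example-shared-secret"  # assumption: agreed out of band between the parties
    keyed = match_segments_keyed(PUBLISHER_EMAILS, ADVERTISER_EMAILS, key)
    print("overlap (keyed):", keyed)
    print("recovered from keyed hashes:", recover_from_dictionary(keyed, CANDIDATE_DICTIONARY))
```

Running the script shows the unkeyed overlap being read back to `alice@example.com` from the guess list, while the keyed overlap yields nothing to a party without the key. Note that a keyed scheme only helps if the advertiser-side data is hashed with the same key, which is a contractual and key-management question rather than a purely technical one.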


(2) Duration

The Contract is entered into for an unlimited period and can be cancelled by either Party at the end of each term, provided notice is received at least 90 days before the end of the term. This does not prejudice the right to terminate other contracts between the Parties with or without notice.

2. Specification of the Contract Details

(1) Nature and Purpose of the intended Processing of Data
Detailed description of the subject matter with regard to the nature and purpose of the services provided by the Supplier is as follows:

  • The Contract includes that Passendo, in connection with making an email ad server available to the Publisher, shall exclusively process general personal data specified below.

The undertaking of the contractually agreed processing of data shall be carried out exclusively within the territory of the member states of the European Union (EU) or within the territory of the member states of the European Economic Area (EEA). Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement (i.e. direct and explicit consent) of the Publisher (as well as the explicit and direct consent of the data subject) and shall only occur if the specific conditions of Article 44 et seq. of the GDPR have been fulfilled. An adequate level of protection (appropriate safeguards) is deemed to exist in such a non-member state of the EU or EEA if it:

  • has been decided (approved) by the European Commission (Article 45 Paragraph 3 of the GDPR); or
  • is the result of adopted binding corporate rules (Article 46 Paragraph 2 Point b in conjunction with Article 47 of the GDPR); or
  • is the result of standard data protection clauses being signed between the Parties (Article 46 Paragraph 2 Points c and d of the GDPR); or
  • is the result of approved codes of conduct (Article 46 Paragraph 2 Point e in conjunction with Article 40 of the GDPR); or
  • is the result of an approved certification mechanism. (Article 46 Paragraph 2 Point f in conjunction with Article 42 of the GDPR); or
  • is established by other means relevant in accordance with the GDPR (e.g. Article 46 Paragraph 2 Point a, Paragraph 3 Points a and b of the GDPR).


Notwithstanding anything to the contrary stated in this Section 2, Passendo shall always act as a data processor (or sub-processor, if applicable) on behalf of the Publisher (i.e. the data controller or main data processor), and the Publisher acknowledges and agrees to this to the fullest possible extent, unless (i) otherwise agreed separately with the Publisher, and/or (ii) otherwise required by the applicable law, including the GDPR, and/or (iii) otherwise defined internally by Passendo's various data protection and privacy policies as amended from time to time.

(2) Type of data
The type of personal data used is precisely defined here below. The subject matter of the processing of personal data comprises the following data types/categories (list/description of the data categories):

  • One-way hashed version of the email address (SHA256 or MD5), used as the matching key;
  • A history of that user’s activity on the Passendo platform;
    • What newsletters were opened by that user;
    • Which campaigns were shown to the user at what point;
    • Which campaigns the user clicked at what point;
    • Any potential activity the user had with that campaign in third party systems (Post-click activity).


(3) Categories of data subjects

The categories of data subjects comprise:

  • The recipients of the email newsletters sent by Passendo’s Publishers.

3. Technical and Organisational Measures

(1) If requested by the Publisher before the commencement of processing personal data under this Contract, Passendo shall document the execution of the necessary technical and organisational measures, set out in advance of the awarding of the Contract, specifically with regard to the detailed execution of the Contract, and shall present these documented measures to the Publisher for inspection. Upon acceptance by the Publisher, the documented measures become the foundation of the Contract. If the inspection/audit by the Publisher shows the need for amendments, such amendments shall be implemented by mutual agreement between the Publisher and the Supplier without any unreasonable delay.
(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 of the GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 of the GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 of the GDPR must be taken into account.
(3) The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
(4) Passendo makes campaign targeting and reporting based on matching one-way hashed email addresses in segmented form from the Publisher with data segments collected on other platforms.

4. Rectification, Restriction and Erasure of Data

(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Publisher, but only on documented instructions from the Publisher or if the applicable law demands so.
If a data subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the data subject’s request to the Publisher.
(2) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Publisher without undue delay.

5. Quality Assurance and Other Duties of the Supplier

(1) In addition to complying with the rules set out in this Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 of the GDPR; accordingly, the Supplier will do its best in order to ensure, in particular, compliance with the following requirements if required by the applicable law and in particular the GDPR:

  1. The appointed Data Protection Officer (DPO) (if one has been appointed), who performs his/her duties in compliance with Articles 38 and 39 of the GDPR. The Publisher shall be informed of his/her contact details for the purpose of direct contact, and shall be informed immediately of any change of DPO. His/her current contact details are always available and easily accessible on the website of the Supplier or by other means.
  2. The Supplier may not be obliged to appoint a DPO. The Supplier, however, will designate an authorized person as the contact person on behalf of the Supplier.
  3. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 of the GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Publisher, which includes the powers granted in this contract, unless required to do so by law.
  4. Implementation of and compliance with all technical and organisational measures necessary for this Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 of the GDPR.
  5. The Publisher and the Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks.
  6. The Publisher shall be informed immediately of any inspections and measures conducted by the national or other local supervisory authority, insofar as they relate to this Contract. This also applies if the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the processing of personal data in connection with the processing of this Contract.
  7. Insofar, as the Publisher is subject to inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the Contract data processing by the Supplier, the Supplier shall make every effort to support the Publisher.
  8. The Supplier shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject. The Publisher and the Supplier are both obligated to comply with relevant AML/CTF legal rules.
  9. Verifiability of the technical and organizational measures, as inspected by the Publisher under the Publisher's supervisory powers referred to in section 7 of this Contract.

6. Subcontracting

(1) Subcontracting for the purpose of this Contract is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and data security of the Publisher’s data, even in the case of outsourced ancillary services.
(2) The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Publisher.

  1. Subcontracting is not permitted if the applicable law or GDPR prohibits so.
  2. The Publisher agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 of the GDPR:
  3. Outsourcing to subcontractors or changing the existing subcontractor are permissible when:
    • the Supplier submits such an outsourcing to a subcontractor to the Publisher in writing or in text form with appropriate advance notice; and
    • the Publisher has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
    • the subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 of the GDPR.


(3) The transfer of personal data from the Publisher to the subcontractor, and the subcontractor's commencement of the data processing, shall only be undertaken after compliance with all requirements has been achieved.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with the EU data protection regulations (i.e. the GDPR) by appropriate measures.
(5) Further outsourcing by the subcontractor:

  • is not permitted if it is prohibited by the applicable law or the GDPR; and
  • otherwise requires the explicit and direct consent of the Publisher (at the minimum in text form) as well as the explicit and direct consent of the Supplier (at the minimum in text form).


All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7. Supervisory Powers of the Publisher

(1) The Publisher has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of the Supplier's compliance with this Contract in its business operations by means of random checks, which are ordinarily to be announced in good time.
(2) The Supplier shall ensure that the Publisher is able to verify compliance with the obligations of the Supplier in accordance with Article 28 of the GDPR. The Supplier undertakes to give the Publisher the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
(3) Evidence of such measures, which concern not only the specific Contract, may be provided by:

  • compliance with approved codes of conduct pursuant to Article 40 of the GDPR;
  • certification according to an approved certification procedure in accordance with Article 42 of the GDPR;
  • current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
  • a suitable certification by an IT security or data protection audit (e.g. according to the national data protection authority, the Danish Data Protection Authority) or ISO/IEC 27001 compliance.


(4) The Supplier may claim remuneration for enabling Publisher inspections.

8. Communication in the Case of Infringements by the Supplier

(1) The Supplier shall assist the Publisher in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include, but are not limited to:

  1. Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  2. The obligation to report a personal data breach immediately to the Publisher.
  3. The duty to assist the Publisher with regard to the Publisher’s obligation to provide information to the data subject concerned and to immediately provide the Publisher with all relevant information in this regard.
  4. Supporting the Publisher with its data protection impact assessment
  5. Supporting the Publisher with regard to prior consultation of the supervisory authority.


(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. Authority of the Publisher to Issue Instructions

(1) The Publisher shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Publisher immediately if it considers that an instruction violates data protection regulations (e.g. the GDPR). The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Publisher confirms or changes them.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Publisher, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Publisher, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Publisher or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which is used to demonstrate orderly data processing in accordance with the Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Publisher at the end of the contract duration to relieve the Supplier of this contractual obligation.
(4) If the Service Agreement and/or the Contract are terminated, Passendo is obligated to delete the processed personal data immediately after the expiry of the period of notice.

11. General and Other Additional Provisions
Obligations of the Publisher (additional provisions).

The Publisher shall be responsible for ensuring that the processing of personal data in accordance with the Contract complies with the requirements of legislation that is applicable at any given time, including that the Publisher, if required by legislation, has obtained personal data through valid statements of consent. The Publisher is obligated to take sufficient organizational and security measures to prevent personal data covered by the Contract from being unintentionally or illegally destroyed, lost or deteriorated, and to prevent it from becoming known to unauthorized persons, being misused or otherwise processed in violation of the law. The Publisher shall ensure that Passendo, as part of the Contract, does not process personal data other than the general personal data specified in section 2 of the Contract, unless otherwise agreed by the Parties.

Termination (additional provisions). The Contract shall remain in force as long as the Service Agreement is applicable. The Contract may only be applicable as long as the Service Agreement is applicable.
If the Service Agreement between the Publisher and Passendo is terminated, cancelled or is otherwise annulled, the Contract shall also be terminated.
The Contract is entered into for an unlimited period and can be cancelled by either Party at the end of each term, provided notice is received at least 90 days before the end of the term. This does not prejudice the right to terminate other contracts between the Parties with or without notice.
The Contract may be terminated by both Parties in accordance with the same conditions as in the Service Agreement.
If a breach of security at Passendo results in personal data covered by the Contract being compromised or leaked to a serious degree, and Passendo, after a demand made by the Publisher, has not implemented sufficient security measures both to limit the damage resulting from the breach and to prevent similar events, the Publisher has the right to terminate the Service Agreement and the Contract with immediate effect.
If the processing of personal data covered by the Contract does not comply with legislation that is applicable at any given time, and this is due to conditions at the one Party, and the processing is not made legal within a reasonable time after a demand made by the other Party, the other Party may terminate the Service Agreement and the Contract with immediate effect.

Conflicts and disputes. In case of a conflict between the Contract and other agreements entered into between the Parties, including the Service Agreement, the provisions in the Contract take precedence.

Applicable law. The Contract (including every question regarding the applicability of the Contract) shall be governed by Danish law. The court of law is the city court of Copenhagen, Denmark.

Signatures. Two identical copies of the Contract shall be signed by the Parties, and each Party shall retain one copy. Each Party shall retain the Contract for five years after the Contract’s expiry.

APPENDIX
to the Data Processing Agreement
TECHNICAL AND ORGANISATIONAL MEASURES

12. Confidentiality (Article 32 Paragraph 1 Point b of the GDPR)

  • Physical access control

No unauthorized access to data processing facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems.

  • Electronic access control

No unauthorized use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.

  • Internal access control (permissions for user rights of access to and amendment of data)

No unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events.

  • Isolation control

The isolated processing of data which is collected for differing purposes, e.g. multi-client (multi-Publisher) separation, sandboxing.

  • Pseudonymisation (Article 32 Paragraph 1 Point a of the GDPR; Article 25 Paragraph 1 of the GDPR)

The processing of personal data in such a method/way, that the data cannot be associated with a specific data subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

13. Integrity (Article 32 Paragraph 1 Point b of the GDPR)

  • Data transfer control

No unauthorized reading, copying, changes or deletions of data with electronic transfer or transport, e.g.: encryption, virtual private networks (VPN), electronic signature;

  • Data entry control

Verification, whether and by whom personal data is entered into a data processing system, is changed or deleted, e.g.: logging, document management.

14. Availability and Resilience (Article 32 Paragraph 1 Point b of the GDPR)

  • Availability control

Prevention of accidental or wilful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning.

  • Rapid recovery (Article 32 Paragraph 1 Point c of the GDPR).

15. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 of the GDPR)

  • Data protection management;
  • Incident response management;
  • Data protection by design and default (Article 25 Paragraph 2 of the GDPR);
  • Contract control


No third party data processing as per Article 28 of the GDPR without corresponding instructions from the Publisher, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.

Do you have more questions?

Contact our Support Team support@passendo.com directly, to get them answered.
