Free LIVE Webinar Cross-device attribution without cookies: accurate measurement for tomorrow’s marketing Register here





Data Processing Agreement


Annex No. 1 to the Terms and Conditions: Data Processing Agreement

By this document, we as a processor process the data collected by you as a data controller in accordance with applicable legislation, based on your instructions and on your behalf, in accordance with the purpose of the Agreement on provision of Roivenue Services and under the conditions set out herein. 

1. Introductory provisions 

1.1 Subject matter. These are the terms for the processing Incoming Data as well as other data that we will be receiving from you for the purpose of providing you with Roivenue Services in accordance with the Agreement on provision of Roivenue Services. 

1.2 Definitions. This Annex is using the same definitions as the Terms, including the subject of us, Roivenue s.r.o., and you, our Client, the contracting parties of the Agreement on provision of Roivenue Services. 

1.3 Types of data we process. For the purposes of the Agreement, we will generally process Incoming Data as both the data coming directly from you and from the analytical and marketing platforms such as Microsoft Ads, AdForm, Google Analytics, Meta, Google Ads etc. used by you. This list is not at all closed and its scope may vary regarding provided Roivenue Services. 

1.4 Personal Data processing. If you will be sending us Incoming Data or other data that you consider as personal data, this Annex is to that scope concluded as Data Processing Agreement within the meaning of Art. 28 et seq. of GDPR where you are a data controller, and we act as the processor with the meaning of GDPR.  

1.5 Non-personal data processing. If you are sending us data you consider as non-personal data, this Annex is to that scope concluded as non-personal data processing agreement and is subject to following terms.  

1.6 Part of the Agreement. This Annex is an integral part of the Terms and Conditions and therefore as well as the part of the Agreement we have concluded. 

1.7 Duration of provision. The processing will be happening during the Duration of provision of the Agreement.   

2. General terms for the processing of the data. 

2.1 Purpose. You are obliged to set the purpose for such data processing to which the data transfer is connected in line with the Agreement.  

2.2 Purpose limitation. There is no other Purpose for the data processing. You agree only to send us data that you want to process while receiving Roivenue Services that are being provided in accordance with the Agreement, only to the extent and for the period necessary to fulfil such Purpose. If it is ascertained other data exceeding the purpose has been provided, we will not process it and we are entitled to immediately remove it from our databases and storages without replacement. 

2.3 Processing only upon instructions. We are processing the data only upon your explicit instruction and on your behalf. The instruction may take place in a technical way, such as sending us string containing the information that we can start with the data processing. The processing is taking place under the conditions set out in the Agreement.  

2.4 No processing of special categories personal data. In no scenario you will instruct us to process data that could be deemed to fall within the scope of any of the special categories of personal data under the GDPR. If it is ascertained that any data that could be deemed to fall within this category has been provided, we have the right to not handle this personal data in any way and are entitled to remove it immediately from our databases and storage sites without replacement. You are obliged to compensate us any damage incurred because of this breach of your obligation according to this paragraph, including any penalties imposed on us by the data protection authorities. 

2.5 No profiling. The processing is carried out as automated activities performed by our Attribution Code in the form of collecting the provided data, their storage, combinations, filtering and evaluation. Such processing does not constitute Automated individual decision-making, including profiling of an individual data subject in accordance with Art. 22 of the GDPR. 

2.6 Information and transparency. Where required by the applicable legal regulation, you undertake to inform the data subjects that you utilize our Roivenue Services and that we are acting as a processor in processing for the purpose. Same applies for informing the original data controller if you act as a processor and you are including us as your sub-processor.  

2.7 Using of sub-processors. You grant us the right to engage other sub-processors, which could be regarded as other processors under the GDPR provided that such persons will perform activities in line with the Purpose and its limitations. You may always request the information of the current status of the sub-processors, and we agree to inform you the of any changes in these sub-processors. We ensure that our sub-processors are enabled to comply fully with the obligations under the Agreement and applicable privacy law and shall be in all cases fully responsible and liable for the consequences of the acts and omissions of its staff, agents and/or sub-processors giving rise to any non-compliance with the provisions of this Agreement.  

2.8 Storage and backups of the data. For the data provided in line with this Data Processing Agreement, we may use the allocated capacity of cloud storages to which we hold the rights. We are also entitled in line with the Agreement and provided Roivenue Services to store here backups of such provided data. If we find out that this allocated capacity is being used by you for any other content then for data provided in accordance with this Data Processing Agreement, we are entitled to immediately remove it from the cloud storage without compensation and consider such situation as breach of your obligations.  

2.9 Cookies and online identifiers. You are obliged to send us only the data from the cookies and other online identifiers that were gathered by you in compliance with the applicable legal regulations. This may include implemented Cookie Management Platform complying with the information obligation and/or functional active consent.  

2.10 Cooperation while complying to the data subject rights. We will provide you with reasonable cooperation in complying with your obligation to respond to requests by the data subject under the GDPR. We will also assist you in complying with your GDPR obligations within the scope corresponding to the provided data and our activities under the Agreement. However, you are not entitled to transfer the performance of your own obligations under the GDPR. 

3. Technical and organisational measures 

3.1 General security measures. We have in place measures to protect the provided data. These measures including access control and administration of the IT environment, pseudonymisation and encryption as well as security incident management are subject to our internal policies, and you can request their overview anytime during the Duration of provision. Irrespective of any other measures, we represent that we have adequate resources, experience and knowledge to enable properly perform the provisions of this Data Processing Agreement, including the provision of sufficient safeguards to implement appropriate technical and organisational measures for the processing of Personal Data so that the processing of Personal Data complies with the requirements set out in the applicable regulations. 

3.2 No transfer to third countries. We are using third-parties data storages and servers that are located within European Economic Area unless agreed otherwise. If you are from the EU, we will not transfer any data to third countries or to an international organization nor are obliged to do so by virtue of the legal regulations applicable to us.  

3.3 Confidentiality of employees and other processors. We ensure confidentiality by all our employees who, in the performance of their activities, come or could meet data that you are providing for the Purpose. This obligation of the Provider also applies if the Provider performs the processing using persons other than its employees, including other processors, if any.  

4. Responsibility & liability for the data 

4.1 Your responsibility for the data provided. As data controller, you bear full responsibility and liability for the accuracy, completeness, and currency of all personal data provided to us. We assume no responsibility for any damages or losses arising from inaccuracies, incompleteness, or outdatedness of the provided data. We shall not be held liable for any direct, indirect, incidental, special, or consequential damages resulting from the use or inability to use the provided personal data, unless such damages are caused by our wilful misconduct or gross negligence. 

4.2 Breach of your obligations. In the event of breach of your obligations arising from this Agreement or applicable legislation, you are fully liable for any sanctions, fines or other penalties imposed by the competent authorities. We shall not be liable for any consequences arising from such breaches unless they are caused by our wilful misconduct or gross negligence. 

4.3 Reimbursements. You are obliged to compensate us for any damages incurred because of breach of your obligations, no matter if arising the Agreement or from applicable legislation, including any penalties imposed on us by the competent authorities because of processing any data that you gathered in a noncompliant way before transferring it to us. 

5. Incident management 

5.1 Incident. Our technical and organisational measures include preventing change of the data and destruction or its loss, unauthorized transfer, unauthorised processing, as well as other misuse of such data. We also prevent any unauthorized or accidental access unless it is via your User Account happening on the purpose of lack of security on your side. If any of the above occurs in relation to the Personal Data, we will treat such situations as an “Incident”.  

5.2 Information obligation. If Incident occurs, we agree to inform you about it without delay so you can comply with the deadlines for their notification under the GDPR, if required. To the extent that we are technically able, we will also provide you with the necessary documentation so you can properly inform the data subject of the incident in accordance with Article 34(3) of the GDPR. 

5.3 Cooperation in investigation. While we will be investigating the Incident and its origin, you agree to cooperate with us in respect to any and all inquiries from any regulatory, government or the supervisory authority.  

6. Compliance verification 

6.1 General verification. You have the right to verify our compliance with the obligations under the Agreement by requesting any information relating to the provided data considered as personal. 

6.2 Inspections. We allow you to inspect our adopted technical and organizational measures for the purpose of the Agreement on any business day between 10:00 a.m. and 4:00 p.m. based on your prior notice given fifteen business days before the inspection. We agree to provide you with the assistance during this inspection. We undertake to provide the same cooperation in the inspection to the person authorised by you to carry out such inspection and to present such authorisation to us. Once you perform an inspection, you are not entitled to run another within next 3 months and you are also obliged to provide us with the final report from such inspection. 

6.3 Audit: notification and preparation. In case an Incident occurred, or you have reasonable grounds to suspect that there is a breach of our obligations in relation to the personal data processed, you have the right to audit us with respect to our compliance of the data processing with the GDPR and the Agreement. You need to prior notify us that you want to conduct such audit no later than in three days after the Incident occurred or from the moment you have those reasonable grounds. The prior notice needs to be given at least seven business days before the audit. The audit may be carried out by you as well as any other persons authorised by you. When notifying us about the audit, you need to provide us with the details of the persons carrying out the audit. We are not obliged or entitled to provide any information to persons other than those communicated in the notification, except for persons who are involved or participating in the audit by virtue of the exercise of public authority (e.g. persons authorised by the relevant supervisory authority, etc.). An audit may be conducted remotely, on-site or by sending our specific certification.  

6.4 Audit: process. During audit, we undertake to cooperate with the auditors and a) provide the requested information in our possession without further delay, b) secure the requested information from the other processor involved in the respective processing without further delay, c) provide them with the access to the available premises where personal data are processed under the provisions of the Agreement, d) allow inspection and testing of all available equipment and documentation used in connection with the processing of personal data, e) provide the auditors with other requested available information or documents if necessary to carry out the audit. 

6.5 Audit: final report. After audit, you are obliged to provide us with the conducted report on the provided audit including the results from the audit. You warrant us with the right and sufficient time to comment on this audit and that these comments will be considered and incorporated into the audit report, at a minimum, by attaching them to this audit report as a preparer’s statement.

Learn how we helped 100 top brands gain success