Data Protection Policy
These Data Protection Terms and Conditions form part of the agreement between the Media Company and the Advertiser (each as defined below) and govern the processing of Personal Data carried out in connection with the Services.
1. Definitions
1.1 Core terms. "Process / Processing", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Special Categories of Personal Data" have the meanings given to them in the applicable Data Protection Laws.
1.1.2 Data Protection Laws means the EU Data Protection Directive 95/46/EC (until 25 May 2018) and the GDPR (from 25 May 2018); laws implementing Directive 2002/58/EC (the ePrivacy Directive); the California Consumer Privacy Act, 2018 (CCPA); and any other applicable data protection or privacy laws.
1.1.3 EEA means the European Economic Area.
1.1.4 Personal Data means data provided by the Media Company to the Advertiser, including segment data (demographic, behavioural, contextual) or query string data.
1.1.5 Services means the services provided by the Advertiser to the Media Company under the Agreement.
1.1.6 Sites means the digital properties through which the Services are provided or Personal Data is collected.
1.1.7 Standard Contractual Clauses means the clauses for transferring personal data to third-country processors as approved by the European Commission.
1.1.8 Subprocessor means any Data Processor appointed by the Advertiser to process Personal Data on behalf of the Media Company.
2. Scope of Processing
2.1 The Media Company instructs the Advertiser to process Personal Data as needed to provide the Services.
2.2 The Advertiser may collect data about end users through cookies, browser cache, unique identifiers, web beacons, pixels, and similar tracking technologies.
3. Compliance with Data Protection Laws
3.1 Both parties agree to comply with applicable Data Protection Laws and these Terms.
3.2 The parties will provide reasonable assistance and cooperation to support compliance, exchanging information regarding potential non-compliance and taking remedial steps.
3.3 The Media Company is responsible for obtaining Data Subject consent for processing and cookie usage where required by law.
3.4 The Media Company ensures its Sites contain appropriate notifications describing Personal Data processing, its purposes, and the mechanisms for opt-out elections under the CCPA.
4. Advertiser Personnel
The Advertiser ensures that authorised personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
The Advertiser implements appropriate technical and organisational measures for the processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of processing; and the severity of risk.
6. Subprocessing
6.1.1 Advertiser–Subprocessor agreements must include terms that are materially as protective as these Terms.
6.1.2 The Advertiser updates Subprocessor lists, giving the Media Company the opportunity to object on compliance grounds. The Media Company may terminate affected services within 30 days without liability.
6.2 The Advertiser remains fully liable for the performance of its Subprocessors.
7. Data Subject Rights
7.1 The Advertiser promptly notifies the Media Company of Data Subject requests made under Data Protection Laws.
7.2 The Advertiser cooperates to enable the Media Company to fulfil Data Subject rights (deletion, access, and so on).
7.3 If the Media Company's cooperation fails, the Advertiser may respond to well-founded requests, confirming its role and addressing access, rectification, erasure, or restriction requests.
8. Personal Data Breach
The Data Breaching Party must notify the Non-Data Breaching Party within 48 hours, providing breach details, investigation information, consequences, and remedial measures. Cooperation continues with updates and notification of supervisory authorities or Data Subjects where required.
9. Data Protection Impact Assessment
The Advertiser provides reasonable assistance with Data Protection Impact Assessments required under applicable laws.
10. Deletion or Return of Personal Data
10.1 The Advertiser deletes all copies of Personal Data after termination of the Agreement.
10.2 The Advertiser may retain Personal Data only as required by law, ensuring confidentiality and processing it only for the legally specified purposes.
11. Audit Rights
11.1 The Advertiser provides information demonstrating compliance and allows audits by the Media Company or its mandated auditors.
11.2 Auditors execute confidentiality agreements. The Media Company provides four weeks' notice, minimises disruption, and pays reasonable Advertiser costs unless a material breach is found.
11.3 The Advertiser immediately notifies the Media Company if audit instructions would violate Data Protection Laws.
12. International Transfers
12.1 Appropriate data-transfer mechanisms are implemented for Personal Data transferred outside the EEA.
12.2 For transfers to non-adequate jurisdictions, the Media Company instructs the Advertiser to either certify compliance under an approved framework (12.2.1) or sign EU-approved Standard Contractual Clauses (12.2.2).
13. General Terms
13.1 The parties promptly notify each other of Data Protection Law claims or complaints from Data Subjects.
13.2 If changes in Data Protection Law require service modifications, the parties negotiate in good faith. Either party may terminate without liability if the changes cause material harm.
13.3 These Terms prevail over other agreements regarding data protection obligations.
13.4 Invalid provisions are severable; the remaining Terms stay valid and enforceable.
13.5 The Advertiser may revise these Terms by publishing them on its website. The Media Company may reject changes within 30 days, after which the Advertiser may terminate without liability.
Nina Data Ltd · Tammasaarenkatu 1, 00180 Helsinki, Finland · sales@ninadata.io