Data Processing Addendum for Publishers
The terms of this Data Processing Addendum for Publishers (“DPA” or “Addendum”) apply between Adtelligent Inc. (“Adtelligent”) and you (“Publisher”), and form part of all agreements between the parties relating to the subject matter of this Addendum (each, an “Agreement”). This Addendum is effective as of the date on which it is signed or otherwise adopted by both parties (“Effective Date”).
The terms in this Addendum shall only apply to the extent Adtelligent collects or otherwise processes Data (including Personal Data) protected or otherwise regulated by European Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.
This Addendum shall be incorporated into the Agreement and shall be binding on the parties.
1. CONFLICT
1.1 In the event of any conflict between the provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall take precedence.
2. DEFINITIONS AND INTERPRETATION
2.1 In this DPA, the following terms shall have the meanings set out below:
“Adequacy Mechanism” has the meaning described in clause 4.2 hereof.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data.
“Data” has the meaning given to it in clause 3.1 hereof.
“Demand Partners” means Adtelligent’s media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies, agency trading desks, and ad networks.
“European Data Protection Law” means, as applicable to a party in its Processing of Data: (i) Regulation (EU) 2016/679 (the European General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); and (v) in respect of the United Kingdom, the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (together, “UK Privacy Law”); in each case, as may be amended, superseded or replaced from time to time.
“Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, and Switzerland.
“Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable European Data Protection Law.
“Privacy Requirements” means: (i) European Data Protection Law, as applicable to Publisher, Adtelligent, its Demand Partners, and their respective processing of Data hereunder; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the rules, codes, and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI), and IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced).
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce (as may be amended, superseded or replaced).
“Publisher Property” has the meaning given to it in the Agreement or, if not set forth in the Agreement, means the websites, mobile applications and/or other digital media properties owned or operated by the Publisher and accessible through the Adtelligent Services or via which Personal Data used in connection with the Adtelligent Services is collected.
“Services” has the meaning given to it in the Agreement or, if not set forth in the Agreement, means Adtelligent’s online advertising services, products and features described in the Adtelligent Terms of Service.
“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“Tracking Technologies” means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.
“Privacy Statement” means the Adtelligent Privacy Statement available at https://adtelligent.com/privacy-policy/ (as updated or amended from time to time).
“Standard Contractual Clauses” means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
The terms “data subject”, “processing” (and “process”) shall have the meanings given to them in European Data Protection Law.
3. DATA PROTECTION
3.1 Scope of processing
Unless otherwise and separately agreed between the parties, the parties agree and understand that: (i) in connection with the Adtelligent Services, Adtelligent may collect or otherwise receive data (including Personal Data) about or related to end users of the Publisher Properties, as more particularly described in Annex A of this Addendum (collectively, “Data”); (ii) Adtelligent and its Demand Partners use Tracking Technologies in order to collect certain Data; and (iii) Adtelligent (and its Demand Partners) may process the Data for the purposes set forth in the Agreement and for any other purposes described in the Privacy Statement (“Permitted Purposes”).
3.2 Relationship of the parties
The parties acknowledge that to the extent the Data is Personal Data, each party shall process such Data as a Controller and, in the case of Adtelligent, only for the Permitted Purposes.
3.3 Requesting Consent
Neither Adtelligent nor its Demand Partners have any direct relationship with any data subject visiting the Publisher Properties or viewing ads delivered to the Publisher Properties via the Adtelligent Services. Accordingly, in each case where consent is the lawful basis for processing Personal Data and/or is required for the use of Tracking Technologies pursuant to the Privacy Requirements, Publisher agrees that it shall be responsible for obtaining all necessary consents from the relevant data subjects on behalf of Adtelligent and the applicable Demand Partners, so as to lawfully permit Adtelligent and all applicable Demand Partners to: (i) collect, process and share Data via the Adtelligent Services for the Permitted Purposes; and (ii) use Tracking Technologies in order to collect Data in connection with the performance of the Adtelligent Services. Publisher represents and warrants that it shall at all times maintain and keep operational on the Publisher Properties a mechanism for obtaining and recording such consent, and for enabling such consent to be withdrawn, in accordance with the applicable Privacy Requirements. Adtelligent is registered with and supports the IAB Transparency and Consent Framework (TCF v2.0).
3.4 Notice Requirements
Publisher agrees that it is responsible for ensuring that all data subjects are appropriately notified about the data collection and use practices taking place on the Publisher Properties via the Adtelligent Services. Publisher represents and warrants that it shall conspicuously post, maintain and abide by a publicly accessible privacy notice within all Publisher Properties from which the Data is collected that satisfies the requirements of the Privacy Requirements and the Agreement (including this Addendum). Without prejudice to the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by Adtelligent and its Demand Partners and the purposes of processing thereof, including for delivering ads across the Publisher Properties over time; (iii) a description of the categories of individuals who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Data; (v) a link to or description of how to access a relevant choice mechanism; and/or (vi) any other information required to comply with the information and transparency requirements of the applicable Privacy Requirements. The Privacy Statement, which explains the Data Adtelligent collects and how the Adtelligent Services use it, may assist Publisher in complying with its notification obligations under this Addendum.
3.5 Prohibited Data Sharing
Publisher shall not include or launch any of the Adtelligent Services on any Publisher Property that is directed at, or likely to be accessed by, any data subject who is deemed a child under the applicable Privacy Requirements of the country in which the child resides. Publisher shall inform Adtelligent in writing before launching any of the Adtelligent Services on any such Publisher Property, and shall not pass to Adtelligent or its Demand Partners any Personal Data of a data subject who is deemed a child under applicable European Data Protection Law.
3.6 Noncompliance
If Publisher is unable to comply with its consent and notice obligations under the Agreement (including this Addendum) in respect of the Data on any of its Publisher Properties, Publisher shall promptly notify Adtelligent, and the Publisher Property in question will be removed from the Adtelligent Services.
3.7 Co-operation and Data Subject Rights
The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under European Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (“Correspondence”). Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this Addendum, the parties agree to exchange information to ascertain the cause of such non-compliance and to take reasonable steps to remediate it.
4. DATA TRANSFERS
4.1 Standard Contractual Clauses
Subject to clause 4.2 hereof, the parties agree that when the transfer of Personal Data from Publisher (as exporter) to Adtelligent (as importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this Addendum, as follows:
(a) in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this Addendum; and (vi) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this Addendum;
(b) in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2 (Mandatory Clauses) of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this Addendum, and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
(c) in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used, and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and the “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
4.2 Adequacy Mechanisms
The terms of the Standard Contractual Clauses will not apply where and to the extent Adtelligent (as data importer) and the applicable transfer of Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in the jurisdictions subject to European Data Protection Law), including any EU-U.S. cross-border data transfer program which supersedes the Privacy Shield (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, Adtelligent shall process the Personal Data in compliance with the Adequacy Mechanism, and the Standard Contractual Clauses shall not apply.
4.3 Alternative Transfer Mechanisms
The parties agree that if European Data Protection Law no longer allows the lawful transfer of Personal Data under the Standard Contractual Clauses, and/or a relevant regulator or court of competent jurisdiction requires the parties to adopt additional measures (“Additional Measures”) or an alternative data export solution (“Alternative Transfer Mechanism”) to enable the lawful transfer of Data outside of Europe, and such requirements are not satisfied by an Adequacy Mechanism in line with clause 4.2 above (if applicable), both parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which Data is transferred).
4.4 It is not the intent of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement, including this Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict.
5. MISCELLANEOUS PROVISIONS
5.1 Contact
Publisher shall notify Adtelligent of an individual within its organisation authorised to respond from time to time to inquiries regarding the Data, and shall deal with such inquiries promptly. The individual within Adtelligent authorised to respond from time to time to inquiries regarding the Data, who shall deal with such inquiries promptly, can be contacted at legal@adtelligent.com.
5.2 Changes in Law
In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the Adtelligent Services, the means by which the Adtelligent Services are provided or used and/or terms and conditions of this Addendum, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior notice (including by email or via Publisher account on the Adtelligent Platform) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause material harm to any party (which includes for the avoidance of doubt, causing a party to be in breach of European Data Protection Law) or materially alter any party’s provision or use (as applicable) of the Adtelligent Services, such party may terminate the Agreement for the affected Adtelligent Services upon written notice without liability for such termination.
5.3 Indemnity
Publisher shall indemnify Adtelligent against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Adtelligent arising out of or in connection with the breach of the Privacy Requirements by the Publisher, its employees or agents, provided that Adtelligent gives the Publisher prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
5.4 Security
Both parties shall implement appropriate technical and organisational measures to protect the copy of the Data in their possession or control (i) against accidental or unlawful destruction, and (ii) against loss, alteration, unauthorised disclosure of, or access to, the Data.
5.5 General
With effect from the Effective Date, this Addendum is part of, and incorporated into, the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement, Adtelligent may continue to process the Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognised electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.
ANNEX A
Description of the Transfer
1. List of Parties
Controller / Data exporter:
Name: See Agreement
Address: See Agreement
Contact person’s name, position and contact details: See Agreement
Activities relevant to the data transferred under these Clauses: See the Description of Data Transfer
Signature and date: See Agreement
Role (controller/processor): Controller
Controller / Data importer:
Name: Adtelligent, Inc.
Address: 16192 Coastal Hwy, City of Lewes, County of Sussex, 19958, DE, USA
Contact person’s name, position and contact details: DPO, contactable at legal@adtelligent.com
Activities relevant to the data transferred under these Clauses: See the Description of Data Transfer
Signature and date: See Agreement
Role (controller/processor): Controller
2. Description of Data Transfer
Defined terms are as set out in the Data Processing Addendum agreed between the parties.
Categories of data subjects: End users of the Publisher Properties or end users viewing ads delivered to the Publisher Properties; Publisher employees and other personnel authorised to use the Adtelligent Services.
Categories of personal data: End Users: identifiers (cookie and mobile advertising identifiers such as IDFA, ADID, GPID, etc.); IP address; data that could be used for fingerprinting; latitude and longitude; demographic information (location, age range, gender, other Publisher-specified demographics, tied to an identifier); user agent and similar device information; behavioural data (frequency with which identifiers visit and view the Publisher Properties, and view and take actions with respect to advertising). Publisher Personnel: contact details (name, email, telephone) and professional details (role).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): End Users: continuous. Publisher Personnel: only where required to facilitate communication between the parties.
Nature of the processing: Receipt, storage, use and processing for the purpose of providing the Adtelligent Services and managing the business relationship.
Purpose(s) of the data transfer and further processing: End Users: for the Permitted Purposes (as defined in this Addendum). Publisher Personnel: for business relationship and account management purposes.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For as long as necessary for the provision of the Adtelligent Services.
3. Competent Supervisory Authority
The competent supervisory authority will be (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”); and (iii) for Personal Data protected by UK Privacy Law, the Information Commissioner’s Office (the “ICO”).
ANNEX B
Technical and Organisational Measures
Version 1.5 as of June 24, 2022
1. Confidentiality
1.1. Physical Access Control
Procedures applied:
- Establishment of secure areas
- Securing of access paths
- Determination of access authorisations for employees of the company and for external parties (maintenance staff, visitors, etc.)
- Authentication of persons with access authorisation
- Monitoring of access
Measures for physical access control:
a) Definition/classification of security zones
b) Implementation of protection against access:
- Fences
- Identity checks by the gatekeeper/reception
- A security fence surrounds the entire land area/building, with a permanently staffed perimeter guard house
- Video surveillance
- Biometric access control
- Mandatory access authentication (via key, chip card, etc.) for all persons
- Securing of all building shafts
- Use of electronic physical access control
c) Securing of zones/rooms by means of safety glass
d) Determination of individuals with authorised access by means of roles and groups
e) Administration and documentation of personal physical access authorisations by means of organisational regulations regarding system access authorisations for the business area
f) Accompanying of visitors and external personnel:
- Monitoring of visitors (accompaniment, visitor ID, signing in)
- Regulations regarding cleaning staff (careful selection, cleaning during office hours, requiring data secrecy, signing in, etc.)
- Careful selection of security staff
- Regulations regarding maintenance personnel (accompaniment, prior registration, proof of identity, signing in, etc.)
g) Monitoring of the zones/rooms outside of office hours by means of:
- Video surveillance
- Alarm system (connected to police/fire department/external security firm/central office/gatekeeper)
1.2. System Access Control
Procedures applied:
- Determination of access authorisations for employees of the company
- Authentication of persons with access authorisation
- Monitoring of access
- Control of access to PC workstations and mobile computers such as laptops
Measures for system access control:
a) Protection of access to all data processing systems by means of user authentication
b) Boot and login passwords on desktops and notebooks
c) Wi-Fi security control with a password policy for Wi-Fi passwords (min. 20 characters; upper-case and lower-case letters, numbers and non-alphanumeric characters, etc.)
d) Login credentials are managed within a password manager
e) Strong authentication for the highest protection level, using mechanisms that require both possession and knowledge (two factors) for authentication
f) Simple authentication (user name/password) for the high protection level:
- Requirements for passwords (such as at least 8 characters, at least 1 upper-case letter, at least 1 number)
- Expiration of the password (after 90 days)
g) Authentication data is transmitted solely in encrypted form (Active Directory)
h) Blocking of access in the case of failed attempts/inactivity, and procedure for resetting blocked access identifiers:
- Secure procedure for resetting blocked access
- Blocking of a user’s access after long periods of inactivity
i) Determination of authorised persons:
- Existence of role concepts (predefined user profiles)
- Access rights are always assigned individually (personally)
- The circle of authorised persons is reduced to the minimum number required for operation of the company
- Individual authorisations are reviewed regularly to assess whether they are still necessary
j) Administration and documentation of personal means of authentication and access authorisations:
- A process for the application, approval, allocation and resetting of means of authentication and access is established, documented and in use
- A responsible person is named for the allocation of access authorisations
- Absence substitution rules
k) Measures at the user’s workplace:
- After more than 15 (fifteen) minutes of inactivity at the workstation or terminal, the password-protected screen saver is activated automatically by means of the operating system’s own mechanisms
- Employees lock workstations and terminals against unauthorised use during temporary absence from the workstation
1.3. Data Access Control
Procedures applied
- Determination of the data access and usage authorisations enabling access to data by individuals via automated devices
- Determination of the data access authorisations enabling access to data via automated devices for the data areas
- Authentication of the individuals authorised to access and use the data
- Implementation of data access control
- Implementation of a use control for data processing systems
Measures for data access control:
a) Existence of regulations and procedures governing the creation, alteration and erasure of authorisation profiles or user roles
b) Use of passwords and defined password rules
c) Authorised individuals can only access data that is established in their individual authorisation profiles
d) Limitation of the scope of authorisations to the absolute minimum necessary for the performance of the relevant tasks or functions (in terms of logistics, timeframes, etc.)
e) Administration and documentation of personal data access authorisations:
- A process for the application, approval, allocation and resetting of means of authorisation and access is established, documented and in use
- Authorisations are tied to a personal user identifier and to an account
- If the foundation for an authorisation ceases to apply (e.g. due to a change in function), the authorisation is withdrawn immediately
- The process is documented and the documentation retained for 12 months (Admin zone & Member zone)
f) Suitable measures have been implemented to prevent any single person being assigned a combination of roles or access rights that would give him or her an excessive degree of power
g) All transactions in which data are read, entered, changed or deleted are logged (user identifiers, transaction details) and archived in an audit-proof form for at least 6 months
h) Secure storage of data media
1.4. Data Separation Control
Procedures applied
- Monitoring for compliance with regulations and measures
- Verification and permanent adjustment of the effectiveness of regulations and measures
- Determination of a data protection officer
Measures for data separation control
a) Implementation and documentation of the separation of functions
b) Availability of guidelines and operating instructions
c) Availability of procedural documentation
d) Implementation of regulations governing programming
e) Regulations governing system and program reviews
f) Technical and organisational regulations and measures for ensuring separate processing
g) Technical and organisational regulations and measures for the separate storage of data and/or data media with different contractual purposes
h) Implementation of a coordination and control system
1.5. Pseudonymisation
Procedures applied
- Assessing whether the specific data processing can also take place without direct reference to individual persons.
- Assessing which options for pseudonymisation are available.
Measures for pseudonymisation
a) Pseudonymized user ID
b) Separate pseudonymized data storage
2. Integrity
2.1. Transfer Control
Procedures applied
- Specification of the bodies to which data may be forwarded by using data transfer facilities.
- Documentation in such a manner as to render possible the identification of any ‘third parties’
- Specification of the parties authorised to transmit or transport the data
- Specification of areas in which data media may be located
- Securing of areas in which data media are located
- Authentication of persons and companies authorised to transport the data
Measures for transfer control
a) Encryption of data transmitted between clients and servers
b) A regulation is in place for the preparation of copies
c) Back-end transmissions
- Connection to the back-end systems is protected
- Connections between back-end systems are protected
- Data requiring a high level of protection are encrypted
- Data leaving the protected area (e.g. a data centre) is encrypted
d) Secure storage of data
- Data are encrypted and stored in a database of reliable processors
- Data are also encrypted and stored in a backup
e) Regulations governing consignments
- There are packaging and forwarding instructions for the transportation of personal data by way of data storage devices
- It is mandatory to encrypt personal data before it is transferred
f) Procedure for collection and disposal
- The destruction of data storage devices is regulated to take place in a manner that conforms with data protection and is to be recorded
- The destruction of documents is regulated to take place in a manner that conforms with data protection and is to be recorded and stored for 9 (nine) months
g) Procedure for erasure/destruction of data in accordance with data protection legislation
h) Systems can only be accessed from outside of the company network by means of secured VPN access.
2.2. Input Control
Procedure applied
Documentation of the data entry process, with the possibility of subsequently verifying the data entries made
Measures for input control
a) Traceability of any entering, altering and erasure of data through the use of individual user names (not user groups)
3. Availability and resilience
Procedures applied
- Development of a concept of back-up policy
- Development of a disaster recovery plan
- Development of a concept to counteract overloading and external attacks
Measures for availability and resilience
a) Back-up concept
- There is a backup concept
- Backups occur daily
- Regular checks are carried out to verify that it is possible to restore the backup
b) There is a disaster recovery plan in place which lists and defines the steps to be initiated and the individuals (particularly on the side of the client) who are to be notified of the incident.
c) Storage of data back-ups in fire- and waterproof data security cabinets by reliable processors
d) Regular checking of the condition and labelling of data media used for data back-ups
e) Availability and regular testing of emergency generators and overvoltage protection devices
f) Permanent monitoring of operational parameters
g) Devices for monitoring the temperature and humidity in server rooms held by reliable processors
h) Fire and smoke alarms
i) Alarms signalling any unauthorised access to server rooms
4. Process for regularly testing, assessing and evaluating
4.1. Privacy Management
Procedures applied
- Development of a concept for regular verification of the technical and organisational measures
- Determining an evaluation schedule
- Definition of the required human and organisational responsibilities
Measures for testing, assessing and evaluation
a) Selecting a data protection officer
b) Determining auditing schedules and procedures
c) Monitoring execution
d) Evaluating the findings
e) If necessary, adjusting the TOMs
4.2. Incident Response Management
Procedures applied
- Determining a concept for providing incident response management
- Determining an incident response plan
- Determining an incident response team
Measures for incident response management
a) Determining possible cases of data breaches
b) Describing the process that is to take place in case of a data breach
c) Describing the responsibilities
4.3. Data protection-oriented default settings
Procedure
- Determining which data are strictly necessary
- Determining measures for reducing unnecessary data