LAST UPDATED 21st March, 2023
Kiosked Data Processing Policy (this document) is a policy and an agreement between Kiosked (“the Processor”), and a publisher (“the Controller”) using Kiosked’s monetization services. This document outlines Kiosked’s standard procedures regarding data processing.
The Processor: Kiosked Information Systems Ltd, a limited liability company incorporated and existing under the laws of Ireland with registration number 496096 (“the Processor”); and,
The Controller: the signatory Publisher defined in the signature section of Kiosked Publisher Agreement (‘the Controller’);
hereinafter collectively referred to as ‘Parties’ and individually ‘Party',
having regard to the fact that,
2.1 Data subjects of this DPP are the individuals who visit a web page run by the Controller and on which the Processor helps to display online advertising through ad mediation logic.
2.2 The Processor receives and processes, together with its sub-processors such as hosting partners and advertising networks, necessary personal data of the data subject, in order to be able to execute ad mediation. This data falls roughly into two categories: “HTTP header data” and “clickstream data”. The former may include in-formation about browsers and devices of users, device identifiers, cookie information and the IP address from which the device accesses the service. The latter refers to the information that the data subject leaves behind while visiting a website and which is stored as a form of log files. No sensitive personal data, as defined by privacy laws such as the GDPR, CCPA, or VCDPA, will be collected or processed by the Processor. In some cases, advertising networks may become controllers for some personal data when they increase the efficiency of advertising.
3.1 Both Parties shall comply with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR, CCPA and VCDPA.
3.2 The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Policy and any applicable laws and regulations.
3.3 The Processor’s obligations arising under the terms of this Data Processing Policy apply also to whomever processes personal data under the Processor’s instructions.
4.1 The Processor may process the personal data in countries outside the European Union. In addition, the Processor may also transfer the personal data to a country outside the European Union provided that such country guarantees an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Policy and any applicable laws and regulations.
5.1 The Processor shall only be responsible for processing the personal data under this Data Processing Policy, in accordance with the Agreement, and under the (ultimate) responsibility of the Controller.
5.2 Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Policy.
6.1 The Processor is authorized within the framework of the Policy to engage and share the necessary data with third parties such as various advertising partners (such as demand-side-platforms and other demand-side partners) and store log data for troubleshooting purposes, without the prior approval of the Controller being required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged.
6.2 The Processor shall use reasonable effort to ensure that such third parties will be obliged to comply with the provisions of this Policy and applicable laws and regulations such as the GDPR, CCPA and VCDPA.
7.1 In the event of a personal data breach, the processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the personal data breach. The Processor will endeavour to ensure that the furnished information is complete, correct and accurate.
7.2 If and when required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
7.3 The duty to report includes, in any event, the duty to report the fact that a leak has occurred, including details regarding:
• the (suspected) cause of the personal data breach;
• the (currently known and/or anticipated) consequences thereof;
• the (proposed) solution;
• the measures that have already been taken.
8.1 The Processor will maintain appropriate technical and organizational measures to protect personal data, considering: the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data transmitted, stored or otherwise processed.
8.2 The Processor does not guarantee that the security measures are effective under all circumstances.
Where a Data subject submits a lawful request to the Processor to inspect, or to improve, add to, change or protect their personal data, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.
10.1 All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Policy is subject to a duty of confidentiality vis-à-vis third parties.
10.2 This duty of confidentiality will not apply in the event that the Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Data Processing Policy, or if there is a legal obligation to make the information available to a third party.
11.1 In order to confirm compliance with this Data Processing Policy, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
11.2 The audit may be undertaken no earlier than two weeks after the Controller has provided written notice to the Processor.
11.3 The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
11.4 The costs of the audit will be borne by the Controller.
12.1 This Data Processing Policy is entered into for the duration set out in the Kiosked Publisher Agreement, and in the absence thereof, for the duration of the cooperation between the Parties. Personal data will be processed by the Processor for the duration of the Agreement and unless a longer period is agreed between the parties in the Agreement e.g. for storage service or in order to transfer the personal data to third parties. The Controller can always require the Processor to stop processing personal data.
12.2 The Parties shall provide their full cooperation in amending and adjusting this Data Processing Policy in the event of new privacy legislation.
13.2 In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
13.3 Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.