Last Modified: 21.05.18

This Data Processing Agreement (“DPA“) is hereby entered by and between Hoopla Digital Ltd. (“Company” or “Hoopla Digital”) and the Agency and/or Advertiser (“Advertiser”) which forms an integral part of the binding Standard Terms and Conditions signed between the parties (“Standard Terms and Conditions” or “Terms and Conditions”). Each a “party” and collectively, the “parties“. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions.


This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Terms and Conditions, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.


Each party shall Process Personal Data in compliance with applicable Data Protection Law. Without derogating from the general or specific terms herein, the Advertiser hereby warrants and confirms that as of May 25, 2018 it will be compliant with EU Data Protection Law. This DPA is entered into and becomes a binding part of the Standard Terms and Conditions upon Advertisers’ signature on the Insertion Order and in no event, no later than 25th May 2018.


1.1. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.

1.2. “Controller“, “Processor“, “Data Subject“, “Personal Data“, “Processing” (and “Process“), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.

1.3. “Company Data” means data collected and shared with the Advertiser subject to the Terms and Conditions / Advertiser Agreement and for the purpose of providing the service, including without limitations, IDs.

1.4. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.

1.5. “ID” means online identifiers such as IPs, Cookie IDs and Advertising IDs (AAID and IDFA).

1.6. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.



The parties agree and acknowledge that under the performance of their obligations set forth in the Standard Terms and Conditions, and with respect to the Processing of Personal Data, the Company is the Data Controller and the Advertiser is the Data Processor on behalf of Company. Each party shall be individually and separately responsible for complying with the obligations that apply to it subject to the Data Protection Law. The subject-matter and duration of the Processing carried out by the Advertiser, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are all as described in Annex A.



The Advertiser is responsible for and shall comply with applicable Data Protection Law with regards to the Processing of Personal Data and agrees that it shall:

3.1. Only act on the written instructions of the controller (unless required by law to act without such instructions)

3.2. Treat all Company Data processed by it on behalf of the Company as confidential and ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Subject to Company’s sole disclosure, delete all the Company Data following the completion of the Processing, and delete existing copies unless applicable laws requires storage of such.

3.4. Provide the Company with reasonable resources and assistance as are required by the Company pursuant to Articles 32 to 36 of the GDPR.

3.5. Not access or transfer outside the EEA any Personal Data without the prior written consent of the Company.

3.6. Make available to the Company at its request all information necessary to demonstrate compliance with the obligations herein and under Article 28 of the GDPR, including without limitation, provide the Company with a written description of the technical and organisational methods employed by Advertiser and its Sub- Processors (if any) for the Processing of Personal Data.



The Advertiser will notify the Company without undue delay, and, in any event within forty-eight (48) hours, upon becoming aware that an actual Security Incident has occurred. The Advertiser will, immediately provide the Company with reasonably needed information with respect to the Security Incident, such as: a description of the cause and nature of the Security Incident, the measures being taken to contain, investigate and remediate the Security Incident, the likely consequences and risks for the Company and its Data Subjects as a result of the Security Incident. Notwithstanding the above, the Advertiser shall (i) immediately and without delay, take necessary steps to contain, remediate, and minimise any effects of the Security Incident and to identify its cause; (ii) cooperate with the Company and provide the Company with applicable assistance; and (iii) immediately notify the Company in writing of any inspection, audit or investigation by a Supervisory Authority.



The Company has implemented appropriate technical and organisational measures to protect the Personal Data as detailed here. The Advertiser shall implement and maintain the technical and organisational measures and take all other measures required pursuant to Article 32 of the GDPR including all organisational and technical security measures necessary to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of Company Data, and in any event, with respect to the Company Data the security measures implemented are at least as strict as the Company’s.



The Advertiser may engage with Sub-Processors as notified in writing to Company prior to this DPA. In the event the Advertiser requires to engage with additional or replace an existing Sub-Processor to process Personal Data, it shall notify the Company in writing of any intended use or replacement of a Sub-Processor within thirty (30) days of the engagement or replacement, in

which the Company reserves the right to disapprove. The Advertiser shall only use a Sub-Processor that has provided sufficient guarantees to implement appropriate technical and organisational as set forth in this DPA and applicable laws. Further, the Advertiser shall impose, through a legally binding agreement with the Sub-Processor, the same data protection obligations as set out in this DPA. Advertiser shall remain fully liable to the Company for the performance of the Sub-Processor’s obligations.



Upon reasonable request of the Company, the Advertiser will submit its data processing files and documentation as reasonably needed by the Company for the purpose of auditing or inspecting the Advertiser to ensure compliance with this DPA (“Audit”). The Audit will be conducted (i) by the Company or any independent or impartial inspection agents or auditors agreed between the parties; and (ii) by providing reasonable notice and during regular business hours. The request will be subject to the extent permitted under applicable law.


The Advertiser shall defend, indemnify and hold the Company harmless on demand from and against any and all actual or alleged claims and damages incurred by the Advertiser as a result of Advertiser’s (including without limitation any Sub-Processors) unauthorised or unlawful Processing, or accidental loss, disclosure, destruction or damage to any of the Company Data. The Advertiser shall be liable for and shall indemnify the Company from and against all damages which the Company may suffer consequent upon any breach of applicable Data Protection Law.



In the event of a conflict between the terms and conditions of this DPA and the Standard Terms and Conditions, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Standard Terms and Conditions shall remain in full force and effect.







Subject Matter: Processing carried out for the purpose of providing the services as detailed in the Standard Terms and Conditions and specifically for the purpose of placing advertisement

Categories of data: The Personal Data of the Data Subjects in the EEA.

Types of Personal Data: IDs.

Special categories of data: N/A

Duration: Solely for the purpose of providing the service and shall be deleted by Advertiser thereafter.