YANDEX.METRICA DATA PROCESSING AGREEMENT (DPA)
Agreement on Contracted Data Processing for customers by and between Intertech Services AG- Werftestrasse 4, 6005 Luzern, Switzerland (“Yandex”)
By using opt-in check-box you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland or United Kingdom, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, (General Data Protection Regulation; hereinafter – "GDPR") or data protection laws of Switzerland or United Kingdom. You further agree that if the aforementioned is not the case, this DPA between you and Yandex shall be void.
This DPA enters into force on 25 May 2018 if you have agreed to the DPA prior to or on such date, or on the date on which you agreed to the DPA, if such date is after 25 May 2018.
This DPA is an addition to the Terms of Use of Yandex.Metrica (https://yandex.com/legal/metrica_termsofuse) In the event of a contradiction between these clauses and the Terms of Use of Yandex.Metrica, the terms and conditions under this DPA shall prevail.
1. DEFINITIONS
“Customer Data” shall mean any kind of data provided by or in connection with the customer. Customer Data can possibly contain personal data.
“Personal Customer Data” shall mean any kind of Customer Data which is personal data and which is processed by Yandex as part of the DPA. "Instruction" shall mean all documented instructions you give to Yandex and that request Yandex to carry out a certain action in connection with Personal Customer Data.
“IP Anonymization” shall mean the functionality by means of which you can instruct Yandex to delete the last octet of the IP addresses of your website of mobile app users.
“Personal Data”, "Processing”, “Data Controller”, “Processor” shall have the meaning as defined in GDPR.
2. GENERAL
2.1 Subject matter of the Agreement: Yandex shall provide you with the service as described in this DPA and the Terms of Use of Yandex.Metrica and shall process Customer Data as part of the performance of services pursuant to this DPA and the Terms of Use of Yandex.Metrica.
2.2 Subject matter, nature and purpose of the Data Processing: The service shall serve the purpose of analysing the use of your website or mobile app by its users. For this purpose, Yandex will collect Customer Data concerning technical properties and the activities of your website or mobile app users on the basis of page views or mobile app use. Customer Data will be evaluated by the Processing software to create reports including, among other things, information on the time spent on the website or in the mobile app, approximate geographical origin, origin of the user traffic, exit pages and a course of use.
2.3 Group of affected persons: users of your website or mobile app.
2.4 Type of data: data about the device, including the version of its operating system and location; anonymized IP address, advertising identifiers GAID (for Android) and IDFA (for iOS), information about user behavior in the your mobile application/ website, other data provided by you on your initiative to Yandex.
2.5 Duration and data deletion: The duration of the Processing is described in the Terms of Use of Yandex.Metrica. This DPA is valid until you stop using the service using the delete function in the service interface as stated under: https://yandex.com/support/metrica/general/my-counters.html#delete-counter. The rights, benefits and obligations of this DPA shall commence with the initiation of the service and shall terminate with termination of the agreed services under the Terms of Use of Yandex.Metrica.
2.6 With respect to the Processing of Personal Customer Data as part of this DPA, you are the Controller (or Processor) and Yandex is the Processor (or sub-Processsor) within the meaning of GDPR. You are responsible for the compliance with GDPR.
2.7 Yandex can perform the contractually agreed Processing of Personal Customer Data by Subcontractors for which Yandex ensures a reasonable level of protection of Personal Data including through the conclusion of standard contractual clauses adopted by the Commission of the European Union.
2.8 Yandex will Process Personal Customer Data on your behalf and on your Instructions as follows: (a) insofar as required with respect to the scope and type for the purpose of providing the services and for meeting the obligations from this DPA or Terms of Use of Yandex.Metrica, (b) pursuant to your following Instructions, (c) insofar as required by Union or Member State Law.
3. YOUR RIGHTS AND OBLIGATIONS AND THE SCOPE OF THE AUTHORITY TO GIVE INSTRUCTIONS
3.1 You shall be responsible for the permissibility of the Processing of Personal Customer Data as well as the protection of the rights of the data subject.
3.2 You can give Instructions obligating Yandex to perform a certain action with respect to the Personal Customer Data. You will be able to give such Instructions through the user interface of the service. This particularly includes the functionality of the IP Anonymization by means of which you instruct Yandex to delete the last octet of the IP addresses of your website users or mobile app users. In case an Instruction is not possible through the user interface of Yandex.Metrica service and exceeds the Instructions agreed upon in the DPA ("Individual Instruction"), Yandex will notify you of the costs incurring for the performance of the Individual Instruction. Insofar as you will maintain the Instruction after such notification, you shall reimburse the costs related to such performance to Yandex. Yandex shall immediately inform you if, an Instruction infringes the GDPR or other Union or Member State data protection provisions and may raise an objection against the Individual Instruction within 30 days of the receipt ("Objection") when Yandex has reasonable doubts on the lawfulness of the instruction (e.g. on consistency with the applicable data protection law). The Objection has the effect that Yandex does not have to execute the respective Individual Instruction. In such case, you are entitled to extraordinarily and without notice terminate the DPA in accordance with the provisions of the DPA.
3.3 You declare that you exclusively Process Personal Customer Data (if existing) for the purpose of tracking of a course the users use your website or mobile app and to create reports on the website activity.
4. OBLIGATIONS OF YANDEX
4.1 Deletion, correction and blocking of data, deletion after termination of the order: After your Instruction Yandex shall anonymize Personal Customer Data including by erasing the last octet of the IP-addresses of the users of your website or mobile app. This obliteration shall be completed before further analysing the IP-addresses as a part of the services.
4.2 At your choice, Yandex shall delete or return all Personal Customer Data to you based on your instruction, and latest after the end of the provision of services relating to Processing, and deletes existing copies unless Union or Member State law requires a continued storage of the Personal Customer Data.
4.3 Technical and organizational measures: Yandex shall implement all technical and organizational security measures as required under Art. 32 GDPR. As a part of the DPA you shall not provide Yandex with data carriers for data storage.
4.4 Yandex may (a) develop the technical and organizational measures as at its sole dutiful discretion and in accordance with the technical process to raise security, provided that the standard as required under Art. 32 GDPR is met, and that (b) copies of Customer Data, in particular backup copies, aggregated data and cached copies are required after the completed IP Anonymization to provide the service. Yandex is permitted to implement other appropriate measures. By doing so, the security level in total must not fall below the security level of the measures determined. Yandex will document significant changes.
4.5 Data confidentiality: Yandex shall only entrust personnel with the Processing of Personal Customer Data, which has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.6 Other obligations: In addition to the general compliance with the provisions under this DPA, Yandex has the following obligations:
- Appointment – insofar as provided by the law – of a data protection official.
- Performance of order control via regular reviews by Yandex with respect to the performance and/or execution of the DPA, in particular the compliance with and, if necessary, realising of required adaption of regulations and measures for the performance of the order.
4.7 Yandex shall immediately inform you of any relevant violations of any data protection regulations or the provisions determined in this DPA by Yandex or any person working for Yandex insofar as the violation is connected to the Processing of Personal Customer Data pursuant to this DPA.
4.8 Assistance: Taking into account the nature of the Processing, Yandex shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. Yandex shall assist you in ensuring compliance with the obligations pursuant to Art. 32 through 36 GDPR taking into account the nature of Processing and the information available to Yandex.
5. CONTROL RIGHTS AND REVIEW OF TECHNICAL AND ORGANIZATIONAL MEASURES
5.1.Yandex shall make available to you all information necessary to demonstrate compliance with the obligations laid down by the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. The following requirements apply to any audit: (i) you must give a minimum thirty (30) days’ notice of your intention to audit; (ii) you may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with Yandex of a scope of work for the audit at least ten (10) days in advance; (iv) Yandex may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to you; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Yandex prior to the audit; and (viii) You shall compensate Yandex for its reasonable costs (including for the time of its personnel, other than your relationship manager) incurred in supporting any audit.
6. SUBCONTRACTOR
6.1 Subject to the following provisions, Yandex may not commission third parties with the Processing of Personal Customer Data without your consent ("Order Data Sub-Processor") except as provided in clause 6.2.
6.2 Yandex may contract a subcontractor for the data Processing if the subcontractor is an affiliated enterprise ("Affiliated Order Data Sub-Processors") and if a data processing agreement pursuant to the requirements outlined in this paragraph are met. A legally separate enterprise that with respect to Yandex is a subsidiary and parent enterprise, controlled or controlling enterprise, member of a group, enterprises with cross-shareholdings, or party to an enterprise agreement shall constitute affiliated enterprises. A data Sub-Processor agreement requires that Yandex (a) ensures that the Affiliated Order Data Sub-Processors fulfil Yandex' duties and (b) assumes liability towards the customers for actions and/or absence of actions of the Affiliated Order Data Sub-Processors concerned as if these actions were taken by Yandex itself. In this context, affiliated subcontractors may also have their seat outside the area of Member States of the European Union or other parties to the Agreement on the European Economic Area, if Yandex enters into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this Agreement to any such sub-processor.
6.3 If the Order Data Sub-Processor provides the agreed performances outside the area of Member States of the European Union or other parties to the agreement on the European Economic Area, Yandex shall enter into appropriate guarantees as required by Art. 46 GDPR and passes down its own Processing obligations under this DPA to any such sub-processor.
6.4 Where Yandex engages Data Sub-Processor for carrying out specific processing activities on behalf of you, the same data protection obligations as set out in such contract shall be imposed by Yandex on that Data Sub-Processer by way of a Data Sub-Processor agreement, which in particular provides for sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where Order Data Sub-Processor fails to fulfil its data protection obligations, Yandex shall remain fully liable to you for the performance of Order Data Sub-Processor’s obligations.
6.5 Insofar as companies providing ancillary performances for Yandex in connection with the provision of services do not constitute Order Data Sub-Processors, Yandex will make reasonable efforts to establish an adequate contractual protection vis-à-vis such providers of ancillary performances in regard to the data security. In general, this applies to the provision of lines for telecommunication, electricity, cooling, maintenance, cleaning, review or rental of real estate. Section 6.4. shall apply accordingly.
7. STANDARD CONTRACTUAL CLAUSES
7.1. If you are located in a country that does not provide an adequate level of data protection under the GDPR and/or data protection laws of Switzerland or United Kingdom, transfer of Personal Customer Data from Yandex to you is governed by this section.
You and Yandex (hereinafter – Parties) hereby conclude the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) (module four) (“SCC”).
7.2. The Parties agree to include Clause 7 (docking clause) in the SCC.
7.3. For the purposes of Clause 17 of the SCC, the Parties choose the option 1 and specify it as follows:
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.
7.4. The Parties agree to specify Clause 18(b) of the SCC as follows:
Any dispute arising from these Clauses shall be resolved by the courts of Switzerland.
7.5. The term ’member state’ used in the SCC is not interpreted by the Parties in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCC.
7.6. The Parties agree that the SCC also protect the data of legal entities until the entry into force of the revised FADP.
7.7. Annex I is attached to this DPA.
8. CHANGES TO DPA
Yandex has the right to amend this DPA from time to time and is obliged to notify you of any material changes to this DPA, unless the changes are necessary to comply with the requirements of applicable data protection legislation. Materiality of changes is determined at the discretion of Yandex.
Annex I
A. List of parties
Data exporter:
| 1. | Name: | Intertech Services AG |
| Address: | Werftestrasse 4, 6005 Luzern, Switzerland | |
| Contact person’s name, position and contact details: | Alfred Alexander De Cuba, Authorized representative, alexdecuba@yandex-team.ru | |
| Activities relevant to the data transferred under these Clauses: | Rendering of Yandex.Metriсa and/or AppMetrica services | |
| Signature and date: | N/A | |
| Role (controller/processor): | Processor |
| 1. | Name: | Intertech Services AG |
| Address: | Werftestrasse 4, 6005 Luzern, Switzerland | |
| Contact person’s name, position and contact details: | Alfred Alexander De Cuba, Authorized representative, alexdecuba@yandex-team.ru | |
| Activities relevant to the data transferred under these Clauses: | Rendering of Yandex.Metriсa and/or AppMetrica services | |
| Signature and date: | N/A | |
| Role (controller/processor): | Processor |
Data importer:
| 1. | Name: | The relevant party to the Terms of Use of Yandex.Metrica |
| Address: | N/A | |
| Contact person’s name, position and contact details: | N/A | |
| Activities relevant to the data transferred under these Clauses: | Rendering of Yandex.Metriсa and AppMetrica services | |
| Signature and date: | N/A | |
| Role (controller/processor): | Controller |
| 1. | Name: | The relevant party to the Terms of Use of Yandex.Metrica |
| Address: | N/A | |
| Contact person’s name, position and contact details: | N/A | |
| Activities relevant to the data transferred under these Clauses: | Rendering of Yandex.Metriсa and AppMetrica services | |
| Signature and date: | N/A | |
| Role (controller/processor): | Controller |
B. Description of transfer
Categories of data subjects whose personal data is transferred: Data importer’s end-users, whose data processed at the data importer’s discretion.
Categories of personal data transferred:
Personal data of end users: data about the device, including the version of its operating system and location; anonymized IP address, advertising identifiers GAID (for Android) and IDFA (for iOS), information about user behavior in the data importer’s mobile application/ website, other data provided by the data importer or on its initiative to exporter.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): The data is transferred on a continuous basis.
Nature of the processing: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.
Purpose(s) of the data transfer and further processing: The data exporter transfer personal data to data importer for the purpose of provision of the Yandex.Metriсa and/or AppMetrica services in accordance with Terms of Use of Yandex.Metrica.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The period of provision of the Yandex.Metriсa and/or AppMetrica services to data importer plus the time for the deletion of personal data according to the applicable legislation.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Data exporter makes all the operations required to render Yandex.Metriсa and/or AppMetrica services to data importer. The data importer processes the personal data until the DPA and Terms of Use of Yandex.Metrica is valid and until the processing is required to render Yandex.Metriсa and/or AppMetrica services.