General Conditions for Privacy and Personal Data Protection

These General Conditions for Privacy and Personal Data Protection Policy shall apply to the processing of personal data by the Partner acting on its own behalf and as Publisher and/or Advertiser for Naspek International S.A. (Harrenmedia). Partner’s provision of the Service to Harrenmedia entails the transmission and processing of data retrieved, sent and received by and from its partners (including Harrenmedia) and their Data Subjects, clients and other third parties. Such data may constitute Personal Data (as defined below). Therefore, the parties agree to comply with the following provisions.

1. Definitions.

1.1.“Data Protection Laws” means any applicable data protection or privacy laws or regulations as may be amended or superseded from time to time, including but not limited to: the EU General Data Protection Regulation (“GDPR”) as implemented by countries within the EEA and in the USA; and/or other laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the laws or regulations applicable to Partner in relation to the transmission and processing of Personal Data under or in relation to the Agreement.

1.2. “Controller”, “Data Subject”, “Personal Data”, “Processor” “Processes/Processing” shall each have the meanings given in the applicable Data Protection Laws.

1.3.“Partners Privacy Policy” means the privacy policy available at Harrenmedia’s official website.

1.4.“Service” means Partner and/or its Affiliates’ proprietary technology and/or services for enabling and optimizing publishers and/or advertisers' ability to sale and purchase advertising inventory on certain mobile applications and mobile/desktop websites, including via programmatic auction (if applicable) and any kind of mailings and all sorts of messaging.

1.5. “Data Subjects” means a human end-Data Subject accessing a mobile/web application/ website or receiving all sorts of mailings of any kind and all sorts of messaging.

2. Definitions.

3. Harrenmedia warrants that its Partners warranted to Harrenmedia that they have provided adequate notices to and obtained valid consents from Data Subjects (or their partners warranted them that they had done it), in each case, to the extent necessary for Partner to Process their Personal Data, including, without limitation for direct marketing activities and international transfers of Personal Data outside of the EEA. Harrenmedia will not knowingly, cause Partner to violate the Harrenmedia’s Privacy Policy or Data Protection Laws, in connection with Partner performing the Service under the Agreement.

4. Partner will Process Personal Data in accordance with the Harrenmedia’s Privacy Policy that shall be in compliance with Data Protection Laws of which Harrenmedia provide warranty herein.

5. Each party will limit access to Personal Data to those personnel who require such access only as necessary to fulfil such party’s obligation under the General Conditions for Privacy and Personal Data Protection Policy.

6. Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security.

7. Each Party will provide other Party with all necessary assistance in connection with communications from, or requests made by Data Subjects in relation to their rights under Data Protection Laws, and supervisory authorities, in each case as they relate to Data Subject Personal Data.

8. Each Party to the best extent possible will provide the other Party assistance in complying with the Data Protection Laws.

9. Clauses for Controller to Processor (Processor to Sub-Processor) relationships:

9.1 Obligations:

Between Partner and Harrenmedia as Controller (or Processor) is sharing Personal Data. Therefore, the Partner will comply with the requirements of the Data Protection Laws as a Processor (or Sub- Processor) and will be responsible for notifying of any Data breach whatsoever occur which influence execution of Agreement between the Parties.

9.1.1. Paragraphs 10.1.2 – 10.1.5 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.

9.1.2. Each party acknowledges that:

9.1.2.1. Processor shall only Process Personal Data for the following permitted purpose in relation to advertising campaigns:

(1) For fraud detection purposes including creating fraud reports to be shared with publishers and/or advertisers;

(2) For reporting purposes including reports to be shared with publishers and/or advertisers or for reporting to Controller;

(3) For determining performance of campaigns distributed through publisher’s and/or advertiser’s inventory or network and billing purposes.

9.1.2.2. The processing shall continue for the duration of Agreement between the publisher or advertiser and Harrenmedia.

9.1.2.3. The processing concerns: clicks, actions and impressions data, IP Address, device identifiers, http headers, publisher details (such as site ID, partner ID, advertiser and publisher name), campaign details (such as campaign ID, creative ID) and such other data sets.

9.1.3. The Processor shall:

9.1.3.1. Process the Personal Data only to the extent necessary for the purposes of the Agreement and otherwise in accordance with the documented instructions of the Controller;

9.1.3.2. Not process the Personal Data in any country outside the European Economic Area other than in accordance with the terms of the Model Contract Clauses. If the Processor is required by applicable laws to transfer the Personal Data outside of the European Economic Area, the Processor shall execute appropriate documentation as required under Data Protection Laws (unless the Processor is barred from making such notification under the relevant applicable law).

9.1.3.3. Ensure that all persons authorised by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;

9.1.3.4. Have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access;

9.1.3.5. Where the Processor does engage another Processor, substantially similar obligations to those set out in these General Conditions for Privacy and Personal Data Protection Policy shall be imposed by the Processor on the other Processor in a written contract;

9.1.3.6. Cease processing the Personal Data immediately upon the termination or expiry of Agreement or, if sooner, on cessation of the contractual activity to which it relates and, at the Controller’s election, delete or return all Personal Data to the Controller, and delete all existing copies unless applicable law requires their retention;

9.1.3.7. Processor shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.

9.1.3.8. If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same upon notification by Controller to honour any Data Subject’s request. Controller agrees to notify Processor of such requests immediately.

9.1.3.9. Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in these General Conditions for Privacy and Personal Data Protection Policy, and reasonably assist in audits, including inspections, conducted by the Controller or its representative to determine Processor’s compliance with its obligations hereunder. Processor shall have audit rights to determine Controller’s compliance with Data Protection Laws and Controller shall make available to the Processor all information reasonably necessary to demonstrate such compliance. Any audit will be conducted upon provision of reasonable notice and during regular working hours;

9.1.3.10. At the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorised or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and cooperate with the Controller in dealing with such incident and its consequences; and

9.1.4. Where the Processor intends to or replace other Sub- Processors, it shall first inform the Controller of the intended change, and shall implement appropriate data processing terms with such new Processors.

9.1.5. The Processor acknowledges that the Controller is under certain record keeping obligations under the Data Protection Laws, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.

9.2. MODEL CONTRACT CLAUSES:

The Model Contract Clauses require setting out more detail about what data is being transferred and why, as well as how the Processor must keep that data secure.

9.2.1. Description of Partner’s data Processing for Harrenmedia

9.2.1.1.Harrenmedia is the Data Controller (or Processor).

9.2.1.2. Partner is the Data Processor (or Sub-Processor).

9.2.1.3. The types of data being transferred are Personal Data, which does not include special categories of data.

9.2.1.4. Partner will be carrying out the tasks in relation to that data as set out in General Conditions for Privacy and Personal Data Protection Policy.

9.2.2. Description of Partner’s security measures

9.2.2.1. Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.

9.2.2.2. Monitoring of unauthorised access.

9.2.2.3. Written procedures for employees, contractors and visitors covering confidentiality and security of information.

9.2.2.4. Restricting access to systems depending on the sensitivity/criticality of such systems.

9.2.2.5. Use of password protection where such functionality is available.

9.2.2.6. Maintaining records of the access granted to which individuals.

9.2.2.7. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

9.2.2.8. Providing Anonymization (encryption, Pseudonymization) measures where applicable and required by Data Protection Laws.

9.2.3. Liability and Payment of Compensation

9.2.3.1. Without prejudice to the provisions of the Agreement, Harrenmedia shall defend, indemnify and hold Partner harmless and keep Partner indemnified, on demand from and against any and all damages incurred by Partner as a result of Harrenmedia’s and/or its employees or representatives unauthorised and/or unlawful data transfer or processing, or accidental loss, disclosure, destruction or damage to any Partner Data obtained from (or held by Harrenmedia or its personnel on behalf of) Partner, save where such loss, disclosure, destruction or damage was carried out or incurred at the Partner’s request. Harrenmedia shall be liable for and shall indemnify Partner and its employees and agents from and against all damages (including non-material damage) which Partner may suffer consequent upon breach of applicable Data Protection Laws, recklessness or wilful default of Harrenmedia, its employees or agents. In no event shall Harrenmedia’s total liability to Company under these General Conditions for Privacy and Personal Data Protection Policy exceed €1,000.00.

9.2.3.2. Notwithstanding the provisions of the Agreement, Partner shall defend, indemnify and hold Harrenmedia harmless and keep Harrenmedia indemnified, on demand from and against any and all actual or alleged claims and damages incurred by Harrenmedia as a result of Partner’s and/or its employees or representatives (including without limitation any affiliates) unauthorised and/or unlawful data transfer or processing, or accidental loss, disclosure, destruction or damage to anyof)incurred atand its employees and agents from and against all damages (including non-material damage) which Harrenmedia may suffer consequent upon any breach of Applicable Data Protection Law, recklessness or wilful default of Partner, its employees or agents.