Webgains Data Processing Agreement with Merchants – 24/04/18

Effective date 24/04/18

Personal Data Processing Agreement

on behalf of

the Merchant / Advertiser

contracting from time to time with Webgains

(hereinafter referred to as: ’Merchant’ or ‘Controller’)


Webgains Ltd, Third Floor

21 Farringdon Road

London, EC1M 3HA

(hereinafter referred to as: ‘Webgains’ or ‘Processor’)

either one, or both, as the case may be, referred to ‘Party’ or ‘Parties’

By ticking the box “I agree to the Personal Data Processing Agreement” the parties execute the following contract about processing of personal data by the processor on behalf of the Merchant.


This Personal Data Processing Agreement (hereinafter “Agreement”) details the parties’ obligations associated with Webgains processing of personal data (hereinafter “Personal Data”) on behalf of Merchant as controller, in connection with the Commission Statement and General terms for Merchants from time to time executed between the Parties (together the ‘Merchant Contract’). Its regulations shall apply to any and all personal data processing activities associated with the Merchant Contract, in whose scope Processor’s employees process Controller’s Personal Data on behalf of Merchant.

  1. Subject matter / type, purpose and scope of Personal Data processing

(1) The Subject matter of this Agreement is the processing of personal data by the Processor, on behalf of, and under instructions from, Merchant. The duties of the Parties’ under this Agreement are derived from the Merchant Contract, to which this Agreement and individual instructions are an Addendum. In the light of the above, according to the principles of the EU-General Data Protection Regulation no. 2016/679 (hereinafter ‘GDPR’) Webgains takes the position of a Processor, whilst Merchant takes the position of a Controller

(2) Nature and Purpose of the intended Processing of Data as well as the relevant Personal Data and group of affected persons are specified in Annex 1 hereto.

  1. Processor’s obligations

 (1) The Processor shall only process Personal Data within the framework of this Agreement and under the Controller’s specific instructions. The Processor will not process the Controller’s Personal Data in a manner which contradicts these requirements.

(2) Section 1 is restricted by Union or Member State law to which the Processor is subject. In this case the Processor has the duty to inform the Controller prior to processing data, unless it contradicts public interest, such as fiscal or commercial reporting obligations.

(3) The Controller or an authorised representative shall submit the instructions via e-mail or via the online ticketing system on the Webgains platform. Verbal instructions shall promptly be confirmed by e-mail or the same ticketing system.

(4) The Processor shall not correct, delete or block Personal Data, except if corresponding instructions have been issued, or if the deletion is done on the basis of clause 14 of this Agreement (termination of this Agreement). Client/user applications for correction, deletion or blocking of Personal Data shall promptly be forwarded to the Controller which in turn shall give instructions to the Processor without delay.

(5) Data processing will take place exclusively within an EU/EEA-member state and the United Kingdom (should it be no longer part of the EU). Any processing in a third country requires consent by the Controller. If consent is given, security standards have to be ensured.

(6) The Processor will maintain a record of all categories of processing activities carried out on behalf of the Controller, containing all information enumerated in Article 30, Sec. 2 GDPR. The Processor shall make all information, required for record maintenance available to the Controller on demand, based on a reasonable notice.

  1. Persons eligible to issue instructions

(1) If instructions or notifications under this Agreement are to be issued towards the other party, such instructions or notifications are to be addressed to the reference persons specified in the Merchant Contract, and failing that, to the persons responsible for carrying out the Merchant Advertising Program on the Webgains Platform (i.e. for Webgains, the Account manager).

(2) Each of the parties may change the specified contact persons by sending a notice in in writing, by e-mail to the other party or the Webgains online ticketing system. Such changes shall become effective immediately upon receipt of the notice of change.

  1. Rights and obligations of the Controller

(1) The Controller shall be solely responsible for evaluating the legal admissibility under the provisions of the GDPR as carried out under this Agreement.

  1. Employees of the Processor bound by instructions and to secrecy

(1) The Processor warrants that all employees involved in processing Controller’s Personal Data shall not be allowed to process Personal Data outside the scope of this Agreement and the Merchant Contract.

(2) Processor shall take steps to ensure that all contracted staff complies with the statutory provisions on Personal Data protection.

(3) Furthermore, Processor warrants that any person entitled to process Personal Data on behalf of Controller has undertaken a confidentiality commitment or is subject to an appropriate statutory obligation to confidentiality.

  1. Appointment of a DPO – Personal Data protection contact

(1) The Processor appoints – as far as he is obligated to do so by the GDPR –  a Data Protection Officer, whose contact details is shown on the Processors’ website retrievable under webgains.com/en/privacy.

(2) If the Controller is not established in one of the Member states of the European Union/EEA, he shall designate a representative in the EU as required in Article 27, sec.1 GDPR, and disclose it in appropriate manners.

  1. Inquiries of data subjects

The Processor shall inform the Controller by e-mail of any receipt of inquiries or requests which are made by a Data Protection Supervisory Authority with regard to the object of this Agreement. The Processor shall take appropriate measures to provide any information for the exercise of the rights of the data subjects, as stipulated in Art. 12a et seq. GDPR.  Where a data subject asserts claim for rectification, erasure or access against Processor, the Processor shall forward the data subject’s claim without undue delay to the Controller. The Controller shall take all necessary steps under the GDPR without delay. The Parties shall support each other, where possible, and based upon Controller’s instructions insofar as agreed upon.

  1. Sub-contractors

(1) The Processor is authorized to engage subcontractors (additional processors)  processing Personal Data. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subcontractors, thereby giving the Controller the opportunity to object to such changes. If Controller does not object within 7 days, consent is implicitly granted. Should the Controller object such change – such objection to be made by specifying the grounds thereof – the Parties will discuss in good faith reasonable measures to make available to Controller a change in services avoiding the use of Personal Data by the objected new sub-processor. If parties do not find an agreement on these measures within 60 days of Webgains having received the objection, then either Party may terminate this Agreement and the Merchant Contract with a 60 days notice.

(2) In case of sub-contracting the Processor shall select the sub-contractor with due diligence, and shall design the contractual agreements in a manner which ensures that they observe the Personal Data protection requirements in the contractual relations between the Controller and the Processor.

(3) The Processor shall make available to Controller the current list of Sub-processors for the Services as enumerated in Annex 2 of this contract under  www.webgains.com/en/privacy/subcontractors

(4) Ancillary services are excluded from a consent-requirement. This covers in particular telecommunication-services, including user support, maintenance services, auditing services and disposal of data carriers. They may be appointed by Webgains on discretionary basis.

  1. Definition of technical and organisational measures

(1) The Processor has been chosen based on the expectation, that he will take the appropriate technical and organisational measures for his sphere of responsibility, in order to ensure compliance with the Personal Data protection provisions.

(2) The Processor will ensure confidentiality, integrity, availability and sufficient capacity of Personal Data processing systems. In the event of physical or technical incidents he promptly restores access to and availability of Personal Data by using encryption for Personal Data transmission and storage. The Processor will take the appropriate technical and organisational measures for his sphere of responsibility, following the rules enumerated in Annex 3.

(3) On request the Processor shall confirm compliance with the defined security measures, enumerated in Annex 3, provided by an independent auditor (IT-security, data protection officer, auditor or similar) in writing, by fax, or e-mail.

(3) The technical and organisational measures are subject to technical progress and further development. Insofar, the Processor reserves the right to implement alternative adequate measures and to reasonably update from time to time Annex 3.

  1. Processor’s control and notification obligations

(1) Should the Processor be of the opinion that an instruction of the Controller violates the GDPR or other Personal Data protection provisions, the Processor shall notify the Controller immediately thereof. The Processor shall have the right to suspend implementation of the relevant instructions until the Controller has either confirmed or changed it, as the case may be.

(2) Should the Processor be of the opinion that the instructions given by the Controller to comply with Personal Data protection regulations are insufficient, the Processor shall notify the Controller immediately thereof and the Controller shall immediately take all measures to comply to the GDPR.

  1. Notification of infringements by the Processor

(1) The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach in his own organization.

(2) In case of a Personal Data breach subject to notification by the Controller to the supervisory authority, the Processor shall notify with undue delay if the event of loss or unlawful disclosure or access of Personal Data cannot be excluded. The Parties shall cooperate in good faith to reach compliance with GDPR without undue delay.

(3) In the event of a real or suspected violation of Personal Data protection, such as loss, deletion, unlawful change of or access to significant amount of Personal Data (‘data breaches’) the affected Party shall notify the other Party immediately thereof in writing. The notice shall describe in clear and plain language the nature of the data breach, including its likely consequences. The Processor shall document any personal data breaches and ensures their availability by request on behalf of the Controller, in case the Controller’s Personal Data is concerned.

  1. Monitoring rights by the Controller

(1) The Controller has the right to conduct (directly or trough a mandated professional auditor) audits, once every calendar year,  on the Processor’s compliance with the statutory provisions about data protection and on the adherence to this Agreement, also at the Supplier’s place of business, in particular by obtaining information and by inspecting the stored data and the data processing programs at the Processor’s premises. The Controller shall give written notice of 20 working days of such inspection or audit.

(2) The parties agree that the Data Protection Officer of the Processor will be commissioned by the Controller with such an audit prior to mandate someone else. As far as the audit report of the Data Protection Officer of the Processor seems insufficient or incomplete, the Controller may order another auditor to conduct controls.

(3) During the audit, the Processor is obligated to provide information and to cooperate accordingly. The Processor will assist the Controller, in particular, in the event of data protection checks by the supervisory authority, to the extent that data processing under this Agreement is concerned.

  1. Duration of the Agreement, termination rights

(1) This Agreement shall have a duration equal to the Merchant Contract.

(2) Either Party may terminate this Agreement and, consequently the Merchant Contract, at any time if the other Party commits a serious violation of this Agreement or the GDPR provisions and fails to cure such breach within 30 days of receipt of a notice by the non-defaulting Party

  1. Performance of orders/ termination of the contractual relationship

(1) Upon termination of this Agreement, the Processor shall immediately cease from processing personal Data on behalf of the Controller. Upon request the Processor will deliver to the Controller a copy of the Personal Data in his possession. The Processor reserves the right to archive the Personal Data according to statutory regulations or for the scope of demonstrating its services under the Merchant Contract.

  1. Annexes

The following Annexes constitute integral parts of this Agreement.

  • Annex 1: Description of the Contractor’s duties,
    incl. description of the nature of the Personal Data and the group of affected persons
  • Annex 2: List of Sub-processors
  • Annex 3: Data security requirements

Annex 1

Personal Data and the purpose of their processing by Webgains  on behalf of the Merchant:

The list shall state the extent, the nature and purpose of any con­templated collection, processing and use of Personal Data, the type of data, and the circle of data subjects.

Type of Personal Data

 IP AddressOrder DetailsTransaction ID

Data subjects

 Customer Visitor

Purpose of processing and use of Personal Data

 Provision of Services according to main contract Controlling

Annex 2: List of Sub-processors

  • Experian Information Solutions, Inc. (41st Parameter) – Fraud detection and prevention;
  • Afilias Technologies Limited (Device Atlas) – Fingerprinting for all visits and transactions);
  • Tech Essence Ltd – Tracking solution;
  • Neory GmbH –  Container tag solution;
  • Amazon Web Services, Inc. – Hosting service;
  • OVH – Hosting service;
  • Pulsant Ltd – Hosting service;
  • Periscope, Inc. – Enterprise reporting tool.

Annex 3

Implemented technical and organisational measures according to Article 32 GDPR:

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Personal Data processed under this agreement. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures shall ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  1. IT Security governance process

The Processor shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  1. Technical and organisational measures to ensure security of processing

The Processor shall implement the following technical and organisational measures to ensure Personal Data security. He shall monitor their adherence through monitoring organisational measures:

Objective: confidentiality

No natural person – employee or third party – shall take notice of the Personal Data under this agreement unless permitted to do so.

1   Admittance Control:

Admittance control for external persons will be implemented e.g. by the following points:
  • Documentation and registration of access and departure of external persons / visitors
  • Central reception area (reception, door keeper)
  • Visitor passes are handed out
  • External persons are only allowed on the premises when accompanied by staff members
  • Authorization permits will be withdrawn immediately after expiration of authorization
Admittance control for staff members will be implemented e.g. by the following points:
  • Documentation of access and departure of staff members
  • Code-keypad with a regularly changing code
  • Chip-cards with functions for keeping record
Implementation of authorization regulation for computer room / server room
Implementation of authorization access-measures to computer / server room
Use of lockable containers for employees
Key policy (locked doors, handing-over of keys only to authorized persons; use and storage of a master key)
Security areas / measures for property protection (e.g. protection of windows, property surveillance)


2   Access Control:

Identification measures for users for access to Personal Data processing systems, i.e. identification via keyword, via password or biometric identification means
Implementation of Password Policy

  • Individual password – assigned by the user himself
  • Of sufficient complexity to be unguessable, scored by the Webgains platform
  • Allocation by the user
  • Expiration after predetermined time interval (at the latest after 6 months)
  • Further checks required after failed attempts, with account speed restrictions after repeated failures
  • No passing on to third parties
  • Regulations for absence (vacation, illness etc.)
Immediate blocking of access to Personal Data protection systems with retirement of staff members
Evaluation of access rights on a regular basis, at least once per year
Automatic activation of password-protected screensaver (time intervals of 5 to 15 minutes, depending on abuse risk)
Protection of internal networks against attacks from the outside by implementing Firewalls, encryption, VPN etc.

3   Access Authorization Control:

Implementation of user profiles, i.e. access authorization regulations
Specified authorization regulations for reading, changing and deletion of Personal Data
Assignment of authorization for employees and assistants according to the minimization principle; Access to applications and system components shall only be allowed when necessary for the employees’ concrete activity
Establishment of an Authorization Concept

  • Implementation of administrator rights
  • Administration of authorization regulations by system administrator
Separation of test and production mode
Configuration of the IT components to ensure deactivation, once the components aren’t necessary to perform the contractual tasks. Annual review of the proper configuration
Disposal of Personal Data carriers and spoilage according to up-to-date Personal Data protection principles and state of the art technology (DIN 66399:2012) or assignment of a service provider specialized on the spoilage of data carriers using the same security level. Data carriers scheduled to spoilage shall be subject to safe storage and transport.
Written regulation for measures regarding the copying of Personal Data
Deactivation of USB ports and other portable media on working stations where Personal Data of Client can be accessed
Implementation of measures against unauthorized data flows (restriction of USB ports, Data-Leakage-Detection/Prevention/Protection Software, etc.)

4   Purpose Control:

Implementation of authorization concept specifying access rights
Multi-client capable database

Objective: integrity

Supplier shall insure that IT processes and systems continually comply with the codified specifications. Personal data shall remain intact, complete and up-to-date.

5   Controls of Transfer Processes:

Documentation of data receivers, transport paths, persons authorized for transfer of data and data that has been
Encryption of Personal Data prior transfer in case of unsecure transmission paths

6   Input Control:

All Personal Data entries are logged by means of audit-proof, written access rights
Logging of Personal Data entries, changes and erasure of personal Personal Data
Access rights to logged data are in place
Regulations concerning the erasure of logged data are in place


 Objective: availability

7   Control of Data Availability:

Formalized approval process for the implementation of new Personal Data processing systems and the implementation of substantial changes to the former system
All systems powered via an uninterruptible power supply (UPS)
Automatic fire and smoke detectors
Fire-Extinguishers in Server Rooms
Back up of databases

  • Concept for conservation of status quo
  • Storage of backup copies in a safe place (stock removal)
  • Compilation of backup copies in adequate intervals according to generation principle
Reconstruction of databases

  • Test runs

Objective: capacity

 8   Control of Accordance with Client’s instructions:

Control of compliance with Personal Data protection measures by Supplier and obligation to inform Client about data security incidents
All staff members of Supplier working with personal data of the Client are contractually obliged to comply with Personal Data protection principles
Supplier’s instructions to its employees who have access to personal data, regarding the processing of the personal data regarding the processing

9  process to ensure regular examination

Implementation of a system to ensure the principle of accountability and IT security governance
Incident-Response Management
measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, e.g. by:

  • Informational separation of powers with and among Controllers
  • Reduction of possibilities to access personal data
  • Preference of automated processing (not decision processes), which lead to attention of processed Personal Data being unnecessary and the restriction of processing operations
  • Implementation of automated routines regarding restriction of processing and deletion  of Personal Data
  • Procedures of pseudonymizing and anonymization
  • Procedures on control of processes regarding change of procedures
Far reaching procedures of pseudonymizing and encryption of Personal Data
Notification of Personal Data breaches
Monitoring of the implemented measures on a regular basis, at least once a year
Safe and sufficient default settings of the servers to ensure a secure restart of the server system within the planned timeframe