Tietosuojaseloste

Henkilötietolaki (523/1999) 10 §

1. Rekisterinpitäjä

Performission Oy AB, Laivanvarustajankatu 10 G 85 00140 Helsinki
Y-tunnus 2774366-4

2. Yhteyshenkilö rekisteriä koskevissa asioissa

Niklas Holmström niklas@vanha.performission.demolink.fi

3. Rekisterit

Markkinointirekisteri.

Keräämme Google Analyticsin ja HubSpotin avulla tietoa siitä missä sivustolla vierailet ja kuinka kauan vietät aikaa. Tämän tiedon perusteella emme voi yhdistää Google Analyticsin tai HubSpotin tallentamia tietoja sinuun.

4. Henkilötietojen käsittelyn tarkoitus

Henkilötietoja voidaan käyttää uutiskirjeiden lähettämiseen, asiakkuuden hoitamiseen ml. myyntityö ja sivuston personointiin.

Saatamme myös kohdistaa sinulle kohdistettua mainontaa muilla verkkosivustoilla. Emme tässä tapauksessakaan tiedä kuka olet, vaan tiedämme vain mitä olet sivustollamme tehnyt.

5. Rekisterin tietosisältö

Rekisteri voi pitää sisällään seuraavat tiedot: Nimi, sähköpostiosoite, puhelinnumero, rekisteriin liittymisen sijainti ja ajankohta, kieli, aikavyöhyke, IP-osoite, Google Analytics ID-tunniste ja sivustokäyttäytyminen.

6. Säännönmukaiset tietolähteet

Rekisteri koostetaan Performission.fi verkkopalvelun kautta niistä kävijöistä, jotka täyttävät sivustolla lomakkeen.

7. Tietojen säännönmukaiset luovutukset

Performission ei luovuta asiakastietoja kolmansille osapuolille ellei kyseessä ole lainvoimainen viranomaisen vaatimus.

8. Tietojen säilytys

Kaikkia henkilötietoja säilytetään vahvan suojamuurin takana eikä tietoihin ole pääsyä kenelläkään muulla kuin Performissionilla.

9. Evästeiden käyttö

Performission käyttää verkkosivustossaan evästeitä, joiden avulla seurataan kävijäliikennettä ja kehitetään sivustoa. Näiden evästeiden perusteella yksittäistä henkilöä ei voi tunnistaa.

10. Rekisterin suojauksen periaatteet

Rekisteri on suojattu ja sen käyttöoikeus edellyttää henkilökohtaista käyttäjätunnusta ja salasanaa, jotka myönnetään vain rekisterinpitäjän henkilökuntaan kuuluvalle, jonka asemaan ja tehtäviin mainittu käyttöoikeus liittyy. Rekisteriä ei säilytetä paperisena tulosteena.

11. Tietojen päivittäminen

Rekisteriin kuuluva voi kieltää tietojensa hyödyntämisen ja kieltäytyä tiedotteiden vastaanottamisesta klikkaamalla niissä olevaa peruutuslinkkiä tai ottamalla yhteyden rekisterin ylläpitäjään.

12. Henkilötietojen poistopyyntö

Voit pyytää rekisterinpitäjää poistamaan kaikki sinuun liittyvät tiedot Performissionin rekistereistä ottamalla yhteyttä rekisterinpitäjään.

Data Processing Terms

These Data Processing Terms (“DPT”) that include the Standard Contractual Clauses adopted by the European
Commission, as applicable, reflect the parties’ agreement with respect to the terms governing the Processing of
Personal Data under the Advertiser Terms of Service (“Principal Agreement”) entered into by and between: (i)
Performission Oy Ab (as defined under the Principal Agreement) (hereinafter referred to as “Vendor”) acting on
its own behalf and as agent for each Vendor Affiliate; and (ii) Demand Partner (as defined under the Principal
Agreement) (hereinafter referred to as “Company”) acting on its own behalf and as agent for each Company
Affiliate. The DPT is an amendment to the Principal Agreement and is effective upon is incorporation, which
incorporation is specified in the Principal Agreement. Upon its incorporation into the Principal Agreement, the
DPT will from an integral part of, and will be subject to, the Principal Agreement.
Vendor and Company are hereinafter jointly referred to as the “parties” and individually as the “party”.

The terms used in the DPT shall have the meanings set forth in the DPT. Capitalized terms not otherwise
defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the
terms of the Principal Agreement shall remain in full force and effect. Except where the context requires
otherwise, references in the DPT to the Principal Agreement are to the Principal Agreement as amended by, and
including, the DPT.
In connection with the Services, the parties anticipate that Vendor, each Vendor Affiliate, each Contracted
Processor and/or each Subprocessor may process outside of the European Economic Area (“EEA”) and United
Kingdom, certain Company Personal Data in respect of which any Company Group Member may be a
Controller, as applicable, under applicable EU Data Protection Laws. The parties have agreed to enter into the
DPT in order to ensure that adequate safeguards are put in place with respect to the protection of such Company
Personal Data as required by EU Data Protection Laws.
Data Processing Terms
In the course of providing the Services to Company pursuant to the Principal Agreement, Vendor and each
Vendor Affiliate may Process Company Personal Data on behalf of any Company Group Member. Vendor
agrees to comply with the following provisions with respect to any Company Personal Data submitted by or for
any Company Group Member to Vendor or collected and processed by or for any Company Group Member
using Vendor’s services.
The parties agree that the obligations under the DPT that are specific to the GDPR shall not apply until the
GDPR has come into full force and effect.
1. Definitions
1.1 In the DPT, the following terms shall have the meanings set out below and cognate terms shall be
construed accordingly:
1.1.1 “Adequate Country” means a country or territory that is recognized under EU Data
Protection Laws as providing adequate protection for Company Personal Data;
1.1.2 “Applicable Laws” means (a) European Union or Member State laws with respect to any
Company Personal Data in respect of which any Company Group Member is subject to EU
Data Protection Laws; and (b) any other applicable law with respect to any Company Personal
Data in respect of which any Company Group Member is subject to any other Data Protection
Laws;
1.1.3 “Company Affiliate” means an entity that owns or controls, is owned or controlled by or is or
under common control or ownership with Company, where control is defined as the
possession, directly or indirectly, of the power to direct or cause the direction of the
management and policies of an entity, whether through ownership of voting securities, by
contract or otherwise;
1.1.4 “Company Group Member” means Company or any Company Affiliate;
1.1.5 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on
behalf of a Company Group Member pursuant to or in connection with the Principal
Agreement;
1.1.6 “Contracted Processor” means Vendor or a Subprocessor;
1.1.7 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the
data protection or privacy laws of any other country;
1.1.8 “EEA” means the European Economic Area;
1.1.9 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic
legislation of each Member State and as amended, replaced or superseded from time to time,
including by the GDPR and laws implementing or supplementing the GDPR;
1.1.10 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data);
1.1.11 “Restricted Transfer” means:
1.1.11.1 a transfer of Company Personal Data from any Company Group Member to a
Contracted Processor; or
1.1.11.2 an onward transfer of Company Personal Data from a Contracted Processor to a
Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the
terms of data transfer agreements put in place to address the data transfer restrictions of Data
Protection Laws) in the absence of the Standard Contractual Clauses to be established under
section 8.5.2 or 14 below;
1.1.12 “Services” means the services and other activities to be supplied to or carried out by or on
behalf of Vendor for Company Group Members pursuant to the Principal Agreement;
1.1.13 “Standard Contractual Clauses” means the contractual clauses set out in Exhibit 1,
amended as indicated in that Exhibit and under section 15.4;
1.1.14 “Subprocessor” means any person (including any third party and any Vendor Affiliate,
but excluding an employee of Vendor or any of its sub-contractors) appointed by or on
behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of any
Company Group Member in connection with the Principal Agreement; and
1.1.15 “Vendor Affiliate” means an entity that owns or controls, is owned or controlled by or is
or under common control or ownership with Vendor, where control is defined as the
possession, directly or indirectly, of the power to direct or cause the direction of the
management and policies of an entity, whether through ownership of voting securities, by
contract or otherwise.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”,
“Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as
in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be
construed accordingly.
2. Details of Processing of Company Personal Data
2.1 Subject-Matter and Nature of the Processing. The subject-matter of Processing of Company
Personal Data by Contracted Processor is the provision of the Services to any Company Group Member
that involves the Processing of Company Personal Data. Company Personal Data will be subject to
those Processing activities as may be specified in the Principal Agreement.
2.2 Duration of the Processing. Company Personal Data will be Processed for the duration of the
Principal Agreement.
2.3 Purpose of the Processing. Company Personal Data will be Processed for purposes of providing the
Services set out and otherwise agreed to in the Principal Agreement.
2.4 Types of Personal Data. Online identifiers, including cookie identifiers, internet protocol addresses
and device identifiers, Company identifiers.
2.5 Categories of Data Subjects. Company Personal Data will concern the following categories of Data
Subjects:
2.5.1 Data Subjects about whom Vendor and each Vendor Affiliate collect personal data in its
provision of the Services; and/or
2.5.2 Data Subjects about whom personal data is transferred to Vendor and/or Vendor Affiliate
in connection with the Services by, at the direction of, or on behalf of any Company
Group Member.
Depending on the nature of the Services, these Data Subjects may include individuals: (a) to whom
online advertising has been, or will be, directed; (b) who have visited specific websites or applications
in respect of which Vendor and/or Vendor Affiliate provide the Services; and/or (c) who are customers
or users of Company Group Member’s products or services.
3. Status of the parties
3.1 Each party warrants in relation to Company Personal Data that it will comply with EU Data Protection
Laws. As between the parties, the Company shall have sole responsibility for the accuracy, quality, and
legality of Company Personal Data and the means by which the Company acquired Company Personal
Data.
3.2 Each party shall appoint an individual within its organization authorized to respond from time to time
to enquiries regarding the Company Personal Data and each party shall deal with such enquiries
promptly.
4. Authority
Vendor warrants and represents that, before any Vendor Affiliate Processes any Company Personal
Data on behalf of any Company Group Member, Vendor’s entry into the DPT as agent for and on
behalf of that Vendor Affiliate will have been duly and effectively authorised (or subsequently ratified)
by that Vendor Affiliate.
5. Processing of Company Personal Data
5.1 Vendor and each Vendor Affiliate shall:
5.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
and
5.1.2 not Process Company Personal Data other than on the relevant Company Group Member’s
documented instructions unless Processing is required by Applicable Laws to which the
relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor
Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group
Member of that legal requirement before the relevant Processing of that Personal Data.
5.2 Each Company Group Member:
5.2.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate
to instruct each Subprocessor) to:
5.2.1.1 Process Company Personal Data; and
5.2.1.2 in particular, transfer Company Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Principal
Agreement; and
5.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively
authorised to give the instruction set out in section 5.2.1 on behalf of each relevant Company
Affiliate.
5.3 Section 2 of the DPT sets out certain information regarding the Contracted Processors’ Processing of
the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent
requirements of other Data Protection Laws). Nothing in Section 2 confers any right or imposes any
obligation on any party to the DPT.
6. Vendor and Vendor Affiliate Personnel
Vendor and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee,
agent or contractor of any Contracted Processor who may have access to the Company Personal Data,
ensuring in each case that access is strictly limited to those individuals who need to know / access the
relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and
to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor,
ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory
obligations of confidentiality.
7. Security
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms
of natural persons, Vendor and each Vendor Affiliate shall in relation to the Company Personal Data
implement appropriate technical and organizational measures to ensure a level of security appropriate
to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
7.2 In assessing the appropriate level of security, Vendor and each Vendor Affiliate shall take account in
particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
8. Subprocessing
8.1 Each Company Group Member authorises Vendor and each Vendor Affiliate to appoint (and permit
each Subprocessor appointed in accordance with this section 8 to appoint) Subprocessors in accordance
with this section 8 and any restrictions in the Principal Agreement.
8.2 Vendor and each Vendor Affiliate may continue to use those Subprocessors already engaged by
Vendor or any Vendor Affiliate as at the date of the DPT, including, but not limited to Amazon Web
Services, OVH and Hetzner Online as third party data center operators, and affiliates, publishers, ad
media, media buyers, ad networks, demand side platforms (DSP), supply side platforms (SSP),
outsourced marketing, business, engineering, customer support and traffic providers to support the
performance of the Services.
8.3 Each Company Group Member grants a general authorization: (a) to Vendor to appoint other Vendor
Affiliates as Subprocessors, and (b) to Vendor and each Vendor Affiliate to appoint third party data
center operators, and affiliates, publishers, ad media, media buyers, ad networks, demand side
platforms (DSP), supply side platforms (SSP), outsourced marketing, business, engineering, customer
support and traffic providers to support the performance of the Services. For the avoidance of doubt,
the above general authorization constitutes each Company Group Member’s prior written consent to
the subprocessing by Vendor and each Vendor Affiliate for purposes of Clause 11 of the Standard
Contractual Clauses.
8.4 Vendor will maintain a list of Subprocessors in the Company’s Interface on the Vendor’s domain and
will add the names of new and replacement Subprocessors to the list prior to them starting subProcessing
of Company Personal Data. If the Company has a reasonable objection to any new or
replacement Subprocessor, it shall notify Vendor of such objections in writing within ten (10) days of
the Subprocessor’s inclusion on the list and the parties will seek to resolve the matter in good faith. If
Vendor is reasonably able to provide the Services to Company in accordance with the Principal
Agreement without using the Subprocessor and decides in its sole discretion to do so, then Company
will have no further rights under this clause 8.4 in respect of the proposed use of the Subprocessor. If
Vendor requires use of the Subprocessor in its sole discretion and is unable to satisfy Company as to
the suitability of the Subprocessor or the documentation and protections in place between Vendor and
the Subprocessor within ninety (90) days from the Company’s notification of objections, the Company
may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate
the applicable Insertion Order(s) with at least thirty (30) days written notice, solely with respect to the
service(s) to which the proposed new Subprocessor’s Processing of Company Personal Data relates. If
Company does not provide a timely objection to any new or replacement Subprocessor in accordance
with this clause 8.4, Company will be deemed to have consented to the Subprocessor and waived its
right to object. Vendor and each Vendor Affiliate and may use a new or replacement Subprocessor
whilst the objection procedure in this clause 8.4 is in process.
8.5 With respect to each Subprocessor, Vendor or the relevant Vendor Affiliate shall:
8.5.1 ensure that the arrangement between on the one hand (a) Vendor, or (b) the relevant Vendor
Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the
Subprocessor, is governed by a written contract including terms which offer at least the same
level of protection for Company Personal Data as those set out in the DPT and meet the
requirements of article 28(3) of the GDPR, and shall remain liable to the Company for the
performance of Subprocessor’s obligations;
8.5.2 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual
Clauses are at all relevant times incorporated into the agreement between on the one hand (a)
Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Subprocessor;
and on the other hand the Subprocessor, or before the Subprocessor first Processes Company
Personal Data procure that it enters into an agreement incorporating the Standard Contractual
Clauses with the relevant Company Group Member(s) (and Company shall procure that each
Company Affiliate party to any such Standard Contractual Clauses cooperates with their
population and execution); and
8.6 Vendor and each Vendor Affiliate shall ensure that each Subprocessor performs the obligations under
sections 5.1, 6, 7, 9, 11 and 13.1, as they apply to Processing of Company Personal Data carried out by
that Subprocessor, as if it were party to the DPT in place of Vendor.
9. Data Subject Rights
Taking into account the nature of the Processing, Vendor and each Vendor Affiliate shall assist each
Company Group Member by implementing appropriate technical and organisational measures, insofar
as this is possible, for the fulfilment of the Company Group Members’ obligations, as reasonably
understood by Company, to respond to requests to exercise Data Subject rights under the Data
Protection Laws (including access, rectification, restriction, deletion or portability of Company
Personal Data, as applicable). If such request is made directly to Vendor or any Vendor Affiliate,
Vendor shall promptly inform Company and shall advise Data Subjects to submit their request to
Company. Company shall be solely responsible for responding to any Data Subject request. Company
shall reimburse Vendor for the costs arising from this assistance.
10. Personal Data Breach
Vendor shall notify Company without undue delay upon Vendor or any Subprocessor becoming aware
of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient
information to allow each Company Group Member to meet any obligations to report or inform Data
Subjects of the Personal Data Breach under the Data Protection Laws.
11. Data Protection Impact Assessment and Prior Consultation
Vendor and each Vendor Affiliate shall provide reasonable assistance to each Company Group Member
with any data protection impact assessments, and prior consultations with Supervising Authorities or
other competent data privacy authorities, which Company reasonably considers to be required of any
Company Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data
Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking
into account the nature of the Processing and information available to, the Contracted Processors.
12. Deletion or return of Company Personal Data
12.1 Other than to the extent required to comply with EU Data Protection Law, following termination or
expiry of the Principal Agreement, Vendor and each Vendor Affiliate shall promptly delete and procure
the deletion of all copies of the Company Personal Data. If Vendor is unable to delete Company
Personal Data for technical or other reasons, Vendor will apply measures to ensure that Company
Personal Data is blocked from any further Processing.
12.2 Subject to section 12.3, Company may in its absolute discretion by written notice to Vendor within 10
days from the termination or expiry of the Principal Agreement require Vendor and each Vendor
Affiliate to (a) return a complete copy of all Company Personal Data to Company by secure file
transfer in such format as is reasonably notified by Company to Vendor; and (b) delete and procure the
deletion of all other copies of Company Personal Data Processed by any Contracted Processor.
12.3 Each Contracted Processor may retain Company Personal Data to the extent required by Applicable
Laws and only to the extent and for such period as required by Applicable Laws and always provided
that Vendor and each Vendor Affiliate shall ensure the confidentiality of all such Company Personal
Data and shall ensure that such Company Personal Data is only Processed as necessary for the
purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
13. Audit rights
13.1 Subject to sections 13.2 and 13.3, Vendor and each Vendor Affiliate shall make available to each
Company Group Member on request all information necessary to demonstrate compliance with the
DPT, and shall allow for and contribute to audits, including inspections, by any Company Group
Member or an auditor mandated by any Company Group Member in relation to the Processing of the
Company Personal Data by the Contracted Processors.
13.2 Information and audit rights of the Company Group Members only arise under section 13.1 to the
extent that the Principal Agreement does not otherwise give them information and audit rights meeting
the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the
GDPR).
13.3 Company or the relevant Company Affiliate undertaking an audit shall give Vendor or the relevant
Vendor Affiliate reasonable notice of any audit or inspection to be conducted under section 13.1 and
shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid
causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted
Processors’ premises, equipment, personnel and business while its personnel are on those premises in
the course of such an audit or inspection. A Contracted Processor need not give access to its premises
for the purposes of such an audit or inspection:
13.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;
13.3.2 outside normal business hours at those premises, unless the audit or inspection needs to be
conducted on an emergency basis and Company or the relevant Company Affiliate
undertaking an audit has given notice to Vendor or the relevant Vendor Affiliate that this is the
case before attendance outside those hours begins; or
13.3.3 for the purposes of more than one audit or inspec