Henkilötietolaki (523/1999) 10 §

1. Rekisterinpitäjä

Performission Oy AB, Laivanvarustajankatu 10 G 85 00140 Helsinki
Y-tunnus 2774366-4

2. Yhteyshenkilö rekisteriä koskevissa asioissa

Niklas Holmström niklas@vanha.performission.demolink.fi

3. Rekisterit

Markkinointirekisteri.

Keräämme Google Analyticsin ja HubSpotin avulla tietoa siitä missä sivustolla vierailet ja kuinka kauan vietät aikaa. Tämän tiedon perusteella emme voi yhdistää Google Analyticsin tai HubSpotin tallentamia tietoja sinuun.

4. Henkilötietojen käsittelyn tarkoitus

Henkilötietoja voidaan käyttää uutiskirjeiden lähettämiseen, asiakkuuden hoitamiseen ml. myyntityö ja sivuston personointiin.

Saatamme myös kohdistaa sinulle kohdistettua mainontaa muilla verkkosivustoilla. Emme tässä tapauksessakaan tiedä kuka olet, vaan tiedämme vain mitä olet sivustollamme tehnyt.

5. Rekisterin tietosisältö

Rekisteri voi pitää sisällään seuraavat tiedot: Nimi, sähköpostiosoite, puhelinnumero, rekisteriin liittymisen sijainti ja ajankohta, kieli, aikavyöhyke, IP-osoite, Google Analytics ID-tunniste ja sivustokäyttäytyminen.

6. Säännönmukaiset tietolähteet

Rekisteri koostetaan Performission.fi verkkopalvelun kautta niistä kävijöistä, jotka täyttävät sivustolla lomakkeen.

7. Tietojen säännönmukaiset luovutukset

Performission ei luovuta asiakastietoja kolmansille osapuolille ellei kyseessä ole lainvoimainen viranomaisen vaatimus.

8. Tietojen säilytys

Kaikkia henkilötietoja säilytetään vahvan suojamuurin takana eikä tietoihin ole pääsyä kenelläkään muulla kuin Performissionilla.

9. Evästeiden käyttö

Performission käyttää verkkosivustossaan evästeitä, joiden avulla seurataan kävijäliikennettä ja kehitetään sivustoa. Näiden evästeiden perusteella yksittäistä henkilöä ei voi tunnistaa.

10. Rekisterin suojauksen periaatteet

Rekisteri on suojattu ja sen käyttöoikeus edellyttää henkilökohtaista käyttäjätunnusta ja salasanaa, jotka myönnetään vain rekisterinpitäjän henkilökuntaan kuuluvalle, jonka asemaan ja tehtäviin mainittu käyttöoikeus liittyy. Rekisteriä ei säilytetä paperisena tulosteena.

11. Tietojen päivittäminen

Rekisteriin kuuluva voi kieltää tietojensa hyödyntämisen ja kieltäytyä tiedotteiden vastaanottamisesta klikkaamalla niissä olevaa peruutuslinkkiä tai ottamalla yhteyden rekisterin ylläpitäjään.

12. Henkilötietojen poistopyyntö

Voit pyytää rekisterinpitäjää poistamaan kaikki sinuun liittyvät tiedot Performissionin rekistereistä ottamalla yhteyttä rekisterinpitäjään.

Data Processing Terms

These Data Processing Terms (“DPT”) that include the Standard Contractual Clauses adopted by the European
Commission, as applicable, reflect the parties’ agreement with respect to the terms governing the Processing of
Personal Data under the Advertiser Terms of Service (“Principal Agreement”) entered into by and between: (i)
Performission Oy Ab (as defined under the Principal Agreement) (hereinafter referred to as “Vendor”) acting on
its own behalf and as agent for each Vendor Affiliate; and (ii) Demand Partner (as defined under the Principal
Agreement) (hereinafter referred to as “Company”) acting on its own behalf and as agent for each Company
Affiliate. The DPT is an amendment to the Principal Agreement and is effective upon is incorporation, which
incorporation is specified in the Principal Agreement. Upon its incorporation into the Principal Agreement, the
DPT will from an integral part of, and will be subject to, the Principal Agreement.
Vendor and Company are hereinafter jointly referred to as the “parties” and individually as the “party”.

The terms used in the DPT shall have the meanings set forth in the DPT. Capitalized terms not otherwise
defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the
terms of the Principal Agreement shall remain in full force and effect. Except where the context requires
otherwise, references in the DPT to the Principal Agreement are to the Principal Agreement as amended by, and
including, the DPT.
In connection with the Services, the parties anticipate that Vendor, each Vendor Affiliate, each Contracted
Processor and/or each Subprocessor may process outside of the European Economic Area (“EEA”) and United
Kingdom, certain Company Personal Data in respect of which any Company Group Member may be a
Controller, as applicable, under applicable EU Data Protection Laws. The parties have agreed to enter into the
DPT in order to ensure that adequate safeguards are put in place with respect to the protection of such Company
Personal Data as required by EU Data Protection Laws.
Data Processing Terms
In the course of providing the Services to Company pursuant to the Principal Agreement, Vendor and each
Vendor Affiliate may Process Company Personal Data on behalf of any Company Group Member. Vendor
agrees to comply with the following provisions with respect to any Company Personal Data submitted by or for
any Company Group Member to Vendor or collected and processed by or for any Company Group Member
using Vendor’s services.
The parties agree that the obligations under the DPT that are specific to the GDPR shall not apply until the
GDPR has come into full force and effect.
1. Definitions
1.1 In the DPT, the following terms shall have the meanings set out below and cognate terms shall be
construed accordingly:
1.1.1 “Adequate Country” means a country or territory that is recognized under EU Data
Protection Laws as providing adequate protection for Company Personal Data;
1.1.2 “Applicable Laws” means (a) European Union or Member State laws with respect to any
Company Personal Data in respect of which any Company Group Member is subject to EU
Data Protection Laws; and (b) any other applicable law with respect to any Company Personal
Data in respect of which any Company Group Member is subject to any other Data Protection
Laws;
1.1.3 “Company Affiliate” means an entity that owns or controls, is owned or controlled by or is or
under common control or ownership with Company, where control is defined as the
possession, directly or indirectly, of the power to direct or cause the direction of the
management and policies of an entity, whether through ownership of voting securities, by
contract or otherwise;
1.1.4 “Company Group Member” means Company or any Company Affiliate;
1.1.5 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on
behalf of a Company Group Member pursuant to or in connection with the Principal
Agreement;
1.1.6 “Contracted Processor” means Vendor or a Subprocessor;
1.1.7 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the
data protection or privacy laws of any other country;
1.1.8 “EEA” means the European Economic Area;
1.1.9 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic
legislation of each Member State and as amended, replaced or superseded from time to time,
including by the GDPR and laws implementing or supplementing the GDPR;
1.1.10 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data);
1.1.11 “Restricted Transfer” means:
1.1.11.1 a transfer of Company Personal Data from any Company Group Member to a
Contracted Processor; or
1.1.11.2 an onward transfer of Company Personal Data from a Contracted Processor to a
Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the
terms of data transfer agreements put in place to address the data transfer restrictions of Data
Protection Laws) in the absence of the Standard Contractual Clauses to be established under
section 8.5.2 or 14 below;
1.1.12 “Services” means the services and other activities to be supplied to or carried out by or on
behalf of Vendor for Company Group Members pursuant to the Principal Agreement;
1.1.13 “Standard Contractual Clauses” means the contractual clauses set out in Exhibit 1,
amended as indicated in that Exhibit and under section 15.4;
1.1.14 “Subprocessor” means any person (including any third party and any Vendor Affiliate,
but excluding an employee of Vendor or any of its sub-contractors) appointed by or on
behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of any
Company Group Member in connection with the Principal Agreement; and
1.1.15 “Vendor Affiliate” means an entity that owns or controls, is owned or controlled by or is
or under common control or ownership with Vendor, where control is defined as the
possession, directly or indirectly, of the power to direct or cause the direction of the
management and policies of an entity, whether through ownership of voting securities, by
contract or otherwise.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”,
“Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as
in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be
construed accordingly.
2. Details of Processing of Company Personal Data
2.1 Subject-Matter and Nature of the Processing. The subject-matter of Processing of Company
Personal Data by Contracted Processor is the provision of the Services to any Company Group Member
that involves the Processing of Company Personal Data. Company Personal Data will be subject to
those Processing activities as may be specified in the Principal Agreement.
2.2 Duration of the Processing. Company Personal Data will be Processed for the duration of the
Principal Agreement.
2.3 Purpose of the Processing. Company Personal Data will be Processed for purposes of providing the
Services set out and otherwise agreed to in the Principal Agreement.
2.4 Types of Personal Data. Online identifiers, including cookie identifiers, internet protocol addresses
and device identifiers, Company identifiers.
2.5 Categories of Data Subjects. Company Personal Data will concern the following categories of Data
Subjects:
2.5.1 Data Subjects about whom Vendor and each Vendor Affiliate collect personal data in its
provision of the Services; and/or
2.5.2 Data Subjects about whom personal data is transferred to Vendor and/or Vendor Affiliate
in connection with the Services by, at the direction of, or on behalf of any Company
Group Member.
Depending on the nature of the Services, these Data Subjects may include individuals: (a) to whom
online advertising has been, or will be, directed; (b) who have visited specific websites or applications
in respect of which Vendor and/or Vendor Affiliate provide the Services; and/or (c) who are customers
or users of Company Group Member’s products or services.
3. Status of the parties
3.1 Each party warrants in relation to Company Personal Data that it will comply with EU Data Protection
Laws. As between the parties, the Company shall have sole responsibility for the accuracy, quality, and
legality of Company Personal Data and the means by which the Company acquired Company Personal
Data.
3.2 Each party shall appoint an individual within its organization authorized to respond from time to time
to enquiries regarding the Company Personal Data and each party shall deal with such enquiries
promptly.
4. Authority
Vendor warrants and represents that, before any Vendor Affiliate Processes any Company Personal
Data on behalf of any Company Group Member, Vendor’s entry into the DPT as agent for and on
behalf of that Vendor Affiliate will have been duly and effectively authorised (or subsequently ratified)
by that Vendor Affiliate.
5. Processing of Company Personal Data
5.1 Vendor and each Vendor Affiliate shall:
5.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
and
5.1.2 not Process Company Personal Data other than on the relevant Company Group Member’s
documented instructions unless Processing is required by Applicable Laws to which the
relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor
Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group
Member of that legal requirement before the relevant Processing of that Personal Data.
5.2 Each Company Group Member:
5.2.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate
to instruct each Subprocessor) to:
5.2.1.1 Process Company Personal Data; and
5.2.1.2 in particular, transfer Company Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Principal
Agreement; and
5.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively
authorised to give the instruction set out in section 5.2.1 on behalf of each relevant Company
Affiliate.
5.3 Section 2 of the DPT sets out certain information regarding the Contracted Processors’ Processing of
the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent
requirements of other Data Protection Laws). Nothing in Section 2 confers any right or imposes any
obligation on any party to the DPT.
6. Vendor and Vendor Affiliate Personnel
Vendor and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee,
agent or contractor of any Contracted Processor who may have access to the Company Personal Data,
ensuring in each case that access is strictly limited to those individuals who need to know / access the
relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and
to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor,
ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory
obligations of confidentiality.
7. Security
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms
of natural persons, Vendor and each Vendor Affiliate shall in relation to the Company Personal Data
implement appropriate technical and organizational measures to ensure a level of security appropriate
to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
7.2 In assessing the appropriate level of security, Vendor and each Vendor Affiliate shall take account in
particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
8. Subprocessing
8.1 Each Company Group Member authorises Vendor and each Vendor Affiliate to appoint (and permit
each Subprocessor appointed in accordance with this section 8 to appoint) Subprocessors in accordance
with this section 8 and any restrictions in the Principal Agreement.
8.2 Vendor and each Vendor Affiliate may continue to use those Subprocessors already engaged by
Vendor or any Vendor Affiliate as at the date of the DPT, including, but not limited to Amazon Web
Services, OVH and Hetzner Online as third party data center operators, and affiliates, publishers, ad
media, media buyers, ad networks, demand side platforms (DSP), supply side platforms (SSP),
outsourced marketing, business, engineering, customer support and traffic provider