This data processing addendum (hereinafter the “Addendum”) forms an inseparable part of terms of
service of Adact platform (hereinafter the “Services”) by and between the Company and the Client
(hereinafter the “Principal Agreement”) as defined in the Principal Agreement.
    1.1 For the purposes of this Addendum, unless expressly otherwise stated or evident in the context,
    the following capitalised terms shall have the following meanings, the singular (where
    appropriate) shall include the plural and vice versa, and references to Sections shall be
    references to sections of this Addendum. Capitalised terms not otherwise defined shall heave
    the meaning given to them in the Principal Agreement.
    (a) “Controller” means the entity which determines the purposes and means of the
    Processing of Personal Data;
    (b) “Data Protection Laws” means applicable data protection legislation, such as the
    GDPR, and laws implementing or supplementing the GDPR;
    (c) “Data Subject“ means an identified or identifiable natural person; an identifiable natural
    person is one who can be identified, directly or indirectly, in particular by reference to
    an identifier such as a name, an identification number, location data, an online identifier
    or to one or more factors specific to the physical, physiological, genetic, mental,
    economic, cultural or social identity of that natural person;
    (d) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the
    (e) “Personal Data Breach” means breach of security leading to the accidental or unlawful
    destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
    transmitted, stored or otherwise processed;
    (f) “Personal Data” means any information relating to a Data Subject which is sent to the
    Company, is accessed by the Company or is otherwise Processed by the Company on
    the Client’s behalf in relation to the Services;
    (g) “Processing“ means any operation where the Company or its Sub-processors process
    Personal Data, whether or not by automated means, such as collection, recording,
    organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
    disclosure by transmission, dissemination or otherwise making available, alignment or
    combination, restriction, erasure or destruction;
    (h) “Processor” means the entity which Processes Personal Data on behalf of the
    (i) “Standard Contractual Clauses” means the standard contractual clauses which are
    adopted by the European Commission or by a supervisory authority in accordance with
    Data Protection Laws;
    (j) “Sub-processor” has the meaning set out in Section 5.1;
    (k) “Technical and organisational measures” means those measures aimed at protecting
    Personal Data against accidental or unlawful destruction or accidental loss, alteration,
    unauthorised disclosure or access, in particular where the processing involves the
    transmission of data over a network, and against all other unlawful forms of processing.
    2.1 For the purpose of provision of the Services under the Principal Agreement, the Company will
    process the Client’s Personal Data. To the extent that such information includes Personal Data
    in respect to which the Client is the Controller, by this Addendum, the Client appoints the
    Company as Processor of such Personal Data, subject to the terms and conditions set forth in
    this Addendum.
    3.1 The categories of Data Subjects and the types of Personal Data processed for the purpose of
    providing Services are stipulated in Appendix 1 to this Addendum.
    3.2 The Company agrees to Process Personal Data in accordance with the documented instructions
    of the Client issued from time to time (including with regard to transfers of Personal Data to a
    third country or an international organisation), unless required to deviate from such instructions
    in order to comply with Data Protection Laws to which the Company is subject (in such case,
    the Company shall inform the Client of such requirement before processing Personal Data,
    unless the Data Protection Laws prohibit such notification).
    3.3 The Company shall notify the Client if it considers that an instruction from the Client under
    Section 3.2 is in breach of the Data Protection Laws, and the Company shall be entitled, but not
    obliged to suspend execution of the relevant instruction until the Client confirms such instruction
    in writing.
    3.4 The Client shall be responsible for requests made by Data Subjects seeking to exercise their
    rights under the Data Protection Laws and shall handle them in accordance with the Data
    Protection Laws. The Client shall immediately notify the Company of such request if complying
    with it requires action from the Company. Accordingly, the Company shall immediately notify
    the Client if it receives such request from a Data Subject under the Data Protection Laws, and
    shall, at the Client’s request and cost, assist the Client, insofar as this is possible, by providing
    such information to the Client as the Client may reasonably require, and within the time period
    reasonably specified by the Client in complying with the rights and rightful requests of the Data
    Subjects, or with notices served by the relevant supervisory authority or any other law
    enforcement or regulatory authority.
    3.5 Taking into account the nature of the Processing, the Company shall implement and maintain
    appropriate Technical and organisational measures in order to ensure a level of security
    appropriate to the risk and protect the Personal Data, and at the Client’s request and cost, assist
    the Client in ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR,
    taking into account the nature of processing and the information available to the Company.
    3.6 The Company may transfer Personal Data to a country outside of the European Union or
    European Economic Area if:
    (a) the Personal Data is transferred to a country approved by the European Commission
    as providing an adequate level of protection for the Personal Data;
    (b) the transfer is made pursuant to Standard Contractual Clauses; or
    (c) other appropriate legal data transfer mechanisms are used.
    3.7 The Company shall inform the Client without undue delay if the Company becomes aware of
    any Personal Data Breach.
    4.1 The Client shall have the right, once in every twelve (12) months upon the provision of twelve
    (12) business days’ prior written notice to audit the Company’s operations relevant to the
    performance of this Addendum. If the date proposed by the Client is not suitable for the
    Company, the Client can appoint another date that cannot be later than five (5) business days
    from the original date. The Client is responsible for the costs of the audit. However, should the
    audit reveal any violation or breach of this Addendum by the Company or its Sub-processor, the
    Company shall compensate the Client for the costs arising from the audit and remedy the
    4.2 The audit must be performed on a business day during the working hours of the Company and
    it must not unreasonably disturb the Company’s course of business or jeopardise the
    confidentiality of any third party’s information in the Company’s possession. The Company
    undertakes to cooperate in good faith with the Client and provide the Client with such information
    relating to this Addendum that the Client may reasonably request in order to demonstrate that
    it has acted in compliance with the Data Protection Laws.
    5.1 If the Company uses subcontractors for the provision of the Services and such subcontractor is
    provided by the Company with Personal Data in respect to which the Client is Data Controller
    (hereinafter the “Sub-processor”), the Company shall ensure that such Sub-processors comply
    with the terms of this Addendum, inter alia including the obligation to implement Technical and
    organisational measures in such a manner that the Processing will meet the requirements of
    the Data Protection Laws.
    5.2 The Client hereby authorises the Company to appoint sub-processors in accordance with this
    Section 5. The Company shall ensure that Sub-processors are bound by written agreements
    that require them to provide at least the level of data protection required from the Company by
    this Addendum. The Company shall inform the Client of any intended changes concerning the
    addition or replacement of Sub-processors, thereby giving the Client the opportunity to object
    to such changes. If, within 7 (seven) days of receipt of the notice, the Client notifies Company
    in writing (the notice must be reasoned) of any objections to the proposed appointment, the
    Company shall not appoint that proposed Sub-processor until reasonable steps have been
    taken to address the objections raised by the Client and the Client has been informed about
    taken steps. If the Client and the Company are not able to resolve appointment of a sub processor within a reasonable period, the Company shall have the right to terminate the
    Addendum and the Principal Agreement without prior notice.
    6.1 The Company undertakes that all its personnel processing Personal Data are bound by the duty
    of confidentiality.
    6.2 If the Company engages a Sub-processor to perform its engagement, it shall ensure that the
    Sub-processor and its personnel are bound by the duty of confidentiality.
    7.1 This Addendum shall apply during such time period as the Company Processes Personal Data
    on behalf of the Client. The termination of Personal Data Processing takes place on the first of
    the following events taking place:
    (a) the Client requests the Company to delete or return the Personal Data and stop
    Processing thereof;
    (b) the Company’s obligation to provide Services to the Client ceases permanently due to
    termination or expiration of the Principal Agreement;
    7.2 Upon termination of the Personal Data Processing, the Personal Data shall, at the Client’s
    discretion, either be returned to the Client, to the extent possible, or be deleted unless any
    applicable law (including EU law or national law) to which the Company is subject requires
    retention of the Personal Data.
    7.3 Obligations which by their nature (e.g. duty of confidentiality) should survive termination or
    expiration of the Addendum, shall so survive.
    8.1 Each Party agrees to give written notice to the other Party, without undue delay, of any claim
    made against itself in connection with the processing of Personal Data under this Addendum.
    8.2 To the extent due to the Company’s or its Sub-processor’s fault, the Company shall be liable for
    damage caused to the Client as a consequence of Processing contrary to the provisions of this
    Addendum and in respect of which the Client has had to pay compensation to the Data Subject
    or pay administrate fines awarded by relevant authorities. Liability of the Company is limited
    pursuant to Section 10 of the Principal Agreement.
    9.1 The governing law and dispute resolution are regulated in the Principal Agreement.
    10.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this
    Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either
    (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’
    intentions as closely as possible or – should this not be possible – (ii) construed in a manner as
    if the invalid or unenforceable part had never been contained therein. The foregoing shall also
    apply if this Addendum contains any omission.
    10.2 Any amendments to this Addendum shall be made in writing and be signed by duly authorised
    representatives of the Parties.
    10.3 In case of any conflict between the terms of this Addendum and the Principal Agreement, the
    provisions of this Addendum shall prevail.

Appendix 1

      • Employees of the Client and other individuals who have been granted access to the Platform by the Client.
      • Data subjects who participate in the marketing campaigns organised by the Client using the Platform.
    • Name, surname, email, password
    • Any personal data collected and processed in connection with the Campaign organized by then Client. Depending on the Campaign, the types of personal data can be, but are not limited to the participant’s name, surname, email, phone number