DATA PROCESSING ADDENDUM
TO THE TERMS OF SERVICE
This data processing addendum (hereinafter the “Addendum”) forms an inseparable part of terms of
service of Adact platform (hereinafter the “Services”) by and between the Company and the Client
(hereinafter the “Principal Agreement”) as defined in the Principal Agreement.

1. DEFINITIONS
   1.1 For the purposes of this Addendum, unless expressly otherwise stated or evident in the context,
   the following capitalised terms shall have the following meanings, the singular (where
   appropriate) shall include the plural and vice versa, and references to Sections shall be
   references to sections of this Addendum. Capitalised terms not otherwise defined shall heave
   the meaning given to them in the Principal Agreement.
   (a) “Controller” means the entity which determines the purposes and means of the
   Processing of Personal Data;
   (b) “Data Protection Laws” means applicable data protection legislation, such as the
   GDPR, and laws implementing or supplementing the GDPR;
   (c) “Data Subject“ means an identified or identifiable natural person; an identifiable natural
   person is one who can be identified, directly or indirectly, in particular by reference to
   an identifier such as a name, an identification number, location data, an online identifier
   or to one or more factors specific to the physical, physiological, genetic, mental,
   economic, cultural or social identity of that natural person;
   (d) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the
   Council;
   (e) “Personal Data Breach” means breach of security leading to the accidental or unlawful
   destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
   transmitted, stored or otherwise processed;
   (f) “Personal Data” means any information relating to a Data Subject which is sent to the
   Company, is accessed by the Company or is otherwise Processed by the Company on
   the Client’s behalf in relation to the Services;
   (g) “Processing“ means any operation where the Company or its Sub-processors process
   Personal Data, whether or not by automated means, such as collection, recording,
   organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
   disclosure by transmission, dissemination or otherwise making available, alignment or
   combination, restriction, erasure or destruction;
   (h) “Processor” means the entity which Processes Personal Data on behalf of the
   Controller;
   (i) “Standard Contractual Clauses” means the standard contractual clauses which are
   adopted by the European Commission or by a supervisory authority in accordance with
   Data Protection Laws;
   (j) “Sub-processor” has the meaning set out in Section 5.1;
   (k) “Technical and organisational measures” means those measures aimed at protecting
   Personal Data against accidental or unlawful destruction or accidental loss, alteration,
   unauthorised disclosure or access, in particular where the processing involves the
   transmission of data over a network, and against all other unlawful forms of processing.
2. BACKGROUND AND PURPOSE
   2.1 For the purpose of provision of the Services under the Principal Agreement, the Company will
   process the Client’s Personal Data. To the extent that such information includes Personal Data
   in respect to which the Client is the Controller, by this Addendum, the Client appoints the
   Company as Processor of such Personal Data, subject to the terms and conditions set forth in
   this Addendum.
3. PROCESSING OF PERSONAL DATA
   3.1 The categories of Data Subjects and the types of Personal Data processed for the purpose of
   providing Services are stipulated in Appendix 1 to this Addendum.
   3.2 The Company agrees to Process Personal Data in accordance with the documented instructions
   of the Client issued from time to time (including with regard to transfers of Personal Data to a
   third country or an international organisation), unless required to deviate from such instructions
   in order to comply with Data Protection Laws to which the Company is subject (in such case,
   the Company shall inform the Client of such requirement before processing Personal Data,
   unless the Data Protection Laws prohibit such notification).
   3.3 The Company shall notify the Client if it considers that an instruction from the Client under
   Section 3.2 is in breach of the Data Protection Laws, and the Company shall be entitled, but not
   obliged to suspend execution of the relevant instruction until the Client confirms such instruction
   in writing.
   3.4 The Client shall be responsible for requests made by Data Subjects seeking to exercise their
   rights under the Data Protection Laws and shall handle them in accordance with the Data
   Protection Laws. The Client shall immediately notify the Company of such request if complying
   with it requires action from the Company. Accordingly, the Company shall immediately notify
   the Client if it receives such request from a Data Subject under the Data Protection Laws, and
   shall, at the Client’s request and cost, assist the Client, insofar as this is possible, by providing
   such information to the Client as the Client may reasonably require, and within the time period
   reasonably specified by the Client in complying with the rights and rightful requests of the Data
   Subjects, or with notices served by the relevant supervisory authority or any other law
   enforcement or regulatory authority.
   3.5 Taking into account the nature of the Processing, the Company shall implement and maintain
   appropriate Technical and organisational measures in order to ensure a level of security
   appropriate to the risk and protect the Personal Data, and at the Client’s request and cost, assist
   the Client in ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR,
   taking into account the nature of processing and the information available to the Company.
   3.6 The Company may transfer Personal Data to a country outside of the European Union or
   European Economic Area if:
   (a) the Personal Data is transferred to a country approved by the European Commission
   as providing an adequate level of protection for the Personal Data;
   (b) the transfer is made pursuant to Standard Contractual Clauses; or
   (c) other appropriate legal data transfer mechanisms are used.
   3.7 The Company shall inform the Client without undue delay if the Company becomes aware of
   any Personal Data Breach.
4. AUDIT RIGHTS
   4.1 The Client shall have the right, once in every twelve (12) months upon the provision of twelve
   (12) business days’ prior written notice to audit the Company’s operations relevant to the
   performance of this Addendum. If the date proposed by the Client is not suitable for the
   Company, the Client can appoint another date that cannot be later than five (5) business days
   from the original date. The Client is responsible for the costs of the audit. However, should the
   audit reveal any violation or breach of this Addendum by the Company or its Sub-processor, the
   Company shall compensate the Client for the costs arising from the audit and remedy the
   breach.
   4.2 The audit must be performed on a business day during the working hours of the Company and
   it must not unreasonably disturb the Company’s course of business or jeopardise the
   confidentiality of any third party’s information in the Company’s possession. The Company
   undertakes to cooperate in good faith with the Client and provide the Client with such information
   relating to this Addendum that the Client may reasonably request in order to demonstrate that
   it has acted in compliance with the Data Protection Laws.
5. USE OF SUBCONTRACTORS
   5.1 If the Company uses subcontractors for the provision of the Services and such subcontractor is
   provided by the Company with Personal Data in respect to which the Client is Data Controller
   (hereinafter the “Sub-processor”), the Company shall ensure that such Sub-processors comply
   with the terms of this Addendum, inter alia including the obligation to implement Technical and
   organisational measures in such a manner that the Processing will meet the requirements of
   the Data Protection Laws.
   5.2 The Client hereby authorises the Company to appoint sub-processors in accordance with this
   Section 5. The Company shall ensure that Sub-processors are bound by written agreements
   that require them to provide at least the level of data protection required from the Company by
   this Addendum. The Company shall inform the Client of any intended changes concerning the
   addition or replacement of Sub-processors, thereby giving the Client the opportunity to object
   to such changes. If, within 7 (seven) days of receipt of the notice, the Client notifies Company
   in writing (the notice must be reasoned) of any objections to the proposed appointment, the
   Company shall not appoint that proposed Sub-processor until reasonable steps have been
   taken to address the objections raised by the Client and the Client has been informed about
   taken steps. If the Client and the Company are not able to resolve appointment of a sub processor within a reasonable period, the Company shall have the right to terminate the
   Addendum and the Principal Agreement without prior notice.
6. CONFIDENTIALITY
   6.1 The Company undertakes that all its personnel processing Personal Data are bound by the duty
   of confidentiality.
   6.2 If the Company engages a Sub-processor to perform its engagement, it shall ensure that the
   Sub-processor and its personnel are bound by the duty of confidentiality.
7. TERM AND TERMINATION
   7.1 This Addendum shall apply during such time period as the Company Processes Personal Data
   on behalf of the Client. The termination of Personal Data Processing takes place on the first of
   the following events taking place:
   (a) the Client requests the Company to delete or return the Personal Data and stop
   Processing thereof;
   (b) the Company’s obligation to provide Services to the Client ceases permanently due to
   termination or expiration of the Principal Agreement;
   7.2 Upon termination of the Personal Data Processing, the Personal Data shall, at the Client’s
   discretion, either be returned to the Client, to the extent possible, or be deleted unless any
   applicable law (including EU law or national law) to which the Company is subject requires
   retention of the Personal Data.
   7.3 Obligations which by their nature (e.g. duty of confidentiality) should survive termination or
   expiration of the Addendum, shall so survive.
8. CLAIMS AND DAMAGES
   8.1 Each Party agrees to give written notice to the other Party, without undue delay, of any claim
   made against itself in connection with the processing of Personal Data under this Addendum.
   8.2 To the extent due to the Company’s or its Sub-processor’s fault, the Company shall be liable for
   damage caused to the Client as a consequence of Processing contrary to the provisions of this
   Addendum and in respect of which the Client has had to pay compensation to the Data Subject
   or pay administrate fines awarded by relevant authorities. Liability of the Company is limited
   pursuant to Section 10 of the Principal Agreement.
9. APPLICABLE LAW AND DISPUTES
   9.1 The governing law and dispute resolution are regulated in the Principal Agreement.
10. MISCELLANEOUS
    10.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this
    Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either
    (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’
    intentions as closely as possible or – should this not be possible – (ii) construed in a manner as
    if the invalid or unenforceable part had never been contained therein. The foregoing shall also
    apply if this Addendum contains any omission.
    10.2 Any amendments to this Addendum shall be made in writing and be signed by duly authorised
    representatives of the Parties.
    10.3 In case of any conflict between the terms of this Addendum and the Principal Agreement, the
    provisions of this Addendum shall prevail.
    

---

Appendix 1

• CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
  • CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
    • Employees of the Client and other individuals who have been granted access to the Platform by the Client.
    • Data subjects who participate in the marketing campaigns organised by the Client using the Platform.
  • TYPES OF PERSONAL DATA
  • Name, surname, email, password
  • Any personal data collected and processed in connection with the Campaign organized by then Client. Depending on the Campaign, the types of personal data can be, but are not limited to the participant’s name, surname, email, phone number