Data Processing Agreement


Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”), the advertiser indicated in the IO (hereinafter, the “Client”)



  1) the Client and Tangoo S.r.l., with registered office in Milan, via Lentasio 9, 20122, VAT number 02143630685 (hereinafter, the “Company”) have entered into a contract, concerning digital advertising services, better described in the IO and the related GC, of which this document is an integral and substantial part (hereinafter referred to as the “Contract”); 2) the Client acts as Data Controller with reference to the personal data processed in order to implement the Contract and indicated more precisely in Annex 1 (hereinafter the "Personal Data"); 3) Pursuant to Article 28 of the Regulation, the Data Processor is optionally designated by the Data Controller and, if appointed, is identified among subjects who, due to experience, capacity and reliability, provide the appropriate guarantee of full compliance with the applicable provisions on processing, including security; 4) The tasks entrusted to the Data Processor must be specified in writing by the Data Controller, and the Data Processor must comply with the instructions given by the Data Controller, who, also through periodic checks, ensures that they are strictly observed; 5) The Client has found that – and the Company guarantees that – the Company, by virtue of its experience, capacity, and reliability, can provide sufficient guarantees regarding compliance with the applicable provisions on protection of personal data, including security, as required by the Applicable Law, as defined below; 6) It is the intention of the Client, as Data Controller, to appoint the Company, who accepts, as an external Data Processor.  

Given the above, the Client hereby



  The Company as the External Data Processor for the processing of Personal Data to be carried out according to the Contract and in the manner and within the limits specified below.   
  1. Definitions
In this letter of appointment (hereinafter, the "Appointment" or “DPA”) the terms whose first letter is written in capital letters have the same meaning as defined by the Applicable Law. The following words have the following meanings: "Applicable Law" the Regulation, as well as any other data protection legislation applicable in Italy, already in force or that will enter into force after this Appointment comes into force, including the provisions of the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued in implementation of the Regulation and/or any other data protection legislation applicable in Italy;  "Security Measures" are measures intended to protect personal data from accidental or illegal destruction or loss, alteration, disclosure or unauthorized access, as provided for in art. 32 of the Regulation; "Sub-supplier" (or “Sub-Processor”), natural or legal persons who carry out their business for the Company by dealing with Personal Data belonging to the Client.  
  1. Obligations of the Parties
2.1 Obligations of the Company 2.1.1 Processing purposes  The Company, as Data Processor, is committed to:   i. Processing the Personal Data for the exclusive purpose of executing the Contract, and within the limits of what it was established by it, while strictly adhering to the instructions given by the Client;   ii. Only processing the Personal Data that is strictly required for a correct and full implementation of the agreements referred to in the preliminary remarks above, or to fulfil legal obligations;   iii. Making sure that its employees and Sub-Processors have access and only process the Personal Data that is strictly required for a full and correct implementation of the agreements referred to in the preliminary remarks above, or to fulfil legal obligations;   iv. Processing the Personal Data in a lawful manner, according to fairness and in full compliance with the Applicable Law.   2.1.2 Security measures  The Company undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation.    Furthermore, based on new solutions provided by technical and technological progress and taking into account the nature of the data and the characteristics of the processing, the Company undertakes to implement Security Measures, in order to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.    2.1.3 Authorized persons The Company agrees to:   i. Instruct, according to article 29 of the Regulation, those responsible for processing operations (hereinafter “Authorized Persons”), choosing among its employees who, by experience, capacity, and training, can ensure compliance with Applicable Law;   ii. Give to the Authorized Persons detailed operational instructions in writing regarding the methods for carrying out the processing entrusted to them as well as to strictly monitor the exact fulfilment of the instructions received;   iii. Implement physical, technical and organizational measures to ensure that each Authorized Person may have access only to Personal Data that may be processed based on his/her authorization profile;   iv. Draft and update a list of Authorized Persons, annually checking the scope of processing allowed for each of them.   2.1.4 Rights of the data subjects  The Company must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify the Client of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.   The Company undertakes to cooperate with the Client to ensure that the requests for exercising the rights abovementioned, including requests for objection to processing, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law.    2.1.5 Data communication  The Company cannot exercise independent control of the Personal Data, and refrains from disclosing or communicating the Personal Data to third parties, unless expressly authorized by the Contract, or by the Client in writing, and in any case in compliance with the provisions of the privacy policy provided to the Data Subject and with the consents, if expressed, in relation to the different purposes of processing.  In the event the means of processing shall require a transfer of Personal Data outside the territory of the European Economic Area (EEA), the Client undertakes to ensure that such transfer takes place in accordance with the safeguards set out in Chapter V of the Regulations when providing the Company with its instructions.   2.1.6 Sub-Processors If the Company intends to entrust one or more Sub-Processors in whole or in part with the execution of the Contract, it must inform the Client if its Sub-supplier will process Personal Data of which the latter is the Controller. In this case, the Client may directly appoint the authorized Sub-Processor as its own external Data Processor. Alternatively, with this Act, the Client authorizes the Company from now on, with a general authorization, to appoint one or more sub-suppliers with a DPA substantially equivalent to this Act, pursuant to art. 28. 2 of the Regulation. To obtain the complete list of the Sub-Processors referred to in this paragraph, the Client may request the Company an extract from its Register as a Data Processor and/or related attached documents.   In this regard, the Client recognizes and accepts that the ADV Services, as defined in the Contract, are to be consider other Processors of the Client and not Sub-Processors.    2.2 Obligations of the Controller 2.2.1 The Controller declares and guarantees that any form of collection of personal data processed under this DPA: a) follows the submission of a clear and complete privacy policy, simple to understand but at the same time compliant with Applicable Law, and that:   i. it is easily understandable by the data subjects;   ii. identifies the methods for collecting and processing the personal data obtained; b) offers to the data subjects the opportunity to remain excluded from such collection and use of such personal data, in accordance with the Applicable Law; c) provides, where necessary, for the obtaining of all the consents of the data subjects, to which the personal data refer, as required by the Applicable Law.   2.2.2 Considering the previous article 2.2.1, in particular the Data Controller warrants and expressly declares that: (a) those affected by the processing have given/will give consent to the Client, where applicable, to the processing of their data through a free, specific, informed and unambiguous manifestation of will, for each purpose referred to in the processing under this DPA;  (b) The data shall be collected in each case pursuant to an appropriate legal basis, as well as in accordance with fairness and lawfulness and for purposes corresponding to those for which they are processed under this DPA.   
  1. Audit
The Company acknowledges that, in compliance with art. 28 of the Regulations, the Client may periodically assess the activities carried out, in order to verify compliance with the organizational, technical and security measures prescribed by the Applicable Law or issued by the Client as Controller.    The Client will also have the right to access offices, computers and other IT systems / documents of the Company and its Sub-Processors, where this is deemed necessary to verify that the Company or its Sub-Processor acts in compliance with the obligations agreed in virtue of this DPA.    In the event of access to the Company's or Sub-Processor's premises by the Client, it will be required to give the Company written notice of at least 7 working days. The Client expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.   Nothing contained in this DPA presupposes Company's consent to disclosure to the Client, as well as Client's access to:  (i) internal accounting or financial data of the Company;  (ii) Company's trade secrets;  (iii) information which, on the basis of reasonable objections raised by the Company, could: (A) compromise the security of the Company's systems or offices; or (B) entail the violation of the obligations of the Company as per the Applicable Law or of its obligations regarding security and / or confidentiality towards the Client or third parties; or  (iv) information to which the Client (or any external auditors appointed by the latter) seek to access for reasons beyond the duty of good faith in fulfilling the obligations of the Client as set out in the Applicable Law.  
  1. Statements and guarantees of the Company 
The Company states and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and to have the required experience, skills and professionalism to perform this function.   The Company declares that it has not identified the figure of the Data Protection Officer (DPO or DPO), as it is not subject to the obligation of designation provided for in Article 37 of the Regulation.  
  1. Fee 
Without prejudice to what was established in the Contract, the Company will carry out its function as Data Processor without payment, unless otherwise agreed with the Client.  
  1. Duration
This Appointment takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.   If the Contract is terminated for whatever reason, the Company will return the Personal Data in its possession to the Client and will delete any copies thereof. Upon the Client's request and at its full discretion, the Company must alternatively delete the Personal Data in its possession, giving written confirmation to the Client without delay, unless the retention of data is required by law.  
  1. Applicable law and jurisdiction
Any interpretation of this Act is subject to the Italian law (including the Regulation) and the Parties, by mutual agreement, consider the Court of Milan to be competent for any dispute.   By signing the IO, the Client accept and signs the present DPA where required by the Services supplied by the Company, as provided for in the GC.    


Description of the processing

Data Subjects The personal data processed concern the following categories of data subjects:
  • Client and Prospect of the Controller
  Data categories The personal data processed concern the following data categories:
  • Browsing data
  • Other Data whose processing is required by the ADV Services selected via the IO
  Special categories of data (if applicable) The personal data processed concern the following special data categories There is no processing of special categories of data.   Processing operations The personal data processed fall under the following basic processing activities:
  • Purpose of the processing: The purpose of the processing is the execution of the digital advertising Contract between the Parties.
  • Nature of the processing: The nature of the processing is mandatory for the execution of the Contract.