10X the revenue

Terms of processing of personal data through the platform

1. Subject of the Terms

1.1. The Subject of these Terms is the processing of personal data through the PLATFORM, whereby the company Telum d.o.o., Sv. Vinka Paulskog 14a, 23000 Zadar, OIB: 69522639296 acts in the capacity of processor (hereinafter referred to as “Processor”), while the Client acts in the capacity of controller (hereinafter referred to as “Controller”) in the sense of the General Terms, as defined by the Applicable Law.

1.2. The provisions specified below, as well as the processing of personal data will be applied only in the event that the Processor processes Personal Data on behalf of the Controller, on the basis of the General Terms and the agreed terms of cooperation, i.e. throughout the duration of use of the PLATFORM.

2. Definitions

2.1. For the purpose of applying these Terms, the following terms have the following meaning:

2.1.1. “Processing System” implies notes on the data and selected options of the configuration of the PLATFORM, which are chosen by the Controller and are implemented in the user account on the PLATFORM. This term particularly encompasses the following items: (i) categories of Personal Data that are processed as part of the service of the PLATFORM, (ii) input channels of Personal Data, and (iii) other data on selected options and configuration of the PLATFORM. Records on the items listed above are stored within the user account on the PLATFORM and are accessible in an appropriate manner to the Controller and the Processor. The Processing System makes up an integral part of these Terms;

2.1.2. “Examinee” implies the User as defined by the General Terms, i.e. a natural person who visits the webpages of the Controller, and who is identified or identifiable;

2.1.3. “Personal Data” implies any data that refer to an individual who is identified or identifiable (Examinee). An individual who is identifiable is a person who can be identified directly or indirectly, particularly by means of an identifier such as a name, identification number, location data, online identifier, or by means of one or more factors that are characteristic for the physical, physiological, genetic, mental, economic, cultural, or social identity (in accordance with the definition in the Applicable Law) processed by the Processor on behalf of the Controller when enabling the services of the PLATFORM. The categories of Personal Data that are processed as part of the service of the PLATFORM will be defined as part of the Processing System;

2.1.4. “Processing” implies any procedure or a set of procedures that are conducted on personal data or sets of personal data, be it by using automated or non-automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in accordance with the Applicable Law. The Processing of Personal Data, on the basis of the General Terms and agreed terms of cooperation, is also listed as part of the Processing System;

2.1.5. “Personal Data Breach” includes any violation of security or privacy that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. For the avoidance of any doubt, the aforementioned includes any kind of violation caused by the employee or subcontractor of the Processor or any other person who acts on behalf of the Processor (e.g. consultants and the like);

2.1.6. “Third Country” is a country that is not a member of the European Union (EU) and/or the European Economic Area (EEA).

2.2. Other phrases, definitions and terms defined in the General Terms section are also appropriately applied in these Terms.

3. Purpose of Personal Data Processing

3.1. The purpose of Personal Data Processing that is the Subject of these Terms is the execution of service of the PLATFORM, i.e. enabling the use of service of the PLATFORM on part of the Controller for the purpose of marketing, communications, sales and internal statistics.

4. Responsibilities of the Controller

4.1. The Controller implements appropriate technical and organisational measures so as to ensure and be able to prove that the Processing is conducted in accordance with the Applicable Law.

4.2. The Controller has the option to connect to Facebook ads and Google Analytics accounts to enable cost import from Facebook ads campaigns to Google Analytics.

5. Responsibilities of the Processor

5.1. The Processor will process Personal Data exclusively in accordance with the General Terms, with these Terms, and in accordance with the needs and instructions of the Controller, which are substantially contained as part of the Processing System, unless particular Processing is required by the Applicable Law. In that case, the Processor will have informed the Controller of the aforementioned legal obligation prior to the Processing, unless this right prohibits such reporting due to important reasons of public interest.

5.2. The Processor will keep Personal Data confidential and ensure that the persons who are authorised to process Personal Data have committed themselves to confidentiality or are under appropriate legal obligation of confidentiality.

5.3. The Processor will undertake and implement all necessary measures in accordance with Article 6 of these Terms (Security of Processing).

5.4. The Processor will maintain records of Personal Data Processing in the sense of Article 30, Paragraph 2 of the GDPR.

5.5. The Processor will appoint a Data Protection Officer, provided that the presuppositions from Article 37 of the GDPR have been fulfilled.

5.6. While taking into account the nature of the Processing, the Processor will assist the Controller through appropriate technical and organisational measures, to the extent possible, so as to fulfil the obligation of the Controller in terms of responding to requests for the exercise of rights of the Examinee that are defined by the Applicable Law.

5.7. The Processor will assist the Controller in ensuring compliance with the obligations in accordance with the Applicable Law, while taking into account the nature of the Processing and the information available to the Processor.

5. Responsibility for the content

5.8. At the choice of the Controller, the Processor will delete or return all Personal Data to the Controller following the end of provision of service of the PLATFORM, and delete existing data unless there is an obligation of storing Personal Data, in accordance with the law of the Union or the law of the member country.

5.9. The Processor will make available to the Controller all information that are necessary to prove compliance with the obligations defined in this Article 5 of these Terms, and allow supervision by the Controller or another auditor authorised by the Controller. In this respect, the Processor will immediately inform the Controller if, in their opinion, a particular instruction infringes the Applicable Law or other relevant regulations of an EU member state on the protection of personal data.

5.10. The Processor will alter the provisions of the General Terms and/or these Terms which are required for compliance with the obligations in the Applicable Law.

5.12. The Processor will not use, share, or store any of the Facebook user data that becomes available while connecting to Facebook API. The Processor will just store the Access Token for the sole purpose of importing Facebook cost from Facebook ads campaigns to Google Analytics. The Processor will delete Access Token immediately after The Controller deletes the connection to Facebook ads from the PLATFORM interface.

6. Security of processing

6.1. While taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the Processing, as well as the risks of varying likelihood and severity posed to the rights and freedoms of natural persons, the Processor will have implemented appropriate technical and organisational measures prior to undertaking any kind of Processing, so as to ensure a level of security that is adequate to the risk, which includes, among other things, the following where necessary:

6.1.1. the pseudonymisation and encryption of Personal Data;

6.1.2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of the Processing System;

6.1.3. the ability to establish in a timely manner the availability and access to Personal Data in the event of a physical or technical incident;

6.1.4. a process for regular testing, assessment, and evaluation of effectiveness of technical and organisational measures for ensuring security of the Processing.

6.2. When assessing the appropriate level of security, particular account will be taken of the risks posed by the Processing, especially the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data that are transmitted, stored, or otherwise Processed.

6.3. The Controller and the Processor will take steps to ensure that any natural person, who acts on behalf of the Controller or the Processor and therefore has access to Personal Data, does not process the aforementioned data except in the manner defined by these Terms, the Applicable Law, and in accordance with the initial instructions and wishes of the Controller in terms of the configuration of the PLATFORM. An exception is made in the event that this person is obliged to do so according to the law of the European Union or the law of the EU member state.

6.4. The Processor will notify the Controller within 24 (twenty-four) hours should they learn of any kind of Personal Data Breach. Such notification is to be sent to the contact address of the Controller, which is used in standard communication for the purposes of the PLATFORM, concurrently with sending a copy to [email protected]. When and to the extent at which it is not possible to simultaneously provide all information on the Personal Data Breach, the remaining information can be delivered in phases, but without undue further delay.

7. Subcontractors of the Processor

7.1. By using the services of the PLATFORM, the Controller is aware of the fact that the Processor uses subcontractors for the purpose and functionality of the PLATFORM, and that there is a possibility that additional subcontractors would have to be employed or existing ones changed. The Controller consents to the employment of these subcontractors as sub-processors.

7.2. In order to ensure maintaining a high level of protection of personal data and security of the PLATFORM, the Processor will make the decision on the selection of individual sub-processors carefully and by applying a high standard of professional diligence. The Processor will not subcontract any Personal Data Processing without entering into a written agreement with the sub-processor, which will contain the obligations of protection of personal data as specified in these Terms.

7.3. If the Controller disagrees with the subcontracting of Processing on part of the Processor, the Controller can terminate any kind of cooperation with the Processor in relation to the services of the PLATFORM.

8. Supervision and audit

8.1. The Controller has the right to supervise, autonomously or by appointing an independent third person (who is not a competitor of the Processor, and upon acceptance by the Processor), whether the Processor adheres to the obligations specified in these Terms, and whether they act in accordance with initial requirements and instructions of the Controller. The Processor will cooperate with and assist the Controller or a third person performing the audit, insofar that they will provide the requested information, submit the requested documentation, and enable access to business premises, IT systems and other tools needed for effective supervision over the adherence to the provisions of these Terms.

8.2. The Processor will ensure that the Controller has equal rights in relation to all selected sub-processors. The Processor can offer alternative solutions for supervision, e.g. an audit conducted by an independent third person, which can or do not have to be accepted by the Controller.

8.3. The supervision specified in this Article must be announced to the Processor no later than 30 days prior to its exercise, and must be conducted on the basis of the framework plan, on which the Controller and the Processor will have agreed before the supervision is conducted. In the event that they fail to agree on the framework plan, the Controller has the right to define it autonomously.

8.4. The Processor will enable a supervisory authority, competent for data protection at the level of the Republic of Croatia or the EU, to conduct supervision in business premises of the Processor.

8.5. In the event that any authority, competent for data protection or another (supervisory) authority, initiates a review of Personal Data Processing on part of the Controller, or that an Examinee submits a complaint against the Controller, on the subject of Processing that is presumed to have been executed by the Processor, the Processor will assist the Controller by providing documentation and other information related to the Processing, so as to enable the Controller to satisfy the competent authorities in their supervision and to respond to any complaint.

9. Additional protective measures

9.1. Notification: The Processor will continuously and timely provide the Controller with all current information on Processing, which the Controller can reasonably request when required for the fulfilment of their obligations according to the Applicable Law.

9.2. Personal Data Breaches: Upon request of the Controller, the Processor will cooperate with the Controller and provide information on the nature, circumstances, and causes of Personal Data Breach. The Processor will undertake all actions required to prevent further losses or limit the repercussions of Personal Data Breach in another manner. The Processor will conduct professional forensic and security verification and audit in relation to Personal Data Breach. Personal Data Breach will be resolved in accordance with the Applicable Law and the instructions that may be given to the Processor by the Controller.

9.3. Obligation of cooperation to ensure the rights of the Examinee: Should the Controller request this, the Processor will do the following without any additional costs for the Controller or the Examinees:

9.3.1. immediately deliver to the Controller a copy of Personal Data in an intelligible form, and/or

9.3.2. in accordance with the decision of the Controller, enable them access to Personal Data at any moment, and/or

9.3.3. immediately modify, correct, block or delete Personal Data in a manner specified by the Applicable Law.

9.4. Management of requests and complaints of public entities: depending on what is permitted by the Applicable Law, in the event that the Processor receives a request or complaint of the Competent Authority concerning any type of Personal Data, they will inform the Controller of this without delay, with indication of the Competent Authority in question, the scope of the request, and the basis specified in the request or the complaint. In this respect, the Processor will refer without delay the request or complaint of the Competent Authority to the Controller so that the Controller could respond to the request or complaint of the Competent Authority following consultations with the Processor, unless otherwise specified by the Applicable Law or another law applicable to these Terms.

General terms and conditions Leadidol platform

1.Subject of the General Terms of Use

1.1.These General Terms and Conditions (hereinafter referred to as “General Terms”) define the terms and manner of use of the LEADIDOL PLATFORM (hereinafter referred to as “PLATFORM”) as services provided to the user by the company Telum d.o.o., Sv. Vinka Paulskog 14a, 23000 Zadar, OIB: 69522629296 (hereinafter referred to as “Telum”) on the basis of the Agreement concluded between the Client and the company Telum d.o.o., Sv. Vinka Paulskog 14a, 23000 Zadar, OIB: 69522639296.

1.2.These General Terms are binding for Telum and the Client, who accepts the General Terms with the aim of using the PLATFORM, by which they become an integral part of the Agreement between Telum and the Client.

2.Definitions

2.1.Client as a term primarily includes a legal or natural person who entered a contractual relationship with Telum with the aim of using the services of the PLATFORM. However, said term also includes any legal or natural person who uses the services of the PLATFORM directly or indirectly.

2.2.PLATFORM is defined as service as specified above, and represents a software solution that is used for the attribution of profit, generated through the webpage of the Client, defining the correct source of profit and, if necessary, additional input of campaign costs that are not standardly integrated with Google Analytics. If necessary, PLATFORM can be used as a simple CRM.

2.3.User as a term that stands for natural persons who visit Client’s webpages.

2.4.Terms is an act in the sense of Article 28, Paragraph 3 of the General Data Protection Regulation (GDPR), which substantially regulates the relationship between the Client as the Controller and Telum as the Processor with regards to the processing of personal data of the User through the platform – Terms of Processing of Personal Data through the PLATFORM.

2.5.Applicable Law refers to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and to the Act on the Implementation of the General Data Protection Regulation, Official Gazette of the Republic of Croatia (Narodne novine) no. 42/2018.

2.6.Ticketing System stands for the user interface on the PLATFORM that serves as a channel for receiving notifications of technical issues and errors on the PLATFORM, and through which Telum processes received notifications of technical issues and other enquiries.

3.Manner of use of the PLATFORM

3.1.PLATFORM is a software solution that is adaptable to the needs of individual Clients, i.e., the nature of the services they provide, in accordance with its purpose. Before the usage of the PLATFORM takes place, the PLATFORM is adapted to the specific type of services and the costs systematisation of the Client as the specific marketing, communications and sales methods required by the services of the Client.

3.2.For this purpose, the Client is obligated to provide Telum with detailed instructions, regarding at least the following items:

3.2.1.The data the Client requires to be collected through the PLATFORM (considering the functions of the PLATFORM, the mandatory personal data are the following: name, surname and e-mail address),

3.2.2.Services or products the Client wishes to input into the transactions on the PLATFORM,

3.2.3.The Google Analytics ID in which revenue and expense data should be entered.

3.3.Depending on the instructions of the Client, Telum will open a separate user account for the Client on the PLATFORM, and configure it in accordance with the needs of the Client. Afterwards, Telum will assist the Client with the subsequent adjustment of the user account on the PLATFORM and, if necessary, provide the Client with technical support.

3.4.Telum ensures that the instructions and clarifications for using the PLATFORM are found within the user account and that they are accessible to the Client at any time during the use of the PLATFORM.

3.5. The Client has the option to connect to Facebook ads and Google Analytics accounts to enable cost import from Facebook ads campaigns to Google Analytics.

4.Responsibility for the use of the PLATFORM

4.1.The Client is held responsible for the use of the PLATFORM in accordance with these General Terms and in the manner defined by the Terms, the Agreement and mutual understanding between Telum and the Client during the establishment of the user account of the Client. Thus, the Client will compensate Telum for any damage occurring from the use of the user account in a manner that is not in accordance with these General Terms, Terms and the Agreement.

4.2.The Client will be held responsible to Telum for any damage occurring in the event that the Client enters unauthorised data into the user account on the PLATFORM, as well as the processing of the personal data for which they do not have a legal basis in accordance with the Applicable Law. The Client is not authorised to collect other data through the PLATFORM, apart from the ones that are registered in the initial settings of the user account of the PLATFORM – or in the subsequent modifications of initial settings – as a required set of data for the purpose for which the Client uses the PLATFORM.

4.3.The Client is not authorised to modify in any way the basic settings of the PLATFORM so as to enter into it or use it for the processing of data for which the PLATFORM is not intended (e.g., storage of the IP address of the User). The Client will be held responsible to Telum for any damage occurring from such actions on part of the Client.

5.Responsibility for the content

5.1.Telum does not influence/intervene in any way the creation, filtering, acquiring and recording of the content advertised through the PLATFORM, and does not have supervision over the source of the stated content.

5.2.By using the PLATFORM, the Client accepts, acknowledges and is made aware that Telum does not and will not hold any responsibility for any content (in terms of texts, images, webpages, and similar content) which are advertised with the use of the PLATFORM, through the Clients or any other third party.

5.3.By using the PLATFORM, the Client accepts their sole responsibility for all content (in terms of texts, images, webpages, and similar content) on which the PLATFORM is being used.

5.4.In the event of becoming aware of any kind of content that could be contrary to the positive legal regulations of the Republic of Croatia and any other positive regulations for which the Client is held responsible and, furthermore, if such contents could represent a breach of agreement and of these General Terms, the Client will immediately and without delay inform Telum of this, in which case Telum is authorised to eliminate such content from the system of the PLATFORM without delay or approval of the Client or any other third party. If it is unclear whether any content is contrary to the positive legal regulations as specified in the above sentence, Telum is authorised to assess, single-handedly and in good faith, whether such content is contrary to the positive legal regulations or not, and to remove said content. The Client thereby renounces all claims towards Telum of contractual or non-contractual, civil law or criminal law nature.

5.5.Upon knowledge of advertising of any kind of content that would be contrary to the positive legal regulations of the Republic of Croatia and any other positive legal regulations for which the Client is held responsible, at which Telum arrived in a different manner than the one specified in Paragraph 5.4 of these General Terms, Telum is authorised to remove the contents in question from the system of the PLATFORM, single-handedly and without any further agreement or approval of the Client or any other third party. If it is unclear whether any content is contrary to the positive legal regulations as specified in the above sentence, Telum is authorised to assess, single-handedly and in good faith, whether such content is contrary to the positive legal regulations or not, and to remove said content. The Client thereby renounces all claims towards Telum of contractual or non-contractual, civil law or criminal law nature.

5.6.Telum is not held responsible to completely or partially compensate for any kind of damage that can occur to the Client, the User, or any other third party from, or in any way related to the use of the system of the PLATFORM by the Client, and for any kind of actions on part of the Client with the use or misuse of its content, as well as for any kind of damage that can occur to the Client, the User, or any other third party in relation to the use or misuse of the content found on the PLATFORM.

6.Technical support

6.1.Telum provides continuous technical support to the Client throughout the duration of use of the service of the PLATFORM via the Ticketing System and the email address [email protected].

6.2.Immediately upon receiving the notification of error in the operation of the PLATFORM, or any other enquiry received in relation to one of the two aforementioned channels, Telum will proceed to process the enquiry. Any error in the operation of the PLATFORM will be removed within 24 hours. If the error in the operation of the PLATFORM is of such nature that it cannot be removed within 24 hours from the receipt of the notification, Telum will inform the Client of this in an appropriate manner, and communicate the causes and further steps.

7.Protection of personal data

7.1.Since the PLATFORM serves to process a set of personal data of the User adapted to the needs of the Client, the PLATFORM is adapted to the system of protection of personal data as prescribed by the Applicable Law.

7.2.Since Telum is the Processor and the Client is the Controller for the purpose of execution of service of the PLATFORM, the Terms are to be found in Addendum 1 of these General Terms. The Terms especially regulate, among other things, the subject and duration of processing, the nature and purpose of processing, the type of personal data and the category of the Data subject, and the obligations and rights of the Controller.

7.3.In accordance with the Applicable Law, Telum will only be held responsible for the damage that occurs to the Client, the User, or any other third party due to violation of Terms and these General Terms on part of Telum.

7.4.Since the Client collects personal data of the User through the Telum PLATFORM, the Client is obliged to inform the Users in an appropriate way of the personal data which are collected in this manner, pursuant to Article 13 and 14 of the General Data Protection Regulation. Telum will in no way be held responsible or liable to compensate the damage that occurs to the Client, the User, or any other third party should the Client fail to provide the User with an appropriate notification of the data processed through the PLATFORM, in accordance with the Applicable Law.

8.Final provisions

8.1.These General Terms and Terms will be made available to the Clients upon contracting the service of the PLATFORM, be it through an online channel or in some other manner.

8.2.These General Terms enter into force on 1 January 2022, the day of their publication.

8.3.All amendments and supplements to these General Terms and Terms will be made available in an equal manner to the Clients, who will be appropriately informed of the nature of the amendment. All amendments and supplements of these General Terms and Terms will be applied to the Clients in an equal and appropriate manner.

8.4.In the event that certain provisions of these General Terms and Terms are recognised as legally invalid and ineffective, the obligations defined by these General Terms and Terms will continue to be executed in the remaining part, and the contracting parties will immediately proceed with the replacement of such provision with a legally valid provision.

 

Addendum 1
Terms of processing of personal data through the platform

1.Subject of the Terms

1.1.The Subject of these Terms is the processing of personal data through the PLATFORM, whereby the company Telum d.o.o., Sv. Vinka Paulskog 14a, 23000 Zadar, OIB: 69522639296 acts in the capacity of processor (hereinafter referred to as “Processor”), while the Client acts in the capacity of controller (hereinafter referred to as “Controller”) in the sense of the General Terms, as defined by the Applicable Law.

1.2.The provisions specified below, as well as the processing of personal data will be applied only in the event that the Processor processes Personal Data on behalf of the Controller, on the basis of the General Terms and the agreed terms of cooperation, i.e. throughout the duration of use of the PLATFORM.

2.Definitions

2.1.For the purpose of applying these Terms, the following terms have the following meaning:

2.1.1.“Processing System” implies notes on the data and selected options of the configuration of the PLATFORM, which are chosen by the Controller and are implemented in the user account on the PLATFORM. This term particularly encompasses the following items: (i) categories of Personal Data that are processed as part of the service of the PLATFORM, (ii) input channels of Personal Data, and (iii) other data on selected options and configuration of the PLATFORM. Records on the items listed above are stored within the user account on the PLATFORM and are accessible in an appropriate manner to the Controller and the Processor. The Processing System makes up an integral part of these Terms;

2.1.2.“Examinee” implies the User as defined by the General Terms, i.e. a natural person who visits the webpages of the Controller, and who is identified or identifiable;

2.1.3.“Personal Data” implies any data that refer to an individual who is identified or identifiable (Examinee). An individual who is identifiable is a person who can be identified directly or indirectly, particularly by means of an identifier such as a name, identification number, location data, online identifier, or by means of one or more factors that are characteristic for the physical, physiological, genetic, mental, economic, cultural, or social identity (in accordance with the definition in the Applicable Law) processed by the Processor on behalf of the Controller when enabling the services of the PLATFORM. The categories of Personal Data that are processed as part of the service of the PLATFORM will be defined as part of the Processing System;

2.1.4.“Processing” implies any procedure or a set of procedures that are conducted on personal data or sets of personal data, be it by using automated or non-automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in accordance with the Applicable Law. The Processing of Personal Data, on the basis of the General Terms and agreed terms of cooperation, is also listed as part of the Processing System;

2.1.5.“Personal Data Breach” includes any violation of security or privacy that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. For the avoidance of any doubt, the aforementioned includes any kind of

2.1.6.“Third Country” is a country that is not a member of the European Union (EU) and/or the European Economic Area (EEA).

2.2.Other phrases, definitions and terms defined in the General Terms section are also appropriately applied in these Terms.

3.Purpose of Personal Data Processing

3.1.The purpose of Personal Data Processing that is the Subject of these Terms is the execution of service of the PLATFORM, i.e. enabling the use of service of the PLATFORM on part of the Controller for the purpose of marketing, communications, sales and internal statistics.

4.Responsibilities of the Controller

4.1.The Controller implements appropriate technical and organisational measures so as to ensure and be able to prove that the Processing is conducted in accordance with the Applicable Law.

4.2. The Controller has the option to connect to Facebook ads and Google Analytics accounts to enable cost import from Facebook ads campaigns to Google Analytics.

5.Responsibilities of the Processor

5.1.The Processor will process Personal Data exclusively in accordance with the General Terms, with these Terms, and in accordance with the needs and instructions of the Controller, which are substantially contained as part of the Processing System, unless particular Processing is required by the Applicable Law. In that case, the Processor will have informed the Controller of the aforementioned legal obligation prior to the Processing, unless this right prohibits such reporting due to important reasons of public interest.

5.2.The Processor will keep Personal Data confidential and ensure that the persons who are authorised to process Personal Data have committed themselves to confidentiality or are under appropriate legal obligation of confidentiality.

5.3.The Processor will undertake and implement all necessary measures in accordance with Article 6 of these Terms (Security of Processing).

5.4.The Processor will maintain records of Personal Data Processing in the sense of Article 30, Paragraph 2 of the GDPR.

5.5.The Processor will appoint a Data Protection Officer, provided that the presuppositions from Article 37 of the GDPR have been fulfilled.

5.6.While taking into account the nature of the Processing, the Processor will assist the Controller through appropriate technical and organisational measures, to the extent possible, so as to fulfil the obligation of the Controller in terms of responding to requests for the exercise of rights of the Examinee that are defined by the Applicable Law.

5.7.The Processor will assist the Controller in ensuring compliance with the obligations in accordance with the Applicable Law, while taking into account the nature of the Processing and the information available to the Processor.

5.8.At the choice of the Controller, the Processor will delete or return all Personal Data to the Controller following the end of provision of service of the PLATFORM, and delete existing data unless there is an obligation of storing Personal Data, in accordance with the law of the Union or the law of the member country.

5.9.The Processor will make available to the Controller all information that are necessary to prove compliance with the obligations defined in this Article 5 of these Terms, and allow supervision by the Controller or another auditor authorised by the Controller. In this respect, the Processor will immediately inform the Controller if, in their opinion, a particular instruction infringes the Applicable Law or other relevant regulations of an EU member state on the protection of personal data.

5.10.The Processor will alter the provisions of the General Terms and/or these Terms which are required for compliance with the obligations in the Applicable Law.

5.11. The Processor will not share any of the Google user data that becomes available while connecting to Google API. The Processor will use and store email, name and surname while connecting to Google API for the purpose of creating LeadIdol user account. The Processor will store the access_token, id_token, refresh_token, token_type and expires_at for the sole purpose of importing Facebook cost from Facebook ads campaigns to Google Analytics. The Processor will delete access_token, id_token, refresh_token, token_type and expires_at immediately after The Controller deletes the connection to Google Analytics from the PLATFORM interface.

5.12. The Processor will not use, share, or store any of the Facebook user data that becomes available while connecting to Facebook API. The Processor will just store the Access Token for the sole purpose of importing Facebook cost from Facebook ads campaigns to Google Analytics. The Processor will delete Access Token immediately after The Controller deletes the connection to Facebook ads from the PLATFORM interface.

6.Security of processing

6.1.While taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the Processing, as well as the risks of varying likelihood and severity posed to the rights and freedoms of natural persons, the Processor will have implemented appropriate technical and organisational measures prior to undertaking any kind of Processing, so as to ensure a level of security that is adequate to the risk, which includes, among other things, the following where necessary:

6.1.1.the pseudonymisation and encryption of Personal Data;

6.1.2.the ability to ensure ongoing confidentiality, integrity, availability and resilience of the Processing System;

6.1.3.the ability to establish in a timely manner the availability and access to Personal Data in the event of a physical or technical incident;

6.1.4.a process for regular testing, assessment, and evaluation of effectiveness of technical and organisational measures for ensuring security of the Processing.

6.2.When assessing the appropriate level of security, particular account will be taken of the risks posed by the Processing, especially the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data that are transmitted, stored, or otherwise Processed.

6.3.The Controller and the Processor will take steps to ensure that any natural person, who acts on behalf of the Controller or the Processor and therefore has access to Personal Data, does not process the aforementioned data except in the manner defined by these Terms, the Applicable Law, and in accordance with the initial instructions and wishes of the Controller in terms of the configuration of the PLATFORM. An exception is made in the event that this person is obliged to do so according to the law of the European Union or the law of the EU member state.

6.4.The Processor will notify the Controller within 24 (twenty-four) hours should they learn of any kind of Personal Data Breach. Such notification is to be sent to the contact address of the Controller, which is used in standard communication for the purposes of the PLATFORM, concurrently with sending a copy to [email protected]. When and to the extent at which it is not possible to simultaneously provide all information on the Personal Data Breach, the remaining information can be delivered in phases, but without undue further delay.

7.Subcontractors of the Processor

7.1.By using the services of the PLATFORM, the Controller is aware of the fact that the Processor uses subcontractors for the purpose and functionality of the PLATFORM, and that there is a possibility that additional subcontractors would have to be employed or existing ones changed. The Controller consents to the employment of these subcontractors as sub-processors.

7.2.In order to ensure maintaining a high level of protection of personal data and security of the PLATFORM, the Processor will make the decision on the selection of individual sub-processors carefully and by applying a high standard of professional diligence. The Processor will not subcontract any Personal Data Processing without entering into a written agreement with the sub-processor, which will contain the obligations of protection of personal data as specified in these Terms.

7.3.If the Controller disagrees with the subcontracting of Processing on part of the Processor, the Controller can terminate any kind of cooperation with the Processor in relation to the services of the PLATFORM.

8.Supervision and audit

8.1.The Controller has the right to supervise, autonomously or by appointing an independent third person (who is not a competitor of the Processor, and upon acceptance by the Processor), whether the Processor adheres to the obligations specified in these Terms, and whether they act in accordance with initial requirements and instructions of the Controller. The Processor will cooperate with and assist the Controller or a third person performing the audit, insofar that they will provide the requested information, submit the requested documentation, and enable access to business premises, IT systems and other tools needed for effective supervision over the adherence to the provisions of these Terms.

8.2.The Processor will ensure that the Controller has equal rights in relation to all selected sub-processors. The Processor can offer alternative solutions for supervision, e.g. an audit conducted by an independent third person, which can or do not have to be accepted by the Controller.

8.3.The supervision specified in this Article must be announced to the Processor no later than 30 days prior to its exercise, and must be conducted on the basis of the framework plan, on which the Controller and the Processor will have agreed before the supervision is conducted. In the event that they fail to agree on the framework plan, the Controller has the right to define it autonomously.

8.4.The Processor will enable a supervisory authority, competent for data protection at the level of the Republic of Croatia or the EU, to conduct supervision in business premises of the Processor.

8.5.In the event that any authority, competent for data protection or another (supervisory) authority, initiates a review of Personal Data Processing on part of the Controller, or that an Examinee submits a complaint against the Controller, on the subject of Processing that is presumed to have been executed by the Processor, the Processor will assist the Controller by providing documentation and other information related to the Processing, so as to enable the Controller to satisfy the competent authorities in their supervision and to respond to any complaint.

9.Additional protective measures

9.1.Notification: The Processor will continuously and timely provide the Controller with all current information on Processing, which the Controller can reasonably request when required for the fulfilment of their obligations according to the Applicable Law.

9.2.Personal Data Breaches: Upon request of the Controller, the Processor will cooperate with the Controller and provide information on the nature, circumstances, and causes of Personal Data Breach. The Processor will undertake all actions required to prevent further losses or limit the repercussions of Personal Data Breach in another manner. The Processor will conduct professional forensic and security verification and audit in relation to Personal Data Breach. Personal Data Breach will be resolved in accordance with the Applicable Law and the instructions that may be given to the Processor by the Controller.

9.3.Obligation of cooperation to ensure the rights of the Examinee: Should the Controller request this, the Processor will do the following without any additional costs for the Controller or the Examinees:

9.3.1.immediately deliver to the Controller a copy of Personal Data in an intelligible form, and/or

9.3.2.in accordance with the decision of the Controller, enable them access to Personal Data at any moment, and/or

9.3.3.immediately modify, correct, block or delete Personal Data in a manner specified by the Applicable Law.

9.4.Management of requests and complaints of public entities: odepending on what is permitted by the Applicable Law, in the event that the Processor receives a request or complaint of the Competent Authority concerning any type of Personal Data, they will inform the Controller of this without delay, with indication of the Competent Authority in question, the scope of the request, and the basis specified in the request or the complaint. In this respect, the Processor will refer without delay the request or complaint of the Competent Authority to the Controller so that the Controller could respond to the request or complaint of the Competent Authority following consultations with the Processor, unless otherwise specified by the Applicable Law or another law applicable to these Terms.