Dataguidelines

Guidelines for collection and processing of personal data

Preamble
These Guidelines set out the rights and obligations of JP/Politikens Hus ("JPPOL") and the advertisers and the media agencies ("Purchaser") when processing personal data in connection with the placement of Advertisement on digital services and platforms owned by JPPOL. These Guidelines apply to all activities relating to the placement of Advertisement by the Purchaser on JPPOL's digital services and platforms.

These Guidelines have been designed to set out the parties' respective responsibilities and ensure compliance with their obligations under the GDPR when the parties jointly determine the purposes and the means of processing of personal data in connection with the Purchaser's placement of Advertisement on JPPOL's digital services and platforms.

When the Purchaser purchases Advertisement space from JPPOL, the Purchaser is responsible for complying with its obligations under these Guidelines. The Purchaser must inter alia ensure that its subsidiaries and customers comply with these Guidelines. Any use of third-party technology by the Purchaser must also comply with these Guidelines.

These Guidelines shall take priority over any similar provisions contained in other agreements between the parties.

Definitions
"Advert" or "Advertisement" means a commercial message for publication and dissemination through digital channels.

"JPPOL-user" means a user of any digital service provided by JPPOL.

"JPPOL-data" means all data elements or data segments controlled or delivered by JPPOL (also known as first-party data), i.e. via the data platform 'Relevance'.

"JPPOL-sites" are all news sites and apps wholly or partly owned by JPPOL, including, but not limited to, ekstrabladet.dk, politiken.dk, jyllandsposten.dk, finans.dk.

"personal data" and "data controller" shall have the same meaning as defined in Articles 4(1) and 4(8) GDPR.

Joint Controllership
Pursuant to Article 26 GDPR, where two or more controllers jointly determine the purposes and means of processing of personal data, they shall be joint controllers.

Where two or more parties are joint controllers, they shall in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 GDPR, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.

The arrangement referred to in Article 26(1) GDPR shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

Irrespective of the terms of the arrangement referred to in Article 26(1) GDPR, the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers.

The allocation of responsibilities between the parties does not prejudice the supervisory authority's competence to carry out its tasks and powers independently in relation to each party.

Whereas JPPOL allows the Purchaser to collect and process personal data of JPPOL-users via first- or third-party technology on JPPOL-sites, JPPOL exerts a decisive influence over the collection and transmission of the personal data of JPPOL-users to the Purchaser, and thereby jointly with the Purchaser determines the means and purposes of the processing. Therefore, the parties agree that they are joint controllers in relation to the Purchaser's collection and transmission of personal data of JPPOL-users on JPPOL-sites. As for the means and purposes of the subsequent processing, they are determined solely by the Purchaser.

These Guidelines are drafted to determine the parties' respective rights and obligations pursuant to Article 26 GDPR.

Allocation of Responsibilities
When JPPOL sells Advertisement space on JPPOL-sites, JPPOL allows for the Purchaser to collect and process personal data of JPPOL-users. This is made possible by JPPOL's embedding of the Purchaser's first- or third-party technology on JPPOL-sites, thereby making it possible for the Purchaser to place Adverts on JPPOL-sites, which allows for the Purchaser to collect personal data of JPPOL-users.

When placing Adverts on JPPOL-sites, the Purchaser makes use of first- or third-party technologies to collect and process personal data for the purpose of delivering personalised Adverts and measurement of such Adverts' efficiency. The Purchaser may also process the personal data in order to create profiles of JPPOL-users. It is solely the Purchaser which determines the means and purpose(s) of the personal data processing after transmission of personal data to the Purchaser.

JPPOL is responsible for ensuring that the processing of personal data of JPPOL-users has a valid legal basis and that JPPOL-users receive information about the processing activity.

The Purchaser is responsible for ensuring that the additional elements of the processing of personal data occur in compliance with the GDPR and the Danish Data Protection Act, including that the general principles in Article 5 GDPR as well as the remaining rights of the data subjects pursuant to Chapter III GDPR are complied with.

Principles and Lawfulness of Processing
JPPOL is responsible for establishing a valid legal basis for the parties' processing of personal data and being able to demonstrate this before the supervisory authority. This applies to both the collection and processing which takes place on JPPOL-sites, where the Purchaser in connection with the placement of Adverts - either by first- or third-party technologies - obtains and processes personal data as well as the Purchaser's subsequent processing.

To comply with its obligation pursuant to Clause 5.1, JPPOL has implemented a Consent Management Platform ("CMP"), which adheres to IAB's Transparency and Consent Framework ("IAB TCF") policies, by which JPPOL can obtain consent from JPPOL-users and propagate this consent to the Purchaser.

The Purchaser is obligated to the widest extent to make use of first- or third-party technologies which adhere to IAB's TCF policies and are able to receive and read the consent information generated by JPPOL's CMP ("consent string"). By default, consent is required for the processing of personal data for all purposes. However, processing may also be based on the legitimate interests for purposes that do not involve profiling and delivery of personalised Adverts to users. The users' consent shall be respected; processing of personal data of JPPOL-users may not occur without a legal basis.

Upon request, the Purchaser shall inform JPPOL of all purposes for which personal data is processed along with all the technologies used for the processing by the Purchaser. This allows JPPOL to establish the necessary legal basis for processing.

The parties are each responsible for complying with the general principles relating to processing of personal data in Article 5 GDPR in relation to the parties' individual areas of responsibility under these Guidelines.

In connection with the placement of Advertisement on JPPOL-sites, the Purchaser may solely process personal data for the following purposes, which follow IAB's TCF, and on the basis of the relevant legal basis in connection with the technical delivery, personalisation, and measurement of Adverts. If the Purchaser makes use of a legal basis other than consent, the Purchaser must account for such use pursuant to Clause 5.7. IAB's TCF policies and purposes can be found here: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/

| Purpose | Purposes under IAB's TCF | Legal basis | Alternative legal basis |
|---|---|---|---|
| 1 | Store and/or access information on a device | Consent | |
| 2 | Select basic ads | Consent | Legitimate interests |
| 3 | Create a personalised ads profile | Consent | |
| 4 | Select personalised ads | Consent | |
| 5 | Create a personalised content profile | Prohibited | Prohibited |
| 6 | Select personalised content | Prohibited | Prohibited |
| 7 | Measure ad performance | Consent | Legitimate interests |
| 8 | Measure content performance | Consent | Legitimate interests |
| 9 | Apply market research to generate audience insights | Consent | Legitimate interests |
| 10 | Develop and improve products | Consent | Legitimate interests |
| Special purpose | Special purposes | | |
| 1 | Ensure security, prevent fraud, and debug | Legitimate interests | |
| 2 | Technically deliver ads or content | Legitimate interests | |
| Feature | Features | | |
| 1 | Match and combine offline data sources | Information to the data subject – depends on other purpose(s) | |
| 2 | Link different devices | Information to the data subject – depends on other purpose(s) | |
| 3 | Receive and use automatically sent device characteristics for identification | Information to the data subject – depends on legal basis for special feature #2 | |
| Special feature | Special features | | |
| 1 | Use precise geolocation data | Consent | |
| 2 | Actively scan device characteristics for identification | Consent | |

If the Purchaser processes personal data on the basis of legitimate interests, the Purchaser is obligated to perform an assessment of these legitimate interests prior to the processing for the selected purpose(s) pursuant to Article 6(1)(f) GDPR. The Purchaser shall provide its assessment to JPPOL upon request.

Notwithstanding the purposes listed in Clause 5.6, the Purchaser may not collect personal data, including, but not limited to, cookie IDs, in relation to the placement of Advertisement on JPPOL-sites, which are enriched with JPPOL-data. As such, JPPOL-data may not be copied to the Media Agency's own systems, nor may any attempt be made to use it on sites other than JPPOL-sites. This limitation applies regardless of purchase method and channel.

Notwithstanding the purposes listed in Clause 5.6, the Purchaser may not process special categories of personal data as specified in Article 9(1) GDPR.

Rights of the Data Subject
The parties are each responsible for complying with the data subjects' rights pursuant to Articles 13-22 GDPR.

Taking into account the nature of the processing for which JPPOL is a joint controller, whereas JPPOL does not have access to the personal data processed by the Purchaser after its transmission to the Purchaser, JPPOL is solely responsible for complying with the obligation to provide the data subjects with the information referred to in Articles 13-14 GDPR.

The Purchaser shall provide JPPOL with all information relating to its processing of personal data necessary for JPPOL to comply with its obligation pursuant to Clause 6.2.

The Purchaser is responsible for complying with the remaining rights of the data subject pursuant to Articles 15-22 GDPR.

If either party receives a request or enquiry from a data subject relating to one or more matters falling within the other party's area of responsibility pursuant to Clauses 6.2 and 6.3, both parties are obligated to remit this request or enquiry to the other party as soon as possible, and no later than 72 hours after having received the request or enquiry.

The parties are responsible for assisting each other insofar as this is relevant and necessary for each party to comply with its obligations towards the data subjects.

Security of Processing and Documentation of Compliance with GDPR
Each party is responsible for ensuring that the processing of personal data under each party's area of responsibility takes place in compliance with the GDPR (see Article 24 GDPR), the Danish Data Protection Act, and these Guidelines. The parties must be able to demonstrate compliance with this Clause.

Each party is responsible for ensuring that the processing takes place in compliance with the principles of data protection by design and default pursuant to Article 25 GDPR.

Each party is responsible for ensuring compliance with Article 32 GDPR on security of processing. This entails that the parties, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Each party shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing under each party's area of responsibility and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

  • Pseudonymisation and encryption of personal data;
  • The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Having regard to the processing activity, the parties shall implement appropriate data protection policies, if such policies are reasonable.

Use of Sub-processors and further Sub-processors
Each party is entitled to engage another processor (a sub-processor) in relation to the joint processing activity.

Each party shall meet the requirements in Article 28 GDPR when engaging a sub-processor. The parties are therefore inter alia obligated to:

  • Only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;
  • Ensure that processing by a processor is governed by a valid contract;
  • Ensure that processing by a sub-processor is governed by a valid contract.

Each party shall upon request notify the other party if the party has engaged a processor (or sub-processors) for carrying out processing of personal data.

If a party has engaged a processor (and further sub-processors), the party shall upon request send to the other party a copy of the contract between the party and the processor along with any amendments. Commercial provisions unrelated to the processing of personal data shall not be sent to the other party.

Records of Processing Activities
Each party is responsible for ensuring compliance with Article 30 GDPR on records of processing activities. This entails that each party shall maintain a record of the processing activities which the parties are jointly responsible for.

The basis for these records of processing activities is the processing of personal data by the Purchaser in connection with Advertisement on JPPOL-sites, which is made possible by first- and third-party technologies implemented by the Purchaser in the Advertisements that allow for the collection and processing of personal data of JPPOL-users. This occurs either through the technical implementation of the Purchaser's first- or third-party technologies on JPPOL-sites or by JPPOL's delivery of Advertisement through JPPOL's own systems (adserver), where the Purchaser has implemented technologies that collect and process personal data on JPPOL-users.

Notification of Personal Data Breach
Each party is responsible for complying with Article 33 GDPR on notification of a personal data breach to the supervisory authority.

The parties agree that the party whose security measures have been affected by a personal data breach shall notify the supervisory authority of the breach.

The parties shall assist each other in notifying the supervisory authority of the personal data breach, including producing the information which - pursuant to Article 33(3) - shall be contained in a notification to the supervisory authority.

Communication of a Personal Data Breach to the Data Subject
The parties agree that the party that has notified a personal data breach to the supervisory authority pursuant to Clause 10.2 is also responsible for complying with Article 34 GDPR on communication of a personal data breach to the data subject.

The parties shall assist each other in communicating a personal data breach to the data subjects, including procuring the information which - pursuant to Article 34(2) GDPR - must be contained in a communication to the data subject.

Data Protection Impact Assessment and Prior Consultation
The Purchaser is responsible for complying with the requirements set out in Article 35 GDPR. This entails that the Purchaser, prior to the processing operation, shall assess whether the envisaged processing operation, given the employed technology and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. If this is the case, the Purchaser must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The Purchaser is also responsible for complying with Article 36 GDPR. This entails that the Media Agency shall consult the supervisory authority prior to the processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

JPPOL shall make available to the Purchaser all information necessary for the Purchaser to comply with its obligations pursuant to Clause 12.1 and 12.2.

Transfer of Personal Data to Third Countries or International Organisations
Each party is entitled to decide whether personal data may be transferred to third countries or international organisations.

Each party shall upon request make the other party aware of any transfers of personal data to third countries or international organisations performed by the party.

Each party is responsible for ensuring compliance with the requirements in Chapter V GDPR in relation to any transfers of personal data to third countries or international organisations.

Complaints
Each party is responsible for handling enquiries and potential complaints from data subjects pertaining to infringements of the GDPR, the Danish Data Protection Act or these Guidelines which fall within the individual party's area of responsibility.

If either party receives an enquiry or complaint, which must rightly be handled by the other party, the receiving party shall remit the enquiry or complaint to the other party as soon as possible.

If either party receives an enquiry or complaint, part of which must be handled by the other party, the receiving party shall remit this part of the enquiry or complaint to the other party as soon as possible.

When a party remits a complaint or enquiry to the other party, the sending party shall notify the data subject of the essence of these Guidelines.

Notification of the Other Party
Each party shall notify the other party concerning matters of substantive importance for the joint processing of personal data and for the joint controllership as set out in these Guidelines.

Entry into Force and Duration
These Guidelines are accepted by the Purchaser upon placing an order for Advertisement space from JPPOL and shall apply from the date of delivery of the purchased Advertisement space on JPPOL-sites.

The allocation of responsibilities between the parties pursuant to these Guidelines shall apply for the duration of the processing of personal data.

Termination
Any breach of these Guidelines shall constitute a substantial breach of contract between the parties. In the case of a substantial breach of contract, JPPOL has the right to terminate the cooperation between the parties with immediate effect under the ordinary rights of default under Danish law.

JPPOL may suspend or terminate the cooperation with the Purchaser upon reasonable suspicion of non-compliance with these Guidelines, until that time where such suspicion has been confirmed or disconfirmed by JPPOL.

Each party shall indemnify the other party from any direct or indirect loss, claims, damage suffered by the party, and/or action brought against the party arising from (i) the party's non-compliance with its obligation under these Guidelines, (ii) the party's non-compliance with obligations following from data protection law, and (iii) the party's negligent acts or omissions resulting in the other party's non-compliance with data protection law.

Dispute Resolution, Choice of Law, and Choice of Forum
Any dispute arising out of or in connection with this contract, including any disputes regarding the existence, validity, or termination thereof, shall be settled by mediation administrated by The Danish Institute of Arbitration in accordance with the rules on mediation adopted by The Danish Institute of Arbitration and in force at the time when such proceedings are commenced.

If the mediation proceedings are terminated without a settlement, the dispute shall be settled by arbitration administrated by The Danish Institute of Arbitration in accordance with the rules of arbitration procedure adopted by The Danish Institute of Arbitration and in force at the time when such proceedings are commenced.

February 2021