Exhibit 2 - Data Transfer Agreement

This data transfer agreement (the ”Agreement”) constitutes an appendix to the Partner Agreement entered into by Adtraction AB and the contracting party (the “Partner”) (individually referred to as “Party” and collectively as “Parties”).

WHEREAS the Parties have entered into a business relationship regarding affiliate marketing in accordance with the Partner Agreement and therefore intend to facilitate the free flow of data thereof whilst maintaining the applicable safeguards in data protection. This Agreement is supplemental to the provisions laid out in the Partner Agreement. 

WHEREAS the Parties in the course of the business relationship will Process Personal Data. The Processing will primarily pertain to the Personal Data collected on the Partner´s website. In addition, the Parties will Process Personal Data as is customary in the course of communication between two business partners.

THEREFORE, in consideration of the foregoing premises and the mutual undertakings herein contained, the Parties hereby agree as follows.

1. Definitions
1.1 The following capitalised terms, regardless of being written in singular or plural form, shall in this Agreement be attributed to the definition laid out below.

Collaborator means with respect to a Party, any third party that controls, is controlled by, or is under common control with that Party, including affiliate and subsidiary. For the purpose of this definition, “control” (including, with correlative meaning, the terms “controlled by” and “under the common control”) means the actual power, either directly or indirectly through one or more intermediaries, to direct or cause the direction of the management and policies of such party.

Controller shall be construed in accordance with the definition provided in Article 4(7) of the GDPR.

Data Protection Law means the GDPR including national implementing legislation relating to privacy and data protection as applicable from time to time.

Effective Date means the latest of the dates of the respective signatures of the Parties to this Agreement.

GDPR means the General Data Protection Regulation (2016/679).

Joint Controllership shall be construed in accordance with the definition provided in Article 26 of the GDPR. 

Partner Agreement means the agreement entered into by the Parties to which this Agreement is an Appendix. 

Personal Data shall be construed in accordance with the definition provided in Article 4(1) of the GDPR.

Processing (including "Process") shall be construed in accordance with the definition provided in Article 4(2) of the GDPR.

Processor of Personal Data shall be construed in accordance with the definition provided in Article 4(8) of the GDPR. 

Services means the affiliate marketing services exchanged between the Parties under the scope of the Partner Agreement.

Transferred Data means the Personal Data transferred by one Party to the other Party pursuant to the provision of the Services.

1.2 The headings herein shall not affect the interpretation of the Agreement.

2. Controllership

2.1 The Parties agree that, for the purposes of Data Protection Law, the Parties are each independent Controllers with respect to the Personal Data shared under this Agreement. For avoidance of doubt, the Parties agree that neither of them assumes the role of being a Processor of Personal Data unless specifically agreed upon separately. 
2.2 If the performance of Services give rise to any Joint Controllership between the Parties under Data Protection Law, such situation shall, notwithstanding the above, otherwise not affect the interpretation of the provisions under this Agreement or the Parties’ obligations thereof.
2.3 Nothing in this Agreement shall be construed as any determination of controllership under Data Protection Law of each Party vis-à-vis its Collaborator(s) respectively. 

3. Representations and warranties

3.1 Each Party in its capacity as a Party disclosing Transferred Data represents and warrants to the other Party that, to disclosing Party’s knowledge, the sharing of Transferred Data is in accordance with Data Protection Law and it has taken such reasonable actions as the disclosing Party reasonably believes to be required under Data Protection Law to enable such transfer in compliance with Data Protection Law.
3.2 Each Party in its capacity as a Party receiving Transferred Data represents and warrants to the other Party that it and, if applicable, its Collaborator(s) shall:

(i) Process the Transferred Data in accordance with Data Protection Law.
(ii) Process the Transferred Data only as reasonably is necessary for the provision of Services and for purposes compatible under applicable Data Protection Law.
(iii) Not transfer the Transferred Data to any third party (including, for clarity, any subcontractors) in a manner incompatible with the purpose(s) for which it was Processed as of the date it was transferred and, if the transfer is to a recipient outside the European Economic Area, not further transfer the Transferred Data unless the transfer is to a country subject to adequacy decision by the European Commission or made pursuant to an approved transfer mechanism under Data Protection Law.
3.3 Each Party represents and warrants  to the other Party that it and, if applicable, its Collaborator(s) have in place and shall maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Further, each Party shall provide a level of security appropriate to the risk represented by the Processing and the nature of the Transferred Data.

4. Data minimisation

Each Party acknowledges that, pursuant to applicable Data Protection Laws, each Party is under an obligation to ensure that the Personal Data they Process and which the disclosing Party discloses is limited to only that which is necessary for the purposes of the Processing. The disclosing Party shall accordingly, notwithstanding any other provision of this Agreement, use commercially reasonable efforts to transfer only that Transferred Data which is required to facilitate the Services.

5. Data transferred from the Partner to Adtraction

5.1 When a visitor clicks on an Adtraction-link, or equivalent, posted on a Partner’s website, or similar, the visitor is redirected to an advertiser’s website. A cookie is placed in the visitor’s browser in connection to the click so that Adtraction can monitor which Partner the click is generated from. This cookie contains GUID (Globally Unique Identifier) and is called at_gd (Adtraction GUID).
5.2 The Partner thereby transfers data to Adtraction that is always transmitted through a click on the internet, a so-called HTTP request.
5.3 Adtraction does not collect all data received from such a HTTP request but the following information is collected:

  • IP address
  • Date and time of the enquiry
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Quantity of data transferred in each case
  • The website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

5.4 Most of the information does not constitute personal data but e.g. information regarding an IP address might be considered personal data.
5.5 The purpose of Adtraction´s process of the Personal Data transferred to Adtraction is for Adtraction to be able to fulfil its obligations under the Partner Agreement.
5.6 All Personal Data transferred to Adtraction will be deleted 12 months after Adtraction received the Personal Data (date of collection).

6. Cooperation and assistance

6.1 Each Party shall provide the other with such assistance as may be reasonably requested to ensure that each Party complies with their obligations under applicable Data Protection Law.  For clarity, such assistance may include cooperating in response to requests from data subjects or supervisory authorities, the provision of information relating to Transferred Data.
6.2 Where Adtraction collects Personal Data using cookies or other similar technology placed on the Partner’s website, the Partner shall assist Adtraction with providing the data subjects with information according to Article 13 of the GDPR. The Partner undertakes to ensure that the information meets the requirements of GDPR.
6.3 For Adtraction’s use of cookies and other similar technologies according to clause 5.1 above, the Partner shall collect consents from the data subjects by placing a cookie banner on the Partner’s website. 
6.4 Each Party must state in the respective integrity policy how Personal Data is collected and processed with regards to the Services.

7. General provisions

7.1 Each Party shall perform its obligations under these clauses at its own cost.
7.2 The Party receiving Transferred Data shall hold the other Party harmless and shall indemnify the other Party in respect of damages and costs, with exclusion of losses that are indirect or consequential, which may be incurred by the receiving Party due to processing carried out by the receiving Party in breach of applicable laws, including but not limited to the GDPR, or this Agreement.
7.3 The Agreement is supplemental to the Partner Agreement and the provisions therein concerning, inter alia, indemnification and dispute resolution likewise apply to this Agreement.
7.4 The Agreement including any rights or obligations hereunder may not be assigned or otherwise transferred by either Party without the prior written consent of the other Party.
7.5 Amendments to this Agreement are only valid if established in writing and duly signed by each Party.

8. Duration

This Agreement gains effect when the Partner effectively has entered into the Partner Agreement and its provisions shall remain in full force and effect whenever a Party is Processing Transferred Data.