Version 1.0. Released: 1 July 2022.

This PRIVACY COMPLIANCE AGREEMENT (herein, the "Agreement") BETWEEN:

  • Adform A/S a company registered in Denmark with its registered offices Silkegade 3B, stuen & 1st floor, DK-1113 Copenhagen ("Adform"); and
  • [Company name] a company registered in [Country] (company registration no. [ No.]) whose registered office is at [Address] (the "Client").

- Client and Adform individually also "Party" and jointly "Parties" -

BACKGROUND

(A) The subject of this Agreement is the collection and processing of Service Data (as defined below) in connection with certain online advertising services provided by the Adform to the Client as specified in a separate agreement (hereinafter the “Main Contract”). The performance of the Main Agreement may involve the processing of personal data (as defined in Applicable Data Protection Law).


(B) This Agreement shall govern the rights and obligations of the Parties with respect to the collection, processing and use of personal data in order to ensure compliance with Applicable Data Protection Law.


(C) Both Parties agree that, to the extent that the provision of the services under the Main Agreement involve the processing of Personal Data, the Parties will be Joint Controllers for certain processing activities within the meaning of Art. 26 GDPR, as further defined in this JCA. The Parties enter into this JCA in order to satisfy the legal requirements as Joint Controllers and to set forth both Party´s rights and obligations.


(D) Whereas one of the contracting party acts as an agency for the end client (advertiser), the agency acknowledges and undertakes to ensure the terms of this agreement, in particular the joint controllership processing and compliance requirements, including, but not limited to, requirements to make necessary changes in the advertiser’s privacy policy and/or Consent Management Platform, are reflected and passed down to the advertiser.

IT IS AGREED:

A. GENERAL

1. Definitions. In this Agreement, the terms listed below shall have the meanings assigned to them:

(a) "Adform Tags" " means cookies, tracking pixels, SDKs and similar tracking technology that is (i) proprietary to Adform, (ii) provided to the Client by Adform under the Main Agreement and (iii) used to provide the Services.

(b) “Adform Data” sshall mean the Adform third party cookie IDs or such similar third-party IDs that are generated or assigned by Adform and are not Client specific.

(c) "CMP" means a company or other entity offering a consent management platform and registered as an active CMP within the IAB TCF.

(d) "Client Data" shall mean the data defined in Annex 2, section 1.

(e) "Client Data Processing" shall mean the processing activities carried out by Adform as a data processor (Art. 28 GDPR) under section C of this Agreement and as further described in Annex 2.

(f) "Digital Properties" means websites, mobile applications and other digital properties owned, controlled or managed by the Client through which personal data is collected and used for the purposes of the Main Agreement.

(g) "End User" means a person accessing Client Digital Properties.

(h) "Applicable Data Protection Law" means any or each of

           (i) the General Data Protection Regulation (EU) 2016/679) (the "GDPR");

           (ii) the e-Privacy Directive EC 2002/58 as amended by Directive EC 2009/136; and

           (iii) any European or national data protection laws enacted on the basis of, in substitution for or in extension of (i) or (ii).

           (iv) the California Consumer Privacy Act (the “CCPA”) as it may be updated from time to time.

(i) "GVL" means the Global Vendor List of the IAB TCF.

(j) "IAB TCF" means the Transparency and Consent Framework of IAB Europe in its current version.

(k) ID Fusion” means the proprietary feature or graph developed by Adform, which, when enabled by the Client (at its own choice), permits the processing of each and every type of online identifiers for the purpose of deriving inferences about the connection of the IDs among themselves.

(l) "Joint Data Processing" shall mean the joint data processing carried out by the Parties under section B of this Agreement and as further described and selected in Annex 1, irrespective of whether such activities are supported, or carried out, by data processors acting on behalf of a Party.

(m) "Purpose(s)" shall mean the Purposes defined in Annex 1, section 2.

(n) "Services" shall mean the Adform services provided under the Main Agreement.

(o) "Service Data" shall mean all data (which might be personal data) collected by Adform via the Client Digital Properties for the purpose of the Services and which is further specified in Annex 1 Section 1 and Annex 2 Section 1 to this JCA.

(p) The terms "personal data", "special categories of personal data", "collection", "processing" and "transmission" have the meaning as defined, or presupposed, in the GDPR. Unless explicitly stated otherwise, definitions agreed upon between the Parties in other documents or agreements are not applicable to this Agreement.

2. Subject Matter

2.1 Scope. The Parties enter into this Agreement to ensure that the each of the Parties complies with Applicable Data Protection Law when providing and/or using the Services. This Agreement shall replace all existing agreements between the Parties on the same subject matter, in particular any prior data processing agreements (Art. 28 GDPR) and all other agreements concerning compliance requirements under Applicable Data Protection Law.


2.2 Joint Controller (Art. 26 GDPR). If and to the extent Joint Data Processing activities are carried out by the Parties under the Main Agreement, the Parties are joint controllers (Art. 26 GDPR). Sections A and B of the Agreement apply to the Joint Data Processing. In the event of a conflict, Section B prevails over Section A.


2.3 Processor (Art. 28 GDPR). If and to the extent Adform carries out Client Data Processing under the Main Agreement, Adform is a data processor and the Client is a data controller (Art. 28 GDPR). Sections A and C of the Agreement apply to the Client Data Processing. In the event of a conflict, Section C prevails over Section A.


2.4 Agency. If the Client is an agency entering into this Agreement for the benefit of third party advertising customers, the Client (i) represents that it has been authorized by its customers to conclude this Agreement and (ii) that it has all rights necessary to ensure the proper performance of this Agreement. In between Adform and the Client, the Client remains responsible for the fulfilment of the obligations contained in this Agreement.


2.5 Individual Controllers. With respect to data processing that is neither within the scope of the Joint Data Processing nor the Client Data Processing both Parties are independent data controllers.


2.6 Applicability of the Main Agreement. Unless otherwise stipulated in this Agreement, the Main Agreement shall govern all the aspects in regards to the subject matter of the Services agreed to be provided by Adform.

B. Joint Data Processing

1. Roles of the Parties

1.1 Joint responsibility. The Parties are jointly responsible for the Joint Data Processing (Art. 26 GDPR). The Parties shall determine the purposes and/or the means regarding the Joint Data Processing as joint controllers as set out in this section B.

1.2 Disclosure The Parties shall make available to the data subjects the essence of this Agreement as it relates to the Joint Data Processing.

2. Scope of Joint Data Processing

2.1 The Parties agree that the collection of the Service Data and the transfer of the Service Data to the Vendor for the Purpose constitutes the "Joint Data Processing". There are two spheres within which the Parties each ensure that the currently applicable data protection laws are complied with:

2.2 Client’s Sphere: The Client will implement the Adform Tags according to the technical specifications as per the Main Agreement and subject to the obligations contained in this Agreement. The Client shall ensure that no Adform Tag is set on the Digital Properties, and no Service Data are collected during the use of Digital Properties, before the data subject has given its consent to set the Adform Tag and has been informed about the setting of the Adform Tag and the collection of data associated with the Adform Tag, in accordance with Applicable Data Protection Law. Further, the Client is responsible for any storage of Service Data on its IT systems.

2.3 Adform’s Sphere: Adform will ensure that the transfer to and the storage of Service Data on its IT systems is protected by sufficient technical and organizational measures. Further, Adform will ensure technically that only the agreed Service Data is collected and processed through the Adform Tag for the Purposes.

3. Obligations of Client

3.1 Information and transparency. In its Digital Properties, the Client shall provide information in an easily accessible and meaningful manner and in accordance with Applicable Data Protection Law about the Joint Data Processing. This information shall include a link to Adform's privacy policy. Adform shall provide the information required to fulfil these obligations. Information about the Joint Data Processing will reflect the choices made by the parties in Annex A concerning the applicability of purposes to the Services.


3.2 Legal basis. The Client enables End-Users to consent and as applicable, to object to the Joint Data Processing in accordance with the available legal basis indicated by Adform for each relevant Purpose. In any case, the Client shall obtain consent for the use of the Adform Tags in accordance with Applicable Data Protection Law. If, according to the GVL and in accordance with the IAB TCF, Adform gives the Client the option to carry out certain processing operations on the basis of consent as well as on the basis of legitimate interests, the choice of the legal basis is made by the Client.


3.3 GVL. Adform may provide the information referred to in paragraph 6.1 and 6.2 via the GVL.


3.4 Disclosure. Client shall make available to the data subjects the essence of this Agreement as it relates to the Joint Data Processing. The Parties shall cooperate in good faith to agree on the exact content and form. Adform may provide the Client with a standard text to support the Client in fulfilling its obligation. Consent


3.5 Consent Requirements. If and to the extent the Client obtains consent for the Joint Data Processing, the consent must
(a) be voluntary, specific, informed and unambiguous;
(b) not be pre-condition for access to a service or the performance of a contract;
(c) identify Adform as the recipient of the data;
(d) contain an easily recognisable reference to the option to refuse consent; and
(e) be obtained again in accordance with the applicable legal requirements of Applicable Data Protection Law, or the IAB TCF (if applicable); whichever time is shorter.


3.6 Documentation and proof. The Client shall document each consent and, on reasonable request of Adform, provide Adform with evidence of the consent without undue delay either in the form of a signal in a bid request or upon separate request (email shall suffice).

4. Obligations of Adform

Adform shall:

(a) process the data collected in the course of Joint Data Processing only for the Purposes;

(b) not subject data subjects to a decision based on automated processing including profiling (scoring) which produces legal effects in relation to the data subject or significantly affects him/her in a similar way (Art. 22 GDPR).

5. IAB TCF

5.1 Compliance. If the Client supports IAB TCF, the Client undertakes to comply with all applicable regulations, specifications as well as terms and conditions governing the IAB TCF during the term of this Agreement.

5.2 Effect. Provided that the Client supports the IAB TCF and subject to the Client's fulfilment of its obligations under Clause B.6.1 at all times, the Client fulfils its obligations under Clauses B.3.1, 3.2, B.3.5 and B.3.6 by using a CMP with valid registration of the IAB in accordance with the applicable regulations of the IAB TCF and the information provided by Adform via the GVL.

TCF changes. At the time of signing of this Agreement, Adform supports the IAB TCF 2.0 (available at https://iabeurope.eu/tcf-2-0/). Adform shall give due notice (not less than six months in advance) if it intends to change to another consent and transparency framework or to a successor version of the IAB TCF 2.0. In such a case and to the extent applicable, the provisions contained in this Agreement related to the IAB TCF shall apply mutatis mutandis to the successor version or other consent and transparency framework. To the extent that the use of another consent and transparency framework or a successor version of IAB TCF requires changes or amendments to the provisions of this Agreement, the Parties will discuss in good faith to amend this Agreement as required.

5.3 Non-TCF CMP. If Client uses a Non-TCF CMP instead, the Client has to ensure compliance with this JCA, in particular provided that at all times Client fulfils its obligations under Clauses B.3.1, B.3.2, B.3.5 and B.3.6.
.5.

6. Data Subject Rights

6.1 Requests. Data subjects can exercise data subject rights under Applicable Data Protection Law with regard to the Joint Data Processing against any Party. The Client shall immediately forward any data subject inquiries from End-Users regarding the Joint Data Processing to Adform. The Client shall not answer to data subject inquiries regarding the Joint Data Processing without prior consultation of Adform.


6.2 Contact person. The Client will name itself in its privacy policy or within another suitable and legally permissible place as the contact person for the exercise of the rights of data subjects.


6.3 Withdrawal and objection. The Client will inform Adform immediately about any withdrawal of a consent concerning the Joint Data Processing as well as any objection against the Joint Data Processing.


6.4 Support. Adform is free to use standardised or automated methods to enable End-Users to exercise data subject rights. The Client shall use reasonable commercial endeavours to support such methods (e.g. by integrating a corresponding tool or opt-out link into the Digital Properties).

7. Data security and data protection, other obligations

7.1 Data security. Both Parties maintain appropriate technical and organisational security measures in their respective areas of responsibility to ensure a level of protection appropriate to the risk (Art. 32 GDPR).
Reporting and notification obligations. Should a personal data breach occur with one Party, this Party will inform the other Party immediately. The Parties will subsequently cooperate with each other to minimize the impact of the personal data breach, and/or to remedy the personal data breach. Adform shall fulfil any notification obligations arising from Art. 33 and 34 GDPR in the context of Joint Data Processing.


7.2 Records of Processing Activities. The Parties shall each keep separate records of processing activities with respect to the Joint Data Processing. Each Party shall allow the other Party to consult the part of its records of processing activities relating to the Joint Data Processing.


7.3 Information. If a claim is made against one of the Parties, alleging that the Joint Data Processing is unlawful in whole or in part, this Party shall inform the other Party without undue delay.


7.4 International Data Transfers. Adform shall not transfer Client Data outside of the European Economic Area without prior written approval of the respective Party and unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. The Parties agree to comply with the transfer requirements as set forth in the latest version of the Standard Contractual Clauses and as it may be amended from time to time. Data transfer may however occur in the context of cookie matching partners where data transfer may occur as a result of the Adform Cookie ID matching. A list of our cookie matching partners can be found hear https://site.adform.com/privacy-center/adform-cookies/.

8. Liability

8.1 External. The Parties are jointly and severally liable in relation to affected data subjects for any damage caused in the course of Joint Data Processing by processing that does not comply with Applicable Data Protection Law. A Party shall be exempted from liability if it proves that it is in no way responsible in any way for the circumstance by which the damage occurred (Art. 82 GDPR).
8.2 Liability between the PartiesWith respect to the liability between the Parties, the Main Agreement shall apply.

C. CLIENT DATA PROCESSING AGREEMENT

1. Scope of Data processing

1.1 Relationship. The Client appoints Adform as a processor to process the Client Data for the purposes of Client Data Processing as described in this Agreement (or as otherwise agreed in writing by the parties). Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Adform becomes aware that the Client Data Processing infringes Applicable Data Protection Law, it shall promptly inform the Client.
1.2 Instructions. Adform processes Client Data exclusively in accordance with the Client´s instructions. The Parties agree that the Main Agreement and this section C, together with the settings made by the Client when using the Services, shall constitute the Client´s instructions. Details on the data processing, including the nature of data processing, the type of data being processed and the categories of data subjects concerned, are described in Annex B (Data Processing Activities) to the Agreement.
1.3 IP addresses. Adform may anonymize IP addresses directly at the source (IPv4: replacing the last octet of an IPv4 address with a fixed string, IPv6: deleting the last 24 bit of the prefix; deleting the Interface Identifier or another anonymisation method). IP address data, which has been anonymized in accordance with this clause, does not constitute personal data and shall not be subject to this Agreement.

2. Processor Obligations

2.1 Technical and organisational security measures. Adform shall implement technical and organisational security measures necessary to protect the Client Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Client Data (a "Security Incident"), in compliance with the Applicable Data Protection Law. An overview of such technical and organisational measures which have been implemented as of the effective date is set out in https://site.adform.com/privacy-center/corporate-privacy/physical-organisational-and-it-security-measures. As technical and organisational measures are subject to technological development, Adform is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by the Applicable Data Protection Law. Upon request by the Client, Adform shall demonstrate which technical and organisational measures it has implemented. Such demonstration may be made by presenting current certification or a report such as by an internal or external data protection officer, a privacy auditor, the IT security department or a suitable certification by an IT security or privacy audit (e.g. ISO 27001) (“Audit Report”).
2.2 Access. Adform will ensure that only such personnel within its organisation that have a need to know will access and work with Client Data, and that such personnel is subject to adequate confidentiality obligations or are under a statutory obligation of confidentiality.
2.3 International Data Transfers. Adform shall not transfer Client Data outside of the European Economic Area without prior written approval of Client and unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
2.4 Cooperation and data subjects' rights. Adform shall provide reasonable and timely assistance to the Client (at the Client's expense) to enable the Client to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Client Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Adform, Adform shall promptly inform the Client providing full details of the same. Upon request, Adform shall provide the Client with contact details of the individual(s) to approach with privacy-related queries.
2.5 Data Protection Impact Assessment. Adform shall provide reasonable cooperation to the Client (at the Client's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
2.6 Security incidents. If Adform becomes aware of a confirmed Security Incident, Adform shall inform the Client without undue delay, however at least within 48 hours, and shall provide reasonable information and cooperation to the Client so that the Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Adform shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep the Client aware of all material developments in connection with the Security Incident.
2.7 Deletion or return of Data. Upon termination or expiry of this Agreement or the Main Agreement, as appropriate, Adform shall (at the Client's election) destroy or return to the Client all Client Data in its possession or control. This requirement shall not apply to the extent that Adform is required by applicable law to retain some or all of the Client Data, or to Client Data it has archived on backup systems, which Client Data Adform shall securely isolate and protect from any further processing except to the extent required by such law.
2.8 Confidentiality of processing. Adform shall ensure that any person it authorises to process the Client Data shall protect the Client Data in accordance with the Adform's confidentiality obligations under this Agreement and the Main Agreement.
2.9 Audit. The Client acknowledges that Adform is regularly audited against ISO 27001 and, as the case may be, other industry standards by independent third party auditors. Upon request, Adform shall supply a summary copy of its audit report(s) to the Client, which reports shall be subject to the confidentiality provisions of this Agreement and the Main Agreement. Adform shall also respond to any written audit questions submitted to it by the Client. The Client shall not exercise this right more than once per year unless specific circumstances require an additional audit. Client shall have the option to conduct on site audits of Adform's information security procedures, services and support delivery centres ("Data Premises") through the Client or an independent third-party auditor as authorized by Client, who shall be bound to strict confidentiality obligations, so far as the Data Premises are relevant to Client Data processed by Adform under this Agreement. Such an on-site audit of the Data Premises shall only be conducted:
(a) In case of a Security incident according to Clause 2.6 of Section C;
(b) An audit has been requested by competent supervisory authorit
(c) Adform did not provide Client with sufficient proof of compliance with technical and organisational measures subject to Art. 32 GDPR.
(d) Applicable Data Protection Law allows Client to conduct such an audit.

Provided that the above conditions are met and unless mandatory Applicable Data Protection Law requires more frequent audits, Client is only allowed to do an audit once in any 12 months. For the avoidance of doubt, any auditor selected by Client must be qualified for its role and can not be a direct or indirect competitor of Adform. Adform requires Client to provide at least sixty (60) days advance notice of any audit, unless mandatory Applicable Data Protection Law or a competent supervisory authority require a shorter notice. Save as otherwise provide above, the time frame, the frequency and scope of any audits shall be mutually agreed between the Parties prior to any audit and take place within Adform's ordinary business hours. To avoid repetitive audits or minimize the effort required for an audit, the Parties agree to act in good faith and to use and share the certifications in place and the audits reports. Client will bear the costs of any audit unless such audit reveals a material breach of Adform of this Agreement, in which case, Adform will bear its own expense.

2.10 Subcontracting. The Client consents to Adform engaging third party sub-processors to process Client Data provided that: (i) Adform maintains an up-to-date list of its sub-processors available at https://site.adform.com/terms-and-conditions/adform-affiliates-and-third-party-subprocessors/ which it shall update with details of any change in sub-processors at least 10 days' prior to any such change; (ii) Adform imposes data protection terms on any sub-processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Adform remains liable for any breach of this clause that is caused by an act, error or omission of a sub-processor. The Client may object to the Adform's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Adform will either not appoint or replace the sub-processor or, if this is not possible, the Client may suspend or terminate this Agreement or the Main Agreement (without prejudice to any fees incurred by the Client prior to suspension or termination).”

3. Client Obligations

3.1 No Directly Identifiable Data.The Client shall not transfer to, make available for, submit, or grant to Adform access to any directly identifiable Personal Data (i.e. data that is not pseudonymous). If Adform comes into possession of or gets access to directly identifiable Personal Data from Client, Client shall cease any such transfer or submission without undue delay. Adform reserves the right to block any transfer or submission of directly identifiable data, and to delete any such data from its systems, in its sole discretion.
3.2 Information.The Client shall inform Adform as soon as reasonably possible of any legitimate inspection or audit by any competent supervisory authority, which relates to the Client Data Processing.
3.3 Data Subject Requests. The Client shall inform Adform as soon as reasonably possible about any request from a data subject to enforce their rights under the Applicable Data Protection Law that is related to the Client Data Processing.
3.4 Warranty. The Client warrants to Adform that any Client Data it provides to Adform for Client Data Processing has been collected in accordance with Applicable Data Protection Law. The Client further warrants to Adform that Client Data may legally be processed in the manner necessary to deliver the Services in accordance with the Main Agreement and this Agreement.

4. Term, Termination

This Agreement will be in force for as long as Adform processes personal data on behalf of Client in accordance with this Agreement or the Main Agreement. In case of termination or expiry of the Main Agreement or this Agreement, this section C shall continue to be in force until all Client Data has been destroyed or returned to the Client.

ANNEX 1

JOINT PROCESSING

1. Categories of data. The Joint Data Processing applies to the collection of Adform IDs and their transfer to Adform, which are used by Adform to enable and support the facilitation of personalised advertising campaigns, ad selection and delivery processes.

 

If the ID Fusion feature is enabled by the Client (at Client’s choice), the Joint Data Processing also includes the collection and transfer to Adform of Client’s 1st Party IDs used for the operation and enhancement, respectively training of the ID-Fusion feature. Where it is not, 1st party IDs are subject to the processing activities described in Annex 2.

2. Purposes:

2.1 Reading and accessing the End-User Device in the context of Adform Data (IAB Purpose 1)
2.2 Simple advertisement selection or contextual advertisement (IAB Purpose 2)
2.3 Technically deliver advertisements (IAB Special Purpose 2)
2.4 Creation of a Personalized Advertising Profile (IAB Purpose 3)
2.5 Selecting personalized advertisements (IAB Purpose 4)
2.6 Match and combine offline data sources (IAB Feature 1)
2.7 Receive and automatically sent device characteristics for identifications (IAB Feature 3)

3. Processing operations.

In addition to the collection and transfer of the online identifiers, the following processing may occur activities occur:

3.1 Audience Extension, i.e. use Client Data to calculate similar audiences from data received by Adform from third party partners (subject to Client ´s choice) as configured by Client;
3.2 Cross-Device, i.e. the probabilistic determination of IDs that belong to the same user;
3.3 Collecting information about interactions with Client websites, apps and other Digital Properties

The Joint Data Processing ends with the completion of the transfer of the data to Adform and any processing of data after the transfer to Adform occurs under the sole controllership of Adform.

Such processing activities occur in the context of the following purposes:

a. Measure advertisement performance (IAB Purpose 7)
b. Fraud prevention and security (IAB Special Purpose 1)
c. Develop and Improve products (IAB Purpose 10)

In addition to the description in this Annex, the descriptions of the IAB TCF v2.0 policy apply (IAB Europe Transparency & Consent Framework Policies – IAB Europe). In the event of a conflict, this Annex takes precedence.

ANNEX 2

DATA PROCESSING OPERATIONS

1. Client Data defined as: 
1.1. Using standard pixels/scripts, the following types of personal data are processed: 1st Party IDs, part of the IP address, location derived from the full IP address (or if in-app the location transmitted by the App), the URL of the web page, technical browser and device information and timestamp. In addition, the script/pixel allows the Client to feed additional variables to Adform's platform by using predefined variable names such as “Sales Value”, “Product Name”, “OrderID”, etc. that allow the Client to transmit data e.g. about the products being seen/visited or bought (Sale Confirmation webpage). 
1.2. Using the Adform Software Development Kit (SDK) for App Download and Event Tracking or similar third-party tracking tools from Mobile Measurement Partners (MMPs) the following types of data is processed: Mobile advertising ID, app download data (e.g. app store identifiers, app starts, custom events).).
1.3. No special categories of personal data or other sensitive information are processed by Adform for the Client.
2. Processing operations. Client Data is used by Adform, subject to Client's choice and/or use of the respective Adform Service, to perform the following processing activities for Client: 
2.1. Bid Optimization, i.e. use Client Data to decide on which impressions from different exchanges a bid may be issued;
2.2. Statistical Location Data, i.e. enriching Client Data with aggregate statistical location-based data;
2.3. Audience Management and segmentation of Client Data, i.e. the categorization of Client Data into segments as a data management tool;

2.4 Ad Serving, i.e. the delivery and optimization of Ads on third party properties and the collection of information about interactions with Ads;
 
For the following processing operations Adform acts as a sole controller:
a. Measure advertisement performance (IAB Purpose 7)
b. Fraud prevention and security (IAB Special Purpose 1) 
c. Develop and Improve products (IAB Purpose 10)
Data Subjects affected by the Processing of Client Data through Adform are End-Users of digital properties including websites and mobile apps owned or controlled by the Client; customers of the Client.

TO ENSURE THE SECURITY OF THE DATA