European Funds Smart Growth logo Znak barw RP European Union European Regional Development fund logo

Data Protection Agreement

This Data Processing Agreement forms part of the Agreement with Publisher and is made and entered into by and between Yieldbird Sp. z.o.o., on behalf of itself and its subsidiaries, (herein referred to as “Yieldbird”), and the Publisher (herein referred to as “Publisher”).


  1. “Agreement” means agreement between Yieldbird and Publisher on the basis of which Yieldbird can obtain access to Personal Data.
  2. “CCPA” means the California Consumer Privacy Act of June 28, 2018.
  3. “Data Protection Agreement” means this Data Protection Agreement
  4. “GDPR” means the European Union General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  5. “Resident” means a consumer within the meaning of CCPA, meaning an individual who is a California resident as defined in Section 17014, Title 18, of the Code of California Laws, whether or not identified, including by any unique identifier.
  6. “LGPD” means the Brazilian Personal Data Protection Act titled “Lei Geral de Proteção de Dados” in force since 16 August 2020
  7. Other definitions beginning with a capital letter shall have the meaning given to them in the Agreement or in Terms and Conditions of Placement Monetization. Definition in the Agreement shall prevail.


  1. The Parties undertake and agree to provide their representatives and persons employed by them (irrespective of the legal grounds for employment, e.g. civil law contracts), whose Personal Data will be disclosed to the other Party of the Agreement as the data administrator in connection with the conclusion and implementation of the Agreement, with the information known to the disclosing Party and indicated in Article 14 of GDPR.
  2. Whereas as part of the Placement monetization Yieldbird (who is the processor) is processing of Personal Data entrusted by the Publisher (who is the Personal Data administrator), the Parties hereby regulate issues on entrusting the processing of Personal Data herein, subject to Section 8.


  1. Under this Data Protection Agreement, the Publisher entrusts to Yieldbird the processing of Website user's Personal Data to the extent specified in Schedule A (the “Personal Data”), in order to perform Placement monetization by redirecting the data gathered by the Publisher via the cookie technology to Partners and RTB Platforms (as defined in Agreement with Publisher). The scope of the Personal Data is permanent and necessary to provide the services, so it is not subject to modification.
  2. Yieldbird may process the entrusted Personal Data solely within the scope and for the purpose necessary to provide services specified in the Agreement. Yieldbird will process Personal Data only during the term of the Agreement.
  3. The Personal Data processed in connection with the performance of the Agreement may be a subject to GDPR. Yieldbird is obligated to process the Personal Data in accordance with the GDPR other applicable laws and provisions hereof.


  1. Yieldbird hereby represents that it has the infrastructure resources, experience, knowledge and qualified personnel that allow it to perform this Agreement properly and in accordance with applicable laws and regulations. In particular, the Processor represents that it is familiar with the principles of Personal Data processing and protection arising under GDPR.
  2. Yieldbird is obligated to:
    1. process the Personal Data in accordance with the GDPR, Polish regulations adopted to enable the application of the GDPR, other applicable laws and the Agreement.
    2. apply all technical and organizational measures adequate to the risk level securing the Personal Data in accordance with the principles specified in Article 32 of the GDPR;
    3. assist the Controller in fulfilling the obligations set forth in Articles 32–36 of the GDPR, while taking into account the nature of processing and information available to Yieldbird;
    4. process the Personal Data only on documented instructions from the Publisher, unless it is required to do so by the applicable EU or local law; in such a case, Yieldbird informs the Publisher of such a legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    5. assist the Publisher by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR;
    6. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    7. after the termination of the Agreement, depending on the Publisher's request – delete or return the Personal Data and remove copies thereof, unless the mandatory provisions of law provide otherwise,
    8. provide access to the Personal Data only to the persons who, due to the scope of their tasks, have been authorized by Yieldbird to process such data and solely for the purposes of performance of the duties arising out of the Agreement and also take measures to ensure that any natural person acting under Yieldbird's authorization that has access to Personal Data, processes such data only upon the Publisher's instructions, unless such processing is required by applicable national or EU law;
    9. keep a written register (including an electronic register) of all the categories of processing activities performed on behalf of the Publisher;
    10. provide the Publisher upon its justified request with all the information necessary to demonstrate the Publisher's compliance with the obligations arising from applicable legal regulations, in particular from the GDPR, and also provide information on security measures applied and identified threats and incidents in the personal data protection area;
    11. inform the Publisher immediately if Yieldbird believes that the instructions issued to him represent a violation of GDPR or other national or EU data protection regulations;
    12. inform the Publisher without unnecessary delay (provided that this does not result in a violation of any provisions of law) of any proceedings, especially administrative or court proceedings concerning Yieldbird's processing of personal data entrusted by the Publisher, of any administrative decision or ruling handed down to Yieldbird concerning the processing of personal data entrusted to Yieldbird;
    13. only store Personal Data for the period defined by the Publisher and update, correct, change, anonymize, restrict processing or delete the specified personal data according to the Publisher's guidance.


  1. The Publisher hereby gives consent to sub-entrustment by Yieldbird and Yieldbird is entitled to further entrust the processing of Personal Data to sub-processors, that are or will be Partners or RTB Platforms. The list of sub-processors is available at the address Yieldbird will inform the Publisher of any intended change in the list of sub-processors in the manner accepted for communication under the Agreement. The Publisher may object to such a change within the next 7 days.
  2. Yieldbird warrants that it will use only sub-processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Yieldbird will ensure that the obligations imposed on sub-processors are at least the same obligations that are imposed on Yieldbird herein.
  3. The Publisher acknowledges that the object to change the list of sub-processors may result in Yieldbird's inability to perform the Agreement further, about which Yieldbird will inform the Publisher immediately.
  4. Yieldbird may authorize persons acting on its behalf, including sub-processors, to process Personal Data on the Publisher's behalf, which includes issuing Personal Data processing instructions to these entities on the Publisher's behalf.

6. [AUDIT]

  1. Yieldbird will provide the Publisher with the information necessary for the performance of its duties related to entrusting the processing of Personal Data. Yieldbird will enable the Publisher to carry out audits, including inspections, of the outsourcing of the processing of Personal Data and will ensure cooperation in this respectThe audit may be performed on business hours, prior to minimum 14 days' notice.
  2. The Publisher must ensure that the persons performing the audit activities are obliged to keep confidential any information they obtain in connection with the performance of the audit that constitutes Yieldbird's trade secret. The Publisher must ensure that the persons performing audit activities audit are not employed, are not partners, shareholders or members of corporate bodies of entities performing activities competitive to Yieldbird's business activity.
  3. To the extent necessary to conduct the audit, Yieldbird will cooperate with the Publisher and its authorized auditors, in particular to grant them access to rooms and documents containing personal data and information on the processing of personal data, ICT infrastructure and IT systems, and grant them access to the persons having knowledge about the processing of personal data carried out by the Yieldbird, subject to the requirement to ensure continuity of the activities related to the Yieldbird's current business activity.
  4. After the audit, the Publisher's representative will draw up a post-audit report, which will be signed by the representatives of both Parties. Yieldbird undertakes, within a reasonable period of time agreed upon with the Publisher, to comply with the post-audit recommendations contained in the report aimed at resolving deficiencies and improving the security of Personal Data processing. The Publisher, in agreement with Yieldbird, issues any post-audit recommendations regarding necessary security measures to be implemented, taking into consideration all implementation costs.
  5. .Each Party will incur its own costs of the audit, regardless of its result, in particular, Yieldbird is not obligated to reimburse the Publisher for any costs related to the audit, irrespective of its results.


  1. Yieldbird may convey (transfer) Personal Data to a third country outside the European Economic Area – in particular to Partners and RTB Platforms (hereinafter referred to as “Sub-Processors”). Such transfer takes place provided that an adequate level of protection of Personal Data is ensured, which will be identified in particular by:
    1. cooperation with further entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued
    2. Personal Data are entrusted under an agreement based on standard contractual clauses issued by the European Commission by Decision NO 2021/914.


  1. The Parties are obliged to protect confidential information, regardless of the form in which it is transferred and processed, which is understood as information such as:
    1. personal data, including special categories of personal data (as defined in Article 9.1 GDPR)
    2. information constituting a trade secret (within the meaning of the Act of 16 April 1993 on Combating Unfair Competition);
    3. information requiring protection due to its importance for the Parties' interests, including all technical, financial and commercial data, materials and documents or other information, whether recorded in writing or in any other way, recorded in any form and on any medium, concerning the Party or its clients, contractors, suppliers, as well as information concerning services, pricing policy, sales, remuneration of employees received by the other Party during the term of the Agreement, or which it learned or to which it had access or come into its possession in connection with the talks and negotiations and which are not publicly known.
    4. In particular, the Parties warrant that:
      1. any confidential information provided, made available or disclosed by the other Party will be protected and kept secret in a manner consistent with the applicable legal regulations and provisions of the Agreement;
      2. the obtained confidential information will be used and applied only for the purposes for which it was provided, made available or disclosed;
      3. confidential information in its possession will not be transferred or disclosed to any third party, directly or indirectly (subject to the exceptions provided for in the Agreement), without the other Party's prior written consent given in writing;
      4. they will protect confidential information at its own expense by exercising the highest level of diligence.
    5. The Parties undertakes not to copy or otherwise reproduce confidential information provided by the other Party or parts thereof, except where this is necessary for the purpose for which it was provided or for any other purpose closely linked to the cooperation of the Parties. Any copies or reproductions of confidential information recorded on any information carriers, including electronic media, made in such a case will remain the property of the Party providing confidential information and will be handed over, destroyed or effectively removed from the information carriers upon its request.
    6. Confidential Information may be provided only to the authorized employees of the Party that received confidential information, persons employed by that Party under civil law contracts, Processor’s subcontractors, who will be involved in the performance of the Agreement for the Controller because of the scope of their duties or the tasks assigned to them and who will be expressly informed in advance about the confidential nature of the information and about the confidentiality obligations under the Agreement and will undertake to observe the confidential information protection principles including security procedures resulting from the applicable provisions of law and the Main Agreement. The Parties will be released from the obligation to keep confidential information secret if the obligation to disclose confidential information results from mandatory provisions of law or a decision or final non-appealable ruling of a relevant court or authority. A Party is obliged to notify the other Party immediately of becoming aware of any such obligation. In such a case, the Party obligated to disclose confidential information will be obliged to:
      1. disclose only the portion of the confidential information that is required by law;
      2. take all possible steps to ensure that the disclosed confidential information will be treated in a confidential manner and used only to the extent that is justified by the purpose of its disclosure.
    7. The confidentiality obligation does not expire after the end of the Agreement and is not limited in time. In the event the above provision turns out invalid or ineffective, the confidentiality obligation will last for 10 years of the date of expiry of the Main Agreement, regardless of the reason.


  1. Yiledbird is required to implement and apply procedures designed to detect breaches of Personal Data protection and to implement appropriate remediation measures.
    1. After becoming aware of a breach of Personal Data protection, Yieldbird will report it to the Publisher without undue delay, providing information about the circumstances of the breach and potential threats to Personal Data protection.
    2. Yieldbird will take all reasonable measures without undue delay to curtail and remedy any adverse effects of the breach.
    3. Yieldbird is not be entitled or obliged to report the breach to:
      1. data subjects; or
      2. regulatory authority.


  1. If, under the Agreement, the Publisher processes and entrusts Yieldbird with the Residents' Personal Data, the Publisher will inform Yieldbird about it.
  2. In the case of processing Residents' Personal Data, Yieldbird also undertakes not to collect, store, use or disclose such data, except in cases necessary to achieve the Publisher's business purpose as defined in this Agreement or otherwise permitted by CCPA.
  3. Yieldbird shall not sell Residents' Personal Data.


  1. Yieldbird is only liable for damages suffered by the Publisher or data subjects as a result of Yieldbird's processing of the Personal Data in contradiction with the Agreement or the provisions of law directly imposing on Yieldbird in that respect.
  2. The Publisher shall be obliged to present relevant information and notifications on Personal Data processing to the Website users, in accordance with GDPR, CCPA or LGPD and other applicable legal regulations. For this purpose, the Publisher may add to the information published by him a link provided by Yieldbird with a list of Sub-processors at the following address:
  3. The Publisher declares that the Personal Data entrusted to Yieldbird and its trusted Sub-Processors (indicated at are legally processed by the Publisher according to the requirements of the GDPR, in particular based on one of the legal grounds legalizing the processing specified in the GDPR, as well as in accordance with the relevant provisions of the Act of 16 July 2004 Telecommunications Law (Journal of Laws 2004 No. 171 item 1800), providing legal preservation of information, or receiving an access to information that is already stored in Website user's telecommunication terminal device.
  4. Yieldbird shall not be liable for damages resulting from failure to comply with the CCPA or LGPD requirements, which have arisen as a result of Publisher's acts or omissions, in particular if Publisher has not informed Yiedbird that it processes Residents' data.
  5. Publisher will indemnify and hold harmless Yieldbird against all losses, fines, and regulatory sanctions arising from any claim by a third party (including any supervisory authority) arising out of Publisher's negligence, wilful misconduct, and bad faith in connection with any breach of Data Protection Agreement by Publisher.


  1. If Publisher is natural person, Yieldbird shall be the controller of the Publisher's own personal data.
  2. Publisher's own personal data shall be processed in particular:
    1. in order to perform the Agreement and fulfill statutory obligations related to its performance, resulting primarily from the provisions of relevant legal provisions, including accounting and tax regulations – the legal basis is the necessity to conclude and perform the Agreement (Article 6 section 1 letter b of GDPR and fulfillment of Yieldbird legal obligations (Article 6 section 1 letter c of GDPR)
    2. in order to implement Yieldbird's legitimate interests pertaining to the processing of personal data for direct marketing purposes and the possibility of establishing or seeking possible claims or defense against such claims by GDPR – the legal basis for data processing is the legitimate interest of GDPR (Article 6 section 1 point f of GDPR).
  3. Publisher's own personal data may be transferred to Yieldbird capital group companies and other entities providing services to Yieldbird related to the performance of the Agreement, such as internet advertising monetization services (in particular Google Inc. its affiliates, including for auditing purposes), accounting services, occupational health and safety services, business travel services, correspondence registration, recording of business equipment, telephone call settlement, corporate telephone directory maintenance, as well as entities that provide IT systems and services, postal operators and couriers, training providers, banks and other entities providing payment services, entities providing legal services (including tax and debt collection), entities providing medical or sports services, insurers, entities providing document archiving services. Moreover, the data may be transferred to other entities with which Yieldbird cooperates, including in particular subcontractors, customers and other suppliers and contractors. The Publisher's personal data may also be transferred to authorized bodies to the extent required by the applicable law.
  4. Publisher's personal data shall be processed until the Agreement is terminated. The period of personal data processing may be extended each time for a period of limitation of claims, if the processing of personal data is necessary to seek possible claims or defend against such claims by Yieldbird. After this period, the data shall be processed only to the extent and for the time required by law.
  5. Publisher shall have the right to access the data and demand their rectification, deletion, processing restrictions, the right to transfer personal data and object to the processing of data.
  6. Publisher shall also have the right to object to the processing of personal data for reasons related to their special situation.
  7. Publisher shall also have the right to lodge a complaint with the supervisory body dealing with the protection of personal data, if they consider that the processing of personal data violates the provisions of GDPR.
  8. Providing personal data by Publisher shall be necessary for the conclusion and implementation of the given agreement with Yieldbird.


  1. This Data Protection Agreement is concluded for a definite term and will cease to apply upon the end of the Agreement
    1. On the ending date of the Agreement, Yieldbird will, in accordance with the Publisher's instructions, return or destroy, in a manner agreed upon separately with the Publisher, all personal data and copies thereof, unless the applicable national or EU law requires such personal data do be stored.
    2. Any disputes related to this Data Protection Agreement will be resolved by a court of jurisdiction, in accordance with the Agreement.

The schedules to this Agreement constitute an integral part hereof. List of schedules:

  1. Schedule A Scope of entrustment of personal data and contact details of the Parties

Yieldbird may amend this Data Protection Agreement unilaterally by giving Publisher notice by e-mail at least 14 days' prior the amendment. Any amendment to this Agreement may not cause the Data Protection Agreement to conflict with GDPR, CCPA or LGPD.

Scope of entrustment of personal data and contact details of the Parties

  1. Nature and purpose of the processing: Providing monetization of Placements (advertising space in Publisher's Websites)
  2. Categories of data subjects: Publisher's Website users
  3. Type of personal data: IP number and geolocation data collected through cookie technologies placed on the Publisher's Services
  4. Area where personal data will be processed: EEA