Data Control and Processing Policy

Contents

  1. SECTION I
  2. SECTION II – OBLIGATIONS OF THE PARTIES
  3. SECTION III – LOCAL LAWS AND PUBLIC AUTHORITY ACCESS
  4. SECTION IV – FINAL PROVISIONS
  5. APPENDIX
  6. ANNEX I
  7. ANNEX II
  8. ANNEX III

Clause 1: Purpose and Scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) The natural or legal person(s), public authority/ies, agency/ies, or other body/ies transferring the personal data, as listed in Annex I.A. (hereinafter “data exporter”), and

(ii) The entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2: Effect and Invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3: Third-Party Beneficiaries

  1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e); and

(viii) Clause 18(a) and (b).

  2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4: Interpretation

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5: Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6: Description of the Transfer(s)

  1. The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
  2. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall subsequently be provided without undue delay.
  4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

Clause 8: Data Protection Safeguards

8.1 Instructions

  1. The data exporter confirms it has ensured the data importer can meet its obligations under these Clauses through appropriate technical and organizational measures.
  2. The data exporter informs the data importer that it processes data as per the controller’s instructions, which will be provided before processing begins.
  3. The data importer must process personal data only as instructed by the controller, as conveyed by the data exporter, without conflicting with the controller’s instructions.
  4. If the data importer cannot comply with these instructions, it must notify the data exporter immediately. The data exporter will then inform the controller.
  5. The data exporter guarantees that it has required the data importer to follow the same data protection obligations as outlined in the contract or legal agreement between the controller and the data exporter.

8.2 Purpose Limitation

The data importer will process personal data only for the specific purposes detailed in Annex I.B., unless further instructions are provided by the controller through the data exporter.

8.3 Transparency

Upon request, the data exporter will provide a copy of these Clauses to the data subject at no cost. If necessary, confidential information may be redacted, but a meaningful summary must be provided. The reasons for redactions should be given upon request, without disclosing the redacted content.

8.4 Accuracy

If the data importer discovers that the personal data it has received is inaccurate or outdated, it must inform the data exporter promptly and cooperate to correct or delete the data.

8.5 Duration of Processing and Data Erasure/Return

The data importer will process personal data only for the period specified in Annex I.B. After the processing services end, the data importer must delete or return all personal data as instructed by the data exporter, and confirm this action. If deletion or return is prohibited by local law, the data importer must continue to protect the data and only process it as required by law. The data importer must also notify the data exporter if it believes it is subject to any conflicting laws or practices.

8.6 Security of Processing

  1. Both the data importer and, during transmission, the data exporter must implement appropriate security measures to protect personal data from breaches, including unauthorized access, loss, or alteration. The level of security should consider current technology, costs, processing nature, scope, and risks to the data subject. Encryption or pseudonymization should be used where appropriate.
  2. The data importer will limit data access to personnel strictly necessary for fulfilling the contract and ensure they are bound by confidentiality.
  3. In the event of a data breach, the data importer must take immediate measures to address the breach and mitigate its effects. The data importer must notify the data exporter and, if feasible, the controller, providing details about the breach, including its nature, potential consequences, and actions taken.
  4. The data importer must assist the data exporter in complying with data breach notification requirements under EU Regulation 2016/679, ensuring the controller and supervisory authority are informed as necessary.

8.7 Sensitive Data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward Transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, or if:

(i) The onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) The third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) The onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory, or judicial proceedings; or

(iv) The onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and Compliance

  1. The data importer shall promptly and adequately deal with inquiries from the data exporter that relate to the processing under these Clauses.
  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
  4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority on request.

Clause 9: Use of Sub-Processors

  1. The data importer has the data exporter’s general authorization for the engagement of sub-processors from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to object to such changes before the engagement of the concerned sub-processor(s).
  2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter) that involve the transfer of personal data within the scope of these Clauses, it shall do so by way of a written contract that provides the same level of protection for the personal data as provided under these Clauses, including by ensuring that the data subject can enforce their rights against the data importer. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses and Regulation (EU) 2016/679.
  3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing the copy.
  4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any breach by the sub-processor of its obligations under that contract.
  5. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11: Redress

  1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints or requests from data subjects.
  2. In case of a dispute between a data subject and one of the Parties concerning the processing of personal data under these Clauses, the Party shall use its best efforts to resolve the issue amicably in a timely fashion.
  3. The data importer agrees that data subjects may lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects about this mechanism and that they can also make a complaint to the competent supervisory authority under Clause 13.
  4. The data importer agrees that data subjects may have the right, under certain conditions, to invoke binding arbitration and that the arbitration decision shall be final and binding on the data importer.

Clause 12: Liability

  1. Each Party shall be liable to the other Party for any damages it causes the other Party by any breach of these Clauses.
  2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
  3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject if the data importer or its sub-processor fails to fulfil its obligations under these Clauses.
  4. The Parties agree that if one Party is held liable under paragraphs (a) and (c), it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.
  5. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13: Supervision

  1. The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  2. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to inquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

Clause 14: Local Laws Impacting Compliance

  1. The Parties confirm they have no reason to believe that the laws or practices in the destination country prevent the data importer from fulfilling its obligations under these Clauses. This assumption is based on the understanding that laws respecting fundamental rights and freedoms, and that are necessary and proportionate in a democratic society, do not conflict with these Clauses.
  2. The Parties have considered several factors in making this warranty:
     1. Specific circumstances of the data transfer, such as processing chain length, actors involved, data recipient types, processing purposes, data categories, and storage location.
     2. Relevant local laws and practices in the destination country, including those requiring disclosure to public authorities.
     3. Any additional contractual, technical, or organizational safeguards applied to protect the data.

(c) The data importer guarantees that it has provided all relevant information to the data exporter to assist in this assessment and will continue cooperating to ensure compliance. The assessment is documented and can be shared with the supervisory authority upon request.

(d) The data importer must promptly inform the data exporter if it becomes subject to laws or practices that could affect its ability to meet the obligations under these Clauses. The data exporter must then inform the controller.

(e) If such a notification is received or if the data exporter suspects the data importer cannot comply with these Clauses, the data exporter must identify appropriate measures, such as technical or organizational changes, to address the situation. If no adequate safeguards can be ensured, the data exporter may suspend the data transfer or terminate the contract, as applicable.

Clause 15: Data Importer’s Obligations Regarding Public Authority Access

15.1 Notification of Public Authority Requests

  1. The data importer must inform the data exporter and, where possible, the data subject if it receives a legal request from a public authority for the disclosure of personal data or if it becomes aware of any unauthorized access by public authorities.
  2. If the data importer is legally prohibited from notifying the data exporter or data subject, it must make its best efforts to obtain permission to provide as much information as possible, as quickly as possible. These efforts must be documented.
  3. Where allowed, the data importer must regularly inform the data exporter about the number and types of requests received, the authorities making the requests, and the outcomes. This information will be passed on to the controller.
  4. The data importer must preserve all information related to such requests and make it available to the supervisory authority if required.

15.2 Legal Review and Data Minimization

  1. The data importer must review the legality of any disclosure request and challenge it if there are reasonable grounds to believe it is unlawful under local or international law. It must seek interim measures to suspend the effects of the request during the challenge process and refrain from disclosing data until legally obligated to do so.
  2. The data importer must document its legal assessments and any challenges to requests and make these documents available to the data exporter and the supervisory authority, where permissible.
  3. The data importer must disclose only the minimum amount of information required by the request, interpreting it as narrowly as possible.

Clause 16: Non-Compliance and Termination

  1. The data importer must immediately notify the data exporter if it cannot comply with these Clauses for any reason.
  2. If the data importer breaches or cannot comply with these Clauses, the data exporter must suspend data transfers until compliance is restored or the contract is terminated. This is subject to Clause 14(f).
  3. The data exporter may terminate the contract (regarding personal data processing) if:
     1. The data transfer is suspended due to non-compliance, and compliance is not restored within a reasonable period, not exceeding one month.
     2. The data importer is in significant or repeated breach of these Clauses.
     3. The data importer fails to comply with a binding decision from a court or supervisory authority related to its obligations under these Clauses.

In such cases, the data exporter must inform the controller and relevant supervisory authority. If the contract involves multiple parties, termination applies only to the non-compliant party unless agreed otherwise.

  4. Upon contract termination under Clause 16(c), the data importer must, at the data exporter’s discretion, immediately return or delete all transferred personal data, including any copies. The data importer must certify the deletion. If local laws prevent data return or deletion, the data importer must continue to comply with these Clauses and only process the data as required by law.
  5. Either party can withdraw from these Clauses if the European Commission issues a decision under Article 45(3) of Regulation (EU) 2016/679 covering the data transfer, or if this regulation becomes part of the legal framework in the data importer’s country. This does not affect other applicable obligations under the regulation.

Clause 17: Governing Law

These Clauses are governed by the law of an EU Member State that allows third-party beneficiary rights. The parties agree on the law of the Grand Duchy of Luxembourg.

Clause 18: Forum and Jurisdiction

  1. Any disputes arising from these Clauses will be resolved by the courts of an EU Member State.
  2. The parties agree that the courts of Luxembourg City will have jurisdiction.
  3. Data subjects may also bring claims against the data exporter or importer in the courts of their habitual residence.
  4. The parties agree to submit to the jurisdiction of these courts.

A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as “Client” in the DPA.

Address: The address for Client associated with its IREV account or as otherwise specified in the DPA or the Agreement.

Contact person’s name, position, and contact details: The contact details associated with Client’s account, or as otherwise specified in the DPA or the Terms and Conditions.

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1.3 of the DPA.

Signature and date: By using the Services to transfer Client Data to Third Countries, the data exporter will be deemed to have signed this Annex I.

Role (controller/processor): Controller

Data importer(s):

Name: “IREV” as identified in the DPA.

Address: The address for IREV specified in the DPA or the Agreement.

Contact person’s name, position, and contact details: The contact details for IREV specified in the DPA or the Terms and Conditions.

Activities relevant to the data transferred under these Clauses: The activities specified in Section 1.3 of the DPA.

Signature and date: By transferring Client Data to Third Countries on Client’s instructions, the data importer will be deemed to have signed this Annex I.

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

  1. Categories of data subjects whose personal data is transferred: Described in Section 1.3 of the DPA.
  2. Categories of personal data transferred: Described in Section 1.3 of the DPA.
  3. Sensitive data transferred (if applicable): Sensitive personal data might be included as described in Section 1.3 of the DPA.
  4. Frequency of the transfer: Personal data is transferred in accordance with Client’s instructions as described in Section 12 of the DPA.
  5. Nature of the processing: Described in Section 1.3 of the DPA.
  6. Purpose(s) of the data transfer and further processing: To provide the Services.
  7. Retention period: Determined by the data exporter in accordance with the DPA.
  8. For transfers to (sub-) processors: The subject matter, nature, and duration of processing are described in Section 1.3 of the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

TECHNICAL AND ORGANISATIONAL MEASURES

  1. Description of measures: The technical and organizational measures, including certifications, to ensure security are described in the DPA.
  2. For transfers to (sub-) processors: The specific technical and organizational measures are described in the DPA.

ADDITIONAL CLAUSES

The Limitations of Liability section of the Agreement (usually Section 11) is an additional clause pursuant to Clause 2 of these Clauses.