GDPR Data Policy

Ad Network Solutions B.V. GDPR Data Policy
(hereinafter “Policy”)

Introduction

Ad Network Solutions B.V. is a company incorporated under Dutch law, having its registered address situated at Keizersgracht 203 4, 1016 DS Amsterdam, the Netherlands and bearing company number 88337367 (hereinafter the “Company”). The Company is an online marketing network that liaises between affiliates and advertisers to achieve maximum sales results for all parties through strong relationships and the power of technology.

Definitions related to the General Data Protection Regulation:

Term | Definition
Data Controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor | the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data Subject | refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity
Data Subject | means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council Directive 95/46/EC (General Data Protection Regulation).
Personal Data Breach | is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Personal Identifiable Information (“PII” or “Personal Data”) | means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing | any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Principles relating to processing of Personal Data

As per the GDPR, the Company complies with the 7 principles involving Personal Data as per article 5 of the GDPR:

  1. Personal Data shall be:

    • a) processed lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’);
    • b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with account creation purposes (‘purpose limitation’);
    • c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    • d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    • e) Storage limitation. All Personal Data collected is kept for no longer than is necessary for the purposes for which the Personal Data are processed;
    • f) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  2. The Company has developed guidelines for its employees and all its staff to ensure that its data processing and securing measures follow GDPR obligations. In addition, ongoing corporate training and awareness programmes are being given to all the employees and staff who are involved with the processing of Personal Data.

  3. Any data access requests that any employee and/or staff receives should be forwarded immediately to their immediate manager.

Rights of the Data Subject

Data Subjects have the following rights via the GDPR:

Right | Timeframe for completing the requested action
Right to Information | Information about Personal Data collected is displayed instantaneously when creating an account.
Right of Access | Information about all Personal Data collected can be obtained within 1 month from the date that the request is submitted.
Right to rectification | All inaccurate Personal Data will be corrected within 1 month from receiving the request.
Right to be forgotten (or right to erasure) | Unless required by Union or Member State law, all Personal Data will be erased within a maximum of 2 business days.
The Right to restrict processing | Without undue delay
The Right to Object | The Company will no longer process the Personal Data as soon as it obtains the objection.
Right to withdraw consent | Without undue delay
Right to object to automated processing | Without undue delay
Right to Data Portability | One month from the date that the request is submitted

A Data Subject Access Request (“DSAR”) can be made by a Data Subject or their legal representative, and such request must be made in writing. In general, verbal requests for Personal Data held about a Data Subject are not valid DSARs. In the event a DSAR is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer (hereinafter “DPO”) or the appointed privacy professional.

How can a Data Subject make a request in line with a DSAR?

A DSAR can be made via any of the following methods:

DSARs made online must be treated like any other DSAR when they are received, though the Company must not provide personal information via social media channels. In addition, the Company is not required to respond to requests for information unless it is provided with sufficient details to satisfy itself as to the identity of the Data Subject making the request.

How long can a Company take to answer a DSAR?

The Company must provide a response to Data Subjects requesting access to their data within 30 calendar days of receiving the DSAR, unless Dutch Law specifically dictates otherwise. Should the Company require more time, the Data Subject or his or her legal representative must be notified in writing.

The Company has the right to charge a fee for the processing of repetitive and excessive Data Subject Access Requests (as defined under the GDPR). In doing so, the Company will justify the charge and prove that the requests are excessive and repetitive in line with this Policy.

When dealing with a DSAR, the Company should take the following steps:

  • Register the request and provide an acknowledgment to the Data Subject;
  • Verify the request was made by the Data Subject or his/her legal representative;
  • Provide the required information to the Data Subject. If required, the DPO may be consulted for advice;
  • In case a Data Processor is involved in the processing of Personal Data, and the Personal Data is shared with the Data Processor, the latter must be informed of the need to take the required actions related to the DSAR. Such actions usually arise when the rights to rectification, erasure or objection are exercised.

Are there exemptions when answering a DSAR?

The Company should not normally disclose the following types of information in response to a DSAR:

  • Information about other Data Subjects – A DSAR may cover information that relates to other Data Subject/s other than the Data Subject. Access to such Personal Data will not be granted unless the Data Subjects involved consent to the disclosure of their Personal Data.
  • Publicly available information – The Company is not required to provide copies of documents that are already in the public domain.
  • Opinions given in confidence or protected by copyright law – The Company does not have to disclose Personal Data held in relation to a Data Subject that is in the form of an opinion given in confidence or protected by copyright law.
  • Privileged documents – Any privileged information held by the Company need not be disclosed in response to a DSAR. In general, privileged information includes any document that is confidential (e.g., a direct communication between a client and his or her lawyer) and is created for the purpose of obtaining or giving legal advice.

Finally, it is up to the DPO who/which can advise on the decision as to whether a document can be shared or not.

Personal Data breach notification

In the case of a Personal Data breach, the Data Controller shall without undue delay and not later than 72 hours after having become aware of it, notify such to the supervisory authority, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Data Subject. When the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach. The notification shall at least contain:

  1. Description of the nature of the Personal Data Breach including where possible the categories and approximate number of Data Subjects concerned;
  2. Communicate the nature and contact details of the DPO;
  3. Describe the likely consequences of the Personal Data breach;
  4. Describe the measures taken/proposed to be taken by the Data Controller to address the Personal Data breach including measures to mitigate its possible adverse effects.

When the Personal Data breach is likely to result in a high risk to the rights of a Data Subject, the Data Controller shall communicate the said breach to the Data Subject without undue delay. Such notification shall be written in a clear and plain language.

Such communication is not needed if any of the below actions are met:

  1. Data Controller has implemented appropriate technical measures to safeguard any Personal Data;
  2. Data Controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise;
  3. It would involve disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

If the Data Controller has not already communicated the Personal Data breach to the Data Subject, the supervisory authority, having considered the likelihood of that Personal Data breach resulting in a high risk, may require it to do so or may decide that any of the conditions mentioned in the above paragraph are met.

Addressing compliance with the GDPR

The Company adheres to the following measures to ensure the GDPR is complied with:

  1. The legal basis for processing Personal Data is clear;
  2. A DPO is appointed with specific responsibility for data protection in the organisation;
  3. All employees involved in handling Personal Data understand their responsibilities for following good data protection practices;
  4. Training in data protection has been provided to all employees and staff;
  5. Rules regarding processing Personal Data are followed;
  6. There is a clear way for Data Subjects to exercise their individual rights regarding Personal Data;
  7. Privacy by design is employed for all new or updated processes.

Should you wish to access the full text of the GDPR, you may do so by accessing the following site: www.gdpr-info.eu