CodeFuel and Publisher Compliance with EU Data Protection Laws

European Union (EU) data protection law regulates the transfer of personal data to countries outside the European Economic Area (EEA). With respect to the various products and services that CodeFuel offers to its partners, such personal data may include data about partners of CodeFuel or their end users, and end users of CodeFuel. On a practical level, compliance with EU data protection laws means that personal data collected and processed in connection with the services provided by CodeFuel to its partners and end users can be transferred to and processed outside of the EEA.

The following clauses, which form an integral part of CodeFuel agreements which contain a link to this page (the “Agreement”), are based on the standardized contractual clauses approved by the European Commission to ensure that any personal data leaving the EEA will be transferred in compliance with EU data protection laws and meet the requirements of the EU Data Protection Directive 95/46/EC.

A reference to “Partner” in the clauses below may mean a Publisher or Advertiser depending on your title under the Agreement which incorporates these clauses. To the extent that you are a Publisher, you acknowledge and agree that the flow of data from you to CodeFuel and nature of the relationship between you and CodeFuel characterizes you as the “Data Exporter” and CodeFuel as the “Data Importer”. To the extent that you are an Advertiser, you acknowledge and agree that the flow of data and the nature of the relationship between you and CodeFuel characterizes CodeFuel as the “Data Exporter” and you as the “Data Importer”.

Contractual Data Transfer Clauses:

The parties represent and warrant that CodeFuel and Partner are both considered Data Controllers as such terms are defined under applicable EU law.

1. Obligations of Data Exporter

(a) Data Exporter shall undertake and ensure that (a) all end users have been informed of, and have given their consent to, CodeFuel’s use, process, and transfer of Personal Data as described in CodeFuel’s Privacy Policy located at, as required by all applicable data protection legislation; (b) it has obtained clear and unambiguous consent from all end users that Personal Data may be transferred or stored outside the European Economic Area and/ or outside the country where Data Exporter or its end users are located; (c) Personal Data has been and will continue to be collected, processed and transferred by it in accordance with the relevant provisions of the applicable data protection legislation; (d) it has used reasonable efforts to determine that Data Importer has implemented sufficient Technical and Organisational Security Measures (as defined below) and those measures are appropriate to protect Personal Data and that it is able to satisfy its legal obligations under these clauses; and (e) it will properly respond to enquiries from the authority concerning processing of the Personal Data by Data Importer, unless the parties have agreed that the Data Importer will so respond, in which case the Data Exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Importer is unwilling or unable to respond. Responses will be made within a reasonable time. To the extent that CodeFuel is a Data Exporter, the Data Importer acknowledges and agrees CodeFuel does not have a direct relationship with end users and such indirect relationship is established through CodeFuel’s publishers. As such, Data Importer agrees that CodeFuel’s compliance with Sections 1(a) and (b) as Data Exporter are satisfied through contractual obligations between CodeFuel and its publishers which reflect the above.

2. Obligations of Data Importer

(b) Data Importer undertakes and agrees that: (a) it will process Personal Data in accordance with the relevant data protection legislation applicable to a data controller and it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations in regard to the processing of Personal Data; (b) it has in place appropriate Technical and Organisational Security Measures to protect the Personal Data and to provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected; (c) it will deal properly with reasonable inquiries from Data Exporter or from the law enforcement authority relating to its processing of the Personal Data (including submitting its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the Data Exporter (or any independent or impartial inspection agents or auditors, selected by the Data Exporter and not reasonably objected to by the Data importer) to ascertain compliance with the undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Importer, which consent or approval the Data Importer will attempt to obtain in a timely fashion; (d) it will have in place procedures so that any third party it authorises to have access to Personal Data, including data processors, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of Data Importer, including a data processor shall be obligated to process the Personal Data only on instructions from SData Importer. Subsection 2(f) does not apply to persons authorised or required by law or regulation to have access to the Personal Data; (e) it will process the Personal Data for purposes described hereunder and in the Agreement, and has the legal authority to give the warranties and fulfil the undertakings set out in these sections; (f) it will not disclose or transfer Personal Data to a third party data controller located outside the European Economic Area (EEA) unless such transfer is approved hereunder or it notifies Data Exporter about the transfer and: (i)the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses (or similar clauses) or another data transfer agreement approved by a competent authority in the EU.

In the event that Data Importer is in breach of its obligations under Section 2, then Data Exporter may temporarily suspend the transfer of personal data to Data Importer until the breach is repaired or terminate the Agreement immediately.

3. Notification

The parties will promptly notify each other about (i) any legally binding request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited and (ii) any request received directly from an end user and respond to such request to the extent reasonably possible and with the information reasonably available to it if the other party is unwilling or unable to respond.

4. CodeFuel Collection

Without derogating from the foregoing, Partner represents and warrants that it has obtained the relevant consents and authority for the collection by and transfer to CodeFuel and CodeFuel’s partners and third party service providers, including, without limitation, the Web Search Provider and other advertising partners, of information (including, without limitation, search terms and IP addresses) collected from end users of Partner in accordance with CodeFuel’s privacy policy located at

5. Miscellaneous.

All capitalized terms that are not defined in this clauses shall have the same meaning as set forth in the relevant Agreement between you and CodeFuel. For the purpose of these clauses: (a) “Personal Data” means any data related to individual or identifies an individual or may with reasonable effort identify an individual, and (b) “Technical and Organizational Security Measures” means measures aimed at protecting Personal Data against accidental, unauthorized or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing.

Last Updated: February 26, 2017