• About

    Welcome to the future of marketing measurement and optimization

    MMM labs icons  (1)
    We bring together advanced econometrics and intuitive technology to help brands and agencies optimise every marketing dollar
    MMM labs icons  (14)
    Our mission is to revolutionize MMM by empowering businesses with trusted, open-source code
    MMM labs icons  (15)
    Meet the leaders driving innovation in marketing measurement and analytics
  • Resources

    News, trends, events, and more

    MMM labs icons  (5)
    Stay updated with the latest trends and insights in our blogs
    MMM labs icons  (4)
    Explore a variety of analytics webinars with tips & tricks, best practices and new ideas
    MMM labs icons  (3)
    Explore the future of marketing measurement
    MMM labs icons  (2)

    Explore our ever-expanding ecosystem of free white papers

Data Processing Agreement

Annex No. 1 to the Terms and Conditions

 By this document, we as a processor process the data collected by you as a data controller in accordance with applicable legislation, based on your instructions and on your behalf, in accordance with the purpose of the Agreement on provision of MMM Labs Services and under the conditions set out herein.

1. Introductory provisions

1.1. Subject matter. These are the terms for the processing of Incoming Data as well as other data that we will be receiving from you for the purpose of providing you with MMM Labs Services in accordance with the Agreement on provision of MMM Labs Services.

1.2. Definitions. This Annex is using the same definitions as the Terms, including the subject of us, a contracting party from the ScanmarQED Group, and you, our Client, the contracting parties of the Agreement on provision of MMM Labs Services.

1.3. Types of data we process. For the purposes of the Agreement, we will generally process Incoming Data consisting of aggregated marketing, media and sales data delivered by you, your media agencies and your vendors, and aggregated data exported from advertising and analytical platforms used by you (such as Microsoft Ads, AdForm, Google Analytics, Meta, Google Ads and similar). The Incoming Data is typically aggregated, time-series and modelling-related (e.g. media spend, GRPs, impressions, clicks, sales volumes, distribution, pricing, panel and macroeconomic indicators). This list is not closed and its scope may vary regarding provided MMM Labs Services.

1.4. Personal Data processing. MMM Labs Services are designed to operate on aggregated, non-personal data. If, however, you will be sending us Incoming Data or other data that you consider as personal data, this Annex is to that scope concluded as Data Processing Agreement within the meaning of Art. 28 et seq. of GDPR where you are a data controller, and we act as the processor with the meaning of GDPR.

1.5. Non-personal data processing. If you are sending us data you consider as non-personal data, this Annex is to that scope concluded as non-personal data processing agreement and is subject to the following terms.

1.6. Part of the Agreement. This Annex is an integral part of the Terms and Conditions and therefore as well as the part of the Agreement we have concluded.

1.7. Duration of provision. The processing will be happening during the Duration of provision of the Agreement, including any model build, refresh, validation and reporting cycles agreed under the relevant Agreement.

2. General terms for the processing of the data

2.1. Purpose. You are obliged to set the purpose for such data processing to which the data transfer is connected in line with the Agreement. The typical Purpose for MMM Labs Services is the development, calibration, refresh, validation and use of marketing-mix and related econometric and machine learning algorithms and the related advisory and reporting outputs.

2.2. Purpose limitation. There is no other Purpose for the data processing. You agree only to send us data that you want to process while receiving MMM Labs Services that are being provided in accordance with the Agreement, only to the extent and for the period necessary to fulfil such Purpose. If it is ascertained other data exceeding the purpose has been provided, we will not process it, and we are entitled to immediately remove it from our databases and storages without replacement.

2.3. Processing only upon instructions. We are processing the data only upon your explicit written instruction and on your behalf. The instruction may take place in a technical way (such as data uploads to our intake environment) or by way of an agreed scope of work, brief or model specification. The processing is taking place under the conditions set out in the Agreement.

2.4. No processing of special categories personal data. In no scenario will you instruct us to process data that could be deemed to fall within the scope of any of the special categories of personal data under the GDPR. If it is ascertained that any data that could be deemed to fall within this category has been provided, we have the right to not handle this personal data in any way and are entitled to remove it immediately from our databases and storage sites without replacement. You are obliged to compensate us any damage incurred because of this breach of your obligation according to this paragraph, including any penalties imposed on us by the data protection authorities.

2.5. No profiling. The processing is carried out as automated activities performed by our MMM Labs modelling code and tooling in the form of collecting the provided data, their storage, transformation, combination, statistical/econometric modelling and evaluation. Such processing is performed on aggregated data and does not constitute automated individual decision-making, including profiling of an individual data subject in accordance with Art. 22 of the GDPR.

2.6. Information and transparency. Where required by the applicable legal regulation, you undertake to inform the data subjects that you utilize our MMM Labs Services and that we are acting as a processor in processing for the Purpose. The same applies for informing the original data controller if you act as a processor and you are including us as your sub-processor.

2.7. Using of sub-processors. You grant us the right to engage other sub-processors, including other entities related to ScanmarQED Group, which could be regarded as other processors under the GDPR provided that such persons will perform activities in line with the Purpose and its limitations. You may always request the information of the status of the sub-processors, and we agree to inform you of any changes in these sub-processors. We ensure that our sub-processors are enabled to comply fully with the obligations under the Agreement and applicable privacy law and shall be in all cases fully responsible and liable for the consequences of the acts and omissions of its staff, agents and/or sub-processors giving rise to any non-compliance with the provisions of this Agreement.

2.8. Storage and backups of the data. For the data provided in line with this Data Processing Agreement, we may use the allocated capacity of cloud storages to which we hold the rights. We are also entitled in line with the Agreement and provided MMM Labs Services to store here backups of such provided data, as well as model inputs, intermediate datasets and model outputs to the extent necessary to deliver, refresh, validate and reproduce the modelling work. If we find out that this allocated capacity is being used by you for any other content than for data provided in accordance with this Data Processing Agreement, we are entitled to immediately remove it from the cloud storage without compensation and consider such situation as breach of your obligations.

2.9. Cooperation while complying to the data subject rights. We will provide you with reasonable cooperation in complying with your obligation to respond to requests by the data subject under the GDPR. We will also assist you in complying with your GDPR obligations within the scope corresponding to the provided data and our activities under the Agreement. However, you are not entitled to transfer the performance of your own obligations under the GDPR.  

2.10. Cooperation upon termination of the Agreement. Upon termination or expiration of the Agreement, upon your written request, we shall within 30 days, either (i) return your Personal Data and any copies thereof in a commonly used, machine-readable format, if possible, or (ii) permanently destroy all such Personal Data and certify to you that such action took place; however, we may retain Personal Data to the extent and for such period as required by applicable law or a binding judicial or administrative order, and we may further retain aggregated, anonymised or model-derived outputs that no longer permit identification of any data subject.  

3. Technical and organisational measures

3.1. General security measures. We have in place measures to protect the provided data. These measures including access control and administration of the IT environment, encryption as well as security incident management are subject to our internal policies, and you can request their overview anytime during the Duration of provision. Irrespective of any other measures, we represent that we have adequate resources, experience and knowledge to enable properly perform the provisions of this Data Processing Agreement, including the provision of sufficient safeguards to implement appropriate technical and organisational measures for the processing of Personal Data so that the processing of Personal Data complies with the requirements set out in the applicable regulations.

3.2. Confidentiality of employees and other processors. We ensure confidentiality by all our employees who, in the performance of their activities, come or could meet data that you are providing for the Purpose. This obligation of the Provider also applies if the Provider performs the processing using persons other than its employees, including other processors, if any.

4. Responsibility & liability for the data

4.1. Your responsibility for the data provided. As data controller, you bear full responsibility and liability for the accuracy, completeness, and currency of all data provided to us. We assume no responsibility for any damages or losses arising from inaccuracies, incompleteness, or outdatedness of the provided data. We shall not be held liable for any direct, indirect, incidental, special, or consequential damages resulting from the use or inability to use the provided personal data, unless such damages are caused by our wilful misconduct or gross negligence. For the avoidance of doubt, the modelling outputs delivered as part of MMM Labs Services are based on the data and assumptions you provide and do not constitute investment, financial or legal advice.

4.2. Breach of your obligations. In the event of breach of your obligations arising from this Agreement or applicable legislation, you are fully liable for any sanctions, fines or other penalties imposed by the competent authorities. We shall not be liable for any consequences arising from such breaches unless they are caused by our wilful misconduct or gross negligence.

5. Incident management

5.1. Incident. Our technical and organisational measures include preventing change of the data and destruction or its loss, unauthorized transfer, unauthorised processing, as well as other misuse of such data. We also prevent any unauthorized or accidental access unless it is via your User Account happening on the purpose of lack of security on your side. If any of the above occurs in relation to the Personal Data, we will treat such situations as an “Incident”.

5.2. Information obligation. If an Incident occurs, we agree to inform you about it without delay so you can comply with the deadlines for their notification under the GDPR, if required. To the extent that we are technically able, we will also provide you with the necessary documentation so you can properly inform the data subject of the incident in accordance with Article 34(3) of the GDPR.

5.3. Cooperation in investigation. While we will be investigating the Incident and its origin, you agree to cooperate with us in respect to any and all inquiries from any regulatory, government or the supervisory authority.

6. Compliance verification

6.1. General verification. You have the right to verify our compliance with the obligations under the Agreement by requesting any information relating to the provided data considered as personal.

6.2. Inspections. We allow you to inspect our adopted technical and organizational measures for the purpose of the Agreement on any business day between 10:00 a.m. and 4:00 p.m. CEST based on your prior notice given fifteen business days before the inspection. We agree to provide you with the assistance during this inspection. We undertake to provide the same cooperation in the inspection to the person authorised by you to carry out such inspection and to present such authorisation to us. Once you perform an inspection, you are not entitled to run another within next 3 months and you are also obliged to provide us with the final report from such inspection.

6.3. Audit: notification and preparation. In case an Incident occurred, or you have reasonable grounds to suspect that there is a breach of our obligations in relation to the personal data processed, you have the right to audit us with respect to our compliance of the data processing with the GDPR and the Agreement. You need to prior notify us that you want to conduct such audit no later than in three days after the Incident occurred or from the moment you have those reasonable grounds. The prior notice needs to be given at least seven business days before the audit. The audit may be carried out by you as well as any other persons authorised by you. When notifying us about the audit, you need to provide us with the details of the persons carrying out the audit. We are not obliged or entitled to provide any information to persons other than those communicated in the notification, except for persons who are involved or participating in the audit by virtue of the exercise of public authority (e.g. persons authorised by the relevant supervisory authority, etc.). An audit may be conducted remotely, on-site or by sending our specific certification.

6.4. Audit: process. During audit, we undertake to cooperate with the auditors and a) provide the requested information in our possession without further delay, b) secure the requested information from the other processor involved in the respective processing without further delay, c) provide them with the access to the available premises where personal data are processed under the provisions of the Agreement, d) allow inspection and testing of all available equipment and documentation used in connection with the processing of personal data, e) provide the auditors with other requested available information or documents if necessary to carry out the audit.

6.5. Audit: final report. After audit, you are obliged to provide us with the audit report. You will provide us with the right and sufficient time to comment on this audit and that these comments will be considered and incorporated into the audit report, at a minimum, by attaching them to this audit report as a preparer’s statement.

Untitled design (21)-3