Data Processing Agreement
Data Processing Agreement (DPA) — Meier Media B.V.
This Data Processing Agreement has been drawn up in accordance with Article 28 of the General Data Protection Regulation (AVG/GDPR) and forms an integral part of the agreement between Meier Media B.V. and the Controller.
Last updated: April 2026
Article 1 — Definitions
The following definitions are used in this Data Processing Agreement:
- GDPR (AVG): the General Data Protection Regulation (Regulation (EU) 2016/679), referred to in Dutch as the Algemene Verordening Gegevensbescherming (AVG).
- Data Subject: the identified or identifiable natural person to whom the Personal Data relate.
- Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Personal Data: any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- Processing: any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data.
- Controller: the client who determines the purposes and means of the Processing of Personal Data and who has entered into an agreement with Meier Media to which this Data Processing Agreement applies.
- Processor: Meier Media B.V., having its registered office in Rotterdam, registered with the Dutch Chamber of Commerce (KVK) under number 80869246, with its place of business at Schiedamse Vest 154, 3011BH Rotterdam, the Netherlands, which processes Personal Data on behalf of the Controller.
- Sub-processor: a third party engaged by the Processor to carry out (part of) the Processing of Personal Data.
- Main Agreement: the agreement between the Controller and the Processor under which the Processor provides Services, including but not limited to media buying intelligence, marketing cost optimisation and media deal sourcing.
- Supervisory Authority: the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or any other competent supervisory authority within the meaning of the GDPR.
Article 2 — Subject Matter
2.1. This Data Processing Agreement relates to the Processing of Personal Data that the Processor carries out on behalf of the Controller in the context of the Main Agreement.
2.2. The Processing concerns the following categories of Personal Data:
- Contact details of employees and contact persons of the Controller (name, email address, telephone number, job title);
- Data relating to media buying and marketing (campaign data, budget information, performance data);
- Communication data (email correspondence, call notes, meeting minutes);
- Financial and administrative data (invoicing data, payment data);
- Other Personal Data processed in the context of the Services.
2.3. The categories of Data Subjects include:
- Employees and contact persons of the Controller;
- Clients and business relations of the Controller, insofar as their data are processed in the context of the Services;
- Other natural persons whose Personal Data are provided to the Processor.
2.4. The Processing is carried out for the purpose of: analysing and optimising media buying, sourcing media inventory, negotiating with media suppliers, reporting on results achieved, and performing other Services as described in the Main Agreement.
Article 3 — Obligations of the Controller
3.1. The Controller warrants that the content, use and instruction for the Processing of Personal Data as referred to in this Data Processing Agreement are not unlawful and do not infringe on any right of third parties.
3.2. The Controller is responsible for compliance with the GDPR and other applicable privacy legislation with respect to the purposes and means of the Processing as determined by the Controller.
3.3. The Controller shall ensure that it has a valid legal basis for the Processing of the Personal Data provided to the Processor.
3.4. The Controller shall inform the Processor without delay of any changes to the nature or scope of the Personal Data being processed, the categories of Data Subjects or the purposes of the Processing.
3.5. The Controller shall indemnify the Processor against all claims from Data Subjects and third parties related to the instructions given by the Controller, unless the Processor demonstrates that the fact giving rise to the claim is attributable to the Processor.
Article 4 — Obligations of the Processor
4.1. The Processor shall process the Personal Data only on the basis of documented instructions from the Controller, unless the Processor is required to do so by Union or Member State law. In that case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.
4.2. The Processor shall not process the Personal Data for its own purposes or the purposes of third parties.
4.3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection legislation.
4.4. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.5. The Processor shall take all measures required under Article 32 of the GDPR. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are further described in Appendix A to this Data Processing Agreement.
4.6. The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects regarding the exercise of their rights as set out in Chapter III of the GDPR (right of access, rectification, erasure, restriction, data portability, objection).
4.7. The Processor shall assist the Controller in meeting its obligations under Articles 32 to 36 of the GDPR (security, Data Breach notification obligation, data protection impact assessment and prior consultation).
4.8. Upon termination of the processing services, the Processor shall, at the choice of the Controller, delete all Personal Data and remove existing copies, unless Union or Member State law requires storage of the Personal Data. The Processor shall inform the Controller of any statutory retention obligations.
4.9. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Article 5 — Sub-processors
5.1. The Processor shall not engage a Sub-processor without prior specific or general written authorisation from the Controller.
5.2. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The Controller shall have fourteen (14) days after notification to raise an objection.
5.3. If the Controller objects to a proposed Sub-processor, the Parties shall consult to reach a mutually acceptable solution. If no solution is reached, the Controller shall be entitled to terminate the Main Agreement with a notice period of thirty (30) days.
5.4. When the Processor engages a Sub-processor, the Processor shall impose on the Sub-processor, by way of a contract, the same data protection obligations as set out in this Data Processing Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR.
5.5. Where the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
5.6. Upon request of the Controller, the Processor shall provide a current list of Sub-processors, including their name, place of establishment and the nature of the processing activities performed by them.
Article 6 — Disclosure of Personal Data
6.1. The Processor shall not disclose Personal Data to third parties except on the basis of documented instructions from the Controller, under a statutory obligation, or with the prior written consent of the Controller.
6.2. The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or to an international organisation, unless:
- The European Commission has decided that the third country in question ensures an adequate level of protection;
- Appropriate safeguards have been provided in accordance with Article 46 of the GDPR, such as Standard Contractual Clauses (SCCs);
- The Controller has given explicit written consent for the transfer.
6.3. If the Processor is required by Union or Member State law to disclose Personal Data, the Processor shall inform the Controller of that legal requirement prior to disclosure, unless that law prohibits such notification on important grounds of public interest.
Article 7 — Security
7.1. The Processor shall implement appropriate technical and organisational measures to protect the Personal Data against loss, unauthorised access, alteration, disclosure or any other form of unlawful Processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing.
7.2. The security measures shall include at minimum the measures described in Appendix A to this Data Processing Agreement.
7.3. The Processor shall regularly evaluate the effectiveness of the technical and organisational measures and adjust them where necessary to continue to ensure an appropriate level of security.
7.4. The Controller shall be entitled, upon prior written notice and at its own expense, to have an audit carried out to verify compliance with the security measures. The audit shall be conducted in a manner that minimises disruption to the Processor's business operations.
Article 8 — Data Breach Notification
8.1. The Processor shall notify the Controller without undue delay, and where feasible within twenty-four (24) hours, after becoming aware of a Data Breach.
8.2. The notification to the Controller shall include at least:
- The nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the contact person at the Processor where more information can be obtained;
- A description of the likely consequences of the Data Breach;
- A description of the measures proposed or taken by the Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.3. Where, and insofar as, it is not possible to provide all information at the same time, the information may be provided in phases without undue delay.
8.4. The Processor shall provide the Controller with all cooperation that may reasonably be required in fulfilling the Controller's notification obligations to the Supervisory Authority (Article 33 GDPR) and to the Data Subjects (Article 34 GDPR).
8.5. The Processor shall document all Data Breaches, including the facts relating to the Data Breach, its effects and the corrective measures taken, and shall make this documentation available to the Controller and the Supervisory Authority upon request.
Article 9 — Confidentiality
9.1. The Processor shall treat all Personal Data it processes under this Data Processing Agreement as strictly confidential.
9.2. The Processor shall ensure that all persons who have access to the Personal Data, including employees, contractors and Sub-processors, are bound by an obligation of confidentiality, whether contractual or by virtue of a statutory obligation.
9.3. The obligation of confidentiality shall not apply to information that the Processor is required to disclose by virtue of a statutory obligation or court order, provided that the Processor notifies the Controller in advance, to the extent legally permitted.
9.4. The obligation of confidentiality shall remain in force after termination of this Data Processing Agreement and the Main Agreement.
Article 10 — Intellectual Property
10.1. The Personal Data provided by the Controller to the Processor shall remain the property of the Controller. The Processor shall not acquire any intellectual property rights with respect to the Personal Data.
10.2. All systems, methods, tools, software and other resources used by the Processor for the Processing of Personal Data, which have been developed by or on behalf of the Processor, shall remain the exclusive property of the Processor, unless otherwise agreed in writing.
10.3. The Controller shall not be permitted to copy, modify, reverse-engineer or make available to third parties the systems, methods or tools of the Processor.
Article 11 — Liability
11.1. The liability of the Processor under this Data Processing Agreement shall be subject to the liability provisions set out in the Main Agreement and the General Terms and Conditions of Meier Media B.V.
11.2. The Processor shall only be liable for damage resulting from Processing that is in breach of the obligations specifically directed at the Processor under the GDPR, or that is in breach of the instructions of the Controller.
11.3. The Processor shall not be liable for damage arising from instructions of the Controller, incorrect or incomplete data provided by the Controller, or failure by the Controller to comply with its obligations under the GDPR.
11.4. The Controller shall indemnify the Processor against all claims from Data Subjects, Supervisory Authorities and third parties arising from the Controller's acts or omissions in breach of the GDPR or this Data Processing Agreement.
11.5. In accordance with Article 82 of the GDPR, any controller or processor involved in the Processing shall be liable for damage caused by Processing that infringes the GDPR. A Processor shall be liable for damage caused by Processing only where it has not complied with the obligations of the GDPR specifically directed at processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.
Article 12 — Term and Termination
12.1. This Data Processing Agreement shall enter into force at the time the Main Agreement is concluded and shall remain in force for as long as the Processor processes Personal Data in the context of the Main Agreement.
12.2. Upon termination of the Main Agreement, for whatever reason, this Data Processing Agreement shall terminate by operation of law, provided that the provisions that by their nature are intended to survive termination (including in any event the provisions on confidentiality, liability and the return or destruction of Personal Data) shall remain in force.
12.3. After termination of the Data Processing Agreement, the Processor shall delete all Personal Data and remove existing copies within thirty (30) days, unless Union or Member State law requires storage of the Personal Data. The Processor shall confirm the deletion in writing to the Controller.
12.4. The Controller may, prior to deletion, request the return of the Personal Data in a commonly used machine-readable format. The Processor shall cooperate with such request at the hourly rates applicable at that time.
Article 13 — Dissolution
13.1. Either Party shall be entitled to dissolve this Data Processing Agreement with immediate effect by means of a written notice, if:
- The other Party fails to fulfil a material obligation under this Data Processing Agreement and such breach is not remedied within thirty (30) days after written notice of default;
- The other Party is declared bankrupt, applies for or obtains a suspension of payment, or otherwise loses the free disposal of its assets;
- Performance of the Data Processing Agreement becomes permanently impossible.
13.2. Dissolution of this Data Processing Agreement shall not automatically result in dissolution of the Main Agreement, unless the ground for dissolution also constitutes a ground for dissolution of the Main Agreement.
13.3. Upon dissolution of this Data Processing Agreement, the provisions of Articles 12.3 and 12.4 shall apply mutatis mutandis with respect to the return and deletion of Personal Data.
Article 14 — Miscellaneous Provisions
14.1. This Data Processing Agreement shall be governed exclusively by Dutch law.
14.2. Disputes arising from or in connection with this Data Processing Agreement shall in the first instance be submitted to the competent court in the district of Rotterdam.
14.3. In the event of a conflict between the provisions of this Data Processing Agreement and the Main Agreement or the General Terms and Conditions, this Data Processing Agreement shall prevail insofar as it concerns the Processing of Personal Data.
14.4. Amendments or supplements to this Data Processing Agreement shall only be valid if agreed in writing by both Parties.
14.5. If any provision of this Data Processing Agreement is found to be null and void or voidable, this shall not affect the validity of the remaining provisions. The Parties shall consult to replace the null or voided provision with a provision that most closely reflects the purpose and intent of the original provision.
14.6. The Processor may not transfer this Data Processing Agreement to a third party without prior written consent of the Controller.
Appendix A — Security Measures
The Processor has implemented the following technical and organisational security measures to protect the Personal Data:
A.1 Physical Access Control to Buildings and Facilities
- Physical access security to office premises by means of locks and/or electronic access control systems;
- Restricted access to server rooms and data storage facilities to authorised personnel only;
- Visitors are registered and escorted.
A.2 System Access Control
- Individual user accounts with strong passwords and multi-factor authentication (MFA);
- Automatic locking of workstations after a period of inactivity;
- Role-based access control (RBAC) — access to Personal Data is granted on a need-to-know basis;
- Periodic review and revocation of access rights upon change of role or termination of employment.
A.3 Data Separation
- Logical separation of Personal Data from different clients;
- Separate storage environments for production and test data;
- No use of real Personal Data in test or development environments.
A.4 Encryption
- Encryption of Personal Data in transit (TLS 1.2 or higher);
- Encryption of Personal Data at rest (AES-256 or equivalent) where appropriate;
- Secure management of cryptographic keys.
A.5 Logging and Monitoring
- Logging of access to systems and Personal Data;
- Monitoring for unauthorised access attempts and suspicious activities;
- Retention of log files for an appropriate period for audit and investigation purposes.
A.6 Backup and Recovery
- Regular backups of Personal Data;
- Storage of backups at a physically separate location or in a geographically separated data centre;
- Periodic testing of recovery processes to ensure the integrity and availability of data.
A.7 Awareness and Training
- Periodic awareness training for employees on data protection and information security;
- Instructions for employees on recognising and reporting security incidents and Data Breaches;
- Confidentiality agreements for all employees who have access to Personal Data.
A.8 Incident Management
- A documented incident response plan for handling security incidents and Data Breaches;
- Assignment of responsibilities for managing incidents;
- Procedures for the timely notification of Data Breaches to the Controller and, where applicable, to the Supervisory Authority and Data Subjects.
A.9 Vendor Management
- Assessment of the security measures of Sub-processors prior to engagement;
- Contractual obligations for Sub-processors to implement appropriate security measures;
- Periodic evaluation of the security practices of Sub-processors.
Contact Details
Meier Media B.V.
- Schiedamse Vest 154, 3011BH Rotterdam, the Netherlands
- KVK number: 80869246
- Email: contact@meiermedia.agency
- Website: meiermedia.agency