Data Processing Agreement v1.0
Version 1.0 • Data Processing Agreement for Cookie Handler services

By using Cookie Handler, you, as the “Controller”, agree to the DPA below with Cookie Handler (the “Processor”). The agreement outlines how Cookie Handler will process personal data on your behalf in compliance with the EU General Data Protection Regulation (GDPR) and other applicable EU data protection laws.

Cookie Handler Data Processing Agreement (DPA)

Parties and scope of the DPA

Controller: The party that signs up for and uses the Cookie Handler service (referred to as “you” or “Controller”). This is the data controller determining the purposes and means of processing personal data collected via Cookie Handler on your websites or apps.

Processor: Cookie Handler, a cookie management SaaS platform provided by WODS.Agency ÖU, headquartered at Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia, which will process personal data on behalf of the Controller.

Purpose of the agreement: This Data Processing Agreement (hereinafter “DPA”) is required by the GDPR whenever an EU-based processor (Cookie Handler) handles personal data on behalf of a controller. It ensures both parties comply with their obligations under the GDPR in relation to such processing. This DPA applies to all users of Cookie Handler’s services (Free and Paid plans) worldwide, reflecting that Cookie Handler is subject to GDPR for all processing it undertakes. In agreeing, the Controller consents to these terms even if not established in the EEA, so that GDPR-level protections will govern the data processing.

Relationship to main service terms: This DPA is an addendum to the Cookie Handler Terms of Service (the “Main Agreement”). In case of conflict between this DPA and the Main Agreement on data protection matters, this DPA will prevail. This DPA does not create additional services or fees; it governs how personal data is handled in the context of the services you use.

Duration: This DPA becomes effective once you accept it (by checking the acceptance box and finalizing your registration) and remains in effect as long as we process personal data for you. It will automatically terminate upon deletion of your account and cessation of services, subject to the terms on data deletion.

Subject matter, nature, and purpose of processing

Subject matter: Cookie Handler will process certain personal data of your end-users as necessary to provide our cookie consent management and compliance service to you. This includes collecting, storing, and transmitting information related to users’ cookie preferences and consents on your digital properties, as described below.

Nature of processing: The processing involves automated collection and storage of data via the Cookie Handler scripts on your site/app, logging of user consent decisions (when a user accepts or rejects certain categories of cookies), and subsequent use of that data to determine cookie loading and to provide you with compliance records and analytics. We may also perform maintenance and troubleshooting that involves accessing the data, strictly as needed to support the service.

Purpose of processing: We process data only for the purpose of providing the Cookie Handler service to you, in accordance with your configuration and instructions. This includes:

  • Consent banner display & logging: Presenting cookie consent banners to your users and recording their consent choices. The consent log includes details like a consent ID or user identifier, timestamp, and consent preferences. This helps you demonstrate that each user’s consent (or refusal) was captured, meeting GDPR’s requirement that controllers be able to prove consent.
  • Preference management: Remembering a user’s cookie settings on subsequent visits (by storing a consent identifier or cookie on the user’s browser) so that their preferences are respected without asking repeatedly (until consent needs renewal).
  • Compliance reporting: Providing you with dashboards or reports showing aggregate consent statistics and enabling you to export consent records. This supports your compliance audits and responses to regulatory inquiries by having an accessible record of consents.
  • Support & improvement: Using the data in a minimal way to troubleshoot issues or improve the functionality of the consent management platform. For example, we might review logs to debug a problem for you or to ensure our banner works properly across devices. Such processing is also under your instructions as part of service support.

Cookie Handler will not process personal data for any independent purpose (such as marketing or analytics of its own) and will not sell or share the personal data with third parties except as needed to fulfil our obligations to you, or as required by law (in which case you will be informed, unless prohibited by law).

Types of personal data processed

We aim to limit the personal data processed to what is necessary for the above purposes. Typically, the data may include:

  • Online identifiers: such as a unique consent ID, geolocation, and device identifier. The consent ID might be a randomly generated token assigned to a user’s browser to record their preferences.
  • Cookie consent records: A record of the user’s consent decision for each category of cookies (Necessary, Preferences, Statistics, Marketing) along with the timestamp of the action. This may be linked to the identifier above.
  • Browser and device information: Such as browser type, OS, and device type, which may be logged as part of the consent record (to help you demonstrate, for example, from which device a consent was given, or to troubleshoot banner display issues). This is generally not used to identify individuals, but it can be considered personal data when combined with other identifiers.
  • Email/account info (Controller personnel only): Note that this DPA primarily covers data from your end-users. In operating the Cookie Handler service, we might also process contact details of your personnel (like the email of your account administrator) for account management and support. That aspect is governed by our Privacy Policy and the Main Agreement, not by this DPA, which focuses on end-user data.

We do not intentionally process special categories of personal data (listed in Article 9(1) GDPR). You, as Controller, should not use Cookie Handler to collect or send such sensitive data. If our service inadvertently receives any sensitive personal data, we will treat it as personal data and protect it, but we rely on you to avoid including such data in the use of our service.

Categories of data subjects

The personal data processed relates to individuals who interact with your website or app where Cookie Handler is implemented. This typically includes:

  • Your website/app visitors: Any end-user (data subject) who is presented with the Cookie Handler consent banner on your site/app and either gives or withholds consent. These could be your customers, site visitors, or users of your services.

We do not have a direct relationship with these individuals (you do, as the Controller), but we protect their data per this DPA and GDPR requirements.

Controller’s obligations and responsibilities

This section outlines what you, the Controller, agree to do under this DPA and GDPR:

  • Lawful instructions: You will ensure that your use of Cookie Handler (and your instructions to us) comply with applicable data protection laws. You instruct Cookie Handler to process personal data only for the purposes listed in Section 2, and in accordance with the features you enable or configurations you set in the service. Any additional processing outside the scope of this DPA requires prior agreement. We (the Processor) will only act on your documented instructions unless required by EU or Member State law – in such a case, we will inform you before processing, unless the law forbids it.
  • Lawful basis & consent: You are responsible for determining and documenting the legal basis for processing your end-users’ personal data. In most cases for cookie data, the basis will be consent (as required by GDPR and the ePrivacy Directive for non-essential cookies). You must obtain valid consent through the Cookie Handler banner or another compliant mechanism before we process non-essential cookie data. The consent must meet GDPR standards (freely given, specific, informed, unambiguous, and as applicable, documented). Cookie Handler facilitates this but you must configure it in a compliant way (e.g. not pre-ticking boxes, providing clear information in your cookie policy, etc.). If you choose to rely on an alternative legal basis (like legitimate interests for certain types of cookies), you are responsible for ensuring that basis is valid and for handling any necessary assessments (e.g. Legitimate Interest Assessments).
  • Transparency: You will provide an appropriate privacy notice or cookie policy to your users, in accordance with the GDPR, that explains Cookie Handler’s role in the processing of personal data. For example, your privacy policy or cookie policy should mention that you use Cookie Handler as a cookie management service provider which will process users’ cookie preferences and certain personal data in order to record and respect their choices. We will provide you with any information about our service that you reasonably need for your privacy notices.
  • Data subject rights: As a controller, you are responsible for handling any requests from data subjects (your end-users) to exercise their GDPR rights (access, rectification, erasure, objection, etc.). When such requests relate to data processed by Cookie Handler, you will instruct us as needed and we will assist. For example, if a user asks you to delete their data, you can either use the Cookie Handler interface (if available) to erase that user’s consent record or ask us to do so via support channels – we will comply promptly with such documented requests.
  • Data accuracy: If you become aware that any personal data we process is inaccurate or has changed (for example, a user withdraws consent), it is your responsibility to either update it via our tools (if possible) or notify us so we can correct or delete the data. We rely on you to pass us accurate data and to update us if circumstances change.
  • Security measures on your side: You should implement appropriate security measures when accessing or using Cookie Handler, such as protecting your admin login credentials, using our service’s security features, and ensuring that any data you download from our service is stored safely. You must promptly inform us if you detect any security incident or breach related to data processed by Cookie Handler so we can cooperate on mitigation.
  • Compliance and accountability: You will fulfil your obligations as a controller under GDPR (Article 24), meaning you will implement appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. Cookie Handler shall aid you when possible, but you are responsible for overall compliance. If needed, you will conduct a Data Protection Impact Assessment (DPIA) for your use of Cookie Handler (we will assist by providing information). You should also ensure that any processing instructions you give us are permitted; if you are outside the EEA and not subject to GDPR, note that Cookie Handler’s operations will still apply GDPR standards to the data.
  • Controller’s warranty: By agreeing to this DPA, you warrant that you have the authority to bind your organization to these terms and that your use of the Cookie Handler service (including the personal data you instruct us to process) does not violate any applicable law or rights of any data subject. You also confirm that, if required (for example, if you are outside the EU but targeting EU users), you have complied with any obligations to appoint an EU representative or other local requirements under the GDPR, and that you will inform us if our cooperation is needed to facilitate that compliance.

Cookie Handler’s obligations as processor

Cookie Handler, as the Processor, adheres to the obligations set out in the GDPR. We commit to:

  • Process data only on instructions: We will process personal data only on your documented instructions. This DPA, together with your configurations within the Cookie Handler platform and any written instructions you provide, constitutes your complete and final instructions to us. We will not process the data for any other purpose or outside the scope of this DPA without your consent. If EU or Portuguese law requires us to process data beyond your instructions (for example, responding to a court order), we will inform you in advance (unless legally forbidden) so you have an opportunity to object or seek relief. Importantly, per GDPR, our staff cannot access or use your data except as directed by you.
  • Confidentiality: We ensure that any person we authorize to process personal data (including our employees, contractors, and subprocessors) is under an appropriate obligation of confidentiality. This means they are legally or contractually bound to keep personal data secret and secure, and they are trained on privacy duties. Only personnel who need access to your data to perform the services will have such access. This confidentiality obligation continues even after the termination of their employment or engagement.
  • Security of processing: We implement and maintain appropriate technical and organizational measures to protect personal data, as required by the GDPR. These measures are designed to ensure a level of security appropriate to the risk of the data being processed. Key security practices include encryption, access control, data minimization, resilience/backups, and testing/audit. These measures are continually evaluated and updated in light of technical development and regulatory requirements.

Assistance with Data Subject Rights: Taking into account the nature of the processing and the information available to us, we will assist you in fulfilling your obligation to respond to requests from data subjects exercising their rights. This includes access & portability, rectification, erasure, restriction/objection, and notifications as described in the full policy.

Record of Processing Activities: We maintain a record of our processing activities carried out on behalf of controllers. This record includes information such as the categories of processing done for clients, any data transfers, a general description of technical and organizational security measures, etc. We will make relevant excerpts of this record available to you upon request, to assist in your documentation and compliance needs.

Data Breach Notification: If we become aware of a personal data breach relating to data we process for you, we will notify you without undue delay (generally as soon as possible, and in any case promptly enough to allow you to comply with any regulatory reporting timelines). Our notification to you will include a description of the nature of the breach, contact details, likely consequences, and measures taken to address it. We will provide this information in phases if not all details are immediately available, as permitted by the GDPR.

Use of Subprocessors

Cookie Handler may engage subprocessors (other companies) to assist in providing the services. For example, we might use cloud hosting providers, data center services, email service providers, or other vendors. We adhere to the GDPR requirements regarding subprocessors and will provide notification of changes and safeguards as required.

International Data Transfers

Cookie Handler is committed to complying with GDPR Chapter V (Articles 44-49) regarding transfers of personal data to third countries or international organizations. We will rely on adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards, and apply supplementary measures when necessary.

Assistance with Compliance and DPIAs

We will assist you in ensuring compliance with your obligations under GDPR Articles 32 to 36, including providing information for DPIAs and supporting audits and inspections as described in the full DPA.

Order of Precedence

In case Standard Contractual Clauses (for international transfers) or other GDPR-mandated terms are incorporated between you and us, and those clauses conflict with this DPA, those clauses shall prevail solely to the extent of the conflict, unless this DPA provides greater protection to personal data, in which case the greater protection shall apply.

Final Provisions

Return or Deletion of Data: Upon termination or expiration of our Main Agreement (or earlier upon your request), Cookie Handler will, at your choice, return and/or delete all personal data processed on your behalf. After termination, we will permanently delete personal data from our active systems. We will also delete personal data from backups within a reasonable timeframe, except as required for legal compliance.

Confidentiality of Agreement: The terms of this DPA (and any audit reports or documentation shared under it) are confidential between the parties. Both parties agree not to disclose the terms or related information to any third party, except as required by law or to professional advisors under a duty of confidentiality, or as needed to demonstrate compliance (for example, you may share the existence of this DPA with regulators as proof of a required contract).

Liability and Indemnity: Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement (Cookie Handler Terms of Service). However, no limitation of liability applies to any breach by either party of the data protection laws to the extent such liability cannot be limited under applicable law.

Governing Law and Jurisdiction: This DPA is governed by and shall be construed in accordance with the laws of Portugal. The parties agree that any dispute or claim arising out of or in connection with this DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the competent courts of Portugal.

Changes to this DPA: We may update this DPA from time to time. If we update the DPA, we will notify you in advance and provide the new terms. If you object, you have the right to terminate the service. Continued use after the effective date of changes constitutes acceptance.

Entire Agreement and Severability: This DPA, together with the Main Agreement and any Standard Contractual Clauses entered into (if applicable), forms the entire agreement between the parties with respect to the subject matter of data processing. In case any provision of this DPA is found invalid or unenforceable, the remainder of the DPA shall remain in effect.

Contact Information: Each party shall maintain accurate contact information for notices relating to this DPA. For Cookie Handler, you can reach us at: support@cookiehandler.io. For you, we will use the contact details you provided in your account or DPA acceptance form.

By accepting this DPA, both parties acknowledge their legal obligation to comply with its terms. This ensures that personal data handled via Cookie Handler is protected in line with GDPR and that both you (Controller) and Cookie Handler (Processor) have a clear, binding agreement on data processing, as required by GDPR Article 28.

This DPA is effective as of August 30, 2025, and will remain in effect for the duration of your use of Cookie Handler services.