PREAMBLE AND INTRODUCTORY REMARKS
This Shopamine Data Processing Agreement and its Annexes (hereinafter: the “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by the Provider (as the Processor) on behalf of the Merchant (as the Controller) in connection with the use of the Shopamine Services by the Merchant, whereby all bolded terms are further defined below.
This DPA is supplemental to, and forms an integral and indispensable part of the Agreement, which applies to all Shopamine Services.
In case of any conflict or inconsistency between the terms and clauses of this DPA and the terms and clauses of the Agreement, this DPA will take precedence over the terms and clauses of the Agreement to the extent of such conflict or inconsistency.
Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
All enquiries regarding this DPA may be directed at firstname.lastname@example.org.
1 THE APPLICATION OF THIS DPA
1.1 This DPA shall be deemed as validly concluded between:
- APPOTEKA, razvoj spletnih aplikacij, d.o.o., company reg. no.: 3497623000, Kamniška 41, 1000 Ljubljana, Slovenia, the owner and supplier of the Shopamine Services (hereinafter: “we”, “us”, “our”, “Provider” or “Processor”) who can be reached at email@example.com and;
- the legal entity that shall be identified as the registered user of the Shopamine Services (hereinafter: “you”, “your”, “Merchant” or “Controller”) that is bound to the Master Service Agreement (hereinafter: “Master Service Agreement” or “Agreement”) and this DPA. The aforementioned also relates to any and all Permitted Personnel and Merchant Affiliates of the Merchant.
- whereby the Processor and Controller may be hereinafter jointly referred to as the Parties.
1.2. Before your use of the Services, you are asked to duly review, understand and get acquainted with the content of both this DPA and the Agreement.
1.3. Any reference to this DPA includes its Annexes and any individually concluded amendments to this DPA and its annexes, whereby such individually concluded amendments between the Parties shall be deemed as replacing this DPA and the annex or their respective parts, as the case may be.
1.4. The Provider may host the list of Approved Subprocessors from Annex 2 online and communicate this to the Merchant by including it at the end of this document, whereby it shall be deemed that the online list included herein represents the last version of the Approved Subprocessors (with the exception of any individually concluded amendments that had been concluded by the Parties to Annex 2) and shall have legal effect.
2.1 We may make changes to this DPA at any time by notifying you of the change by email and proposing the addition of an amendment at the end of this DPA. Unless stated otherwise, any change shall take effect from the date of the added amendment to this DPA. You are responsible for ensuring you are familiar with the last version of this DPA.
3.1. In this DPA:
Master Service Agreement (also called Agreement or Terms) shall mean the underlying agreement that has been entered into by the parties when the Controller had set up his Shopamine account and duly agreed to be bound by the Agreement, whereby the Agreement governs the setting-up, use and access to the Shopamine Services and under which certain Personal Data need to be processed for the provision of the Shopamine Services in accordance with this DPA.
Applicable legislation shall mean but not be limited to the European Union’s General Data Protection Regulation (2016/679) (hereinafter: “GDPR”) as well as any and all applicable EU and national laws and other statutes, rules, regulations and codes, as they may apply to the use and the consequences of use of the Shopamine Services by the Merchant in the country where the Merchant or his legal entity is established or operates or where the End Customer or other affected natural persons reside, as amended, replaced or superseded from time to time. Applicable legislation shall also mean but not be limited to any and all USA equivalents of such laws (e.g. the California Consumer Privacy Act (CCPA), the Telemarketing and the Children’s Online Privacy Protection Act (COPPA)), as well as other relevant EU directives (e.g. the Electronic Communications Directive 2002/58/EC (the ePrivacy Directive)), codes of conduct and industry standards, as amended, replaced or superseded from time to time.
Shopamine Services (also called Services or Service) shall mean the Shopamine website located at https://www.shopamine.com/ as well as the related APIs and any associated websites or mobile applications hosted, owned or operated by Shopamine that form part of the Shopamine software product or products.
Shopamine Data Processing Agreement (also called DPA) shall mean this legal agreement under which the Provider shall be deemed as the Processor and you shall be deemed as the Controller of any and all Personal Data that shall be sent, transmitted, transferred or otherwise processed by the Provider directly in connection with the performance of the Service. This DPA forms a supplemental, integral and indispensable part of the Agreement and your use of the Shopamine Services, whereby this DPA is subject to the provisions of Article 28 of the GDPR.
Consent shall mean any freely given, specific, informed and unambiguous indication of the Data subject's (i.e. End Customers') wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her, as provided for by Article 4 of the GDPR or by any other relevant Applicable legislation.
Merchant Affiliate shall mean in respect of the Merchant and his legal entity, any other legal entity or private person controlling the Merchant or being controlled by the Merchant, or acting under the direct influence or instructions of the Merchant, whereby “being controlled by” shall mean the possession, directly or indirectly, solely or jointly with another person, of power to direct or cause the direction of the management or policies and actions of a legal or natural person (whether through the ownership of securities, other shareholders, partnership or ownership interest, by establishing total or partial identity of individuals in management, by contract or otherwise).
Controller shall mean the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as provided for by Article 4 of the GDPR or by any other relevant Applicable legislation. Please note, that even in the event that you are not in fact the Controller of the Personal Data that you are using or wish to use in connection with the Service, you expressly warrant and represent to the Provider, that you have the necessary legal grounds and have obtained the required consent for the processing of the Personal Data of the End Customers in connection with your use of the Service from the actual Controller of said Personal Data.
Controller Personal Data shall mean any End Customer Personal Data or any other Personal Data, for which the Controller may be deemed as the “controller” under Applicable legislation and that the Provider or Subprocessor shall Process pursuant to or in connection with the Agreement and this DPA.
Data processing (also Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In the context of this DPA, the Provider shall Process the End Customer Data for which the Merchant is deemed as the Controller in order to provide the Service, as outlined below.
End Customer (also Data Subject) shall mean a natural person whose Personal Data is processed in connection with the Service. End Customers are generally Merchant website/store visitors and consumers, who buy products from the Merchant on his website/store (whereby the Merchant website/store is hosted or developed with the Service or inside the Shopamine ecosystem) or other individuals, whose personal data was processed (i.e. added, stored, shown and otherwise processed) in connection with the Service by the Controller or his Affiliates.
European Economic Area (also called EEA) shall mean the EU Member States as well as Iceland, Liechtenstein, and Norway.
Provider shall mean APPOTEKA, razvoj spletnih aplikacij, d.o.o., company reg. no.: 3497623000, Kamniška 41, 1000 Ljubljana, Slovenia and its employees. In the context of this DPA, the Provider shall be deemed as the Processor of Personal Data.
Provider Affiliate shall mean in respect of the Provider and its legal entity, any other legal entity or private person controlling the Provider or being controlled by the Provider, or acting under the direct influence or instructions of the Provider, whereby “being controlled by” shall mean the possession, directly or indirectly, solely or jointly with another person, of power to direct or cause the direction of the management or policies and actions of a legal or natural person (whether through the ownership of securities, other shareholders, partnership or ownership interest, by establishing total or partial identity of individuals in management, by contract or otherwise).
Personal Data shall mean any information relating to an identified or identifiable natural person (i.e. End Customer or Data subject), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as provided for by Article 4 of the GDPR or by any other relevant Applicable legislation.
Personal Data Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as provided for by Article 4 of the GDPR or by any other relevant Applicable legislation.
Processor shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as provided for by Article 4 of the GDPR or by any other relevant Applicable legislation. In the context of this DPA, the Provider shall be deemed as the Processor of Personal Data.
Processing shall mean an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Party shall mean either the Merchant or the Provider whereby the term also includes that Party’s permitted assigns. The term “parties” shall mean both the Merchant and the Provider.
Person includes an individual, a body corporate, an association of persons (whether corporate or not), a trust, a government department, or any other entity.
Personnel includes officers, employees, contractors, and agents of the Merchant (or Merchant Affiliates).
Special categories of personal data shall mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Start Date shall mean the date on which the Merchant duly registered his account for using the Services and accepted the Agreement and this DPA (or alternatively, the date when a physical contract for the use of the Services is entered into between the parties).
Subprocessor (or Approved Subprocessor) shall mean any person (including any third party and any Provider Affiliate, but excluding an employee of the Provider or any of its subcontractors) appointed by or on behalf of the Provider or any Provider Affiliate to Process Personal Data on behalf of the Provider in connection with the Agreement. The Provider may host the list of Approved Subprocessors from Annex 2 of this DPA online, whereby it shall be deemed that the online list represents the last version of said list (with the exception of any individually concluded amendments that the Parties have entered into in relation to said annex, whereby such amendments shall be deemed as replacing this annex or its relevant parts).
Standard contractual clauses shall mean the latest standard data protection clauses for the transfer of Personal Data to Processors established in countries outside of the EEA, where an adequate level of data protection with regards to the GDPR is not ensured on a national and systemic level, as described in Article 46 of the GDPR.
You (also your, Merchant, Controller) shall mean the legal entity that duly registered its account for using the Services and which thereby concluded the Agreement and this DPA as described above. The term also includes any and all Permitted Merchant Personnel, or Merchant Affiliates. In the context of this DPA the Merchant shall be deemed as the Controller of Personal Data.
3.2. Words in the singular include the plural and vice versa. Non-bold terms or uncapitalized terms may still hold the meaning of the corresponding term that has been described above.
3.3. A reference to the Applicable legislation or statute includes references to regulations, orders or notices made under or in connection with such legislation, statute or regulations and all amendments, replacements or other changes to any of them.
4 CONTRACTUAL INTENT AND TERM
4.1. The Parties seek to implement this DPA in order to achieve compliance with the requirements of the Applicable legislation as it pertains to the Processing of Personal Data and especially Article 28 of the GDPR, which forms the basis under which this DPA is drafted and construed.
4.2. Notwithstanding any other provision relating to the term of this DPA, this DPA will take effect on the Start Date and shall remain in force until the Provider has deleted or returned all End Customer Personal Data to the Controller, whereby it shall be deemed as automatically terminated.
5. PROCESSING OF CONTROLLER PERSONAL DATA
5.1. Permitted scope of Processing.
The Provider shall:
- Process Controller Personal Data in order to provide the Service as stated in the Agreement or on the basis of relevant documented instructions of the Controller, which shall be deemed as contained herein unless otherwise provided to the Provider in writing,
- comply with any and all Applicable legislation in the Processing of Controller Personal Data,
- Process Controller Personal Data if Processing is required under the Applicable legislation to which the Provider or relevant Contracted Processor is subject, in which case the Provider shall, to the extent permitted under the Applicable legislation, inform the Controller of that legal requirement before the relevant Processing of such Personal Data takes place.
5.2. For the avoidance of doubt, the Provider shall only use the Controller Personal Data to provide the Service and shall not keep, retain, disclose, make available to third parties, sell or otherwise use the Controller Personal Data for any purpose other than for providing the Service under the Agreement as further described in Annex 1 (or any individually concluded amendments to the annex that have been entered into by the Parties, whereby such individually concluded amendments shall be deemed as replacing this annex or its relevant parts).
5.3. The Controller instructs the Provider and each Provider Affiliate (and authorizes the Provider and each Provider Affiliate to instruct each Subprocessor) to:
- Process Controller Personal Data as necessary for the provision of the Service as specified in Annex 1 or any individually concluded amendments.
- transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement if such territory is in the EEA, as specified in sections 8 and 14.
5.4. The Controller warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 5.3. for all Controller Personal Data and on behalf of each relevant Controller Affiliate.
5.5. Annex 1 to this DPA sets out certain information regarding the Contracted Processors' Processing of the Controller Personal Data as required by Article 28 of the GDPR (and, possibly, equivalent requirements of other Applicable legislation). The Controller may propose reasonable amendments to Annex 1 by written notice to the Provider from time to time if the Controller considers this as reasonably necessary in order to meet his requirements, whereby such proposals shall only have legal effect if an individually concluded amendment to Annex 1 is concluded between the Provider and Controller.
6. Provider and Provider Affiliate Personnel
6.1. The Provider and each Provider Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable legislation in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
7. Security and the keeping of records
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider and each Provider Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
7.2. The list of technical and organizational measures that the Provider and each Provider Affiliate offers the Controller under this DPA is included in Annex 3 (or any individually concluded amendments that had been concluded by the Parties in relation to said annex).
7.3. Prior to concluding the Agreement and this DPA, the Controller is required to review and analyze the contents of Annex 2 and Annex 3 with regards to the technical and organizational measures and other security commitments which the Provider (or his Subprocessors) offers in connection with the provision of the Service.
7.4. In assessing the appropriate level of technical and organizational measures and other aspects of data security, the Provider and each Provider Affiliate shall take into account the particular risks that are presented by Processing Personal Data and in particular the risk of a Personal Data Breach. The Controller understands and agrees that it is his sole responsibility to consider if the technical and organizational measures and other aspects of data security from Annex 2 and Annex 3 meet his security needs and obligations with regards to Controller Personal Data and the Applicable legislation before choosing to use the Service and registering an account (i.e. concluding the Agreement and this DPA). Should any part of Annex 2 or Annex 3 be found as unsatisfactory by the Controller, the Parties shall conclude separate amendments to this DPA or Annex 2 or Annex 3.
7.5. Regarding the aforementioned, the Controller understands and agrees that he is solely responsible for his use of the Service, and is asked to put in place and maintain his own technical and organizational measures, which must include industry-level best practices such as:
- making copies of (i.e. backing up) all Controller Personal Data prior to use with the Service,
- practicing safe and secure usage of the Service and the user account / password of the Merchant user accounts (secure keeping of account authentication credentials),
- securing systems and devices which are used to access or interact with the Service.
7.6. The Provider and Provider Affiliates take no responsibility regarding the processing, storage and protection of Controller Personal Data outside of the Service and the subsystems connected to the Service (which includes, but is not limited to, the access and storage of Controller Personal Data on the servers of the Controller or a third party (such as an approved Subprocessor), the transferring of Controller Personal Data to third parties, the distribution of account authentication credentials to third parties, etc.).
7.7. The Controller understands and agrees that by concluding the Agreement and this DPA, the technical and organizational measures from Annex 2 and Annex 3 shall be deemed as appropriate with regards to the risk posed to the Data Subjects and the Controller Personal Data. Should the Controller require additional technical and organizational measures (or safeguards) to be put in place by either the Provider or his Subprocessors, he shall contact the Provider so that individually concluded amendments can be entered into by the Parties in relation to the annexes or this DPA.
7.8. The Provider shall, to the best of his ability, keep records (i.e. log files) regarding the Processing of Controller Personal Data, and shall ensure that the records are sufficient to meet the communicated compliance requirements of the Controller. The Provider shall also provide said records to the Controller upon his written request.
8.1. The Controller specifically authorizes and generally agrees with the Provider and each Provider Affiliate appointing and engaging Subprocessors in accordance with this section 8 and with any restrictions from the Agreement, this DPA and its annexes.
8.2. The Provider and each Provider Affiliate may also continue to use those Subprocessors already engaged by the Provider or any Provider Affiliate at the Start Date, whereby the Provider and Provider Affiliate shall be in each case and as soon as practicable required to ensure, that the obligations set out in this section 8 are met by such Subprocessors.
8.3. The list of Subprocessors including details regarding their location and Processing functions is set out in Annex 2, whereby an expanded version of the list may be made available by the Provider and communicated to the Controller upon request. If no amendments are requested by the Controller prior to the Start Date, it shall be deemed that the online list represents the last version of the list from Annex 2 and shall have legal effect.
8.4. Regarding the Processing and subprocessing of Controller Personal Data, the Provider and any Provider Affiliate shall only appoint and engage Subprocessors through the conclusion of a data processing agreement containing all necessary data protection obligations, which shall offer the same level of data processing protection that can be found in this DPA, to the extent applicable to the nature of the Services provided by such Subprocessors.
8.5. Ten (10) business days prior to any Processing being carried out by a newly appointed Subprocessor, the Provider shall add such newly engaged Subprocessor to the online list of Subprocessors from Annex 2 and notify the Controller about this either via his account email address or through the Service. The Parties hereby agree, that such method of notification is adequate with regards to the Controller’s right to be notified prior to Subprocessor engagement.
8.6. Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor, he shall notify the Provider within ten (10) business days from when the above mentioned notification had been received. After that, Processing by the Subprocessor shall be deemed as accepted by the Controller or Controller Affiliate.
8.7. Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor and notify the Provider regarding this (even after the expiration of the period from the previous two points), all data processing by such newly appointed Subprocessor shall cease and the parties shall seek to find an applicable solution in good faith, whereby the Parties may conclude a separate amendment to Annex 2 (i.e. including additional safeguards or other requirement) or try to adapt the Service so that such Subprocessor is not used in connection with Controller Personal Data. If the parties cannot agree on an applicable solution regarding the objection in a reasonable timeframe, the Provider or Controller may terminate the Agreement in accordance with its provisions.
8.8. The Provider may be held liable for obligations subcontracted to the Subprocessors, including in connection with their acts and omissions.
9. Data Subject Rights
9.1. Taking into account the nature of the Processing, the Provider and each Provider Affiliate shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the obligations of the Controller to respond to requests to exercise Data Subject rights under the GDPR and the Applicable legislation.
9.2. The Provider shall:
- promptly notify the Controller if the Provider or any Contracted Processor receives a request from a Data Subject under the GDPR and the Applicable legislation in respect of Controller Personal Data (if such notification is duly transferred to the Provider, which is the obligation of the Contracted Processor); and
- ensure that he does not respond to such request himself and does so only upon the documented instructions of the Controller or the relevant Controller Affiliate, notwithstanding situations in which the Provider may be required to respond on their own to such request under the GDPR or the Applicable legislation, in which case the Provider shall, to the extent permitted by the GDPR or Applicable legislation, try to inform the Controller of such legal requirement beforehand.
10. Personal Data Breach
10.1. The Provider shall notify the Controller without undue delay upon the Provider or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow him to meet any obligations to report or inform the Data Subjects of the Personal Data Breach under the Applicable legislation.
10.2. The Provider shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
11. Data Protection Impact Assessment and Prior Consultation
11.1. The Provider and each Provider Affiliate shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable legislation, in each case solely in relation to the Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Provider and the Contracted Processors.
12. Deletion or return of Controller Personal Data
12.1. Subject to points 12.2 and 12.3 the Provider and each Provider Affiliate shall promptly and in any event within 15 (fifteen) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement) delete and procure the deletion of all copies of those Controller Personal Data that are listed as being stored in Annex 1, thereby permanently removing all copies and instances of such data in the Provider's systems. By notifying the Provider prior to termination of the Agreement, the Controller and Provider may also arrange for the transfer of such data to the Controller prior to deletion.
12.2. The Provider and each Contracted Processor may retain Controller Personal Data to the extent required by Applicable legislation and only to the extent and for such period as required by the Applicable legislation and always provided that the Provider and each Provider Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable legislation requiring its storage and for no other purpose.
13. Audit rights
13.1. Subject to sections 13.2 to 13.4, the Provider and each Provider Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Provider or the Contracted Processors.
13.2. Information and audit rights of the Controller only arise under section 13.1 to the extent that the Agreement does not otherwise give information and audit rights meeting the relevant requirements of the Applicable legislation (including Article 28 of the GDPR).
13.3. The Controller or the relevant Controller Affiliate undertaking an audit shall give the Provider or the relevant Provider Affiliate a notice at least fourteen (14) business days prior to any audit or inspection being conducted under this section 13 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Provider’s or Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The Provider or a Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller or the relevant Controller Affiliate undertaking an audit has given notice to the Provider or the relevant Provider Affiliate that this is the case before attendance outside those hours begins; or
- for the purposes of more than one audit or inspection, in respect of the Provider or each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
a) the Controller or the relevant Controller Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to Provider's or the relevant Provider Affiliate’s compliance with this DPA; or
b) the Controller is required or requested to carry out by the Applicable legislation, a supervisory authority or any similar regulatory authority responsible for the enforcement of Applicable legislation in any country or territory.
13.4. The Provider shall, upon request also provide the Controller or the mandated auditor with documentation of implemented technical and organizational measures to ensure an appropriate level of security, and other information necessary to demonstrate the Provider's or the relevant Provider Affiliate’s or the Contracted Processor’s compliance with its obligations under this DPA and relevant Applicable legislation, but shall provide access to information concerning the Provider's or the relevant Provider Affiliate’s or the Contracted Processor’s other information subject to confidentiality obligations.
14. Transfer of Controller Personal Data to Countries Outside of the EEA
14.1. Transfer of Controller Personal Data to countries located outside of the EEA (unless otherwise provided hereunder) by transfer, disclosure or provision of access to data may only occur on the basis of documented instructions from the Controller or a Controller Affiliate.
14.2. An exception to the previous point are data transfers to USA based ICT/SaaS Subprocessors (i.e. cloud storage, analytics or marketing service providers) listed in Annex 2 (or any concluded amendment to said annex), even where the data is actually hosted on the Subprocessors' servers within the EEA, as such hosting may still lead to processing that is treated as a transfer to a “third country” under Applicable legislation, since certain holders of public authority in the United States may, in certain extremely rare cases, access, inspect or otherwise process such data.
14.3. By entering into this DPA, the Controller grants the Provider the authority to enter into Standard contractual clauses on behalf of the Controller or the relevant Controller Affiliate, as they may be laid down by the European Commission or the applicable supervisory authority from time to time, in order to secure a valid legal basis for the transfer, disclosure or provision of access to data by Subprocessors outside of the EEA or by international organizations, whereby any such Subprocessors shall be approved in accordance with the procedure stipulated in section 8 of this DPA. If the Controller is not the actual controller of the relevant Controller Personal Data, the Controller shall ensure such authorization from the actual controller. Upon request, the Provider shall provide the Controller with a copy of such Standard contractual clauses or state such other valid legal basis (and implemented safeguards) for each transfer.
15. General Terms
15.1 Governing law and jurisdiction
Without prejudice to any applicable Standard contractual clauses which may have been entered into on the basis of this DPA:
- with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, the parties to this DPA hereby agree to be governed by the laws of the Republic of Slovenia, whereby the Controller or Controller Affiliate consents to the exclusive jurisdiction of the courts located in the Republic of Slovenia and the place of venue shall be Ljubljana, Slovenia; and
- whereby the aforementioned laws, courts and venues shall also be used regarding all non-contractual or other obligations arising out of or in connection with this DPA.
15.2. Order of precedence
With regard to the subject matter of this DPA and in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
15.3. Limitation of liability
Under or in connection with the Agreement, this DPA or any Standard contractual clauses and other legal agreements for data transfers which may have been concluded in connection with this DPA, and regardless of the type of liability, the parties hereby agree that the total combined liability of the Provider and the Provider Affiliates towards the Controller, the Controller Affiliates or both shall be limited to the total amount paid by the Controller to the Provider in connection with the provision of the Service.
The aforementioned shall not affect each party’s liability to Data subjects under the GDPR or Applicable legislation or under any Standard contractual clauses which may have been concluded in connection with this DPA, to the extent that such limitation of liability or liability cap would directly breach the GDPR or the Applicable legislation.
15.4. Severability
Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed as if the invalid or unenforceable part had never been contained therein.
15.5. Conclusion and final provisions
No amendment to the terms and conditions of this DPA shall be valid unless made in writing and signed by authorized representative(s) of each party.
This DPA shall be binding upon the parties and their respective successors, assigns, subsidiaries and affiliates.
The online version of this DPA that had been valid and available at the time when the Controller registered his user account and agreed to the terms of the Agreement, shall be deemed as the valid and concluded version of this DPA.
- ANNEX 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE
- ANNEX 2: LIST OF APPROVED SUBPROCESSORS
- ANNEX 3: LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA
ANNEX 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) of the GDPR and together with the DPA serves as a set of data processing instructions, that have been given to the Provider by the Controller in connection with the provision of the Service:
Method and purpose of data collection
In order to provide the Service as it is set out in the Agreement:
a) the Controller or End Customers may input Controller Personal Data directly into the Service themselves;
b) Controller Personal Data may be entered into the Service by partners, affiliates or contractors of the Controller, or by other persons and entities that are authorized or instructed to do so by the Controller.
In both cases outlined above, the Provider is instructed by the Controller under this DPA to collect, store and process the entered data, so that the Controller may use the Service in connection with the relevant and consenting End Customers whose data is processed for the provision of the Service.
Legal Grounds for Processing
The Provider and Provider Affiliates shall only process End Customer Data on the basis of this DPA.
The Controller expressly warrants to the Provider that it has obtained the required consent (or has met the requirements of another valid legal ground) for the processing of the Personal Data of any and all End Customers/Data Subjects prior to entering, integrating or otherwise using such data in connection with the Service.
Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be Processed under this DPA are End Customers (i.e. individuals who offer/enter their Personal Data to the Controller or his Controller Affiliates and other partners in relation to his online store/website and the Service) or other Data Subjects that the Merchant or Merchant Affiliates enter into or integrate with the Service.
Personal Data types and the subject-matter, nature and purpose of Processing
Subject to the use of the Service by the Controller, the following Processing may be carried out by the Provider or his Subprocessors in order to provide each sought after or implemented feature of the Service:
Merchant website visitor / End Customer data that is required for the provision of the Service

Personal Data type* / Other information:
- Basic information on End Customers and website visitors, from account registration or other forms: name and surname;
- Store checkout data: End Customers' contact information (e-mail address, telephone number);
- Other store checkout data: information about the End Customers' purchases and invoices issued (date and place of purchase, purchased items, prices of purchased items, total purchase amount, payment / delivery method, delivery address / billing address, order number and date, coupons used, order status);
- Website analytics data: data on the use of the Merchant's website / online store by visitors / End Customers (IP address, browser used and language version, dates and times of visits to the Merchant's online store, pages or URLs visited, time spent on each page, number of pages visited, total time spent visiting the website, settings set on the website);
- Data linked to online identifiers of Merchant website visitors / End Customers: the list of basic cookies that come with the Shopamine service is available at www.shopamine.com/cookies.

Subject-matter and nature of processing:
- Necessary for offering the core features of the Service (i.e. done automatically when data is entered into the Service): collection, recording, organization, structuring, cloud storage, storage (back-up), deletion, making available, segmentation, transmission.
- Manual (by the Provider or its Subprocessors, based on the request of the relevant Merchant): storage (back-up), adaptation, alteration, retrieval, deletion, making available, segmentation, transmission.
- Situational (i.e. executing Data Subject rights, etc.): disclosure by transmission, dissemination or otherwise making available, restriction, erasure, destruction, storage (back-up).
- Feature based (i.e. when the Controller requests that certain features use the data, whereby the Merchant is responsible for obtaining consent or having other valid legal grounds): combination, profiling, segmentation, storage (back-up), making available, transmission.

Purpose of processing / Duration of processing:
Processing of the relevant data is necessary for the provision of the Service (e.g. processing data for store checkout and other selected features).
Data hosting (primarily by the subcontractor, see Annex 2, and exceptionally by the Provider for backup purposes when requested).
Certain types of processing are also necessary for the performance of various other features of the Service and the normal provision of the Service (e.g. manually correcting mistakes, processing data in order to offer support to the Controller).
The duration of processing is limited to the time necessary to execute the processing (i.e. provide the Service), whereby the data are never processed after they have been deleted. The Provider is obliged under this DPA to destroy all copies of personal data within 15 business days after termination of the Agreement (i.e. after receiving an account or data deletion request from the Merchant) (see Timescales for the keeping of Personal Data and the duration of the Processing below).

Data of employees or representatives of the Merchant for setting up the user account / invoicing / recordkeeping and administration

Personal Data type* / Other information:
Names, surnames, email addresses (business or personal), signature, residency information, credit card information and other data that might be legally required to enter into the Master Service Agreement, communicate with and issue invoices to a Merchant.

Subject-matter and nature of processing:
- Necessary for offering the Service to the Merchant and pursuing the Provider's contractual rights (i.e. communication with the Merchant, invoicing, etc.): collection, recording, organization, structuring, cloud storage, storage (back-up), deletion, making available, segmentation, transmission.
- Manual (by the Provider or its Subprocessors): storage (back-up), adaptation, alteration, retrieval, deletion, making available, segmentation, transmission.
- Situational (i.e. executing Data Subject rights, etc.): disclosure by transmission, dissemination or otherwise making available, restriction, erasure, destruction, storage (back-up).
- Feature based (i.e. when the Controller requests that certain features use the data, for instance if the Merchant wants the data of his employees to be entered into a CRM system of the Provider): combination, profiling, segmentation, storage (back-up), making available, transmission.

Purpose of processing / Duration of processing:
Processing of the relevant representative / employee data for setting up the account, communicating with the Merchant, troubleshooting, offering support, invoicing, record keeping and other necessary/lawful purposes of the Provider in relation to the provision of the Service to the Merchant.
Data hosting for troubleshooting/support communications, record keeping, invoicing and administrative purposes (primarily by the subcontractor, see Annex 2, and exceptionally on the Provider's own backup servers).
Certain types of processing are also necessary for the performance of various other features of the Service and for adding features/upgrades/integrations to the Service upon the request of the Merchant.
The duration of processing is limited to the time necessary to execute the processing (i.e. provide the Service), whereby the data are never processed after they have been deleted. The Provider is obliged under this DPA to destroy all copies of personal data within 15 business days after termination of the Agreement (see Timescales for the keeping of Personal Data and the duration of the Processing below).
Timescales for the keeping of Personal Data and the duration of the Processing
The Provider shall keep (i.e. store in the cloud storage provided to him by the subprocessor described below in Annex 2 or, situationally, in back-up storage, see above) the Personal Data for as long as is necessary to fulfill the purposes of processing and shall delete, and procure the deletion of, all copies of stored Personal Data within 15 (fifteen) business days of the date of termination of the Agreement (i.e. termination of the Master Service Agreement by either the Controller or the Provider under point 12.1 of this DPA, or after receiving an account or data deletion request from the Merchant).
The processing shall continue for the duration of Controller’s use of the Service, whereby most Processing takes place instantly after initiation by the Controller via the Merchant dashboard.
Entities involved in the Processing
Personal Data shall mainly be processed via automatic means by the Service algorithms and software systems (i.e. automatic storage of applicable data, transmission of data, making data available, combining data, etc., see above). Provider’s personnel shall manually process Personal Data upon Controller’s request or when performing job related tasks that require the processing of data (i.e. fulfilling requests, necessary upkeep and monitoring of system and functions, troubleshooting, development of the Service upon the request of the Controller).
ANNEX 2 - LIST OF APPROVED SUBPROCESSORS
The following Subprocessors are hereby approved by the Controller in relation to the provision of the Service under this DPA.
Should the Controller choose to add additional integrations/systems/features to the Service by contacting the Provider or opting to include them through his Merchant account panel (or elsewhere in the Service), this may mean that additional subprocessors that are currently not listed on this list, shall need to be engaged by the Provider in order to fulfill such request. In such situations, the Provider and Controller shall conclude an individual amendment to this DPA or this Annex 2 when necessary, as set out in section 8 of this DPA.
Please note: In light of recent case law and new requirements regarding the processing of personal data of EU data subjects outside of the EEA (Schrems II), the Provider and the Merchant shall each take special care in examining the individual aspects of any potential processing that is related to the provision of the Service and that might be carried out by the USA based Subprocessors listed below, as well as their technical and organizational measures for the protection of personal data, prior to the conclusion of the Agreement and this DPA (i.e. prior to the Start Date). The Controller is thereby asked to assess whether he deems such USA based processors appropriate in relation to his specific needs and potential local legal requirements, and to contact the Provider at firstname.lastname@example.org if additional safeguards need to be put in place prior to the conclusion of the Agreement and this DPA (i.e. prior to the Start Date).
In accordance with this DPA, the Provider is instructed by the Controller to transfer Personal Data to the following listed Subprocessors, so that they may perform the following activities / processing:
Subprocessor: RO-MA RDS, računovodstvo, davki, svetovanje, d.o.o.
Head office: Babškova pot 19A, Lavrica, 1291 Škofljica
Company reg. no.: 2244918000
Activities / processing purpose / data being processed**: Accounting services (only data on employees or representatives, as well as other Merchant data that does not fall under the scope of personal data, is shared/processed).

Subprocessor: XENYA inženiring, proizvodnja in trgovina, d.o.o.
Head office: Celovška cesta 172, 1000 Ljubljana
Company reg. no.: 5591872000
Activities / processing purpose / data being processed**: Data hosting provider (Merchant website visitor / End Customer data that is required for the provision of the Service).

Subprocessor: Chargebee
Head office: 340 South Lemon Avenue Suite 1537, Los Angeles, CA 91789
Activities / processing purpose / data being processed**: The Chargebee ERP system is used for invoicing (only data on employees or representatives, as well as other Merchant data that does not fall under the scope of personal data, is shared/processed).

Subprocessor: Intercom
Head office: 19505 52nd Ave W Ste A, Lynnwood, WA 98036
Activities / processing purpose / data being processed**: The Intercom system offers us a way to communicate with our users through online messages for communication/support purposes (only data on employees or representatives, as well as other Merchant data that does not fall under the scope of personal data, is shared/processed).

Subprocessor: HubSpot
Head office: 25 1st St Fl 2, Cambridge, Massachusetts 02141
Activities / processing purpose / data being processed**: The services of HubSpot may be used should the Merchant decide to include applicable functionalities/addons to his service plan in relation to inbound marketing, sales and customer service integrations.

*Other potential service providers/systems that might be integrated with the website / store of the Merchant upon request: marketing platforms, ERP systems, CRM systems, payment gateways (generally used in connection with Merchant website visitor / End Customer data that is required for the provision of the Service). Please see a list of all potential integrations at:
**Feel free to contact the Provider at email@example.com prior to the conclusion of the Agreement and this DPA (i.e. the Start Date), as well as after this date, if additional safeguards need to be put in place or if you require a more detailed list that includes potential Subprocessor data retention timescales, more information on implemented safeguards and other information.
ANNEX 3: LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA
1. PHYSICAL ACCESS CONTROL
The entrance to the common areas and the office is under supervision, with the key to the entrance of the office being held only by the head of the office, the director and any other supervising employees.
Cabinets, desks and other office furniture in which personal data carriers are kept and which are located outside the protected areas (corridors, common areas) are locked. The keys are kept by the employee who supervises the individual cabinet or desk at a designated place. Leaving keys in their locks is not allowed.
Access to the protected premises is allowed only during regular working hours, whereby access at a different time is only allowed with the permission of the responsible person (supervising employee).
Cabinets and desks containing personal data carriers are locked in protected rooms at the end of working hours or after the completion of work after working hours, while computers and other hardware are switched off and physically locked or locked through software. Leaving keys in their locks is not allowed.
Employees ensure that persons who are not employed by the company (e.g. other Merchants, maintenance staff, business partners, etc.) do not enter the protected premises unattended or without the knowledge / presence of the responsible person.
2. PROTECTION OF DATA CARRIERS CONTAINING PERSONAL DATA DURING WORKING HOURS
Personal data carriers are not left in visible places (e.g. on desks) in the presence of persons who do not have the right to inspect them.
Data carriers containing sensitive or special types of personal data shall not be stored outside secure premises.
Data carriers containing personal data may be removed from the premises of the company only with the permission of the supervising employee, whereby the supervising employee shall be deemed to have given permission by engaging a certain associate in a task which includes the processing of personal data outside the protected premises.
In the premises, which are intended for performing business with external collaborators and others, data carriers which contain personal data and computer displays are placed in such a way that external collaborators do not have access to them.
3. HARDWARE AND SOFTWARE PROTECTION
Measures related to the organization:
- Access to databases determined on the basis of job tasks and responsibilities
- Adopted records of processing
- Adopted an internal data protection security policy
- Adopted a dedicated Data Protection Policy
Measures related to human resources:
- Dedicated Chief Security Officer
- Regular employee training
- Use of dedicated VPN system for remote work situations
Measures related to network protection:
- Separate networks for development, other office tasks and guests
- Separate network accesses based on employee credentials and tasks
Measures related to hardware protection:
- Implemented specialized work stations and remote work computers
- Use of anti-virus software
- Use of employee log-in
Measures related to software protection:
- Use of anti-virus software
- Use of employee log-in
- Use of separated development environments
- Use of “dummy data”
- Implemented code reviews
**Feel free to contact the Provider at firstname.lastname@example.org prior to (or even after) the Start Date in order to obtain a full list of protective measures and technical and organizational measures from the Data Protection Policy of the Provider or of a particular Subprocessor.