Data Processing Agreement

1. Introduction

1.1 This Data Processing Agreement (“DPA”) complements the main agreement (“Merchant Agreement”) between Customer and Supplier regarding service provision. The DPA governs how personal data is handled in connection with the Merchant Agreement.

Unless data protection laws require otherwise, the Customer acts as the sole point of contact for the Supplier under this DPA. This applies even if the data pertains to other controllers (e.g., affiliated companies or those designated by the Customer and approved by the Supplier). The Customer is responsible for:

1.1.1 Coordinating, reviewing, and sending instructions or requests to the Supplier.

1.1.2 Sharing any information, notifications, or reports received from the Supplier with relevant parties.

1.2 Precedence: This Data Processing Agreement (DPA) governs all matters related to personal data processing. In case of any conflict between the DPA and the Main Agreement regarding personal data, the DPA takes precedence.

1.3 Legality: This DPA complies with the General Data Protection Regulation (“GDPR”) requirement for a written agreement between the data controller (Customer) and data processor (Supplier).

1.4 Term: This DPA runs alongside the Main Agreement and automatically terminates when the Main Agreement ends.

2. Definitions

2.1 “Customer” means the entity that has entered into a contract with Supplier and is defined as the “customer” in the Main Agreement. The Customer shall, for the purpose of this DPA, include, where applicable, also entities within Customer’s group of companies.

2.2 “Controller” means the party that determines the purposes and means of Processing Personal Data, acting alone or with others.

2.3 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that is Processed under the Data Processing Agreement.

2.4 “Data Protection Laws” means the applicable laws that aim at protecting the fundamental rights and freedoms of individuals, and specifically their privacy. They include Customer’s national legislation, where applicable, and Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

2.5 “Data Subject” means an identified or identifiable natural person, as defined under Data Protection Laws.

2.6 “Instructions” means written instructions for the Processing of Personal Data by Customer. Such instructions are provided in this Data Processing Agreement, but may be updated or modified from time to time by separate written instructions from the Customer.

2.7 “Personal Data” means any piece of information that refers to an identified or identifiable natural person, as defined under Data Protection Laws.

2.8 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, as defined under Data Protection Laws.

2.9 “Processor” means a party that Processes Personal Data on Controller’s behalf.

2.10 “Subcontractor” means any third party which Processor engages to carry out its obligations under this Data Processing Agreement in accordance with Section 6, and which through this engagement Processes Personal Data for which Customer is Controller.

2.11 “Supplier” is the SHOPLAB entity identified as such in the Main Agreement.

2.12 “Transfer” means a cross-border transfer of Personal Data to territories outside the EU in accordance with Section 11.

3. Processing of Personal Data

3.1 Purpose and categories of Processing and types of Personal Data processed: The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this Data Processing Agreement are specified in Appendix 1.

3.2 Controller: Without affecting any of the foregoing, Customer is Controller for Personal Data Processed by Supplier under this Processing Agreement. Customer is responsible for ensuring that all Personal Data Processed hereunder is collected legally and for the accuracy and quality of the Personal Data.

3.3 Processor: Supplier and its Subcontractors are Processors for the Processing of Personal Data under the Main Agreement and shall only process Personal Data on behalf of Customer and in accordance with Customer’s Instructions. Supplier is responsible for ensuring that the Subcontractors it engages will only Process Personal Data in accordance with the Data Processing Agreement and Data Protection Laws.

3.4 Instructions: The Customer is responsible for providing clear instructions regarding how personal data should be processed. The Supplier will only process the data according to these instructions and this agreement.
If the Supplier believes the instructions might violate data protection laws, the Supplier will notify the Customer promptly. The Supplier won’t be obligated to carry out any instructions that could lead to a data breach, in their reasonable judgment. However, they are not required to independently investigate or research whether instructions comply with the law.

Controller’s original Instructions to Processor regarding the object and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are listed in Appendix 1.

3.5 Remuneration: Without affecting Supplier’s obligations under Data Protection Laws, Supplier is entitled to remuneration on a time and material basis for any added work caused by amended Instructions by Customer (or additional work otherwise caused) pursuant to section 3.4 or other added work not expressly undertaken by Supplier herein.

4. Supplier’s personnel

4.1 Confidentiality: Supplier is responsible for ensuring that Supplier’s and its Subcontractors’ personnel who Process Personal Data for which Customer is the Controller shall maintain secrecy, have received suitable training on Personal Data and are bound by non-disclosure undertakings. The obligation of confidentiality shall remain in force after termination of this Data Processing Agreement.

4.2 Restricted access: Supplier is responsible for ensuring that only personnel of Supplier (and Subcontractors) who need access to Personal Data in order to fulfill Supplier’s undertakings under the Main Agreement (and this Data Processing Agreement) shall have access to the Personal Data.

5. Protection of Personal Data

5.1 Technical and organizational measures: The Supplier shall take the technical and organizational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. Personal Data shall be protected from any type of unauthorized Processing such as change, destruction or unauthorized access and dissemination. Supplier, accordingly, undertakes to take measures in accordance with Article 32 of the GDPR. The Supplier shall be prepared to comply with a competent authority’s decision on measures in compliance with security requirements set out under Data Protection Laws.

5.2 Rights of Data Subjects: Supplier shall notify Customer without undue delay, if Supplier receives a request from a Data Subject regarding his or her rights, such as information, correction or deletion of the Data Subject’s Personal Data. Supplier shall not respond to such a request without Customer’s written consent, except for the purpose of notifying the Data Subject that the request has been received and forwarded to Customer. Supplier shall assist Customer in managing Data Subjects’ inquiries and rights, unless Supplier is prevented from doing so by law or by official decision.

5.3 Supplier shall assist Customer in fulfilling its duties as a Controller of Personal Data to respond to requests regarding Data Subjects, pursuant to administrative procedures and measures adopted and applied by Supplier for such purpose. Supplier shall further render assistance to Customer, and perform measures, as required under Article 28 (3) (a)-(h) of the GDPR.

5.4 Official communications: Supplier shall notify Customer without delay if a government authority contacts Supplier regarding Personal Data Processed hereunder, unless bound by law not to provide such a notification. At Customer’s request, Supplier shall, to a reasonable extent, assist Customer with such official communication, and otherwise provide information in order that Customer may respond to the same within reasonable time. Supplier is not entitled to respond on Customer’s behalf or act in Customer’s name.

5.5 Remuneration. Supplier is entitled to compensation on a time and material basis for work performed assisting Customer to fulfill its obligations in relation to Data Subjects and authorities regarding Data Protection, unless otherwise expressly provided under Data Protection Laws.

6. Subcontractors

6.1 Use of Subcontractors: The Supplier may engage Subcontractors for the Processing of Personal Data hereunder subject to what is otherwise stipulated in this Section 6, and only for the purposes specified in Appendix 1. The Subcontractors currently appointed are listed in Appendix 1.

6.2 Contractual obligation: Supplier is responsible for ensuring that all Processing of Personal Data performed by a Subcontractor is governed by a written agreement with the Subcontractor that corresponds to the requirements of this Data Processing Agreement.

6.3 Change in Subcontractors: Supplier has the right to terminate the agreement with Subcontractors and/or engage new appropriate and reliable Subcontractors, provided that the rules in Section 6 are applied. Before engaging a new Subcontractor, Supplier shall notify Customer in writing of the engagement and shall endeavor, where this is possible, to provide such notice not less than fourteen (14) days prior to the engagement in question. Customer is entitled to object to the engagement, provided that Supplier is notified in writing of the objection within ten (10) days of receipt of Supplier’s notice.

6.4 Resolution of objections: If Customer has objected to a Subcontractor in accordance with the above, the parties shall discuss various activities in order to resolve the situation. If the parties cannot agree on a solution within reasonable time, which shall not exceed thirty (30) days, then each party shall be entitled to terminate the Main Agreement and this Processing Agreement by notifying the other party in writing to this effect. Customer acknowledges and accepts that its objection to the appointment of a Subcontractor may adversely affect Supplier’s ability to perform its undertakings under the Main Agreement (including availability, wholly or partly, of the services to be provided by Supplier thereunder). Supplier is under no obligation to refund any payments made in advance (if any) under the Main Agreement.

6.5 Supplier’s responsibility: Supplier is responsible for the Subcontractor’s Processing of Customer’s Personal Data and is fully responsible for Subcontractors engaged under the Data Processing Agreement.

6.6 List of Subcontractors: Supplier shall maintain a list of all Subcontractors who process Personal Data under the Data Processing Agreement and shall provide Customer with a copy of the list upon request.

7. Audits

7.1 Customer’s right to perform an audit: Supplier shall provide Customer and Customer’s independent auditors with access to such information and Supplier’s premises as may reasonably be necessary for Customer to be able to verify that Supplier fulfills its obligations under this Data Processing Agreement and Data Protection Laws.

7.2 Unless otherwise required by a government authority or Data Protection Laws, Customer shall, by giving reasonable prior written notice (at least thirty (30) days), inform Supplier that it wishes to conduct an audit. The Customer and any persons conducting an audit must enter into adequate confidentiality undertakings prior to such audit and must furthermore adhere to Supplier’s security requirements at the site where the audit shall be conducted. The audit must furthermore, in so far as possible, be conducted so as not to disturb Supplier’s business operations or jeopardize the security of information belonging to other customers. Notwithstanding the foregoing, Customer will primarily rely on applicable existing audit reports or other available verification, if any, to confirm Supplier’s compliance hereunder and to avoid unnecessary repetitive audits; and, unless required by Data Protection Laws, audits will not be made more than once in any twelve-month period. An audit shall not grant Customer access to trade secrets or proprietary information unless required to comply with Data Protection Laws (and Supplier will never be obliged, with regard to any information request or audit, to provide access to any price or other commercial information).

7.3 Audit results: If an audit has shown that Supplier or a Subcontractor has not fulfilled its obligations according to the Data Processing Agreement, then Supplier shall promptly manage and correct this.

7.4 Remuneration: Without affecting Supplier’s obligations under Data Protection Laws, Supplier reserves the right to charge, on a time and material basis, for work performed assisting the Customer in performing an audit.

8. Incidents and data breaches

8.1 Incident management: Subject to its adopted administrative procedures and quality management system, Supplier shall evaluate and act upon events suspected to result in unauthorized access or Processing of Personal Data (“Incidents”). If there is a risk that the Incident may lead to unplanned or illegal deletion, loss, alteration or release of Personal Data to unauthorized persons, then Supplier shall promptly notify Customer of the Incident and shall provide all reasonably relevant information related to the Incident. Supplier shall develop appropriate steps to manage the Incident and mitigate its effects and shall, where appropriate, cooperate with Customer in order to protect Personal Data and with the aim of restoring the confidentiality, privacy and availability of the Personal Data.

8.2 Data Breach: Supplier shall notify Customer without undue delay after becoming aware of a Data Breach under this Data Processing Agreement. The notification shall be made in accordance with Art. 33 of the GDPR. The Supplier shall promptly investigate the Data Breach and take measures to reduce the damage, identify the basic problem and prevent it from happening again. Customer shall be updated with relevant information related to the Data Breach and Supplier’s work, while the work is proceeding, and Supplier shall cooperate with Customer, as appropriate, in order to reduce the damage and to protect the privacy of Data Subjects.

9. Return and deletion of Personal Data

9.1 Return and deletion: Within thirty (30) days of expiration of the Main Agreement, Supplier shall delete all Personal Data Processed by Supplier under this Data Processing Agreement, including Personal Data managed in backups and the like. Alternatively, Supplier shall, upon Customer’s written request (to be provided promptly upon expiration of the Main Agreement), return all such Personal Data.

10. Liability and Limitation of Liability

10.1 Damages and penalties: Supplier is only liable for claims and damages from a Data Subject or a third party and administrative penalties from an authority targeting Customer or otherwise, where Supplier or a Subcontractor has failed to fulfill its obligations under the Data Processing Agreement and/or relevant Data Protection Laws. Customer shall indemnify Supplier with respect to any claims and damages from a Data Subject or a third party and administrative penalties from an authority caused by Customer.

10.2 Limitation of liability: Supplier’s aggregate liability under this Data Processing Agreement shall under no circumstances exceed fifty (50) percent of the remuneration received under the Main Agreement during a period of six (6) months immediately preceding the occurrence of the event upon which liability is based.

11. Transfer of Personal Data

11.1 The processing activities concerning Personal Data, which include storage, are to be conducted as specified herein and further detailed in Appendix 1, highlighting the roles of Subcontractors. It is recognized that the Supplier, either independently or through Subcontractors, is required to perform services from locations beyond the European Economic Area (EEA) as part of the service delivery. This may occur directly or via onward transfer by the Supplier, acting on its own or through authorized Subcontractors located outside the EEA.

The Customer, for itself and on behalf of other Controllers mentioned herein who are established within the EEA, grants explicit written consent, mandate, authorization, and instruction to the Supplier to undertake transfers of Personal Data outside the EEA in the course of providing services under the Main Agreement from non-EEA locations as elaborated below.

Additionally, the Supplier or its Subcontractors are permitted to process Personal Data outside the EU/EEA under certain conditions:

11.1.1 If the recipient is recognized by the EU Commission to provide an adequate level of data protection (e.g., through certification, a framework, or other arrangements).

11.1.2 If the Supplier or its Subcontractor has implemented appropriate safeguards in accordance with Article 46 of the GDPR.

11.1.3 If the transfer and the rights and freedoms of the data subjects are safeguarded through approved Binding Corporate Rules as per Article 47 of the GDPR.

11.1.4 If the transfer and the rights and freedoms of the data subjects are ensured through the use of Standard Contractual Clauses, supplemented, where necessary, with appropriate measures in line with EU recommendations or guidelines (including those issued by the European Data Protection Board (EDPB)).

Data Processors are authorized to transfer Personal Data to third countries for the limited purposes stipulated under this Data Processing Agreement (DPA). Details about these transfers, including information on the relevant Subcontractors, are provided in Appendix 1. It is important to note that the Subcontractor details are pertinent only to the standard System. Should the Customer opt for Third Party Services, additional details regarding the relevant Subcontractors for those services will be furnished to the Customer.


APPENDIX 1

Data Subjects

Processing involves these categories of data subjects:
Customer Data (including Members, Suppliers), Order Data, Authorized users of the System, Members, Suppliers or other individuals registered in the data controller’s applicable systems.

Customer Data: Name, Surname, Street Name, Street Number, Care of Name, Care of Surname, Postal Code, Province, Region, State, Country, Telephone Number, E-mail, Date of birth, Personal Identification Number, Gender, IP address, Information regarding previous purchases, Activities by the data subjects and Other personal information that is stored in the System.

Order Data: Products, Quantities, Prices, Total Order Value, Shipping Options

Authorized users: Name, Surname, E-mail, IP address, Password, Activities by the data subjects

Product Data: Images, Video

Sensitive personal data under article 9 GDPR and other personal information which may be regarded as sensitive from an integrity perspective may not be processed in the System and the Controller is not allowed to import or store such data unless these instructions are explicitly amended in writing and signed by both Parties.

Uploaded Images / Video

This DPA acknowledges that images uploaded by Controller through our services may constitute “personal data” as defined by the General Data Protection Regulation (GDPR).

Reasoning: The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes not only traditional identifiers like names and addresses, but also “indirect identifiers” such as photos and videos. With advancements in facial recognition and other image processing technologies, uploaded images can readily be used to identify individuals, especially when combined with other available information.

Implications: This classification means that the same data protection principles and requirements outlined in the GDPR apply to uploaded images as they do to other forms of personal data. This includes obligations such as:

1. Obtaining clear and informed consent from individuals before processing their image data.
2. Respecting individuals’ rights to access, rectify, erase, or restrict the processing of their image data.

Nature and purpose of the processing

Personal data will mainly be imported from external sources or by the data controller, but can also in some cases be fetched from external service providers.

Customer is the party that decides on the purpose of the Processing of Personal Data under the Main Agreement. The purpose of the Processing of Personal Data by Supplier is limited to:

1. Providing the agreed services such as the provision of software services, support and other services in accordance with the Main Agreement;

2. Implementing, managing and monitoring any underlying infrastructure required to provide services under the Main Agreement and to fulfill the stipulated technical and organizational requirements for the protection of Personal Data;

3. Communicating with Customer and Customer’s personnel;

4. Implementing Customer’s Instructions in accordance with Section 3.4; and

5. Handling service problems, Incidents or Data Breaches.

The duration of the processing

Personal data will be processed for the term of the Main Agreement. The data controller shall set specific retention periods for specific and different categories of personal data.

Security Measures

The Supplier shall take the technical and organizational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. Personal Data shall be protected from unauthorized processing such as change, destruction or unauthorized access and dissemination.
Supplier, accordingly, undertakes to take all measures stipulated in Article 32 of the GDPR, including: 1) the pseudonymisation and encryption of personal data; 2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and 4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The technical and organizational measures we have implemented are summarized below.

Technical security measures

    • Separation of data: Customer data is separated by using logical separation or logical identifiers, tagging information to clearly identify ownership and ensuring that customer data can only be accessed by that customer.
    • Encryption: Data transfers to and from SHOPLAB are protected using encryption following the current established practice. At rest, data is encrypted where technically feasible, at least using disk-level encryption.
    • Testing: Regular and independent vulnerability and penetration testing, and regular security updates and patches.
    • API endpoints: Public API endpoints are protected with secret API keys to prevent unauthorized access to the system and to any and all data stored within it.
    • Access: Private administration access (Console, Web GUI) is protected by an IAM service.

Organizational measures

    • Change control: SHOPLAB maintains a structured change management process to ensure that changes are reviewed and tested before being deployed to production. Roll-back measures are in place in the event of any unintended behavior.
    • Secure testing: SHOPLAB maintains separate production and testing environments.
    • Risk management: SHOPLAB shall have documented processes and routines for handling risks within its operations, and shall periodically assess the risks related to its information systems and to the processing, storing and transmitting of information.

Physical Access control

    • Access to systems and personal data is restricted, on a need-to-know basis, to those who need it in order to provide the SHOPLAB service to customers.
    • User authentication protects access to data processing systems.

Subcontractors

SHOPLAB primarily uses Amazon Web Services (“AWS”) as its hosting provider responsible for processing and storing Personal Data.


| Subcontractor | Country of Jurisdiction | Processing Jurisdiction(s) | Processing Description |
| --- | --- | --- | --- |
| Sendinblue GmbH | Germany | Belgium, France | Marketing and status updates to system users. |
| BunnyWay, informacijske storitve d.o.o. | Slovenia | EU | Image content delivery network, storage, stream. |
| Cloudflare | USA | EU | Content delivery network and Web Application Firewall. |
| Amazon Web Services EMEA SARL | Luxembourg | Austria, Denmark, England, Finland, France, Germany, Ireland, Italy, Poland, Spain, Sweden | Processing, sending, receiving and storing, both short and long term, in databases and in file storage. |


© 2024 Shoplab Sweden AB – All rights reserved