Data Processing Addendum
Effective date: January 01, 2020
This Data Processing Addendum (“DPA”), including its Exhibit attached hereto, forms a part of the Terms and Conditions Agreement between ECOMBIX Oy (“Company”, “we”) and the customer (“Customer”) for the purchase of online services (“Services”) from ECOMBIX Oy and reflects the parties’ agreement with regard to the Processing of Personal Data.
The terms “Personal Data”, “Controller”, “Data Subject”, “Processor” and “Processing” shall have the meaning given to them in Regulation 2016/679 of the European Parliament.
1. “Customer Data” means any Personal Data that Company processes on behalf of Customer via the Service.
2. “Data Protection Laws” means all Personal Data protection and processing laws that apply to Customer Data, including data protection laws and regulations applicable to a party’s processing of Customer Data under Terms and Conditions Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
3. “EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); and (ii) in respect of the United Kingdom (“UK”) any applicable national legislation that replaces or converts in domestic law the GDPR.
4. “Non-EU Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).
5. “Security Incident” means any breach of security that leads to destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data in systems managed by Ecombix Oy.
6. “Service Data” means any data relating to the Customer’s use, support and/or operation of the Service which Customer generates using the Service.
Ⅱ. Roles and Responsibilities
1. Parties’ roles. The parties acknowledge and agree that with regard to the processing of Customer Data, Customer is Data Controller and Company is Data Processor acting on behalf of Customer, as further described in Exhibit A.
2. Purpose limitation. Company shall process Customer Data only in accordance with Customer’s instructions as set forth in this DPA, as necessary to comply with applicable law.
3. Prohibited data. This DPA will not apply to sensitive data. In no case will Company be liable for sensitive data voluntarily provided by the Customer, whether in connection with a Security Incident or otherwise.
4. Customer compliance. Customer represents and warrants that (i) it has all notices and policies required to inform Data Subjects about the Processing and their rights provided by Data Protection Laws; (ii) it has collected all consents and confirmations required for processing of Customer Data by Company pursuant to this DPA; and (iii) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to Company.
5. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.
1. Security Measures. Company shall maintain and implement appropriate organizational and technical security measures designed to protect Customer Data from Security Incidents and preserve the security and confidentiality of Customer Data.
2. Confidentiality of processing. Any person who is authorized by Company to Process Customer Data (including employees, contractors) shall be bound by a non-disclosure obligation.
3. Updates of security. Customer is solely liable to review the information made available by Company regarding security and to make an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
4. Customer acknowledges that Company may update or modify the adopted security measures, provided that it will not lower the overall security of the Service provided to Customer.
Ⅳ. Audits and reports
Company shall respond to all requests for information made by Customer to confirm our compliance with this DPA. This includes, but is not limited to, the provision of information regarding security measures implemented, conducting due diligence, and answering audit questionnaires, provided that Customer shall not exercise this right more than once per calendar year. Such requests can be sent to firstname.lastname@example.org.
Customer Data is processed at Company’s operating offices and in any other places where the parties involved in the Processing are located. It may be necessary to transfer collected Personal Data to countries outside of the European Union for Processing purposes.
Ⅵ. Retention and Deletion of Data
Customer Data shall be processed and stored for as long as required for performance of the contract between Company and Customer, until such contract has been fully performed or terminated. Upon expiration of the contract, Customer Data shall be deleted, unless it should be retained according to applicable Data Protection Laws, or due to a request from an authorized authority, prosecution body or court.
Ⅶ. Data Subject Rights and Cooperation
1. Data subject requests. Company shall provide reasonable assistance to Customer when it comes to compliance with its Customer Data protection obligations. This includes assistance in responding to Data Subject requests made under Data Protection Laws. If a Data Subject request is received by Ecombix Oy, it shall be redirected to Customer. Company shall not respond to such a request unless we receive Customer’s prior authorization, or we are legally required to do so. For the avoidance of doubt, nothing in this DPA shall prohibit, prevent or restrict us from responding to a Data Subject request where we are Data Controller in relation to such Data Subject.
2. Official requests and court orders. If a data protection authority, court or other legal body entitled by Data Protection Laws demands Customer Data from Company, we shall attempt to redirect such request to the Customer. Due to this, Customer’s contact information may be disclosed to the respective authority. If the request is made by a data protection authority, court or other entitled legal body and such request cannot be redirected, then Customer shall be promptly informed about the response given by the Company to the respective authority.
3. Data protection impact assessment. Company shall reasonably assist Customer in conducting a data protection impact assessment by providing all reasonably requested information regarding the Service to allow Customer to carry out procedures required by Data Protection Laws.
Ⅷ. Specific Terms
1. If Customer Data originates from and is protected by the laws of California, the following shall apply. The definitions of: “Data Controller” includes “Business”; “Data Processor” includes “Service Provider”; “Data Subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA.
2. Company’s obligations regarding Data Subject requests apply to Consumer’s rights under the CCPA.
3. For the California consumers, Company may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
4. Any claims brought under or in connection with this DPA shall be subject to Terms of Service.
5. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Company in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Company’s liability under Terms and Conditions Agreement as if it were liability to the Customer under the Agreement.
1. This DPA shall continue to be effective (1) for the term of Processing of Customer Data by Company or (2) until termination of contractual relationships between the parties; it shall remain in effect for as long as Company carries out Customer Data processing operations on behalf of Customer or until termination of the Terms and Conditions Agreement.
2. This DPA shall replace all previous data processing agreements, clauses or similar documents concluded between Company and Customer in connection with Service.
3. Except for any changes made by this DPA, the Terms and Conditions Agreement remains unchanged and in full force and effect.
5. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
6. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms and Conditions Agreement, unless required otherwise by applicable Data Protection Laws.
EXHIBIT A – Details of Data Processing
1. Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
2. Purpose of processing: Customer Data shall be processed for the following purposes: (i) Processing is required to fulfill the Terms and Conditions Agreement; (ii) Processing initiated by the Customer while using the Service; and (iii) Processing is required to comply with specific requests made by the Customer (sent by email or by creating support tickets) that are consistent with the Terms and Conditions Agreement.
3. Nature of the processing: Company provides software that allows synchronizing the process of product listings upload, order and shipment, and refund between Customer’s web marketplace accounts and online shops, as more particularly described in the Terms and Conditions Agreement.
4. Duration of processing: Company will process Customer Data as outlined in Section VI of this DPA.
5. Categories of data subjects: Customer’s clients.
6. Types of Customer Data: By synchronizing the process of product listings upload, order and shipment, and refund, Customer’s third-party accounts shall redirect certain Personal Data to the Service. The extent of such Customer Data is typically controlled and determined by Customer through third-party services. It includes the following types of personal data: (1) identification and contact data (name, surname, address, phone number, email address); (2) financial information (credit card details, account details, payment information); (3) product order details; and (4) communication (messages). For the avoidance of doubt, Company does not collect or process any Sensitive Data in connection with the provision of the Service.
7. Processing Operations: Customer Data will be processed in accordance with the Terms and Conditions Agreement, this DPA and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement and/or as compelled by applicable law.
Security Incident response. Upon becoming aware of a Security Incident, Company shall: (i) notify Customer within 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident.