Annex – Agreement Data Privacy Policy easySales

The Parties acknowledge and agree that the Supplier administers the easySales Platform (ES) and provides for the benefit of the User the intermediation of services contracted by the User related to the sale of the User's Products. To this end, the User determines and indicates through this Agreement to the Supplier the personal data that will be processed by the Supplier in order to carry out the sales process through the easySales Platform. The processing of these personal data will be carried out during the ES Terms and Conditions, and in order to fulfill the object of the ES Terms and Conditions. The Parties declare and guarantee that regarding the personal data of the Customers, the User will have the quality of DATA CONTROLLER, while the Provider will be qualified as DATA PROCESSOR, in accordance with the applicable legal provisions, in particular with GDPR, ie Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). The definitions in the GDPR will apply accordingly.

1 Art. 28 (3) S.1 of GDPR Object and duration, type and purpose of data processing, personal data types and categories of data subjects
  1. Data Controller authorizes and requires the Data Processor:
    • to process personal data in all legitimate and relevant purposes related to the provision of the Services by the Data Processor authorized by the data controller accordingly;
    • to process personal data to the extent necessary to comply with legal obligations of the Data Controller or the person authorized by the Data Controller, including the disclosure of Personal Data to the competent local authorities, hereby;
    • to transfer personal data to subcontractors in accordance with this.
  2. The object of the Agreement, the nature and purpose of the data processing, the types of personal data and the categories of data subjects are set out in Annex A, an integral part of this Agreement.
  3. Unless otherwise agreed, this Agreement enters into force on the Date of Signing, as defined in the ES Terms and Conditions and will apply as long as the Data Processor processes personal data in the name and on behalf of the Data Controller. For the avoidance of doubt, termination of the Contract (for any reason) will result in automatic termination of this Agreement.
2 Art. 28 (3) a), S.3 of GDPR Data processing based on instructions; Obligation to inform
  1. The Data Processor will process personal data only on the basis of written instructions from the Data Controller, including in respect of transfers of personal data to a third country or an international organization (as set out in Annex B ), unless required to do otherwise by EU or Member State law applicable to the Data Processor. In this case, the Data Processor will notify the Data Controller of that legal requirement before processing, provided that such notification is not prohibited by law for important reasons of public interest. At the Signing Date, all these instructions are contained in the ES Terms and Conditions document.
  2. The Data Processor will inform the Data Controller without delay if, in his opinion, an instruction issued by the Data Controller violates the provisions of the GDPR or any other applicable provisions in the field of data protection.
  3. For the avoidance of doubt, the Data Processor is not hereby responsible for providing legal or compliance advice to the Data Controller, or of any other kind, or for performing legal / compliance / analysis or opinions of any kind for the Data Controller.
  4. The Parties do not hereby consider the processing of data of a special nature or for identification purposes, which are excluded from the category of personal data subject to this agreement.
  5. The Data Controller retains responsibility for the lawfulness of the collection of personal data (including for verification of validity and purpose) and their provision to the Data Processor under the agreement, including compliance with and obtaining any authorization / permission, including prior, that may be imposed. (necessary) by a normative or corporate act in this respect.
3 Art. 28 (3) b) of GDPR Confidentiality commitment
  1. In the execution of this agreement, the Data Processor shall ensure that it will involve, as persons authorized to process personal data, only persons who are bound by a confidentiality contract or who are subject to an appropriate statutory obligation of confidentiality.
  2. The Data Processor will work with due diligence to ensure that its employees / contractors authorized to process personal data know all legal requirements applicable to the Data Protection Agreement and that it does not disclose personal data processed to unauthorized third parties, namely that the data are not used / operated by the Data Processor other than what is authorized under the current Agreement.
4 Art. 28 (3) c) of GDPR Security of processing / Technical and organizational measures in accordance with art. 32 of the GDPR
  1. The Data Processor shall take all necessary technical and organizational measures in accordance with Article 32 of the GDPR. These measures are set out in detail in Annex 3.
  2. Technical and organizational measures (TOM) are conditioned by technological progress and development. During this Agreement, the Data Processor shall adapt the TOMs at all times in accordance with the requirements of this Agreement and in accordance with technological advances. The level of security of TOMs, as set out in this Agreement and Annex C, shall not be diminished during this Agreement, compared to versions existing at the date of implementation of the amendments.
  3. The Data Processor undertakes:
    • to document in writing, including in electronic format, the adjustments / modifications made to the technical and organizational measures, which could have a significant impact on the guaranteed level of security, and
    • to bring these adjustments / modifications to the attention of the Data Controller, without undue delay.
    Following such notified changes, Annex 3 will be considered updated.
  4. At the prior request of the Data Controller, the Data Processor will contribute to the creation and / or updating of records on the processing activities of the Data Controller, insofar as they concern any data processing activities carried out through the Data Processor. At the request of the Data Controller, the Data Processor will provide the necessary information and documentation.
5 Art. 28 (3) d) of GDPR Granting of other authorized persons (Sub processors)
  1. Hereby, the Data Controller confirms the general approval, in accordance with art. 28 (2) of the GDPR, given to the Data Processor, to contract other persons empowered for the total or partial execution of the processing operations according to the present; The Data Processor shall inform the Data Controller of any planned changes related to the addition or replacement of other subprocessors. The notification will be made in writing, including in electronic format. The Data Controller will be able to send any opposition within 1 (one) week of receiving the information regarding these changes, providing the justification for this.
  2. At the time of concluding the Agreement, the subcontractors declared by the Data Processor, in the light of the provisions of art. 5.1, acting as proxies for the Data Processor with respect to this Agreement, are those included in the list in Annex 2, an integral part of this Agreement. By signing this Agreement, the Data Controller agrees with the contracting of these authorized persons (subcontractors) by the Data Processor, with the same rigor used for contracting the entities in Annex 2.
  3. Any transfers to third-party countries (including granting access to personal data processed in the name and on behalf of the Data Controller) carried out either by the Data Processor itself or by the subsequent subcontractor, are subject to prior written approval, including in electronic format, by the Data Controller. By signing this Agreement, the Data Controller agrees to make transfers to third countries, to the subcontractors provided in art. 5.2.
6 Art. 28 (3) e) of GDPR Obligations for cooperation and assistance
  1. The Data Processor will assist The Data Controller by all available means and reasonable from an economical perspective and by appropriate technical and organizational measures in order for the Data Controller to meet the obligation to respond to requests to exercise the rights by subject persons, as provided in Chapter III of the GDPR (art. 12 - 23 of the GDPR). The Data Controller shall bear the costs of providing assistance by the Data Processor to the Data Controller in the situations covered by this article.
  2. The direct communication of the Data Processor with the data subject will take place only with the prior written consent of the Data Controller. The Data Processor shall send to the Data Controller all written requests regarding the rights of the data subjects, without unjustified delays.
6 Art. 28 (3) f) of GDPR Assistance for ensuring compliance with the obligations of the Data Controller
  1. The Data Processor shall provide assistance to the Data Controller for ensuring compliance with the obligations in accordance with art. 32 - 36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor. The Data Controller shall bear the costs of providing assistance by the Data Processor to the Data Controller in the situations covered by this article.
  2. Subject to art. 28 (3) f) of the GDPR, the Data Processor shall assist the Data Controller in carrying out an assessment of the impact on data protection in accordance with art. 35 of the GDPR and, if applicable, also at the time of consultations with the supervisory authority in accordance with art. 36 of the GDPR. At the written request of the Data Controller, the Data Processor will provide all the necessary and requested information and documentation, taking into account the nature of the processing and the information available to the Data Processor.
  3. The Data Processor shall inform the Data Controller of any breach of the security of personal data, within a maximum of 24 (twenty-four) hours from the moment it becomes aware of such a situation and will provide the Data Controller with at least the following information:
    1. nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of records of personal data concerned;
    2. the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
    3. the probable consequences of the breach of the security of personal data, according to the assessment of the Data Processor;
    4. the measures taken by the Data Processor or proposed by the Data Processor to be taken by the Data Collector in order to remedy the breach of personal data security, including, where appropriate, measures to mitigate its possible negative effects.
  4. Where and to the extent that it is not possible to provide all the information at the same time, it may be provided in several stages without undue delay.
  5. In case of specific developments made by the Data Processor at the request of the Data Controller on the systems / applications used in the processing of personal data, the Data Processor will provide assistance and support to the Data Controller to ensure compliance with the obligation provided by art. 25 of the GDPR (Data protection from the moment of conception and subsequently implicit). The Data Processor shall take into account, in particular, its instruments, products, applications or services, the principles applicable to protection of data from the moment of conception and implicitly. The respective costs will be covered by the Data Controller.
8 Art. 28 (3) g) of GDPR Deletion and recovery of personal data
  1. To the extent provided by mandatory legal provisions or following the written request of the Data Collector, upon termination of the Agreement, the Data Processor will return the personal data to the Data Controller (including existing copies), unless the applicable law allows / requires the storage / processing of such data by the Data Processor (subject to the principle of minimizing the data processing) or if the Data Processor provides the Data Controller the justification for keeping them (ex. to protect a certain right of the Data Processor).
9 Art. 28 (3) h) of GDPR Demonstration of compliance with the obligations and contribution to audits execution
  1. At the specific request of the Data Controller and in compliance with all the principles of art. 7.1 above, the Data Processor shall make available to the Data Controller all the information at its disposal considered reasonable by the Data Processor to support the Data Controller in demonstrating compliance with the obligations provided by art. 28 of the GDPR. The Data Processor will allow and contribute to the audits, including inspections, carried out by the Data Controller or another auditor mandated by the Data Controller. The audits, including inspections, shall be carried out without affecting in any way the activity of the Data Processor and without impeding in any way the observance and fulfillment of the obligations of security and confidentiality that it has assumed in its relations with other natural and legal persons or which it considers to be in accordance with the law. The Data Controller shall submit any audit request and audit plan at least 30 days prior to its conduct and the Parties shall jointly agree on the planning of the audit / inspection. The costs of any audit / inspection will be fully borne by the Data Controller.
  2. The Data Controller shall provide the Data Processor with a copy of any audit / inspection report made under this Agreement, without delay, as soon as such report / audit is completed.
  3. The Data Controller undertakes not to mandate for the audit / inspection a competitor of the Data Processor, otherwise the Data Processor may validly refuse the audit / inspection.
10 Additional obligations
  1. In case of data security breaches or complaints submitted to the supervisory authority (and also communicated to the Data Processor) regarding the processing of personal data subject to this, or measures / sanctions imposed on the Data processor following inspections or other measures taken by the supervisory authorities with regard to the data covered by this, the Data Controller shall be notified without delay. The Data Controller will offer to the Data Processor all the support in solving these events, within 24 hours at the request of the Data Processor.
  2. Where required by law, the Data Processor shall designate in writing a person responsible for data protection in accordance with art. 37 of the GDPR and, if applicable, a representative, in accordance with art. 27 of the GDPR. The contact details of the person designated as responsible for data protection will be communicated to the Data Controller.
  3. In accordance with art. 30, the Data Processor has the obligation to keep records regarding all categories of processing activities carried out in the name and on behalf of a Data Controller.
  4. The Data Controller will not disclose (in any online or offline media) and will not provide to any third party, any announcement / communication / news regarding the execution of this Agreement, including any incident / event related (eg security incident) without that the Parties consult each other beforehand and agree on the text, the wording of the communication and any other details concerning such communication.
11 Other provisions
  1. If the fulfillment of the purpose of the Agreement, as provided for in section 1 of this Agreement, by the Data Processor is endangered as a result of the filing of an action for bankruptcy or in the event of its bankruptcy; or if they should benefit from the insolvency law of any state or country; or if it should make a cession in favor of his creditors; or in the event that a judicial administrator, custodian or other judicial representative has been appointed in respect of its estate; or as a result of other events or measures taken by third parties, the Data Processor shall notify the Data Controller without delay. The Data Processor shall without delay inform all parties involved that the right to dispose of the data resides exclusively with the Data Controller.
  2. The Parties will maintain the confidentiality of all trade secrets and data security measures of which they become aware in the contractual relationship (including in the implementation of this Agreement). Trade secrets are all (but not limited to) business-related aspects, circumstances and activities that are not generally accessible, but are accessible to a limited group of people. Data security measures represent all technical and organizational measures taken by a Contracting Party in accordance with Annex 3. This obligation of confidentiality shall remain in force for 2 (two) years after the termination of this Agreement.
  3. The liability of the Parties for violations of data protection obligations is regulated by art. 82 of the GDPR.
  4. In the event of any contradiction or discrepancy between this Agreement and the ES Terms and Conditions, the provisions of this Agreement shall prevail. Moreover, the provisions of the standard contractual clauses / standard data protection clauses will prevail, if applicable.
  5. If any provision of this Agreement is or becomes invalid, the other provisions will remain in effect and will not be affected.
  6. Unless otherwise specified, any amendment to this Agreement, including its termination and this clause, shall be made in writing by agreement of the Parties. Exceptionally, if the Data Processor considers at any time that there are arguments to argue that the relationship between the Parties, with respect to the processing of Data, is one in which the Parties have qualities other than those specified in this Agreement, the Parties commit to reflect such a situation by concluding an addendum to this, which should reflect at the contractual level the factual situation, in accordance with the provisions of the GDPR.
  7. The parties expressly agree that the Data Processor will be entitled to process the Customer Data, for the purposes and under the conditions mentioned in the information note from easy-sales.com.
  8. Either Party shall have the right to unilaterally terminate the Agreement for good cause, in the event of repeated serious breaches of any data protection provision of this Agreement, without eliminating or limiting in any way the liability of the Party that has breached its obligations under this Agreement or imposed by the requirements and provisions of the GDPR.
  9. This Agreement shall be governed by and construed in all respects in accordance with the substantive law of the State in which the Data Processor is established, excluding any conflict-of-law that may provide that the law of another jurisdiction shall apply. The competent courts of Bucharest shall have exclusive jurisdiction over the settlement of all disputes arising out of or in connection with this Agreement.
  10. All data processing contracts / similar acts / agreements - if any - that exist between the Parties on this date (including any specific data processing clauses in the Main Agreement) will automatically cease to have effect and will be replaced by this Agreement from Signing date.

Annex A to the Agreement on the processing of personal data:

Object (of this Agreement)
  • Data Controller
 Authorized Seller
  • Data Processor
 Provide online intermediation services by ES for the benefit of the Seller; ES acts as a commercial agent of the Seller.
Type / Categories of personal data
  • Categories of personal data
Personal data:
  • surname and first name,
  • mobile phone,
  • delivery address,
  • e-mail address
  • shopping history
  • AWBs
  • Invoices
  • Special categories of personal data
 NOT APPLICABLE
Persons Buyers of Products (Customers)
Nature and purpose of processing
  • Processing operations
  • Technical support for placement and implementation of orders resulting from the purchase of Products;
  • Technical support regarding the completion / status of Orders;
  • Technical support in AWB generation;
  • Technical support in generating invoices for Products;
  • Technical support for collection of the price of the Products;
  • Technical support for operations on completed orders - cancellation, replacement (modification), return
  • Technical support for answering questions and complaints from customers;
  • Technical support in documenting Customer feedback,
  • Support and maintenance.
  • Nature of processing
The following forms / types of processing of personal data apply and are the subject of the contract between the Parties (art. 4 no. 2 of the GDPR)
  • adaptation or modification,
  • recovery,
  • consultation,
  • use
  • disclosure by transmission,
  • dissemination or provision,
  • alignment or combination,
  • restriction,
  • deletion or destruction,
  • other type of processing:

Annex B to the Agreement on data processing - List of subcontractors contracted

Subcontractor
 Place of processing Date of contract for data processing Description of security measures implemented in respect of transfers to Countries Third parties (art. 44 GDPR) Link to information note on personal data processing
Document archiving / storage services (including cloud storage service providers), Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210, DOOR. Frankfurt - https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf https://aws.amazon.com/agreement/
Automated Email Forwarding Services, Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210, USA. Frankfurt - https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf https://aws.amazon.com/agreement/
Billing Services, Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210, USA. Frankfurt - https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf https://aws.amazon.com/agreement/

Annex C to the Agreement on data processing: Technical and organizational measures of the Data Processor in accordance with art. 32 GDPR

Considering

  • the latest technology
  • implementation costs
  • nature, scope, context and
  • purposes of the processing and
  • the changing probability and severity of the risk to the rights and freedoms of natural persons,

The Data Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

When assessing the appropriate level of security, special attention shall be paid to the risks associated with the processing performed in the name and on behalf of the Data Controller (in accordance with Annex 1). This is due, in particular, to the risk of unauthorized destruction, loss, alteration or disclosure or unauthorized access, either accidentally or illegally, to personal data which are transmitted, stored or otherwise processed, especially if it may lead to physical, material or immaterial damage.

DETAILS OF RISKS AND, CORRELATIVELY, OF SECURITY MEASURES WILL BE DETAILED

Therefore, the Data Processor will take in particular the following measures:

I. Measures to ensure confidentiality * (art. 32 (1) b) of the GDPR)

  1. 1Ensuring control of access to the premises where personal data is processed
    • Unauthorized persons do not have physical access to surroundings, buildings, offices where personal data processing systems are located
    • Exceptions include third parties whose object of activity is the audit of facilities while third parties are supervised.
  2. 2. Ensuring control of access to the system in which the personal data of the Data Controller is processed
    • All personal data processing systems are password protected, including for remote access, to prevent unauthorized access to these systems,
    • There is a user management system that can be authenticated based on a unique identifier
    • Each user is assigned a password for authentication,
    • There is a management system implemented to ensure users' rights to the personal data processing,
    • The system is configured in order to ensure a minimum control on the personnel who has access to perform its duties,
    • A solution is implemented for logging access to critical systems
    • An access deactivation procedure is implemented when an employee leaves the company
  3. Ensuring access control for administering the system in which personal data is processed
    • All data processing systems are password protected, including for remote access, to prevent unauthorized access to these systems,
    • There is a user management system in place that can be authenticated on based on a unique identifier
    • Each user is assigned a password for authentication,
    • There is a management system implemented to ensure users' rights to the personal data processing,
    • The system is configured to be assigned a minimum control to staff who have access to perform their duties,
    • A solution for logging access to critical systems is implemented
    • A procedure for disabling access is implemented when an employee leaves company

II. Measures to ensure data integrity * (art. 32 (1) b) of the GDPR)

  1. Measures to ensure data integrity * (art. 32 (1) b) of the GDPR)
    • Data transmitted between ES systems shall be transmitted via the SSL communication protocol
    • Data transmitted are encrypted during transmission between ES systems
  2. Data entry control

    Measures to ensure the possibility of verification and determination at a later stage whether and by whom personal data were entered, modified or deleted in / from data processing systems:

    • Login of actions undertaken by the user in the ES interface
    • There is a system for logging all requests for registration and sending personal information

III. Measures to ensure availability and resilience of data * (Art. 32 (1) b) c) of GDPR)

  • Personal data are saved in backups to be restored in the shortest time
  • Recovery procedures were designed in case of Disaster
  • Procedures have been designed in order not to allow the deletion of personal data without the consent of authorized personnel

IV. Measures to ensure the limitation of the purpose of processing personal data

  • Control methods have been implemented that allow only to authorized personnel the modification of personal data