Privacy Policy | Web Store | Privacy Statement (for GDPR)



When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing (if applicable): With your permission, we may send you emails about our store, new products and other updates.


How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.

How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at anytime, by contacting us at or mailing us at:
Nahkatehtaankatu 2 OULU FI 90130


We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.


Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.

If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service ( or Privacy Statement (


In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.

When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.


To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with a AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.


Here is a list of cookies that we use. We’ve listed them here so you that you can choose if you want to opt-out of cookies or not.
_session_id, unique token, sessional, Allows Shopify to store information about your session (referrer, landing page, etc).
_shopify_visit, no data held, Persistent for 30 minutes from the last visit, Used by our website provider’s internal stats tracker to record the number of visits
_shopify_uniq, no data held, expires midnight (relative to the visitor) of the next day, Counts the number of visits to a store by a single customer.
cart, unique token, persistent for 2 weeks, Stores information about the contents of your cart.
_secure_session_id, unique token, sessional
storefront_digest, unique token, indefinite If the shop has a password, this is used to determine if the current visitor has access.


By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.


We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.


If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Privacy Compliance Officer at or by mail at
[Re: Privacy Compliance Officer]
Nahkatehtaankatu 2

OULU FI 90130



26 March 2018

This Data Processing Addendum (this "DPA") applies to all customers using Nosto’s Service and / or any Additional Services (“Customer”, “you). This DPA should be read carefully in order to understand your rights and responsibilities, as well as ours.

By accessing or using the Service you acknowledge and agree that you have read, understood, and agree to be bound by this DPA. We may update this DPA from time to time; by continuing to use the Service after Nosto publishes notice of a modification on you thereby accept the modification. If you do not agree with the terms outlined in this DPA, you should immediately discontinue using the Service.

This DPA includes Sections 1, 2 and 3 and shall be considered an integral part of Nosto’sTerms of Use (available at, as updated from time to time) between the Customer and Nosto, or any other agreement between the Customer and Nosto governing Customer's use of the Service provided by Nosto (the "Service Agreement").

1. Effectiveness.

  1. For the avoidance of doubt, this DPA applies only to Nosto Service purchased from Nosto and does not apply to a service the Customer purchases from any seller of record other than Nosto.

  2. The Customer represents and warrants to Nosto that he or she has the legal authority to bind and lawfully enter the Customer into the Service Agreement.

  3. This DPA will terminate automatically upon termination of the Service Agreement or Terms of Use (as the case may be), or as earlier terminated pursuant to the terms of this DPA.

Data Processing Terms

  1. Definitions. Unless otherwise defined in the Service Agreement, all capitalized terms used in this DPA will have the meanings outlined below:

    1. "Nosto Infrastructure" is defined as Nosto and its service providers and / orsubcontractor’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Nosto’s control and are used to providethe Services.

    2. "Nosto Security Standards" is defined as the security standards attached to this DPA as Section 2.

    3. "Customer Data" is defined as the "personal data" (as defined in Regulation) that is processed within Nosto Infrastructure under the Customer’s accounts.

    4. "Regulation" is defined as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    1. "EEA" is defined as the European Economic Area.

    2. "Processing" has the meaning given to it in the Regulation and "process", "processes"

      and "processed" will be interpreted accordingly.

    3. "Standard Contractual Clauses" is defined as agreement pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the Regulation forming part of this DPA.

  2. Data Processing

    2.1. Scope and Roles. This DPA applies when Customer Data is processed by Nosto and its subcontractors. ln this context, Customer shall act as "controller", Nosto shall act as"processor" and Nosto’s subcontractor(s) shall act as “Sub-processor” with respect toCustomer Data (as each term is defined in the Regulation). Notwithstanding the foregoing, Nosto shall act as the data controller with respect of the personal data we may have collected from you during registration or provision of support services, if any.

    2.2. Details of the Data Processing. The details of the data processing such as subject- matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are specified in the Section 3 “Data Processing Details”.

    2.3. Compliance with Applicable Laws. Each party will comply with laws, rules and regulations applicable to it and binding on it in the performance of this DPA, especially including Regulation. As controller, the Customer shall be liable that it has the necessary rights and that it has obtained the necessary consents from the data subjects for Nosto’s (and its Sub-processors) processing of personal data. The Customer shall also be liable for drafting the relevant privacy statement and cookie policy or otherwise informing the data subjects of the processing of personal data in accordance with the Regulation. By using the Service, you represent and warrant that you have informed

and obtained necessary consents from your employees and the end user of your Online Store needed for the processing of their personal data.

  1. 2.4. Special Categories of Personal Data. Customer hereby acknowledges and agrees that sending or storing any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life orsexual orientation “Special Categories of Personal Datain the Service is strictly forbidden. By using the Service, you represent and warrant that you will not send or store any Special Categories of Personal Data in the Service.

  2. 2.5. Instructions for Data Processing. Nosto (and its subcontractors) will process Customer Data only in accordance with Customer's documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the processor is subject, in which case Nosto shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The parties agree that this DPA is Customer's complete and final instructions to Nosto in relation to processing of Customer Data. Processing outside the scope of this DPA (if any) will require prior written agreement between Nosto and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Nosto for carrying out such instructions. Customer may terminate this DPA, including the Service Agreement, according to the provisions set forth in Terms of Use if Nosto declines to follow instructions requested by Customer that are outside the scope of this DPA.

  3. 2.6. Access or Use. Nosto will not access or use Customer Data, except as necessary to provide the Service as defined in Service Agreement applicable between Nosto and Customer. Nosto may also use statistical, aggregated or otherwise anonymized data collected by the Service, provided that such data will not be directly or indirectly identifiable to the Customer or its customers.

  4. 2.7. Disclosure. Nosto will not disclose Customer Data to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Nosto a demand for Customer Data, Nosto will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Nosto may provide the Customer's basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Nosto will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless Nosto is legally prohibited from doing so.

  5. 2.8. Nosto Personnel. Nosto restricts its personnel from processing Customer Data without authorization as described in the Section 2 “Nosto Security Standards. Nosto will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  6. 2.9. Customer Controls. The Service provides the Customer with controls to enable the Customer to delete or block Customer Data as described within the Service. Nosto makes available a number of features and functionalities that the Customer may elect to use. The Customer is responsible for properly (a) configuring and using the Service, (b) using the controls available in connection with the Service, and (c) taking such steps as the Customer considers adequate to maintain appropriate security, protection,

deletion and backup of Customer Data. The Customer may use these control as Nosto’sassistance by appropriate technical and organizational measures for the fulfilment of the Customer's obligation as a controller under the Regulation to respond to requests for exercising the data subject's rights.

2.10. Assistance with Prior Consultation and Security of Processing. The information made available by Nosto under Section 2 “Nosto Security Standards” isintended to assist the Customer in complying with the Customer’s obligations underthe Regulation articles 32 and 36, taking however into account the nature of processing and the information available to Nost0.

2.11. Customer Indemnification. You agree to indemnify and hold Nosto (and our subsidiaries, officers, directors, employees) harmless from any claim or demand,including reasonable attorneys’ fees, made by any third party due to or arising out ofyour breach of the above sub-section 2.3 and 2.4 of the Section 1 “Data ProcessingTerms”.

  1. Transfers of Personal Data

    3.1. Regions. While providing the Service to the Customer, Nosto uses third party serviceproviders and subcontractors (“Sub-processors”) located in USA. Therefore, it is necessary for Nosto to transfer Customer Data to Sub-processors based on either the Data Processing Agreements which incorporate the Standard Contractual Clauses or by abiding to the EU-USA Privacy Shield. By accepting the Terms of Use and / or the Service Agreement, the Customer authorizes Nosto to enter into the required Data Processing Agreement(s), including where applicable the Standard Contractual Clauses, with Sub-processors on behalf of the Customer. Nosto has implemented technical and organizational precautions defined in this DPA to protect the security and integrity of Customer Data processed by Nosto Infrastructure.

    3.2. Application of Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Data that is transferred, either directly or via onward transfer, to Sub-processor located in USA. The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses will not apply: if Sub-processor in question has adopted an alternative recognized compliance standard for the lawful transfer of personal data (such as Privacy Shield) outside the EEA.

  2. Security Responsibilities of Nosto

    1. 4.1. Nosto is responsible for implementing and maintaining the technical and organizational measures for the Facilities as described in the Nosto Security Standards and clause 3.2 of the Section 1 Data Processing Terms designed to help the Customer secure Customer Data against unauthorized processing and accidental or unlawful loss, access or disclosure.

    2. 4.2. The technical and organizational measures include the following:

      1. (i) Nosto has implemented and will maintain measures to ensure the physical security of the Facilities as set out in clause 1.2. of the Section 2 Nosto Security Standards;

      2. (ii) Nosto has implemented and will maintain measures to ensure the security of the Nosto Infrastructure as set out in clause 1.1 of the Section 2 Nosto Security


  1. (iii) Nosto has implemented and will maintain measures to control access rights for Nosto employees and contractors in relation to the Nosto Infrastructure as set out in clause 1.1 of the Section 2 Nosto Security Standards. The Customer has implemented and will maintain measures to control access rights to Customer Data;

  2. (iv) and Nosto will process Customer Data in accordance with the Customer's instructions as described in clause 2.5 of the Section 1 Data Processing Terms.

  1. Audit rights of the Customer

    1. 5.1. Nosto shall make available to the Customer all information necessary to demonstrateNosto’s compliance with its obligations set out in this DPA and in the Regulation.

    2. 5.2. Nosto will use best endeavors to enter into contractual arrangement with Nosto’s Sub- processors which entitle the Customer to contribute to audits, including inspections, with respect to Nosto Infrastructure. Notwithstanding the foregoing, the Customer acknowledges and agrees that Nosto cannot guarantee that the Customer will beentitled to audit Nosto’s Sub-processors (or their Sub-processors) directly. Accordingly, upon the Customer’s request (and at the Customer’s sole cost) Nosto may engage independent external auditors to audit that the processing of personal data within Nosto Infrastructure complies with its data protection obligations. To prove compliance with its obligations, Nosto will provide the report to the Customer subject to separate non-disclosure agreement. To the extent not covered by the independent audit reports, the Customer or an external auditor mandated by the Customer may audit Nosto’scompliance with the data protection obligations under this DPA. For the sake of clarity, in no event shall Nosto’s competitor to be qualified to audit Nosto or Nosto Infrastructure.

    3. 5.3. The Parties shall agree on the time and other details of the audit at least 30 business days before the audit or inspection. The audit or inspection shall be conducted so that the time, work, costs and the harm caused to Nostos business is minimized (including but not limited to any harm to Nostos customers, partners, Sub-processors and vendors). Nosto confidentiality obligations towards third parties shall be respected. All Customer’s representatives or external auditors participating in the Audit shall signseparate confidentiality agreements.

    4. 5.4. Nosto shall correct reported deficiencies without undue delay. Only if the audit reveals material deficiencies in Nosto’s performance, Nosto shall bear its own costs for the audit.

  2. Security Breach Notification

    1. 6.1. If Nosto becomes aware of either (a) any unlawful access to any Customer Data stored on Nosto's equipment or in Nosto Infrastructure; or (b) any unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Incident"), Nosto will promptly: (a) notify the Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

    2. 6.2. Customer agrees that:
      (i) an unsuccessful Security Incident will not be subject to this clause 4. An

unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Nosto Infrastructure or Facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and

(ii) Nosto's obligation to report or respond to a Security Incident under this clause 4 is not and will not be construed as an acknowledgement by Nosto of any fault or liability of Nosto with respect to the Security Incident.

6.3. Notification(s) of Security Incidents, if any, will be delivered to one or more of the Customer's administrators by any means Nosto selects, including via email. It is the Customer's sole responsibility to ensure the Customer's administrators maintain accurate contact information on the Nosto management console at all times.

7. Sub-processing.

7.1. Authorized Sub-processing. The Customer agrees that Nosto may use Sub- processors to fulfil its contractual obligations under this DPA and / or Service Agreement or to provide certain services on its behalf, such as providing support services. The section 3 “Data Processing Details” lists Sub-processors that are currently authorized by Nosto to access Customer Data. Nosto will inform at least 14 days before Nosto authorizes and permits any new Sub-processors to access Customer Data. The Customer hereby consents to Nosto's use of Sub-processors described in the clause 5 of the Section 1 Data Processing Terms. Except as set forth in this DPA, or as the Customer may otherwise authorize, Nosto will not permit any Sub-processors to access Customer Data.

7.2. Sub-processors Obligations. When Nosto authorizes any Sub-processors as described in the above clause 5.1 of the Section 1 Data Processing Terms:




Nosto will restrict the subcontractor's access to Customer Data only to what is necessary to maintain or to provide the Service to the Customer in accordance with the Service Agreement and Nosto will prohibit the Sub-processor from accessing Customer Data for any other purpose;

Nosto will impose appropriate contractual obligations in writing upon the subcontractor that are no less protective than this DPA, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and

Nosto will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Nosto to breach any of Nosto's obligations under this DPA.

8. Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Nosto, Nosto will inform the Customer without undue delay. Nosto will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is the Customer's property and area of responsibility and that Customer Data is at Customer's sole disposition.

9. Nondisclosure. The Customer agrees that the details of this DPA are not publicly known

and constitute Nosto's Confidential Information under the confidentiality provisions of the Service Agreement. lf the Service Agreement does not include a confidentiality provision protecting Nosto’s Confidential Information and the Customer and Nosto or its affiliates do not have a non-disclosure agreement in place covering this DPA, then the Customer will not disclose the contents of this DPA to any third party except as required by law.

10. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. Unless otherwise namely stated in the Service Agreement, in case of a conflict between the Service Agreemen and / or Terms of Use available at and this DPA, the terms of this DPA will control.

Nosto Security Standards

1. lnformation Security Program. Nosto will maintain an information security program in accordance with article 32 of the Regulation (including the adoption and enforcement of internal policies and procedures) designed to (a) help the Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Nosto Infrastructure, and (c) minimize security risks, including through risk assessment and regular testing. Nosto will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

(a) the pseudonymization and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

1.1. Security of Nosto Infrastructure

  1. 1.1.1. Data Center and Secure environment. All servers are hosted by Amazon Web Services (AWS) which is among the biggest cloud computing providers and has long track record running data centers reliably and securely. AWS manages data center infrastructure, physical security and continuity as a data center provider. For more details, see AWS security whitepaper. Service is being run in virtual private cloud (VPC) where access to each subsystem is limited with firewall and accessing them requires VPN connection with TOTP multi-factor authentication. Accessing AWS resources via API’s requires authentication toAWS IAM with access key and secret access key. Authentication to IAM using username and password requires TOTP multifactor authentication.

  2. 1.1.2. Access to Nosto Infrastructure. The Nosto Infrastructure Network will be accessible to Nosto Personnel, contractors and any other persons as necessary to provide the Services (such as Sub-processors). Nosto will maintain access controls as described in clause 1.1.1. of the Nosto Security Standards and policies to manage what access is granted to the Nosto Infrastructure from each network connection and for each user. Access permissions are limited to minimal resources and actions as required by job responsibilities.

  3. 1.1.3. Auditing. Audit logging of the Nosto Infrastructure is done on multiple levels, including activities performed by Nosto Personnel, Customers or system components. Attempts to do modifications to audit configuration occurring while the audit collection functions are operating are logged. These logs are forwarded to a remote and centralized logging system where they can be monitored. Logs are saved in dedicated database cluster that is replicated for redundancy and availability. Configuration changes to AWS resources are tracked; these logs include detailed information about API calls to AWS resources.

1.2. Physical Security

  1. 1.2.1. Physical Access Controls. Access to Nosto facilities (the "Facilities") does not grant any access to Nosto Infrastructure. Physical barrier controls are used to prevent unauthorized entrance to the Facilities. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Visitors at the Facilities are continually escorted by authorized employees or contractors.

  2. 1.2.2. Unlimited Employee and Contractor Access. Nosto provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Nosto or its affiliates.

1.2.3. Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Nosto also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including motion detection devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged.

2. Continued Evaluation. Nosto will conduct periodic reviews of the security of its Nosto Infrastructure and adequacy of its information security program as measured against industry security standards and its policies and procedures. Nosto will continually evaluate the security of its Nosto Infrastructure and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

Data Processing Details

Subject matter of the processing

The subject matter of the data processing under this Addendum is the Customer Data.

Duration of the processing

As between Nosto and the Customer, the Customer (as a controller) has the obligation to determine the duration of the data processing under this Addendum.

After the end of the provision of the Services, the Customer shall delete the Customer Data using the controls available in connection with the Service or request Nosto to delete the Customer Data or have the Customer Data returned by Nosto at Customer ́s cost.

Nature of the processing

"The Service analyzes the behavior of visitors in the Customer's Online Store in order to provide the visitors with meaningful purchase recommendations. Depending on the feature set used by the Customer, these recommendations may be displayed onsite or through emails or Facebook and Instagram."

Purpose of the processing

The purpose of the data processing under this Addendum is the provision of the Services initiated by the Customer.

Type of personal data

First name, last name, email address, user agent (browser), IP address, events, viewed products, order events, cart content, liked products, disliked products, external campaign attributions, clicked recommendations, order information, phone number, zip code, country code, sent emails.

Categories of the data subjects

The data subjects include the Customer’s customers.


Amazon Web Services, Inc.; SendGrid, Inc.

Shopify GDPR


April 20, 2018


Please note that this document is provided for informational purposes only. Its contents may be subject to change over time. The information in this whitepaper does not modify existing contractual arrangements and may not be construed as legal advice.


Table of contents

Disclaimer 1

Table of contents 2

Introduction 4

Terms 4

Global GDPR application 5

Who does the GDPR apply to? 5 Shopify 5 Merchants and partners 5 Buyers 6

What data does the GDPR apply to? 6

Controller vs. processor status 6

Processor obligations 8 Subprocessing 9 Data protection impact assessments 9 Personal data breach reporting 9 Appointment of a Data Protection Officer 10

Controller obligations 10 Facilitating requests 10 Posting a privacy notice 10 Complying with marketing and cookie regulations 11 Obtaining consent to process children’s data 11

Legal basis for processing 11

Data transfers 13

Within EEA 14 EEA to Canada 14 United States 14 Disclosures to third parties 15 Shopify ecosystem 16 App Store disclosures 16

Data subject rights 16

Erasure 17 Timing 17


Scope 18 Access 18 Data portability 19 Rectification 19 Automated decision-making 20

Data protection and security 21

Organisational measures 21 Technological measures 22 Monitoring and logging 22 Security controls 22 Security standards and certifications 23

Contractual agreements and data processing addenda 23

Shopify plans 23 Shopify Plus plans 24

Accountability and transparency 24 FAQ 25

What do I do if I have more questions about the GDPR or my local privacy laws? 25

Who can I contact for more information on Shopify’s practices? 25

If I use Shopify to host my store, does my business comply with GDPR? 25

Will Shopify sign Standard Contractual Clauses? 26



Shopify is working to make sure that it will comply with the European Union’s General Data Protection Regulation (GDPR) when it takes effect on May 25, 2018, and to make sure that its merchants will also be in a position to comply in relation to their use of Shopify. This whitepaper presents Shopify's approach to GDPR preparation and compliance.


BCRs: ​Binding Corporate Rules.
Buyer:​ Person visiting a store hosted by Shopify.
Controller:​ Party that determines how and for what purposes personal data is processed.
DPIA: ​Data Protection Impact Assessment.
EEA:EuropeanEconomicArea.EEAcountriescurrentlyincludeAustria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
GDPR: ​General Data Protection Regulation.
NDA: ​Non-disclosure Agreement
Partner: ​Party that creates Shopify stores on behalf of merchants.Personal data:​ Any information relating to an identified or identifiable person.
PIPEDA:​ Personal Information Protection and Electronic Documents Act.Processor:​ Party that processes personal data on behalf of the controller.


Global GDPR applicationWho does the GDPR apply to?


The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because Shopify works with merchants who serve buyers in the EEA, and serves buyers in the EEA directly, the GDPR applies to these elements of its business.

However, because Shopify believes strongly in data protection and privacy, it will give all of its merchants and partners the ability to offer their buyers the rights afforded by the GDPR to control their personal data, wherever they live. Additionally, Shopify will provide tools and processes for its merchants to fulfill GDPR-related requests from their buyers regardless of the buyer’s location.

Merchants and partners

Separate from the way in which the GDPR applies to Shopify, the regulation also applies to Shopify’s merchants and partners who operate in the EEA or offer goods or services to residents of the EEA.

While Shopify is working to make sure that its own operations will comply with the GDPR, and to provide its merchants and partners with the tools to help its merchants comply with the GDPR, each merchant is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate or have buyers.

Using Shopify does not guarantee that a merchant or partner complies with the GDPR.



The GDPR also gives certain rights to identified or identifiable persons (referred to as ​data subjects), including buyers visiting stores belonging to Shopify merchants. These include the right to request:

  • Deletion (erasure​) of their personal data

  • Correction (rectification)of their data

  • Access to their data

  • An export of their data in a common (​portable)format

    This topic is discussed more fully in the ​Data subject rights​ section.What data does the GDPR apply to?

    The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • Name

  • Identification number

  • Location data

  • Online identifier (such as IP address or cookie ID)1

    Controller vs. processor status

    The GDPR separates data protection responsibilities into two categories: controllers and processors.

    Controller:​ The party that determines for what purposes and how personal data is processed.2

    1 General Data Protection Regulation, Article 4(1).2 General Data Protection Regulation, Article 4(7).


Processor:​ The party that processes personal data on behalf of the controller.3

Under the GDPR, in most cases the merchant collects information from their buyers as a controller. Generally, Shopify acts as a processor for the merchant with respect to such buyer personal data (or, if the merchant acts as a processor, Shopify acts as a subprocessor):

The one exception is for buyers with whom Shopify has a direct existing relationship. For example:

  • Buyers who use Shopify's Frenzy flash-sale app to access a merchant's store

  • Buyers who use Shopify Pay, which allows the buyer to store their payment information with Shopify for use across different Shopify stores

  • Buyers who use Shopify’s Arrive app to track the status of orders made from a merchant’s store

    Although in such cases the merchant may also separately be a controller of the buyer’s personal data, Shopify processes the personal data of these buyers as a controller, as indicated in the following diagram:

    3 General Data Protection Regulation, Article 4(8).


Processor obligations

To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller.

Where Shopify is a processor for a merchant, it processes personal data on documented instructions from merchants. For example, when a merchant clicks ​Fulfill items,they give Shopify the instruction to process the data necessary to perform that action.4

Similarly, when a merchant selects a particular payment processor, or installs an application through the Shopify app store, they give Shopify the instruction to transmit data to the relevant party.

The GDPR also places several other responsibilities on the processor, discussed below:

4 See section 2.2.1 of Shopify's Data Processing Addendum:



Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Shopify uses a number of subprocessors to provide the service, including to:

  • Store platform data

  • Operate the forums and other portions of Shopify's website

  • Respond to and manage support inquiries

    When a merchant signs up for the Shopify service, they consent to allow Shopify to use subprocessors. A list of subprocessors is available upon request.

    Data protection impact assessments

    Shopify is formalising the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. Shopify will help answer reasonable questions a merchant has about Shopify’s processing activities.

    Personal data breach reporting

    Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.

    Shopify is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant's contract with Shopify.


Appointment of a Data Protection Officer

Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.

Shopify’s Data Protection Officer can be reached at ​ should consider whether they also need to appoint a Data Protection Officer.5

Controller obligations

Under the GDPR, the controller has the following responsibilities:

Facilitating requests

Controllers are obligated to help data subjects exercise their rights.6Shopify’s merchants can do this by forwarding buyer requests to Shopify,

asdetailedintheDatasubjectrights​sectionofthisdocument.Posting a privacy notice

When personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller.7

Merchants are responsible for providing this information to their buyers. Shopify provides this information in the Shopify Privacy Policy where it is

5 General Data Protection Regulation, Article 37.
6 General Data Protection Regulation, Article 12(2).7 General Data Protection Regulation, Article 13.


a controller, and encourages merchants to provide this information in their own privacy policies.8

Complying with marketing and cookie regulations

Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate.

Merchants with EU buyers should make sure that they obtain appropriate consent for the use of cookies—the ePrivacy Directive generally requires some form of consent in order to use tracking technologies.9

All merchants should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.

Obtaining consent to process children’s data

When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child's parents for processing their data.10

Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain buyers.

Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal

8 Shopify’s Privacy Policy:​.
9 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Will be replaced by the ePrivacy Regulation.
10 General Data Protection Regulation, Article 8. Individual member states may lower the age of consent.


bases under which personal data may be processed. These reasons include:

  • Consent

  • Contractual obligations

  • Legal obligations

  • The public’s interests

  • Legitimate interests of the controller or third party, balanced

    against the rights of the data subject11

    Consent ​of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmative action.12
    This agreement must be:

  • Freely given

  • Specific

  • Informed

  • Unambiguous

    Merchants, as controllers of their buyers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.13

    As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes buyers’ personal data on behalf of and on the instructions of the merchant. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the merchant is also responsible for obtaining appropriate consent.

    11 General Data Protection Regulation, Article 6.
    12 General Data Protection Regulation, Article 4(11).13 General Data Protection Regulation, Article 7(1).


Upon request, Shopify will provide merchants with any reasonable information they require to obtain consent (for example, information about the categories of cookies placed when a buyer visits a storefront).

Data transfers

Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:

  • Adherence to domestic laws that have been deemed adequate by the European Commission

  • Negotiated agreements (such as the EU-U.S. Privacy Shield)

  • Contractual protections

  • Approved sets of internal policies (Binding Corporate Rules)

  • Approved codes of conduct or certifications

    Shopify has protections for personal data in every step of its data flow, as described below. The following diagram illustrates Shopify's data transfer structure:


Within EEA

EEA personal data is received and initially processed by Shopify's Irish entity, Shopify International Ltd.

EEA to Canada

Data is exported from the EEA to Shopify’s Canadian parent entity, Shopify Inc. This export takes place within Shopify’s corporate structure.

Data within Shopify Inc. is protected under PIPEDA, Canada’s private

sector privacy legislation, which is considered adequate under the GDPR.14

United States

Shopify Inc. uses a combination of data centers and cloud service providers to store this personal data in the United States and Canada.

When personal data is transferred to the United States, it is either done so through the EU-U.S. and Swiss-U.S. Privacy Shield, for Shopify’s own storage, or through contractual data protection addenda (DPAs) with third-party service providers. The EU-U.S. and Swiss-U.S. Privacy Shields are also considered adequate under the GDPR. Shopify’s Privacy Shield certification statement can be found on

14 P​ ursuant to the European Commission’s adequacy decision 2002/2/EC​.Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539), online at: 15699250815.
15 See:​​.


Additionally, Shopify is in the process of applying for approval of Binding Corporate Rules (BCRs) by the Irish Data Protection Commissioner. After they are approved, Shopify will rely on these BCRs to protect the personal data that is transferred between Shopify’s corporate entities worldwide.

Disclosures to third parties

Shopify will never independently sell personal data for commercial purposes. However, Shopify does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:

  • Store platform data

  • Operate the forums and other portions of Shopify's website

  • Respond to and manage support inquiries

    Additionally, Shopify may provide personal data, where permitted, to prevent, investigate, or respond to:

  • Potential fraud

  • Illegal conduct

  • Physical threats

  • Violations of any agreements with Shopify

    Shopify also provides information to third parties when legally required to do so. Where Shopify believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.

    More information on when Shopify discloses personal data will soon be provided on Shopify's website under the heading Guidelines for Legal Requests for Merchant or Buyer Data.


Shopify ecosystem

If a merchant agrees to use a third-party service provider such as a payment processor, a sales channel, or an app that is not controlled by Shopify, the respective service provider’s use of personal data is controlled by the merchant’s agreement with the provider. Shopify is not responsible for the data practices of these third-party service providers, and merchants should carefully evaluate these service providers as they would any third party.

Shopify recognises that it might be difficult for some merchants to obtain enough information from these service providers to conduct a careful evaluation. Shopify is working with these providers to make sure that they make information available to merchants about their data practices.

App Store disclosures

Similarly, Shopify is requiring all apps on the Shopify App Store to post disclosures about how the app handles personal data, but Shopify is not responsible for any app’s data collection or use, or for how the merchant uses the app. The merchant is responsible for reviewing these disclosures and to ensure that their use of the app complies with the laws of the jurisdictions in which the merchant operates or where it has buyers.

Data subject rights

The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.16 The following rights are granted to data subjects:

16 General Data Protection Regulation, Article 12(3).



Data subjects have the right to request that their personal data be erased in certain circumstances.

If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to Shopify, the merchant should:

  • Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)

  • Confirm there is no legal reason to preserve this data

    If both conditions are satisfied, the merchant should forward the request to Shopify, either through Shopify's support system, or by

    After a request is received, Shopify will ensure that the relevant personal data is erased. If erasing it is impossible, Shopify will let the merchant know to what degree it is impossible, and why.

    In addition to contacting Shopify, the merchant should also work with any relevant third parties to make sure that they delete or anonymise the personal data.


    Personal data cannot be erased from Shopify while it is:

  • Associated with a pending order

  • Associated with an order made fewer than 180 days before the

    request (the usual window in which a buyer can make a chargeback).


If the buyer’s personal data cannot be erased for this reason, the merchant should re-submit the deletion request after the appropriate time has passed.


When processing a request for erasure, Shopify will anonymise the personal data of the buyer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.

If no data erasure requests are received, Shopify will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.


Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data.

If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to Shopify. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.

The merchant can then reach out to Shopify, either through Shopify's supportsystem,

When Shopify receives the request, it will:
Confirm whether personal data about a buyer is being processed

by Shopify


  • Confirm what categories of data are being processed by Shopify

  • Provide the buyer with the relevant information from Shopify


    Data portability

    Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.

    Merchants may export some data directly from their store’s admin page. Many data types can be exported to common formats such as Excel or CSV with one click:

  • Transaction histories

  • Payouts

  • Product lists

  • Customer lists

    In addition, if a merchant contacts Shopify to request copies of processed data, Shopify will make the data available in a common format.


    Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller.17

    Shopify’s platform allows a merchant to change customer records directly from their store admin.18

    17 General Data Protection Regulation, Article 16.18 However, current orders cannot be modified.


Automated decision-making

Data subjects have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision making has a legal effect on the data subject or otherwise significantly affects them.19 An example of a legal effect is a decision that impacts an individual’s legal or civil rights, or their rights under a contract. Examples of significant effects include decisions that have a financial impact on individuals, or impact their employment.

Shopify does not currently engage in fully automated decision-making that has a legal or otherwise significant effect using buyer data.

Services that include elements of automated decision-making are highlighted in the table below:


Implementation details

Temporary blacklist of IP addresses associated with repeated failed transactions

Persists for a small number of hours.

Temporary blacklist of credit cards associated with blacklisted IP addresses

Persists for a small number of days.

Data protection and security

Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.20

19 General Data Protection Regulation, Article 21.
20 General Data Protection Regulation, Article 25, 32.


Shopify has implemented many of the controls and processes identified in the GDPR, including:

  • Anonymising and encrypting personal data

  • Ensuring confidentiality, integrity, availability, and resilience of

    processing systems

  • Restricting who may access personal data

  • Ensuring availability and access to personal data in the event of a

    physical or technical incident

  • Performing regular testing, assessments, and evaluation of

    technical and organisational security measures

    Organisational measures

    Shopify has a robust, cross-functional data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:

  • Internal Security

  • Legal

  • Legal Operations

  • Production Security

  • Processing Integrity

    Technological measuresMonitoring and logging

    Controllers—and where applicable, their representative—must maintain records of the personal data processing activities for which they are responsible.


Shopify maintains system and application logs relating to events and access to certain systems used for the processing of personal data. These logs are stored on log servers for approximately a month, and then moved to offsite backup locations, where they remain available for at least 12 months.

Security controls

Shopify encrypts data sent to and from merchants and buyers using the HTTPS protocol.

Shopify also encrypts any sensitive stored information, and salts and hashes merchant and buyer passwords using bcrypt.

Merchants can also set up additional security features. An account holder can take the following actions from their Shopify admin:

  • Enable multi-factor authentication for staff

  • Define, to a certain extent, what personal data is collected from


  • View certain activity logs, including recent login activity by staff

  • Set role-based permissions for staff accounts

    Security standards and certifications

    Shopify and all online stores powered by Shopify are Level 1 PCI-DSS compliant.21

    Shopify uses third-party data centers with industry-standard certifications. Examples include:

    21 See:​.


  • Tier III

  • ISO 27001PCI-DSS

    SOC reports for all facilities, which include physical protections, can be provided to merchants on request under an appropriate NDA.

    Contractual agreements and data processing addenda

    Shopify’s Terms of Service, Data Processing Addendum, Privacy Policy, and Acceptable Use Policy can be found online at

    Shopify plans

    For merchants whose relationship with Shopify is governed by Shopify's online Terms of Service, Shopify has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as Shopify is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.

    Shopify Plus plans

    For Shopify Plus merchants, their negotiated contract will govern their relationship with Shopify. Merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants that have not already signed a Data Processing Addendum with Shopify and would like to do so should reach out to their Merchant Success Managers. Shopify Plus merchants that do not sign a Data Processing Addendum will be


governed by Shopify’s ​online Data Processing Addendum (which is incorporated by reference into our online Terms of Service).

Accountability and transparency

Shopify is compiling data for a transparency report, to be released at the end of 2018.


Will Shopify sign Standard Contractual Clauses?

No. As described in the ​Data transfers section of this document, Shopify has structured its data flows so that merchants transfer data to Shopify's Irish affiliate within Europe. For that reason, Standard Contractual Clauses are not appropriate, as they are approved for transfers between a European party and a non-European party.

In addition, regarding transfers directly to Shopify Inc., Shopify would rely in such cases on the European Commission’s adequacy decision regarding Canada’s privacy law, which extends to Shopify Inc. as a Canadian corporation.



JUDGE.ME REVIEWS Privacy Policy for GDPR

Information about this Data Processing

This Data Processing Addendum (DPA) is addressing Article 28 GDPR.

Please download this Data Processing Addendum (DPA) if you need it as part of your GDPR compliance efforts. The DPA is pre-signed and can be signed by you as the Client party. If you have any questions or comments, we are happy to help:

You can send your signed version directly to:


This Data Protection Addendum ("DPA") forms part of the Terms of Service between: (i) LLC ("Provider"); and

(ii) __________________________________ ("Client") acting on its own behalf to reflect the parties’ agreement with regard to the Processing of Personal Data.

In the course of providing the Services to the Client pursuant to the Agreement, may process Personal Data on behalf of the Client and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.


In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

"Applicable Laws" means (a) European Union or Member State laws with respect to any Client Personal Data subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Client Personal Data subject to any other Data Protection Laws;

"Client Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of a the Client pursuant to or in connection with the Terms of Service;

"Contracted Processor" means Provider or a Sub-processor;
Data Protection Laws" means EU Data Protection Laws and, to the extent applicable,

the data protection or privacy laws of any other country;

"EEA" means the European Economic Area;

"EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

"GDPR" means EU General Data Protection Regulation 2016/679; "Restricted Transfer"​ ​means:

a transfer of Client Personal Data to a Contracted Processor; or
an onward transfer of Client Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a

Contracted Processor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses;

"Services" means the services and other activities to be supplied to or carried out by or on behalf of the Provider for the Client pursuant to the Terms of Service;

"Standard Contractual Clauses" means the agreement executed by and between Client and LLC pursuant to the European Commission’s decision (C(2010)593) on Standard Contractual Clauses for the transfer of personal data to

processors established in third countries which do not ensure an adequate level of data protection;

"Sub-processor" means any person (including any third party and any Provider Affiliate, but excluding an employee of the Client or any of its sub-contractors) appointed by or on behalf of the Client to Process Personal Data on behalf of the Client in connection with the Terms of Service.

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.


Legal Authority. Client signatory represents to Provider that he or she has the legal authority to bind Client and is lawfully able to enter into contracts (e.g., is not a minor).

Termination.This Addendum will terminate upon the earliest of: (i) termination of the Agreement as permitted hereunder or by the Provider’s Terms and Conditions (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) as earlier terminated pursuant to the terms of this Addendum or (iii) as agreed by the parties in writing.

Processing of Personal Data

The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Data Controller, Provider is a Data Processor and that Provider will engage Sub-processors pursuant to the requirements set forth in Section “Sub-processors” below.

1.1 Provider shall:

  1. 1.1.1 comply with all applicable Data Protection Laws in the Processing of Client Personal Data; and

  2. 1.1.2 not Process Client Personal Data other than on the Client’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Provider shall to the

extent permitted by Applicable Laws inform the Client of that legal requirement before the relevant Processing of that Personal Data.

1.2 Client Shall
1.2.1 instructs Provider and authorises Provider to instruct each Sub-processor to:

  1. Process Client Personal Data; and

  2. in particular, transfer Client Personal Data to any country or territory,

as reasonably necessary for the provision of the Services and consistent with the Terms of Service; and

  1. 1.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 1.2.1.

  2. 1.2.3 In addition, Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Personal Data provided by the Client shall not contain information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric, data concerning health or data concerning an individual's sex life or sexual orientation ("Special Categories of Data").

1.3 Provider’s Processing of Personal Data.




Provider shall only Process Client Personal Data for the purpose of the provision of the Services under the Agreement and in accordance with Client’s documented instructions which are consistent with the terms of the Agreement, unless Processing is required by Data Protection Laws to which Provider (or the applicable sub-processor) is subject, in which case Provider shall to the extent permitted by the Data Protection Laws inform Client of that legal requirement before the relevant Processing of that Client Personal Data.

This Addendum and the Agreement are Client’s complete and final instructions to Provider for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon separately.

The following are deemed instructions of the Client to Provider: The processing of Client Personal Data (i) in accordance with the Agreement and this Addendum, including without limitation with the transfer of Client Personal Data to any country or territory; and (ii) to comply with other documented instructions provided by Client where such instructions are consistent with the terms of the Agreement.

to this Addendum sets out certain information regarding the Contracted

1.4 Exhibit A
Processors' Processing of the Client Personal Data as required by article 28(3) of the

GDPR and, possibly, equivalent requirements of other Data Protection Laws. Client may make reasonable amendments to Exhibit A by written notice to Provider from time to time as Client reasonably considers necessary to meet those requirements. Nothing in Exhibit A, including as amended pursuant to this section 1.3, confers any right or imposes any obligation on any party to this Addendum.

Provider Personnel

Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


Appointment of Sub-processors.For the purpose of the appointment of Sub-processors, Client acknowledges and agrees that Provider may engage third-party Sub-processors in connection with the provision of the Services, including without limitation the Processing of Client Personal Data.

List of Current Sub-processors and Notification of New Sub- processors.When requested by the Client, the Provider shall make available to Client an up-to-date list of all Sub-processors used for the processing of Client Personal Data.

Objection Right for New Sub-processors.Provider shall give Client prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 14 days of receipt of that notice, Client notifies Provider in writing of any objections (on reasonable grounds) to the proposed appointment, then (i) Provider shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (ii) where such a change cannot be made within 14 days from Provider's receipt of Client's notice, notwithstanding anything in the Agreement, Client may by written notice to Provider with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.

Sub-processing Agreement; Liability.Provider has or shall enter into a written agreement with each Sub-processor (the “Sub-processing Agreement”) containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to the protection of Client Personal Data to the extent applicable to the nature of the Services

provided by such Sub-processor. Provider shall be liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.

Copies of Sub-Processor Agreements. Provider shall provide to Client for review copies of the Sub-processor agreements as Client may reasonably request from time to time. The parties agree that all commercial information may be removed by the Provider beforehand.


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In assessing the appropriate level of security, Provider shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Data Subject Rights

Taking into account the nature of the Processing, Provider shall assist Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Provider shall:

  • promptly notify Client if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and

  • ensure that the Contracted Processor does not respond to that request except on the documented instructions of Client or as required by Applicable Laws to which the Contracted Processor is subject, in which case Provider shall to the extent permitted by Applicable Laws inform Client of that legal requirement before the Contracted Processor responds to the request.

    Personal Data Breach

    Personal Data Breach notification. Provider shall notify Client without undue delay upon Provider or any Sub-processor becoming aware of a Personal Data Breach affecting Client

Personal Data, providing Client with sufficient information to allow Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

Personal Data Breach mitigation. Provider shall cooperate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

Provider shall provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Client reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Return or Destruction of Personal Data

Return or Deletion.Subject to the provisions of the Section below, at Client’s election, made by written notice to Provider following 30 days of the date of cessation of any Services involving the Processing of Client Personal Data (the "Cessation Date"), Provider shall, and shall procure that all Sub-processors: (a) return a complete copy of all Client Personal Data to Client in such format and manner requested by Client and reasonably acceptable to Provider; and (b) delete and procure the deletion of all other copies of Client Personal Data Processed by Provider or any Sub-processor. Provider shall comply with any such written request within 30 days of the Cessation Date.

Retention of Copies.Provider and each Sub-processor may retain Client Personal Data to the extent required by applicable European Union law or the law of an EU Member State and only to the extent and for such period as required by such laws and always provided that Provider shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.

Notification.Provider shall provide written certification to Client that it and each Sub-processor has fully complied with this section within 14 days of the Cessation Date.

Audit rights

  1. 1.1 Subject to sections 1.2 to 1.4, Provider shall make available to Client on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Client or an auditor mandated in relation to the Processing of the Client Personal Data by the Contracted Processors.

  2. 1.2 Information and audit rights of the Client only arise under this section to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

  3. 1.3 Client undertaking an audit shall give Provider reasonable notice of any audit or inspection to be conducted under section 1.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:

    1. 1.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

    2. 1.3.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Client undertaking an audit has given notice to Provider that this is the case before attendance outside those hours begins; or

    3. 1.3.3 for the purposes of more than 1 audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:

      1. Client undertaking an audit reasonably considers necessary because of genuine concerns as to Provider's compliance with this Addendum; or

      2. Client is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,

    where Client undertaking an audit has identified its concerns or the relevant requirement or request in its notice to Provider of the audit or inspection.

Restricted Transfers

  1. 1.1 Subject to section 1.3, the Client (as "data exporter") and each Contracted Processor, as appropriate, (as "data importer") hereby enter into the Standard Contractual Clauses (Article 26(2) of Directive 95/46/EC) in respect of any Restricted Transfer from the Client to that Contracted Processor.

  2. 1.2 The Standard Contractual Clauses shall come into effect under section 1.1 on the later of:

    1. 1.2.1 the data exporter becoming a party to them;

    2. 1.2.2 the data importer becoming a party to them; and

    3. 1.2.3 commencement of the relevant Restricted Transfer.

  3. 1.3 Section 1.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.

General Terms

Governing law and jurisdiction. Without prejudice to clauses on Mediation and Jurisdiction and Governing Law of the Standard Contractual Clauses:

  • the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

  • this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms of Service.

    Order of precedence. Nothing in this Addendum reduces Provider's obligations under the Terms of Service in relation to the protection of Personal Data or permits Provider to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms of Service. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

    Subject to the above, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Terms of Service and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.


Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Indemnification; Limitation of Liability

If one party is held liable for a violation of this Addendum or, if applicable, any provision of the Standard Contractual Clauses, committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the "Indemnification" Section of the Agreement. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, Provider’s total liability for all claims from the Client or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.

EXECUTED by and on behalf of:
Provider Name: Peter-Jan Celis: Founder & CEO



This Exhibit A includes details of the Processing of Client Personal Data as required by Article 28(3) GDPR.

The scope of processing data subjects' personal data is information related to the purchase and review. Additionally we process personal data about the client to enable certain functions or support.

We process data subjects’ personal data that is provided by your platform, website or you directly. We use sub-processors to facilitate our services. We are not processing special categories of personal data.

The purpose of processing of the data subjects' personal data is to facilitate the provision of provider's services.

The duration of the processing of the client’s personal data are set out in the Terms of Service and this Addendum.

Personal data of the following categories of data subjects is processed:

  • Client's customers and other client’s end-users (website visitors)

  • Client and Client’s representatives

    The following types of personal data is processed:

  • Client's customers

    • Name, Email

    • Review content

    • Order, fulfillment information

    • Email event information

    • IP for location information

  • Client and Client’s representatives

  • Name, email and phone number (for providing customer support)

  • Admin email address (to send notifications)

  • Email info, that is sender name, email address (to send email on behalf of you)

  • Facebook user access token (for social push)


  1. Personnel. Data Importer’s personnel will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.

  2. Data Privacy LLC

    Attn: Peter-Jan Celis
    PO Box 7403
    Jackson, WY 83002 (U.S.A.)

  3. Technical and Organization Measures. The Data Importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:

    1. 3.1. Organization of Information Security.
      A. Security Roles and Responsibilities. The Data Importer has appointed Linh Dam as the security officer responsible for coordinating and monitoring the security rules and procedures.
      B. Duty of Confidentiality. The Data Importer's personnel with access to customer data are subject to confidentiality obligations.

    2. 3.2. Risk Management. The Data Importer conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems. The Data Importer implements measures, as needed, to address vulnerabilities discovered in a timely manner.

    3. 3.3. Storage. The Data Importer's database servers are hosted in a data center operated by a third party vendor, that has been qualified per the Data Importer's vendor management procedure. The Data Importer maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.

    4. 3.4. Asset Management. The Data Importer maintains an inventory of all media on which customer data is stored. Access to the inventories of such media is restricted to authorized personnel.

    5. 3.5. Software Development and Acquisition: For the software developed by Data Importer, Data Importer follows secure coding standards and procedures.

    6. 3.6. Third Party Provider Management: In selecting third party providers who may gain access to, store, transmit or use customer data, Data Importer conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.

    7. 3.7. Human Resources Security. The Data Importer informs its personnel about relevant security procedures and their respective roles, as well as of possible

consequences of breaching the security rules and procedures. Such

consequences include disciplinary and/or legal action.

  1. 3.8. Data Recovery Procedures.

    i. On an ongoing basis, the Data Importer maintains multiple copies of customer data from which it can be recovered.

    ii. The Data Importer stores copies of customer data and a data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.

    iii. The Data Importer has procedures in place governing access to copies of customer data.

    iv. The Data Importer has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.

  2. 3.9. Information Security Incident Management.
    a. Record of Breaches. The Data Importer maintains a record of security

    breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.

    b. Record of Disclosure. The Data Importer tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time.



Asiakas: Rekisterinpitäjä – Unifaun: Henkilötietojen käsittelijä tai Asiakas: Henkilötietojen käsittelijä – Unifaun: Henkilötietojen alikäsittelijä
1.1 Tämä Henkilötietojen käsittelijäsopimus on kiinteä osa sopimusta, täydennettynä tarvittaessa Unifaunin yleisillä ehdoilla (”Palvelusopimus”), joka on allekirjoitettu yhtäältä Unifaun AB:n, Ruotsin Y-tunnus 556546-3717, tai jonkin sen tytäryhtiön kuten Unifaun Oy:n, Suomen Y-tunnus 2304024-0, Unifaun ApS:n, Tanskan Y-tunnus 34708584, Unifaun AS:n, Norjan Y-tunnus 816269032 tai Unifaun Sp.z.o.o:n, Puolan Y-tunnus 7010419247, (”Unifaun”), sekä toisaalta sellaisen osapuolen (”Asiakas”) välillä, joka on ostanut tai tilannut, tai jonka odotetaan ostavan tai tilaavan Unifaunin kehittämiä ja/tai tarjoamia kuljetusjärjestelmäpalveluja, online-palveluja, ohjelmistoja, aputoimintoja ja ohjausta (”Palvelu”).
1.2 Mikäli Palvelusopimuksen voimassaoloaika päättyy, myös tämän Henkilötietojen käsittelysopimuksen voimassaolo päättyy ilman erillistä irtisanomista.
1.3 ”Rekisterinpitäjä-”, ”Henkilötietojen käsittelijä-”, ”Rekisteröity-”, ”Käsittely-”, ”Henkilötieto-”, ”Valvontaviranomainen-” ja ”Henkilötietojen tietoturvaloukkaus” -käsitteillä on tässä Henkilötietojen käsittelysopimuksessa sama määritelmä kuin Euroopan parlamentin ja neuvoston tietosuoja-asetuksessa (EU) 2016/679 (”GDPR”).
1.4 Palvelua tarjotessaan Unifaun voi käsitellä Asiakkaan puolesta tietoja, jotka voivat suoraan tai epäsuoraan viitata luonnolliseen henkilöön. Tällaiset tiedot katsotaan Henkilötiedoiksi, joilla on erityinen lakisääteinen suoja. Päätöksen Henkilötietojen Käsittelyn tarkoituksesta ja välineistä tekee Asiakas. Tässä yhteydessä Asiakas toimii Rekisterinpitäjänä ja Unifaun Henkilötietojen käsittelijänä. Sovellettava lainsäädäntö vaatii kirjallisen sopimuksen laatimista Henkilötietojen käsittelijän käsitellessä Henkilötietoja Rekisterinpitäjän puolesta. Osapuolet ovat tätä taustaa vasten sopineet solmivansa tämän Henkilötietojen käsittelysopimuksen.
1.5 Mikäli Asiakas toimii Henkilötietojen käsittelijänä ja Unifaun tämän alihankkijana (”Henkilötietojen alikäsittelijä”), sovelletaan luvussa 6 mainitut asiat.
2.1 Pystyäkseen tarjoamaan Palvelua ja säilyttämään Palvelusopimuksen mukaisen palvelutason, joidenkin Henkilötietojen siirtäminen Unifaunille on välttämätöntä, kuten myös Unifaunille kyseisten tietojen käsitteleminen tämän Henkilötietojen käsittelysopimuksen mukaisesti. Pystyäkseen suorittamaan Palvelun Unifaunin tulee voida siirtää Henkilötiedot tarvittaessa ulkopuoliselle (mm. kuljettajille).
2.2 Mikäli Asiakas ei kirjallisesti anna muita ohjeita Unifaunille, Unifaun käsittelee tämän Henkilötietojen käsittelysopimuksen mukaisesti seuraavia Rekisteröityjen ja Henkilötietojen kategorioita alla mainittua tarkoitusta varten.
2.3 Rekisteröidyt: palvelun käyttäjä, lähettäjä, vastaanottaja, mahdolliset muut lähetyksen osalliset, Asiakkaiden ja toimittajien kuljetus- ja hallintohenkilöstö.
2.4 Henkilötiedot: nimi, osoite, puhelinnumero, sähköpostiosoite, henkilötunnus (jos sitä erityisesti vaaditaan).
2.5 Tarkoitus: Palvelun tarjoaminen Asiakkaalle.
3.1 Asiakas antaa täten Unifaunille oikeuden käyttää Asiakkaan Henkilötietojen käsittelyssä toista Henkilötietojen käsittelijää (”Alikäsittelijä”) Palvelun suorittamiseksi. Tällöin Unifaun tulee varmistaa Alikäsittelijän kanssa tekemässään kirjallisessa sopimuksessa (”Alikäsittelijän sopimus"), että tämän Henkilötietojen käsittelysopimuksen mukaiset Unifaun velvollisuudet siirretään Alikäsittelijälle kuin kyseinen Alikäsittelijä olisi tämän Henkilötietojen käsittelysopimuksen osapuoli. Unifaun vastaa Asiakkaalle Alikäsittelijän suorittamasta Asiakkaan Henkilötietojen Käsittelystä Alikäsittelijän sopimuksen mukaisesti.
3.2 Unifaun tulee tiedottaa asiakkaalle kirjallisesti etukäteen, mikäli se aikoo käyttää Alikäsittelijää. Asiakkaan on siinä tapauksessa ilmoitettava kahdenkymmenen (20) työpäivän kuluessa kirjallisesti Unifaunille, jos Asiakas vastustaa Alikäsittelijän käyttöä. Mikäli Asiakas vastustaa Alikäsittelijän käyttöä, osapuolten on kaikin mahdollisin tavoin pyrittävä löytämään yhteinen ratkaisu tilanteeseen. Mikäli Alikäsittelijän käyttöä ei vastusteta, Unifaunilla on oikeus käyttää Alikäsittelijää ilman Asiakkaan lisähyväksyntää.
3.3 Mikäli Asiakkaan näkemyksestä Alikäsittelijä käsittelee Henkilötietoja puutteellisesti, tai mikäli Alikäsittelijä ei jollain muulla tavoin täytä Alikäsittelijän sopimuksen mukaisia velvoitteitaan, Asiakkaalla on oikeus kirjallisesti vaatia Unifaunia välittömästi ja omalla kustannuksellaan purkamaan Alikäsittelijän kanssa tekemänsä sopimuksen sekä varmistamaan, ettei Alikäsittelijällä ole enää hallussaan kyseisiä Henkilötietoja. Mikäli Unifaun ei ole samaa mieltä Asiakkaan esittämistä puutteista, osapuolten on toimittava yhdessä järjestääkseen pikaisesti neuvottelu Valvontaviranomaisen kanssa. Alikäsittelijän sopimus säilyy voimassa siihen saakka, kunnes Valvontaviranomainen on antanut päätöksensä. Valvontaviranomaisen ratkaisu toimii ohjeena kysymyksen jatkokäsittelyssä osapuolten kesken.
4.1 Unifaun sitoutuu pysymään ajan tasalla ja noudattamaan lakeja, asetuksia ja määräyksiä, jotka ovat kulloinkin voimassa sopimuskumppanina olevan Unifaun-yhtiön valtiossa, mukaan lukien asianomaisten Valvontaviranomaisten antamat määräykset luonnollisten henkilöiden perusoikeuksien ja vapauksien suojasta sekä erityisesti Rekisterinpitäjiin ja Henkilötietojen käsittelijöihin sovellettavasta luonnollisten henkilöiden Henkilötietojen suojasta Henkilötietojen Käsittelyssä, mukaan lukien direktiivin 95/46/EY ja 25. toukokuuta 2018 voimaan tulevan GDPR:n täytäntöönpanosta johtuva lainsäädäntö, asetukset ja määräykset.
4.2 Unifaun ja sen johdolla työskentelevät henkilöt saavat käsitellä Henkilötietoja ainoastaan Asiakkaan antamien ohjeiden mukaan.
4.3 Edellyttäen, ettei Rekisteröidyn koskemattomuutta vaaranneta, eikä Unifaun määrittele uusia tarkoituksia tai keinoja Käsittelylle, Unifaunilla on oikeus kehittää ja parantaa palvelujaan ilman, että niiden katsotaan olevan Asiakkaan ohjeiden vastaisia. Unifaunilla on aina oikeus ilman Asiakkaan lupaa kehittää ja parantaa palvelujaan tunnistamattomien tietojen avulla.
4.4 Mikäli Asiakkaan antama ohje on Unifaunin mukaan ristiriidassa GDPR:n, muun EU-oikeuden tai EU:n jäsenvaltion kansallisen lainsäädännön kanssa, Unifaunin on välittömästi informoitava siitä Asiakkaalle. Osapuolten on jommankumman vaatimuksesta toimittava yhdessä järjestääkseen pikaisesti ohjetta koskeva neuvottelu Valvontaviranomaisen kanssa. Valvontaviranomaisen ratkaisu toimii ohjeena kysymyksen jatkokäsittelyssä osapuolten kesken. Unifaunilla on oikeus pidättäytyä Käsittelystä Valvontaviranomaisen lausuntoa odottaessaan.
4.5 Mikäli Unifaun velvoitetaan pakottavan lainsäädännön perusteella käsittelemään Henkilötietoja muulla kuin Asiakkaan ohjeistamalla tavalla, Unifaunin on ilmoitettava tästä velvoitteesta Asiakkaalle ennen Käsittelyä.

4.6 Osapuolet sitoutuvat 7. kohdan mukaiseen salassapitovelvollisuuteen, joka koskee Unifaunin Palvelua suorittaessaan saamia Henkilötietoja ja niiden Käsittelyä.
4.7 Unifaun sitoutuu ryhtymään tarpeellisiin suojatoimiin GDPR:n 32 artiklan mukaisesti. Unifaun ryhtyy tarpeellisiin teknisiin ja organisatorisiin toimenpiteisiin Henkilötietojen suojaamiseksi luvattomalta pääsyltä, tuhoamiselta ja muuttamiselta noudattaen GDPR:n 28 (3) artiklaa. Unifaunin on Asiakkaan pyynnöstä informoitava Asiakasta tehdyistä teknisistä ja organisatorisista toimenpiteistä.
4.8 Tässä Henkilötietojen käsittelysopimuksessa esitetyn lisäksi Unifaun sitoutuu käsittelyn luonteen huomioiden auttamaan Asiakasta mahdollisuuksiensa mukaan asianmukaisilla teknisillä ja organisatorisilla toimenpiteillä siten, että Asiakas pystyy täyttämään velvollisuutensa ja vastaamaan Rekisteröidyn pyyntöön käyttää GDPR:n III luvun mukaisia oikeuksiaan. Asiakkaan on korvattava työ Unifaunille kyseisenä ajankohtana voimassa olevan Unifaun hinnaston mukaan.
4.9 Unifaun sitoutuu Asiakkaan pyynnöstä, Käsittelyn luonne ja Unifaunin saatavilla olevat tiedot huomioiden, auttamaan Asiakasta täyttämään GDPR:n 32–36 artiklojen mukaiset velvollisuutensa. Asiakkaan on korvattava työ Unifaunille kyseisenä ajankohtana voimassa olevan Unifaun hinnaston mukaan.
4.10 Unifaun sitoutuu Asiakkaan valinnasta riippuen joko poistamaan tai palauttamaan Asiakkaalle kaikki Henkilötiedot 90 päivän kuluessa siitä, kun käsittelypalvelujen tarjoaminen on päättynyt, sekä poistamaan olemassa olevat kopiot, ellei EU:n tai EU:n jäsenvaltion kansallinen lainsäädäntö vaadi Henkilötietojen säilyttämistä. Jos Asiakkaalla on jo Henkilötiedot hallussaan, palauttaminen on mahdotonta tai vaatii suhteettoman suuren panostuksen, tai Henkilötietojen on pysyttävä luottamuksellisina lakisääteisistä tai sovituista salassapitovelvoitteista johtuen, tiedot on sen sijaan poistettava samassa määräajassa.
4.11 Unifaunin tulee antaa Asiakkaalle kaikki tarpeelliset tiedot, jotka osoittavat, että GDPR:n 28 artiklan mukaiset velvollisuudet on täytetty, sekä mahdollistaa ja tukea tarkastuksia, mukaan lukien Asiakkaan itsensä tai tämän valtuuttaman tilintarkastajan suorittamat tarkastukset.
4.12 Unifaunin on tarvittaessa autettava Asiakasta luovuttamaan Valvontaviranomaisen, muun viranomaisen tai Rekisteröidyn Asiakkaalta pyytämiä tietoja. Asiakkaan on korvattava työ Unifaunille kyseisenä ajankohtana voimassa olevan Unifaun hinnaston mukaan.
4.13 Unifaun sitoutuu ilmoittamaan Asiakkaalle Valvontaviranomaisen jokaisesta Henkilötietojen Käsittelyä koskevasta pyynnöstä tai määräyksestä, paitsi jos ilmoittaminen on nimenomaan kielletty laissa, kuten esimerkiksi käynnissä olevan rikostutkimuksen vaatiman salassapidon johdosta. Mikäli Rekisteröity, Valvontaviranomainen tai muu ulkopuolinen taho pyytää Unifaunilta Asiakkaan Henkilötietojen Käsittelyä koskevia tietoja, Unifaunin on ilmoitettava pyynnöstä kirjallisesti Asiakkaalle.
4.14 Unifaunin on mahdollisimman pian, mutta viimeistään 24 tunnin sisällä mahdollisen tietoturvaloukkauksen havaitsemisesta, ilmoitettava Asiakkaalle loukkauksesta. Asiakkaalle annettavan ilmoituksen yhteydessä Unifaunin on toimitettava Asiakkaalle kaikki tarvittavat tiedot, jotka mahdollistavat loukkauksen raportoinnin Valvontaviranomaiselle, sekä autettava loukkauksen tutkimisessa niin pitkälle kuin Asiakas kohtuudella voi vaatia, sekä yhteistuumin Asiakkaan kanssa ryhdyttävä kohtuullisiin toimenpiteisiin uusien loukkauksien ehkäisemiseksi.
4.15 Asiakkaalla on oikeus omalla kustannuksellaan tai ulkopuolisen tahon kautta tarkastaa, että Unifaun noudattaa tätä Henkilötietojen käsittelijäsopimusta. Tällaiset tarkastukset on tehtävä tavalla ja aikana, mikä ei häiritse Unifaunin muuta toimintaa enemmän kuin on välttämätöntä. Unifaunilla on oikeus vaatia, että tarkastuksen suorittavat ennalta nimetyt henkilöt, joilla on tarvittava osaaminen tarkastuksen suorittamiseen, sekä jotka pystyvät tarkoituksenmukaisesti hyödyntämään sen tuloksia. Unifaunilla on oikeus vastustaa kolmannen osapuolen suorittamaa tarkastusta, jos se voi johtaa liikesalaisuuksien vaarantumiseen, tai jos kyseistä osapuolta voidaan muusta kohtuullisesta syystä pitää sopimattomana. Mikäli Asiakas havaitsee olennaisia puutteita Unifaunin Asiakkaan lukuun tehtävässä Henkilötietojen Käsittelyssä, eikä Unifaun korjaa puutetta 30 päivän kuluessa Asiakkaan kirjallisesta kehotuksesta, Asiakkaalla on oikeus päättää Palvelusopimus ja tämä Henkilötietojen käsittelijäsopimus välittömin vaikutuksin. Jos suoritettu tarkastus ei osoita muuta kuin pienehköjä puutteita

Unifaunin tämän Henkilötietojen käsittelysopimuksen mukaisten velvollisuuksien täyttämisessä, Unifaunilla on oikeus saada kohtuullinen korvaus tarkastuksen aiheuttamista kuluista.
4.16 Unifaunin on korvattava Asiakkaalle vahingot tai kulut, jotka aiheutuvat Unifaunin tai tämän käyttämän Alikäsittelijän suorittamasta Käsittelystä. Palvelusopimuksen ja Unifaunin yleisten ehtojen sisältämiä vastuurajoituksia sovelletaan myös tähän Henkilötietojen käsittelysopimukseen.
4.17 Unifaun ei tämän Henkilötietojen käsittelysopimuksen puitteissa ole velvollinen käsittelemään arkaluontoisia Henkilötietoja, kuten rotua, etnistä alkuperää, poliittisia mielipiteitä, uskonnollista tai filosofista vakaumusta, ammattiyhdistyksen jäsenyyttä, taikka geneettisiä tietoja tai biometrisia tietoja luonnollisen henkilön yksiselitteiseksi tunnistamiseksi, terveystietoja tai luonnollisen henkilön sukupuolielämää tai seksuaalista suuntautumista koskevia tietoja.
5.1 Asiakas sitoutuu pysymään ajan tasalla ja noudattamaan kulloinkin voimassa olevaa Henkilötietoja koskevaa lainsäädäntöä ja seuraamaan sen päivityksiä sopimuskumppanina olevan Unifaun-yhtiön valtiossa.
5.2 Asiakkaan vastuulla on muun muassa informoida Rekisteröityjä Unifaunin Asiakkaan ohjeistuksen mukaan suorittamasta Käsittelystä, hankkia tarvittaessa Rekisteröityjen suostumus, arvioida Käsittelyn laillisuutta ja luvallisuutta, sekä tarvittaessa ilmoitettava Käsittelystä Valvontaviranomaiselle.
5.3 Asiakkaan on viipymättä informoitava Unifaunille Käsittelyssä tapahtuvista muutoksista, jotka vaikuttavat Unifaunin tämän Henkilötietojen käsittelysopimuksen mukaisiin velvollisuuksiin ja oikeuksiin. Asiakkaan on samoin informoitava Unifaunille ulkopuolisen tahon, mukaan lukien Valvontaviranomaisen, Rekisteröidyn, tai Kolmannen Osapuolen (määritelty kohdassa 6.1) ryhtymisestä toimenpiteisiin Käsittelyn johdosta.
5.4 Asiakkaalla on oikeus päivittää tätä Henkilötietojen käsittelijäsopimusta tarpeellisin osin 5.3 kohdan mukaisten muutosten johdosta. Mikäli muutoksesta aiheutuu Unifaunille lisäkuluja, Asiakkaan on korvattava Unifaunin lisäkulut.
5.5 Asiakkaan on korvattava Unifaunille lisäkulut, jotka johtuvat muutoksista tai lisäyksistä Unifaunin Käsittelyn ohjeistukseen.
5.6 Asiakas vastaa siitä, että Unifauniin ei Käsittelyn johdosta aiheudu vahinkoa tai kuluja, jotka johtuvat Asiakkaan, Kolmannen Osapuolen (määritelty kohdassa 6.) tai muun Asiakkaan puolella olevan tahon toimenpiteestä.
6.1 Mikäli ulkopuolinen taho (”Kolmas Osapuoli”) toimii Rekisterinpitäjänä, Asiakas toimii Kolmannen Osapuolen Henkilötietojen käsittelijänä ja Unifaun toimii Asiakkaan alikäsittelijänä (”Henkilötietojen alikäsittelijä”), tulee Unifaunin Käsitellä Henkilötietoja vain sellaisten ohjeiden mukaisesti, jotka Asiakas on saanut Kolmannelta Osapuolelta ja jotka ovat Unifaunin saatavilla, sekä Asiakkaan aika ajoin Kolmannen Osapuolen lukuun antamien dokumentoitujen lisäohjeiden mukaisesti. Muilta osin Henkilötietojen käsittelijäsopimusta sovelletaan Asiakkaan ja Unifaunin välillä.
7.1 Mikäli Unifaunin tämän Henkilötietojen käsittelysopimuksen mukainen Asiakkaan luovuttamien Henkilötietojen Käsittely aiheuttaa Unifaunille velvollisuuden siirtää Henkilötiedot kolmanteen maahan (EU:n ja/tai ETA:n ulkopuolella) tai kansainväliseen organisaatioon, jossa ei sovelleta riittävää suojatasoa, Asiakkaan tehtävänä on jokaisen siirron yhteydessä huolehtia GDPR:n 46 artiklan mukaisiin asianmukaisiin toimenpiteisiin ryhtymisestä.

Unifaunilla ei ole milloinkaan velvollisuutta siirtää Henkilötietoja kolmanteen maahan, mikäli tällaisiin asianmukaisiin suojatoimenpiteisiin ei ole ryhdytty ennen siirtoa.
8.1 Unifaun sitoutuu olemaan luovuttamatta Henkilötietoja ulkopuoliselle taholle tai muulla tavoin olemaan asiattomasti paljastamatta tämän Henkilötietojen käsittelysopimuksen mukaisia Henkilötietojen Käsittelyä koskevia tietoja.
8.2 Unifaunin tulee varmistaa, että Henkilötietoja luvanvaraisesti käsittelevät henkilöt ovat sitoutuneet noudattamaan vastaavaa salassapitoa kuin Unifaun tämän Henkilötietojen käsittelysopimuksen mukaan noudattaa.
8.3 Unifaunin tämän kohdan 8 mukainen salassapitovelvoite ei koske tietoja, joita Unifaun luovuttaa Valvontaviranomaisen, muun viranomaisen tai tuomioistuimen määräyksestä, tai Rekisteröityä koskevia tietoja, joiden luovuttamiselle Unifaun on saanut Rekisteröidyn suostumuksen.
8.4 Tämän kohdan 8 mukainen salassapitovelvoite säilyy voimassa myös tämän Henkilötietojen käsittelysopimuksen päättymisen jälkeen.

Go to full site