DATA PROCESSING AGREEMENT

(hereinafter referred to as: the “DPA”)

by and between:

Saleor Commerce sp. z o.o.

with the registered seat in Wroclaw, ul. Tęczowa 7, 53-601 Wroclaw, Poland, entered into Register of Entrepreneurs kept by District Court for Wroclaw-Fabryczna in Wroclaw, VIth Commercial Division National Court Register under the number: 833006, REGON: 385757319, NIP: 8971877170, nominal share capital (entered to register): PLN 330,650.00

further referred to as “SALEOR COMMERCE”

and

the Customer within the meaning of Terms of Use available at saleor.io/legal

further referred to as the “CUSTOMER”

SALEOR COMMERCE and the CUSTOMER are jointly referred to as the "Parties" and each a "Party"

This DPA forms a part of the Agreement within the meaning of the Terms of Use between SALEOR COMMERCE and the CUSTOMER and is concluded on the Effective Date within the meaning of section 2.2. of the Terms of Use according to the provisions of the Terms of Use.

This DPA does not apply to the processing of Personal Data by a natural person (consumer) in the course of a purely personal or household activity.

PREAMBLE

Whereas:

  1. the Parties have concluded the Agreement on providing Services, hereinafter referred to as: "Agreement", under which SALEOR COMMERCE is obliged to provide Services within the meaning of the Terms of Use;
  2. due to the activities carried out by SALEOR COMMERCE under the Agreement SALEOR COMMERCE may have access to the personal data, Controller of which within the meaning of art. 4 (7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as: “Regulation” or “GDPR”) is the CUSTOMER;
  3. pursuant to art. 28 of GDPR the CUSTOMER intends to entrust SALEOR COMMERCE with the processing of personal data in the scope and purpose related to the activities carried out by SALEOR COMMERCE under the Agreement;

the Parties agree as follows:

  1. Entrusting the processing of personal data

    1. According to art. 28 of GDPR the CUSTOMER entrusts SALEOR COMMERCE personal data for processing, on terms and for the purpose set out in this DPA.
    2. SALEOR COMMERCE undertakes to process the personal data entrusted to SALEOR COMMERCE in accordance with this DPA, the Regulation and other provisions of generally applicable law that protect the rights of the data subjects.
    3. SALEOR COMMERCE declares that SALEOR COMMERCE applies security measures, in particular SALEOR COMMERCE has implemented appropriate safeguard measures (i.e. technical and organizational measures) that meet the requirements of the Regulation and protect the rights of data subjects whose processing has been entrusted to SALEOR COMMERCE under this DPA.
  2. The type of data and categories of data subjects, the scope, nature and purpose of the data processing

    1. In connection with the services to be provided under the Agreement, SALEOR COMMERCE as the data processor may have access to the personal data described in Appendix 1 to this DPA, hereinafter referred to as: "Personal Data".
    2. SALEOR COMMERCE as the data processor will process the Personal Data solely in order to fulfil the Agreement and for its duration.
  3. Statements of Parties

    1. In order to avoid any doubts, the CUSTOMER and SALEOR COMMERCE agree that SALEOR COMMERCE:

      1. shall not decide about the purposes and means of processing of Personal Data entrusted by the CUSTOMER;
      2. is not entitled to own or create any copies of documents containing Personal Data entrusted by the CUSTOMER, including records or paper, or electronic databases containing the Personal Data, other than justified by the purpose and scope related to the performance of the Agreement;
      3. processes the Personal Data entrusted to SALEOR COMMERCE pursuant to this DPA only at the documented request of the CUSTOMER;
      4. informs the CUSTOMER, prior to commencing processing, about the obligation of processing, if such an obligation arises from the provisions of law, unless these provisions prohibit such information on important grounds of public interest;
      5. immediately informs the CUSTOMER if an instruction issued to SALEOR COMMERCE in its opinion infringes Regulation or other applicable data protection provisions;
      6. may not use the Personal Data for its own purposes, not related to the implementation of this DPA and the Agreement;
      7. subject to the exceptions and restrictions according to the Terms of Services SALEOR COMMERCE may rectify, delete or restrict the processing of entrusted Personal Data only at the request of the CUSTOMER.
  4. Obligations of SALEOR COMMERCE

    1. SALEOR COMMERCE undertakes, before starting the processing of entrusted Personal Data, to take technical and organizational measures required on the basis of Art. 32 of GDPR, i.e. ensuring a level of security appropriate to the risk associated with the processing of Personal Data.
    2. SALEOR COMMERCE undertakes to exercise due diligence in the processing of entrusted Personal Data.
    3. SALEOR COMMERCE undertakes to oblige all persons who will process the entrusted Personal Data in order to implement the DPA to keep the Personal Data secret, both during the employment relationship or any other relationship with SALEOR COMMERCE and after its termination.
    4. After the provision of services under the Agreement is completed, SALEOR COMMERCE, at the choice of the CUSTOMER, deletes / returns Personal Data to the CUSTOMER and removes all existing copies thereof, unless the provisions of applicable law require the storage of personal data.
    5. As far as possible and to the necessary extent, SALEOR COMMERCE assists the CUSTOMER in fulfilling its obligation to respond to requests of the data subject for exercising the data subject's rights laid down in Chapter III of the GDPR and fulfill the obligations specified in Art. 32-36 of the GDPR. The assistance services provided by SALEOR COMMERCE under this provision shall be calculated by SALEOR COMMERCE per hour on the basis of hourly rates stipulated in the Agreement.
    6. SALEOR COMMERCE, after finding a personal data breach or having justifiable suspicion of such a breach, reports it to the CUSTOMER, no later than within 48 hours after finding the breach. As far as possible, the information about the breach should contain at least:

      1. description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects, and the categories and approximate number of entries of personal data affected by the breach;
      2. the name and contact details of the data protection officer (if applicable) or another contact point from which more information can be obtained;
      3. description of the potential risks associated with a breach of personal data protection;
      4. description of measures taken or proposed by SALEOR COMMERCE to remedy an infringement of personal data protection, including, where appropriate, measures to minimize its potential adverse effects.
  5. Right of control

    1. The CUSTOMER has the right to control whether the measures applied by SALEOR COMMERCE by processing and securing the entrusted Personal Data meet the provisions of the DPA. The CUSTOMER’s right to control concerns only the entrusted Personal Data. By conducting any controlling activities the CUSTOMER shall take into consideration the nature of processing of Personal Data under this DPA and the Agreement.
    2. The CUSTOMER shall exercise the right of control only in justified cases, especially in case of a personal data breach concerning entrusted Personal Data or its reasonable suspicion, and only during SALEOR COMMERCE’s working hours and only after making a prior appointment by SALEOR COMMERCE, in each case at least 14 calendar days before. The assistance services provided by SALEOR COMMERCE during exercising of the right of control under this provision shall be calculated by SALEOR COMMERCE per hour on the basis of hourly rates stipulated in the Agreement.
    3. From the control activities, the Parties will each time prepare an inspection report, which will be signed by authorized representatives of the Parties.
    4. SALEOR COMMERCE undertakes to eliminate the misconducts found during the inspection.
    5. SALEOR COMMERCE provides the CUSTOMER with all information necessary to demonstrate compliance with the obligations specified in Art. 28 of the GDPR.
  6. Further entrusting of data processing. Transfer of Personal Data outside the European Economic Area

    1. SALEOR COMMERCE declares that SALEOR COMMERCE will not entrust the Personal Data for further processing to third parties without prior consent of the CUSTOMER expressed in e-mail information.
    2. Without prior consent of the CUSTOMER expressed in e-mail information SALEOR COMMERCE declares that SALEOR COMMERCE will not transfer Personal Data to a third country (outside the European Economic Area).
    3. By a contract between SALEOR COMMERCE and another processor engaged in accordance with the paragraph 6.1 above data protection obligations ensuring the same level of personal data protection as set out in this DPA shall be imposed on that other processor.
  7. The Liability of SALEOR COMMERCE and the Parties

    1. SALEOR COMMERCE is responsible for making available or using Personal Data contrary to the DPA.
    2. The Parties undertake to inform the other Party immediately, not later than within 3 days, about any proceedings, in particular administrative or court proceedings, regarding the processing of entrusted Personal Data, and about any administrative decision or ruling regarding the processing of Personal Data, addressed to the Party, as well as any planned (if such information is available) or performed inspections, or controls regarding the Personal Data, in particular, conducted by inspectors authorized by the President of the Data Protection Office or another supervisory authority competent in the field of data protection, so that the participation of the Party in any of the above mentioned proceedings is possible. This section applies only to Personal Data entrusted by the CUSTOMER under this DPA.
  8. Duration of the DPA, remuneration

    1. This DPA shall apply from the Effective Date within the meaning of section 2.2. of the Terms of Use for the duration of the Agreement. Termination of the Agreement by the Parties due to any reason results in the automatic termination of this DPA.
    2. Subject to provisions of clauses 4.5. and 5.2. of this DPA for performing of the obligations under this DPA SALEOR COMMERCE is not entitled to additional remuneration and all its activities under this DPA are carried out as part of the remuneration provided for in the Agreement.
  9. Privacy policy

    1. The Parties undertake to keep confidential all information, data, materials, documents and personal data, received from the other Party and from the persons cooperating with the other Party, and data obtained in any other way, intended or accidental, in oral, written or electronic form ("Confidential Data").
    2. The Parties declare that due to the obligation to keep Confidential Data in secret, such Confidential Data will not be used, disclosed or made available without the other Party's consent expressed in e-mail notification for purposes other than performance of this DPA, unless the disclosure of information is required by applicable law or this DPA.
  10. Miscellaneous

    1. The law applicable to this DPA is the law of Poland. In matters not settled in this DPA, the provisions of the applicable law, in particular the GDPR will apply.
    2. No modification of this DPA shall be valid unless made according to the provisions of the Terms of Use, in particular Section 13.5. and 13.6. of the Terms of Use.
    3. The competent court for the settlement of all disputes arising from the DPA shall be the court for the seat of the SALEOR COMMERCE.
    4. The DPA comes into force on the Effective Day.
    5. The DPA constitutes the entire agreement between the Parties with respect to the subject matter of this DPA and supersedes all prior agreements and understandings, both oral and written, between the Parties with respect to the subject matter of this Agreement.
    6. Addresses for delivery and contact under this DPA:

      1. if to the CUSTOMER, to: the addresses in Saleor Commerce Order in accordance with Section 13.5. of the Terms of Use;
      2. if to SALEOR COMMERCE, to: the address and data according to Section 13.5. of the Terms of Use.
    7. In the event of a conflict between the Agreement or the Terms of Use and this DPA, the provisions of this DPA shall prevail to the extent of such conflict.

Appendixes:

  1. Appendix 1 to the DPA – Description of the type of data, categories of data subjects, the scope, nature and purpose of the data processing

APPENDIX 1 to the Data Protection Agreement (DPA)

Description of the type of data, categories of data subjects, the scope, nature and purpose of the data processing

Categories of data subjects: The Personal Data may concern individuals about whom Personal Data is provided to SALEOR COMMERCE as processor via the Services by (or at the direction of) the CUSTOMER or CUSTOMER’s end users

The Personal Data may concern the following categories of data subjects:

  • contractors of the CUSTOMER
  • clients of the CUSTOMER
  • other suppliers, partners, employees, consultants, contractors, agents, and end users of the CUSTOMER

Type of data: The Personal Data concern the following type of data:

  • non-sensitive data (other personal data than special categories of data, e.g. name, e-mail)

Categories of data: The Personal Data concern the following categories of data: any Personal Data provided to SALEOR COMMERCE as processor via the Services, in particular:

  • name, surname of Customer’s clients
  • origin
  • geolocation data
  • financial transaction history
  • stored payment method(s)
  • email addresses
  • telephone numbers
  • order histories
  • browsing session histories
  • passwords
  • data related to the bank account number, name of the bank
  • birthdate

Processing operations: The Personal Data will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use for providing Services under the Agreement, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and any other activities necessary for or connected with providing Services under the Agreement

Nature of the data processing: The Personal Data will be processed only in electronic form
