Data Processing Addendum
Last updated 03 January 2024
This Data Processing Addendum (“DPA”) supplements and forms part of the Manage Your eCommerce Customer Terms and Conditions available at www.manageyourecommerce.com/terms-and-conditions, as updated from time to time between Customer and Manage Your eCommerce, or other agreement between Customer and Manage Your eCommerce governing Customer’s use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of the Manage Your eCommerce Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Manage Your eCommerce as the Service Provider.
All capitalised terms not defined in this DPA shall have the meanings outlined in the Terms.
Definitions - For this DPA:
- “Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated.
- “EEA” means the European Economic Area.
- “Terms” means the terms and conditions which apply to you as a customer of the Service the current version of which is contained on the Manage Your eCommerce website, or other written or electronic agreements between Manage Your eCommerce and Customer setting out the provision and use of the Service.
- The terms “Controller”, “Processor”, “Personal Data”, “processing”, “special categories of data” and “Data Subject” have the meanings given to them in the GDPR.
Applicability of DPA
- Applicability: This DPA applies to any processing of Personal Data which Manage Your eCommerce carries out on behalf of the Customer in the course of providing the Service under the Terms.
Roles and Responsibilities
- Roles of the Parties. As between Manage Your eCommerce and Customer, Customer is the Controller of the Personal Data described in Annex A (the “Client Data”) and Manage Your eCommerce shall process the Client Data as a Processor acting on behalf of Customer.
- Customer Obligations
- Customer shall comply at all times with the Data Protection Legislation and all other applicable laws relating to privacy and data protection in respect of its use of the Service, its use of the Client Data, and any processing instructions it issues to Manage Your eCommerce;
- Customer warrants and represents that it has obtained and/or has in place, all necessary consents, approvals and/or valid legal basis to lawfully transfer, or provide access to, the Client Data to Manage Your eCommerce for this DPA and the provision of the Service by Manage Your eCommerce; and
- Customer acknowledges that Manage Your eCommerce is reliant on Customer for directions as to the extent to which Manage Your eCommerce is entitled to use and process the Client Data.
- Manage Your eCommerce may process Client Data for any or all of the purposes set out; and shall only process Client Data by the lawful, documented instructions by Customer (including the instructions of any users accessing Manage Your eCommerce with permission given by Customer) as set out in the Terms, this DPA or otherwise agreed in writing. If a legal requirement prevents Manage Your eCommerce from complying with such instructions or requires Manage Your eCommerce to disclose the Client Data to a third party Manage Your eCommerce shall, unless such legal requirement prohibits it from doing so, inform Customer of the relevant legal requirement before carrying out the relevant processing activities.
- Aggregated and anonymized Client Data. Customer acknowledges and agrees that Manage Your eCommerce may use, share or otherwise process the Client Data (in aggregated or otherwise anonymized form only) for its business purposes.
- Security: Manage Your eCommerce shall take reasonable steps to implement appropriate technical and organisational measures to protect the Client Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (a “Security Incident”).
- Confidentiality obligations: Manage Your eCommerce shall ensure that any personnel that it authorises to process the Client Data shall be subject to a duty of confidentiality.
- Security Incident: Manage Your eCommerce shall notify the Customer of a Security Incident within a reasonable timeframe and without undue delay. Manage Your eCommerce shall make reasonable efforts to identify the cause of the Security Incident and to take such steps as Manage Your eCommerce deems necessary and reasonable to mitigate the effects of such Security Incident, to the extent such efforts are within Manage Your eCommerce’s reasonable control. Where this relates to data for which Manage Your eCommerce is a processor, Manage Your eCommerce shall, taking into account the nature of processing and the information available to the processor, make reasonable efforts to assist the controller in ensuring compliance with the obligations under the Data Protection Legislation.
- Sub-processors: Customer agrees that Manage Your eCommerce may engage Manage Your eCommerce affiliates and third-party sub-processors (collectively, “Sub-processors”) to process Client Data on Manage Your eCommerce’s behalf provided that:
- Objection to Sub-processors: For up to thirty (30) days from when Manage Your eCommerce updates its list of Sub-processors (the “Objection Period”), Customer may object to Manage Your eCommerce’s appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to resolve and if such resolution cannot be reached during the Objection Period, then Manage Your eCommerce, at its discretion, will either not appoint or replace the Sub-processor or, will permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer before suspension or termination, subject to this action being requested within the objection period).
- International transfers: To the extent that Manage Your eCommerce transfers any Client Data originating from the UK to a country that has not been designated by the UK government as providing an adequate level of data protection, it shall put in place the appropriate standard contractual clauses which have been approved by the UK government and set out in the Annex to that decision, or such other measures as are necessary to ensure such transfer complies with the Data Protection Legislation. The customer authorises transfers of Client Data to such destinations outside of the UK subject to such appropriate safeguards having been put in place.
- Assistance: Manage Your eCommerce shall, taking into account the nature of the processing, provide reasonable assistance to Customer to meet its obligations in responding to requests from data subjects exercising their rights, conducting data protection impact assessments and consulting with competent supervisory authorities.
- Provision of information and reports: Manage Your eCommerce shall make information about its security architecture and processes applicable to the Service on Manage Your eCommerce’s Security web page (accessible via https://www.manageyourecommerce.com/security-and-reliability), or as otherwise made reasonably available by Manage Your eCommerce. Manage Your eCommerce shall make available to Customer at Customer’s expense information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by a supervisory authority or an auditor authorised by Customer provided always such inspections and/or audits shall be carried out on reasonable notice, at reasonable intervals and during normal business hours of Manage Your eCommerce and upon production of appropriate identity evidencing authority. The customer undertakes to ensure avoidance or disruption (or at least minimise disruption, where avoidance is not possible) to the day-to-day operations of Manage Your eCommerce’s business and/or damage or injury to Manage Your eCommerce’s equipment, premises and personnel. Any materials produced during such audits or inspections will be Manage Your eCommerce’s confidential information and may not be disclosed without Manage Your eCommerce’s prior written consent, except as required by applicable law.
Return/Deletion of Data
- Upon termination or expiry of the Terms, Manage Your eCommerce shall delete or return to Customer the Client Data (including copies) in Manage Your eCommerce’s possession by the procedures and timeframes specified in the Terms.
- The parties confirm that this DPA forms part of and is attached to the Terms. Except as modified by this DPA, the Terms shall remain in full force and effect.
- Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability outlined in the Terms.
- About the processing of Client Data, in the event of any conflict or inconsistency between the terms of this DPA and the Terms, the terms of this DPA shall prevail.
- Manage Your eCommerce may amend, replace or vary the terms of this DPA and/or its Annexes (if necessary) to reflect any changes in the Client Data being processed and/or to reflect any changes in the Data Protection Legislation or a new requirement under such law.
- This DPA may be signed in two or more original counterparts in English (subject to any mandatory legal requirement which requires otherwise), which shall together constitute the same instrument.
- This DPA shall be interpreted, construed and enforced by English law and shall be subject to the exclusive jurisdiction of the English Courts.
- In the event any provision of this DPA is determined to be illegal, unenforceable or void, such provision shall be severed and all other provisions of this DPA shall continue in full force and effect. The parties hereby undertake to cooperate to replace the illegal, unenforceable or void provision as soon as possible with a new provision that accomplishes a permissible result and achieves an economic effect as similar as possible to the result attempted to be accomplished by the illegal, unenforceable or void provision.
- Data Processing Description: This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
- Controller: The controller is the entity entering into an agreement with Manage Your eCommerce for the provision of Manage Your eCommerce’s order processing and retail management services, referred to as “Customer” in the DPA.
- Processor: The processor is Manage Your eCommerce Limited, a company established in the United Kingdom, which provides order management and retail management software and related services (“Services”) to Customers.
- Data subjects:
- The personal data to be processed concern the following categories of data subjects.
- Consumers/end users of Customer: past, present and potential consumers and end users of Customer whose Personal Data is submitted to the Services.
- Categories of data: The personal data to be processed concern the following categories of data.
- Contact data: such as names, email addresses, shipping/billing addresses, phone numbers, and contact details.
- Sales data: such as details of the transactions undertaken through the Services, products/services purchased, date/time, payment amount/method, cancellations, returns, exchanges, communications with controllers etc.
- Financial or payment information.
- Marketing preferences and communications.
- Any other data that consumers/end users have provided to Customer which are processed through the Services, the extent of which is determined and controlled by Customer or consumer/end-user in their sole discretion.
- Special categories of data: The personal data to be processed concern the following special categories of data:
- Manage Your eCommerce does not intentionally collect or process any special categories of data in the provision of its Services. Under the Terms, Customer agrees not to provide (or permit any user to provide) any special categories of data to Manage Your eCommerce for processing unless agreed to in writing first.
- Processing operations: The personal data will be subject to the following basic processing activities:
- The provision, operation and delivery of the Services.
- Product and service development and improvement.
- Assessing and managing Manage Your eCommerce’s performance of the Services.
- Helping Customers use the Services more effectively.
- Any other purposes under Customer’s Terms with Manage Your eCommerce.
Hopefully, this has made things clearer for you. As mentioned earlier, if there is anything you are unsure about regarding the policies or terms stated here, please don’t hesitate to contact us at [email protected]