Data processing agreement

Last updated: January 25, 2022

This Data Processing Agreement (“DPA”) forms an integral part of the Service Agreement which governs the use of the Service provided by Upsy.  In the Service Agreement, Customer and Upsy have agreed on the Service where Upsy is a Processor of Personal Data on behalf of Customer. This DPA sets out the conditions under which Upsy may Process Personal Data on behalf of Customer and what measures are required to protect Personal Data.

Terms used in this DPA shall have the meaning given in the Service Agreement or in the General Data Protection Regulation (679/2016, “GDPR”) of the EU, together with all laws implementing or supplementing the same and any other applicable data protection or privacy laws (“Data Protection Legislation”).

1. Processing of Personal Data

Customer is a Controller of the Personal Data and shall be solely responsible for ensuring that it has lawful basis for Processing the Personal data. Customer shall also be responsible for fulfilling other obligations of a Controller, as set out in Data Protection Legislation, including among others the provision of information to Data Subjects on the Processing of their Personal Data. 

Upsy shall Process Personal Data in accordance with Data Protection Legislation, the Service Agreement, and written instructions of Customer. If the written instructions provided by Customer infringe Data Protection Legislation, Upsy shall notify Customer without undue delay. Instructions which deviate from stipulations of the Service Agreement or which impose additional restrictions shall require Upsy’s written approval.

If Upsy receives any communications or requests from Data Subjects or competent data protection authorities concerning the Processing of Personal Data on behalf of Customer, Upsy shall inform Customer and direct such communications and requests to Customer, unless prevented from doing so under Data Protection Legislation. Upsy shall not respond to such communications or requests without consulting Customer first, unless otherwise required under Data Protection Legislation.

Upsy shall also, to a reasonable extent, assist Customer in fulfilling its other obligations concerning the Personal Data Processed by Upsy on behalf of Customer. Such other obligations may include assisting Customer in implementing appropriate technical and organizational measures, carrying out data protection impact assessments and requesting prior consultation from the competent data protection authorities, as well as assisting Customer in fulfilling requests made by Data Subjects in relation to their rights under Data Protection Legislation. Upsy shall impose adequate contractual obligations regarding confidentiality and security upon its personnel which have been authorized to Process Personal Data.

Purpose and Scope of Processing

Upsy only Processes Personal Data in order to provide the Service to Customer as agreed in the Service Agreement. Purpose for Processing Personal Data is to assist the end users of Customer’s website when they are browsing Customer’s online store and to create anonymous analytics data.

Categories of Personal Data and Data Subjects

Processed Personal Data includes the following categories: interaction and purchase data (e.g. basket content, timestamp) of the end users of Customer’s website and a related session ID. Data Subjects, whose Personal Data is Processed are the end users of Customer’s website and online store.

Time limits for erasure of Personal Data

Processed Personal Data will be Processed only as long as it is necessary for the purpose of assisting the end user of Customer when using Customer’s website. Session IDs expire after twelve (12) hours, after which any interaction or purchase data cannot be connected to an individual session ID.

2. Security of Personal Data

Upsy shall make sure that appropriate technical and organizational measures have been implemented in accordance with Data Protection Legislation to ensure appropriate security of Personal Data Processed by Upsy on behalf of Customer. These measures may include, as appropriate, the pseudonymisation and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and regularly testing, assessing and evaluating the effectiveness of the implemented technical and organisational measures.

3. Personal Data Breaches

Upsy shall inform Customer without undue delay if Upsy has noticed a data breach concerning the Personal Data controlled by Customer. In the event of a Personal Data breach, Upsy shall deliver Customer with the information as required under Data Protection Legislation and provide Customer with the necessary and reasonable assistance in resolving the situation.

4. Audits

Upsy agrees to allow Customer or an independent third party appointed by Customer to conduct audits to ensure that Upsy is complying with this DPA and Data Protection Legislation. Upsy shall, upon reasonable written notice by Customer, provide necessary documentation to Customer or the independent third party appointed by Customer. To the extent such documentation is not deemed sufficient to verify compliance with this DPA and Data Protection Legislation, Upsy shall, upon Customer’s reasonable written notice, provide necessary access and allow inspection at the Upsy’s premises. Customer shall bear all direct costs related to such audits and inspections.

5. Sub-Processing and transfers of Personal Data Outside EU / EEA

Customer hereby gives its consent to Upsy’s use of Sub-processors specified at the website of Upsy at the given time, for the Processing of Personal Data on behalf of Customer. If Upsy intends to change or add new Sub-processors, Upsy notifies Customer in advance of such changes and gives Customer an opportunity to object to such changes for a justified reason. Insofar as Customer does not object within fourteen (14) days after receipt of the notification, Customer’s right to object to the corresponding engagement lapses.

If Customer objects to such change or addition in Upsy’s Sub-processors, both Parties shall have the right to terminate the Service Agreement by thirty (30) days prior written notice. Upsy shall ensure that its Sub-processors also implement appropriate technical and organizational measures as required by Data Protection Legislation and that such Sub-processors are bound by data protection obligations at least as extensive as the ones agreed herein. Upsy remains fully liable to Customer in case a Sub-processor used by Upsy fails to fulfil its obligations under Data Protection Legislation.

Upsy may transfer Personal Data outside the EU/EEA upon and subject to the terms and conditions set out herein. If Upsy transfers Personal Data as a data exporter to a country outside the EU/EEA, which is not recognized by the European Commission to have an adequate level of protection in accordance with Data Protection Legislation, Upsy agrees to enter into supplementary agreement with the data importer containing the standard contractual clauses for the transfer of Personal Data to third countries as set forth in the European Commission Decision of 4 June 2021 (or any such standard contractual clauses amending or replacing the European Commission Decision of 4 June 2021). In such cases, Upsy shall implement necessary supplementary measures to ensure that the level of protection of Personal Data is not undermined as a result of the transfer. For the sake of clarity, Upsy shall not be responsible for transfers of Personal Data where Customer itself transfers Personal Data as a data exporter or instructs a third party to transfer Personal Data as a data exporter to a data importer outside the EU/EEA.

6. Term

Upon termination or expiry of the Service Agreement, Upsy shall return or delete Personal Data controlled by Customer in accordance with Section 2 of this DPA, unless Upsy is obligated by law to further store the Personal Data. This DPA shall be applicable during the validity of the Service Agreement and until all Personal Data held by Upsy is deleted or returned to Customer.

7. Liability

Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Service Agreement.

Upsy will not be liable under the Service Agreement for any claim brought by a Data Subject arising from any action or omission by Upsy to the extent that such action or omission resulted directly from Customer’s instructions or Customer’s failure to comply with its obligations under the Data Protection Legislation.

Notwithstanding the limitation of liabilities set forth in the Service Agreement and this DPA, if a Party has in accordance with Article 82 paragraph 4 of the GDPR, paid compensation for the damage suffered by a Data Subject, this Party shall be entitled to claim back from the other Party involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage in accordance with the GDPR.