Roistat Data Processing Addendum

This Roistat Data Processing Addendum (“Agreement”) forms part of, and is subject to the provisions of, the Roistat Terms of Service (“Terms of Service”). Capitalized terms not defined here have the meanings set forth in the Terms of Service. The following definitions apply solely to this Data Processing Addendum: a. the terms “Controller”, “data subject”, “personal data”, “process,” “processing” and “Processor” have the meanings given to these terms in Data Protection Law. b. “Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR and the e-Privacy Directive 2002/58/EC, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. c. “GDPR” means the EU General Data Protection Regulation 2016/679. d. “Sub-Processor” means an entity engaged by Roistat to process Your Controlled Data. We, the Processor, technically operate a website and/or online shop on our systems located in countries including the US on behalf of you, the Controller. We may also be an independent Controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a Controller, you acknowledge and confirm that this Data Processing Addendum does not create a joint-Controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Site, you receive that as an independent data Controller and are responsible for compliance with EU Data Protection Law in that regard. The Processor shall process personal data for the Controller in terms of Data Protection Law and in terms of Article 4(2) and Article 28 of the GDPR based on this Agreement. The contractually stipulated service shall be performed exclusively in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area. Any relocation of the service or parts thereof to another country shall only take place if the specific requirements of Article 44 and subsequent Articles of the GDPR are met (e.g. adequacy decision by the Commission, standard data protection clauses, approved codes of conduct). We are a certified member of the EU- US privacy shield. The processing of personal data by the Processor for the Controller, which is located in the USA is carried out within the framework of these adequacy decisions.

1. Type and Purpose of Processing, Type of Personal Data and Categories of Data Subjects:

Type of processing (in accordance with the definition in Article 4 No. 2 of the GDPR): Processing is the collection, storage, use of personal data and other operations or set of operations on personal data which are necessary for the operation of the respective website and/or online shop. Type of personal data (in accordance with the definition in Articles 4 No. 1, 13, 14 and 15 of the GDPR):
  • Name
  • Company
  • Postal address
  • Phone Number
  • Email Address
  • Contact information the extent of which is determined and controlled by End User in its sole discretion
  • Order details
  • IP address
  • Information submitted through the Roistat Contact form
  • System (website) usage data and application integration data
  • Other electronic data submitted, stored, sent or received via respective website and/or online shopv
Categories of data subjects (in accordance with the definition in Article 4 No. 1 of the GDPR): Data subjects are users of the respective website and/or online shop. Data subjects also include individuals attempting to communicate with or transfer personal data to the End User.

2. Rights, Duties and Powers of Instruction of the Controller

The Controller shall alone be responsible for assessing the lawfulness of processing pursuant to Article 6(1) of the GDPR and other Data Protection Laws and for safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR and other Data Protection Laws. Nevertheless, the Processor shall be obligated to forward to the Controller all such inquiries without undue delay insofar as they are recognizably intended for the Controller exclusively. Modifications of the subject of processing and changes in procedures are to be coordinated between the Controller and the Processor and defined in writing or in a documented electronic format. The Controller shall generally issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions are to be confirmed in writing or in a documented electronic format without undue delay. The Controller shall be entitled to convince itself adequately of the Processor's adherence to technical and organizational measures taken by the Processor and with the obligations defined herein prior to commencement of the processing and on a regular basis thereafter, as set down in Section 4 hereof. The Controller shall notify the Processor without undue delay if the Controller finds errors or irregularities when reviewing the results of the processing. The Controller shall be obligated to treat all knowledge of business secrets and data security measures of the Processor obtained thereby within the framework of the contractual relationship confidentially. This obligation shall remain in effect even after the Termination of this Agreement. For the avoidance of doubt, Controller’s instructions for the processing of personal data shall comply with the Data Protection Law.

3. Controller's Authorized Issuers, Processor's Authorized Recipients

The Controller's authorized issuers of instructions and communication channel for this Agreement shall be:
  • The Processor's authorized recipients of instructions and the communication channel to be used for instructions shall be:
  • If contact persons are changed or hindered for an extended period, the other Party shall be notified of the successors or substitutes without undue delay, generally in writing or electronically. Instructions are to be preserved for the effective term thereof and for three full calendar years thereafter.

4. Duties of the Processor

The Processor shall process personal data exclusively within the bounds of the agreements reached by the Parties and the Controller's instructions, unless it is obligated to conduct processing otherwise by the laws of the EU or of the Member States to which the Processor is subject (e.g. investigations by law enforcement and state security authorities) or other Data Protection Laws; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3) Sentence 2 character a of the GDPR). The Processor hereby warrants that all measures stipulated herein in connection with the processing of personal data under this Agreement will be taken in accordance with this Agreement. The Processor hereby warrants that the data processed for the Controller will be kept strictly separate from other data. The data storage media originating from or used for the Controller shall be specially labelled. The arrival, departure and ongoing use thereof shall be documented. The Processor shall be required to participate to a necessary extent and provide the Controller with reasonable assistance to the extent possible in safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR and other Data Protection Laws, in compiling records of processing activities and in necessary impact assessments by the Controller (namely, Article 28(3) Sentence 2 character “e” and “f” of the GDPR). The Processor shall provide the necessary information in this regard without undue delay in each case to the Controller. The Controller informs the Processor in writing immediately after conclusion of this Agreement, which office of the Controller shall be addressed. The Processor shall inform the Controller without undue delay if, in its opinion, an instruction issued by the Controller violates statutory provisions (including Article 28(3) Sentence 3 of the GDPR) and otherwise infringes the Data Protection Law. The Processor shall be entitled to delay performance of the relevant instruction until it is confirmed or amended by the Controller's after review. The Processor shall be required to modify, delete or restrict processing of personal data arising from the contractual relationship if the Controller makes such request by means of an instruction unless such is opposed by legitimate interests of the Processor. The Processor may not provide personal data arising from the contractual relationship to third parties or the data subjects without the prior instruction or approval from the Controller. The Processor hereby warrants that it will participate as far as necessary in this monitoring in a supportive fashion. The Processor hereby confirms that it is familiar with the data protection provisions of the Data Protection Law applicable to the commissioned processing. It also hereby agrees to observe secrecy rules of relevance for this Agreement which are incumbent upon the Controller. As far as the Controller has to observe corresponding special secrecy rules, he informs the Processor in writing immediately after conclusion of this Agreement, which secrecy rules are concerned. The Processor hereby agrees to maintain confidentiality in connection with the processing of personal data in accordance with this Agreement. This duty shall continue to be binding after the termination of this Agreement. The Processor hereby warrants that it will make employees engaged in performance of the processing familiar with the respective data protection provisions applicable to them prior to the commencement of their activity and that such employees will be obligated in suitable fashion to maintain secrecy for the period of the activity thereof and after termination of the employment relationship (Article 28(3) Sentence 2 character “b” and Article 29 of the GDPR). The Processor shall monitor compliance with the provisions of Data Protection Law. All correspondence related to this agreement are to be directed to .

5. Processor's Notification Duties in the Event of Disruptions in Processing and Breaches of the Protection of Personal Data:

The Processor shall notify the Controller by posting on without undue delay of disruptions and violations by the Processor or the persons employed by it of provisions of Data Protection Law or the provisions of the Agreement, as well as of the suspicion of data protection violations or irregularities in the processing of personal data. This shall apply above all with respect to possible notification and communication obligations of the Controller in accordance with Article 33 and Article 34 of the GDPR. The Processor hereby warrants that it will adequately assist the Controller with its obligations in accordance with Article 33 and Article 34 of the GDPR (Article 28(3) Sentence 2 character “f” of the GDPR). Notifications on behalf of the Controller under Articles 33 or 34 of the GDPR may only be executed by the Processor after prior instruction pursuant to Section 4 of this Agreement.

6. Relationships with Subcontractors (Article 28(3) Sentence 2 character d of the GDPR)

The Processor may engage third parties and/or subcontractors for the processing of personal data under this Agreement. The Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or subcontractors the same conditions, duties and responsibilities as mentioned in this Agreement. Upon written request by Controller, the Processor is to provide information regarding the obligations of its sub-processors relevant to data protection at any time. The provisions of this Section 6 shall mutually apply if the Processor engages a sub-processor in a country outside the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this Agreement, Processor transfers any personal data to a sub-processor located outside of the EEA, Processor shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

7. Technical and Organizational Measures in Accordance with Article 32 of the GDPR (Article 28(3) Sentence 2 character “c” of the GDPR)

Processor shall take the appropriate technical and organizational measures to adequately protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. A level of security adequate to the risk for the rights and freedoms of natural persons affected by the specific processing shall be ensured. To this end, without limiting the generality of foregoing, the protective goals of Article 32(1) of the GDPR, such as the confidentiality, integrity and availability of systems and services and the resilience thereof with regard to the nature, scope, context and purposeof the processing shall be taken into account so that the risk is mitigated in a lasting manner through appropriate technical and organizational measures. Upon written request from the Controller, and no more than once per calendar year, the Processor will make available to the Controller all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any reviews of information, audits, or inspections conducted pursuant to this Section shall be at the Controller’s sole expense.

8. Data Subject Requests

Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the processing, to enable Controller to respond to any request from data subjects seeking to exercise their rights under the Data Protection Law with respect to personal data (including access, rectification, restriction, deletion or portability of personal data,asapplicable),totheextentpermittedbythelaw. IfsuchrequestismadedirectlytoProcessor, Processor will promptly inform Controller and will advise data subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any data subjects’ requests. Controller shall reimburse Processor for the costs arising from this assistance.

9. Data Transfers

Controller acknowledges and agrees that, in connection with the performance of the services under this Agreement, personal data may be transferred outside the EEA. The Standard Contractual Clauses pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, will apply with respect to personal data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law).

10. Liability

The Processor is responsible for the implementation of the measures as set out in this Data Processing Addendum. The Processor is not liable if these measures turn out to be insufficient. The Controller indemnifies the Processor against claims of third parties, including data protection authorities, ensuing for any reason whatsoever from the Processing of Personal Data as set out in this Data Processing Addendum. Any liability of the Processor on account of imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Roistat Terms of Service.

11. Confidentiality

Processor shall ensure that any personnel whom Processor authorizes to process personal data on its behalf is subject to confidentiality obligations with respect to that personal data. The undertaking to confidentiality shall continue after the termination of the Agreement.

12. Deletion or Retrieval of Personal Data

Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Agreement, Processor will delete all personal data (including copies thereof) processed pursuant to this Agreement. If Processor is unable to delete personal data for technical or other reasons, processor will apply measures to ensure that personal data is blocked from any further processing.

13. General Provisions

In case of any conflict, this Agreement shall take precedence over the regulations of the Terms of Service. Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected. Personal Data will be Processed for the duration of the Agreement and always subject to time limits and periods imposed by Data Protection Law.

14. Parties to this Agreement

This Agreement is an amendment to and forms part of the Terms of Service. Upon the incorporation of this Agreement into the Terms of Service (i) Controller and the Processor that are each a party to the Terms of Service are also each a party to this Agreement, and (ii) to the extent that Processor is not the party to the Terms of Service, Processor is a party to this Agreement, but only with respect to this Section 14 of the Agreement. The legal entity agreeing to this Agreement represents that it is authorized to agree to and enter into this Agreement for, and is agreeing to this Agreement solely on behalf of, the Controller.
Узнайте, какие возможности Roistat будут полезны именно вашему бизнесу