This Data Processing Addendum (“DPA”) amends and supplements the Merchant User Agreement (“Agreement”) entered into between you, the user, together with any company or other business entity you are representing, if any (collectively, “Merchant”), and Big Cartel, LLC (“Big Cartel”) and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. If there is any inconsistency or conflict between this DPA and the Agreement as it relates to data protection, this DPA will govern. This DPA applies only to the extent Merchant uses the Software and/or Services to collect personal data from residents of the European Economic Area (“EEA”) or Switzerland.
1. Definitions
“Merchant Personal Data” means Personal Data originating in the EEA or Switzerland and Processed by Big Cartel on behalf of Merchant in provision of the Software and/or Services.
“Data Subject” means the individual to whom Merchant Personal Data relates.
“Controller to Processor Standard Clauses” means the standard clauses for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010, available here.
“Data Protection Legislation” means as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
“Personal Data” means any information that relates to a Data Subject, including but not limited to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the Data Subject.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Merchant Personal Data.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Merchant Personal Data transmitted, stored or otherwise Processed.
The terms “controller,” “data subject,” “personal data,” “processor,” and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR.
2. Processing of data
2.1 Purpose of Processing
The purpose of data Processing under this Agreement is the provision of the Software and/or Services pursuant to the Agreement.
2.2 Processor and Controller Responsibilities
The parties acknowledge and agree that: (a) Big Cartel is a processor of Merchant Personal Data under the Data Protection Legislation; (b) Merchant is a controller of Merchant Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of Merchant Personal Data.
2.3 Merchant Instructions
Merchant instructs Big Cartel to Process Merchant Personal Data: (a) in accordance with the Agreement; and (b) to comply with other reasonable written instructions provided by Merchant where such instructions are consistent with the terms of the Agreement. Merchant will ensure that its instructions for the Processing of Merchant Personal Data shall comply with the Data Protection Legislation. Merchant shall have sole responsibility for the accuracy, quality, and legality of Merchant Personal Data and the means by which Merchant obtained the Merchant Personal Data.
2.4 Big Cartel’s Compliance With Merchant Instructions
Big Cartel shall only Process Merchant Personal Data in accordance with Merchant’s instructions and shall treat Merchant Personal Data as confidential information. Big Cartel may Process Merchant Personal Data other than on the written instructions of Merchant if it is required under applicable law to which Big Cartel is subject. In this situation, Big Cartel shall inform Merchant of such requirement before Big Cartel Processes the Merchant Personal Data unless prohibited by applicable law. If Big Cartel believes or becomes aware that any of Merchant’s instructions conflict with any Data Protection Legislation, Big Cartel shall inform Merchant immediately.
3. Security; Privacy Impact Assessments
3.1 Big Cartel Personnel
Big Cartel shall ensure that its personnel engaged in the Processing of Merchant Personal Data are informed of the confidential nature of the Merchant Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with Big Cartel.
3.2 Security Measures
Big Cartel will implement appropriate technical and organizational measures to safeguard Merchant Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.3 Data Privacy Impact Assessments
Big Cartel will take reasonable measures to cooperate and assist Merchant in conducting a data protection impact assessment and related consultations with any supervisory authority, if Merchant is required to do so under Data Protection Legislation.
4. Data Subject Rights
4.1 Assistance with Merchant’s Obligations
To the extent Merchant, in its use or receipt of the Software and/or Services, does not have the ability to correct, amend, restrict, block or delete Merchant Personal Data, as required by Data Protection Legislation, Big Cartel shall promptly comply with reasonable requests by Merchant to facilitate such actions to the extent Big Cartel is legally permitted and able to do so.
4.2 Notification Obligations
Big Cartel shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Merchant Personal Data relating to such individual. Big Cartel shall not respond to any such Data Subject request relating to Merchant Personal Data without Merchant’s prior written consent except to confirm that the request relates to Merchant. Big Cartel shall provide Merchant with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Merchant does not have access to such Merchant Personal Data through its use or receipt of the Software and/or Services.
5. Subprocessors
5.1 General Authorization
Merchant generally authorizes the use of subprocessors to Process Merchant Personal Data in connection with fulfilling Big Cartel’s obligations under the Agreement and/or this DPA.
5.2 New Subprocessors
When Big Cartel engages any new subprocessor to process Merchant Personal Data, Big Cartel will inform Merchant of the engagement via email to the email address on file for Merchant’s account and give Merchant the opportunity to object to such subprocessor.
5.3 Big Cartel Obligations
Big Cartel will remain liable for the acts and omissions of its subprocessors to the same extent Big Cartel would be liable if performing the services of each subprocessor directly under the terms of this DPA. Big Cartel will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Big Cartel under this DPA.
6. Data Transfers
6.1 Governing Terms
When a Merchant located in a Member State of the EEA or Switzerland transfers or discloses Personal Data to Big Cartel, such transfers will be governed by the Controller to Processor Standard Clauses. For purposes of the Controller to Processor Standard Clauses, (i) the Merchant located in the EEA or Switzerland will be referred to as the “Data Exporter” and (ii) Big Cartel will be referred to as the “Data Importer.” Annex 1 to this Agreement shall apply as Appendix 1 of the Controller to Processor Standard Clauses.
7. Security Breach
7.1 Notification Obligations
In the event Big Cartel becomes aware of any Security Breach, Big Cartel will notify Merchant of the Security Breach without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Merchant or Merchant’s personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Merchant Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
7.2 Manner of Notification
Notification(s) of Security Breaches, if any, will be delivered to one or more of Merchant’s business, technical or administrative contacts by any means Big Cartel selects, including via email. It is Merchant’s sole responsibility to ensure it maintains accurate contact information on Big Cartel’s support systems at all times.
8. Term and Termination
8.1 Term of DPA
This DPA will remain in effect until, and automatically expire upon, deletion of all Merchant Personal Data as described in this DPA.
8.2 Deletion of Merchant Data
Big Cartel shall delete or return Merchant Personal Data to Merchant after the end of the provision of Software and Services under the Agreement and shall delete all existing copies thereof, except to the extent that Big Cartel is required under Data Protection Legislation to keep a copy of the Merchant Personal Data.
9. Audits
9.1 Audit Rights
No more than once per year, Merchant may engage a mutually agreed upon third party to audit Big Cartel solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, Merchant must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to firstname.lastname@example.org. The auditor must execute a written confidentiality agreement acceptable to Big Cartel before conducting the audit. The audit must be conducted during regular business hours, subject to Big Cartel’s policies, and may not unreasonably interfere with Big Cartel’s business activities. Any audits are at Merchant’s sole cost and expense.
9.2 Separate Service
Any request for Big Cartel to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Merchant shall reimburse Big Cartel for any time spent for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Big Cartel. Merchant shall promptly notify Big Cartel with information regarding any non-compliance discovered during the course of an audit. Big Cartel will reasonably cooperate with Merchant, at Merchant’s expense, to assist Merchant in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to Big Cartel.
10. Limitation of Liability
Big Cartel’s liability for breach of its obligations in this DPA is subject to the limitation of liability provision in the Agreement.
ANNEX 1: APPENDIX 1 TO THE CONTROLLER TO PROCESSOR STANDARD CLAUSES
Data exporter
The data exporter is: The Merchant who has agreed to the Merchant User Agreement and uses Big Cartel’s Software and/or Services to collect Personal Data from individuals residing in the EEA or Switzerland.
Data importer
The data importer is: Big Cartel
Data subjects
The personal data transferred concern the following categories of data subjects: Individuals who purchase goods from Merchant or interact with Merchant’s Big Cartel-powered website or mobile application.
Categories of data
The personal data transferred concern the following categories of data: Names, contact information, payment information, purchase history.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: None
Processing operations
The personal data transferred will be subject to the following basic processing activities: Storage, marketing in accordance with the Merchant’s direction, and order processing.