- INTRODUCTION
This data processing agreement (Data Processing Agreement) is a legal agreement in connection with the provision of services that forms an integral part of and applies in addition to the existing Service Contract concluded by and between the User as defined in such contract and Orderchamp B.V. in connection with the provision of specific services. Any capitalized words used in this Data Processing Agreement shall have the meaning attributed to them in the Service Contract unless specifically defined in this Data Processing Agreement. Orderchamp reserves the right to make, at its sole discretion, any changes to this Data Processing Agreement as long as these do not materially impact the rights of the User. Orderchamp shall notify the User of any such changes.
GENERAL DESCRIPTION OF PROCESSING ACTIVITIES
- Details of processing
Orderchamp offers services to the User consisting of an online platform that functions as a B2B Marketplace. User can be a Supplier and/or Retailer on this platform and has control over specific data relating to identified or identifiable individuals (Personal Data) which it will process through the services offered by Orderchamp.
Orderchamp can process Personal Data on behalf of the User for the purpose of providing the Services under the Service Contract to the User. It may further process personal data for any other purpose pursuant to specific instructions it receives from the User.
- Categories of data subjects
The personal data of the following data subjects will be processed by Orderchamp:
- Employees and other persons who have an account to access and use the Platform
- Customers
- Categories of personal data
- Name (first and/or last)
- Contact information (email address, home address, phone number)
- Date of Birth
- IP Address
- Geographical data
- Bank account details
- Duration of processing activities
Orderchamp shall process the Personal Data for the duration of the Services or until the User requests Orderchamp to cease the processing of Personal Data.
- Details of processing
Both Orderchamp and the User are familiar with the General Data Protection Regulation and shall use their best efforts to comply with all statutory requirements of the GDPR in the processing of personal data. User hereby instructs Orderchamp, in its capacity as processor, to process the personal data of the User as specified in the description above. Orderchamp hereby accepts these instructions and in that respect covenants and agrees to comply with the terms as specified in this Data Processing Agreement.
- Processing of Personal Data
Orderchamp shall process Personal Data only on the documented instructions of the User. If Orderchamp is required to process Personal Data in compliance with the law of the European Union or a Member State to which Orderchamp is subject, it will inform the User of such legal requirement prior to such processing, unless such law of the European Union or a Member State to which Orderchamp is subject prohibits it from doing so.
Orderchamp may engage the sub-processors as described in Annex 1 of this Data Processing Agreement and any other processors to process Personal Data on Customer’s behalf. Orderchamp shall inform the User of any intended changes concerning the addition or replacement of (sub-) processors that process Personal Data of the User and give the User the opportunity to object to such changes.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Orderchamp shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Orderchamp shall take into account the risks that are presented by the processing, in particular in relation to a personal data breach.
- Data Subject Requests
Orderchamp shall promptly notify the User if it receives a request from an individual with respect to Personal Data, including but not limited to information access requests, information rectification requests, requests for blocking, erasure, or portability of Personal Data and shall not respond to any such requests unless expressly authorized to do so by the User or unless required under a law of the European Union or a Member State to which Lightspeed is subject. Orderchamp shall ensure that it has implemented technical and organizational measures to assist Customer in fulfilling its obligation to respond to any such requests from an individual with respect to Personal Data processed.
- Personal Data Breach
Orderchamp shall notify the User without undue delay upon becoming aware of a Personal Data breach affecting Personal Data, providing the User with sufficient information to allow the User to meet any obligations to report or inform data subjects of the Personal Data Breach under the data protection laws. Orderchamp shall cooperate with the User and take reasonable commercial steps as are directed by the User to assist in the investigation, mitigation and remediation of each such Personal Data breach.
- Data Protection Impact Assessment
Orderchamp shall provide reasonable assistance to the User with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the User reasonably considers to be required by article 35 or 36 of the GDPR.
- Audit Rights
Subject to this section, Orderchamp shall make available to the User, once a year, upon a reasonable request all information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and support audits, including inspections, by the User or an auditor mandated by the User in relation to the processing of the Personal Data provided that such audit. Information and audit rights of the User only arise under this section to the extent that the Data Processing Agreement does not otherwise give them information and audit rights meeting the relevant requirements of data protection law.
- Data Transfers
Orderchamp may only subcontract (part of the) Services to third parties if Orderchamp ensures that such third parties are bound in writing to the same obligations. Orderchamp shall only transfer or authorize the transfer of Personal Data to countries outside the EU and/or the European Economic Area (EEA) if it ensures that the Personal Data is adequately protected in accordance with the requirements under GDPR.
Orderchamp shall hold Personal Data in strict confidentiality and require that employees and any other person under its authority who will be provided access to or will otherwise process Personal Data are held to the same level of confidentiality in accordance with the requirements of the Data Processing Agreement (including during the term of their employment or engagement and thereafter).
Orderchamp shall not disclose Personal Data to any third party or unauthorized persons, unless the User has given its prior written consent to such disclosure and subject to the obligations under this Data Processing Agreement.
- Third Party Inquiries
Orderchamp shall promptly inform the User if: (i) it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing of Personal Data under this Data Processing Agreement, except where Orderchamp is otherwise prohibited by law from making such disclosure; or (ii) it intends to disclose Personal Data to any competent public authority. In case of inspection or audits by a competent governmental authority relating to the processing of Personal Data, Orderchamp shall make available its relevant processing systems, facilities and supporting documentation to the relevant competent public authority for an inspection or audit if this is necessary to comply with applicable laws. In the event of any inspection or audit, each party shall provide all reasonable assistance to the other party in responding to that inspection or audit. If a competent public authority deems the processing of Personal Data under this Data Processing Agreement unlawful, the parties shall take immediate action to ensure future compliance with applicable data protection law.
- Non-compliance by Orderchamp
In the event that (i) Orderchamp is unable to comply with the material obligations stated in this Agreement, where any obligation required by law is considered material, or (ii) Orderchamp becomes aware of any circumstances or changes in applicable data protection law that are likely to have a substantial adverse effect on Orderchamp’s ability to meet its obligations under the Agreement, Orderchamp shall promptly notify the User to this effect, and the User shall then be entitled, at its option, to (i) suspend all transfers of Personal Data until such time that the non-compliance is remedied, (ii) require Orderchamp to cease processing relevant Personal Data until such time that the non-compliance is remedied, and/or (iii) immediately terminate this Agreement.
- Termination of processing
Upon termination or expiration of the Services for whatever reason, or upon request by the User, Orderchamp shall immediately cease to process Personal Data and shall promptly return to the User all such Personal Data, or delete the same, in accordance with such instructions as may be given by User at that time, unless it is required to store the Personal Data under a law of the European Union or a Member State to which Orderchamp is subject or unless explicitly agreed otherwise with the User.
The User hereby gives Orderchamp permission to engage the following sub-processors on Orderchamp’s behalf:
| Name of sub-processor | Description of processing | Country of establishment |
|---|---|---|
| Google LLC | Hosting of data | United States |
| Zendesk Inc. | Customer support | United States |
| Hotjar Ltd | User behavioral analytics | Malta |
| Segment.io Inc. | Data pipelining | United States |
| Sendgrid, Inc. | Email Service Provider | United States |
| Drip (Avenue 81, Inc.) | Email Service Provider | United States |
| Mixpanel | User behavioral analytics | United States |