Data Processing Terms
These Data Processing Terms, next just (“Terms”), form part of the Terms of Service between santal.at s.r.o. and Merchants (described below) regarding Almirio’s services. These Terms are binding between Almirio and Merchants and establish a data processing agreement. If there is a conflict between these Terms and the Agreement, these Terms will regulate. If you do not agree to these Terms, do not apply or use the Service (both defined below).
1. Definitions
- Capitalized terms not otherwise defined herein have the same meaning as stated in the Agreement.
- “Agreement” means the Terms of Service entered into by Almirio and the Merchant respecting the use of Almirio’s Service.
- “Data Protection Laws” means (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the security of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and any applicable national implementing or supplementing laws including the UK Data Protection Act 2018 (where applicable); (b) the e-Privacy Directive 2002/58/EC and any applicable national implementing laws; and (c) the e-Privacy Regulation 2017/003; in each case as amended, re-enacted, consolidated or replaced sometimes.
- “Data Subject”, “Controller”, “Processor”, “Supervisory Authority” and “Processes” have the definition given in the GDPR.
- “Model Clauses” means the Standard Contractual Clauses (Controller to Processor) as presented in the Commission Decision of 5 February 2010 (C (2010) 593), as amended, updated or replaced from time to time.
- “Merchant” is any person, be it natural person or legal entity, that uses Almirio’s Service to perform orders and/ or deliver its products to recipients, including the Merchant’s clients.
- “Parties” means the Merchant and Almirio.
- “Personal Data” means Personal Data that is subject to the GDPR and any national legislation implementing the GDPR including the UK Data Protection Act 2018 (where applicable), including Personal Data of Merchants of Almirio who are given services and goods in the EEA and the UK (the “GDPR Countries”);
- “Service” means print-on-demand services provided by Almirio to Merchants including printing for personal use or outsourcing the printing and distributing of products to Merchant’s clients, as well as design, warehousing and fulfillment, merchandising, branding, and other services that
- Almirio may grant in accordance with the requests of the Merchant.
- “Third Countries” means all countries abroad of the European Economic Area (“EEA”), with exception of countries approved as providing enough protection for Personal Data by the European Commission from time to time, which at the date of this Agreement include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.
2. Subject of the Terms
- These Terms control the relationship between Almirio and the Merchant in respect of any giving out of Personal Data by Almirio on behalf of the Merchant.
- To the extent that Almirio Processes Personal Data on behalf of the Merchant, the Merchant is the Controller and Almirio is the Processor, only processing this Personal Data on behalf of the Merchant.
- The Merchant hereby sets and instructs Almirio to process the Personal Data as prescribed by the-above mentioned Terms, including with regard to the transfer of Personal Data to a Third Country or international organization.
3. Details of Processing
- To the extent that Almirio Processes Personal Data on behalf of the Merchant, next Processing details apply:
- Categories of Data Subjects. Merchant’s clients (end users of Almirio’s Services) and Merchant’s potential clients or other end users of Almirio’s Services, whose personal data Merchant has approved Almirio to Process.
- Type of Personal Data. Personal Data involving the Merchant’s clients and any Personal Data in the Merchant’s printing matter (where applicable) and Personal Data exposed during the use of any Almirio Services, as well as name, email address, phone number, shipping address and other data about the Merchant’s clients.
- Nature and purpose of processing. Almirio procedures Data in harmony with these Terms in demand to provide the Merchant with the Service and then ensure fulfilment of the responsibilities set out in the Agreement between the Merchant and Almirio to the extent this includes the processing of Personal Data. Almirio only has entree to the Personal Data that has been provided by the Merchant and uses that Personal Data in agreement with the Merchant’s instructions as set out in these Terms.
- Period of processing. Data will be managed for the length of the Agreement.
4. Obligations of the Merchant
- The Merchant approves that it has obeyed and continues to obey with the Data Protection Laws, including those established in Clause 4(b).
- The Merchant confirms that the Personal Data transferred to Almirio has been composed by the Merchant on a legal official basis and Merchant has gained any essential consents or given any necessary notices as prearranged by the Data Protection Laws, and that the Merchant is authorized to provide the Personal Data to Almirio.
- The Merchant approves that these Terms involve enough instructions to Almirio regarding the processing of Personal Data, as well as their extent and purpose.
- If necessary (reasonably), the Merchant may provide Almirio with extra instructions regarding the processing of Personal Data other than those prescribed by these Terms. Such further instructions for Almirio must be reasonable to perform, correctly documented and in obedience with the Data Protection Laws and also, must be accepted by Almirio.
- The Merchant will be responsible for the correctness of the Personal Data, updating them and in case of any changes in the Personal Data Merchant shall inform Almirio.
- Almirio will not be answerable for any claims or complaints from Data Subjects, regarding any action taken by Almirio as a result of acting in accordance with instructions received from the Merchant. Additional, the Merchant agrees to insure and hold Almirio harmless on demand from and against all costs, expenses, claims, liabilities, damage or loss (including far-reaching losses, loss of reputation and loss of profit and all interest, penalties and legal and other professional costs and expenses) incurred by Almirio arising directly or indirectly from a breach of this Clause 4.
5. Obligations of Almirio
- Almirio will only process the Personal Data on behalf of the Merchant and shall always follow the Merchant’s orders arranged by these Terms, or as otherwise provided to Almirio in writing in agreement with Clause 4(e); if Almirio cannot offer such compliance for whatever reason (including if the instruction disturbs the Data Protection Laws), it agrees to inform the Merchant as soon as reasonably practicable, of its inability to fulfill instruction.
- Almirio has applied suitable technical and organizational measures specified in Schedule 1 (Technical and Organisation Security Measures) of these Terms and shall continue to obey them through the term of these Terms and the Agreement.
- Almirio inspects and guarantees that all of Almirio’s authorized personnel involved in the Processing of Data under these Terms have devoted themselves to confidentiality obligations or are under a proper statutory responsibility of confidentiality.
- Further obligations of Almirio are arranged in Clauses 6 to 9.
6. Assistance to the Merchant
- In view of the nature of the processing, Almirio will offer all reasonable help to the Merchant with the running of technical or organizational procedures, for the fulfilment of the Merchant’s requirements as the Controller in relation to:
- Any requirements from the Data Subjects in respect of access to, or rectification, erasure, restriction, portability, blocking or deletion of their Personal Data that Almirio processes on behalf of the Merchant. In the event that a Data Subject sends such a request directly to Almirio, Almirio will promptly forward such request to the Merchant
- The investigation of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to the Merchant or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of the Personal Data belonging to the Merchant (a “Data Breach”) and the notification to the relevant Supervisory Authority and Data Subjects regarding such Data Breach (where required); further, Almirio shall promptly notify the Merchant of any Data Breach
- Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
7. Sub-processors and Data Transfer
- For Almirio to be able to meet its obligations prescribed by the Agreement and to administer and provide the Service, the Merchant hereby grants Almirio general written authorization to engage sub-processors. Merchant can obtain the list of current sub-processors engaged by Almirio by entering the registered account email address in the section below. The list will include the identities of sub-processors, provided services and country of location.
- Merchant will be notified about the appointment or any intended changes concerning the addition or replacement of Almirio’s sub-processors in this section of Almirio’s website. This notification will appear 10 (ten) days prior to the engagement of the sub-processor. During this period the Merchant can object to the appointment or replacement of the sub-processor by sending a written notice to privacy@almirio.com, providing reasonable grounds for objection (for example, in case of possible infringement of Data Protection Laws). If Merchant does not object, Almirio may proceed with the appointment or replacement.
- Almirio hereby confirms that its sub-processors are contractually or otherwise in a binding form required to comply with data processing obligations which are no less onerous on the relevant sub-processor than the obligations on Almirio as prescribed by these Terms.
- Where Almirio processes, accesses, and/or stores Personal Data in any Third Country, Almirio shall:
- comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of these Terms with the processing details set out in Clause 3 (Details of Processing) and the technical and organisational security measures set out in Schedule 1 (Technical and Organisational Security Measures) applying for the purposes of Appendix 1 and Appendix 2, respectively, of the Model Clauses, and the Merchant will comply with the Data Exporter’s obligations in the Model Clauses
- The Merchant acknowledges and agrees that Almirio may appoint an affiliate or third- party subcontractor to Process the Merchant’s Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of the Data Protection Laws. The Parties agree that Personal Data may be transferred to an affiliate or third-party subcontractor that is certified to process such data under the Privacy Shield Program. Alternatively, the Merchant grants Almirio a mandate to execute the Model Clauses with the processing details set out in Clause 3 (Details of Processing) and the technical and organisational security measures set out in Schedule 1 (Technical and Organisational Security Measures) applying for the purposes of Appendix 1 and Appendix 2, respectively, of the Model Clauses, with any relevant subcontractor or affiliates it appoints on behalf of the Merchant.
8. Audit
- Upon the Merchant’s written request, Almirio shall provide sufficient information to demonstrate compliance with the obligations laid down in these Terms and Data Protection Laws. This information shall be provided to the extent that such information is within Almirio’s control and Almirio is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
- If information provided upon the Merchant’s request in the Merchant’s reasonable judgement is not sufficient to confirm Almirio’s compliance with these Terms, then Almirio agrees to allow for and contribute to data processing audits.
- Such audits are allowed to be carried out by an independent third party with good market reputation, provided that it has sufficient experience and competence to carry out data processing audits, and election of such auditor must be mutually agreed by both the Merchant and Almirio.
- The timing and other practicalities related to any such audit or inspection are determined by Almirio, and any such information and assistance are provided only at the expense of the Merchant. Almirio reserves the right to charge the Merchant for any additional work or other costs incurred in connection with such audits. The Merchant may request such audit no more than once every 2 years.
- The auditor will have to sign a confidentiality agreement, which includes an obligation not to disclose business information in its audit report, and the final report will also have to be provided to Almirio.
9. Return and deletion of Data
At the choice of the Merchant, Almirio will delete or return all Personal Data to the Merchant after the end of the Agreement, and shall delete existing copies, unless an applicable law requires Almirio to store such Personal Data.
10. Governing Law
These Terms are governed by the laws of the Slovak republic and are subject to the dispute resolution procedure as prescribed by the Agreement.
11. Modifications
Almirio reserves the right, at its discretion, to modify these Terms. In case of material changes, Almirio will notify the Merchant in writing, giving the Merchant the right to terminate the Agreement.
Schedule 1
Technical and Organisational Security Measures
Almirio shall take, among others, the following technical and organizational measures to ensure physical security of Personal Data and control system entry, access, transfer, input, availability and separation of Personal Data:
1. to establish the identity of the authorized persons and prevent unauthorized access to Almirio’s premises and facilities in which the Personal Data are processed:
– All entrances are secured or locked and can only be accessed with the appropriate key / chip card / internal digital keys;
– Premises are protected by an alarm system;
– All visitors are required to identify themselves and are signed-in by authorized staff;
– Video monitoring of premises;
– Visitors are accompanied by Almirio’s personnel at all times;
– Trained security guards are stationed in and around the building 24/7,
2. to prevent unauthorized access to the data processing systems:
– Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection;
– Use of firewalls;
– During idle times, user and administrator PCs are locked;
– Users are required to setup complex passwords and 2FA in all systems as possible;
– Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization;
– Starter, mover & leaver housekeeping processes in place which covers access rights depends on job duties;
– RSA/ed25519 2-factor authentication in place for most critical remote connections;
– Vulnerability scanning and remediation in place;
– Data centre and website penetration testing programme in place.
3. to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
– User and administrator access to the network is based on a groupe-based/ role-based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis;
– Administration of user rights through system administrators or system owners;
– IT governance & controls audits undertaken regularly by external 3rd party;
– Internal control audits undertaken regularly.
4. to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where personal data are or have had to be transmitted by data transmission equipment: