Last modified: November 21, 2019

This Privacy Policy (the “Policy”) explains how GhostMonitor Inc. (“GhostMonitor”, “Company,” “we,” or “us”) collects, stores, uses, and discloses personal information from our users (“you”, “user”) in connection with the website located at www.recart.com (the “Website”). 

Please read and make sure you understand this Policy and the Data Protection Addendum attached to the present Policy as Annex 1 (hereinafter: “Addendum”), which forms an inseparable part of the present Policy; the Policy shall be construed in accordance with the provisions of the Addendum. If you do not agree with this Policy, the Addendum or our practices, you may not use our Website or our services (the "Services"). This Policy may change from time to time and is incorporated into our Website Terms of Use. Your continued use of our Website and Services constitutes your acceptance of those changes. We encourage you to review this Policy periodically.

Please note that the present Policy only applies to the data processing relationship between GhostMonitor and you either as a natural person, or as a legal entity’s representative. In relation to users who are natural persons located within the European Union (“EU”) member countries, according to the provisions of the GDPR, GhostMonitor shall be deemed a data controller.

By using the Services of GhostMonitor, as described under section 2.3 of the present Policy, you as our user shall be deemed a data controller and GhostMonitor shall be considered a data processor. The rights and obligations regarding that relationship between you as data controller and GhostMonitor as data processor are governed by the Addendum attached to the present Policy as Annex 1.

GhostMonitor may from time to time handle personal data collected from individuals located within the European Union (“EU”) member countries. Consistent with Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), GhostMonitor grants enhanced data protection to individuals located within the EU. Our adherence to the GDPR regarding the personal data collected from individuals located within the EU is detailed in this Policy.

Furthermore, GhostMonitor complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, onward transfer and retention of personal data transferred from EU member countries and Switzerland to the United States, respectively. GhostMonitor has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield principles (“Privacy Shield Principles”) of:

  • Notice
  • Choice
  • Accountability of onward transfer
  • Security
  • Data integrity and purpose limitation
  • Access
  • Recourse, enforcement and liability

Our adherence to each of these principles is detailed in this Policy. If there is any conflict between the terms of the Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. If you want to learn more about the Privacy Shield program or view GhostMonitor’s certification, please visit https://www.privacyshield.gov.

GhostMonitor is under the jurisdiction as well as the investigatory and enforcement powers of the US Federal Trade Commission for purposes of the EU-US Privacy Shield framework and the Swiss-US Privacy Shield Framework. 

1. What does this Privacy Policy cover?

This Policy covers GhostMonitor’s treatment of information that GhostMonitor gathers when you are accessing GhostMonitor's Website as a user and when you use GhostMonitor Services. Also, this Policy covers GhostMonitor’s treatment of your information that GhostMonitor shares with GhostMonitor’s business partners. This Policy does not apply to the practices of third parties that GhostMonitor does not own or control (such as third-party websites that you may access from the Website), or to individuals that GhostMonitor does not employ or manage.

2. What information does GhostMonitor collect?

The information we gather from users enables GhostMonitor to personalize and improve our services and to allow our users to set up accounts on the Website. While we are providing our Services, we receive certain data from third parties (e.g. Facebook) about the customers of our users. We collect the following types of information from our users and their customers:

2.1 Information You Provide to Us:

We receive and store any information you enter on our Website or provide to us in any other way. The types of information collected include, without limitation, your full name, email address, mailing address, phone number, password, contact information and content consumed on the Website, including, but not limited to content uploaded and shared. Some of this information is not mandatory but is necessary to use all of our functions.

In addition, we collect the following financial data: account holder name, bank name, account number, currency of account. For taxation reasons, we need to collect Tax ID (US: tin: SSIN/EIN), citizenship, country of residence. In some cases, we’ll need to ask for a government ID, Green Card, or other proof of address or proof of residency status as regulated by taxation law.

2.2 Information Collected Automatically:

We receive and store certain types of information whenever you interact with our Website or Services. GhostMonitor automatically receives and records information on our server logs from your browser including your IP address, unique device identifier, browser characteristics, domain and other system settings, search queries, device characteristics, operating system type, language preferences, referring URLs, actions taken on our Website, page requested, content consumed (e.g., viewed, uploaded, and shared), dates and times of Website visits, and other information associated with other files stored on your device. 

2.3 Information we receive from third parties:

By providing our Services we receive and collect certain personal data on the customers of our users that is provided to us by third parties (e.g. Facebook). If the provisions of the GDPR apply, you shall be deemed the data controller in that relationship with regard to the personal data of your customers, and therefore you are responsible for complying with the provisions of the GDPR. Please note that in such a case the data processing relationship between the data controller and the data processor shall be governed by a written contract, and such written contract shall satisfy the requirements of Article 28 of the GDPR. In order to facilitate your compliance with the provisions of the GDPR, GhostMonitor provides you with a written contract on data processing; therefore, the data processing relationship between you, as a data controller, and GhostMonitor, as a data processor, shall be governed by the Addendum attached to the present Policy as Annex 1 (especially section 6 of the Addendum), which shall form an integral part of the present Policy.

3. What About Cookies?

The Company collects mainly anonymous data from the Website, such as searches. The anonymized data can include user session data such as IP address, web browser type, the time spent on the page by the user, and user-clicked buttons. The Company processes anonymous data in order to improve the page, to bring it to perfection. During this procedure GhostMonitor can incorporate “cookies”, which collect the visitor’s first level domain name, the date and the exact time of access. The “cookie” alone can’t be used to reveal the identity of the visitor. The “cookie” is a file which is sent to the browser of the visitor and stored on the hard drive of the visitor. Cookies don’t damage the computer of the visitor. The browser can be set to indicate when a cookie is received, so the visitor can decide whether or not to accept the cookie. The Company does not use cookies to collect or manage any information that would allow the identification of the user. Please see our cookie policy by visiting the following link in order to find out how our cookies work.

4. How Does GhostMonitor Use My Information?

We may use your information, including your personal information - based on diverse purposes as well as the legal basis of the processing - as follows:

4.1. We process the following personal data for the purpose and on the legal basis of the performance of the contract, product and service fulfillment:

  • Full name
  • Email address
  • Mailing address 
  • Phone number 
  • Financial data: account holder name, bank name, account number, currency of account

The information you provide is used for purposes such as responding to your requests for certain products and services, customizing the content you see, communicating with you about specials, sales offers, and new features, and responding to problems with our services. It is also used to fulfill and manage payments or requests for information, or to otherwise serve you, provide any requested services and administer sweepstakes and contests.

4.2. We process the following personal information based on your consent (as the legal basis of this processing) for marketing purposes, to deliver coupons, mobile coupons, newsletters, receipt messages, e-mails, and mobile messages. We also send marketing communications and other information regarding services and promotions based on your consent and administer promotions:

  • Full name
  • Email address
  • Mailing address 
  • Phone number (optional)

You shall always have the right to withdraw your consent at any time.

4.3. We process personal data for the purpose and on the legal basis of compliance with legal obligations to prevent fraudulent transactions, monitor against theft and otherwise protect our customers and our business. We also process personal data for the purpose and on the legal basis of legal compliance and to assist law enforcement and respond to subpoenas.

This means that in some cases the data processing is stipulated by the applicable laws and we have an obligation to process and keep this data for the required time. This includes employment data, billing data, data which is necessary to assist law enforcement etc.

4.4. We process the following personal data for the purpose and on the legal basis of the legitimate interests of the Company, to improve the effectiveness of the Website, our Services, and marketing efforts, to conduct research and analysis, including focus groups and surveys and to perform other business activities as needed, or as described elsewhere in this Policy:

  • IP address
  • browser information
  • password
  • contact information
  • content consumed on the Website
  • unique device identifier
  • browser characteristics
  • domain and other system settings
  • search queries
  • device characteristics
  • operating system type
  • language preferences
  • referring URLs
  • actions taken on our Website
  • page requested
  • content consumed (e.g., viewed, uploaded, and shared)
  • dates and times of Website visits
  • other information associated with other files stored on your device

Where it is feasible we anonymize personal data or use non-identifiable statistical data. We do not collect personal data in advance and store it for potential future purposes unless required or permitted by the applicable laws.

For collecting anonymously the above-mentioned data and making statistics and analysis we may use the following software and programs:

4.5. Cookies: GhostMonitor may use automatically collected information and cookies information to: (a) remember your information so that you will not have to re-enter it during your visit or the next time you visit the Website; (b) provide custom, personalized advertisements, content, and information; (c) monitor the effectiveness of our marketing campaigns; and (d) monitor aggregate usage metrics such as total number of visitors and pages viewed.

4.6. Data integrity and purpose limitation: GhostMonitor will only collect and retain personal data which is relevant to the purposes for which the data is collected, and we will not use it in a way that is incompatible with such purposes unless such use has been subsequently authorized by you. We will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current. We may occasionally contact you to determine that your data is still accurate and current. To secure the personal information we process, we save your personal information to backup archives every 24 hours. The data stored in our backup archives will be deleted every half year.


5. How Long We Retain Your Personal Data?

We will retain your personal data for so long as it is needed to fulfill the purposes outlined in this Policy or until you withdraw your consent, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we no longer have, or have no, legal basis to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

6. Will GhostMonitor share any of the information it receives?

Information about our users is an integral part of our business, and we may share such information with our affiliated entities. Except as expressly described below, we neither rent nor sell your information to other people or nonaffiliated companies unless we have your permission.

6.1 Third Party Service Providers

We may share certain personal information with third party vendors who supply software applications, web hosting and other technologies for the Website and the Services. We will only provide these third parties with access to information that is reasonably necessary to perform their work or comply with the law. Those third parties will never use such information for any other purpose except to provide services in connection with the Website and the Services. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you. We may also engage data processing services for processing the personal data. While providing such services, the data processor shall abide by the present Policy, the relevant legislation in force, and the provisions of the existing contracts of GhostMonitor.

6.2 List of Third Party Service Providers:

Under the adequacy decisions of the Commission of the European Union, third countries like the United States (Privacy Shield) ensure an adequate level of data protection. Because our service providers Amazon Web Services Inc., MongoDB Inc., Intercom, Inc., Google LLC., Segment.io Inc., Hull.io Inc. and LogRocket Inc. have their registered seat in the United States and comply with the EU-US Privacy Shield Framework (and, in the case of Amazon Web Services Inc., MongoDB Inc., Intercom, Inc., Google LLC., Segment.io Inc. and LogRocket Inc., with the Swiss-US Privacy Shield Framework too), the transfer of your personal data to the aforementioned service providers can take place without any specific authorization.

6.3 Transfer of Personal Data collected from individuals located within the EU: 

If we transfer personal data collected from individuals located within the EU to a third-party acting as a data processor, and such third-party agent processes your personal information in a manner inconsistent with the GDPR or – having a registered seat in the United States of America – with the Privacy Shield Principles, we may be responsible under the rules of the GDPR and / or under Privacy Shield Principles. 

We transfer personal data collected from individuals located within the EU to a third party having a registered seat outside the EU or the United States of America and acting as a data processor without the appropriate safeguards set out in the GDPR only with the consent of the individuals, or when it is necessary for the performance of the contract. GhostMonitor will make every effort to ensure that the personal data transferred is safe and secure and that the personal data is processed in a manner consistent with the GDPR.

6.4 GhostMonitor may release your information

(a) in response to subpoenas, court orders or legal process, to the extent permitted and as restricted by law; 

(b) when disclosure is required to maintain the security and integrity of the Website, or to protect any user’s security or the security of other persons, consistent with applicable laws; 

(c) when disclosure is directed or consented to by the user who has input the personal information; or 

(d) in the event that we go through a business transition, such as a merger, divestiture, acquisition, liquidation or sale of all or a portion of our assets, your information will, in most instances, be part of the assets transferred.

6.5 Opt-In for Promotions

We do not share personally identifiable information with other third-party organizations for their marketing or promotional use without your consent or except as part of a specific program or feature for which you will have the ability to opt-in.

6.6 With Your Consent

Except as set forth above, you will be notified when your information may be shared with third parties and will have the option of preventing the sharing of this information.

6.7 Data retention and aggregated data processing

Please note that we may retain certain personal information after your account has been terminated. We reserve the right to use your information in any aggregated data collection after you have terminated your account, however we will ensure that the use of such information will not identify you personally.

6.8 Accountability for onward transfer

GhostMonitor will not transfer personal data originating in the EU or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of privacy protection to your personal data as required by the GDPR and / or Privacy Shield Principles. We acknowledge our liability for such data transfers to third parties.

By registration on the Website you give your express consent to the transfer of the personal data as detailed above.

7. Is information about me secure?

We take commercially reasonable measures to protect all collected information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please understand that you can help keep your information secure by choosing and protecting your password appropriately, not sharing your password and preventing others from using your computer. Please understand that no security system is perfect and, as such, we cannot guarantee the security of the Website, or that your information won’t be intercepted while being transmitted to us. If we learn of a security systems breach, then we may either post a notice, or attempt to notify you by email and will take reasonable steps to remedy the breach.

8. Children's Privacy

Our Website is not directed to children under 16 and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information of a child under 16 we will take steps to delete such information from our files as soon as possible. If you are aware of anyone under 16 using the Website, please contact us at gdpr@recart.com.

9. Links to Third Party Sites and Services

This Website may contain links to third party websites operated by individuals or companies unrelated to us. Please be aware that we are not responsible for the privacy practices of such third party websites and services. We provide links to these websites for your convenience only and you access them at your own risk. We recommend that you review the privacy policies and terms of use posted on and applicable to such third party websites prior to utilizing them.


10. Your Privacy Rights

10.1 Access and Retention:

If you have a Website account, you can log in to view and update your account information. You have the right to obtain confirmation of whether or not we are processing personal data relating to you, to have such data communicated to you so that you can verify its accuracy and the lawfulness of the processing, and to have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Privacy Shield Principles.

We encourage you to contact us at gdpr@recart.com with your questions or concerns, or to request edits to your personal information, or to have it removed from our database. Requests to access, change or remove your personal data will be handled within 30 days. 

10.2 Additional Rights for EU Territory:

If you are from the territory of the EU, you may have the right to exercise additional rights available to you under applicable laws, including:

(a) Right of Erasure: In certain circumstances, you may have a broader right to erasure of personal information that we hold about you – for example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

(b) Right to Object to Processing: You may have the right to request GhostMonitor to stop processing your personal information and/or to stop sending you marketing communications.

(c) Right to Restrict Processing: You may have the right to request that we restrict processing of your personal information in certain circumstances (for example, where you believe that the personal information we hold about you is inaccurate or unlawfully held).

(d) Right to Data Portability: In certain circumstances, you may have the right to be provided with your personal information in a structured, machine readable and commonly used format and to request that we transfer the personal information to another data controller without hindrance.

If you would like to exercise such rights, please contact us at gdpr@recart.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.

For any complaints that we can’t resolve directly, please contact our Recart Technologies Limited Liability Company (registered seat: 1136 Budapest, Pannónia utca 32., Hungary; company registration number: 01-09-281497; e-mail address: gdpr@recart.com).

You also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.

11. Recourse, Enforcement and Liability

11.1 GhostMonitor is committed to protecting your personal data as set forth in this Policy. If you think we are not in compliance with our Policy, or if you have any question or if you wish to take any other action concerning this Policy, contact us at gdpr@recart.com. You can also contact us at our contact office at 251 Little Falls Drive, City of Wilmington, County of New Castle, Delaware 19808, USA. We will investigate your complaint, take the appropriate action and report back to you within 30 days. In addition, if you are from the territory of the EU, you also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.

11.2 If your personal data in question was transferred from the EU or Switzerland to the United States and you are not satisfied with our response, we have further committed to refer unresolved Privacy Shield complaints to the dispute resolution procedures of the EU Data Protection Authorities. GhostMonitor will cooperate with the appropriate EU Data Protection Authorities during investigation and resolution of complaints concerning personal data that is transferred from the EU to the United States brought under Privacy Shield. For complaints involving personal data transferred from Switzerland, we commit to cooperate with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of personal data pertaining to data subjects located in the EU and Switzerland may be reported by the individual to the relevant Data Protection Authority. 

11.3 In compliance with the Privacy Shield Principles, GhostMonitor commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact us at gdpr@recart.com. GhostMonitor has further committed to cooperate with the panel established by the EU data protection authorities (“DPAs”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.

These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with the applicable law.

You may be able to invoke binding arbitration under certain conditions with the arbitrational mechanism of the American Arbitration Association, if you are not satisfied with the above recourse mechanism. The arbitration is available to you to determine, for residual claims, whether GhostMonitor has violated its obligations under the Principles as to you, and whether any such violation remains fully or partially unremedied.

Your decision to invoke the binding arbitration option is entirely voluntary. The arbitral decisions will be binding on all parties to the arbitration.

12. Modifications to this Policy

We will modify this Policy if our privacy practices change. We will notify you of such changes by posting the modified version on our Website and indicating the date it was last modified, and, if the changes are significant, we will provide a more prominent notice (including by email in certain instances). The date this Policy was last modified is at the top of this page. Please periodically review this Policy so that you are familiar with the current Policy and aware of any changes.


13. Questions

If you have any questions concerning this Policy or the Services, please contact us at gdpr@recart.com. You can also contact us at our contact office at 251 Little Falls Drive, City of Wilmington, County of New Castle, Delaware 19808, USA.

ANNEX 1

DATA PROCESSING ADDENDUM

This Data Processing Addendum (hereinafter: “Addendum”) forms an inseparable part of the Privacy Policy of GhostMonitor Inc. (a private limited company operating under the laws of Delaware; registration number: 6088550; address: 251 Little Falls Drive, City of Wilmington, County of New Castle, Delaware 19808, USA; hereinafter: “Data Processor”). By accepting the terms of the Privacy Policy, the present data processing addendum shall govern the data processing relationship between the Data Processor and the user of the Website (hereinafter: “Data Controller”).

Preamble

In connection with the personal data collected from individuals located within the European Union (“EU”) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties are obliged to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Terms not otherwise defined herein shall have the meaning given to them in the Privacy Policy. Except as modified below, the terms of the Privacy Policy shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Privacy Policy. Except where the context requires otherwise, references in this Addendum to the Privacy Policy are to the Privacy Policy as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1. “Applicable Laws” means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2. “Contracted Processor” means Data Processor or a Subprocessor;

1.1.3. “Data Controller Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Privacy Policy; 

1.1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5. “European Representative” means Recart Technologies Limited Liability Company (registered seat: 1136 Budapest, Pannónia utca 32., Hungary; company registration number: 01-09-281497), being Data Controller’s subsidiary;

1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.7. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Privacy Policy;

1.1.8. “Subprocessor” means any person (including any third party but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Terms and Conditions of the Data Processor.

1.2. The terms "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in Article 4 of the GDPR, and their cognate terms shall be construed accordingly.

1.3. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.


2. Processing of Data Controller Personal Data

2.1. Data Processor shall:

2.1.1. comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2. not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data. 

2.2. Data Controller shall instruct Data Processor to: 

2.2.1. process Data Controller Personal Data and

2.2.2. in particular, transfer Data Controller Personal Data to any country or territory,

as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.

2.3. Attachment 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Data Processor may make reasonable amendments to Attachment 1 by written notice to the Data Controller from time to time as Data Processor reasonably considers necessary to meet those requirements.  Nothing in Attachment 1 confers any right or imposes any obligation on the Parties to this Addendum.


3. Data Processor

3.1. Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Privacy Policy, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. 

4.2. In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.


5. Subprocessing

5.1. Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Privacy Policy or the Terms of Use.

5.2. Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3. Data Processor shall give Data Controller prior written notice by updating the Privacy Policy of the appointment of any new Subprocessor, including the details of the Processing to be undertaken by the Subprocessor. 

5.4. With respect to each Subprocessor, Data Processor shall:

5.4.1. before the Subprocessor first Processes Data Controller Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Privacy Policy; and

5.4.2. ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR.

5.5. Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

6. Data Controller Personal Data 

6.1. The Parties state that by providing the Services Data Processor uses personal data of the customers of the Data Controller obtained from third parties. According to Article 12, section (1) of the GDPR the Data Controller is obliged to inform its customers that during the data process of the Data Controller certain personal data are being collected from third parties.

6.2. Having regard to the ascertainments under section 6.1 the Parties agree that Data Controller is solely obliged to inform its customers by providing the necessary information prescribed by section 14 of the GDPR. 

6.3. DATA PROCESSOR HEREBY EXCLUDES ANY AND ALL LIABILITY REGARDING THE INFORMATION REGULATED BY THE PRESENT SECTION OF THE CUSTOMERS OF THE DATA CONTROLLER AND EXCLUDES ANY LIABILITY FOR ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTIAL LOSS AND/OR DAMAGES, AND LOSS OF PROFIT THAT MAY OCCUR BECAUSE OF THE FAILURE OF THE DATA CONTROLLER TO PERFORM ITS OBLIGATION TO INFORM ITS CUSTOMERS AND/OR FAILED TO PERFORM ITS OBLIGATION AS REQUIRED BY SECTION 14 OF THE GDPR. 

6.4. DATA CONTROLLER IS OBLIGED TO REIMBURSE AND INDEMNIFY DATA PROCESSOR IF ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTIAL LOSS AND/OR DAMAGE, AND LOSS OF PROFIT OCCUR AT THE DATA PROCESSOR DUE TO THE INFRINGEMENT OF ANY OF THE OBLIGATIONS PRESCRIBED IN THE PRESENT SECTION 6. 

6.5. IN CASE DATA CONTROLLER INFRINGES ANY OF ITS OBLIGATIONS PRESCRIBED BY THE PRESENT SECTION, SUCH OMISSION OF THE DATA CONTROLLER SHALL BE DEEMED AS A MATERIAL BREACH AND DATA PROCESSOR HAS THE RIGHT TO TERMINATE THE CONTRACT CONCLUDED BETWEEN THE DATA CONTROLLER AND THE DATA PROCESSOR WITHOUT NOTICE.

7. Data Subject Rights

7.1. Taking into account the nature of the Processing, Data Processor shall reasonably assist the Data Controller by implementing appropriate technical and organizational measures required by the GDPR for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2. Data Processor shall:

7.2.1. promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.


8. Personal Data Breach

8.1. Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2. Such notification shall contain the following information:

8.2.1. describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2. communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3. describe the likely consequences of the Personal Data Breach; and

8.2.4. describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3. Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.


9. Data Protection Impact Assessment and Prior Consultation

9.1. Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.


10. Deletion or return of Data Controller Personal Data

10.1. Subject to sections 10.2 and 10.3, Data Processor shall promptly and in any event within 15 (fifteen) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the "Cessation Date"), or at any time upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2. Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or at any time upon written request of the Data Controller, require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 15 (fifteen) calendar days of the Cessation Date.

10.3. Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose. 


11. Audit rights

11.1. Subject to section 11.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2. Data Controller undertaking an audit shall give Data Processor a detailed notice of any audit or inspection to be conducted under section 11.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. 


12. Indemnification and penalty

12.1. Data Processor shall indemnify Data Controller solely for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s non-compliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2. Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 12.1. 


13. General Terms

13.1. Governing law and jurisdiction

13.1.1. Having regard to Article 27(1) of the GDPR and the European Representative of the Data Controller the Parties to this Addendum hereby stipulate the exclusive competence of the competent Hungarian court regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.

13.1.2. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by and construed in accordance with the laws of Hungary.

13.2. Order of precedence

13.2.1. Nothing in this Addendum reduces Data Processor’s obligations under the Privacy Policy in relation to the protection of Personal Data or permits Data Processor to Process or permit the Processing of Personal Data in a manner which is prohibited by the Privacy Policy. 

13.2.2. Subject to section 13.2.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Privacy Policy and including agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

13.3. Changes in Data Protection Laws, and modification of the Contract

13.3.1. Data Processor is entitled to modify the present Addendum and the Privacy Policy unilaterally in case of the amendment of the Applicable Law or the GDPR or if the protection of the personal data processed by the Data Processor requires so or if unilateral amendment is permitted by the provisions of this Addendum. 

13.4. Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

This Addendum is entered and becomes a binding and inseparable part of the Privacy Policy with effect from the date first set out above.

ATTACHMENT 1

DETAILS OF PROCESSING OF DATA CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Data Controller Personal Data

The personal data related to the customers of the Data Controller until these personal data are necessary to provide the services, prescribed by law or necessary for the legitimate interest of the Data Processor. 

2. The nature and purpose of the Processing of Data Controller Personal Data

Personal data regarding the customers of the Data Controllers made available by third parties are used to provide the services of the Data Processor.

3. The types of Data Controller Personal Data to be Processed

Personal data of the Data Controller’s customers made available by third parties.

4. The categories of Data Subject to whom the Data Controller Personal Data relates

The customers of the Data Controller who left non-purchased items in their virtual carts on the webshop of the Data Controller. 

5. The obligations and rights of Data Controller

The obligations and rights of Data Controller are set out in the Privacy Policy and in this Addendum.
