Personal Data Processing

The current addendum to the Terms and Conditions for the usage of services provides the specific rules concerning the processing of the personal data sent by the Beneficiary, in the role of Operator, to, in the role of Provider.

Based on:

  • Regulation (EU) 2016/679 in regards to individuals protection pertaining to personal data processing and freedom of movement of this data (from now on known as “GDPR”);
  • Law 287/2009 (The New Civil Code);

Parties agree to the following:

1. The terms of the current addendum, will be interpreted according to art. 4 of GDPR

2. Processing objective and specific instructions:

2.1. Processing objective

Personal data processing is done for the purpose of providing the services stated in Terms and Conditions available on the website and for statistical purposes. Data transfer to third parties will be done only following written instructions, within the confines and instructions received from the Operator, according to art. 9.

2.2. Specific instructions

By the current addendum, the Beneficiary empowers the Provider to:

  • Collect, process and host personal data, mentioned in article 5, received directly from the Operator by integration of the codes provided by the Provider inside of the Operator’s website, and use this data with the purpose of profiling the users of the Operator’s website.
  • Communicate in the name of the Operator with his visitors or clients, according to actions and/or profiling, as appropriate, by:
    1. Sending automated emails triggered by profiling
    2. Displaying automated pop-ups on the Operator’s website, triggered by profiling
    3. Displaying push notifications, triggered by profiling (automated or manual)
    4. Sending automated SMS triggered by profiling
    5. Displaying dynamic products onsite
    6. Delivering personalized ads via: Facebook & Instagram Dynamic Ads, Facebook & Instagram Lookalike, Google Programmatic Remarketing

3. Duration of processing

Personal data processing will be done in accordance with the Operator’s instructions, but the period cannot exceed the duration of the Terms and Conditions.

4. The nature and purpose of processing

In accordance with both the Terms and Conditions between the two parties, and the objective of processing from art. 2, personal data processing is done for communication and marketing services purposes required by the Operator, such as:

  • Sending automated emails
  • Displaying automated pop-ups on the Operator’s website
  • Displaying push notifications
  • Sending automated SMS
  • Displaying dynamic products onsite
  • Delivering personalised ads via Google, Facebook and Instagram

Even if most of the communications done by the provider are based on information obtained from profiling the Operator’s users, they don’t have any judicial effects and it doesn’t affect it in any significant way. However, the Operator can input new actions and he is the one that has to make sure that the sent messages can’t be interpreted as effects required by art. 22 of GDPR.

5. Types of personal data processed according to this addendum

5.1. General personal data

The personal data provided by the Operator and processed according to this addendum are, as appropriate, according to the level of integration of the service:

  • Email
  • Phone number
  • First name
  • Surname
  • Sex
  • Date of birth
  • Town
  • County
  • IP address (down to possible location)
  • Browser
  • Order ID
  • User’s actions on the Operator’s website, together with the actions performed by the Operator towards the user such as: discount code, discount value, shipping costs, order value, ordered products’ price, product variation, products, device, OS, IP location, timestamps about viewed pages, viewed page, category, brand, click on picture, mouseover cart, mouseover price, scroll up & down, add to cart, remove from cart, variation selection, add to wishlist, comment, Facebook Like, Help page visit, cart products’ IDs, price categories, promotion tag, in email action, in push notification action, in SMS action, in pop-up action.
5.2. Special personal data/belonging to vulnerable groups (i.e. minors) is not intended for the collection of special personal data or personal data belonging to vulnerable groups and we caution the Operators against using it to that effect.

However, it is possible that the Operator, if he has activities in a certain field, to be technically capable of using parts of the Provider services without the Provider being aware.

We remind you that the Operator has the duty to analyze and choose the appropriate legal basis on which he stands on when he processed personal data, including the ones sent to to be process by it, in its role of Provider to the Operator.

6. Groups of targeted persons

The groups of persons targeted are visitors, registered users and clients of the Operator’s website, as appropriate, accordingly to the chosen service.

7. The ground of a binding mandatory contract; the binding nature of an agreement

According to art. 28, paragraph (3) of Regulation (EU) 12016/679 the contract is mandatory for the contracting parties.

8. The privacy of personal data

8.1. The Provider has the obligation, for the entire period of the contract and after its closure, for 5 years, not to share personal data and/or confidential information that could be considered personal data, that it acquired during the contract duration.

8.2. The Provider has the obligation, for the entire period of the contract, to provide training for the employees concerning personal data processing and the privacy of this data.

8.3. The Provider has the obligation, during the entire period of the contract, to implement and monitor the activity of the instruments and procedures associated internally with the privacy of personal data, owned by the Operator.

The Provider has the obligation to:

a. not copy, reproduce, share and divulge, completely or partially, to any individual or judicial person, any processed personal data and/or parts related to these, except those mentioned in this contract in art. 9, statutory to a compulsory regulatory document or a written consent, including in electronic format, from the Operator;

b. Not to reuse personal data and any information and/or document containing personal data and whereof took note in implementation of the contract, in any way and for any other reason not stated in the current contract, in self interest, a third party interest, free or burdensome.

8.4. The Provider is allowed to disclose/ divulge certain personal data, including confidential information, when required by authorities, public institutions, legal institutions, or a legally licensed third party, due to a legal obligation or other statutory circumstances.

9. Subcontractors (secondary providers)

9.1. In case the Provider is the one processing the data through other providers recruited by him (from now on known as “Secondary Providers”), this operation will take effect under this article.
9.2. According to this article the Operator agrees to authorize the Provider to process his data through the following secondary providers:
  • Hetzner Online GmbH (Germany) - hosting services
  • Amazon Web Services EMEA SARL - email marketing services
  • ANY MEDIA DEVELOPMENT SRL (România) - SMS sending services
  • OneSignal (USA) - push notifications services, the company is EU-US Privacy Shield certified
  • Other providers that, for privacy reasons, cannot be disclose, but are part of EU, EEA or a country with proper protection acknowledged by the European Commission directive and has security standards at least as high of those offered by the Provider according to art. 28, paragraph (4) of GDPR.
9.3. For future Secondary Providers, the Provider gets a general authorization to subcontract any other Provider from EU, EEA or a country with proper protection acknowledged by the European Commission directive, based on a similar contract, informing the Operator and giving him the possibility to object, within 5 working days.

10. Data security

The Provider has established internally the implementation of proper organizational and technical security measures. The measures stated at art. 10 are included in the Internal Security Policies.

10.1. Data security breach and the technical assistance mechanism

Dependent on the objective of the provided services, according to art. 4 of the current contract, the Provider will assist the Operator, in terms of giving notice, in the shortest time possible, without groundless delays and if possible not later than 2 working days from the discovery of a data security breach, breach that occured in the information system of the Provider and/or during the processing of data made by the Provider for the Operator, as follows:

a. The Provider will take all possible measures, technically speaking, to identify the cause and to stop in the shortest time possible the circumstance that lead to a data security breach;

b. The Provider will save and/or hold to all technical information possible, in order to prove the data security breach circumstance, the ways and the causes in which it took place and the effects on the personal data, and also the point of view of the persons that had their personal data breached, if possible, from a technical perspective;

c. The Provider will take all the possible technical measures to remedy any future identical and/or similar data security breach circumstance, if technical possible;

d. The Provider will gather all the information stated at article 10.1. Paragraph a to c and will immediately provide them to the Operator;

e. The Provider doesn’t replace the Operator, solely responsible to notify the national supervisory authority.

Considering the fact that the Operator is solely responsible to notify the national supervisory authority and/or the individuals targeted, the Provider will support the Operator in accomplishing these obligations as follows:

e.1. Will promptly reply any solicitation from the Operator and/or from the national supervisory authority, in the time frame required by the authority and/or within 2 working days, in relation to the Operator;

e.2. Will provide the Operator and/or the national supervisory authority all the needed information and/or appliances to be verified, in case of an audit, within the time frame requested by the authority and/or within 2 working days, in relation to the Operator;

e.3. Will carry out, at the Operator’s request, the operation of notifying the targeted individuals, via email; any other form of communication imposed by the authority will be done solely by the Operator and at the Operator expense, except if the Provider is found responsible.

10.2. Operator - Provider partnership

a. The provider acts according to the Operator instructions as stated in art. 2, under his leadership, and processes personal data as they are acquired by the Operator. The gathering of personal data by the Provider is done on behalf of the Operator, on the basis of this contract.

b. In the partnership with the Operator, the Provider does not establish the reasons or the way the personal data is processed, even when he advises the Operator about different processing methods.

c. The Operator has the sole responsibility of establishing the legal ground and, if necessary, get the consent of the targeted individuals in order to process the personal data that represent the entity of the current contract or the use of another legal ground, including when the Provider collects personal data on behalf of the Operator.

d. In all circumstances in which the Operator has to carry out an obligation, such as informing a targeted person about a data security breach, the Provider is not accountable for the inactions of the Operator.

e. The Operator and the Provider are establishing the responsibilities concerning personal data protection (eg. confidentiality and processing security), according to the access and control over the data, from both a legal and a technical point of view.

f. If the Provider defies GDPR, by establishing the reasons and means of personal data processing and/or breaching them, the Provider is considered an operator only when it comes to that processing.

11. Data protection officer

If you have any questions about the GDPR Best practices guide, you can contact us at: SRL

Attn: Data Protection Officer

Address: 49th Nicolae Caramfil St., 1st Floor, District 2,


077190, Romania


The Operator can appoint o data protection officer for his account.

12. Rights

12.1. The operator has the following right:

a. To decide if he will allow or not the subcontracting of secondary providers by the Provider according to art. 9;

b. To receive information or to check, directly or through a mandated auditor, whether the Provider applies the proper technical and organizational measures, so that the processing abides to the GDPR policies and assures rights protection of the targeted persons; the verification will happen after an up front notification, written, including via email, sent 10 days ahead of the actual verification;

c. To be assisted by the Provider in order to carry out his obligation to reply to requests regarding the specific rights of the targeted person.

12.2. The Provider has the following right:

a. To recruit secondary providers, exceeding the general authorization stated at art. 9, paragraphs 2 and 3, only when he has obtained the Operator’s approval

b. To cover the general costs for assisting the Operator in the circumstances stated at art. 10.1.e, 12.1.b, 12.1.c.

c. To use statistical information containing only anonymized data, resulted from the services provided according to the current contract and/or the Provider’s services in general, in his own purposes of research, analysis and promotion of the Provider’s services.

13. Obligations

13.1. The Provider has the following obligations:

a. To act only on the legal instructions of the Operator and to inform the Operator, within 5 days if, according to the Provider, any instruction is an infringement on the GDPR and/or other legal provision concerning personal data processing;

b. To process personal data only through the services stated in the current contract according to the Operator’s legal instructions and requests, according to this contract, its addendum and regulatory documents in effect;

c. To abide confidentiality of personal data and information that could be personal data and take note of, during this contract implementation;

d. To establish, by mutual consent with The Operator, the specific terms of achieving processing activities coming from the contract and to abide to the deadlines for the processing activities agreed upon with the Operator;

e. To inform the Operator about the stage and course of processing activities, through any means of communication agreed upon between the parties;

f. To aid the operator according to art. 10.1 of the current contract;

g. To sent to the Operator any request that needs to be dealt with by the Operator (eg. demand, intimation, complaint etc.), concerning personal data collected and processed by the Provider, according to the commercial agreement between parties, within maximum 5 days from receiving it;

h. To delete or give back to the Operator all personal data, after closure of services connected to the processing and deleting existing copies, within 24 months;

i. To provide the Operator all necessary information in order to prove the obligations requested by his duty, as stated by GDPR;

j. To allow audits, including inspections, done by the Operator or other mandated representative and to provide all necessary information.

13.2. The Operator has the following obligations:

To abide, on his own, the regulations of GDPR in his duty as Operator, concerning personal data processing by the Provider, on his behalf.

14. Liability

14.1. The Provider is responsible for the damage caused by the processing if he didn’t abide by his GDPR obligations and according to the partnership rules stated at art. 10.2 of the current contract.
14.2. The Provider is responsible for the damage caused by the processing if he acted outside or against the legal instructions of the Operator.
14.3. If the Provider recruited a secondary provider that didn’t abide by the personal data obligations, the Provider is solely responsible towards the Operator concerning the accomplishment of the obligations of the secondary provider.
14.4. Exemption of liability

The Operator agrees to exempt the Provider of any liability for any damage caused by the following:

a. Breach of contract due to events that exceed any liability of the Provider;

b. Breach of contract due to any actions of the Operator;

c. Abidance of the Operator’s instructions or breach of the Operator’s instructions justified before via a notifications about its illegality;

d. Lack or vitiation of agreement of targeted persons.

15. Force majeure / Fortuitous event

No party is responsible for damage caused by events provided with evidences of lack of liability, such as entries issued by authorities that state the intervention of a force majeure event.

16. Final directives

The current contract is servient to the judicial circumstance of the Terms and Conditions to the degree and within the limits of the objectives related to personal data processing, as stated in art. 2.1 and is applied prevalently to the Terms and Conditions, that contains commune law norms.