Personal Data Processing Agreement
This Annex to the Terms and Conditions of Use of theMarketer services provides the specific rules regarding the processing of personal data by theMarketer, as the Empowered Person/Proxy for the Beneficiary, as the Controller.
For the aspects related to the processing of personal data by the Provider as controller, these are detailed in the information to data subjects available at https://www.themarketer.com/privacy-policy under the provisions of:
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and the Romanian primary and secondary national legislation implementing the GDPR;
- Law 287/2009 (New Civil Code);
The parties agree as follows:
1. The terms of this contract shall be interpreted in accordance with Article 4 of GDPR.
2. Object of processing and specific instructions:
2.1. Object of processing
The processing of personal data is carried out for the purpose of providing services in accordance with the Terms and Conditions available on theMarketer website, specific settings and implementations made by each individual Beneficiary and statistical purposes. The transfer of data to third countries will only be carried out on the basis of a written instruction, within the limits and in compliance with the instruction received from the Controller, as per Article 9.
2.2. Specific instructions
The Beneficiary hereby authorizes the Empowered Person, as appropriate to the specific settings and implementations made by each Beneficiary, to:
- Collect, process and host the personal data specified in Article 5 received from the Controller directly by embedding the codes provided by the Empowered Person on the Controller's website, and use such data for the purpose of providing theMarketer services to the Controller.
- Communicate on behalf of the Controller with the Controller's visitors or customers, based on actions and/or profiling, as appropriate, through automated personalized messages sent through channels authorized by the Controller (e.g. Email, SMS, push messages, website section or other).
3. Processing time:
The processing of personal data will be done according to the Controller's instructions, but the period may not exceed the duration specified in the Terms and Conditions.
4. Nature and purpose of processing
In accordance with the Terms and Conditions between the two parties, as well as with the purpose of processing set out in Article 2, the processing of personal data is carried out for the purposes of theMarketer communication, marketing and marketing services set by the Controller, such as:
- automatic sending of emails
- automatic display of pop-ups on the Controller's website
- push notification display in browser
- automatic SMS sending
- display of products in a dynamic section of the site
- the conduct of the Controller's loyalty programme in accordance with the terms set by the Controller
- communication with customers via chat/video call, if this facility is allowed and activated by the Controller.
Even though most of the communications made by the Empowered person are based on the information from the profiling of the Controller's users, they have no legal effect and do not affect it to any significant extent. In any case, the Controller may also introduce new actions and it is only the Controller who must ensure that the messages sent cannot be interpreted as having the effects required by Article 22 of GDPR.
5. Types of personal data processed under this agreement:
5.1. General personal data
Personal data made available by the Controller, processed under this agreement may be, as appropriate, depending on the level of integration with theMarketer service chosen:
- phone number
- last name
- first name
- sex
- date of birth
- city
- county
- IP address (including possible location based on it)
- browser
- Order ID
- user’s actions on the Controller's website, including those sent by the Controller to the User, such as: discount code, discount value, shipping cost, order status, total order value, individual price of products ordered, product variations, products, device, OS, estimated IP location, timestamps related to page visit, page visit, category visit, brand visit, click on picture, scroll up, scroll down, add to cart, remove from cart, select variation, add to favorites, remove from favorites, comment, visited help page, product IDs in cart, price categories, order completion, keywords searched for or other technical data from user actions such as action in email, action in push notification, action in sms, action in pop-ups, action in landing pages;
- in the case of the use of chat system provided by the Empowered Person, the content of communications between Controllers and data subjects.
5.2. Personal data of a special nature/belonging to vulnerable categories of data subjects (e.g. minors)
TheMarketer service is not intended for the collection of special data or data of vulnerable categories of data subjects and we warn the Controllers not to use it for this purpose.
However, it is possible that the Controller, if it is active in a specific field, may technically be able to use parts of the Empowered Person’s services without the Empowered Person’s knowledge.
We remind you that it is the responsibility of the Controller to analyze and choose the appropriate legal basis on which it relies when processing personal data, including those sent to theMarketer for processing by theMarketer as Controller.
6. Categories of data subjects
The categories of data subjects are visitors, registered users of the Controller's website and/or customers of the Controller, as appropriate, depending on the chosen service, the Controller's settings or the specific implementation on the website. It is the responsibility of the Controller to analyze how the implementation of the Empowered person's services is only for the desired target group.
7. Principle of binding force of contract
According to Article 28 para. (3) of Regulation (EU) 2016/679, the contract is binding on the contracting parties.
8. Confidentiality of personal data
8.1. The Empowered person undertakes not to pass on any personal data and/or confidential information, which may be personal data, of which he has become aware during the performance of the contract, throughout the duration of the contract and after its termination.
8.2. The Empowered person undertakes to ensure that, throughout the duration of the contract, staff authorized to process personal data are trained in the confidentiality of such data.
8.3. The Empowered person undertakes to implement and monitor the implementation of the mechanisms and procedures for ensuring the confidentiality of the Controller's personal data internally throughout the duration of the contract.
The Empowered person undertakes:
a. not to copy, reproduce, distribute or disclose, in whole or in part, to any natural or legal entity, any of the personal data processed and/or related matters, with the exceptions mentioned in this contract in Article 9, provided by a mandatory normative deed or with the express written consent, including in electronic format, of the Controller;
b. not to re-use personal data or information and/or documents containing personal data of which it has become aware in the performance of the contract in any way or for any other purpose not provided by this contract, neither for its own benefit nor for the benefit of another third party, neither free of charge nor for consideration.
8.4. By way of exception, the Empowered person has the right to disclose certain personal data, including confidential information, as appropriate, at the request of an authority, public institution or court, or other third party authorized by law, by virtue of a legal obligation or other condition laid down by law. It also has the right to use anonymous statistical data in accordance with the Terms and Conditions.
9. Subcontracting (Secondary Empowered persons)
9.1. Where processing is carried out by the Empowered person, through other empowered persons recruited by the Empowered person (hereinafter referred to as "secondary empowered persons"), the processing shall be carried out on the basis of this Article.
9.2. On the basis of this article, the Controller understands to authorize the Empowered person to process its data through the following secondary empowered persons:
- Hetzner (Germany) - for hosting services
- Amazon Web Services EMEA SARL and Sendgrid (USA) - email marketing services
- Vonage (USA) and SendSms.ro (Romania) - for SMS sending services
- Google Firebase, Ireland - for push notification services
and other collaborators that, for reasons of confidentiality, we cannot mention, but all are from the EU, the EEA or a country with an adequate level of protection recognized by a decision of the European Commission (Art. 45 GDPR) or other appropriate safeguards, including standard data protection clauses (Art. 46 (2) GDPR), and have security standards at least at the level of those provided by the Empowered person in accordance with Art. 28 (4) of GDPR.
9.3. For future secondary empowered persons, the Empowered person shall receive a general authorization to subcontract with any other Empowered person from the EU, the EEA or a country with an adequate level of protection recognized by a decision of the European Commission or other appropriate safeguards, under a similar contract, informing the Controller and giving him the opportunity to object within 5 working days.
10. Data security
The Empowered person has established the implementation of appropriate internal organizational and technical security measures. The measures referred to in point 10 are centralized in the Internal Security Policy.
10.1. Data security breach and the technical assistance mechanism
Depending on the scope of the provided services, according to Article 4 of this contract, the Empowered person shall assist the Controller by notifying the Controller as soon as possible, without undue delay, of a breach of data security occurring in the computer systems of the Empowered person and/or in the processing carried out by the Empowered person for the Controller, as follows:
a. The Empowered person shall take all technically possible measures to identify the cause and to remedy the situation that has led to a data breach as soon as possible;
b. The Empowered person shall save and/or capture all possible technical information in order to prove the data breach occurred, the conditions and causes under which it occurred and the effects on both personal data and the data subjects whose personal data have been affected, as far as technically possible;
c. The Empowered person will take all technical measures possible to remedy a possible future identical and/or similar data breach situation, as appropriate and to the extent technically feasible;
d. The Empowered person shall centralize all the information referred to in 10.1(a-c) and make it available to the Controller without delay;
e. The Empowered person shall not replace the Controller, who is solely responsible for notifying the national supervisory authority.
To the extent that the Controller is obliged to notify the national supervisory authority and/or data subjects, the Empowered person shall assist the Controller in accomplishing these obligations, as follows:
e.1. respond promptly to any request received from the Controller and/or the national supervisory authority within the time limit imposed by the authority and/or within 2 working days in relation to the Controller;
e.2. provide the Controller and/or the national supervisory authority with all necessary information and/or devices to be checked in the event of an inspection in relation to the Controller;
e.3. shall, at the request of the Controller, send the notification to the data subjects by email; any other form of communication required by the authority shall be carried out exclusively by the Controller and at the Controller's expense, unless the Empowered person is found to be at fault.
10.2. Cooperation between the Controller and the Empowered person
a. The Empowered person acts on the instructions given by the Controller pursuant to Article 2, under his authority and processes the personal data of data subjects as obtained by the Controller. Where the Empowered person collects personal data under this contract, it does so only on behalf of the Controller.
b. In the relationship with the Controller, the Empowered person never determines the purposes or means of processing personal data, nor the specific categories of data subjects, nor when advising the Controller on various means of processing.
c. It is the sole responsibility of the Controller to determine the legal basis for each processing operation, to select the category of data subjects, to inform them adequately and, where appropriate, to obtain the consent of the data subjects to the processing of personal data covered by this contract or to use another legal basis, including where the Empowered person collects personal data on behalf of the Controller.
d. In all situations where the Controller is the one who is required to perform an obligation, such as, for example, informing the data subject of a personal data breach, the Empowered person cannot be held liable for the Controller's inactions within the scope of that obligation.
e. The Controller and the Empowered person shall delineate their responsibilities for ensuring the protection of personal data (e.g. ensuring confidentiality or security of processing), depending on the actual access to and control over the data, both contractually and technically.
f. If the Empowered person infringes the GDPR by determining the purposes and means of the processing of personal data and/or by failing to comply with them, the Empowered person shall be deemed to be a controller only in respect of that processing.
11. Data Protection Officer
The Data Protection Officer of theMarketer is: Alina Ionciu
theMarketer International SRL
For the attention of: Data Protection Officer at theMarketer
Address: Str. Badea Cartan 66, Sector 2, Bucharest, Office 3, zone II, Room 2, Bl. 40, Sc.A, Et.5, Ap.26
Email: iam@themarketer.com
The Controller has the possibility to nominate a data protection officer in his account on theMarketer platform.
12. Rights
12.1. The Controller has the following rights:
a. to decide whether or not to allow the sub-contracting of Secondary empowered persons by the Empowered person under the conditions of Article 9;
b. to receive information or verify, directly or through a mandated auditor, how the Empowered person implements appropriate technical and organizational measures so that the processing complies with the requirements of the GDPR and the protection of the data subject's rights is ensured; the verification will take place on the basis of a prior written notification, including by email, sent 10 working days before the verification;
c. to receive assistance from the Empowered person in accomplishing his obligation to respond to requests concerning the exercise by the data subject of his specific rights.
12.2. The Empowered person has the following rights:
a. to recruit Secondary empowered persons, which exceed the general and special authorization provided by Articles 9.2 and 9.3, only if it has received approval from the Controller;
b. to cover the costs of providing assistance to the Controller in the situations referred to in Articles 10.1.e, 12.1.b and 12.1.c.
c. to use statistical information containing only anonymized data resulting from the activities performed under this contract and/or the whole activity of the Empowered person for its own research, analysis and promotion of the Empowered person's services.
13. Obligations
13.1. The Empowered person has the following obligations:
a. to act only on the basis of lawful instructions received from the Controller and to inform the Controller within 5 days if, in the opinion of the Empowered person, an instruction violates GDPR and/or any other legal provision relating to the processing of personal data;
b. to process personal data exclusively through the services covered by this contract in accordance with the legal instructions and requirements of the Controller, in accordance with this contract, its annexes and in accordance with the relevant regulations in force;
c. to comply with the confidentiality of personal data and information that may be given to him/her in the course of the performance of this contract;
d. to establish, by mutual consent with the Controller, the specific deadlines for carrying out the processing activities arising from the contract and to comply with the deadlines for carrying out the processing activities established by the Controller;
e. to inform the Controller about the status and progress of the processing activities by any means of communication agreed between the parties;
f. to assist the Controller in accordance with Article 10.1. of this contract, including with regard to requests from data subjects;
g. to forward to the Controller any request received (e.g. request, referral, complaint, etc.) in relation to personal data that has been collected and processed by the Empowered person under the trading contract between the parties;
h. to delete or return to the Controller all personal data after the termination of the provision of the services related to the processing and to remove the existing copies within a maximum of 3 months.
i. to provide the Controller all information necessary to demonstrate compliance with its obligations under the GDPR;
j. to allow audits, including inspections, to be carried out by the Controller or other mandated auditor and to contribute to them with the necessary information.
13.2. The Controller has the following obligations:
- To independently comply with the GDPR in its capacity as Controller in relation to personal data processed by the Empowered person on its behalf;
- To implement how to comply with GDPR in its specific case through the customized implementation of the services of the Empowered person;
- To receive requests from data subjects and to modify or delete their data in the Controller's account related to the provision of the Services.
14. Liability
14.1. The Empowered person shall be liable for any damage caused by the processing if it has not complied with its obligations under the GDPR specifically and in accordance with the rules of cooperation set out in Article 10.2 of this contract.
14.2. The Empowered person shall be liable for damage caused by the processing if he acts outside or contrary to the lawful instructions of the Controller.
14.3. If the Empowered person has recruited a secondary empowered person and the secondary empowered person fails to comply with its data protection obligations, the Empowered person shall remain fully liable to the Empowered person for the performance of the secondary empowered person's obligations.
14.4. Disclaimer. The Controller agrees to indemnify and hold the Empowered person harmless from any and all liability for damages arising from:
a. failure to perform the contract due to events beyond any liability of the Empowered person;
b. failure to comply with the contract due to actions of the Controller;
c. compliance with the Controller's instructions or failure to comply with the Controller's instructions justified in advance by a notice of illegality;
d. lack or vitiation of the consent of data subjects.
15. Force Majeure/Fortuitous Event
No party shall be liable for damage caused by events for which it proves that it is in no way responsible, such as documents issued by the authorities attesting to the occurrence of a force majeure event.
16. Final provisions
This contract is dependent on the legal status of the Terms and Conditions to the extent of the objects involving the processing of personal data as referred to in Article 2.1 and shall apply in priority to the Terms and Conditions, which contain rules of general law.