GDPR Best Practice Guide
This document is intended to inform our Customers about our relationship with theMarketer.com in terms of personal data protection, with details about the technical aspects of our activity and the necessary actions regarding the protection of personal data.
Please note that during the use of theMarketer.com services, the Customer is the Controller of the personal data and theMarketer.com is the Empowered Person.
theMarketer.com acts within the limits of the law in force and in compliance with the instructions of the Customers, in the role of Empowered Person according to the "Personal Data Processing Agreement" of the Terms and Conditions established under Article 28 of EU Regulation 679/2016 (GDPR). This document is only intended to explain these rules, as well as other GDPR-related obligations in a language that is accessible to theMarketer.com's customers.
Data processed from a Customer is not shared in any form with the data of any other Customer, unless expressly requested by the Customer.
1. Internal data protection assessment
Each theMarketer.com Customer must, prior to contracting any theMarketer.com service, carry out an internal personal data protection assessment and, if necessary, a personal data protection impact assessment, in order to be compatible with the personal data protection legislation in force. The Customers must apply internally the General Data Protection Regulation (applicable from 25 May 2018) or other applicable local legislation.
2. Cooperation between the Controller (Customer) and Empowered Person (theMarketer.com)
The Customers should be aware that each Customer and theMarketer.com must enter into an agreement that stipulates the rules for data processing by theMarketer.com as the Authorised Person of the Customer, who acts as controller. This is the role of the "Personal Data Processing Agreement" and the Terms and Conditions, which contain details about duration, actions required, data processing period and data retention period, categories of data processed, rules that apply to the data processing process, transfer of data to authorized third countries, purposes and methods of processing and transfer.
3. Transparency and information of data subjects
Each of our Customers must properly inform the data subjects of the processing of personal data, including the processing made through theMarketer.com services. Information should be given at the latest at the time of collection.
For the specific situation of using theMarketer.com services, the following information should be included, if not already included:
- Identity and contact details of the Data Controller;
- Contact details of the Data Protection Officer (DPO), if applicable;
- The specific rights of data subjects covered by the GDPR (e.g. right of access, right of rectification, right to the erasure of data, restriction of processing, portability, right to withdraw consent, right to address a personal data authority) and the procedure required to exercise these specific rights (e.g. reply within 30 days); the Customers should check whether updates are necessary in this respect;
- The mechanism used for processing, including Empowered Person; the Customers should check if updates are required;
- Informing data subjects about the use of cookies on the site, to provide information related to Empowered Persons, including theMarketer.com;
- The obligation to obtain consent for such processing at the time you visit the site, such as first-party cookies; if the user does not give consent, the processing may not be permitted;
- You have an obligation to unsubscribe customers who choose not to receive further communications from theMarketer.com or who object to profiling information (see details in the article under point 4);
- If you use the chat service, properly inform customers about the use or storage of the content of communications.
- If you use the Loyalty Program, the email addresses of users who place an order are automatically captured with the subscriber status for the Loyalty Program, so that they can receive automatic transactional emails. We recommend that you do not include product blocks in these emails so that the emails are not considered commercial.
The following information could be used as a template to add the required information in the Privacy Policy or other information document according to Art. 13 GDPR. Please adapt and complete the text below according to the services implemented or used by theMarketer, in accordance with current legislation:
- In order to profile, analyze, and send personalized communications and offers, we use theMarketer.com, a provider of automated marketing services.
- These activities do not have any legal or other similar significant effect on users. The only consequence of using these services is for users to receive discounts and personalized marketing offers or to participate in loyalty programs. The user can opt out of being profiled or receiving commercial communications with no effect other than not receiving these discounts or personalized marketing offers.
- For the purpose of processing activities and interaction with the site, theMarketer.com shall automatically collect and store the following personal data as appropriate: email, phone number, last name, first name, gender, date of birth, city, county, IP address (including location estimation), as well as other technical data automatically obtained from browsing our website (browser, discount code, discount amount, product variations, device, operating system, page visit, category visit, brand visit, click on picture, scroll up, scroll down, add to cart, remove from cart, add to favorites, remove from favorites, etc).
- The categories of persons concerned are visitors, registered users or customers of the site, as appropriate, depending on the service chosen.
- If the Loyalty Program is used (which includes information such as: the order, the value of the order, the category from which the order was placed, the brand from which the order was placed, the discount received, and the products ordered), the email addresses and other provided data of users who place an order are automatically captured with the status of a subscriber to the Loyalty Program. This ensures that users may receive automatic transactional emails and/or SMS messages. These emails contain information regarding the client’s status, the number of points, and the benefits they have within the loyalty program. We expressly state that the emails/SMS messages sent in this manner are transactional in nature, not promotional, and are directly related to the transaction made by the client on the website. No product advertisements may be included in these emails, as they do not have a commercial nature. To unsubscribe from the Loyalty Program, the client simply needs to select the "unsubscribe" option in the received email or send an email to… (please enter the contact email address for your online shop here).
- Cookies: this site must use first-party cookies and may give theMarketer.com access to this information. This cookie is placed by this website and can therefore only be used in connection with this website. Consequently, a link between the internal monitoring of users of this site and monitoring on other sites is not technically possible with this cookie.
- When a client places an order and subscribes to the newsletter, they are automatically subscribed to the SMS channel without any further formalities.
- To unsubscribe from communications sent by theMarketer.com (email, SMS or Loyalty Program), click the "unsubscribe" button in the email footer or send an email to... (please enter the contact email address for your online shop here).
4. How to unsubscribe users from theMarketer.com
For one of your Customers to stop receiving communications from theMarketer.com, all you have to do is:
- Log in to your theMarketer.com account and go to the Subscribers section;
- Search for the customer's email address;
- Here, you have several options: Turn off emails, Turn off SMS, Turn off the Loyalty System, Turn off monitoring, and Delete profile.
5. Legal basis
Commercial communications are sent only to users approved by the Customer and only to the contact details provided by the Customer. The communication is made by theMarketer.com, on behalf of the Customers. Depending on the Customer's settings, the Customer's domain or the domain provided for this purpose by theMarketer.com may be used.
The Customers are solely responsible for, and have the obligation of, obtaining and proving the validity of the legal basis, such as consent and legitimate interest.
The processing of personal data for marketing purposes (e.g. newsletters, campaigns, email marketing, user analysis on the website) may be done on the basis of consent (Article 6(1)(a) GDPR) or for legitimate interest purposes (Article 6(1)(f) GDPR). In the case of the legitimate interest option, Customers must document their choice internally, by analyzing the interest, the legitimacy of the interest and the balance (proportion) between their interest and the rights of data subjects.
Acceptance must be obtained in accordance with the regulations in Art. 2 para. (11), Art. 6 para. (1) letter a), Art. 7 and Art. 8 of the GDPR.
As this is an online environment, consent must be given by the actual data subject and must be freely given, specific, informed, clear and demonstrable. Substantial, forced, conditional, false or unclear consent will not be considered valid, and Customers may therefore be in breach of personal data protection rules. A transparent and easily accessible privacy policy or privacy notice on the website or location of the data collected is mandatory.
Customers should be aware of the age restrictions when it comes to minors under Article 8 of the GDPR.
The customers are required to verify that they have the appropriate legal basis for the following categories of site users and to properly implement the scripts provided by theMarketer.com in connection with:
- Users registered for an account on the site or
- Users who have purchased on the website or
- Users who have subscribed to the newsletter or
- Users who have subscribed to other forms of communication (SMS, push notifications, etc.) or
- Users/visitors of the site.
6. Data not collected
The Customers should be aware of age restrictions when it comes to minors under Art. 8 of GDPR and should not collect any kind of data that could be included in special categories of data, such as personal data that could reveal race or ethnicity, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of identifying a natural person, health data or data related to the sex life or sexual orientation of a natural person.
7. Data control
The Customers have full control over the data processed by the Data Processor and responsibility for the documented and lawful instructions issued in relation to the Empowered Person, as set out in the Personal Data Processing Agreement.
8. Data confidentiality
Data confidentiality is a basic principle. The Customers, in their role as Operators, should set their own limitations on the privacy of personal data, which limitations will be duly observed by theMarketer.com in its role as data processor.
The Customers should check and inform theMarketer.com if they have special rules regarding the privacy of personal data.
theMarketer.com ensures, internally, the appropriate level of confidentiality of personal data through the use of various tools compatible with the privacy requirements regulated in Article 28 of GDPR.
9. Data security, data transfer
The security measures taken internally by theMarketer.com to protect personal data accessed on behalf of its Customers are governed by the Personal Data Processing Agreement.
The Customers should check and inform theMarketer.com if they have special data security rules.
The Customers should implement the Double Authentication Facility (2FA) for access to their account for theMarketer.com services.
There will be no transfer of data to third countries (non-EU, non-EEA countries or countries that do not have an adequate level of protection recognized by the European Commission or Standard Contractual Clauses), except for the situations included in this document or the Personal Data Processing Agreement, the Customer's consent to the transfer and the transfer is made in accordance with the set of rules stipulated in Articles 44-48 of GDPR.
10. Questions or concerns
If you have any questions about this GDPR Best Practice Guide, please contact us at:
- The Marketer International SRL
- Email: iam@themarketer.com