Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an electronic agreement on the processing of personal data between Retail Rocket and Customer, the parties that signed the Engagement letter and thus entered into the agreement on providing online marketing services specified in the Engagement letter (hereafter referred to as “Agreement” and “Services”, correspondingly).
Customer enters into this DPA on behalf of itself, and Retail Rocket will in the context of the Services provided to Customer (a) process personal data of which Customer is data controller on behalf of Customer (“Customer” in this regard shall mean the final client/the final user) and Retail Rocket acts as data processor; (b) on behalf of Customer store and/or have access to information stored within the terminal equipment of an internet user (hereinafter referred to as the placement or accessing of “Cookies”) or (c) send solicited commercial electronic messages on behalf of Customer.
1. Subject matter of the Data Processing Agreement
1.1. This DPA applies exclusively to (a) the processing of personal data of which the Customer is data controller, (b) the storing and/or accessing of Cookies on behalf of Customer for the purpose of rendering the Services, and (c) the sending of solicited commercial messages in the scope of the Services provided under the Agreement on behalf of Customer.
1.2. In this DPA the terms ‘data controller’, ‘data processor’, ‘personal data’ and ‘processing’ will have the meaning as given in the Article 4 of the Regulation (EU) 2016/679, of 27th of April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinunder referred to as General Data Protection Regulation or GDPR).
1.3. The Customer is responsible for compliance with the applicable data protection legislation, especially the General Data Protection Regulation. The Customer guarantees that the personal data that will be provided to Retail Rocket for the provision of the Services have been collected according to the applicable laws and that it is authorised to facilitate the mentioned data to Retail Rocket for the processing according to what is established in this DPA.
2. Rights and obligations
2.1. With regards to the processing of personal data in the light of the Services, the Customer is the Controller and Retail Rocket is the Processor.
2.2. As the Controller, the Customer will determine the means for and purposes of the processing of personal data. The main purpose of the processing of personal data will be to provide the Services as set forth in the Consent to Personal Data Processing (Consent to Personal Data Processing in this regard shall mean the Consent to Personal Data Processing with the end-Customer as set forth in Article 6 (1) of GDPR) which shall determine the details about the processing of personal data, which may be amended and/or updated in writing.
2.3. As the Processor, Retail Rocket agrees to only process the personal data on behalf of Customer and only for the purposes as solely determined by Customer and as needed to provide the Services, except as required to comply with a legal obligation to which the Processor is subject, or to follow instructions of the Controller. Retail Rocket will not transfer the personal data to a third party, unless the law to which the Processor is subject to forces them to do so, or the Customer has given instructions to do so in accordance with the provisions of the GDPR.
2.4. Retail Rocket shall be allowed to exercise by the instructions of the Controller under the requirements of GDPR in the selection and use of such means as it considers necessary to pursue the purposes determined by Customer.
2.5. Retail Rocket will process the personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law to which the Processor is subject to; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Retail Rocket shall immediately inform the Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
2.6. The Customer shall guarantee Retail Rocket the availability of evidence confirming the collection of the user’s Consent to Personal Data Processing received by the Customer in accordance with applicable laws and submit it at any time to Retail Rocket at the request of the latter. In the event that any claim is made against Retail Rocket for infringement of data privacy rights of any third party arising directly from the provision of the Services under the Agreement, the Customer will, at its own expense, conduct and/or supervise any ensuing litigation and all negotiations for a settlement of the claim. The Customer will bear the costs of any payment to be made in settlement or as a result of an award in a judgement against Retail Rocket in the event of litigation.
3. Security
3.1. Retail Rocket shall take technical and organisational measures appropriate to ensure the security of the processing of personal data. These measures can include:
(a) measures to ensure that the personal data can be accessed only by authorized personnel for the purposes set forth in Appendix 1 to DPA;
(b) appropriate measures to protect the personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure;
(c) measures to identify vulnerabilities with regard to the processing of personal data in systems used to provide services to Customer.
3.2. Retail Rocket ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Retail Rocket takes all measures required pursuant to Article 32 of the GDPR.
3.4. Taking into account the nature of the processing, Retail Rocket assists the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of GDPR.
3.5. Retail Rocket assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
3.6. Retail Rocket makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the controller.
4. Data Transfers
4.1. Customer agrees that if the Services entail any (planned) permanent or temporary transfers of personal data to a country within the European Economic Area that such transfer of personal data is allowed and authorized.
4.2. Retail Rocket is authorised by the Customer to transfer personal data to the companies of its group which are established within the European Economic Area and the U.S.A. and provide services in assistance of the activities subject to the Services, and to these ends, is authorised to transfer the data to Retail Rocket’s authorized sub-processor within European Economic Area and the U.S.A. as set forth in Appendix 2.
5. Contracting with Sub-Processors
5.1. Customer agrees and authorizes, by adhering to the terms of this DPA, that Retail Rocket may subcontract to any third party part of its activities consisting of the processing of the personal data or requiring personal data to be processed within the scope of the provision of the Services including those services that are related or that are needed for the rendering of the same.
5.2. Retail Rocket shall not subcontract any other processor without the prior written specific or general authorization of the Customer. In case of general written authorization Retail Rocket will inform the Customer about every desired change concerning the addition or replacement of other processors, giving the Customer the possibility to object against these changes, within a period of 15 (Fifteen) days.
5.3. Retail Rocket shall ensure that the sub-processor is bound by the obligations of Retail Rocket under the same data protection agreement, and shall supervise compliance thereof.
5.4. The engagement of sub-processors will be subject to what is established in Article 28.4 of the General Data Protection Regulation.
6. Records of processing activities
6.1. Customer shall maintain a record of processing activities under its responsibility. This record shall contain the information set forth in Article 30 (1), a-g of the General Data Protection Regulation.
7. Returning or Destruction of Personal Data
7.1. Upon termination of this DPA, the personal data submitted to the Services shall be retained in inactive status within 180 (one hundred eighty) days and deleted with all existing copies upon the expiration of this period, unless the Customer, at its choice and upon its written request, asks for: 1) earlier deletion of such personal data of the Customer within this period; 2) return of all personal data of the Customer, with or without providing the Customer with copies of the personal data of the Customer. However, Retail Rocket can maintain a properly secured copy of the data, insofar that liabilities might arise out of the execution of the performance of services or unless the storage of such personal data is required by virtue of the applicable legislation.
7.2. Retail Rocket shall notify all third parties involved with the processing of the personal data of the termination of the DPA, and of the destruction of the personal data, and shall ensure that all such third parties shall destroy the personal data.
7.3. With due regard to Article 17 of the GDPR, Retail Rocket shall also proceed to erase personal data, if a data subject has requested the Customer to erase these data.
8. Placement and accessing of Cookies
8.1. If in the context of the Services, Cookies are placed or accessed by Retail Rocket or a third party engaged by Retail Rocket on behalf of Customer, then Customer is solely responsible for compliance with all applicable legislation and regulations.
Customer will therefore:
(a) provide the internet user with clear and comprehensive information (which information may wholly or partly be provided by Retail Rocket on behalf of Customer), in accordance with the applicable legislation and regulations, at least about the use of Cookies and similar technology (HTML5, ...) (hereinafter “Cookies”); the purposes of placement and accessing of the Cookies; type of cookies; the processing of the data obtained by means of the Cookies by Customer and by Retail Rocket or a third party engaged by Retail Rocket as data processors for the provision of Services to Customer; and the purposes of such processing pursuant to the provisions of the General Data Protection Regulation. The Customer has a clear Privacy Statement, Disclaimer and Cookie statement.
(b) obtain (prior) consent (using the “opt in” method) of the internet user for the placement and accessing of the Cookies by Retail Rocket or a third party engaged by Retail Rocket, and for the processing of data obtained by such means for the purposes of which the user has been informed pursuant to section 8.1(a) above.
(c) provide the user with information as to how to revoke its consent and to eliminate the Customer's Cookies and those of third parties (Retail Rocket and/or a third party engaged by Retail Rocket).
8.2. Customer shall immediately notify Retail Rocket in writing, in the event a user revokes its consent validly granted for the purpose to discontinue the use of the personal data and remove the Cookies.
9. The Sending of solicited Commercial Electronic Messages
9.1. If in the context of the Services, Retail Rocket will be sending solicited commercial electronic messages on behalf of Customer, then Customer (as material sender) is solely responsible for compliance with all applicable legislation and regulations.
Customer will therefore:
(a) obtain the prior (freely given, specific and well-informed) consent from the recipient of the electronic message, which consent shall be registered, and ensure that adequate measures are taken to prove that such consent was obtained; and
(b) provide the necessary information as required by the applicable legislation and (self)regulations; and
(c) offer a right to object including an e-mail address of Customer where such right can be exercised, if applicable, at the moment of obtaining the electronic contact details of the recipient (‘customer’) and/or in any subsequent commercial electronic message sent by Retail Rocket on behalf of Customer; and provide an easy and free mechanism for the user to exercise the right to revoke its consent including an e-mail address of Customer to this effect.
The Customer shall immediately notify Retail Rocket in writing, in the event any of the users receiving the electronic messages exercises its right of opposition or has revoked its consent, to discontinue sending the electronic messages to such user.
The Customer shall be solely responsible for ensuring that the solicited electronic messages comply, prior to being sent, with the requirements related to content and information to be included in the same required by the applicable legislation and regulations, being required to this effect, among others, to identify the e-mail clearly as “commercial communication,” and provide the identification information of the Customer as material sender.
10. Cooperation with the supervisory authority
10.1. The Customer and Retail Rocket, and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
11. Notification of a personal data breach to the supervisory authority
11.1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 (seventy two) hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 33 of the GDPR.
12. Duration and Termination
12.1. The duration of the data processing under this DPA is until the termination of the Services provided in accordance with the Agreement concluded between Retail Rocket and the Customer plus the period from the expiry of the Agreement until deletion of the Personal Data by Retail Rocket in accordance with the terms of this DPA.
12.2. The termination of the Agreement on any grounds will cause the automatic termination of this Data Processing Agreement.
Appendix 1: Personal data that will be processed in the scope of the Services and the purposes for which these data will be processed
1. Purposes of processing personal data
Retail Rocket processes personal data to improve website visitors’ shopping experience by adjusting the product recommendations based on each visitor’s interests and browsing history.
2. For the personal data processing purposes Retail Rocket uses the following Cookies
Cookie Name | Purpose of the Cookie |
rcuid | Unique user identifier |
rrpuid | Unique user identifier for A/B testing of product recommendations |
rr-VisitorSegment | Segment of a user in an A/B test |
rrpusid | Unique session identifier, used for tracking different people using the same device |
rrlpuid | Visitor identifier received from the Customer |
rrrbt | This cookie stores a sign that a visitor is a robot (e.g. automated search engine crawler) |
rrviewed | Numeric identifiers of ten recently viewed products |
rr-viewItemId | Numeric identifier of the last viewed product |
rrbasket | Numeric identifiers of ten recently added to cart products |
rr-addToBasketItemId | Numeric identifier of the last added to cart product |
rr-RecomAddToCartItemId | Numeric identifier of the last added to cart product from a block of Retail Rocket recommendations |
rr-RecomItemId | Numeric identifier of a product that was clicked through a block of Retail Rocket recommendations |
rr-MethodName | Algorithm name that generated a recommendation of a product that was clicked through a block of Retail Rocket recommendations |
rr-subFormLastView | This cookie stores a sign that the exit email acquisition popup was shown for the first time |
rrmailid | Unique identifier of the Retail Rocket email that a visitor clicked through |
rrutmsource | This cookie stores the value of the most recent utm_source URL parameter |
3. For the personal data processing purposes Retail Rocket may track the following visitor actions
- Any page view
- Product category page view
- Product page view
- Add to cart event
- Purchase
- Internal website search
- Email newsletter subscription
- Product recommendation blocks clicks
- Clicks in emails sent by Retail Rocket
- Interactions with Retail Rocket website widgets
4. For the personal data processing purposes Retail Rocket may use Browser Local Storage (also known as HTML5 Local Storage) to store data on the following visitor actions
- Any page view
- Product category page view
- Product page view
- Add to cart event
- Purchase
- Internal website search
- Email newsletter subscription
- Product recommendation blocks clicks
- Clicks in emails sent by Retail Rocket
- Interactions with Retail Rocket website widgets
This information is stored in the retailRocketEvents string in JSON format. Each event is stored for 24 hours after it occurred.
Appendix 2: The list of the authorized Sub-processors.
1. Entity | 2. Address, including jurisdiction | 3. Task(s) | 4. Transfer of Solution |
Retail Rocket Iberia, SL | Edificio K2M. C/ Jordi Girona, 1. Planta 2, 08034 Barcelona, España. | Website Personalisation. Triggered Emails. Smart Opt‐In Form. Email Personalisation. | Appropriate country |
Retail Rocket Germany GmbH | Horbeller Str. 31, 50858 Cologne, Germany | Website Personalisation. Triggered Emails. Smart Opt‐In Form. Email Personalisation. | Appropriate country |
Retail Rocket Netherlands B.V. | Laan van Vredenoord 33, 2289 DA Rijswijk, the Netherlands | Website Personalisation. Triggered Emails. Smart Opt‐In Form. Email Personalisation. | Appropriate country |
Amazon Services Europe S.à.r.l. | 5, Rue Plaetis, L-2338 Luxembourg | Object storage infrastructure service. Executes code in response to events and automatically manages computer resources. Global content delivery network (CDN) service. | Appropriate country |
Google Netherlands BV | Claude Debussylaan 34/15EETAGE 1082 MD Amsterdam, The Netherlands | Data analytics. Mail Server | Appropriate country |
Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen Germany | Hosting services | Appropriate country |
Baker Tilly Business Consulting Services S.A. | Patmou & Olympou, Marousi 151 23 Athens Greece | Data Protection Officer (DPO) | Appropriate country |
Pipedrive UK Limited | Hogarth House, 136 High Holborn, London, England, WC1V 6PX | CRM | Appropriate country |
Sailplay, Inc. | 401 Park Ave South, 9th Floor New York, NY 10016 (USA) | CRM, Loyalty, Campaigns, Analytics. | Standard Contractual Clauses (SCC) |
Vodafone Libertel B.V. | Avenue Ceramique 300, 6221 KX, Maastricht, The Netherlands | Telephone communications | Appropriate country |