loopingo GmbH, Nymphenburger Str. 12, 80335, Munich, Germany (hereinafter referred to as "Marketer" or "Contractor") maintains a virtual platform for the distribution of customer incentives (loopingo Monetise and loopingo Uplift). The store operator (hereinafter also referred to as "Client") would like to participate in the mediation platform and will place a so-called marketer widget on its website for this purpose. In doing so, personal data may be transferred to the marketer for the purpose of selecting and displaying coupons.
Upon conclusion of the usage agreement via loopingo Monetise and / or loopingo Uplift, Marketer and the store operator conclude this agreement on commissioned processing pursuant to Art. 28 para. 3 GDPR. A separate signature of this order processing agreement is not required.
Within the scope of the usage agreement concluded between the parties regarding loopingo Monetise and / or loopingo Uplift (hereinafter referred to as "Main Agreement"), it is necessary that the Contractor, as a processor within the meaning of Art. 4 No. 8 GDPR, handles personal data for which the Client is the controller within the meaning of Art. 4 No. 7 GDPR (hereinafter referred to as "Client Data"). This Agreement specifies the rights and obligations of the Parties under data protection law in connection with the Contractor's handling of Client Data for the purpose of implementing the Main Agreement.
The Contractor shall process the personal data during the term of the Principal Contract on behalf of and only in accordance with the instructions of the Principal. The nature and purpose of the processing as well as the type of personal data and the categories of data subjects are specified in Annex 1. Any processing of personal data deviating from or going beyond this, in particular for its own purposes, is prohibited for the Contractor.
3.1 The Client's instructions shall generally be given in writing or text form (e.g. e-mail). Deviating from this, (remote) verbal instructions may be given which are subsequently confirmed in writing or text form.
3.2 The Contractor shall be obliged to carry out the Client's instructions without delay or, if applicable, in compliance with a reasonable deadline set by the Client and, in particular, to correct, delete or block personal data without delay on the Client's instructions and to confirm this in writing upon request.
3.3 If the Contractor is of the opinion that an instruction of the Client violates this Agreement, the GDPR or other data protection provisions of the EU or the Member States, it shall notify the Client thereof without undue delay. The Contractor shall be entitled to suspend the execution of the instruction until the Client confirms or amends the instruction.
3.4 Insofar as the Contractor is obliged by the law of the Union or the Member States to which the Contractor is subject to process the personal data even without instructions from the Client, the Contractor shall notify the Client of the reason for the processing and the relevant legal requirements in good time before the processing, unless the law in question prohibits such notification due to an important public interest.
4.1 The Client shall be responsible externally, i.e. vis-à-vis third parties and the data subjects, for the lawfulness of the processing of the Client Data and for safeguarding the rights of the data subjects.
4.2 The Client is obliged to treat as confidential all knowledge of the Contractor's trade and business secrets (in particular with regard to technical and organisational data security measures) obtained within the framework of the contractual relationship. This obligation shall remain in force even after termination of this contract.
4.3 Insofar as the Contractor wishes to defend itself by legal means against a claim for damages pursuant to Art. 82 of the GDPR, against a threatened or already imposed fine pursuant to Art. 83 of the GDPR or other sanctions within the meaning of Art. 84 of the GDPR, the Client shall allow the Contractor to disclose details of the commissioned processing including issued instructions for the purpose of defence.
5.1 Insofar as a data subject directly contacts the Contractor in exercising its rights under Chapter 3 of the GDPR (Articles 12 to 23 of the GDPR), taking into account Part 2, Chapter 2 of the German Federal Data Protection Act (Sections 32 to 37 of the German Federal Data Protection Act), the Contractor shall immediately forward this request to the Principal. The Contractor shall support the Client in a reasonable manner with appropriate technical and organisational measures in fulfilling its obligation to respond to such requests to exercise the rights of the data subject specified in Chapter 3 of the GDPR.
5.2 The Contractor shall assist the Client in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Contractor.
5.3 If the Contractor becomes aware of a personal data breach within the meaning of Art. 4 No. 12 of the GDPR ("data protection incident") with regard to the processed Client Data, it shall report this to the Controller without delay. Within the scope of the notification pursuant to Art. 33 (2) GDPR, the Contractor shall inform the Principal, if possible, of the time as well as the type and extent of the incident, the IT system affected, the persons affected, the time of discovery, all conceivable adverse consequences of the data security incident and the measures taken as a result.
5.4 The Contractor shall inform the Client without delay if the Client's rights to the personal data at the Contractor are significantly affected by measures of third parties or by other events.
5.5 The Contractor shall be obliged to surrender all Client data at the Client's request. Data carriers received from the Client shall be marked separately and managed on an ongoing basis. Copies and duplicates of the personal data may only be made with the prior consent of the Client, unless they are used for the proper execution of this Agreement or the respective project order or to comply with statutory retention obligations.
5.6 If a legal obligation exists, the Contractor shall appoint a data protection officer (Art. 37 et seq. GDPR) and shall inform the Client of his contact details and, if applicable, the change of data protection officer at least in text form for the purpose of direct contact.
6.1 The Contractor shall take all measures necessary pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk of the Processing. These measures shall include, in particular, the ability to ensure the confidentiality, integrity, availability and resilience of the systems on a permanent basis and to restore the availability of and access to personal data rapidly in the event of a physical or technical incident. The contractor shall regularly review, assess and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing and document the results.
6.2 The Contractor warrants that, prior to the commencement of the processing of the Client Data, it will implement the technical and organisational measures specified in Annex 2 of this Agreement and will maintain and, if necessary, adapt them to the state of the art and the risk of the Processing.
6.3 The Contractor shall ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
7.1 The Contractor shall grant the Client a right of inspection to check the data processing and compliance with this Agreement or the respective project order. In particular, the Contractor shall provide the Client with all information to prove compliance with the obligations set out in this contract and shall enable the performance of checks including inspections. The inspection activities may also be carried out by a third party bound to secrecy, provided that the third party is not a competitor of the contractor.
7.2 The Parties agree that the Principal shall conduct an inspection pursuant to Clause 7.1 by instructing the Contractor to submit, at its option, a suitable attestation, report or report extracts from independent bodies (e.g. auditor, audit, data protection officer, information security officer, data protection auditor or quality auditor) or a suitable certification by an IT security or data protection audit - e.g. in accordance with ISO 27001 or BSI-Grundschutz - ("audit report"). In justified exceptions, the contracting authority may conduct independent inspections.
7.3 The Contractor undertakes to support the implementation of the controls. This includes the granting of all required access, information and inspection rights. The same applies to public inspections by the competent supervisory authority in accordance with the applicable data protection regulations.
7.4 The Client shall inform the Contractor in good time (as a rule at least four weeks in advance) of all circumstances connected with the performance of the inspection. As a rule, the Client may carry out one inspection per calendar year. This does not affect the Client's right to carry out further inspections in the event of special occurrences.
8.1 The Contractor may establish subcontracting relationships with further processors (subcontractors). The Contractor currently employs the subcontractors designated in Annex 3. The Client agrees to their commissioning. The contractor shall always inform the client of any intended change with regard to the use or replacement of subcontractors, giving the client the opportunity to object to such changes within two weeks, whereby this may not be done without good cause under data protection law. If the Client does not raise any justified objections within two weeks of notification of the change, the change shall be deemed to have been approved by the Client. The contractor shall inform the client of the significance of his conduct at the beginning of the period. In the event of an objection, the Contractor may, at its own discretion, provide the service without the intended change or - if the provision of the service without the intended change is unreasonable for the Contractor - discontinue the service vis-à-vis the Client within two weeks of receipt of the objection and terminate the main contract without notice and with immediate effect.
8.2 If the commissioning of a sub-service provider is associated with a transfer of the Client Data to a country outside the European Union (EU) or the European Economic Area (EEA) ("Third Country"), the requirements set out in Clause 9 shall also apply.
8.3 The Contractor shall ensure that the data protection obligations agreed in this Agreement also apply to the sub-service provider and, in accordance with Article 28(4) of the GDPR, shall oblige the sub-service provider accordingly by way of a contract or other legal instrument under Union law or the law of the Member State concerned prior to commencement of the activities, whereby in particular sufficient guarantees must be provided that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR.
10.1 The Contractor shall return all Client data to the Client after completion of the provision of the Processing Services and in particular after termination of the contractual provision of services (in particular in the event of termination or other termination of the main contract) and subsequently delete it (incl. existing copies) in accordance with data protection requirements. Data carriers received from the Client shall be returned to the Client or destroyed in compliance with an appropriate level of protection. The same applies to test and reject material. This shall not apply if there is an obligation to store the personal data under Union law or the law of the Member States.
10.2 Documentation and protocols which serve as proof of orderly and proper data processing or legal retention periods shall be retained beyond the end of the contract in accordance with the respective retention periods.
The term and termination of this contract shall be governed by the provisions on the term and termination of the main contract. Termination of the main contract shall automatically result in termination of this contract. An isolated termination of this contract is excluded.
Insofar as no special provisions are contained in this contract, the provisions of the main contract shall apply. In the event of contradictions between this contract and provisions from other agreements, in particular from the main contract, the provisions from this contract shall take precedence.
Checkout marketing by providing the "loopingo Monetise Integration" (widget) based on JavaScript for integration on websites of the client.
The JavaScript code snippet has the following structure:
loopingo does not set any cookies on the customer's device during this process.
For clarification: The commissioned processing is limited to the personalisation of vouchers and the playout of personalised vouchers to the browser of the data subject. If the data subject interacts with the widget and selects a voucher, the related processing is carried out under loopingo's own responsibility.
Configuration
Customer data
Customers who place orders in the principal's webshop.
loopingo Uplift campaigns by providing the "loopingo Uplift Integration" (widget) based on JavaScript for integration on websites of the client.
Once the purchase has been completed, loopingo also sets a cookie on the customer's device during this process. The cookie supports the control of loopingo Uplift campaigns (e.g. returning customers who already had an active campaign will see this campaign again). The cookie contains a hashed value of the e-mail address.
The following data is transferred to loopingo:
Type of personal data:
Customers who place orders in the client's webshop and have activated a loopingo Uplift premium together with the order.
For clarification: The commissioned processing is limited to the personalization of vouchers and the playout of personalized vouchers to the browser of the data subject. If the data subject interacts with the widget and selects a voucher, the related processing is carried out under loopingo's own responsibility.
Measures to ensure that those authorised to use the data processing procedures can only access the personal data subject to their access authorisation:
Measures to prevent unauthorised persons from using the data processing equipment and procedures:
Measures to prevent unauthorised persons from accessing the data processing equipment with which personal data are processed:
Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment:
Measures to ensure that it is possible to check retrospectively whether and by whom personal data can be entered, modified or removed in data processing systems:
Measures to ensure that personal data is protected against accidental destruction or loss (the information relates to the contractor's own IT systems):
Measures to ensure that personal data processed on behalf of the principal can only be processed in accordance with the principal's instructions:
Measures that enable the control of data protection processes and demonstrably ensure compliance with data protection requirements:
Measures that ensure that personal data are processed in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures: