
Agreement on commissioned data processing

Preamble:

loopingo GmbH, Nymphenburger Str. 12, 80335, Munich, Germany (hereinafter referred to as "Marketer" or "Contractor") maintains a virtual platform for the distribution of customer incentives (loopingo Monetise and loopingo Uplift). The store operator (hereinafter also referred to as "Client") would like to participate in the mediation platform and will place a so-called marketer widget on its website for this purpose. In doing so, personal data may be transferred to the marketer for the purpose of selecting and displaying coupons.

Upon conclusion of the usage agreement via loopingo Monetise and / or loopingo Uplift, Marketer and the store operator conclude this agreement on commissioned processing pursuant to Art. 28 para. 3 DSGVO. A separate signature of this order processing agreement is not required.

1. Subject matter of the contract

Within the scope of the usage agreement concluded between the parties regarding loopingo Monetise and / or loopingo Uplift (hereinafter referred to as "Main Agreement"), it is necessary that the Contractor, as a processor within the meaning of Art. 4 No. 8 DSGVO, handles personal data for which the Client is the controller within the meaning of Art. 4 No. 7 DSGVO (hereinafter referred to as "Client Data"). This Agreement specifies the rights and obligations of the Parties under data protection law in connection with the Contractor's handling of Client Data for the purpose of implementing the Main Agreement.

2. Nature and purpose of the processing, type of personal data, categories of data subjects, duration of the processing operation

The Contractor shall process the personal data during the term of the Principal Contract on behalf of and only in accordance with the instructions of the Principal. The nature and purpose of the processing as well as the type of personal data and the categories of data subjects are laid down in Annex 1. Any processing of personal data deviating from or going beyond this, in particular for the Contractor's own purposes, is prohibited.

3. Rights of the Principal to issue instructions

3.1 The Client's instructions shall generally be given in writing or text form (e.g. e-mail). Deviating from this, (remote) verbal instructions may be given which are subsequently confirmed in writing or text form.

3.2 The Contractor shall be obliged to carry out the Client's instructions without delay or, if applicable, in compliance with a reasonable deadline set by the Client and, in particular, to correct, delete or block personal data without delay on the Client's instructions and to confirm this in writing upon request.

3.3 If the Contractor is of the opinion that an instruction of the Client violates this Agreement, the GDPR or other data protection provisions of the EU or the Member States, it shall notify the Client thereof without undue delay. The Contractor shall be entitled to suspend the execution of the instruction until the Client confirms or amends the instruction.

3.4 Insofar as the Contractor is obliged by the law of the Union or the Member States to which the Contractor is subject to process the personal data even without instructions from the Client, the Contractor shall notify the Client of the reason for the processing and the relevant legal requirements in good time before the processing, unless the law in question prohibits such notification due to an important public interest.

4. Obligations of the Principal

4.1 The Client shall be responsible externally, i.e. vis-à-vis third parties and the data subjects, for the lawfulness of the processing of the Client Data and for safeguarding the rights of the data subjects.

4.2 The Client is obliged to treat as confidential all knowledge of the Contractor's trade and business secrets (in particular with regard to technical and organisational data security measures) obtained within the framework of the contractual relationship. This obligation shall remain in force even after termination of this contract.

4.3 Insofar as the Contractor wishes to defend itself by legal means against a claim for damages pursuant to Art. 82 of the GDPR, against a threatened or already imposed fine pursuant to Art. 83 of the GDPR or other sanctions within the meaning of Art. 84 of the GDPR, the Client shall allow the Contractor to disclose details of the commissioned processing including issued instructions for the purpose of defence.

5. Obligations of the Contractor

5.1 Insofar as a data subject directly contacts the Contractor in exercising its rights under Chapter 3 of the GDPR (Articles 12 to 23 of the GDPR), taking into account Part 2, Chapter 2 of the German Federal Data Protection Act (Sections 32 to 37 of the German Federal Data Protection Act), the Contractor shall immediately forward this request to the Principal. The Contractor shall support the Client in a reasonable manner with appropriate technical and organisational measures in fulfilling its obligation to respond to such requests to exercise the rights of the data subject specified in Chapter 3 of the GDPR.

5.2 The Contractor shall assist the Client in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Contractor.

5.3 If the Contractor becomes aware of a personal data breach within the meaning of Art. 4 No. 12 of the GDPR ("data protection incident") with regard to the processed Client Data, it shall report this to the Controller without delay. Within the scope of the notification pursuant to Art. 33 (2) DSGVO, the Contractor shall inform the Principal, if possible, of the time as well as the type and extent of the incident, the IT system affected, the persons affected, the time of discovery, all conceivable adverse consequences of the data security incident and the measures taken as a result.

5.4 The Contractor shall inform the Client without delay if the Client's rights to the personal data at the Contractor are significantly affected by measures of third parties or by other events.

5.5 The Contractor shall be obliged to surrender all Client data at the Client's request. Data carriers received from the Client shall be marked separately and managed on an ongoing basis. Copies and duplicates of the personal data may only be made with the prior consent of the Client, unless they are used for the proper execution of this Agreement or the respective project order or to comply with statutory retention obligations.

5.6 If a legal obligation exists, the Contractor shall appoint a data protection officer (Art. 37 et seq. DSGVO) and shall inform the Client of his contact details and, if applicable, the change of data protection officer at least in text form for the purpose of direct contact.

6. Security of processing

6.1 The Contractor shall take all measures necessary pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk of the Processing. These measures shall include, in particular, the ability to ensure the confidentiality, integrity, availability and resilience of the systems on a permanent basis and to restore the availability of and access to personal data rapidly in the event of a physical or technical incident. The contractor shall regularly review, assess and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing and document the results.

6.2 The Contractor warrants that, prior to the commencement of the processing of the Client Data, it will implement the technical and organisational measures set out in Annex 2 of this Agreement, and that it will maintain them and, if necessary, adapt them to the state of the art and the risk of the Processing.

6.3 The Contractor shall ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

7. Control rights of the Principal

7.1 The Contractor shall grant the Client a right of inspection to check the data processing and compliance with this Agreement or the respective project order. In particular, the Contractor shall provide the Client with all information to prove compliance with the obligations set out in this contract and shall enable the performance of checks including inspections. The inspection activities may also be carried out by a third party bound to secrecy, provided that the third party is not a competitor of the contractor.

7.2 The Parties agree that the Principal shall conduct an inspection pursuant to Clause 7.1 by instructing the Contractor to submit, at its option, a suitable attestation, report or report extracts from independent bodies (e.g. auditor, audit, data protection officer, information security officer, data protection auditor or quality auditor) or a suitable certification by an IT security or data protection audit, e.g. in accordance with ISO 27001 or BSI-Grundschutz ("audit report"). In justified exceptions, the Client may conduct independent inspections.

7.3 The Contractor undertakes to support the implementation of the controls. This includes the granting of all required access, information and inspection rights. The same applies to public inspections by the competent supervisory authority in accordance with the applicable data protection regulations.

7.4 The Client shall inform the Contractor in good time (as a rule at least four weeks in advance) of all circumstances connected with the performance of the inspection. As a rule, the Client may carry out one inspection per calendar year. This does not affect the Client's right to carry out further inspections in the event of special occurrences.

8. Subcontracting relationships

8.1 The Contractor may establish subcontracting relationships with further processors (subcontractors). The Contractor currently employs the subcontractors designated in Annex 3. The Client agrees to their commissioning. The Contractor shall always inform the Client of any intended change with regard to the use or replacement of subcontractors, giving the Client the opportunity to object to such changes within two weeks, whereby an objection may only be raised for good cause under data protection law. If the Client does not raise any justified objections within two weeks of notification of the change, the change shall be deemed to have been approved by the Client. The Contractor shall inform the Client of the significance of its conduct at the beginning of the period. In the event of an objection, the Contractor may, at its own discretion, provide the service without the intended change or, if the provision of the service without the intended change is unreasonable for the Contractor, discontinue the service vis-à-vis the Client within two weeks of receipt of the objection and terminate the main contract without notice and with immediate effect.

8.2 If the commissioning of a sub-service provider is associated with a transfer of the Client Data to a country outside the European Union (EU) or the European Economic Area (EEA) ("Third Country"), the requirements set out in Clause 9 shall also apply.

8.3 The Contractor shall ensure that the data protection obligations agreed in this Agreement also apply to the sub-service provider and, in accordance with Article 28(4) of the GDPR, shall oblige the sub-service provider accordingly by way of a contract or other legal instrument under Union law or the law of the Member State concerned prior to commencement of the activities, whereby in particular sufficient guarantees must be provided that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR.

9. Transfer of Client Data to third countries

9.1 The contractually agreed data processing shall generally take place in a member state of the European Union (EU) or in a contracting state of the Agreement on the European Economic Area (EEA). Any transfer of the Client Data to a country outside the EU/EEA ("Third Country") shall only take place if the special requirements of Art. 44 et seq. DSGVO are fulfilled.

9.2 The Client hereby authorises the Contractor to conclude, on behalf of the Client, the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Commission Decision 2010/87/EU of 5.2.2010, OJ 2010 L 39, with a sub-service provider to whom Client Data are to be transferred for processing in a third country.

10. Return and deletion of Client Data

10.1 The Contractor shall return all Client data to the Client after completion of the provision of the Processing Services and in particular after termination of the contractual provision of services (in particular in the event of termination or other termination of the main contract) and subsequently delete it (incl. existing copies) in accordance with data protection requirements. Data carriers received from the Client shall be returned to the Client or destroyed in compliance with an appropriate level of protection. The same applies to test and reject material. This shall not apply if there is an obligation to store the personal data under Union law or the law of the Member States.

10.2 Documentation and protocols which serve as proof of orderly and proper data processing or legal retention periods shall be retained beyond the end of the contract in accordance with the respective retention periods.

11. Term and termination

The term and termination of this contract shall be governed by the provisions on the term and termination of the main contract. Termination of the main contract shall automatically result in termination of this contract. An isolated termination of this contract is excluded.

12. Priority clause

Insofar as no special provisions are contained in this contract, the provisions of the main contract shall apply. In the event of contradictions between this contract and provisions from other agreements, in particular from the main contract, the provisions from this contract shall take precedence.

Attachments

Annex 1: Description of the data processing
1. Checkout Marketing
Nature and purpose of the data processing:

Checkout marketing by providing the "loopingo Monetise Integration" (widget) based on JavaScript for integration on websites of the client.

The JavaScript code snippet has the following structure:

  • The first block, from order_id to email, ensures that the ad playout remains unique (order_id / token), tracks redemptions (voucher_code) and allows an advertising objection to be reconciled (email). The latter is only sent to our servers in hashed form.
  • The second block, from country to order_amount, is used for the auction and is sent to our servers encrypted. This allows us to deliver more relevant results to customers. Without further context, this data is not critical in terms of data protection.
  • The third block, from first_name to birthday, never leaves the browser. It is purely for the convenience of the customer, so that we can pre-fill this data for specific offers.

loopingo does not set any cookies on the customer's device during this process.

For clarification: The commissioned processing is limited to the personalisation of vouchers and the playout of personalised vouchers to the browser of the data subject. If the data subject interacts with the widget and selects a voucher, the related processing is carried out under loopingo's own responsibility.

Type of personal data:

Configuration

Name          Description                                  Required   Validation/Options
token         Authentication                               true       string
is_test       Setting for live or test environment         true       boolean

Customer data

Name          Description                                  Required   Validation/Options
order_id      Order number (displayed to the customer)     true       string
voucher_code  Voucher code used                            false      string
email         Customer email                               true       valid email
first_name    First name                                   false      string
last_name     Last name                                    false      string
city          City                                         false      string
street        Street                                       false      string
home_number   House number                                 false      string
birthday      Birthday                                     false      string
country       Country (invoicing address)                  true       ISO 3166 alpha-2 (DE, AT, CH)
postal_code   Postcode (invoicing address)                 true       string
gender        Gender (invoicing address)                   true       male|female
order_amount  Order amount in EUR (without currency symbol) true      string

Categories of persons concerned:

Customers who place orders in the principal's webshop.

2. loopingo Uplift
Nature and purpose of the data processing:

loopingo Uplift campaigns by providing the "loopingo Uplift Integration" (widget) based on JavaScript for integration on websites of the client.

Once the purchase has been completed, loopingo also sets a cookie on the customer's device during this process. The cookie supports the control of loopingo Uplift campaigns (e.g. returning customers who already had an active campaign will see this campaign again). The cookie contains a hashed value of the e-mail address.

The following data is transferred to loopingo:

Type of personal data:

Name          Description                                  Required   Validation/Options
order_id      Order number (displayed to the customer)     true       string
email         Customer email                               true       valid email
order_amount  Order amount in EUR (without currency symbol) true      string

Categories of persons concerned:

Customers who place orders in the client's webshop and have activated a loopingo Uplift premium together with the order.

For clarification: The commissioned processing is limited to the personalization of vouchers and the playout of personalized vouchers to the browser of the data subject. If the data subject interacts with the widget and selects a voucher, the related processing is carried out under loopingo's own responsibility.

Annex 2: Technical and organisational measures

1. Confidentiality (Art. 32(1)(b) GDPR) and encryption (Art. 32(1)(a) GDPR)

Access control (premises)

Measures to prevent unauthorised persons from accessing the data processing equipment with which personal data are processed:

  • Entrance doors are kept locked at all times.
  • Visitors/externals are accompanied or picked up and supervised at all times.
  • The outside door is always locked and only opens with an electronic door opener; the office door is also locked outside office hours and keys are only issued to selected staff.
  • Reception staff at the entrance
  • Our servers are operated in external data centres (hosting). There, the respective provider guarantees access control.

Access control/encryption (systems)

Measures to prevent unauthorised persons from using the data processing equipment and procedures:

  • Access to externally hosted/operated IT systems is specially secured (encryption, VPN)
  • Sealing off the network against unwanted access from outside (firewall)
  • Access to IT systems only possible with user ID and individual (secure) password
  • Data carriers are encrypted
  • Screen lock on workstations, automatic lock in case of prolonged absence
  • Access authorisations are documented

Access control (data)

Measures to ensure that those authorised to use the data processing procedures can only access the personal data subject to their access authorisation:

  • Individual access rights for each user, central administration and control
  • Access authorisations are granted on a task-related basis and according to the need-to-know principle.
  • Regular review of access authorisations. Authorisations that are no longer required are withdrawn immediately
  • Data on mobile IT systems are encrypted (complete system, hardware encryption).
  • Recording access to the IT system

2. Integrity (Art. 32(1)(b) GDPR)

Transfer control

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment:

  • Data storage and processing takes place on IT systems in the data centre. The connection between clients and server is specially secured (encryption, VPN).
  • Bringing and using private data carriers is prohibited. Only encrypted company data carriers may be used.
  • Visitors do not have access to the company LAN/WLAN.
  • Electronic signature

Input control

Measures to ensure that it is possible to check retrospectively whether and by whom personal data have been entered, modified or removed in data processing systems:

  • Automated logging of data entry, modification or deletion
  • Logging of failed access attempts
  • Logging the activities of the system administrator and all users
  • Logging of all activities on the server
  • Securing the log data against loss or alteration

3. Availability and resilience (Art. 32(1)(b) GDPR), rapid recoverability (Art. 32(1)(c) GDPR)

Availability control

Measures to ensure that personal data is protected against accidental destruction or loss (the information relates to the Contractor's own IT systems):

  • Data security concept
  • Versioned data and system backups according to backup schedule (daily/weekly)
  • Hard disk mirroring (RAID), backup data centre
  • Malware protection
  • Security-relevant updates and patches are applied regularly and promptly.
  • Uninterruptible power supply at the hosting provider

4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR, Art. 25(1) GDPR)

Order control

Measures to ensure that personal data processed on behalf of the Principal can only be processed in accordance with the Principal's instructions:

  • Contractors are carefully selected.
  • Regular control of the contractors

Data protection management

Measures that enable the control of data protection processes and demonstrably ensure compliance with data protection requirements:

  • A competent person has been appointed as data protection officer.
  • Employees are regularly trained and sensitised in data protection and are instructed on the confidentiality of data.

5. Pseudonymisation (Art. 32(1)(a) GDPR, Art. 25(1) GDPR)

Measures that ensure that personal data are processed in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures:

  • Emails from the Client's customers with advertising objections are only stored hashed.
Annex 3: Subcontractors

Name                 Address/Country   Order content                                              Security concept/Options
Hetzner Online GmbH  Germany, EU       Server infrastructure and backup data storage              Hetzner TOM
Twilio Ireland Ltd   Ireland, EU       Email service Sendgrid for email dispatch via Email API    Sendgrid Security Policy
Twilio, Inc          USA               Subcontractor of Twilio Ireland Ltd.                       Sendgrid Security Policy