This Data Processing Agreement (“DPA”) forms an integral part of the Ecomlad Terms and Conditions, available at the website https://www.ecomlad.com/terms-of-service/ (“Ecomlad Terms and Conditions”), between: (i) the applicable Ecomlad Company as described in the Terms and Conditions (“Ecomlad”) acting on its own behalf and as agent for each Ecomlad affiliate; and (ii) User, as defined in the Ecomlad Terms and Conditions. By using the Services, User accepts the terms of this DPA.
This DPA sets out the additional terms, requirements and conditions on which Ecomlad will process Personal Data when providing services under the Ecomlad Terms and Conditions and shall come into force simultaneously with the Terms and Conditions whenever updated by Ecomlad accordingly. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) for contracts between controllers and processors.
This website is owned and operated by Ecomlad, LLC. (“Company,” “we,” or “us”).
Definitions and interpretation: The following definitions and rules of interpretation apply in this DPA. Definitions:
Affiliate: any entity controlling, controlled by, or under common control with a party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
Alternative Transfer Solution: a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
Authorised Persons: the persons or categories of persons that User authorises to give Ecomlad personal data processing instructions, either nominated by User or with ostensible or actual authority.
Business Purposes: the Services described in the Ecomlad Terms and Conditions.
Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and, to the extent applicable, the data protection or privacy laws of any other country.
Data Subject: an individual who is the subject of Personal Data.
Model Contract Clauses: the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
Personal Data: any information relating to an identified or identifiable natural person that is processed by Ecomlad as a result of, or in connection with, the provision of the services under the Ecomlad Terms and Conditions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing, processes and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
This DPA is subject to the terms of the Ecomlad Terms and Conditions and is incorporated into the Ecomlad Terms and Conditions. Interpretations and defined terms set forth in the Ecomlad Terms and Conditions apply to the interpretation of this DPA.
The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
A reference to writing or written includes email.
In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail.
Duration of DPA
This DPA will take effect as stipulated in the recitals above and shall remain in effect until, and expire in accordance with clause 12.
Personal data types and processing purposes
The User retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Ecomlad.
Annex 1 describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which Ecomlad may process to fulfil the Business Purposes of the Ecomlad Terms and Conditions.
Processing of Data
Ecomlad and User Responsibilities. If the Data Protection Legislation applies to the processing of User Personal Data, the parties acknowledge and agree that:
If the Data Protection Legislation applies to the processing of User Personal Data and User is a processor, User warrants to Ecomlad that User’s instructions and actions with respect to that User Personal Data, including its appointment of Ecomlad as another processor, have been authorized by the relevant controller.
Taking into account the nature of the processing, Ecomlad will assist the User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Data Protection Legislation.
Ecomlad will assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the processor.
Scope of Processing
User’s Instructions. By entering into this DPA, User instructs Ecomlad to process User Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as documented in the form of the Ecomlad Terms and Conditions, including this DPA; and (d) as further documented in any other written instructions given by User and acknowledged by Ecomlad as constituting instructions for purposes of this DPA.
Ecomlad’s Compliance with Instructions. Ecomlad will comply with the instructions described in Section 5.1 (User’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Ecomlad is subject requires other processing of User Personal Data by Ecomlad, in which case Ecomlad will inform User (unless that law prohibits Ecomlad from doing so on important grounds of public interest) via the User email address.
Ecomlad will ensure that all employees:
Ecomlad must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. Technical and organisational measures are specified in Annex 2.
Ecomlad must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
Personal Data Breach
Ecomlad will promptly and without undue delay notify User if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Ecomlad will restore such Personal Data at its own expense.
Ecomlad will immediately and without undue delay notify User if it becomes aware of:
Where Ecomlad becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide User with the following information:
Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Ecomlad will reasonably co-operate with User in User’s handling of the matter in accordance with Data Protection Legislation.
Ecomlad will not inform any third party of any Personal Data Breach without first obtaining User’s prior written consent, except when required to do so by law.
Ecomlad agrees that User has the sole right to determine:
Cross-border transfers of personal data
Data storage and processing facilities. User agrees that Ecomlad may, subject to Section 9.2 (Transfers of Data out of the EEA), store and process User Data in the United States of America and any other country in which Ecomlad or any of its subprocessors maintains facilities.
Transfers of Data out of the EEA.
Disclosure of Confidential Information containing Personal Data. If User has entered into Model Contract Clauses as described in Section 9.2 (Transfers of Data out of the EEA), Ecomlad will, notwithstanding any term to the contrary in the applicable agreement, ensure that any disclosure of User’s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.
Consent to subprocessor engagement. User specifically authorizes the engagement of Ecomlad’s Affiliates as subprocessors. In addition, Ecomlad generally authorizes the engagement of any other third parties as subprocessors (“Third Party Subprocessors”). If User has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data out of the EEA), the above authorizations will constitute User’s prior written consent to the subcontracting by Ecomlad of the processing of User Data if such consent is required under the Model Contract Clauses.
Information about subprocessors. Information about subprocessors is available in Annex 1 (as may be updated by Ecomlad from time to time in accordance with this DPA).
Requirements for subprocessor engagement. When engaging any subprocessor, Ecomlad will:
Opportunity to object to subprocessor changes:
Complaints, data subject requests and third party rights
Ecomlad shall take such technical and organisational measures as may be appropriate, and promptly provide such information to User as User may reasonably require, to enable User to comply with:
Ecomlad shall notify User immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
Ecomlad must notify User within 24 hours if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
Ecomlad will give User its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
Ecomlad must not disclose the Personal Data to any Data Subject or to a third party other than at User’s request or instruction, as provided for in this Agreement or as required by law.
Term and termination
This DPA will remain in full force and effect so long as:
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Ecomlad Terms and Conditions in order to protect Personal Data will remain in full force and effect.
Ecomlad’s failure to comply with the terms of this DPA is a material breach of the Ecomlad Terms and Conditions. In such event, User may terminate the Ecomlad Terms and Conditions effective immediately on written notice to Ecomlad without further liability or obligation.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Ecomlad Terms and Conditions obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, they may terminate relations with Ecomlad Terms and Conditions on written notice to Ecomlad.
Data return and destruction
Where it is applicable under legislation, at User’s request, Ecomlad will give User a copy of or access to all or part of User’s Personal Data in its possession or control in the format and on the media reasonably specified by User.
On termination of relations with Ecomlad for any reason Ecomlad will securely delete or destroy or, if directed in writing by User, return and not retain, all or any Personal Data related to this DPA in its possession or control.
If any law, regulation, or government or regulatory body requires Ecomlad to retain any documents or materials that Ecomlad would otherwise be required to return or destroy, it will notify User in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
Ecomlad will certify in writing that it has destroyed the Personal Data within no more than 90 (ninety) days after it completes the destruction, unless Data Protection Legislation requires storage.
Where it is applicable under legislation, Ecomlad will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for User in accordance with Data Protection Legislation, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures (Records).
Ecomlad will ensure that the Records are sufficient to enable User to verify Ecomlad’s compliance with its obligations under this DPA and Ecomlad will provide User with copies of the Records upon request.
User may, prior to the commencement of processing, and at regular intervals thereafter, audit the technical and organizational measures taken by Ecomlad. For such purpose, User may:
Ecomlad shall, upon User’s written request and within a reasonable period of time, provide User with all information necessary for such audit, to the extent that such information is within User’s control and User is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Ecomlad may object in writing to an auditor appointed by User to conduct any audit under this clause if the auditor is, in Ecomlad’s reasonable opinion, not suitably qualified or independent, a competitor of Ecomlad, or otherwise manifestly unsuitable. Any such objection by Ecomlad will require User to appoint another auditor or conduct the audit itself.
The User warrants and represents that Ecomlad’s expected use of the Personal Data for the Business Purposes and as specifically instructed by User will comply with the Data Protection Legislation.
Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: email@example.com
Clause 17.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Subject matter of processing: Ecomlad’s provision of the Services and related technical support to User.
Duration of Processing: Personal Data will be Processed for the duration of the DPA.
Nature of Processing: Ecomlad will process User Personal Data submitted, stored, sent or received by User via the Services for the purposes of providing the Services and related technical support to Ecomlad in accordance with the DPA.
Personal Data Categories: Contact Information, the extent of which is determined and controlled by the User in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Service.
Data Subject Types: Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: end users including User’s employees; and any other person who transmits data via the Services.
Ecomlad and Ecomlad Affiliates may engage third party suppliers to provide other services such as facilities management, maintenance and security services from time to time.
This Annex forms an integral part of the DPA and describes the technical and organizational security measures implemented by Ecomlad. Ecomlad may update or modify these security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Transmission Control: Ecomlad makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Ecomlad’s HTTPS implementation uses industry standard algorithms and certificates.
Ecomlad Services are designed to ensure redundancy and seamless failover. The server instances that support the Services are also architected with a goal to prevent single points of failure. This design assists Ecomlad operations in maintaining and updating the Services applications and backend while limiting downtime.