Data Processing Agreement

Last Updated: January 08, 2024

1. Preamble

This Data Processing Agreement ("DPA") is a part of the agreement between commercetools and Customer that governs the provision of the Service to Customer (“Agreement”). It applies where commercetools processes Personal Data on behalf of Customer for the provision of the Service. Capitalized terms that are not defined in this DPA have the meaning described in the Agreement or any applicable Data Protection Law. In the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall prevail.

commercetools may process Personal Data relating to Customer's access to and use of the Service, such as while creating accounts (e.g. credentials) and using the Service (e.g. log files). Such processing is governed under the commercetools Privacy Policy (sec. IV).

Customer acknowledges that Processing of Personal Data under this DPA may be subject to various applicable Data Protection Laws, whether or not explicitly mentioned in this DPA. Customer is responsible for verifying that this DPA complies with the applicable Data Protection Law relevant to the use of the Service and will inform commercetools about any discrepancies between this DPA and requirements under any applicable Data Protection Law before Processing takes place.

2. Definitions

commercetools means the commercetools entity that is a signatory to the Agreement and providing the Service.

Controller means the entity which determines the purpose and means of the processing of Personal Data. It shall have the same meaning as “controller” under the GDPR and other equivalent terms under applicable Data Protection Law (e.g., ”Business” as defined under the CCPA).

Data Protection Law means, to the extent applicable, data protection and data privacy laws and regulations as they may be amended or replaced from time to time, such as the EU General Data Protection Regulation (GDPR), UK GDPR (GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended)), the California Consumer Privacy Act of 2018, Cal. Civ. Code 1748.100 et seq. (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), the Australian Privacy Act 1988 (ACT) and the Australian Privacy Principles (APPs).

Data Processor or Processor means the entity that processes Personal Data on behalf of the Customer. It shall have the same meaning as “processor” under the GDPR and other equivalent terms under applicable Data Protection Law (e.g. “Service Provider” as defined under the CCPA).

Data Subject means the identified or identifiable natural person or household to whom Personal Data relates.

Documented Instruction is any directive given by the Customer to commercetools concerning the Processing of Personal Data in accordance with the Agreement (including this DPA), together with the use of the Service.

Personal Data means any information relating to an identified or identifiable natural person and shall have the meaning of “personally identifiable information”, “personal information”, “personal data” or equivalent terms as such defined under applicable Data Protection Law.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. It shall have the meaning of other equivalent terms under applicable Data Protection Law (e.g. “Security Incident” as defined under the CCPA).

Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restricted Transfer means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a country that is not the subject of adequacy regulations under section 17A of the United Kingdom Data Protection Act of 2018 and (iii) where the Swiss Federal Act on Data Protection applies, a transfer of Personal Data from Switzerland to a country that is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner.

SCCs means the standard contractual clauses for international transfers annexed to the European Commission’s implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Transfer Addendum), if applicable.

Sub-Processor means any Data Processor engaged by commercetools to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.

3. Roles and Scope of Processing Activities

3.1. Roles of the parties

As between the parties, Customer is the Controller of Personal Data and commercetools shall process Personal Data only as a Processor acting on behalf of or on the instruction of Customer.

3.2. Details of Processing

The subject matter and purpose of the Processing are determined in the Agreement and this DPA. Details of Processing, in particular the type of Personal Data and categories of Data Subjects, are as set out in Annex 1.

3.3. Instructions

commercetools shall process Personal Data only on lawful Documented Instructions from the Customer, except where required otherwise by applicable Data Protection Law. In such a case, commercetools shall inform Customer of that legal requirement before the Processing takes place, unless the law prohibits this. Subsequent instructions may also be given by the Customer throughout the duration of Processing and shall be documented accordingly.

commercetools shall promptly inform the Customer if, in commercetools' opinion, Documented Instructions given by Customer infringe applicable Data Protection Law. commercetools has the right to postpone the execution of any such instruction until Customer has confirmed the compliance of this instruction with the relevant data protection provisions.

4. Confidentiality, Security and Personal Data Breach Response

4.1. Confidentiality

commercetools shall grant access to Personal Data only to the extent strictly necessary for implementing, managing and monitoring of the Service. commercetools shall ensure that persons authorized to Process Personal Data are under a contractual or statutory obligation of confidentiality.

4.2. Security

commercetools has implemented appropriate technical and organizational measures as set out here: https://commercetools.com/toms to protect Personal Data from Personal Data Breaches and preserve the security and confidentiality of Personal Data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the Data Subjects. Such technical and organizational measures are subject to technical progress and further development. Accordingly, commercetools reserves the right to modify the technical and organizational measures provided that the security of the Service is not degraded.

4.3. Personal Data Breach Response

commercetools shall notify Customer without undue delay after becoming aware of a Personal Data Breach. Such notification shall contain at least (a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned; (b) the name and contact details of the data protection officer or other contact point at commercetools where more information can be obtained; (c) a description of the likely consequences of the Personal Data Breach; and (d) a description of any measures already taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where and insofar as it is not possible to provide all this information at the same time as the initial notification, commercetools shall provide further information as it becomes available without undue delay.

5. Sub-Processors

5.1. Authorized Sub-Processors

Customer acknowledges and agrees that commercetools may engage Sub-Processors to process Personal Data in connection with the provision of the Service. The Sub-Processors currently engaged by commercetools are set out here: https://commercetools.com/subprocessors.

5.2. Changes to Sub-Processors

commercetools shall inform Customer in writing, which may be an email, of any intended changes of Sub-Processors at least 6 weeks in advance. If, within 4 weeks of receiving such notice, Customer does not provide written notice to commercetools of any reasonable objections to the proposed change, Customer will be deemed to have accepted the change. If the parties are not able to resolve a reasonable objection and commercetools continues to appoint such Sub-Processor, the Customer will be entitled to terminate the affected Service that cannot be provided without the use of the rejected Sub-Processor without any liability as a result of such termination. commercetools shall have no liability for such termination and such termination shall not constitute a termination for breach.

5.3. Sub-Processor Obligations

commercetools shall conduct appropriate due diligence and security reviews prior to engaging Sub-Processors. commercetools shall enter into a written agreement with each third-party Sub-Processor that obligates the Sub-Processor to comply with terms that are at least as restrictive as those imposed on commercetools under this DPA and the Agreement. Where a Sub-Processor fails to fulfill such obligations, commercetools shall notify Customer of any such failure. commercetools shall remain fully liable to Customer for the performance of that Sub-Processor's obligations.

6. Cooperation

6.1. Requests from Data Subjects and Authorities

To the extent that Customer is unable to independently access the relevant Personal Data within the Service and, taking into account the nature of the processing, commercetools will assist Customer in responding to requests by (a) Data Subjects to exercise their rights under applicable Data Protection Law and (b) applicable data protection authorities relating to the processing of Personal Data.

In the event that any such request is made directly to commercetools, commercetools shall not respond to such communication directly without Customer's prior authorization, unless legally required to do so. If commercetools is required to respond to such a request, commercetools shall promptly notify Customer and provide a copy of the request unless legally prohibited from doing so.

Taking into account the nature of processing and the information available to commercetools, commercetools shall further assist Customer with regard to Customer's obligations under applicable Data Protection Law.

6.2. Data Protection Impact Assessments

Taking into account the nature of processing and the information available to commercetools, commercetools shall provide assistance to enable the Customer to carry out data protection impact assessments and consultations with data protection authorities as required by applicable Data Protection Law.

7. Term and Return or Deletion of Data

7.1. Term

This DPA and SCC (if applicable) shall terminate simultaneously and automatically with the termination or expiration of the Service provided under the Agreement.

7.2. Deletion of Data

Upon termination of the Service or expiration of the term, subject to applicable Data Protection Law, commercetools will promptly delete Personal Data. Prior to such deletion, Customer may export Customer Data (including Personal Data) in supported formats. Alternatively, Customer may request from commercetools a copy of Customer Data (including Personal Data) prior to deletion, in which case commercetools will make a copy of such Personal Data reasonably available to Customer. Upon Customer's request commercetools will confirm in writing the deletion or return of all Personal Data.

8. Security Reports and Audits

At the Customer’s written request and within reasonable intervals but no more than once every 12 months or if there are indications of material non-compliance, commercetools shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits.

Customer may choose to conduct the audit by itself or through an independent auditor. At Customer's written request, commercetools shall make available to Customer or Customer's independent auditor the then-available information regarding commercetools' compliance with the obligations in this DPA in the form of third-party certifications or reports. Audits may also include inspections at the commercetools offices and shall, where appropriate, be carried out with reasonable written notice.

Customer shall disclose to commercetools any written audit report created, including any findings of noncompliance discovered as a result of the audit.

9. International Transfers

9.1. Data Regions

Depending on the Service provided under the Agreement and as further described in the Documentation, commercetools' data regions are located in the EU, USA or Australia. Customer Data (including Personal Data) will be processed in the data region selected by Customer. commercetools will not migrate Customer's Data in the Service environment to another data region without Customer's prior consent, which shall not be unreasonably withheld. commercetools may access and process Personal Data remotely from other countries as necessary to maintain, secure, or perform the Service, and for technical support, subject to applicable Data Protection Laws.

9.2. Data Transfer Mechanism

Any Restricted Transfer shall be only done on the basis of Documented Instruction and commercetools agrees to abide by and process Personal Data originating from the EEA (European Economic Area), the United Kingdom and Switzerland in compliance with the applicable SCCs and applicable Data Protection Law.

9.2.1. Transfer from EEA

With respect to Restricted Transfers from Customer to commercetools, SCC Module Two applies where Customer is a Controller and commercetools is a Processor. Such SCCs are incorporated into this DPA and apply to the transfer. With respect to a Restricted Transfer from commercetools to a Sub-Processor, Module Three applies where both commercetools and the Sub-Processor are Processors. The following shall apply for both SCC Modules:

(a) In Clause 7, the optional docking clause does not apply;

(b) In Clause 9(a) of Modules Two and Three, Option 2 applies, and the period for prior notice of subprocessor changes is set forth in Section 4 of this DPA;

(c) in Clause 11(a), the optional language does not apply;

(d) in Clause 17, Option 2 applies with the governing law being that of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany;

(e) in Clause 18(b), disputes will be resolved before the courts in Munich, Germany;

(f) Annex I of the SCCs is completed with the information in Annex 1 to this DPA;

(g) Annex II of the SCCs is completed with the information as set forth in Section 4.2 above; and

(h) Annex III of the SCCs is completed with the information in the Sub-Processors list (Section 5 above).

The parties acknowledge that Customer may provide a general consent to onward sub-processing by commercetools. Accordingly, Customer provides a general consent to commercetools, pursuant to Clause 9 of the SCCs, to engage onward Sub-Processors. Such consent is conditional on commercetools' compliance with the requirements set out in Section 5.

9.2.2. Transfer from UK

Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer. The UK Transfer Addendum is completed with the information provided under Section 9.2.1., Section 5 (Sub-Processors list), Section 4.2 (technical and organizational measures) and Annex 1 to this DPA; and both “Importer” and “Exporter” are selected in Table 4.

9.2.3. Transfer from Switzerland

Where a Restricted Transfer is made from Switzerland, the SCCs are incorporated into this DPA and apply to the transfer as modified under Section 9.2.1., except that (a) in Clause 13 of the SCC, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection; (b) references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and (c) references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).

9.2.4. Transfer from Australia

If commercetools processes Personal Data in Australia, such data may be transferred to and stored in a country that is not Australia (on a temporary or permanent basis). The Customer acknowledges and agrees (a) that commercetools is authorized to give Personal Data, in accordance with this DPA, to a third party who is not in Australia or a third party who may transfer and store the Personal Data outside Australia (the Overseas Recipient); (b) that while commercetools takes reasonable steps to ensure that an Overseas Recipient does not breach the APPs, an Overseas Recipient is not bound by the APPs and subclause 8.1 of the APPs does not apply to the disclosure of Personal Data to an Overseas Recipient (subclause 8.1 of the APPs requires commercetools to ensure that Overseas Recipients comply with the APPs unless, in accordance with subclause 8.2 of the APPs, Customer agrees otherwise); and (c) that if an Overseas Recipient handles Personal Data in breach of the APPs, the data subject may not be able to seek redress under the Act.

10. Additional Provisions for CCPA Compliance

If CCPA is applicable, Customer as Business has appointed commercetools as a Service Provider (“Business” and “Service Provider” as defined in the CCPA) to collect and process Personal Data of California residents. “Business”, “Collect”, “Process”, “Sell”, “Service Provider”, whether or not capitalized, shall have the meanings given to them in §1798.140 of the CCPA.

Both parties shall comply with their respective CCPA obligations. Specifically, the parties agree that (a) commercetools acts solely as a Service Provider in relation to the collection and processing of Personal Data of California residents and, in accordance with the provisions of this DPA, only upon Customer's Documented Instructions and within the purpose as outlined in Sections 3.2 and 3.3 above (“Business Purpose”); (b) commercetools will not sell Personal Data of California residents it collects pursuant to this DPA and the Agreement, and the parties acknowledge and agree that Customer does not sell Personal Data of California residents to commercetools in connection with the Service; and (c) commercetools will not retain, use, or disclose Personal Data for any purpose other than for the Business Purpose or as required or permitted under applicable law, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Service.

11. General

11.1. Conflict

This DPA supersedes any conflicting or inconsistent provisions in the Agreement related to data protection and, in the event of ambiguity, this DPA will prevail. The Agreement, as amended and modified by this DPA, otherwise remains in full force and effect.

11.2. Liability and Damages

Each party's liability to the other party for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Neither party limits or excludes any liability that cannot be limited or excluded under applicable law.

11.3. Notices

All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email. Notices by email to commercetools shall be sent to privacy@commercetools.com. Notices by email to Customer shall be sent to the email address set out in the Order Form. Either party may update its address by notice to the other. commercetools may also send operational notices to Customer by email or through the Service.

11.4. Governing Law

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Law.

Annex 1 - Processing Details

1. Subject matter

The subject matter of the data processing under the DPA is the Personal Data.

2. Duration

The duration of the processing under the DPA is determined by the Agreement.

3. Purpose

The purpose of the processing under the DPA is the provision of the Services by commercetools to Customer as specified in the Agreement.

4. Nature of the Processing

commercetools is providing Services (SaaS/Software as a Service) as specified in the applicable Order Form and the Agreement. These Services may include the processing of Personal Data by commercetools as determined by Customer by sending API requests to the Service or as determined in the configuration of the Services which may include, but is not limited to:

  • Collection and storage of Customer's customers' sign-ups and purchases

  • Collection of usage data, if necessary

  • Processing of purchase data and Customer's customer data

5. Categories of Data Subjects

  • Customer's customers and prospects

  • Employees of Customer

  • Service partners

  • Contact persons

6. Categories of Personal Data

Personal Data that is submitted to the Services by Customer, which may include, but is not limited to:

  • Master data of Customer's employees and of Customer's customers

  • Communication data (e.g. phone or email)

  • Purchase data

7. Special Categories of Personal Data

Except as may be set out in the Documentation, Customer is contractually prohibited from sending special categories of Personal Data, as defined in the Agreement under “Prohibited Data”, to the Service.