Data Processing Policy

EC Shops Oü, a company registered in Estonia with company number 14375896, whose registered office is at Harju Maakond, Kesklinna Linnaosa, Kiriku Tn 6, Tallinn, 10130 (the “Processor”); and

EC Shops Oü Client (the “Controller”), person or company that have accepted EC Shops Oü Terms and Conditions, which include this Data Processing Policy, for the usage of EC Shops services of Ecommerce.


For the purposes of this Agreement, the terms “data subject”, “personal data”, “processing” and “personal data breach” have the meanings given to them in the GDPR. References to “Articles” are references to articles of the GDPR.

“Data Protection Law” means the GDPR, the Data Protection Act 2018 and any applicable national privacy legislation from time to time in force;

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Services” means the services provided by the Processor to the Controller under this Agreement;

"Services Agreement" means the agreement between EC Shops Oü and Controller Company;

“Supplied Personal Data” means any personal data the Controller supplies to the Processor, or copies thereof, including in particular the data listed in Schedule 1.


This Agreement concerns the processing of personal data by the Processor on behalf of the Controller, as described in clause 3 and Schedule 1.

This Agreement is made under Article 28 of the GDPR, to ensure that the Processor complies with its obligations under Data Protection Law.

Nothing in this Agreement will relieve the Processor of its own direct obligations and liabilities under Data Protection Law, whether as a processor or a controller.


Subject to clause 3.2, the Processor shall process the Supplied Personal Data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or international organisation.

The Processor may process the Supplied Personal Data without instructions from the Controller where the Processor is required to do so by law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the relevant law prohibits the Processor from informing the Controller on important grounds of public interest.

The Controller’s instructions to the Processor shall comply with Data Protection Law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law or any other applicable law.

The Controller confirms that the Supplied Personal Data has been collected and disclosed in accordance with Data Protection Law and that the Controller and its directors, employees and consultants will only provide the personal data which is necessary for the Processor to provide the Service to the Controller.

The Controller and Processor will each take steps to ensure that any natural person acting under its respective authority does not process Supplied Personal Data except on the Controller’s documented instructions (unless he or she is required to do so by applicable law).

Details of Processing

The subject-matter, duration, nature and purpose of the processing, as well as the categories of personal data being processed and of data subjects, are set out in Schedule 1 of this Agreement.

The Processor may transfer Supplied Personal Data outside the European Economic Area only as permitted by Articles 44 to 49 GDPR.

Confidentiality and Security of Processing

The Processor will ensure that all persons authorised to process Supplied Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor will take all measures required under Article 32 of the GDPR to guarantee security of processing, including implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, the Processor will consider:

  • the state of the art and costs of implementation;
  • the nature, scope, context and purpose of the processing; and
  • the risk to the rights and freedoms of natural persons.

Notification of Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Supplied Personal Data (a “Breach Notification”).

The Processor shall, where possible, include the following information in a Breach Notification, provided that doing so does not cause undue delay:

  • the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained; and
  • the likely consequences of the personal data breach.

When considering what information to provide along with a Breach Notification, the Processor shall take into account the nature of processing and the information available to it.

Use of Sub-Processors

The Processor shall not engage another processor (a “Sub-Processor”) to process the Supplied Personal Data without prior specific or general written authorisation from the Controller.

Pursuant to this Agreement the Controller generally authorises the Processor to engage Sub-Processors to process Supplied Personal Data, subject to the Processor meeting the obligations in clause 7.3 and 7.6.

If the Processor intends to make any changes concerning the addition or replacement of a Sub-Processor, the Processor shall give prior written notice to the Controller of the identity of a potential Sub-Processor (and its processors, if applicable).

The Controller may object to the use of any potential Sub-Processor. If the Controller wishes to object, it shall notify the Processor of the objection in writing within 7 days of receiving the notification from the Processor.

Where the Controller has objected pursuant to paragraph 7.5, the Processor shall not appoint that proposed Sub-Processor until the Processor has taken reasonable steps to address the objections raised by the Controller and has provided a written explanation of the steps to take.

Before engaging a Sub-Processor to process Supplied Personal Data (or otherwise in accordance with clause 3), the Processor shall ensure that the relationship between the Processor and the Sub-Processor is governed by a written contract pursuant to which:

  • the Sub-Processor is subject to data protection obligations equivalent to those set out in this Agreement and compliant with Article 28 GDPR;
  • the Sub-Processor provides sufficient guarantees that it will implement appropriate technical and organisational measures to meet the requirements of Data Protection Law; and
  • if the Sub-Processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations.

Assisting the Controller

Taking into account the nature of processing, the Processor will, insofar as this is possible, assist the Controller in responding to data subject requests made under Data Protection Law (in particular, under Articles 12 to 23 of the GDPR), by implementing appropriate technical and organisational measures.

Where the Processor (or any of its Sub-Processors as applicable) receives a request from a data subject under any Data Protection Law in relation to Supplied Personal Data, the Processor shall:

  • promptly notify the Controller of the request; and
  • not respond to that request except on the documented instructions of the Controller or as required under Data Protection Law (in which case the Processor shall, to the extent permitted by Data Protection law, inform the Controller of that legal requirement before the Processor responds to the request.

Taking into account the nature of the processing and the information available to the Processor, the Processor will assist the Controller in complying with the Controller’s obligations under Articles 32 to 36 of the GDPR (security of processing, personal data breach notification and data protection impact assessments).

The Processor’s obligation to assist the Controller as set out in clause 8 is subject to both parties agreeing the scope, method, timing and reasonable fees chargeable by the Processor for such assistance and on the basis that the parties will work in good faith to minimise the disruption to the Processor’s business in providing such assistance.

Information, Audits & Inspections

Subject to clause 9.2, following a written request from the Controller, the Processor will, as applicable:

  • make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement in relation to the Processor’s processing of Supplied Personal Data; and
  • allow for and contribute to audits and inspections conducted by the Controller or its mandated auditors.

The Controller shall give the Processor reasonable notice of any inspection or audit and shall make reasonable endeavours to avoid (and ensure that its mandated auditors avoid) causing damage or excessive disruption to the Processor’s business.

End of Contract Provisions

Subject to clause 10.3, the Processor shall, at the sole discretion and on the written instruction of the Controller, delete or return all Supplied Personal Data after the end of the provision of Services. The Processor shall also procure the deletion or return of all Supplied Personal Data held by its Sub-Processors.

Subject to clause 10.3, the Processor shall comply with an instruction given under clause 10.1 promptly and in any event within 7 days of the date of cessation of any Services involving the Supplied Personal Data

The Processor and its Sub-Processors may retain Supplied Personal Data if required to do so under Data Protection Law.

Details of Processing

Subject matter: The subject matter of the processing of Supplied Personal Data by the Processor is the performance of the Services and as further instructed by the Controller under clause 3.

Duration: The Processor will process Supplied Personal Data for the duration of this Agreement, unless otherwise agreed upon in writing.

Nature and purpose: The Processor will process Supplied Personal Data as necessary to perform the Services pursuant to this Agreement and as further instructed by the Controller under clause 3.

Categories of personal data: The Supplied Personal Data may include, but is not limited to the following categories of personal data:

  • First and last name;
  • Contact information;
  • Date of birth;
  • Communications from Customers;
  • Purchase History; and
  • Information collected about customer's use of their browser.

Categories of data subjects: The Supplied Personal Data may include, but is not limited to the following categories of data subjects:

  • Prospects; 
  • Customers; 
  • Business Partners;
  • Employees; and
  • Freelancers.