Data Processing Policy

EC Shops Oü, a company registered in Estonia under company number 14375896, whose registered office is at Harju Maakond, Kesklinna Linnaosa, Kiriku Tn 6, Tallinn, 10130 (the "Processor"); and

EC Shops Oü customer (the "Controller"), person or company that has accepted the EC Shops Oü Terms and Conditions, which include this Data Processing Policy, for the use of e-commerce services, web pages or other by ECShops.


For the purposes of this Agreement, the terms "data subject", "personal data", "processing" and "personal data breach" have the meanings given to them in the RGPD (or GDPR for its acronym in English). References to "Articles" are references to GDPR articles.

"Data Protection Law" means the GDPR, the Data Protection Law of 2018 and any applicable national privacy legislation from time to time;

"RGPD" means Regulation 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and the free circulation of said data, and by which Directive 95/46 / EC (General Data Protection Regulation) is repealed;

"Services" means the services provided by the Processor to the Controller under or attached to this Agreement;

"Service Agreement" means the agreement between EC Shops Oü and the Controller;

"Provided personal data" means any personal information that the Controller provides to the Processor, or copies thereof, including in particular the data listed in Annex 1.


This Agreement refers to the processing of personal data by the Processor on behalf of the Controller.

This Agreement is made in accordance with Article 28 of the RGPD, to ensure that the Processor complies with its obligations under the Data Protection Law.

Nothing in this Agreement shall relieve the Processor of its own direct obligations and responsibilities under the Data Protection Act, either as a processor or controller.


The Processor will process the Personal Data provided only in accordance with the Controller's documented instructions, including with respect to transfers of personal data to a third country or international organization.

The Processor may process the Personal Data provided without instructions from the Controller when the Processor is required to do so by law. In such event, the Processor will inform the Controller of that legal requirement prior to processing, unless relevant law prohibits the Processor from informing the Controller for important reasons of public interest.

The Controller's instructions for the Processor must comply with the Data Protection Law. The Processor will immediately inform the Controller if, in its opinion, an instruction violates the Data Protection Act or any other applicable law.

The Controller confirms that the Personal Data provided has been collected and disclosed in accordance with the Data Protection Act and that the Controller and its directors, employees and consultants will only provide the personal data that is necessary for the Processor to provide the Service to the Controller.

The Controller and the Processor will take steps to ensure that any natural person acting under their respective authority does not process the Personal Data supplied, except in documented instructions from the Controller (unless required to do so by applicable law).

Processing details

The subject, duration, nature and purpose of the processing, as well as the categories of personal data that are processed and of the interested parties, are set out in Annex 1 of this Agreement.

The Processor may transfer the Personal Data provided outside the European Economic Area only as permitted by Articles 44 to 49 of the GDPR.

Confidentiality and processing safety

The Processor will ensure that all persons authorized to process the supplied Personal Data are subject to confidentiality obligations or are under an appropriate legal obligation of confidentiality.

The Processor will take all measures required under Article 32 of the GDPR to ensure the security of the processing, including the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, the Processor will consider:

  • state of the art and implementation costs;
  • the nature, scope, context and purpose of the processing; and
  • the risk to the rights and freedoms of natural persons.

Notification of breach of personal data

The processor will notify the controller without undue delay after becoming aware of a personal data breach affecting the personal data supplied (a "notice of breach").

The processor shall, where possible, include the following information in a Notice of Default, provided that doing so does not cause undue delay:

  • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and data records in question;
  • the name and contact details of the data protection officer or other contact point where further information can be obtained; and
  • the possible consequences of the violation of personal data.

When considering what information to provide in conjunction with a Notice of Default, the Processor will take into account the nature of the processing and the information available.

Use of subprocessors

The Processor will not contract with another processor (a "Sub-Processor") to process the Personal Data provided without prior specific or general written authorization from the Controller.

Pursuant to this Agreement, the Controller generally authorizes the Processor to involve Sub-Processors to process the Personal Data supplied, provided that the Processor complies with its obligations.

If the Processor intends to make any changes related to the addition or replacement of a Subprocessor, the Processor shall notify the Controller in writing of the identity of a potential Subprocessor (and its processors, if applicable).

The Controller may object to the use of any potential Sub-Processor. If the Controller wishes to object, it will notify the Processor of the objection in writing within 7 days of receiving the notification from the Processor.

When the Controller has objected in a timely manner, the Processor will not appoint that proposed Sub-Processor until the Processor has taken reasonable steps to address the objections raised by the Controller and has provided a written explanation of the next steps.

Before engaging a Sub-Processor to process the Personal Data provided, the Processor will ensure that the relationship between the Processor and the Sub-Processor is governed by a written agreement under which:

  • the Subprocessor is subject to data protection obligations equivalent to those established in this Agreement and that comply with Article 28 GDPR;
  • the Subprocessor offers sufficient guarantees that it will implement appropriate technical and organizational measures to comply with the requirements of the Data Protection Law; and
  • If the Sub-processor does not comply with its data protection obligations, the Processor remains fully responsible to the Controller for the fulfillment of the Sub-processor's obligations..

Assist the controller

Taking into account the nature of the processing, the Processor, to the extent possible, will assist the Controller in responding to requests from data subjects made under the Data Protection Act (in particular, in accordance with Articles 12 to 23 of the RGPD), through the implementation of the techniques and organizational measures.

When the Processor (or any of its Sub-Processors, as applicable) receives a request from a data subject under any Data Protection Law in relation to the Personal Data Provided, the Processor shall:

  • immediately notify the controller of the request; and
  • not respond to that request, except in documented instructions from the Controller or as required by the Data Protection Law (in which case, the Processor shall, to the extent permitted by the Data Protection Law, inform the Controller of that legal requirement before the Processor responds to the request).

Taking into account the nature of the processing and the information available to the Processor, the Processor will help the Controller to comply with the Controller's obligations under Articles 32 to 36 of the GDPR (security of processing, notification of personal data breach and impact assessments data protection).

The Processor's obligation to assist the Controller is subject to both parties agreeing to the scope, method, timing and reasonable fees charged by the Processor for such assistance and on the basis that the parties will work in good faith to minimize disruption to the process, processor's business by providing such assistance.

Information, audits and inspections

Upon a written request from the Controller, the Processor, as applicable:

  • make available to the Controller all the information necessary to demonstrate compliance with the obligations established in this Agreement in relation to the processing of Personal Data supplied by the Processor; and
  • allow and contribute to audits and inspections carried out by the Controller or its mandatory auditors.

The Controller will reasonably notify the Processor of any inspection or audit and will use reasonable efforts to avoid (and ensure that its mandated auditors avoid) causing undue damage or disruption to the Processor's business.

End of contract provisions

The Processor shall, in its sole discretion and following written instructions from the Controller, delete or return all Personal Data supplied after the end of the provision of Services. The Processor will also seek the elimination or return of all Personal Data supplied in the possession of its Sub-Processors.

The Processor shall comply with an instruction promptly and, in any case, within 7 days after the date of cessation of any Service involving the Personal Data supplied.

The Processor and its Sub-processors may retain the Personal Data provided if required by the Data Protection Law.

Details of processing

Subject: The subject of the processing of the Personal Data supplied by the Processor is the performance of the Services and according to the additional instructions of the Controller.

Duration: The Processor will process the Personal Data provided during this Agreement, unless otherwise agreed in writing.

Nature and purpose: the Processor will process the Personal Data provided as necessary to perform the Services in accordance with this Agreement and as directed by the Controller.

Categories of personal data: the personal data provided may include, among others, the following categories of personal data:

  • Name and surname;
  • Contact information;
  • Date of Birth;
  • Customer communications;
  • Shopping history; and
  • Information collected about the client's use of your browser.

Categories of data subjects: The Personal Data provided may include, among others, the following categories of data subjects:

  • Perspectives;
  • Customers;
  • Business partners;
  • Employees; and
  • Autonomous Collaborators