This notice was last updated on October 8, 2022.
Shaeps (‘We’, ‘Us’, or the ‘Company’) has created this Data Processing Policy to let you know how We comply with the EU privacy shield framework.
Shaeps, and / or one or more of Shaeps’s affiliates (collectively, “Shaeps”), and you may enter into one or more agreements (collectively, the “Agreements”), pursuant to which Shaeps may receive Personal Information (as defined below) for the purpose of providing certain services (the “Services”), including but not limited to those agreements accessible via e.g. shaeps.com (‘Site’), Our online store and any website or other online point of presence, mobile application, service or feature through which any product or service available are syndicated, offered, merchandised, advertised, or described (‘Sites’).
Solely to the extent that the Personal Information received by Shaeps pursuant to the Agreements is covered by the European General Data Protection Regulation (the “GDPR”), Shaeps agrees to Process (as defined below) such Personal Information as required by this Data Processing Agreement (this “DPA”).
Acting as a data processor and a data controller
Personal Information that is transferred to Shaeps falls into two categories: 1) Personal Information regarding personnel from Shaeps’s customers, such as name, email address, and telephone number; and 2) Personal Information from customers’ end users that Shaeps processes on behalf of its customers, such as end user name, address, and transaction information. In the case of the latter category, Shaeps acts as a data processor and processes such information only under the instructions of its customers. This information is controlled by Shaeps’s customers.
Because the requirements of the Privacy Shield program vary depending on whether Shaeps is acting as a processor on behalf of its customers or as a data controller, meaning that Shaeps makes independent decisions about how that information will be used, Shaeps’s policies and practices are described separately below.
Acting as a data processor on behalf of its customers
When Shaeps acts as a processor on behalf of its customers, the following policies apply to all data processing operations concerning the processed Personal Information.
- Use of Personal Information: Shaeps will process the Personal Information only for the purposes requested by the customer.
- Access and correction: Shaeps will assist the customer (the controller) in responding to individuals exercising their rights under the Principles.
- Agents and service providers: Shaeps will not transfer Personal Information to third parties except where permitted or required by the customer and then in accordance with the applicable laws.
- Notice and choice: Because the Personal Information is under the control of Shaeps’s customers, appropriate notice and choice to the individual are provided by Shaeps’s customers. As the data processor, Shaeps typically does not have a direct relationship with the customers’ end users.
- Acting as a data controller
Shaeps may receive Personal Information from customers regarding their employees.
Any Personal Information sent to Us may be used by Shaeps and its agents for the following purposes: communications, fulfilling transactions, analytics, and marketing – or (i) in accordance with your instructions as documented in the Agreements, respectively (ii) as needed to comply with law. The duration of the Processing will be the same as the duration of the relevant Agreements, except as otherwise agreed to in writing by the parties.
If We intend to use your information for a purpose that is materially different from these purposes or if We intend to disclose it to a third party (a non-agent) not previously identified, We will notify you and offer you the opportunity to opt out of such uses and/or disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.
Disclosures to affiliates and third parties
Shaeps is authorized to transfer Personal Information to subprocessors for purposes of providing the Services.
Personal Information may be disclosed:
- To Our affiliates for the purposes described in this DPA.
- We sometimes contract with other companies and individuals to perform functions or services on Our behalf such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services.
- To third parties, to permit them to send you marketing communications, consistent with your choices.
- To a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of Our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
- We are responsible for ensuring that Our agents, service providers and other third parties to whom We disclose your Personal Information process the information in a manner consistent with Our obligations.
Shaeps will ensure that persons authorized to process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
We use reasonable physical, electronic, and administrative safeguards to protect your Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Information and the risks involved in the processing that information.
Shaeps will notify you without undue delay via agreed upon channels, whenever Shaeps learns that there has been a personal data breach (as defined in the GDPR). Taking into account the nature of Processing and the information available to Shaeps, Shaeps will assist you at your request in complying with your notification obligations regarding personal data breaches as required by the GDPR. Shaeps reserves the right to charge a reasonable fee to you for such requested assistance, to the extent permitted by applicable law.
Data integrity and purpose limitation
We limit the collection and use of Personal Information to the information that is relevant for the purposes of processing and will not process Personal Information in a way that is incompatible with the purposes for which the information has been collected or subsequently authorized by you. We take reasonable steps to ensure the personal information is reliable for its intended use, accurate, complete, and current to the extent necessary for the purposes for which We use the Personal Information.
Access to personal data
You can ask to access, review and correct Personal Information that We maintain about you by sending a written request to Us as per the ‘contact Us’ section below. Further more, you may request a list of subprocessors. Upon receival of this list of subprocessors you have 30 days to object to a listed subprocessor; if no objection is received, the subprocessor is deemed to be accepted by you. If you make an objection on reasonable grounds and Shaeps is unable to modify the Services to prevent disclosure of Personal Information to the new subprocessor, you will have the right to terminate the relevant Processing.
Enforcement and dispute resolution
If you have any questions or concerns, please write to Us at the address listed below. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the Privacy Shield Principles of applicable laws.
Disclosures required by law
We may need to disclose Personal Information in response to lawful requests by public authorities for law enforcement or national security reasons or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.
Return or disposal
At your discretion, Shaeps will destroy all Personal Information to you after the end of the provision of the Services, unless applicable law requires storage of the Personal Information.
Severability and conflicts
In the event any provision of this DPA is held to be invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision herein. This DPA is expressly incorporated into and amends each of the Agreements. In the event of any conflict or inconsistency between the terms of this DPA and the Agreements, the terms of this DPA prevail. Notwithstanding the foregoing, this DPA shall not replace any comparable or additional rights relating to Processing contained in your Agreement (including any existing Data Processing Agreement in your Agreement), if applicable. In the event of any conflict or inconsistency between the terms of this DPA and the Agreements, on the one hand, and the terms of any framework or data transfer agreement entered into pursuant to sections herein, the terms of such framework or data transfer agreement prevail.
We reserve the right to modify, amend or discontinue, temporarily or permanently, this Data Processing Policy or any features or portions thereof at any time without prior notice and without incurring any obligation to you. The ‘last updated’ legend at the top of this Data Processing Policy indicates when it was last revised. Any changes will be effective upon the posting of such changes on the Site, and you are responsible for informing yourself of all applicable changes or notices. You should refer regularly to the Site, to review the current Data Processing Policy. Your continued use of a service after Shaeps’ posting of any changes will constitute your acceptance of such changes or modifications.