Last updated: 25.02.2021

This Data Processing Agreement (the "DPA") is made between the Company and the Customer and forms an integral part of the Terms of Use (the "Terms") available at The parties agree that the Company is the Data Processor and the Customer is the Data Controller.

Data Processor and Data Controller hereinafter each referred to as the "Party" and together as the "Parties".

The Data Processor and the Data Controller agree as follows:

1.1. "Applicable Privacy Law" means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders, or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.

1.2. "Affiliated Companies" means any legal entities controlling, controlled by, or under common control with Data Controller.

1.3. "Data Controller" means the party that has authority over the processing of Personal Data, determining the purpose for its use and the manner that it is processed.

1.4. "Data Processor" means the party that processes Personal Data on behalf of, and under the instruction of, the Data Controller.

1.5. "Data Protection Authority" means the official body that ensures compliance with the Applicable Privacy Law within its applicable jurisdiction.

1.6. "Data Subject" means the directly or indirectly identified or identifiable person to whom the Personal Data relates.

1.7. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

1.8. "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.9. "Personal Data" means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual, such as name, address, age, gender, income, family status, health records, etc.

1.10. "Processing", "processes" and "process" mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes, or process. It includes any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.

1.11. "Standard Contractual Clauses" ("SCC") means contractual clauses established by the European Commission concerning the international transfer of Personal Data, as set out in the Annex to Commission Decision 2010/87/EU.

1.12. "Sub-processor" means third-party data processor engaged by the Data Processor, who has or potentially will have access to, or processes Personal Data.

2.1. The subject matter, duration, nature, and purpose(s) of the processing of Personal Data, as well as the type of Personal Data and categories of Data Subjects, are specified in Schedule A.

2.2. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Schedule A.

2.3. In case the Data Processor receives additional information that is not needed to fulfill the Terms, it must inform the Data Controller immediately and stop the processing of the additional Personal Data.

3.1. The Data Processor shall process the Personal Data only on the instructions from the Data Controller and for no other purpose than the purpose(s) defined in Schedule A.

3.2. The Data Processor shall inform the Data Controller if, in its opinion, an instruction infringes the GDPR or the Applicable Privacy Law. The processing of the Personal Data required in said instruction shall be delayed.

3.3. If the Data Processor is required to transfer Personal Data to a law enforcement agency, it shall inform the Data Controller of that legal requirement before processing the Personal Data, unless that law prohibits such information on important grounds of public interest.

4.1. The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Technical and organizational security measures are listed in Schedule B.

4.2. In assessing the appropriate level of security, the Data Processor shall take into account the risks that are presented by Processing Person Data, in particular risks arising from a Data Breach.

5.1. The Data Processor shall ensure that all employees with access to the Personal Data, are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment.

5.2. The Data Processor shall provide access to Personal Data to its employees on a need-to-know basis only and shall make sure that the employees are aware and compliant with the Terms, the DPA, Data Controller's written instructions, and the Applicable Privacy Law.

5.3. The Data Processor shall train its employees involved in the processing of the Personal Data to comply with the Applicable Privacy Law and with the requirements established in this DPA.

6.1. Data Controller authorizes Data Processor to appoint (and permit each Sub-processor appointed in accordance with this Clause 6 to appoint) Sub-processors in accordance with this Clause 6 and any restrictions in the Terms.

6.2. The Data Controller hereby grants general written authorization to the Data Processor to engage an additional or replace existing Sub-processors for the processing of the Personal Data under the Terms. Upon request of the Data Controller, the Data Processor will provide a list of such Sub-processors. The Data Controller has the right to object to any Sub-processor. The objection shall be made by written communication within 10 business days after receipt of the requested list of Sub-processors. The Data Processor shall use reasonable efforts to replace the Sub-processor.

6.3. Where the Data Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the Sub-processor by way of a written contract. The Sub-processor in particular shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Privacy Law.

7.1. The Data Processor shall assist the Data Controller in fulfilling its obligations concerning the requests to exercise Data Subject rights under the GDPR and the Applicable Privacy Law.

7.2. The Data Processor shall promptly transfer to the Data Controller any request received from the Data Subjects and shall inform the Data Subjects that they can direct their requests directly to the Data Controller. The Data Processor will only handle the requests of the Data Subjects according to the Data Controller's instructions.

8.1. The Data Processor shall notify the Data Controller on Data Breach without undue delay. The notification shall include:

8.1.1. Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;

8.1.2. Likely consequences of the Data Breach;

8.1.3. Measures taken or proposed to address and/or mitigate the effects of the Data Breach.

8.2. The Data Processor shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Applicable Privacy Law, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.

8.3. Parties need the prior approval of the other Party to include and identify them in the breach notifications. Parties should not delay or withhold the approval without a reasonable cause.

9.1. Upon request, the Data Processor shall assist the Data Controller to comply with its obligations under the Applicable Privacy Law when related to the processing of the Personal Data.

9.2. The Data Processor shall make available to the Data Controller all information necessary to comply with its obligations under the DPA and the Applicable Privacy Law.

9.3. The Data Processor shall notify the Data Controller of any requirements from an official authority as soon as possible.

10.1. Upon prior notice and no more than once a year, the Data Controller has the right to conduct an audit to verify the Data Processor's compliance with the DPA.

10.2. The Data Processor shall make available to the Data Controller documentation necessary to demonstrate compliance with this DPA and Applicable Privacy Law, in particular, to provide information about appropriate technical and organizational measures that have been implemented. Such documentation can be a current attestation, reports or expert reports from independent bodies (auditors, DPO, accountant), certifications from an IT security or data protection audit, or a certification approved by the Data Protection Authority.

10.2.1. The Data Controller can do more than one yearly audit in case of a Data Breach or a security incident.

10.2.2. The Data Controller shall schedule the audit with the Data Processor at least 2 weeks in advance.

10.2.3. Both Parties shall agree upon the scope, the timing, and the duration of the audit.

10.3. The audit might be carried out by the Data Controller directly or by a third-party auditor appointed by the Data Controller.

10.4. The Data Controller has the right to object the use of a particular third-party auditor.

11.1. The Data Processor shall maintain a record of all categories of processing activities carried out on behalf of the Data Controller. The records shall be in writing, including in electronic form.

12.1. The Data Processor shall promptly and in any event within ninety (90) days of the date of this DPA termination, return or irrevocably delete or remove the Personal Data, unless storage of the Personal Data is required by law.

12.2. The Data Processor may retain Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by Applicable Privacy Law and always provided that Data Processor shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Privacy Law requiring its storage and for no other purpose.


13.1. The Data Processor may transfer or otherwise process Personal Data outside the European Economic Area ("EEA") without obtaining the Data Controller's prior written consent.

13.2. The Data Processor may only process, or permit the processing, of Personal Data outside the EEA under the following conditions:

13.2.1. the Data Processor is processing Personal Data in a territory in relation to which the European Commission has made an adequacy decision; or

13.2.2. the transfer is governed by a framework approved by the European Commission to which the Data Processor is officially certified; or

13.2.3. the Parties have executed Standard Contractual Clauses.

13.3. If the transfer requires the execution of the SCC, the unchanged version of the SCC shall be deemed incorporated by reference hereto as Schedule C. For the purposes of the SCC, Data Controller is the data exporter, Data Processor is the data importer, and the governing law is as stipulated in the Terms. For the purposes of Appendix 1 to the SCC (i) data subjects, categories of data shall be those defined in Schedule A to this DPA; (ii) no special categories of data will be transferred; (iii) processing operations will be processing activities necessary for the provision of services described in the Terms For the purposes of Appendix 2 technical and organizational security measures will be measures defined in Schedule B to the DPA.

14.1. This Clause 14 is applicable to the processing of the Personal Information of Consumers. The terms "Personal Information" and "Consumer" shall have the meanings stipulated in the California Consumer Privacy Act of 2018, as amended from time to time ("CCPA").

14.2. The Data Processor shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Terms.

14.3. The Data Processor shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the services specified in the Terms.

14.4. The Data Processor shall not retain, use, or disclose Personal Information outside of the direct business relationship between the Data Processor and the Data Controller.

14.5. The Data Processor shall refrain from selling Personal Information, as the term "sell" is defined in the CCPA.

14.6. The Data Processor certifies that it understands the restrictions in Clauses 14.2 – 14.5 hereof and will comply with them.

15.1. This DPA will be effective as of the date of Terms acceptance by the Data Controller.

15.2. This DPA will remain in force and effect so long as the Terms remain in effect. Termination of this DPA shall not affect Parties' accrued rights and obligations at the date of termination and the provisions of Clause 12 (Return and Deletion of Personal Data) hereof.

16.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective or unenforceable, then the validity, effectiveness, and enforceability of the other provisions of this DPA shall remain unaffected thereby.

16.2. Any such invalid, ineffective or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.

16.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.

17.1. Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions, and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject-matter of this DPA.

18.1. The DPA shall be governed by law as stipulated in the Terms.

18.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

19.1. In the case of conflict or ambiguity between:

19.1.1. any provision of the DPA and any provision of the Terms, the provisions of the DPA shall prevail;

19.1.2. any provision contained in the body of the Terms and any provision contained in the Schedules, the provisions in the body of the Terms shall prevail;

19.1.3. any provision of the Terms and any executed SCC, the provisions of the executed SCC shall prevail.
Schedule A – Details of Personal Data Processing

This Schedule includes certain details of processing of Personal Data by Data Processor as required by Applicable Privacy Law.
Schedule B - Technical and Organisational Security Measures

Data Processor will, as a minimum, implement the following types of security measures:

Physical access control, password security procedures, encryption of data, internal policies and procedures, remote storage; anti-virus/firewall systems.

Last updated: 25.02.2021
Stellen Sie sicher, dass Ihre Kunden den Kauf abschließen – erstellen Sie einen vertrauenswürdigen Checkout in der Domain Ihres Shops, fügen Sie Anreize, Motivatoren und Countdown hinzu.
Wählen Sie die für Sie geeignete Verkehrsplattform aus. Checkify sendet Checkout-Ereignisse an Google, Facebook, TikTok, Pinterest, Snapchat, Twitter, Taboola und Outbrain.
Benutzerdefinierte Formulare
Holen Sie sich noch mehr Macht und Kontrolle über die Checkout-Seite mit anpassbaren Versandadressenformularen: Fügen Sie Felder nach Belieben hinzu oder entfernen Sie sie und richten Sie sie auf die jeweilige geografische Region aus.
Verbinden Sie Checkify Checkout und akzeptieren Sie Stripe- und PayPal-Zahlungen ohne die zusätzlichen Gebühren der Shopify-Plattform.
Learn more →