Data Processing Agreement under Article 28 of the European Regulation 2016/679

Last update: January 21, 2025

A Data Processing Agreement (DPA) is a contract between a company (the data controller) and a service provider (the data processor) that stipulates how personal data is to be processed. It defines the responsibilities of both parties, ensuring data protection in accordance with privacy laws. Mumble S.r.l. will process data owned by the Merchant in order to provide account management services, App maintenance, and IT service and support.

This personal data processing agreement (hereinafter, “Agreement”) supplements the Shoppy Service Terms and Conditions available at this link as updated from time to time, or other agreement between Merchant and Mumble governing Merchant’s use of the Services (the “Terms”).

This Agreement is entered into between Merchant as the Data Controller (hereinafter, in addition to the definitions contained in the Terms, also “Data Controller”), as defined in the Agreement, and Mumble S.r.l., with registered office at Via Tacito 17 – 41123 – Modena (MO), VAT No. 03525740365, as the Data Processor (hereinafter, in addition to the definitions contained in the Terms, also “Data Processor”) (hereinafter, jointly the “Parties” or severally the “Party”).

Whereas

  • according to Art. 28 of the EU Reg. No. 2016/679 (hereinafter “Regulation” or “GDPR”), the Data Controller may propose a natural person, a legal person, a public administration and any other entity, association or body as the Data Processor, which shall be selected from among entities that, due to their experience, capacity and reliability, provide suitable guarantees of full compliance with the applicable provisions on processing, including security profiles;
  • the Data Processor must present sufficient guarantees to put in place appropriate technical and organizational measures so that the processing meets the requirements of the Regulation and guarantees the protection of the rights of the data subject;
  • the Processor must carry out the processing in accordance with the instructions given by the Controller;
  • the Data Controller shall allow the Data Processor and anyone acting under its authority access only to the personal data whose knowledge is necessary to perform the tasks assigned to them;
  • with this Agreement, the Data Controller intends to appoint Mumble as Data Processor pursuant to Article 28 GDPR.

1. Privacy roles

  1. The Data Controller, who is responsible for decisions regarding the purposes and methods of personal data processing, designates Mumble as the Data Processor for the purposes and processing operations indicated in Section 2 – Scope of Processing of this document, carried out within the framework of the contractual agreements in force. 
  2. In any case, the Data Controller entrusts the Data Processor with all – and exclusively – the personal data processing operations necessary to fully execute the Terms.

2. Scope of the Data Processor’s processing activities

Personal data

  • Biographical data: first name, last name;
  • Contact data: address, e-mail address, phone number;
  • Browsing data: IP address, geolocation, information about the operating system used;
  • Usage Data: information generated in the context of using the Platform and App, such as e.g. log data, data related to registrations made, interaction processes, performance indicators, data related to navigation flows and feature usage, user ID and device ID;
  • Data related to service requests: content of the request

Data subjects

  • Merchant’s App Visitors
  • Merchant’s App Customers

Purpose

  • Account Management
  • App Maintenance
  • IT assistance and support

Nature of data processing

  • Collection
  • Registration
  • Organization
  • Structuring
  • Storage
  • Consultation 
  • Use
  • Transmission

3. Data Processor duties

  1. The Data Processor, to the extent of its competence, is obliged under the law and this Agreement, for itself and its employees and for anyone cooperating with its activity, to comply with the provisions of the Regulation, the applicable national sector legislation, and the provisions and/or authorizations and/or guidelines of the Privacy Authority if and insofar as applicable. The Data Processor shall perform the processing functional to the tasks assigned to it in accordance with this Agreement and the purposes for which the data are collected. Should the need arise for processing of personal data that is different from, and exceptional compared to, that normally performed, the Data Processor undertakes to inform the Data Controller in advance and in good time, who may object.
  2. The Data Processor, taking into account the state of the art and the cost of implementation, as well as the nature, object, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, shall implement appropriate organizational and technical measures to ensure a level of security appropriate to the risk and to protect the personal data received as provided for in Article 32 of the GDPR. The Data Processor is authorized to implement alternative measures or establish alternative data storage locations provided that the security level of the chosen measures or locations is deemed, in all respects, adequate.
  3. Where the Data Processor discloses personal data covered by this agreement to its personnel, the Data Processor shall ensure that such personnel:
    1. has committed to confidentiality or is subject to a legal obligation of confidentiality, and;
    2. processes the Data Controller’s personal data following the instructions of the Data Controller in compliance with the obligations contained in this Agreement.

4. Data Controller’s duties

  1. The Data Controller undertakes to take all appropriate and necessary actions and will be responsible for the consequences of any unsuitable use of the Service by the Data Controller employees and, in particular, for the confidential storage of the names and passwords for access to the Service.
  2. The Data Controller guarantees that the personal data and/or special categories of personal data transmitted by him/her to the Data Processor are collected in compliance with every requirement of the current legislation on the processing of personal data, including the identification of the correct condition of lawfulness. The Data Controller declares that the personal data transferred by him/her to the Data Processor are accurate, relevant and not in excess of the purposes identified in this agreement. The Data Controller acknowledges that it is the responsibility of the Data Controller to comply with any applicable additional duties and obligations in order to make the transfer of personal data to the Processors and Sub-Processors lawful in accordance with the applicable legal provisions on the protection of personal data.
  3. The Data Controller remains responsible for the processing of information implemented through application procedures developed according to its specifications and/or through its own IT or telecommunications tools. The Data Processor, at the request of the Data Controller, assists the latter in the procedures before the Privacy Authority or the judicial authority in relation to the activities falling within its competence.

5. Sub-processors

The Data Controller agrees that, exclusively for the provision of the Service, the Data Processor may use Sub-Processors to process personal data conferred by the Data Controller. Sub-Processors will be bound by a legal agreement containing the same obligations identified in this Agreement in relation to the protection of personal data processed, including the adoption of appropriate technical and organizational measures.

6. Obligations of cooperation and assistance

  1. The Parties undertake to cooperate in good faith to ensure compliance with the provisions of this Agreement. The Data Processor shall ensure assistance towards the Data Controller in the event of the exercise of the data subject’s rights, in the management of any security incidents and personal data breaches in order to mitigate the possible adverse effects resulting from them. 
  2. The Data Processor also ensures cooperation with the supervisory authorities, including by taking appropriate technical and organizational measures to ensure compliance with these obligations.

7. Data transfer

  1. To the extent that the Regulation is applicable and there is no Adequacy Decision, Data Controller and Data Processor agree to sign the Standard Contractual Clauses identified by the European Commission. On this point, the Data Controller expressly authorizes the signing of the Model Contractual Clauses, allowing the Data Processor to sign the Model Contractual Clauses with countries outside the European Economic Area on behalf of the Data Controller.
  2. Data Controller acknowledges its responsibility with respect to complying with any applicable additional duties and obligations in order to make the transfer of personal data to Data Processors and Sub-Processors lawful under the applicable provisions of the law on personal data.

8. Return and deletion of data

  1. Upon completion of the entrusted processing operations, as well as upon termination for any cause of the processing by the Data Processor or of the relationship underlying the Service, the Data Controller may, at its discretion, instruct the Data Processor to: i) return to the Data Controller the personal data subject to processing or ii) provide for their complete destruction, except only in cases where retention of the data is required by law or other purposes.
  2. In case no preference is expressed within six months after the termination of the relationship, the Data Controller states that it instructs the Data Processor to automatically delete the data subject to this processing.

9. Data breach

  1. The Data Controller acknowledges and agrees that the Data Processor will not be held liable in the event of a personal data breach that is not attributable to the Data Processor’s willful misconduct or gross negligence.
  2. In the event that the Data Processor becomes aware of a personal data breach, it shall:
    1. take all appropriate measures to contain and mitigate the personal data breach, including notifying the Data Controller without undue delay. The Data Processor reserves the right to determine the measures to be put in place to comply with the applicable legal provision;
    2. cooperate with the Data Controller to investigate: the nature, categories and approximate number of data subjects involved, the categories and approximate number of personal data involved, and the likely consequences of such breach in a manner commensurate with the seriousness of the breach and its overall impact on the Data Controller and the provision of the Service under this Agreement;
    3. where the applicable data protection legal provisions require notification to the relevant supervisory authorities and data subjects of a personal data breach, the Data Processor shall comply with the instructions of the Data Controller, who alone shall have the right to determine the measures to comply with the applicable provisions and remedy any risk, including (i) determining to whom any notification should be addressed under the applicable legal provisions and (ii) determining the content of the notice referred to in the preceding paragraph, as well as any remedial measures, including the nature and recipients thereof.

10. Duration

  1. This appointment will have the same duration as the Terms. Should the latter lapse or become ineffective for any reason whatsoever, this appointment will also automatically lapse without the need for notice or revocation, and the Data Processor will no longer be entitled to process Data Controller’s data.
  2. It is understood that this Agreement does not entail any remuneration for the Data Processor, the activities to be performed by the Data Processor under this appointment having already been taken into account in the determination of the remuneration under the Agreement.