This Data Processing Agreement (DPA) applies where egenta s.r.o. processes personal data on behalf of a B2B client in connection with EasyMarketplace.eu services.
This DPA is intended to satisfy the requirements of Article 28 GDPR where the client acts as controller and egenta s.r.o. acts as processor.
1. Parties and roles
Controller: the B2B client identified in the applicable commercial agreement, order form, statement of work or onboarding document.
Processor: egenta s.r.o., Varšavská 715/36, 120 00 Praha 2 - Vinohrady, Czech Republic, Company ID (IČO): 05594481.
For certain activities, such as invoicing, accounting, legal compliance, internal client management and business administration, egenta s.r.o. may act as an independent controller.
2. Subject matter
The subject matter is the processing of personal data necessary to provide marketplace management, operational support, customer message handling, order support, returns coordination, marketplace account support, SaaS or related B2B services to the client.
3. Duration
Processing will continue for the duration of the service relationship and any post-termination period necessary for data export, deletion, legal compliance, dispute management or agreed transition assistance.
4. Nature and purpose of processing
Processing may include collection, access, consultation, organization, storage, retrieval, use, transmission, disclosure by transmission, alignment, combination, restriction, deletion and return of personal data.
The purposes may include:
- marketplace account operational support;
- customer message management;
- order, return and support coordination;
- catalog, SKU, offer and listing operations;
- reporting and performance monitoring;
- technical support and SaaS operation;
- client onboarding and service administration;
- troubleshooting, security and audit support.
5. Categories of data subjects
Depending on the agreed services, data subjects may include:
- client employees, directors, contractors and authorized users;
- marketplace customers and end customers;
- customer service contacts;
- suppliers, carriers, logistics contacts and return recipients;
- marketplace or platform support contacts;
- other individuals whose data is included in client-provided systems or communications.
6. Categories of personal data
Personal data may include:
- names, business roles and contact details;
- marketplace account user details;
- customer names, addresses, email addresses and phone numbers;
- order references, return references and shipment information;
- customer service messages and complaint details;
- product questions and support communications;
- technical identifiers, logs and access records;
- other personal data made available by the client for service delivery.
The client must not provide special categories of personal data unless expressly agreed in writing and unless appropriate safeguards are implemented.
7. Processor obligations
egenta s.r.o. shall:
- process personal data only on documented instructions from the client, unless required by law;
- ensure that persons authorized to process the data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures;
- assist the client, taking into account the nature of processing, with data subject requests where reasonably possible;
- assist the client with security, breach notification, data protection impact assessments and consultations where required and reasonably applicable;
- delete or return personal data after the end of services, unless retention is required by law or necessary for legal claims;
- make available information reasonably necessary to demonstrate compliance with this DPA;
- notify the client if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
8. Client obligations
The client shall:
- ensure that it has a valid legal basis to process and disclose personal data to egenta s.r.o.;
- provide lawful, clear and documented processing instructions;
- ensure that data subjects receive required privacy notices;
- ensure that only necessary personal data is provided;
- comply with marketplace, consumer, employment, tax and data protection obligations applicable to its business;
- maintain appropriate account access controls and permissions;
- avoid providing special categories of personal data unless necessary and expressly agreed.
9. Security measures
egenta s.r.o. shall implement appropriate technical and organizational measures considering the nature, scope, context and purposes of processing. Measures may include:
- role-based access control and least privilege access;
- secure credential handling;
- encryption in transit where supported;
- password protection and multi-factor authentication where available;
- confidentiality commitments;
- restricted internal access to client data;
- backup and recovery processes where applicable;
- logging and monitoring appropriate to the service;
- secure deletion or return procedures;
- incident response procedures.
More details are described in Annex 2 of this DPA.
10. Subprocessors
The client authorizes egenta s.r.o. to use subprocessors necessary to provide the services, including hosting, email, CRM, support, cloud, analytics, security and operational providers.
egenta s.r.o. shall ensure that subprocessors engaged to process personal data on behalf of the client are bound by written obligations providing an appropriate level of data protection.
The subprocessors are listed in Annex 3 and updated from time to time. The client may object to a new subprocessor on reasonable data protection grounds.
11. International transfers
Where processing involves transfer of personal data outside the European Economic Area, egenta s.r.o. shall use an appropriate transfer mechanism under GDPR, such as an adequacy decision, EU Standard Contractual Clauses, supplementary measures where required, or another lawful mechanism.
12. Personal data breach
egenta s.r.o. shall notify the client without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the client.
The notification shall include information reasonably available to egenta s.r.o. and reasonably necessary for the client to comply with its own breach notification obligations.
13. Data subject requests
If egenta s.r.o. receives a request directly from a data subject relating to client-controlled personal data, it will, where legally permitted and reasonably possible, forward the request to the client or advise the data subject to contact the client.
egenta s.r.o. shall not respond on behalf of the client unless instructed to do so.
14. Audits
Upon reasonable written request, egenta s.r.o. shall provide information necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, subject to confidentiality, limited to relevant processing activities and must not compromise security, confidentiality or other clients' data.
15. Return or deletion
At the end of the services, the client may request return or deletion of personal data processed on its behalf. egenta s.r.o. may retain copies where required by law or where necessary for legal claims, backup integrity or legitimate business administration, provided such data remains protected and is not processed for other purposes.
16. Liability and order of precedence
Liability under this DPA is subject to the liability provisions of the applicable commercial agreement, unless prohibited by mandatory law.
If there is a conflict between this DPA and the commercial agreement concerning personal data processing, this DPA prevails for data protection matters.
Annex 1 - Processing details
Subject matter: marketplace operations, customer support, account support, catalog, order, return, reporting, SaaS and related B2B services.
Duration: duration of the service relationship plus required retention or transition period.
Nature of processing: collection, access, consultation, storage, use, organization, disclosure, deletion and return.
Purpose: delivery of agreed B2B marketplace services.
Categories of data subjects: client personnel, marketplace customers, support contacts, suppliers, carriers and other individuals included in client-provided systems.
Categories of personal data: identity, contact, order, return, shipment, support, communication, technical and account access data.
Special categories: not expected and not permitted unless expressly agreed in writing.
Annex 2 - Technical and organizational measures
- access control and least privilege permissions;
- multi-factor authentication where available;
- password and credential security;
- confidentiality obligations;
- encrypted website traffic using TLS;
- secure hosting provider controls;
- restricted access to client files and systems;
- staff awareness of confidentiality and data protection;
- logging and monitoring to maintain security, troubleshoot issues and detect abuse;
- periodic review and removal of access rights that are no longer needed;
- website form spam and abuse mitigation controls;
- backup and recovery where applicable, with periodic testing or review of recovery procedures where appropriate;
- incident escalation process;
- subprocessor due diligence;
- data minimization and deletion practices.
Annex 3 - Subprocessors
The following subprocessors may process personal data on behalf of egenta s.r.o. in connection with EasyMarketplace.eu, website operation or B2B services:
- Vercel Inc. (United States) — website hosting and infrastructure; US transfers under the EU-U.S. Data Privacy Framework and/or EU Standard Contractual Clauses.
- Web3Forms — contact-form handling and delivery. [confirm legal entity, country and DPA]
- Calendly LLC (United States) — meeting scheduling (link-out); US transfers under EU Standard Contractual Clauses.
- [Email provider] — business email and communication. [confirm entity/country]
No analytics, advertising, CRM or cookie-consent providers are enabled at launch; any such provider is added to this Annex before it goes live.
Contact
For data processing questions, contact sales@easymarketplace.eu.
