Data Processing TermsEffective: October 29, 2021
These Data Processing Terms (“Terms”) are a binding part of the Terms of Service between Awkward. Styles and its affiliated companies and Merchants concerning Awkward Styles services. If the Terms of Service and these Terms are in conflict, these Terms control. If you do not agree with the Data Processing Terms, please discontinue use of Awkward Styles Services.
- Capitalized terms not otherwise deﬁned herein shall have the same meaning as set forth in the Agreement.
- "Agreement" means the Terms of Service entered into by Awkward Styles and the Merchant regarding the use of Awkward Styles Service.
- "Controller to Processor Clauses" means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); [and (ii) in respect of transfers subject to the UK GDPR, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the UK, in each case as amended, updated or replaced from time to time.
- "Data Subject", "Controller", "Processor", "Personal Data", "Personal Data Breach", "Supervisory Authority" and “Processes” have the meanings given in the GDPR.
- "Data Protection Laws" means (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
- "Merchant" means any person, be it legal entity or natural person, that uses Awkward Styles Service to execute orders and/ or deliver its products to recipients, including the Merchant's customers.
- "Parties" means Awkward Styles and the Merchant.
- "Processor to Processor Clauses" means, as relevant, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor), or any equivalent clauses issued by the relevant competent authority of the UK in respect of transfers of Personal Data from the UK, in each case as in force and as amended, updated or replaced from time to time.
- "Service" means print-on-demand services oﬀered by Awkward Styles to Merchants including printing for personal use or outsourcing the printing and delivering of products to Merchant’s customers, as well as branding, warehousing and fulﬁllment, design, merchandising, and other services that Awkward Styles may provide in accordance with the requirements of the Merchant.
- “Third Countries” means, in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii)] 1 in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
2. Subject of the Terms
- These Terms govern the relationship between Awkward Styles and the Merchant in respect of any processing of Personal Data by Awkward Styles on behalf of the Merchant.
- To the extent that Awkward Styles Processes Personal Data on behalf of the Merchant, the Merchant is the Controller and Awkward Styles is the Processor and shall only process this Personal Data on behalf of the Merchant.
- The Merchant hereby appoints and instructs Awkward Styles to process the Personal Data as prescribed by these Terms, including with regard to the transfer of Personal Data to a Third Country or international organization.
3. Processing Details
3.1 To the extent that Awkward Styles Processes Personal Data on behalf of the Merchant, the following Processing details apply:
- Details of the data exporter and the data importer shall be set out in the Agreement between Awkward Styles and the Merchant.
- Categories of Data Subjects. Merchant’s customers (end users of Awkward Styles’s Services) and Merchant's potential customers or other end users of Awkward Styles's Services, whose personal data Merchant has authorized Awkward Styles to Process.
- Type of Personal Data. Personal Data relating to the Merchant's customers and any Personal Data in the Merchant’s printing content (where applicable) and Personal Data revealed during the use of any Awkward Styles Services, including name, email address, phone number, shipping address and other information about the Merchant's customers.
- Nature and purpose of processing. Awkward Styles processes Data in accordance with these Terms in order to provide the Merchant with the Service and otherwise ensure fulﬁlment of the obligations set out in the Agreement between the Merchant and Awkward Styles to the extent this involves the processing of Personal Data. Awkward Styles only has access to the Personal Data that has been provided by the Merchant and uses such Personal Data in accordance with the Merchant's instructions as set out in these Terms.
- Duration of processing. Data will be processed for the duration of the Agreement.
- No sensitive Personal Data will be processed (unless provided in any printing content).
- For transfers to (sub-) processors, the subject matter, nature and duration of the processing will be provided on a case-by-case basis.
4. Merchant Obligations
- The Merchant warrants that it has complied and continues to comply with the Data Protection Laws, including those as set out in Clause 4(b).
- The Merchant conﬁrms that the Personal Data transferred to Awkward Styles has been collected by the Merchant on a valid lawful basis and Merchant has obtained any necessary consents or given any necessary notices as prescribed by the Data Protection Laws, and that the Merchant is entitled to provide the Personal Data to Awkward Styles.
- The Merchant conﬁrms that these Terms contain suﬃcient instructions to Awkward Styles regarding the processing of Personal Data, as well as the scope and purposes thereof.
- If reasonably necessary, the Merchant may provide Awkward Styles with additional instructions regarding the processing of Personal Data other than those prescribed by these Terms. Such additional instructions must be reasonable for Awkward Styles to carry out, properly documented and in compliance with the Data Protection Laws and must also be accepted by Awkward Styles.
- The Merchant shall be responsible for the accuracy of the Personal Data and keeping it up to date and shall inform Awkward Styles in case of any changes in the Personal Data.
- Awkward Styles shall not be liable for any claims or complaints from Data Subjects regarding any action taken by Awkward Styles as a result of acting in accordance with instructions received from the Merchant. Further, the Merchant agrees that it will indemnify and hold harmless Awkward Styles on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Awkward Styles arising directly or indirectly from a breach of this Clause 4.
5. Obligations of Awkward Styles
- To the extent that Awkward Styles Processes Personal Data on behalf of the Merchant, Awkward Styles shall always follow the Merchant's written instructions prescribed by these Terms, or as otherwise provided to Awkward Styles in writing in accordance with Clause [4(e)]; unless required to Process such Personal Data by applicable law to which Awkward Styles is subject; in such a case, Awkward Styles shall inform the Merchant of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Awkward Styles shall immediately inform the Merchant if, in its opinion, a Processing instruction infringes Data Protection Laws.
- Awkward Styles shall implement the appropriate technical and organizational measures specified in Schedule 1 (Technical and Organization Security Measures).
- Awkward Styles shall ensure that its personnel authorized to Process Personal Data under these Terms have committed themselves to conﬁdentiality obligations or are under an appropriate statutory obligation of confidentiality.
6. Merchant Assistance
- Considering the nature of the Processing, Awkward Styles will provide all reasonable assistance to the Merchant, insofar as possible, for the fulﬁlment of the Merchant's obligations as the Controller in relation to:
- Any requests from Data Subjects in respect of access to, or rectiﬁcation, erasure, restriction, portability, blocking or deletion of their Personal Data in accordance with Data Protection Laws that Awkward Styles processes on behalf of the Merchant. In the event that a Data Subject sends such a request directly to Awkward Styles, Awkward Styles will promptly forward such request to the Merchant;
- The investigation of any Personal Data Breach in relation to the Personal Data Processed on behalf of the Merchant and, if applicable, the notiﬁcation to the relevant Supervisory Authority and Data Subjects regarding such Personal Data Breach (where required); further, Awkward Styles shall notify the Merchant of any Personal Data Breach without undue delay after becoming aware of a Personal Data Breach; and
- Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
7. Sub-processors and Data Transfer
- For Awkward Styles to be able to meet its obligations prescribed by the Agreement and to administer and provide the Service, the Merchant hereby grants Awkward Styles general written authorization to engage sub-processors. Merchant can obtain the list of current sub-processors engaged by Awkward Styles by contacting the registered account email address in the section below. The list will include the identities of sub-processors, provided services and country of location.
- Merchant will be notified about the appointment or any intended changes concerning the addition or replacement of Awkward Styles's sub-processors in this section of Awkward Styles's website. This notification will appear 10 (ten) days prior to the engagement of the sub-processor. During this period the Merchant can object to the appointment or replacement of the sub-processor by sending a written notice to firstname.lastname@example.org, providing reasonable grounds for objection (for example, in case of possible infringement of Data Protection Laws). If Merchant does not object, Awkward Styles shall proceed with the appointment or replacement.
- Awkward Styles hereby conﬁrms that its sub-processors are contractually or otherwise in a binding form required to comply with data processing obligations which are no less onerous on the relevant sub-processor than the obligations on Awkward Styles as prescribed by these Terms.
- The Merchant acknowledges and agrees Awkward Styles may appoint an affiliate or third-party subcontractor to Process the Merchant’s Personal Data in a Third Country, in which case Awkward Styles shall execute the Processor to Processor Clauses, if applicable and available, with any relevant subcontractor (including affiliates) it appoints on behalf of the Merchant.
- Where Awkward Styles Processes Personal Data in any Third Country and is acting as a data importer, Awkward Styles shall comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of these Terms. The Merchant shall comply with the data exporter’s obligations in such Controller to Processor Clauses:
- For the purposes of Annex I of the Controller to Processor Clauses, the Parties agree that the processing details set out in Clause 3 shall apply.
- for the purposes of Annex II of such Controller to Processor Clauses, the technical and organisational security measures set out in Schedule 1 (Technical and Organisation Security Measures) shall apply; and
- for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in 7B shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the location of the data exporter (iv) Clause 17, Option 1 is deemed to be selected and the governing law shall be Latvia unless otherwise expressly agreed between the Parties; (v) Clause 18, the competent courts shall be Latvia unless otherwise expressly agreed between the Parties.
- Upon the Merchant's written request, Awkward Styles shall provide suﬃcient information to demonstrate compliance with the obligations laid down in these Terms and Data Protection Laws. This information shall be provided to the extent that such information is within Awkward Styles's control and Awkward Styles is not precluded from disclosing it by applicable law, a duty of conﬁdentiality, or any other obligation owed to a third party.
- If information provided upon the Merchant's request in the Merchant's reasonable judgement is not suﬃcient to conﬁrm Awkward Styles's compliance with these Terms, then Awkward Styles agrees to allow for and contribute to data processing audits.
- Such audits are allowed to be carried out by an independent third party with good market reputation, provided that it has suﬃcient experience and competence to carry out data processing audits, and election of such auditor must be mutually agreed by both the Merchant and Awkward Styles.
- The timing and other practicalities related to any such audit or inspection are determined by Awkward Styles, and any such information and assistance are provided only at the expense of the Merchant. Awkward Styles reserves the right to charge the Merchant for any additional work or other costs incurred in connection with such audits. The Merchant may request such audit no more than once every 2 years.
- The auditor will have to sign a conﬁdentiality agreement, which includes an obligation not to disclose business information in its audit report, and the ﬁnal report will also have to be provided to Awkward Styles.
9. Deletion and Return of Data
At the choice of the Merchant, Awkward Styles will delete or return all Personal Data to the Merchant after the end of the Agreement, and shall delete existing copies, unless an applicable law requires Awkward Styles to store such Personal Data.
10. Governing Law
These Terms are governed by the laws of California and are subject to the dispute resolution procedure as prescribed by the Agreement.
Awkward Styles reserves the right, at its discretion, to modify these Terms. In case of material changes, Awkward Styles will notify the Merchant in writing, giving the Merchant the right to terminate the Agreement.
Technical and Organisational Security Measures
Awkward Styles shall take, among others, the following technical and organizational measures to ensure physical security of Personal Data and control system entry, access, transfer, input, availability, and separation of Personal Data:
- to establish the identity of the authorized persons and prevent unauthorized access to Awkward Styles’s premises and facilities in which the Personal Data are processed:
- All entrances are secured or locked and can only be accessed with the appropriate key / chip card / internal digital keys;
- Premises are protected by an alarm system;
- All visitors are required to identify themselves and are signed-in by authorized staff;
- Video monitoring of premises;
- Visitors are accompanied by Awkward Styles’s personnel at all times;
- Trained security guards are stationed in and around the building 24/7,
- 2. to prevent unauthorized access to the data processing systems:
- Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection;
- Use of firewalls;
- During idle times, user and administrator PCs are locked;
- Users are required to setup complex passwords and 2FA in all systems as possible;
- Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization;
- Starter, mover & leaver housekeeping processes in place which covers access rights depends on job duties;
- 3. to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
- User and administrator access to the network is based on a group-based/ role-based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis;
- Administration of user rights through system administrators or system owners;
- IT governance & controls audits undertaken regularly by external 3rd party;
- Internal control audits undertaken regularly.