Data Protection Terms
LAST UPDATED: March 30, 2022
These Data Protection Terms set forth the data protection terms that apply to the Happy Returns Merchant Terms and Conditions available at https://happyreturns.com/merchant-terms, as updated from time to time between Merchant and Happy Returns, or such other agreement between Merchant and Happy Returns governing Merchant’s use of the Happy Returns Services (collectively, the “Agreement”). In the event of a conflict between the provisions of the Agreement and the provisions of these Data Protection Terms, the Parties agree that the provisions of these Data Protection Terms shall control the interpretation of the Agreement and the Parties obligations under the Agreement. Unless otherwise defined in these Data Protection Terms, all capitalized terms used in these Data Protection Terms will have the meanings given to them in the Agreement.
These Data Protection Terms are effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with these Data Protection Terms. We may amend these Data Protection Terms from time to time. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will attempt to notify you by sending you an email to the last email address you provided to us and/or posting a notice on our website. You agree to promptly notify us of any changes in your email address. Any material changes to these Data Protection Terms will be effective upon the earlier of the dispatch of the email notice to you or the date of posting of notice of the changes on our website and shall be evidenced by a new “Last Updated” date shown above.
I. Data Protection terms
1. Definitions
For these Data Protection Terms, the following definitions shall apply.
a. "Controller" (also known as "Data Controller") means an entity that determines the purposes and means of Processing Personal Data. In the event such term (or a similar term addressing similar functions) is already defined in the applicable Data Protection Laws, then "Controller", as used herein, shall have the meaning provided in such applicable Data Protection Law, including the meaning of a "Business", as applicable, as defined in the California Consumer Privacy Act of 2018 (“CCPA”).
b. “Customer” means Merchant’s customers who use the Services and, for the purposes herein, are data subjects.
c. "Customer Data" means the Personal Data of the Customers that Happy Returns Processes in connection with the Services.
d. "Data Protection Laws" means any data protection laws, regulations, directives, regulatory requirements, and codes of practice applicable to the provision of the Agreement, including any amendments thereto and any associated regulations or instruments. (e.g., which may include, without limitation, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq, as amended by the California Privacy Rights Act of 2020 (“CCPA”), and its implementing regulations, the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018, and the Personal Data Protection Act 2012 (Singapore)).
e. "Personal Data" means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
f. “Process" or "Processed" or "Processing" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
2. Compliance with Data Protection Laws
With regard to any Personal Data Processed by either Party in connection with the Agreement, the Parties will respectively each be a Controller with respect to such Processing. Each Party agrees to comply with the requirements of the Data Protection Laws applicable to Controllers with respect to the provision of the Services and otherwise in connection with the Agreement, including with respect to any Personal Data provided by Merchant to Happy Returns pursuant to the Happy Returns Privacy Statement. For the avoidance of doubt, Happy Returns and Merchant each have their own, independently determined privacy policies or statements, notices, and procedures for the Personal Data they Process and are each a Controller (and not joint controllers). In complying with the Data Protection Laws, each Party shall, without limitation:
a. implement and maintain at all times all appropriate security measures in relation to the Processing of Personal Data;
b. maintain a record of all Processing activities carried out under the Agreement; and
c. not knowingly do anything or knowingly permit anything to be done which might lead to a breach by the other Party of the Data Protection Laws.
3. Merchant Notice to Customers.
In the event Merchant elects not to use Happy Returns’ online return and exchange service for accepting returns through a hosted web service, Merchant agrees to present the Happy Returns privacy policy (https://www.privacypolicy.happyreturns.com/en-us) to its Customers prior to sharing any Personal Data of its Customers with Happy Returns.
4. Cross Border Data Transfers
The Parties may transfer Customer Data Processed under the Agreement outside the country where it was collected as necessary to provide the Services. If the Parties transfer Customer Data protected under these Data Protection Terms to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision (an “Adequacy Decision”), such party will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with the applicable Data Protection Laws. The Parties each agree:
a. Happy Returns is located in a country that has not received an Adequacy Decision in the European Union, Switzerland, the Europeans Economic Area, and/or their member states and the United Kingdom, therefore, with respect to Merchant’s data transfers to Happy Returns, the Parties each agree that (i) to the extent applicable, Merchant’s signing of the Agreement will be deemed to be signature and acceptance of the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR (“EU Transfer Clauses”) by Merchant, as the data exporter and in the role of controller; (ii) to the extent applicable, Happy Return’s signature of the Agreement will be deemed to be signature and acceptance of the EU Transfer Clauses by Happy Returns, as the data importer and in the role of controller; and (iii) the Parties shall be subject to the Module 1 provisions of the EU Transfer Clauses. In the event the European Commission revises and thereafter publishes new EU Transfer Clauses (or as otherwise required or implemented by the European Commission) or the UK Secretary of State (or other applicable UK authorized body) approves and issues UK standard contractual clauses or other similar contractual mechanism (“UK Clauses”) to be used instead of the EU Transfer Clauses to legitimize Personal Data transfer outside the United Kingdom, the Parties agree that, respectively, such new EU Transfer Clauses or UK Clauses will supersede the present EU Transfer Clauses or UK Clauses, as applicable, and that they will take all such actions required to effect the execution of the new EU Transfer Clauses or UK Clauses, as applicable. The EU Transfer Clauses (Module 1) will be incorporated into the Agreement by reference and will be considered duly executed between the Parties upon entering into force of the Agreement subject to the following details:
1. In case of any transfers of Personal Data from Switzerland, subject exclusively to the Swiss Federal Act on Data Protection and other data protection laws of Switzerland (“Swiss Data Protection Laws”); or the United Kingdom, general and specific references in the SCC to: (a) Regulation (EU) 2016/679 or EU or Member State Law, shall have the same meaning as the equivalent reference in, respectively, the UK GDPR, the Data Protection Act 2018 and other data protection laws of United Kingdom (“UK Data Protection Laws”), or the Swiss Data Protection Laws; and (b) “Member State” or “EU Member State” or “EU” shall be read as references to, respectively, Switzerland, or United Kingdom;
2. in accordance with Clause 13 (Supervision) the competent Supervisory Authority shall be: (i) the National Commission for Data Protection (CNDP) in Luxembourg, or (ii) the Information Commissioner's Office where the data exporter is established in the United Kingdom or falls within the territorial scope of application of the UK Data Protection Laws, or (iii) the Swiss Federal Data Protection and Information Commissioner where the data exporter is established in Switzerland or falls within the territorial scope of application of the Swiss Data Protection Laws, insofar as the relevant data transfer is governed by Swiss Data Protection Laws;
3. option 1 of Clause 17 (Governing law) shall apply and the laws of Luxembourg (or where the data exporter is established in the United Kingdom, of the United Kingdom) shall govern the EU Transfer Clauses;
4. in accordance with Clause 18 (Choice of forum and jurisdiction), the courts of Luxembourg (or where the data exporter is established in the United Kingdom, of the United Kingdom) will resolve any dispute arising out of the EU Transfer Clauses; and
5. the Parties agree that the details required under the EU Transfer Clauses Appendix are as set forth on Attachment 1.
Attachment 1
To the Controller Terms for the Services
Appendix to the EU Transfer Clauses
Annex I.
A. List of Parties
Data Exporter
· Name and Address: The data exporter is the Merchant and the address is as provided in the Agreement
· Contact person’s name, position and contact details: as provided in the Agreement
· Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
· Signature and date: please see the “Cross Border Transfers” section of these Data Protection Terms
· Role (controller/processor): controller
Data Importer
· Name and Address: The data importer is Happy Returns and the address is as provided in the Agreement
· Contact person’s name, position and contact details: as provided in the Agreement
· Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement Signature and date: please see the “Cross Border Transfers” section of these Data Protection Terms
· Role (controller/processor): controller
B. Description of Transfer
Data Subjects Whose Personal Data is Transferred
The Personal Data transferred concern the following categories of data subjects:
· The data exporter’s customers.
Categories of Personal Data Transferred
The Personal Data transferred may include the following categories of data:
· customer name, payment amount, shopping history, account details, payment card details, post code, country code, address, email address, fax, phone, shipping details, IP Address, location, and any other data received by Happy Returns under the Agreement
Sensitive Data Transferred (if appropriate) and Applied Restrictions or Safeguards
The Personal Data transferred concern the following categories of sensitive data:
The transfer of sensitive data is not anticipated.
Applicable restrictions and safeguards:
· Not applicable.
The frequency of the transfer:
Data exporter will transfer the data for the term set forth in the Agreement.
Nature of the Processing
As set forth in the Agreement.
Purpose(s) of the Transfer(s)
The transfer is made for the following purposes:
· Performance of the Services provided by data importer to data exporter in accordance with the Agreement.
· To comply with laws applicable to the data importer.
· As set forth in Schedule 1, the Data Protection Terms
The Period for which the Personal Data will be Retained, or, if that is not Possible, the Criteria Used to Determine that Period
The data importer only retains the Personal Data for as long as is necessary with regards the relevant purpose(s) it was collected for (please see purposes above). To determine the appropriate retention period for Personal Data, the data importer considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which the Personal Data is Processed and whether such purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
For transfers to (Sub-) Processors, also Specify Subject Matter, Nature and Duration of the Processing
The data importer may share Personal Data with third-party service providers that perform services and functions at the data importer’s direction and on its behalf. These third-party service providers may, for example, provide an element of the Services provided under the Agreement such as customer verification, transaction processing or customer support, or provide a service to the data importer that supports the Services provided under the Agreement such as storage. When determining the duration of the processing undertaken by the third-party service providers, the data importer applies the criteria provided above in this Annex I.
C. Supervisory Authority
In accordance with Clause 13(a) of the EU Transfer Clauses, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Schedule 1 shall act as competent supervisory authority.
Annex II: Technical and Organizations Measures
Including Technical and Organizational Measures to Ensure the Security of the Data
1. Pseudonymization, Encryption and the Protection of Data During Transmission.
Happy Returns encrypts data in transit and at rest.
2. Regular Testing, Assessment and Evaluating Effectiveness of Technical and Organizational measures.
Happy Returns periodically assesses and evaluates the effectiveness of its technological and organizational measures.
3. User Identification and Authorization.
Happy Returns restricts access to its network and any in-scope applications through use of unique corporate network account IDs and passwords for user identification and authentication.
4. Physical Security of Locations Where Personal Data is Processed.
Happy Returns’ safety and security policies and processes are designed to ensure appropriate safety and security practices, including physical security, in accordance with applicable laws, regulations and partner requirements
5. IT Governance and Management; Certification and Assurance of Processes and Products.
Happy Returns promotes a strong security philosophy across the company and has procedures, policies and practices in place designed to support Happy Returns in managing technology and information security risks and identifying, protecting, detecting, responding to and recovering from information security threats.
6. Data Minimization.
Our policies require technical controls that data elements collected and generated are those which are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Happy Returns’ privacy impact assessment processes ensure compliance with these policies.
7. Data Quality and Retention.
Happy Return’s monitors data quality, issues and remediations, as necessary, and upon expiration of applicable retention periods, data and information is disposed, deleted, or destroyed.
8. Accountability.
Happy Returns engages in data privacy and security practices that are aligned to industry standards and designed to engage stakeholder collaboration and partnership in awareness and compliance with company policies and controls. Happy Returns complies with accountability obligations of applicable Data Protection Laws.
9. Data Subject Rights.
Happy Returns ensures data subject rights are fulfilled, including access, correction and erasure, as applicable, except where Happy Returns has a legal, regulatory obligation or other legitimate business purpose for which such request cannot be completed.
10. Processors.
Happy Returns contractually requires its service providers, processors, and their subprocessors to put in place comprehensive data security and privacy standards throughout the processing chain.