Technical and organizational measures

Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the Personal Data of the Customer, including as appropriate:

  • Pseudonymization and encryption;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data of the Customer in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
  • A backup and restore procedure for Personal Data;
  • Implementation of an access control system applicable to all users which have access to the IT system of the Processor;
  • Use of authentication credentials;
  • Traffic to and from the IT system is monitored and controlled by firewall and antivirus applications, or other unauthorized access detection systems, which are appropriately configured and regularly updated, in accordance with the updates available from the developer;
  • User may not disable or bypass the security settings, nor can they install or deactivate unauthorized software applications.

In assessing the appropriate level of security, the Processor shall take into account all the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

Physical security

  • Any rooms and areas in which physical elements or components of the IT infrastructure are located or terminals which allow any access, are restricted to unauthorized personnel. Adequate technical measures (e.g., systems for detection and alerting of unauthorized access, card access gates and access point blocking systems) or organizational measures (e.g., security agents) will be implemented, for the purpose of preventing any unauthorized personnel to access such areas and/or access points.

Human resources management

  • The Processor shall ensure that all its employees understand their duties and obligations with respect to the processing of Personal Data.

Policies and procedures

  • The Processor has implemented internal policies and procedures with respect to processing of Personal Data.

Personal Data Breach

  • The Processor ensures that it has implemented appropriate technical measures for the detection of a Personal Data Breach and that it has implemented a Personal Data Breach response policy, which ensures an effective response to any incidents related to Personal Data.

Personal Data of the Customer

Category of Data Subjects

  • Consumers, clients of the Customer;
  • Contact persons and/or legal representatives, in case of clients of the Customer which are legal entities.

Types of Personal Data

  • Identification data (first name, surname);
  • Contact data (delivery address, email address, telephone number);
  • Comments from orders (if applicable).

Processing Operations

☒collecting;   ☐registration;   ☐organizing;   ☒structuring;   ☒storage;   ☐adaptation   or   modification; extraction; ☐consultation; ☐use; ☒disclosure by transmission, dissemination or placement disposition in any other way; ☐alignment or combination; ☐restriction; ☐deletion or destruction.

Nature and purpose of Processing

Processing operations are performed by automatic means. Purpose of processing:

  • Sending orders, including all personal data related to it, to couriers agreed by the Parties, for


  • Storing data regarding the orders for consultation by the Customer;

Processing Time

Processing will take place during the validity period of the DPA.