VERSION 1.0 — Article 28 GDPR Last Updated: 17 July 2026
This Data Processing Addendum ("DPA") forms part of the Eurodrop Terms of Service and applies whenever a Seller uses Platform features under which Eurodrop processes personal data on behalf of the Seller, in particular the shop broadcast / messaging feature ("Covered Features"). By activating a Covered Feature, the Seller accepts this DPA.
1.1. Controller: the Seller (as identified in the Seller's account). 1.2. Processor: [LEGAL ENTITY NAME], reg. No. [•], Latvia ("Eurodrop"). 1.3. For all other processing described in the Privacy Policy (e.g., operating the Platform, KYBC, DAC7), Eurodrop acts as an independent controller; this DPA does not apply to that processing.
| Element | Description |
|---|---|
| Subject matter | Sending messages via the Eurodrop bot to the Seller's own past buyers; storing and managing the Seller's messaging base |
| Duration | For as long as the Seller uses the Covered Features, plus deletion periods in Section 9 |
| Nature | Storage, organisation, transmission of messages, erasure |
| Purpose | Enabling the Seller to communicate with its own past buyers (service messages and, where lawful, direct marketing) |
| Categories of data subjects | The Seller's past buyers who submitted order enquiries to that Seller |
| Categories of personal data | Telegram identifiers (ID, name, username); enquiry history reference; opt-out status. No special categories (Art. 9 GDPR) may be processed under this DPA. |
3.1. The Seller warrants that it has a valid legal basis for each broadcast. For direct marketing by electronic means this means, under the ePrivacy rules and the Latvian Information Society Services Law: (a) prior opt-in consent of the recipient; or (b) the "soft opt-in" exception: the Seller obtained the contact in the context of a sale of its own goods/services, markets only its own similar goods/services, and every message contains a clear, free, and easy opt-out.
3.2. The Seller must not upload contact lists obtained outside the Platform into the Covered Features. The messaging base is limited to buyers who contacted that Seller through the Platform.
3.3. The Seller is responsible for the content of its messages and for honouring opt-outs immediately.
3.4. The Seller must inform its buyers of the processing (the Platform's enquiry flow includes a notice for this purpose; the Seller must not disable or contradict it).
Eurodrop shall: (a) process personal data only on the Seller's documented instructions (given via the Covered Features' interface), including with regard to transfers, unless required otherwise by Union or Member State law — in which case Eurodrop informs the Seller before processing, unless the law prohibits it; (b) inform the Seller immediately if, in Eurodrop's opinion, an instruction infringes the GDPR or other data-protection law, and suspend execution of manifestly unlawful instructions (e.g., broadcasts to recipients who have opted out); (c) ensure that persons authorised to process the data are bound by confidentiality; (d) implement the technical and organisational measures in Annex 1; (e) respect the sub-processing conditions in Section 5; (f) taking into account the nature of the processing, assist the Seller by appropriate technical and organisational measures in responding to data-subject requests (Chapter III GDPR), including built-in opt-out handling; (g) assist the Seller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA), taking into account the nature of processing and information available to Eurodrop; (h) at the Seller's choice, delete or return all personal data after the end of the Covered Features, and delete existing copies unless Union or Member State law requires storage; (i) make available to the Seller information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits as described in Section 7.
5.1. The Seller gives general written authorisation for the sub-processors in Annex 2 (currently: Cloudflare, Inc. — hosting/infrastructure; Telegram — message transport). 5.2. Eurodrop will inform Sellers of intended additions or replacements at least [14] days in advance via the Platform, giving the Seller the opportunity to object; if the Seller objects on reasonable data-protection grounds and no solution is found, the Seller may stop using the Covered Features. 5.3. Eurodrop imposes on each sub-processor, by contract, data-protection obligations equivalent to this DPA and remains fully liable to the Seller for the sub-processor's performance.
Transfers outside the EU/EEA occur only with appropriate safeguards under Chapter V GDPR (adequacy decision, EU–U.S. Data Privacy Framework certification, or Standard Contractual Clauses), as described in the Privacy Policy, Section 5.
Eurodrop makes available compliance documentation (including summaries of security measures and sub-processor lists). Where this is insufficient, the Seller may, at its own cost, once per 12 months and on [30] days' notice, conduct or mandate an audit limited to the processing under this DPA, during business hours, without disrupting operations, subject to confidentiality.
Eurodrop notifies the Seller without undue delay after becoming aware of a personal data breach affecting the Seller's data under this DPA, providing the information reasonably required for the Seller's obligations under Articles 33–34 GDPR, and cooperates in remediation.
9.1. Upon deactivation of a Covered Feature or termination of the Seller's account, Eurodrop deletes the Seller's messaging base within [30] days, except data Eurodrop must retain under Union or Member State law (retained only for that purpose and period). 9.2. Opt-out records may be retained in suppressed form solely to honour the opt-out.
10.1. Liability follows Art. 82 GDPR and the Terms of Service (Section 14), to the extent permitted by mandatory law. 10.2. In case of conflict between this DPA and the Terms regarding processing on behalf of the Seller, this DPA prevails.
| Sub-processor | Role | Location | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Hosting / infrastructure (Workers, KV) | USA / global | EU–U.S. DPF certification; SCCs |
| Telegram | Message transport / Mini App delivery | [per Telegram's terms] | [assess and complete — see lawyer note] |
Template — must be reviewed by a qualified Latvian lawyer, in particular the qualification of Telegram in the transport chain and the transfer safeguards applicable to it. A Latvian-language version should be prepared for Latvian-resident Sellers.
Compliance-oriented template based on EU & Latvian law (DSA, P2B, GPSR, DAC7, GDPR, ePrivacy, EAA, Rome I/Brussels Ia). Not legal advice; review by a qualified Latvian lawyer and complete every [•] before relying on it.