Conditions for the Processing of Personal Data
In accordance with applicable data protection laws, the Provider, acting as a processor or sub-processor, performs processing of personal data for the Customer, acting as a controller or processor, according to the instructions of the Customer.
Subject-matter of processing, categories of data subjects and type of personal data
- The subject-matter of the processing is the personal data of the Recipients submitted to the Service by the Customer or processed by the Provider on its behalf, especially identification data, addresses, contact details, information about the Recipient’s transactions within its relationship with the Customer, information about Recipient’s actions within the Customer’s website, content of the Messages, Recipient’s activity relating to the received Messages and, where applicable, other data provided by the Customer to the Provider and relating to the Recipient (hereinafter the “personal data”).
- The extent to which the Recipient’s personal data is processed in each particular case shall always be determined solely by the Customer.
Nature, purpose and means of the processing
- The Provider processes personal data by automated means using statistical methods for the purpose of creating individualized Messages for the Recipients, sending Messages to the Recipients, receiving communications from the Recipients, evaluating business campaigns’ results and identifying non-human interactions with Messages.
Duration of the processing
- The processing of personal data by the Provider will be performed for the term of the Agreement, while content of any messages will be deleted immediately after sending these messages and meta-data will be processed for the duration of 30 days after sending of these messages. The Provider undertakes to perform its obligations regarding the protection of personal data for the entire term of the Agreement, unless it is apparent from the provisions of the Agreement that they should continue to be in effect after its expiry.
- The personal data will be erased by the Provider upon the Customer’s instruction, but no later than 30 days after the Customer’s request or termination of the Agreement, whichever occurs earlier. Until that time, the Customer is entitled to download a copy of the personal data.
- The Customer may choose to use “Strict privacy” mode for individual sending domains. In case the sending domain is set for a strict privacy mode, the Provider will not store any personal information for messages sent from this domain in its systems and all personal information will be fully anonymized after message meta-data is relayed to the Customer.
Representations of the Customer
- The Customer represents and warrants that, as a controller or processor of the personal data of the Recipients, it fulfils all of its obligations under applicable data protection laws for the term of the Agreement, in particular:
- processes personal data on the basis of proper titles and has a valid legal title for the processing of personal data of the Recipients for the purpose, to the extent, by means and in the manner specified by the Customer in accordance with these Conditions for the processing of personal data;
- informs the Recipients about the processing of their personal data, to the extent required by applicable data protection laws;
- enables the Recipients to exercise their rights under applicable data protection laws;
- stores the personal data for no longer than necessary for the purposes for which the personal data is processed, provided such determinations are within Customer’s control;
- fulfils all its other obligations under applicable data protection laws;
- within 24 hours of receiving, the Customer will send the Provider by automated means via the Omnivery Services interface information about any withdrawals of the Recipient’s consent to the processing of personal data, objections to the processing of personal data, revocations of consent to the sending of the Marketing Messages and other acts affecting the possibility of processing the Recipient’s personal data according to the Agreement, and will always respect these;
- within 24 hours of receiving the information from the Provider that Recipient’s consent to the processing of personal data has been withdrawn, any objections to the processing of personal data were made, consent to the sending of Marketing Messages has been withdrawn or any other acts affecting the processing of personal data of the Recipients according to the Agreement were made, responds adequately to these and always respects these;
- Should damage (material or non-material) be incurred by the Provider as a result of non-compliance with the Customer’s obligations under the laws on personal data protection, the Customer undertakes to fully compensate the Provider for this damage. For the purpose of this provision the damage incurred by the Provider means in particular:
- compensation for damage (material or non-material) to data subjects defined in the laws on personal data protection and
- fines imposed by The Office for Personal Data Protection or other administrative authority.
General principles of personal data processing and Provider obligations
- The Provider in connection with the processing of personal data shall:
- process personal data solely on the basis of the Customer’s instructions made via the interfaces of the Omnivery Services provided or other means, including transfer of personal data to a third country or to an international organization, unless such processing is already required by the applicable laws, which apply to the Provider; in such case the Provider informs the Customer of this legal requirement prior to processing, unless the legislation prohibits this disclosure for the important reasons of public interest;
- not process personal data obtained for the purpose of providing the Services for Provider’s own purposes;
- ensure that persons authorized to process personal data are bound by contractual duty of confidentiality or subject to statutory duty of confidentiality;
- not engage any other processor without prior specific or general written authorisation of the Customer;
- promptly notify the Customer in writing if, in its opinion, it determines that: (i) it can no longer meet its obligations under applicable data protection laws; or (ii) an instruction from Customer infringes data protection laws;
- taking into account the nature of the processing, assist the Customer through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Recipient’s rights;
- assist the Customer in ensuring compliance with the Customer’s obligations to ensure appropriate level of processing security and to report personal data security breaches to supervisory authority and, where applicable, to the Recipients, to assess the impact on the protection of personal data and to conduct previous consultations with the supervisory authority when taking into account the nature of the processing and data available to the Provider;
- in accordance with the Customer’s decision, either erase or return all personal data to the Customer upon termination of the Services connected with processing of the personal data and delete existing copies unless the applicable laws require the personal data to be stored; and
- provide the Customer with all the information necessary to demonstrate that the obligations set forth in these Conditions for the processing of personal data have been met and allow audits, including inspections, performed by the Customer or other auditor authorized by the Customer and contribute to such audits.
- In relation to the processing of personal data, the Provider shall keep records of all categories of processing activities performed for the Customers, which include:
- the name and contact details of the Provider, the Customer and where applicable, of the Provider’s or the Customer’s representative, and the data protection officer;
- the categories of processing carried out on behalf of the Provider;
- where applicable, transfers of personal data to a third country or an international organisation; and
- a general description of the technical and organizational security measures.
- The Customer specifically agrees with the involvement of other processors which will assist the Provider as subprocessors with providing Services under the Agreement, including providers assisting with sending of electronic messages and validating of contact details of Recipient, while respecting the conditions described in Art. 28 (2) and (4) of the GDPR. The list of current subprocessors is available at https://omnivery.com/legal/gdpr. The Customer further agrees that the Provider may engage other subprocessors and replace current subprocessors within the scope of above written authorization granted by the Customer by this provision. The Provider will inform the Customer about any intended changes of subprocessors, by which the Customer will be given the opportunity to object to engagement of a new subprocessor. Intended changes will be published within the list of subprocessors described above at least 1 month before the intended effect of such changes, with which the Customer agrees. In case any objections against the engagement of a new subprocessor are made before the change takes effect, the Provider will inform the Customer whether it is possible to provide the Services to the Customer without engagement of this subprocessor, and if not, both the Customer and the Provider may terminate the Agreement with the effect from the day preceding the day of engagement of the new subprocessor.
- The Provider acquires no title, rights, or interest in personal data provided to the Provider pursuant to the Agreement. All personal data remains the exclusive property of the respective data controller.
Personal data security
- The Provider has adopted and maintains such technical and organizational measures as to prevent unauthorized or accidental access to personal data, modification, destruction or loss of personal data, unauthorized transmissions, other unauthorized processing or any other misuse of personal data.
- The Provider has in particular adopted and is maintaining the following measures to ensure a level of security:
- the pseudonymisation of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – the measures put in place and their correct functioning will be regularly monitored;
- the ability to restore the availability and access to personal data in a timely manner and in the event of physical or technical incidents;
- the process of regular testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
- multi-level firewall;
- antivirus protection and unauthorized access control;
- encrypted data transfer via IT technologies;
- access to personal data only for the Provider’s authorized persons;
- servers with personal data locked in the server room; and
- backups of data transferred to another location by encrypted transmission with the access of the Provider’s authorized persons only.
- The Provider may allow the Customer to access the Customer’s data, including the Recipient’s personal data, through the API. In this case, the Customer is required to ensure that only the authorized personnel can access the API. The Provider is not responsible for any data loss or privacy violation in the event of the API being misused and in the event of data misuse after being available via the API.
- In the event the Provider detects any personal data breaches, the Provider will report them to the Customer without undue delay.
Special provisions for agency Customers
- In case the Customer is an advertising agency or another company (hereinafter the “Agency”) which requires provision of the Services under this Agreement for its individual clients (hereinafter for the purposes of this article the “Client”), the following provisions of this Article will apply. However, these provisions will not apply in cases where both the Agency and the Clients together form a single natural or legal person; in such case, the Agency (Clients) will, as the Customer, fully comply with the other articles of these Conditions for the processing of personal data.
- The controller of personal data of the Recipients is always the Client, with the Agency acting as a processor and the Provider acting as another person involved in the processing of personal data.
- The Agency is obliged to ensure that obligations of the Customer under the Conditions for the processing of personal data are fulfilled by and with regards to each of its Clients. The Agency is liable to the Provider for the proper performance of the obligations under this article by and with regards to its Clients.
- The Agency declares that it has the permission of the Client as a personal data controller to engage the Provider, as another person involved in the processing of personal data, in the processing of personal data. At the same time, the Agency represents that a contract concluded between the Client as a personal data controller and the Agency as a personal data processor complies with legal requirements for a contract between the controller and the processor of personal data and that, as a processor, it always complies with this legislation. The Agency is entitled to use these provisions of the Conditions for the processing of personal data for setting up the contractual relationship with the Client.
- The provisions of these Conditions for the processing of personal data governing the relationship between the Provider and the Customer shall apply equally to the relationship between the Provider and the Agency.
Final provisions
- This current version of the Conditions for the processing of personal data is valid and effective from February 1st, 2026.
Annex No. 1 – Recommendations for the implementation by the personal data controller
Below are recommendations for implementation by the personal data controllers (i.e. entrepreneurs) in the area of personal data protection and protection of data subjects (i.e. recipients) against unsolicited Marketing Messages on their part.
It is always necessary to ensure that personal data (including those processed in Marketing Messages and cookies) are processed on the basis of the applicable and most appropriate legal grounds, ensuring the legality of processing.
The following sections of this Annex are therefore designed in a way that the appropriate legal ground for the processing is identified and that any specifics of processing in relationships between the controller and the data subject are described.
This information is not legal advice, but only basic informative recommendations for persons processing personal data. Completeness or correctness of this information is not guaranteed.
Part A – Personal Data
In the areas of “general” processing of personal data, i.e. not in connection with the sending of the Marketing Messages or with the collection of so-called cookies (see below), the general rules on the processing of personal data apply.
In order for personal data to be processed in accordance with the applicable data protection laws, it is necessary to:
- define the purpose and means of the processing (depending on the particular case);
- define the legal ground on which the processing will be based (in particular the performance of a contract with the data subject, or if the processing cannot be subsumed under performance of a contract, the legal ground would be the legitimate interest of the controller, or if the previous two legal grounds cannot be used, the consent to the processing of personal data will be a legal ground for the processing);
- fulfil any additional obligations associated with the appropriate legal ground (assessment of the legitimacy of the interest in the case of processing on the basis of a legitimate interest, information about the possibility to withdraw consent, etc.);
- fulfil the information obligation towards the data subject (see below); and
- fulfil other general obligations with regards to the processing of personal data (in particular keeping the relevant documentation, defining the organisational and technical measures for the protection of personal data, etc.).
Legal grounds for the processing
Primarily, all processing of personal data relating to the business activity of the controller will be performed on the basis of performance of the contract with the data subject (processing necessary for the sale of goods and provision of services).
For sending of Marketing Messages (which is not a processing necessary for the performance of the contract), which will be identical for all data subjects or defined on the basis of the transaction history of the data subjects, a legitimate interest of the controller may be used. The legal ground of legitimate interest may also be used for processing of cookies necessary for delivery of Messages and verification of their delivery.
On the other hand, if advanced analytics or other personal data operations that by their nature differ from plain “direct marketing” were to be performed, it would be necessary to obtain the prior consent of the subject to processing of personal data for these purposes – such consent may for example be a condition for inclusion into controller’s discount or loyalty program.
However, it is necessary to point out that the boundary where only legitimate interest can be used instead of consent to processing is not clearly defined (it depends on the reasoning and justification of such processing by the controller) and it cannot be guaranteed that certain processing could be performed on the basis of a legitimate interest.
In any case, the data controller must inform the subject about obtaining his or her personal data, irrespective of the legal basis used for processing (performance of the contract, legitimate interest of the controller, consent of the subject). If the consent is used, provision of the consent cannot be enforced.
Content of the information obligation
Where personal data are collected from data subjects, data subjects must be informed of the following:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (in this case the performance of the contract, the legitimate interest or the consent of the data subject);
- legitimate interest of the controller (in the case of processing based on legitimate interest);
- the recipients or categories of recipients of the personal data, if any, i.e. in this case the processor;
- the period for which the personal data will be stored;
- the existence of the right to request from the controller the access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the right to withdraw consent to processing (in the case of processing based on consent);
- the right to lodge a complaint with a supervisory authority;
- where applicable, the fact that the controller intends to transfer personal data to a third country and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- the fact that the processing of the data is necessary for entering into a contract (in the case of processing necessary for performance of the contract);
- the fact that automated decision making, including profiling, as referred to in Article 22 (1) and (4) of the GDPR is performed and, at least in these cases, the meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In the case where processing is based on the legitimate interest of the controller, the data subject has to be explicitly informed, clearly and separately from any other information, about the right to object to the processing.
Please note that the rights of data subject include, for example, the right to request from the controller access to personal data relating to the data subject, their rectification, erasure or restriction, and the right to object to processing. It is always necessary to appropriately respond to a request by the data subject to exercise these rights. Under specific conditions, for example, it may be necessary to terminate the processing of the personal data for certain purposes or to completely erase the personal data.
Part B – Marketing Messages
In relation to the sending of Marketing Messages, it is necessary to ensure compliance with the applicable data protection laws and the general regulation on sending Marketing Messages.
Regarding the applicable data protection laws, the forms of processing of personal data are in this context the act of sending Marketing Messages to the subject’s contact information as well as all previous and subsequent analyses of the behaviour and possible demographic characteristics of the subject, including the collection of data itself (both based on information from the subject or on its tracking on the website).
All these forms of processing mentioned above, however distinct from each other, are directed towards one common goal, namely Marketing Messages in relation to the subject. For this reason, it is useful not to divide this purpose and to base it on a common legal ground (the combination of personal data obtained for different purposes is very problematic). An appropriate legal ground may be the legitimate interest of the controller in supporting his/her business and addressing the subjects (its recipients), or the subject’s consent in the case of a more advanced analysis of the behaviour of data subjects and the monitoring of their behaviour.
The following consequences are associated with using the legitimate interest:
- the duty to internally assess the legitimacy of interest and to have such assessment available;
- the obligation to inform data subjects; and
- the right of the data subject to object to the processing and the obligation of the controller to explicitly inform the data subject about that right.
Furthermore, with regard to the general regulation on sending Marketing Messages, which is aimed at preventing the sending of unsolicited Marketing Messages, it can generally be noted that in order to ensure compliance with the applicable legislation, relatively strict conditions have to be met. Therefore, it is not possible to send to data subjects:
- any unsolicited messages sent by email and/or SMS to the recipient without complying with applicable legal requirements, i.e. in practice especially without its prior consent obtained through the double opt-in method (by filling in the form on the website and at the same time by confirming the interest in sending these commercial communications through clicking on a link in an email or through sending a verification SMS);
- any Marketing Messages that do not contain the mandatory content of the Marketing Messages in the article “VII. Compulsory content of Messages” of the Terms and are not in compliance with the article “V. Spam prevention” of the Terms;
- any Marketing Messages in the case where the data subject has refused the use of its data for the purpose of sending Marketing Messages or after the subject has refused to consent to use of its electronic contact for the purposes of sending Marketing Messages or the subject has informed the controller that he or she does not agree with any further sending of Marketing Messages;
- any Marketing Messages when they relate to products or services that are not provided by the controller or which are not similar to the products or services in connection with the sale of which the controller has obtained an email address or telephone number of the subject, unless the subject has given a prior consent.
Part C – Cookies
At the moment, cookies necessary for delivery of Messages and verification of their delivery can be processed in opt-out mode. This means that it is possible to store them in the end device of the subject and further process them without the explicit consent of the data subject, but the data subject must be informed of this fact and allowed to refuse such processing without any significant deterioration of the service (or its parts, which are not dependent on cookies).
In the case of cookies the above-described rules on objections to processing apply accordingly, including the “do not track” requests. However, an implementation of the opt-in mode in the future is considered.
In the case that cookies are eligible to be assigned to an identifiable data subject (e.g. when monitoring registered data subjects), the laws on personal data protection also apply. It is then necessary to comply with all obligations relating to the protection of personal data (Part A), including the legal ground for processing, fulfilment of the duty to inform and handling of the “do not track” requests.