Data Processing Agreement (DPA)

Last updated: September 13, 2025

This Data Processing Agreement ("DPA") governs the processing of personal data by third-party processors on behalf of DrakCards, operating www.drakcards.com ("Site"), a German-based business selling Pokémon-related products (graded cards, plush toys, figures, books, games, card accessories, and binders).


1. Definitions

  • Controller: DrakCards, responsible for determining the purposes and means of processing personal data.
  • Processor: The third-party service provider processing personal data on behalf of DrakCards.
  • Personal Data: Any information relating to an identified or identifiable natural person (e.g., customers’ name, email, address).
  • Processing: Any operation performed on personal data (e.g., collection, storage, use).


2. Scope and Purpose

This DPA applies to all personal data processed by the Processor on behalf of DrakCards for:

  • Order processing (e.g., via Shopify for payments, cart management).
  • Shipping (e.g., DHL, FedEx for delivery).
  • Analytics (e.g., Google Analytics for Site usage).
  • Marketing (e.g., Facebook Pixel for ads, newsletters with consent).


3. Details of Processing

3.1 Categories of Data Subjects

  • Customers purchasing Pokémon products.
  • Users browsing the Site or subscribing to newsletters.


3.2 Types of Personal Data

  • Contact details: Name, email, phone (including WhatsApp).
  • Billing/shipping: Address, city, postal code, country.
  • Payment info: Processed securely via third-party gateways (e.g., PayPal); DrakCards does not store full card details.
  • Usage data: IP address, browser type, pages visited, time spent.


3.3 Purpose of Processing

  • Fulfill orders, process payments, and deliver products.
  • Provide customer support (e.g., returns, inquiries).
  • Analyze Site usage to improve functionality.
  • Send marketing communications (with consent).
  • Comply with legal obligations (e.g., tax retention).


3.4 Duration

  • Order data: Retained for 10 years per German tax law.
  • Analytics data: Up to 26 months (Google Analytics default).
  • Marketing data: Until consent withdrawal or 2 years of inactivity.


4. Obligations of the Processor

4.1 Compliance with Instructions

The Processor shall:

  • Process personal data only on DrakCards’ documented instructions, unless required by EU or Member State law.
  • Notify DrakCards if instructions violate GDPR or BDSG.


4.2 Confidentiality

  • Ensure personnel are bound by confidentiality obligations.
  • Limit access to personal data to authorized staff only.


4.3 Security Measures

The Processor shall implement technical and organizational measures, including:

  • Encryption (e.g., HTTPS, secure storage).
  • Access controls (e.g., role-based access, two-factor authentication).
  • Regular security audits and intrusion detection.
  • Data minimization and pseudonymization where feasible.
  • Incident response with breach notification to DrakCards within 72 hours (GDPR Art. 33).


4.4 Sub-Processors

  • The Processor may engage sub-processors (e.g., Shopify’s payment gateways) listed in Annex I.
  • DrakCards must be notified of new sub-processors and may object within 10 days.
  • Sub-processors must comply with equivalent GDPR obligations.


4.5 Data Subject Rights

The Processor shall assist DrakCards in responding to data subject requests (e.g., access, rectification, erasure) within one month, including via Shopify’s dashboard or privacy apps (if installed).


4.6 Data Transfers

  • For transfers outside the EEA (e.g., to the US), the Processor shall comply with Standard Contractual Clauses (SCCs) per European Commission Decision 2021/914 (Module 2).
  • Safeguards include encryption and SCCs (referenced in DrakCards’ Privacy Policy).


4.7 Audits and Inspections

  • The Processor shall allow DrakCards or an auditor to conduct compliance audits with reasonable notice.
  • Provide records of processing activities to the Bavarian State Office for Data Protection Supervision upon request.


4.8 Data Deletion or Return

  • Upon contract termination, the Processor shall delete or return all personal data, except where required by law (e.g., tax retention).
  • Certify deletion in writing to DrakCards.


5. Obligations of DrakCards

  • Ensure lawful basis for processing (e.g., contract performance, consent).
  • Provide clear instructions to the Processor.
  • Include SCCs in this DPA for non-EEA transfers.
  • Respond to data subject requests via info@drakcards.com or Shopify tools.


6. Liability

  • Each party is liable for GDPR violations caused by its actions.
  • The Processor shall indemnify DrakCards for breaches of this DPA, subject to German law (§ 521 BGB).
  • EU/EEA consumer protections (e.g., GDPR Art. 82) apply to data subjects.


7. Governing Law and Jurisdiction

  • Governing Law: German law, per GDPR Art. 46.
  • Jurisdiction: Courts of [Insert city once address is provided], Germany, unless mandatory EU consumer laws apply.
  • EU customers may use the EU Online Dispute Resolution platform (http://ec.europa.eu/odr).


8. Contact Information

Data Controller:

  • Name: DrakCards
  • Address: [Insert registered business address once available]
  • Email: info@drakcards.com
  • Phone/WhatsApp: +49 176 32949109

Data Processor: [To be specified, e.g., Shopify Inc., 151 O’Connor Street, Ottawa, Canada; privacy@shopify.com]

ANNEX I: List of Sub-Processors

  • Shopify Inc.: Hosting, payments, cart management.
  • PayPal: Payment processing.
  • Google Analytics: Site usage analytics.
  • Facebook Pixel: Marketing and ad tracking.
  • DHL/FedEx: Shipping.
  • [Additional sub-processors as notified by the Processor.]

ANNEX II: Technical and Organizational Measures

The Processor shall implement:

  • Encryption: HTTPS for data transmission, AES-256 for storage.
  • Access Controls: Role-based access, strong passwords, two-factor authentication.
  • Security Monitoring: Firewalls, intrusion detection, regular vulnerability scans.
  • Data Minimization: Process only necessary data for specified purposes.
  • Incident Response: Breach notification within 72 hours, incident logging.
  • Training: GDPR compliance training for personnel.
  • Backups: Secure, encrypted backups with restricted access.