Standard Contractual Clauses (SCCs)

DrakCards
Last updated: September 13, 2025

This document incorporates the European Commission’s Standard Contractual Clauses (SCCs) for the transfer of personal data from DrakCards, a Germany-based business that operates www.drakcards.com ("Site") and sells Pokémon-related products (graded cards, plush toys, figures, books, games, card accessories, and binders), to third-party data processors outside the European Economic Area (EEA).

 

SECTION I: General Provisions

Clause 1: Purpose and Scope

(a) These SCCs ensure that personal data transfers from DrakCards (data exporter) to third-party processors (data importer) outside the EEA comply with GDPR requirements.
(b) The SCCs protect the rights and freedoms of data subjects, including customers purchasing Pokémon products.
(c) The parties agree to these clauses to safeguard personal data during processing for order fulfillment, shipping, analytics, and marketing (with consent).

 

Clause 2: Effect and Invariability

(a) These SCCs are binding and cannot be modified except to add details in Annexes.
(b) They do not exempt parties from GDPR or other applicable laws.

 

Clause 3: Third-Party Beneficiaries

Data subjects (e.g., customers) may enforce Clauses 1, 3, 6, 7, 8, 9(c), 10–12, and 14–18 as third-party beneficiaries against the data exporter (DrakCards) or importer.

 

Clause 4: Interpretation

(a) Terms (e.g., “personal data,” “processing”) have the same meaning as in GDPR.
(b) These SCCs are read in conjunction with GDPR and BDSG.

 

Clause 5: Hierarchy

In case of conflict, these SCCs prevail over other agreements between DrakCards and the data importer, unless otherwise required by law.

 

SECTION II: Obligations of the Parties

Clause 6: Description of the Transfer

Details are specified in Annex I. Transfers involve customer data for order processing, shipping, analytics, and marketing.

 

Clause 7: Data Protection Safeguards

(a) Data Importer: Agrees to process data in accordance with GDPR and these SCCs, implementing technical and organizational measures (Annex II).
(b) Data Exporter: Ensures data minimization and lawful processing before transfer.

 

Clause 8: Data Subject Rights

(a) The data importer must assist DrakCards in fulfilling data subject requests (e.g., access, rectification, erasure) within GDPR timelines (one month, extendable).
(b) Requests can be made via info@drakcards.com or Shopify’s privacy tools (if implemented).

 

Clause 9: Transparency

The data importer must notify DrakCards of any data subject requests or legal demands for data disclosure, unless prohibited by law.

 

Clause 10: Accountability

(a) Both parties maintain records of processing activities and make them available to supervisory authorities (e.g., Bavarian State Office for Data Protection Supervision).
(b) DrakCards may audit the data importer’s compliance upon reasonable notice.

 

SECTION III: Local Laws and Obligations

Clause 11: Local Laws Affecting Compliance

The data importer warrants that local laws (e.g., in the US) do not prevent GDPR compliance. If conflicts arise, the importer notifies DrakCards promptly.

 

Clause 12: Sub-Processors

(a) The data importer may engage sub-processors (e.g., Shopify’s payment gateways) listed in Annex III, subject to GDPR-compliant agreements.
(b) DrakCards must be notified of sub-processor changes and may object within 10 days.

 

SECTION IV: Final Provisions

Clause 13: Supervision

The competent supervisory authority is the Bavarian State Office for Data Protection Supervision (or the data subject’s local authority).

 

Clause 14: Governing Law

These SCCs are governed by German law, per GDPR Art. 46.

 

Clause 15: Jurisdiction

Disputes are resolved in the courts of [Insert city once address is provided], Germany, unless mandatory EU consumer laws apply.

 

Clause 16: Termination

(a) DrakCards may terminate the SCCs if the data importer breaches obligations.
(b) Data must be deleted or returned upon termination, per GDPR.

 

ANNEX I: Description of the Transfer

A. List of Parties

  • Data Exporter:
    • Name: DrakCards
    • Address: [Insert registered business address once available]
    • Contact: info@drakcards.com, +49 176 32949109
    • Role: Data Controller
  • Data Importer: [Third-party processor, e.g., Shopify Inc.]
    • Address: [Processor’s registered address, e.g., 151 O’Connor Street, Ottawa, Canada for Shopify]
    • Contact: [Processor’s contact, e.g., privacy@shopify.com]
    • Role: Data Processor

 

B. Description of Transfer

  • Data Subjects: Customers purchasing Pokémon products (e.g., graded cards, plush toys).
  • Categories of Data: Name, email, address, phone, payment info, IP address, browsing behavior.
  • Sensitive Data: None.
  • Purpose: Order processing, shipping (e.g., DHL, FedEx), analytics (e.g., Google Analytics), marketing (e.g., Facebook Pixel, with consent).
  • Frequency: Continuous for active customers.
  • Retention: Order data (10 years for tax purposes), analytics (26 months), marketing (until consent withdrawal).

 

C. Competent Supervisory Authority

  • Bavarian State Office for Data Protection Supervision (or data subject’s local authority).

 

ANNEX II: Technical and Organizational Measures

The data importer implements:

  • Encryption: HTTPS for data transmission, encrypted storage.
  • Access Controls: Role-based access, strong passwords, two-factor authentication.
  • Security Monitoring: Regular audits, intrusion detection.
  • Data Minimization: Only necessary data processed.
  • Incident Response: Breach notification within 72 hours, per GDPR Art. 33.
  • Employee Training: GDPR compliance training for staff.

Specific measures depend on the processor (e.g., Shopify’s security: https://www.shopify.com/legal/privacy).

 

ANNEX III: List of Sub-Processors

  • Shopify Inc.: Hosting, payments, cart management.
  • PayPal: Payment processing.
  • Google Analytics: Site usage analytics.
  • Facebook Pixel: Marketing and ad tracking.
  • DHL/FedEx: Shipping.
  • [Additional sub-processors as notified by the data importer.]

Additional Notes

  • Implementation: DrakCards must sign SCCs with each processor (e.g., Shopify’s DPA includes SCCs: https://www.shopify.com/legal/dpa). Contact processors to confirm.
  • VAT Update: When charging VAT, update invoices: “Prices include VAT at [X]%. Umsatzsteuer-ID: [Insert VAT ID].”
  • Compliance: Consult a data protection lawyer to finalize SCCs and ensure GDPR/BDSG compliance, especially since no DPAs are currently in place.

For questions:

  • Email: info@drakcards.com
  • Phone/WhatsApp: +49 176 32949109
  • Address: [Insert registered business address once available]