Data Processing Terms
These Data Processing Terms ("Terms") form part of the Terms of Service ("Agreement") or other agreement between Printful Inc. and its affiliated companies and subsidiaries ("Printful") and Merchants regarding Printful's services. These Terms are binding between Printful and Merchants and constitute a data processing agreement. If you do not agree to these Terms, do not use the Site and the Service.
1.1. The capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Agreement.
1.2. "Agreement" means an agreement entered into by Printful and the Merchant regarding the use of Printful's Service.
1.3. "Data" means the personal data of the recipients of the Merchant's products, including the Merchant's customers, as well as personal data of the Merchant's representatives, which via the use of Printful's Site and Service is provided to Printful by the Merchant.
1.4. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. "Merchant" means any person, be it legal entity or natural person, that uses Printful's Service to execute orders or deliver its products to recipients, including the Merchant's customers.
1.6. "Parties" means Printful and the Merchant.
1.7. "Printful" means Printful Inc. and its affiliated companies and subsidiaries.
1.8. "Service" means print-on-demand services offered by Printful to Merchants that want to outsource the printing and delivering of their products to their customers, as well as other services offered by Printful to Merchants, including branding, warehousing and fulfillment, design, and merchandising services.
1.9. "Site" means www.printful.com.
1.10. The terms "Personal Data", "Data Subject", "Controller", "Processor" and "Supervisory Authority" used in these Terms have the meanings given in the GDPR.
2. Subject of the Terms
2.1. These Terms govern the agreement between Printful and the Merchant in respect of processing of Data transferred to Printful by the Merchant.
2.2. The Merchant acquires Data and via the use of Printful's Site and Service provides Data to Printful. The Merchant is a Controller of this Data and Printful as the Processor only processes this Data on behalf of the Merchant.
2.3. The Merchant hereby instructs Printful to process the Data as prescribed by these Terms, including the transfer of such Data to any country as may be reasonably necessary for the provision of the Service or otherwise for the compliance with the Agreement or applicable law.
3. Details of Processing
3.1. Categories of Data Subjects. Printful, on behalf of the Merchant, processes the Personal Data of the Merchant's customers and the Merchant's representatives that are registered under the Merchant's Printful account.
3.2. Type of Personal Data. Printful processes the following information received from Merchants that might contain Personal Data: name, email address, phone number, shipping information, Content shared with Printful, and other information about the Merchant's customers and representatives shared with Printful.
3.3. Nature and purpose of processing. Printful processes Data in accordance with these Terms in order to provide the Merchant the Service and otherwise ensure fulfilment of the obligations set out in the Agreement between the Merchant and Printful if such fulfilment involves the processing of Personal Data. Printful only has access to the information that has been provided by the Merchant and uses such information in accordance with the Merchant's instructions.
3.4. Duration of processing. Data will be processed for the duration of the Agreement.
4. Rights and obligations of Printful and the Merchant
4.1. Both Parties shall ensure that Data processing under these Terms is carried out in accordance with all applicable laws and regulations in respect of data protection, including the GDPR, and Parties shall comply with their respective obligations as a Controller or Processor laid down by the GDPR.
4.2. The Merchant is responsible for the legality of processing the Data. The Merchant confirms that the Data transferred to Printful has been obtained by the Merchant on lawful basis as prescribed by the GDPR and other applicable laws and regulations in respect of data protection, and that the Merchant is entitled to provide the Data to Printful and other recipients.
4.3. The Merchant shall not submit to Printful any Personal Data that is not necessary for the use of the Service, and any Personal Data if the Merchant has no lawful basis and/or no valid purpose for processing such Personal Data.
4.4. The Merchant confirms that these Terms contain sufficient instructions to Printful regarding the processing of Data, as well as the scope and purposes thereof.
4.5. If reasonably necessary, the Merchant may provide Printful with additional instructions regarding the processing of Data other than those prescribed by these Terms. Such additional instructions must be reasonably enforceable, properly documented and in compliance with applicable laws and regulations regarding data protection, and must also be accepted by Printful.
4.6. Printful shall not be liable for any claims or complaints from Data Subjects regarding any action taken by Printful as a result of acting in accordance with instructions received from the Merchant.
4.7. The Merchant shall be responsible for the accuracy of Data and keeping it up to date and shall inform Printful in case of any changes in the provided Data.
4.8. Printful shall process the Data on behalf of the Merchant and shall always follow the Merchant's instructions prescribed by these Terms, the Agreement or otherwise provided to Printful in accordance with these Terms.
4.9. Printful confirms that the processing is performed in compliance with the requirements prescribed by the GDPR and other applicable laws and regulations in respect of data protection, Printful has implemented appropriate technical and organizational measures and while processing the Data ensures the protection of the Data Subjects' rights.
5.1. For Printful to be able to meet its obligations prescribed by the Agreement and to administer and provide the Service, the Merchant hereby authorizes Printful to engage sub-processors and transfer the Data to such sub-processors.
5.2. When processing the Data on behalf of the Merchant, Printful uses sub-processors that provide us with different services such as hosting and server co-location services, postal and courier delivery services, and our financial and legal advisors, among others.
5.3. Printful hereby confirms that it uses only such sub-processors that are able to guarantee that they have implemented appropriate technical and organizational measures in accordance with the GDPR and other applicable laws and regulations regarding data protection.
5.4. Printful hereby confirms that our sub-processors are contractually or otherwise in a binding form required to comply with the same data processing obligations as prescribed by these Terms.
5.5. Printful may transfer the Data to sub-processors that are located outside the European Economic Area ("EEA"). Printful confirms that the Data are transferred only to such sub-processors outside the EEA that are located in a territory that has been acknowledged by the European Commission as ensuring an adequate level of protection, or otherwise is able to provide appropriate safeguards and always provided that enforceable rights and effective legal remedies are available for Data Subjects.
6. Assistance to the Merchant
6.1. Considering the nature of the processing, Printful will assist the Merchant with the provision of technical or organizational measures, insofar as possible, for the fulfilment of the Merchant's obligations as the Controller in relation to:
Any requests from the Data Subjects in respect of access to, or the rectification, erasure, restriction, portability, blocking or deletion of their Personal Data that Printful processes on behalf of the Merchant. In the event that a Data Subject sends such a request directly to Printful, Printful will promptly forward such request to the Merchant; and
The investigation of Personal Data breaches and the notification to the Supervisory Authority and Data Subjects regarding such Personal Data breaches; and
Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
7. Personal Data Security
7.1. By taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Printful shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the respective risk.
7.2. Printful monitors and ensures that all of Printful's authorized personnel involved in the Processing of Data provided to us have committed themselves to confidentiality obligations.
7.3. Printful confirms that rights of access to its authorized personnel are always provided only to the minimum extent necessary for fulfilment of the obligations arising from the Agreement.
8.1. Upon the Merchant's written request, Printful shall provide sufficient information to demonstrate compliance with obligations laid down in these Terms and applicable laws and regulations. This information shall be provided to the extent that such information is within Printful's control and Printful is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
8.2. If information provided upon the Merchant's request in the Merchant's reasonable judgement is not sufficient to confirm Printful's compliance with these Terms, then Printful agrees to allow for and contribute to data processing audits.
8.3. Such audits are allowed to be carried out by an independent third party with good market reputation, provided that it has sufficient experience and competence to carry out data processing audits, and election of such auditor must be mutually agreed by both the Merchant and Printful.
8.4. The timing and other practicalities related to any such audit or inspection are determined by us and any such information and assistance are provided only at the expense of the Merchant, and we reserve the right to charge the Merchant for any additional work or other costs incurred by us in connection with the Merchant using such rights. The Merchant has rights to request the audit once every 2 years.
8.5. The auditor will have to sign a confidentiality agreement, which includes an obligation not to disclose business information in its audit report, and the final report will also have to be provided to Printful.
9. Return and deletion of Data
9.1. Unless otherwise required by applicable law, Printful has no obligation to store the Merchant's Data after termination of the contractual relationship with Printful and deletion of the Merchant's account.
9.2. At the choice of the Merchant, Printful will delete or return all the Data to the Merchant after the end of the contractual relationship relating to the processing of Data, and shall delete existing copies, unless an applicable law requires the Merchant to store such Data.
10. Governing Law
These Terms are governed by the laws of the State of California and are subject to the dispute resolution procedure as prescribed by the Agreement.
Printful reserves the right, at its discretion, to modify these Terms at any time. The Merchant shall be responsible for reviewing and becoming familiar with any such modifications. Use of the Service by the Merchant following such notification constitutes the Merchant's acceptance of the changes in these Terms.