Material Exchange

Data Processing Agreement

Issued on: June 1st, 2020 | Last modified: May 31st, 2023

young girl with curly hair

Data Processing Agreement

Issued on: June 1st, 2020 | Last modified: May 31st, 2023

If you have determined that you qualify as a data controller under the GDPR, and need a data processing agreement we want to help make it as much available and simple as possible for you.

It is considered that you have agreed with our GDPR compliant Data Processing Agreement (“DPA“), by agreeing with MP or DSP Terms & Conditions.

Data Processing Agreement

Material Exchange Ventures AB (“MEV“) and the counterparty, being Brands, Buyers, Material Suppliers, Manufacturers and others (“User“) confirm and agree that with regard to the processing of User personal data MEV acts as a processor, while User acts as a controller based on an agreement for the Services provided by MEV which you have entered into by agreeing with the MP or DSP Terms & Conditions (“Terms“).

This DPA forms part of the Terms into which it is incorporated by reference. This DPA will be effective, and will replace and supersede any previously applicable terms relating to their subject matter (including any data processing amendment, agreement or agreement relating to the Services), from the date on which User clicked to agree or the parties otherwise agreed to this DPA (“DPA Effective Date“). All of the definitions used in the Terms fully correspond to the meaning of the terms used in this DPA.

If you are agreeing with this DPA on behalf of User, you warrant that:

a) you have full legal authority to bind User to this DPA;

b) you have read and understand this DPA; and

c) you agree, on behalf of User, to this DPA.

If you do not have the legal authority to bind User, please do not agree with this DPA.


In performance of the Terms Processor processes personal data for which User is the controller within the meaning of Art. 4 no. 7 of the General Data Protection Regulation (EU) 2016/679 (“GDPR“) (“User Data“). This DPA specifies the data protection-related rights and obligations of the parties in connection with the handling of User Data by Processor in performance of the Terms.


Processor shall process User Data exclusively on behalf of and on documented instruction of the User within the meaning of Art. 28 GDPR (processing).

The details of the processing operations provided by Processor to User as a commissioned data processor (e.g., the nature and purpose of the processing, the type of personal data and categories of data subjects) are specified in Schedule 1 to this DPA. Any other or additional processing of User Data by Processor is prohibited, including any processing of User Data for Processor’s own purposes. Any changes in data processing procedures are subject to the mutual agreement of User and Processor and must be documented in writing or in a documented electronic format.

The User is obliged to ensure that the processing operations delegated to the Processor based on his instructions are not contrary to the applicable legislation.


User is responsible that the processing activities to be carried out under the Terms and this DPA, has been, and will continue to, be lawful, fair and transparent in relation to the data subjects, as set out in Schedule 1. User is also the sole party responsible for complying with rights of data subjects under Art. 12 through Art. 22 GDPR.


Processor shall process User Data exclusively in compliance with the provisions of this DPA and the instructions of User, unless Processor is required to process User Data otherwise under European law or the law of any other state to which Processor is subject (e.g. in connection with investigations by criminal prosecutors or national security agencies). In such case, Processor shall inform User of such legal requirements prior to the start of processing, unless that law prohibits such information on important grounds of public interest.

The User’s instructions are provided in this DPA and the Terms. User may give specifications to such instructions provided in this DPA and the Terms as well as further instructions. Such instructions shall generally be given by User in writing, unless the urgency or other specific circumstances require another (e.g. oral, electronic) form. Instructions in another form than in writing or in electronic form shall be documented in appropriate form.

Processor shall comply with instructions of User. User shall have the right to specify a reasonable deadline for complying with instructions in a particular case and Processor may use commercially reasonable efforts to comply with such deadline.

If in the reasonable opinion of Processor an instruction of User violates the terms of this DPA or applicable data protection law, Processor shall inform User thereof. Processor may suspend the execution of the instruction until confirmation or amendment of the instruction by the User.

If an instruction by the Processor modifies or terminates any provisions in this DPA, such instruction shall be permitted only if the relevant provisions are revised in written or text form in accordance with section 2.2 of this DPA.


Processor shall process User Data in compliance with the provisions of this DPA and User’s instructions in accordance with section 2.1, of this DPA unless an exception with the meaning of Art. 28 (3) lit. a) GDPR applies.

Processor shall make no copies or duplicates of User Data except with the knowledge of User, to the extent that and as long as such copies or duplicates are not necessary to ensure proper data processing, proper performance of services under the Terms (including data backup), or compliance with statutory retention obligations.

User shall ensure compliance with the technical and organizational measures set forth in section 9 of this DPA.

Processor shall cooperate on and reasonably assist User with keeping records of processing activities and performing any required data protection impact assessments to the extent necessary (Art. 28 (3) 2 lit. e) and f) GDPR). User shall refund all costs which exceed those for 5 hours per year arising for Processor from such assistance.

If User is obliged to provide any government agency, data subject, or other person with information about User Data or their collection or use, Processor shall assist User with providing such information. User shall refund all costs which exceed those for 5 hours per year arising for Processor from such assistance.

Processor may use information obtained from the contractual relationship together with information from other Users for Processor’s own analysis purposes. When doing so, Processor shall process no personal User Data obtained from User within the scope of the contractual relationship. The analyses do not allow the identification of individual Users or User Data.


Processor agrees to maintain confidentiality when processing User Data on behalf of User and shall in particular not disclose the User Data processed to any third parties unless authorized by User. The only exceptions are data transfers to authorized subprocessors. This duty of confidentiality shall survive and continue in effect after termination of the DPA to the extent required by the GDPR.

Processor shall ensure that persons authorized by the Processor to process the User Data on behalf of the User have committed themselves to confidentiality beyond the term of this DPA or are under a statutory obligation of confidentiality and that such persons process such User Data in compliance with the User’s instructions. The Processor will further instruct such persons regarding the applicable statutory provisions on data protection. The Processor shall ensure that access to the User Data is limited to those persons who need access to such data to meet the Processor’s obligations under this Agreement and only to such part or parts of the data as is necessary for performance of that person’s duties.


Processor can engage subprocessors for processing User Data with the general written authorisation of User given by this DPA.

Processor shall inform the User of any new subprocessing agreement executed before the new subprocessor gains access to User Data. User may object to the involvement of a new subprocessor in writing within fifteen (15) days after being informed.

User acknowledges that an objection against a new subprocessor may lead to delay or non-performance of services under this DPA. Additionally, increased costs may occur for Processor due to an objection. These shall be compensated for with an increased remuneration from User.

If Processor intends to engage a subprocessor in a third country, the subprocessor must fulfil the requirements of Art. 44 et seq. GDPR (e.g., adequacy decision of the European Commission, Privacy Shield certification, standard data protection clauses, approved code of conduct).

The rights and obligations of User and Processor under this DPA shall be agreed accordingly in the DPA between the Processor and any subprocessor.

Processor shall in particular have derived control obligations towards the subprocessors and may exercise the rights of the User described in this DPA. Processor shall audit compliance with the subprocessor’s contractual obligations on a regular basis in appropriate form, document the results of the audit, and make the audit report available to User upon demand.


User is responsible for handling and responding to requests or claims of data subjects for information, rectification, restricted processing, or erasure of User Data or for processing any other claims brought under chapter III or VIII of the GDPR (“Data Subject Requests“). If a data subject contacts the Processor directly for purposes of information, rectification, erasure, or restricted processing of User Data related to the subject, Processor shall forward such request to User and shall make no contact with the data subject (except for the reply that the request is forward to User) unless specifically instructed to do so by User. Processor shall provide no information to any data subjects except on prior instruction from or with the prior consent of User.

Processor shall provide User with reasonable assistance for processing Data Subject Requests.

User shall refund Processor all reasonable costs which exceed those for 5 hours per year arising from or related to the assistance pursuant to sections 11.1 and 11.2.


Processor is obliged to implement the technical and organizational measures as specified in Schedule 2 before processing the User Data on behalf of the User notably to ensure the security of the User Data. Processor shall maintain the level of security of those measures in effect during the term of this DPA. The protective objectives of Art. 32 (1) GDPR, such as confidentiality, integrity, availability of systems and services, and their resilience taking into account the nature, scope, context, and purpose of data processing, shall be taken into consideration in such a way that risks are mitigated by appropriate technical and organizational measures on a sustained basis.

User has examined and confirmed that the measures set forth in Schedule 2 for the processing of User Data are appropriate and in accordance with User’s duties arising from the applicable data protection laws.

Processor is entitled to implement alternative adequate technical and organizational measures, provided that they do not undercut the level of security of the technical and organizational measures specified in Schedule 2.

Processor shall follow the procedure described in Schedule 2 for the regular review, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure that User Data is processed in conformity with data protection law.


Processor shall notify User without undue delay if Processor becomes aware of a violation of the protection of personal data (“Data Breach“).

In the event of a Data Breach, Processor shall support User and to a reasonable extent in investigating the matter, taking remedial action, and notifying the appropriate parties, including measures required for compliance with legal obligations (e.g., Art. 33, 34 GDPR). In particular, Processor shall take all reasonable steps without undue delay to minimize or eliminate any risks for the integrity or confidentiality of User Data, to secure User Data, and to prevent or mitigate as much as possible any adverse consequences for data subjects. Processor shall provide no notifications in accordance with Art. 33 or 34 of the GDPR for User except upon prior written instruction by the User.


The Processor shall provide the User with appropriate information (e.g. certificates, audit reports and other results of inspections) to demonstrate compliance with the obligations set out in this DPA.

If the User has reasonable grounds to suspect that this information is insufficient to demonstrate compliance with the obligations set out in these DPA, the Processor shall facilitate, and support audits carried out by the User or another auditor commissioned by the User. Audits may be carried out by appointment (generally thirty days in advance) during normal business hours without disruption to the business of the Processor and in accordance with the safety rules of the Processor. Costs of any such audit shall be borne by User.


Processor is prohibited from actively processing User Data after this DPA has terminated unless it has a legal basis for processing. Processor will erase or hand over User Data to User after the termination of the DPA as requested by User, to the extent this is possible without infringing the Processor’s own statutory obligations or state law require storage of the Personal Data. Processor may decide to delete or anonymize the Personal Data to the extent possible, without violating its own legal obligations that require the storage of Personal Data. On the other hand, data that has been anonymized shall not be considered as personal data in the sense of the GDPR and the Processor can retain this data.

The provisions of sections 12.1 of this DPA shall also apply to copies of User Data (including, archiving and backup copies) in any systems of Processor, including test data and discarded data.

For each deletion and destruction of User data, the processor must prepare a written protocol, which must be presented to the User immediately upon request.


The Party is responsible for all damages resulting from or related to its failure to fulfil its obligations under this DPA and/or the failure of persons/entities engaged/hired by that Party, including but not limited to employees and/or sub-processors.

The Party is obliged to compensate the other Party for damages in case of demands, fines and/or measures submitted against or imposed on the Party by third parties, including Data Subjects and the Commissioner due to violations of this DPA committed by the other Party, as well as by entities/persons engaged/hired by the other Party, including, but not limited to employees and/or sub-processors.

None of the Parties shall be liable for damages in any form (including penalties and fines, costs or other losses) suffered by the other Party, its employees or a third party to whom the other Party is liable in accordance with any legal relationship, unless the other Party proves that the damage is a direct consequence of gross negligence on the part of the first Party. In no event shall either Party be liable for any damages or lost profits arising in any way from this DPA. Therefore, lost profits or other damages based on lost future profits or lost benefits/savings will not be subject to compensation by either of the Parties. The Parties expressly release each other from all accusations or claims for damages from the above causes. If, for any reason, the liability of any of the Parties is declared by a final court decision, its liability will be limited by the amount of compensation that is equal to the paid fee. This limitation of liability shall not apply if either of the Parties proves that the damage is a direct consequence of the intent or gross negligence of the other Party.


The Processor agrees that the potential transfer of the Personal Data to third countries may only be carried out to the countries which have been recognized by the European Union to ensure an adequate level of protection.

If the Processor wishes to transfer Personal Data to a country that is not covered in Article 14.1 of this DPA, data transfer is also free in this case, but the Processor is obliged to first fulfil the conditions for such a transfer in accordance with the GDPR, i.e ensure the implementation of adequate legal mechanisms for the transfer of data to countries that are not covered by Art. 14.1.


The term of this DPA shall correspond to the term of the Terms. If in doubt, any termination of the Terms shall also result in termination of this DPA, and any termination of this DPA shall also result in termination of the Terms.


Any modification, amendment, or termination of this DPA, including any modification or termination of this clause requiring written form, must be in written form.

Each of the parties will comply with the data protection laws applicable to its respective activities under this DPA, including the guidance (e.g., working papers) published by the EU Data Protection Board. Should any binding decision or order by a privacy regulator or court of competent jurisdiction or guidance by the EU Data Protection Board (or its successor) require changes to this DPA and/or the way in which Processor handles Personal Data hereunder, then the parties shall mutually implement such changes.

In the event of any conflicts between this DPA and other agreements between the parties, including, without limitation, the Terms, the provisions of this DPA shall prevail.

Schedule 1:


Purpose of data processing, type of data and categories of data subjects are governed by the provisions of the Terms. They include inter alia the following:

  • Categories of data subjects
    • Individuals within the User being Brands, Buyers, Material Suppliers, Manufacturers, Sales Representatives, and others.
  • Purpose of data processing
    • Registration on the OM and the usage of the OM.
    • Registration on the DSP and the usage of the DSP.
  • Type of personal data
    • Name;
    • Last name;
    • E-Mail adress;
    • Phone number;
    • Company;
    • Company role;
    • Country;
    • City;
    • Post code;
    • Photo;
    • Username;
    • If necessary your personal e-mail address and your mobile phone number;
    • Details of transactions you carry out and of the fulfilment of your orders, including licensing of software.

Schedule 2:



Physical access management

MEV is taking the following measures to prevent unauthorised persons from gaining access to the data processing equipment used to process personal data.

Access control

MEV is taking the following measures to prevent unauthorized parties from using data processing systems and procedures.

Data access management

MEV is taking the following measures to ensure that the persons authorised to use the data processing procedures have exclusive access to the personal data subject to their access authorisation and that unauthorised reading, copying, alteration or removal is excluded.

Data separation management

MEV is taking the following measures to ensure that data collected for different purposes will be processed separately: functional separation; compliance with recordkeeping obligations/periods and subsequent erasure of data that have been made available; separate IT networks for different processing purposes.


The processing of personal data is carried out in such a way that the data can no longer be attributed to a specific data subject without the need for additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.

Other measures include zero knowledge encryption.


Data transfer management

MEV is taking measures to ensure that during electronic transfer, migration, or storage on data carriers personal data cannot be read, copied, modified or removed without authorization.

Data input management

MEV is taking measures to ensure that it can be reviewed and determined later on who input, modified, or removed data:


Availability management

MEV is taking measures to ensure that personal data are protected against accidental destruction or loss.

Fast recovery of data

MEV is taking measures to ensure the fast recovery of systems after downtimes, so as to allow availability of personal data and access to personal data to be restored quickly after a physical or technical incident. There must be an emergency plan for fast recovery measures.


Regular review, assessment and evaluation

MEV is taking measures to verify on a regular basis that its technical and organizational measures for secure data processing are effective.

Contract compliance management

MEV is taking measures to ensure that data will be processed only in accordance with Client’s instructions.