General Data Protection Regulation (GDPR)

What does it mean for you?

What GDPR requires from you

As a partner of bol, you are responsible for processing the personal data of your customers, including those who buy from you via bol. Since May 25, 2018, this means, among other things, that you have a duty to comply with the GDPR. This is your own responsibility.

When a bol customer places an order with you, you receive that customer's personal data. This data, such as name, shipping address, and in some cases a phone number (only if provided by the customer and necessary, for example, to schedule a delivery appointment), is what you need to fulfill the purchase agreement and the associated after-sales obligations you enter into with your bol customers. You may not retain this customer data longer than necessary to execute the agreement. After the agreement has been executed, you may only retain the data necessary to comply with tax legislation.

Customer data in your seller account

When a customer places an order with you via bol, you only receive the data strictly necessary to fulfill the purchase agreement and after-sales obligations. You receive the following data via your seller account:

  • First and last name
  • Shipping address
  • Phone number (only if provided by the customer and necessary, for example, for a delivery appointment)

You may only use this data for:

  • Processing and shipping the order
  • After-sales obligations such as returns, complaint handling, and warranty
  • Legal obligations such as retention requirements for tax authorities

The use of customer data for other purposes, such as marketing, profiling, or sharing with third parties without a valid reason, is expressly prohibited.

Using ecosystem partners

If you have customer data processed by an ecosystem partner, such as an integrator, you are obliged to conclude a Data Processing Agreement (DPA) with that partner. A DPA is an agreement in which you agree with the ecosystem partner on how customer data will be processed, secured, and stored. This is mandatory under the GDPR.

Why is this important?

As a partner, you remain responsible for processing customer data, even if you engage another party. With a DPA, you ensure that this party complies with the GDPR. For more information on data processing agreements, you can consult the website of the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl/verwerkersovereenkomst.

Rights of data subjects

bol customers always retain their rights under the GDPR, such as:

  • Right to access their data
  • Right to rectification of inaccurate data
  • Right to erasure of data
  • Right to object to certain forms of processing

Partners are obliged to handle requests to exercise these rights carefully and to cooperate when customers or bol request it.

Your responsibility in data breaches

You are responsible for the secure processing of customer data. This means you must take appropriate measures to prevent personal data from falling into the wrong hands. When personal data that should be secured is not properly protected and is therefore accessible, we call this a data breach.

What can you do to prevent data breaches?

  • Use strong, unique passwords for your seller account
  • Where possible, use two-factor authentication (2FA) to further secure your account
  • Share customer data with third parties only if this is necessary and a Data Processing Agreement (DPA) has been concluded

Reporting a data breach

If you do experience a data breach involving personal data of bol customers (for example, due to theft, loss, or unauthorized access), you are obliged to report this immediately to bol via Partnerservice. In addition, you may also need to report the data breach to the Dutch Data Protection Authority (AP) and possibly to the affected customer(s), depending on the severity of the breach and its potential consequences. Inform yourself about this obligation via autoriteitpersoonsgegevens.nl.

Are you a non-EU partner?

If you operate as a partner outside the European Economic Area (EEA) and receive personal data from bol customers, additional rules apply to protect customer privacy. If the European Commission has not adopted an adequacy decision for the country in which you are established, the transfer of customer data is governed by the Standard Contractual Clauses (SCCs). These SCCs are part of bol's Conditions of Use Professional Sales via bol, which you agree to when using the platform.

This means that:

  • as a partner, you are obliged to process customer data securely and in accordance with the GDPR.
  • you may only retain this data for as long as strictly necessary to execute the agreement and comply with legal obligations (such as tax legislation).
  • you must conclude a Data Processing Agreement (DPA) with parties who process customer data on your behalf.
  • you must ensure that parties who process customer data on your behalf comply with the same privacy rules as you.
  • if a government from your country requests customer data you received via bol, you should not simply hand it over. According to the SCCs, you are obliged to first inform bol (insofar as the law permits) and together assess whether and how this should be handled.

More information

More information about GDPR can also be found on the website of the industry association Thuiswinkel.org. Should you have any further questions about the above, you can, of course, contact our Partnerservice.