Skip to main content

General Terms and Conditions of Shelly Integrator API

(in force as of 20 November 2024, last amended 26 June 2026)

I. Introduction

Art.1. (1) Shelly Europe Ltd. provides Shelly Integrator Application Programming Interface (Shelly Integrator API) - a cloud-to-cloud API for integration, control and device status updates collection from Shelly devices under the terms and conditions set forth below.

(2) Shelly Integrator API enables Integrators to manage devices across single or multiple Shelly user accounts. It is designed for large-scale deployments and industrial use cases involving a big number of devices. Upon permission of the Shelly account user, the Service allows centralized streaming of status data from many shelly accounts to a single point for data ingest. Basic control over the devices is also possible.

(3) We also have Privacy Policy and may have other legal statements and conditions applicable to various activities on Shelly Integrator API, including but not limited to terms and conditions that may apply to your use of Shelly Integrator API, (Special documents). All the foregoing is incorporated herein by reference, and shall, together with these General Terms and Conditions of using Shelly Integrator API ("the Terms") govern your access to and use of Shelly Integrator API and are a binding agreement between Shelly Europe Ltd. and the entity you represent ("You" or "Your"). If any of the Special documents are inconsistent with these General Terms and Conditions, those Special documents shall prevail.

Art. 2. Contact data with Shelly Europe Ltd. during business days from 09:00 until 17:00 CET:

tel: +359 2 988 6954

Open a ticket https://support.shelly.cloud/en/support/home

II. Definitions

Art.3. The following words and expressions when commencing with a capital letter (including when used with a definitive article and/or used in plural) shall have the meaning and content stated herein unless the context requires otherwise:

  1. "Service Provider/Us/We/Shelly Europe" - shall mean the company which owns the Shelly Integrator API -- Shelly Europe Ltd., a company registered according to the laws of Republic of Bulgaria, entered in the Bulgarian Commercial Register and the Register of NPLE at the Registry Agency under UIC: 202320104, having its seat of management in the city of Sofia, Lozenets district, 1407, 51 Cherni Vrah Blvd., Building 3, floor 2 and 3.

  2. Integrator - a legal entity/organization who have obtained a license for use of Shelly Integrator API on its behalf and processes data accessed through the Shelly Integrator API exclusively for the pursuit of its legitimate business interests, including the provision of services or functionalities to its customers in relation to its own products or solutions

  3. "Shelly Smart Control" - is a digital service branded Shelly Smart Control, accessible via Shelly Smart Control App (Shelly App) or online via https://control.shelly.cloud/#/login, that allows remote access, control and monitoring of Shelly devices and the appliances to which these are attached.

  4. Shelly Integrator API - a cloud-to-cloud API for integration, control device status updates and data collection from Shelly devices. API is set of defined rules and protocols that allow different software components to communicate with each other by exposing functionality or data from a system to be used by other software, system, etc. via structured requests and responses. Shelly Integrator API is intended for cloud-to-cloud use only, not cloud to app.

  5. "Shelly Devices" shall mean any smart device branded „Shelly", "Loqed" or "Powered by Shelly" in all models and modifications.

  6. Shelly App User - any person (irrespective individual or legal entity) who has registered an Account with Shelly Smart control App and uses the application outside his trade, business, craft or profession.

  7. Personal Data - has the meaning given to the definition in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  8. Suggestions - means all suggested improvements to the Shelly Integrator API that You provide to us.

III. Subject Matter

Art.4. (1) These Terms govern the relations between Shelly Europe and each Integrator regarding the use of Shelly Integrator API.

(2) The present Terms do not govern the relationship between the Integrator and the Shelly App User. Any agreements, services, or obligations between them are solely their responsibility.

Art. 5. (1) These Terms are mandatory for the Integrator.

(2) By filing and submitting a registration form and accessing the Shelly Integrator API, the Integrator declares that it has read, accepts and is obliged to comply with these Terms unconditionally. The Integrator is further obliged to comply with all other conditions imposed by the law, even if not mentioned in these Terms.

(3) In case the Integrator disagrees with these Terms, it shall not access and use Shelly Integrator API.

Art. 6. (1) Shelly Europe shall not be liable if the Integrator has not read these Terms.

(2) Shelly Europe shall not be liable for any damages and/or losses arising from non-compliance on the part of the Integrator of the provisions of these Terms and the applicable law.

IV. Access to Shelly Integrator API

Art.7. (1) The access to Shelly Integrator API and usage of its functionalities require filing a Shelly Integrator API access request.

(2) By filing the Shelly Integrator API access request the Integrator provides the following data:

  1. Company name.
  2. Company email address.
  3. Country of registration or operation.
  4. Contact person names.
  5. Contact email.
  6. Contact phone number.
  7. Solution type - energy metering, power metering, load shedding, energy generation and usage balancing, industrial automation, other.
  8. Voluntary provided information regarding the Use case.
  9. What kind of API will be used - Integrator API or Cloud Control API.

(3) The API access request is submitted on behalf of, or for the benefit of the Integrator. In this case, the person submitting the request acknowledges that has the legal right and/or authorization to bind the Integrator with these Terms. He/she may be asked to provide additional registration details, such as the official documentation certifying the existence of the legal entity/organization, etc.

Art.8. (1) The Integrator is responsible for ensuring that all details provided to Us are correct, complete and up-to-date.

(2) Shelly Europe shall not be liable for any loss or damage that may occur for the Integrator due to the provision of incorrect, incomplete or false data (for example inability to access and use Shelly Integrator API, to receive customer support etc.).

Art.9. (1) Shelly Europe will notify the Integrator once the request is satisfied by sending an email or if additional information is required. The email contains authentication information about how to obtain valid JSON Web Token (JWT) and token credentials. These credentials serve as identification of the Integrator. The acquired JWT access token will be valid 24 hours and must be used for issuing WSS connection.

(2) Shelly Europe reserves the right to reject access requests at its sole discretion, particularly in cases of incomplete, inaccurate, or unverifiable information.

Art.10. (1) The Integrator is solely responsible for securely storing and protecting its assigned tag and token credentials. It must take all reasonable measures to prevent unauthorized access, disclosure, or use of these credentials, and agrees to notify Us immediately if suspect any compromise or misuse.

(2) To the extent permitted by applicable law the Integrator takes responsibility for all activities that occur under his assigned tag and token credentials. The Integrator should take all necessary steps to ensure that they will be kept confidential and secure and should inform Us immediately if has any reason to believe that his credentials become known to anyone else, or if they are being, or is likely to be used in an unauthorised manner. The Integrator must immediately notify Shelly Europe in case of breach of security or unauthorized use of his-her credentials.

V. Using Shelly Integrator API

Art.11. (1) The Shelly Integrator API is provided to enable the Integrator to enhance the functionality of his services by integrating with Shelly Integrator API. Shelly Integrator API is a cloud-to-cloud API integration that enables the Integrators to request access to the devices of Shelly App Users upon Shelly App User's permission and register them to Integrator's service.

(2) The right to use Shelly Integrator API is provided by Shelly Europe for an indefinite period and is available free of charge. The use of the Shelly Integrator API shall remain in effect unless and until terminated by the Integrator or Shelly Europe as provided herewith.

(3) To share a device each Shelly App user shall be logged in with their existing Shelly account, select which device they want to share with the Integrator and choose what additional access rights to provide the Integrator -- read or read and control.

(4) The Shelly App user has full control over access permissions and can grant, extend, or revoke an Integrator's access at any time through the Shelly App interface without prior written notice то the Integrator or Shelly Europe. If access is revoked, the Integrator will immediately lose the ability to access the device through Shelly Integrator API.

Art.12 (1) To successfully integrate with Shelly Integrator API, each Integrator is required to establish and maintain an open WebSocket connection to our cloud infrastructure. Upon initiating the connection, the Integrator must authenticate using a valid JWT issued by Shelly Europe. Failure to authenticate correctly will result in immediate termination of the connection.

(2) Shelly Europe's systems communicate via structured HTTPS requests and persistent WebSocket connections. As part of the integration, Integrator's system must be capable of both sending and receiving such communications reliably.

(3) Shelly Integrator API sends real-time event notifications over the WebSocket connection. These events may include, but are not limited to: device state changes (e.g., online/offline, status updates), device settings changes (e.g., configuration updates), command execution events (e.g., command sent, acknowledged, executed) or errors, etc.

(4) The Integrator is responsible for implementing appropriate listeners and handlers to process these event messages in real time. The Integrator is responsible to route, manage, store and process the data on his own.

(5) The Integrator must ensure that his systems remain responsive to events and acknowledgments over WebSocket and HTTP interfaces. In case of repeated timeouts, failures, or improper handling of events, we reserve the right to suspend or throttle your access to protect Shelly Integrator API stability and our cloud stability.

Art.13 Shelly Europe is allowed to set and enforce limits on Integrator's use of the Shelly Integrator API (e.g. limiting the number of API requests that the integrator may make or the number of devices that may be accessed) in its sole discretion and without prior notice.

Art.14. Shelly Europe uses reasonable care and skill to keep the Shelly Integrator API operational and provides the Integrator with the experience that is normally expected for this type of service. However, Shelly Integrator API features and their availability may change from time to time such as but not limited:

  1. may experience temporary interruptions due to technical difficulties, maintenance or testing, or necessary updates of the Shelly Integrator API.

  2. To improve Integrator experience and optimize Shelly Integrator API constantly, Shelly Europe reserves the right to provide replacement, modified and updated versions of the Shelly Integrator API to change, suspend or discontinue any of the Shelly Integrator API' functionalities without prior notice to You. After a new version of the Shelly Integrator API is released, Shelly Europe does not guarantee that older versions will continue to be usable. In addition, Shelly Europe may stop (permanently or temporarily) providing any features within the Shelly Integrator API. Shelly Europe shall not be held liable for any loss or damages occurred because of replacement, modification, and updated version, including but not limited to the unavailability or the lack of support to previous version(s) of the Shelly Integrator API.

VI. Rights and Obligations of the Integrator and Shelly Europe

Art.15. (1) The right to use Shelly Integrator API is non-transferable, and non-assignable. The Integrator may not assign sublicense, transfer, or otherwise grant access to their credentials or related privileges to any third party without prior written consent from Shelly Europe. Any unauthorized transfer or sharing of access credentials may result in the suspension or termination of the Integrator's access.

Art. 16. (1) The Integrator is obliged:

  1. not to use in any way that could damage Shelly Integrator API, Shelly App Users, Shelly devices or Shelly Europe's and its affiliates general business.

  2. not to use their access for any unauthorized activities, including but not limited to: accessing, modifying, or using Shelly App User's data beyond the agreed service scope, sharing access credentials with unauthorized third parties, using Shelly App user's data for marketing or personal gain without lawful justification, selling personal data, scrape, build databases or otherwise create copies of any data accessed or obtained using Shelly Integrator API, except as necessary to enable an intended usage scenario for its Use case.

  3. not to use Shelly Integrator API and/or its functionalities for any unlawful purpose or any purpose prohibited under this clause.

  4. not to input, submit, transmit, disclose or otherwise make available any data accessed, received or derived through Shelly Integrator API to any artificial intelligence, machine learning or generative AI system, model, service or tool, nor to use any such data for the purpose of training, developing, fine-tuning, evaluating, prompting or operating (including by way of inference) any such system, model, service or tool [save with Shelly Europe's prior written consent and subject to compliance with applicable data protection laws]

  5. not to use any "deep-link", "robot", or other automatic or manual device, software, program, code, algorithm or methodology, to access, copy or monitor any portion of Shelly Integrator API, its website or in any way reproduce or circumvent the navigational structure or presentation of the Shelly Integrator API.

  6. not to gain or attempt to gain unauthorized access to any portion or features of Shelly Integrator API, Shelly App users devices, or any other system or network connected to them, by hacking, "password-mining" or using any other illegitimate method of accessing data.

  7. not to probe, scan or test the vulnerability of Shelly Integrator API, its website or any network connected to Shelly Integrator API or the website, nor breach the security or authentication measures of Shelly Integrator API or any network connected to it.

  8. not to use any device, technology or method to interfere or attempt to interfere with the proper functioning of Shelly Integrator API and its features or any transactions occurring on Shelly Integrator API, or with any other person's use of Shelly Integrator API, such as computer virus and/or malware/malicious software.

  9. not to take any action that would cause an unreasonably or disproportionately large load on the infrastructure of the Shelly Integrator API, its website or our systems or networks, or any systems, or networks connected to the website, to the Portal or to us or similar attack.

  10. not to use Shelly Integrator API or its website:

    • i. to harass, abuse, or threaten others or otherwise violate any person's legal rights.
    • ii. to violate any of the Shelly Europe's intellectual property rights or any third-party rights.
    • iii. to perpetrate any fraud, including but not limited to engage in or create any unlawful gambling, sweepstakes, or pyramid scheme.

(2) Shelly Europe has the right at its solo discretion to suspend, prohibit or limit access to Shelly Integrator API and/or some of its features temporarily or permanently by a specific Integrator or in general case of an established or assumed abuse by the Integrator or third parties of these Terms, the applicable law or any third party rights, as well as in compliance with an order of a competent authority and/or in fulfillment of a statutory obligation and in cases of unusually high traffic and other technical grounds. Shelly Europe shall not be liable for any eventual or sustained loss or damages to the Integrator that may occur as a result of such actions, nor is Shelly Europe obliged to provide any explanation or enter into any correspondence with the Integrator.

Art. 17 (1) The Integrator is obliged to settle his/her relations with an Internet provider of the local and mobile network and the services and settings of the operator necessary for the operation of the Shelly Integrator API.

(2) Shelly Europe shall not be liable for the improper functioning of Shelly Integrator API when it is due to lack of or low quality of the Internet connection.

Art.18. The Integrator is responsible for establishing, implementing, and maintaining appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of all data accessed, received, or derived using Shelly Integrator API. This includes, but is not limited to:

  1. ensuring secure access to the Shelly Integrator API and associated systems (e.g., use of HTTPS, authentication via secure credentials or tokens).

  2. preventing unauthorized access, disclosure, or alteration of data.

  3. safeguarding stored data, logs, and backups using industry-standard encryption and access controls.

  4. monitoring for and responding to security incidents or breaches in a timely manner.

The Integrator shall promptly notify Shelly Europe of any actual or suspected security breach related to data accessed through Shelly Integrator API and cooperate fully in any related investigation or mitigation efforts.

Art.19 (1) By using Shelly Integrator API, the Integrator acknowledges that acts as independent data controller concerning any personal data they access, collect, or process. The Integrator is solely responsible for determining the purposes and means of the processing of personal data within its own services and shall ensure that all such processing complies with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), where applicable and must be able to demonstrate compliance with applicable data protection laws.

(2) The Integrator further represents and warrants that it has obtained all necessary rights, consents, and legal bases to collect, process, and transfer such data through Shelly Integrator API in connection with the services it provides to its own users or customers.

(3) To the extent required by data protection laws applicable to the parties processing of personal data under these Terms, the parties agree to be bind by Controller-to-Controller data protection terms hereto as Exhibit 1. Nothing in the Agreement shall be construed as creating a joint controller or processor-subprocessor relationship between the Integrator and Shelly Europe.

(4) Any misuse of Shelly Integrator API, including unauthorized access, data breaches, or non-compliance with data protection obligations, may result in immediate suspension or termination of the Integrator's licenses granted herein.

VII. License for use of the Shelly Integrator API

Art.20. Subject to and in consideration of your full compliance with the Terms, Shelly Europe grants to the Integrator for the entire term of Your use of the Shelly Integrator API and throughout the world the non-exclusive, revocable, personal, worldwide, royalty-free, non-assignable non-sublicensable license to use the Shelly Integrator API solely for the purpose of integrating his service with Shelly Integrator API.

Art.21. If the Integrator provides any Suggestions to Us, We will be entitled to use the Suggestions without restriction. The Integrator hereby irrevocably assigns to Us all right, title, and interest in and to the Suggestions and agrees to provide Us any assistance we require to document, perfect, and maintain our rights in the Suggestions.

VIII. Intellectual Property and Confidentiality

Art.22. (1) Shelly Europe has and retains all its rights over the intellectual property on or related in some way to the Shelly Integrator API, including but not limited to its software, design, interface, code, content, functionalities, logos, graphic images or inscriptions, commercial symbols, dynamic symbols, texts and/or multimedia Content, documentation, and any related materials, etc. irrespective of whether these are its own or received by way of contractual licenses or in any other manner.

(2) All Shelly trademarks, service mark, trade names, logos, domain names, and any other features of the Shelly brand (Shelly Brand Features) are sole intellectual property of Shelly Europe or Shelly Europe has all rights on their use. These Terms do not grand the Integrator any rights to use any Shelly or its Brand Features, whether for commercial and non-commercial purposes.

(3) Nothing in these Terms shall be deemed permission on the part of Shelly Europe to the Integrator to reproduce, copy, recompile, disassemble, reverse engineer, create derivative works or modify in any other manner any part of Shelly Integrator API, including by entering any external content thereto.

Art.23. (1) The use of Shelly Integrator API is licensed, not sold or transferred to the Integrator, and Shelly Europe retains ownership of all copies.

(2) You may be given access to certain non-public information, software, and specifications relating to Shelly Integrator API ("Confidential Information"), which is confidential and proprietary to Shelly Europe. You may use Confidential Information only as necessary in exercising your rights granted under these Terms. You may not disclose any Confidential Information to any third party without Shelly Europe's prior written consent. You agree that you will protect any Confidential Information from unauthorized use, access, or disclosure in the same manner that you would use to protect your own confidential and proprietary information.

Art.24. (1) Shelly Integrator API is intended exclusively for commercial use by the Integrator. Each Integrator may only use the Shelly Integrator API to perform legitimate business activities. Any unauthorized use of Shelly Integrator API is strictly prohibited.

(2) To protect the legitimate interests of Shelly Europe, the Integrator shall:

  1. refrain from any actions that could harm the reputation, integrity, or functionality of Shelly Integrator API.

  2. not engage in any competitive activities, including developing or promoting services that directly compete with Shelly Integrator API.

  3. not misuse the Shelly Integrator API in a way that violates applicable laws, regulations, or contractual obligations.

Art. 25. In case of violation of art.24 by Integrator Shelly Europe shall have the right to suspend or terminate access and seek indemnification for the suffered thereof damages and losses.

IX. Limitation of Liability

Art.26. (1) The Integrator is solely responsible for his use of Shelly Integrator API and for any direct, indirect, incidental, special, punitive or consequential loss or damages, including any loss of business or profit, arising out of any use, or inability to use, that may occur to him, or any third party including but not limited Shelly App Users. THE ACCESS AND USE OF SHELLY INTEGRATOR API ARE AT THE INTEGRATOR'S SOLE RISK AND IS PROVIDED "AS IS," "AS AVAILABLE." SHELLY EUROPE MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES ON MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THE SHELLY INTEGRATOR API, INCLUDING REGARDING THE UNINTERRUPTED AVAILABILITY, ERROR-FREE OPERATION, OR FITNESS FOR A PARTICULAR PURPOSE.

(2) The Integrator will exercise and rely solely on his own skill and judgment within the use of Shelly Integrator API. Any access, management or control of Devices maintained by the Integrator are the sole responsibility of the Integrator and for any consequences thereof - for any direct, indirect, incidental, special, punitive or consequential loss or damages, including any loss of business or profit, arising out of any use, or inability to use, that may occur, including the use of those actions by Shelly App User, other users of services, employees, agents, consultants, directors, officers, representatives, consultants, etc. The Integrator shall at his own expenses and risks ensure that his use of Shelly Integrator API complies with all applicable legal requirements.

(3) Shelly Europe shall not be held liable for any loss or damages that may occur for the Integrator or any third party including but not limited Integrator's customers, employees, agents, consultants, directors, officers, representatives, consultants, partners, etc. in case any malfunctions of the Shelly Integrator API occur or the Shelly Integrator API became fully or partially unusable, or Shelly device is damaged due to improper control, maintained by the Integrator causing harmful behavior of the configuration.

(4) Shelly Europe shall not be liable for any damages, losses, or liabilities arising from:

  1. any unauthorized access to a Shelly app User's devices resulting from Integrator's failure to protect their credentials or implement adequate security measures.

  2. any actions, modifications, or data processing activities performed by the Integrator while accessing a Shelly App user's device, as each Integrator is solely responsible for their use of Shelly Integrator API.

  3. any consequences that arise from Shelly App User's granting Integrators with read or read and control access to their devices.

(5) Shelly Europe has no liability to the Integrator, nor any obligation to provide compensation in connection with internet or other service outages or failures that are caused by third parties or events beyond Shelly Europe's control.

(6) Shelly Europe makes no representations, warranties or guarantees, whether express or implied that Shelly Integrator API will operate without defect, interruption or error, and no compensation can be claimed in case of direct or indirect damage of any kind caused by a failure of Shelly Integrator API or arising from use of Shelly Integrator API, including but not limited to indirect, incidental, punitive, exemplary, special or consequential damages, loss or leakage of data, loss of customers, loss of turnover, damage to image or loss of opportunity of any kind.

(7) Shelly Europe shall not be in default in the event of delay or non-performance due to a case of force majeure usually recognized by jurisprudence, for example in the event of a natural or climatic disaster, conflict involving the armed forces, act of terrorism, riot, epidemic, embargo, flood, shortage of energy or raw materials, cut-off or restriction of the Internet networks, etc. The case of force majeure suspends the obligations of Shelly Europe whose performance is thus prevented.

(8) The limitation of liability contained in these Terms shall apply to the fullest extent permitted by the applicable laws.

X. Indemnity

Art.27. The Integrator undertakes to defend, indemnify and hold Us and our affiliates harmless from and against all liabilities, damages, claims, actions, costs and expenses (including without limitation legal fees), in connection with or arising from the use or misuse of Shelly Integrator API, unauthorized access, Your breach of these Terms, or Yours conduct or actions. We may, if necessary, participate in the defence of any claim or action and any negotiations for settlement. No settlement (neither court nor contractual) which may adversely affect our rights or obligations including settlement of any claim that involves any commitment, including payment of money, shall be made without our prior written approval.

XI. Termination

Art.28. (1) The terms of using Shelly Integrator API will continue to apply until terminated by either the Integrator or Shelly Europe in the cases provided for in these Terms.

(2) The Integrator may terminate his agreement with Shelly Europe at any time by sending a notice to support@shelly.cloud The notice shall consist of information regarding the Integrator's credentials and email address. Upon receiving a valid termination request, We will review, respond to, and take the necessary actions to complete the termination within one (1) month from the date of receipt.

(3) Shelly Europe may terminate the agreement with the Integrator at any time for any reason, including, but not limited to: (i) The Integrator has violated these Terms or (ii) The Integrator create risk or possible legal exposure for Shelly Europe or Shelly App users; or (iii) our provision of Shelly Integrator API to the Integrator is no longer commercially viable iv.) misuse of access privileges is detected, data breaches, or non-compliance with data protection obligations v) an Integrator engages in fraudulent activities. vi) at our discretion with immediate effect without prior notice and stating any reasons, such termination shall not give rise to any liability for compensation, damages, or penalties vii) in all cases specified in the current Terms.

(4) Nothing in this section shall affect our rights to change, limit or stop the provision of Shelly Integrator API without prior notice.

(5) In the event of termination of our relationship, Shelly Europe shall permanently suspend all rights of use and access to Shelly Integrator API as of the date of termination and you will immediately stop using Shelly Integrator API. All licenses granted herein immediately expire and You must cease use of Shelly Integrator API.

XII. Personal Data

Art.29. (1) Upon filing an API access request, grounds for collection and processing personal data may arise and personal data might be processed. The purpose of the processing of the provided personal data is providing the use of Shelly Integrator API and the basis for the processing is the fulfilment of our contractual and pre-contractual obligations and our obligations under applicable law. We process your personal data when you access the Website for the purposes of the legitimate interests pursued by Us.

(2) We enable You to get acquainted, in an easy and user-friendly manner, with our Privacy Policy.

XIII. Marketing

Art.30. (1) Shelly Europe may provide Integrators with access to news, offers, and posts for engagement and knowledge-sharing.

(2) You may subscribe to our newsletter, and We will send You commercial messages regarding all commercial activities offered on Shelly Integrator API, including but not limited to new services, new Shelly Integrator API functionalities/features or promotional campaigns. We may also send you marketing information based on our legitimate interest.

(3) You are entitled to subscribe or unsubscribe from receiving such messages at any time by clicking on the unsubscribe link in the message.

(4) Shelly Europe reserves the right to contact the Integrator to request information about their use of Shelly Integrator API, including integration details and business use cases. We may prepare and publish a success story or case study for marketing and promotional purposes.

XIV. Miscellaneous

Art.31. (1) These Terms may be amended or modified unilaterally by Shelly Europe at any time at its sole discretion or if the amendments have been imposed by virtue of legal acts entered into force, and without an explicit prior notification to the Integrator. Such amendments shall be effective and binding upon the Integrator 14 days from the date of their publishing on Shelly Integrator API website.

(2) The Integrator, on his responsibility should read these Terms regularly and familiarize himself with the amendments (if any). Integrator's continued use of Shelly Integrator API and its functionalities following the implementation of amendments will constitute binding acceptance of those amendments.

Art.32. If any provision of these Terms is deemed as abolished, invalid or unenforceable, such provision shall be considered as severable, and shall not affect the validity and enforceability of the other provisions.

Art.33. Shelly Europe has the right to transfer all or part of its rights and obligations for service to its affiliates.

Art.34. All disputes arising out of the implementation of or in connection with these Terms shall be settled by mutual negotiation. In event of failure to reach a mutual agreement by negotiation, all disputes shall be governed and construed in accordance with the laws of Republic of Bulgaria. You agree to submit to the exclusive jurisdiction of the competent Bulgarian court all disputes, controversies or disagreements which may arise, in relation to these Terms.


Exhibit 1 — Controller-to-Controller Data Protection Terms

Shelly Europe and the Integrator have entered into an agreement for the provision of Shelly Integrator API (as amended from time to time, the "Agreement").

These Controller-to-Controller data protection terms ("Controller Terms") are entered into by Shelly Europe and the Integrator and supplement the Agreement. These Controller Terms will be effective and replace any previously applicable terms relating to their subject matter, from the Agreement's effective date.

These Controller Terms reflect the parties' agreement on the processing of Personal data.

I. Definitions

Art.1. In these Controller Terms, the following terms and expressions, when first capital letter (including when used in plural) shall have the meanings assigned to them in this article 1, unless the context otherwise requires no matter if used in plural or in singular:

  1. "Controller Terms" means this Controller-to-Controller data protection terms and all schedules.

  2. "The agreement" -- the General terms and conditions of Shelly Integrator API.

  3. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

  4. "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR.

  5. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

  6. "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  7. "EEA" means the European Economic Area.

  8. "Affiliates" means any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity. For the purposes of this definition, "control" means the direct or indirect ownership of more than 50% of the voting securities or other ownership interests of an entity, or the ability to direct the management or policies of such entity, whether through ownership, contract, or otherwise.

  9. "Data Incident" means any unauthorized access, acquisition, disclosure, alteration, loss, destruction, or misuse of personal data or other confidential information, whether accidental or intentional, that compromises the security, integrity, or confidentiality of such data. This includes, but is not limited to, data breaches, security vulnerabilities, system intrusions, or any event that may result in the unlawful or unintended processing of data.

The terms, "Commission", "Controller", "Data subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Third country" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

II. Purpose and Scope

Art.2. (1) Shelly Europe Ltd. provides Shelly Integrator Application Programming Interface (Shelly Integrator API) - a cloud-to-cloud API for integration, control and device status updates collection from Shelly devices under the terms and conditions of the Agreement.

(2) Shelly Integrator API enables Integrators to manage devices across single or multiple Shelly user accounts. It is designed for large-scale deployments and industrial use cases involving a big number of devices. Upon permission of the Shelly account user, the Service allows centralized streaming of status data from many shelly accounts to a single point for data ingest.

(3) The Integrator, as an independent business entity, will process personal data of Shelly account users.

(4) This Controller Terms governs the sharing of personal data between the Parties as independent controllers under the GDPR. In the event of conflict between the terms of the Agreement and this Controller Terms, the terms of the Controller Terms will take precedence regarding matters specifically related to the processing of personal data.

(5) The Parties acknowledge that they do not process personal data on behalf of each other and act as separate controllers determining their own purposes and means of processing. Each party will comply with the obligations applicable to it under the Data Protection Laws.

III. Processing of Personal Data

Art.3. In connection with the use of the Shelly Integrator API, the following categories of personal data may be shared between the Parties, subject to the permissions granted by the Shelly account user and solely for the purpose of enabling the integration and management of Shelly devices:

  1. Account Identification Data -- Shelly account user's e-mails;

  2. Device-Linked Metadata:

    • Device names or labels assigned by the user (e.g., "Living Room Sensor");
    • Device location data;
  3. Usage and Status Data:

    • Real-time and historical device status (e.g., on/off states, temperature readings, power consumption, etc.);
    • Time-stamped activity logs generated through use of the devices.
  4. Control interaction data:

    • Records of commands or settings initiated by the user or through the Integrator's interface;

(3) The parties shall not use the personal data for purposes other than those specified under these Controller Terms, including, but not limited to, the following profiling End-consumers for targeted advertising, selling or sharing data with third parties, unsolicited direct marketing, automated decision-making, disclosing data for competitor analysis, whether during or after the term of these Controller Terms.

(4) The Parties shall comply with all applicable Data Protection Laws.

Art.4. (1) Each Party shall ensure that it has valid legal ground for processing personal data.

(2) Both Parties shall maintain transparent privacy policies informing Data subjects of the nature and purpose of data processing.

V. Personnel Education

Art.5. (1) Each Party shall take reasonable steps to ensure the reliability of any employee, its Processors or sub-processors which may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal data, as strictly necessary for the purposes of these Controller Terms, and to comply with Applicable Laws in the context of that individual's duties to the relevant Party, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

(2) Each Party must ensure that employees and other parties who have access to personal data are authorized to process personal data on behalf of that Party. If such authorization expires or is withdrawn, access to the personal data must cease without undue delay.

(3) Each Party shall only authorize persons who need access to the personal data to fulfil their obligations under the Agreement, these Controller Terms and any other processing that is necessary to fulfil obligations to which the Party is subject.

(4) Each Party must ensure that persons authorized to process personal data on behalf of the Party are subject to obligations of confidentiality either by agreement or applicable law. The obligations of confidentiality shall survive the duration of these Controller Terms and/or employment relationship.

VI. Security and Data Breaches

Art.6. (1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data subjects, each Party shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk and to protect personal data against unauthorized access, loss, alteration, or disclosure.

(2) In assessing the appropriate level of security, each Party shall take account of the risks that are presented by processing, in particular from a Personal data breach. Security measures shall include but are not limited to: encryption of personal data in transit and at rest, access control and authentication mechanisms, regular security assessments and audits, incident response and breach notification procedures.

(3) Each Party shall carry out risk assessments to ensure that an appropriate security level is maintained at all times. The Party must ensure regular testing, analysis and assessment of the security measures, in particular with regard to ensuring sustained confidentiality, integrity, availability and robustness in processing systems and services, and the ability to quickly restore the availability of personal data in the event of an incident.

Art.7. (1) The Parties shall notify each other immediately and without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data or any Security incident, providing each other with sufficient information to allow themselves to meet any obligations to report or inform Data Subjects and/or the competent Supervisory Authority of the Personal data breach under the Data protection laws.

(2) The Parties shall cooperate and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach/Privacy incident.

(2.i) In the event of a Personal Data Breach or Security Incident if the Party has reasons to believe that such have occurred, the relevant Party shall notify the other Party immediately after becoming aware of the Security Incident/Personal Data Breach.

(2.ii) Such notification must be sent by email to the contact data of each party with the subject: "Service Provider's name/ Security Incident". This notification must include:

  • A description of the nature of the Security Incident/ Personal Data Breach, including to the extent possible, the categories and numbers of Data Subjects affected, and the categories and numbers of Personal Data records concerned.
  • The contact details of the appointed responsible persons or other relevant contact from whom information may be obtained;
  • A description of the likely consequences of the Security Incident/Personal Data Breach and
  • A description of the measures taken or proposed by the Party to address the Security Incident/Personal Data Breach, including, where appropriate, the actions taken to mitigate any adverse consequences.

(2.iii) The Parties agree and warrant that they will cooperate with each other so that each of them will be able to meet its obligation to notify Supervisory Authorities and/or the Data subjects of a Security Incident as required by the Data protection laws.

(2.iv) Each Party shall bear the full cost of the remedial actions taken in response to the Security Incident/Personal Data Breach.

(2.v) The Parties undertake and ensure that they regularly monitor the state of data protection and the relevant best practices and technologies for the maintenance of implemented technical and organizational measures in order to ensure a level of protection corresponding to the risks presented throughout the duration of these Controller Terms.

VII. Data Subject Rights

Art.8. (1) Each Party is responsible for responding to data subject requests related to the data it controls, including: right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art.18), right to data portability (Art. 20 GDPR), right to object and automated individual decision-making (Art. 21 GDPR).

(2) If a Party receives a data subject request concerning data controlled by the other Party, it shall forward the request within 5 days as of receipt.

(3) The Parties shall provide reasonable assistance to each other in ensuring compliance with data subject rights.

VIII. Data Protection Impact Assessment and Prior Consultation

Art.9. If requested the Parties shall provide reasonable assistance to each other with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which a Party reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to processing of personal data by, and taking into account the nature of the processing and information available to.

IX. Deletion of Personal Data

Art.10. (1) Each Party shall retain the shared personal data only for as long as necessary for the specified purposes in accordance with their own Privacy policies.

(2) Upon termination of these Controller Terms, both Parties shall securely delete any remaining shared data unless legal obligations require further retention.

X. Cooperation and Audit Rights

Art.11. (1) The Parties shall cooperate in good faith to ensure GDPR compliance, including providing necessary information upon request. This includes providing reasonable assistance in responding to inquiries, requests, audits or investigations from supervisory authorities, and to data subject requests where appropriate.

(2) If an audit reveals a breach in the obligations in the applicable Data Protection Law or these Controller Terms, the Party must rectify the breach as soon as possible. The other Party may require this Party to temporarily stop all or part of the processing activities until the breach has been rectified.

(4) Each Party shall pay its own costs associated with the audit. If an audit reveals significant breaches of the obligations under applicable Data Protection Law or these Controller Terms, this Party shall pay for the other's Party reasonable costs accrued from the audit.

(5) Both Parties shall assist each other in responding to regulatory investigations and data protection impact assessments. The Parties shall notify each other immediately and without undue delay upon receiving a request, starting a regulatory investigation, etc. from a competent supervisory authority regarding the processing of personal data under the Agreement and these Controller Terms. Such notification shall include sufficient information to enable both Parties to coordinate their response, fulfill any reporting obligations, and, where necessary, inform Data Subjects and/or the competent supervisory authority.

XI. Data Transfers Outside the EEA

Art.12. (1) The Parties acknowledge that Personal Data may be transferred between them in their respective capacities as independent Data Controllers, including transfers to or from jurisdictions within and outside the European Economic Area ("EEA"). Each Party shall ensure that any such transfer of Personal Data complies with applicable data protection laws, including the GDPR, and shall not cause the other Party to be in breach of its obligations under those laws.

(2) Transfer to Third countries or international organizations may only take place if there are the necessary guarantees of an adequate level of data protection in accordance with the applicable Data Protection Laws. Such transfers shall be made on the basis of:

  1. A valid adequacy decision by the European Commission pursuant to Article 45 GDPR, confirming that the recipient country ensures an adequate level of data protection; or

  2. In the absence of such a decision, appropriate safeguards in accordance with Article 46 GDPR, including the use of the European Standard Contractual Clauses adopted by the European Commission, as updated or replaced from time to time (Appendix № 1). For the purposes of the EU SCCs, Shelly Europe is the data exporter, and the Integrator is the data importer.

(3) Each Party agrees to provide reasonable cooperation, upon request, to enable the lawful transfer of Personal Data, including the execution of additional safeguards or documentation as required. Transfers shall be suspended or adjusted as necessary when the legal basis for the transfer is no longer valid or adequate safeguards cannot be ensured.

(4) If the Integrator transfers data without complying with the applicable Data Protection Laws, the Integrator shall be fully liable for the transfer and any resulting adverse consequences. This includes, but is not limited to, regulatory fines, penalties, claims, or any other legal or financial liabilities imposed due to non-compliance. The Integrator shall indemnify and hold Shelly Europe Ltd. and/or its affiliates, its and/or subsidiaries and/or their representatives harmless from any damage arising from such unauthorized data transfer.

XII. Liability and Indemnification

Art.13. (1) Each Party shall be responsible for its own compliance with GDPR and Data protection laws.

(2) If a Party reasonably believes that the other Party or its Processors/Sub-processors do not comply with its obligations under the Agreement and/or the Controller Terms, the Party shall have the right to suspend or terminate all or any part of these Controller Terms, effective on the date on which the Processor is so notified by the Controller, which notification shall be sent by registered mail, return receipt requested.

(3) The Integrator shall be liable in full for any and all damage suffered by Shelly Europe and/or its affiliates, its and/or subsidiaries and/or their representatives as a result of personal data breaches due to reasons related to the Integrator or its Processors/Sub-processors' data processing activities. In the event that administrative sanctions are imposed and/or damages are paid to Data Subjects due to a failure by the Integrator to comply with its obligations under these Controller Terms and/or its obligations under the Data Protection Laws, the Integrator shall be liable to reimburse Shelly Europe and/or its subsidiaries and/or their representatives in full for the administrative sanctions and damages paid by them.

(4) The Integrator shall indemnify and hold harmless Shelly Europe, its affiliates, subsidiaries and their representatives from and against any and all actions or claims by third parties -- including Data Subjects, and from and against any administrative fines imposed on Shelly Europe by a supervisory authority for an alleged breach of Applicable Data Protection Law caused by the failure of the Integrator or any of its Sub-Processors to comply with the data processing obligations under these Controller Terms or the applicable law.

XIII. Term and Termination

Art.14. (1) These Controller Terms may be terminated:

  1. Upon termination of the Agreement.

  2. By mutual consent of the Parties.

  3. Unilaterally by a Party upon written notification with immediate effect, if that Party reasonably believes that the other Party or its Processors/Sub-processors do not comply with obligations under these Controller Terms.

  4. Shelly Europe may terminate these Controller Terms upon written notice if the Integrator: (i) fails to correct a material breach of its obligations under these Controller Terms within fifteen (15) days after receipt of written notification of such material breach; (ii) ceases to carry on business as a going concern; or (iii) initiates a bankruptcy, reorganization or insolvency proceeding, or has such a proceeding initiated against it, makes an assignment for the benefit of creditors, or consents to the appointment of a trustee.

(2) Upon termination of these Controller Terms for any reason or cause whatsoever, each Party shall securely delete or return shared data unless legally required to retain it.

XIV. Miscellaneous

Art.15. All disputes arising out of the implementation of or in connection with these Controller Terms shall be settled through negotiations between the parties. When the Parties fail to achieve an agreement through negotiations, all disputes related to the present contract (agreement) shall be settled in accordance with the Bulgarian Law by the jurisdiction of the competent Bulgarian court.

Art.16. (1) These Terms may be amended or modified unilaterally by Shelly Europe at any time at its sole discretion or if the amendments have been imposed by virtue of legal acts entered into force, and without an explicit prior notification to the Integrator. Such amendments shall be effective immediately and shall be binding upon the Integrator 14 days from the date of their publishing on Shelly Integrator API website. Amendments may have retroactive effect.

(2) The Integrator, on his responsibility should read these Controller Terms regularly and familiarize himself with the amendments (if any). Integrator's continued use of Shelly Integrator API and its functionalities following the implementation of amendments will constitute binding acceptance of those amendments.

Art.17. If any provision of these Controller Terms is deemed as abolished, invalid or unenforceable, such provision shall be considered as severable, and shall not affect the validity and enforceability of the other provisions.

Art.18. Shelly Europe has the right to transfer all or part of its rights and obligations for service to its affiliates.


Appendix 1 — Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES

Section I

Clause 1 — Purpose and scope

  • (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.

  • (a) The Parties:

    • (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter "entity/ies") transferring the personal data, as listed in Annex I.A. (hereinafter each "data exporter"), and
    • (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each "data importer")

    have agreed to these standard contractual clauses (hereinafter: "Clauses").

  • (b) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

  • (c) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 — Effect and invariability of the Clauses

  • (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

  • (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 — Third-party beneficiaries

  • (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

    • (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    • (ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b);
    • (iii) Clause 9 - not applicable to controller to controller module.
    • (iv) Clause 12 - Module One: Clause 12(a) and (d);
    • (v) Clause 13;
    • (vi) Clause 15.1(c), (d) and (e);
    • (vii) Clause 16(e);
    • (viii) Clause 18 - Modules One: Clause 18(a) and (b);
  • (d) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 — Interpretation

  • (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

  • (e) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

  • (f) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 — Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 — Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 — Docking clause (Optional)

  • (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

  • (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

  • (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

Section II — Obligations of the Parties

Clause 8 — Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

  • (i) where it has obtained the data subject's prior consent;
  • (ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  • (iii) where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2 Transparency

  • (b) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:

    • (i) of its identity and contact details;
    • (ii) of the categories of personal data processed;
    • (iii) of the right to obtain a copy of these Clauses;
    • (iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
  • (g) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.

  • (h) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

  • (i) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3 Accuracy and data minimisation

  • (a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

  • (j) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.

  • (k) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4 Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation2 of the data and all back-ups at the end of the retention period.

8.5 Security of processing

  • (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter "personal data breach"). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

  • (b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

  • (l) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  • (m) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.

  • (n) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.

  • (o) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.

  • (p) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

8.6 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter "sensitive data"), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7 Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union3 (in the same country as the data importer or in another third country, hereinafter "onward transfer") unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

  • (i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
  • (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
  • (iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
  • (iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
  • (v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or
  • (vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8 Processing under the authority of the data importer

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9 Documentation and compliance

  • (a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.

  • (q) The data importer shall make such documentation available to the competent supervisory authority on request.

Clause 9 — Use of sub-processors

Module One: Transfer controller to controller — not applicable.

Clause 10 — Data subject rights

  • (a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.4 The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.

  • (r) In particular, upon request by the data subject the data importer shall, free of charge:

    • (i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
    • (ii) rectify inaccurate or incomplete data concerning the data subject;
    • (iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
  • (s) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.

  • (t) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter "automated decision"), which would produce legal effects concerning the data subject or similarly significantly affect him / her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject's rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:

    • (i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
    • (ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
  • (u) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.

  • (v) The data importer may refuse a data subject's request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.

  • (w) If the data importer intends to refuse a data subject's request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

Clause 11 — Redress

  • (a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

  • (b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

  • (x) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

    • (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
    • (ii) refer the dispute to the competent courts within the meaning of Clause 18.
  • (y) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

  • (z) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

  • (a) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 — Liability

  • (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

  • (b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

  • (c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

  • (d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

  • (e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13 — Supervision

  • (a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

    Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

    Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

  • (f) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

Section III — Local Laws and Obligations in Case of Access by Public Authorities

Clause 14 — Local laws and practices affecting compliance with the Clauses

  • (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

  • (g) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

    • (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
    • (ii) the laws and practices of the third country of destination-- including those requiring the disclosure of data to public authorities or authorising access by such authorities -- relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards5;
    • (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  • (h) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

  • (i) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

  • (j) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

  • (k) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 — Obligations of the data importer in case of access by public authorities

15.1 Notification

  • (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

    • (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
    • (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
  • (l) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

  • (m) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

  • (n) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

  • (o) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

  • (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

  • (p) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

  • (q) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

Section IV — Final Provisions

Clause 16 — Non-compliance with the Clauses and termination

  • (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

  • (r) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

  • (s) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

    • (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
    • (ii) the data importer is in substantial or persistent breach of these Clauses; or
    • (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

    In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

  • (b) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

  • (c) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 — Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Republic of Bulgaria.

Clause 18 — Choice of forum and jurisdiction

  • (a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

  • (d) The Parties agree that those shall be the courts of Republic of Bulgaria.

  • (e) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

  • (f) The Parties agree to submit themselves to the jurisdiction of such courts.

Appendix to the Clauses

Explanatory note:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

Annex I

A. List of Parties

Data exporter(s):

  1. Name: Shelly Europe Ltd. (As set forth in the Agreement)
    • Address: As set forth in the Agreement
    • Contact person's name, position and contact details: As set forth in the Agreement
    • Activities relevant to the data transferred under these Clauses: Shelly Europe's provision of services pursuant to the Agreement.
    • Signature and date: As set forth in the Agreement
    • Role (controller/processor): Controller

Data importer(s):

  1. Name: The party identified as the "Integrator" in the Agreement
    • Address: As set forth in the Agreement
    • Contact person's name, position and contact details: As set forth in the Agreement
    • Activities relevant to the data transferred under these Clauses: As set forth in the Controller Terms
    • Signature and date: As set forth in the Agreement
    • Role (controller/processor): Controller

B. Description of Transfer

Categories of data subjects whose personal data is transferred:

Data subjects -- Shelly App users, including the controller's representatives and contact-persons.

Categories of personal data transferred:

Data related to the use of a Shelly device.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

No special or sensitive categories of personal data will be processed.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous basis.

Nature of the processing:

Cloud based SaaS delivered via API access.

Purpose(s) of the data transfer and further processing:

To provide the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the term of the Agreement between Shelly Europe and the Integrator.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Not applicable.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13:

Commission for Personal Data Protection, Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" No. 2, Republic of Bulgaria.

Annex II — Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

The Integrator implements and maintains the following security measures to ensure confidentiality, integrity and availability of personal data (PD):

1. Information Security Program and Organization

  1. The Integrator maintains and will continue to maintain a documented Information Security Program that includes policies, procedures, and controls, including the Information Security Policy.
  2. The security of the personal data is a responsibility of the Integrator: it is responsible for the implementation and operation of the technical and operational security measures described in this document; and

2. Human Resources Security

  1. The Integrator conducts reasonable and appropriate background checks on all Integrator's staff in accordance with applicable laws and regulations as a part of the hiring process.
  2. The Integrator's staff access to personal data is bound by confidentiality and non-disclosure agreements.
  3. The Integrator conducts security awareness and data protection training for all its staff at least once per year.
  4. The Integrator has a formal disciplinary process in place to take action against employees who have committed an information security breach.

3. Physical Security Controls

  1. The Integrator's servers is hosted in data centers with a defined and protected physical perimeter, strong physical controls including but not limited to access control mechanisms, controlled delivery and loading areas, surveillance, security guards, uninterrupted power supply or fire protection in accordance with SOC 2, ISO/IEC 27001 or equivalent standards.
  2. The Integrator ensures that access to corporate facilities is tightly controlled to ensure only authorized personnel are allowed access.

4. Access Controls

  1. The Integrator maintains a formal access control policy and employs an access management system to control the Integrator's staff access to personal data.
  2. Access to highly sensitive systems such as data centers is controlled by secure log-on procedures.

5. Suppliers

  1. The Integrator performs due diligence on its subcontracted suppliers that access, process or store personal Data to ensure that suppliers maintain adequate physical, technical, organizational, and administrative controls based on the risk appropriate to their services provided.

6. Operational System Security and Encryption

  1. The Integrator maintains a formal software development life cycle that includes secure coding practices based on OWASP recommendations and related standards and will perform both manual and automated code reviews before the code is released into a production environment.
  2. The Integrator performs an external penetration test of applications on an annual basis to assess the security of the service.
  3. The Integrator maintains an isolated production environment that includes commercial-grade network management controls such as, but not limited to, load balancer, firewall, and intrusion detection system.
  4. The Integrator services supports the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.
  5. The Integrator encrypts personal data at rest.

7. Incident Response and Breach Notification

  1. The Integrator maintains procedures that ensure an appropriate response to security incidents addressing monitoring, investigation, response, and notification.

8. Business Continuity and Disaster Recovery

  1. The Integrator stores personal data redundantly at multiple locations in its hosting provider's data centers to ensure availability. The Integrator maintains backup and restoration procedures, which will allow recovery from a major disaster.
  2. The Integrator maintains a business continuity/disaster recovery plan ("BC/DR Plan"). The BC/DR Plan provides for the restoration of access to personal data, a continuation of operations during a range of short-term and long-term disaster events. The BC/DR Plan covers re-establishment of information technology environment(s) following an unplanned event impacting the data center, infrastructure, data or systems.
  3. The BC/DR Plan and related procedures are tested at least annually.

9. Personal Data Protection

  1. The Integrator maintains compliance with relevant legislation and contractual requirements including Data Protection Laws.

All rights reserved! Shelly Europe Ltd.


  1. Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision [...].
  2. This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.
  3. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
  4. That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.
  5. As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.