Ekomi Plugin's Terms and Conditions

Data Minimisation

Data minimisation is the principle that personal data should be collected and processed only where it is essential for purposes that were clearly stated in advance, and should not be held or further used beyond that. In the General Data Protection Regulation (GDPR), this is expressed as the requirement that personal data be:

  • Adequate
  • Relevant
  • Limited to what is necessary for the purposes for which it is processed.

Privacy (and Data Protection) by design and by default is written into Article 25 of the EU GDPR.

Privacy by Design

Privacy by design means that any action a company undertakes that involves processing personal data must be carried out with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, the IT department, or any other department that processes personal data, must ensure that privacy is built into a system throughout the whole life cycle of that system or process. Until now, tacking security or privacy features on at the end of a long production process has been fairly standard practice; Article 25 no longer allows that.

Privacy by Default

Privacy by default means that once a product or service has been released to the public, the strictest privacy settings must apply by default, without any manual input from the end user. In addition, any personal data the user provides to enable a product's optimal use may only be kept for as long as is necessary to provide the product or service. If more personal data than is necessary to provide the service is collected or disclosed by default, then "privacy by default" has been breached.

Consent & Legal basis

"In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis," the GDPR explains in Recital 40. In other words, consent is just one of the legal bases you can use to justify your collection, handling and/or storage of people's personal data. Article 6 lists five other justifications:
  1. Processing is necessary to perform a contract to which the data subject is a party (or to take steps at the data subject's request before entering into one).
  2. You need to process the data to comply with a legal obligation.
  3. You need to process the data to protect someone's vital interests, for example to save their life.
  4. Processing is necessary to perform a task in the public interest or to carry out an official function.
  5. You have a legitimate interest in processing someone's personal data. This is the most flexible lawful basis, but the "fundamental rights and freedoms of the data subject" always override your interests, especially where the data concerns a child.

Roles: GDPR categorizes the data roles as follows:

As the data controller, you are responsible for the relationship with the data subject. You may instruct a third party (such as eKomi) to process the data on your behalf, but it is your job to set the purpose (or objectives) and the legal basis for that processing.

All third parties must abide by the terms agreed between the data controller and the data subject. To be sure of this, the data controller must have a Data Processing Agreement (DPA) in place with each processor. So if we pull and process a data subject's personal data on your behalf, what is processed and how it is processed must be agreed between you, as the data controller, and us in such a DPA, and you must ensure that you have established the required legal basis for the processing with the data subject beforehand.