This Data Protection Addendum (hereinafter referred to as the "Addendum" or the "DPA") forms part of the License agreement regarding the use of the application of the Provider by the suppliers of products and/or services (hereinafter referred to as the "Agreement" or the “Principal Agreement”) between: (i) the Provider (hereinafter referred to as the "Provider" or the "Processor") and (ii) the supplier of products and/or services (the "supplier of products and/or services" or the "Controller").
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
1. Definitions
1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1. "Controller Personal Data" means any Personal Data processed by the Processor on behalf of the Controller pursuant to or in connection with the DPA;
1.1.2. "Processor" means the Provider or a Subprocessor;
1.1.3. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the applicable data protection or privacy laws of any other country;
1.1.4. "EU Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR;
1.1.5. "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.6. "Subprocessor" means any person contracted by the Provider to Process Personal Data on behalf of the Controller in connection with the Principal Agreement and the DPA; and
1.2. The terms, "Processor", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. The subject-matter of the processing of the Controller Personal Data
2.1. The purpose of this DPA is to define the conditions in which the Processor will carry out, on the Controller's behalf, the processing of the Controller Personal Data.
2.2. The Processor will process on the Controller's behalf the Controller Personal Data, namely the personal data of the clients (hereinafter also referred to as the "clients" or the "data subjects") that are ordering products and/or services from the Controller through the solution of the Provider.
2.3. As part of their contractual relations, the parties shall undertake to also comply with the EU Data Protection Laws, as and if the case may be.
3. Duration of the processing
The Processor will process on the Controller's behalf the Controller Personal Data during the validity period of the Principal Agreement.
4. Description of the processing
4.1. The nature of the Controller Personal Data processing
The Controller Personal Data will be collected, organized, structured, stored, consulted, used and disclosed, including by transmission.
4.2. The Controller Personal Data will be processed by the Processor for the purpose of concluding a contract between the client and the Controller regarding the products and/or services ordered by the client and in order to perform such contract as well as for the direct marketing communications purposes, as the case may be, as mentioned in the present DPA and/or otherwise agreed by the Processor.
4.3. The Controller Personal Data that will be processed by the Processor are the personal data provided by the data subjects when using the solution of the Provider and ordering products/and or services to the Controller [e.g. Name, surname, (delivery) address, phone no., email address, (geo)location data, IP addresses, as well as any other data the ordering clients have provided, except credit card details which will be captured directly by payment processors via a PCI compliant iFrame, in case the controller decided to accept online payments and consequently activated the PCI compliant direct communication via API with its merchant account opened with one of the API compliant merchant account providers,]
4.4. The clients that are ordering products and/or services to the Controller through the solution of the Provider are the category of the data subjects whose personal data will be processed.
4.5. The Processor will process the Controller Personal Data in accordance with the instructions mentioned in the present DPA as well as with other documented instructions from the Controller. For the sake of clarity, for the purpose of the present DPA the "documented instructions from the Controller" means the present DPA, any instructions that can be performed through the settings of the application of the Processor and any other instructions previously agreed by the Processor. The Controller may terminate this DPA if the Processor declines to follow instructions of the Controller, without any penalty for any Party. To the maximum extent permitted by the legal regulations in force, the Processor shall not be liable in any way in case an instruction infringes the GDPR or other Union or Member State data protection provisions.
4.6. The Processor will process the Controller Personal Data for the purpose of concluding a contract between the client and the Controller regarding the products and/or services ordered by the client and in order to perform such contract as well as for the direct marketing communications purposes, as follows:
4.6.1. The Processor, on the Controller's behalf, will collect from the clients the Controller Personal Data also for the purpose of concluding a contract between the client and the Controller
4.6.2. The Processor, on the Controller's behalf, will store the collected Controller Personal Data for the Controller into a database.
4.6.3. The Processor, on the Controller's behalf, will send communications to the clients on browser's web screen or on native app screen, via email (and via SMS if technically possible and at the request of the Controller) regarding information about confirmation or reject of the order or about the missed orders and about the delivery of the order and/or any other important and necessary details regarding the order, as the case may be, which include full order details including Controller Personal Data.
4.6.4. The Processor, on the Controller's behalf, will perform reports and store order history data, including Controller Personal Data related to those orders (or uploaded by the Controller, if technically possible, as the case may be).
4.6.5. The Processor, on the Controller's behalf, if technically possible and only with an approval or a request or with a documented instruction from the Controller, will send/make available/facilitate the access to the Controller's clients' full order data, including Controller Personal Data, for other data processors acting on behalf of the Controller and/or 3rd parties relevant for the acceptance or the fulfilment/processing of the clients' orders. The Controller is fully responsible for assuring that the additional entities to whom it instructs the Processor, by documented instruction, to give access to order details, including Controller Personal Data, will comply with the GDPR, as the case may be. Such access (sending/making available/facilitating the access) that a Controller may require or may approve or may instruct the Processor to provide by documented instruction may include, but is not limited to:
i. sending additional notification emails, some of them containing the client's order details, including Controller Personal Data, for further processing related to the order fulfilment;
ii. connecting 3rd party software for receiving the order details via APIs, including Controller Personal Data, for further processing related to the order fulfilment, as the Controller may require or may approve or may instruct the Processor by documented instruction, such as: order delivery software and/or riders, POS systems, printing solutions, loyalty platforms, PCI compliant payment gateways, analytics tools, billing and/or accounting software, messaging solutions that the Controller uses, etc.;
iii. granting multi-user access to additional employees, representatives, partners or collaborators of the Controller to the admin area of the Controller, especially to the order history or client list, including access to Controller Personal Data.
4.6.6. The Processor, on the Controller's behalf, will send to the Clients direct marketing communications, as and if the case may be. For sending such direct marketing communications the Controller is fully responsible for assuring that the consent from clients for performing such communication was properly obtained, in full compliance with GDPR and other applicable regulations.
4.6.7. The Processor, on the Controller's behalf, will process the requests of the Clients (requests to exercise Data Subject rights), especially the "unsubscribe request" from the direct marketing communications and the request to erase the personal data, all of them solely in relation with the database with the Controller Personal Data that the Processor keeps on the Controller's behalf. In case of the request to erase the personal data, the Processor will inform the Controller about such requests and will take reasonable steps to inform the other Processors of the Controller (namely the ones to which the Processor, with an approval or a request or with a documented instruction from the Controller, has facilitated the access via API or email, and the Partner of the Controller that had access in the admin area of the solution) which are processing the personal data, that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.
4.6.8. The Processor, on the Controller's behalf, will delete at the request of the Controller the Controller Personal Data indicated by the Controller.
4.6.9. The Processor, on the Controller's behalf, will delete at the termination of the Agreement, the database with the Controller Personal Data that the Processor keeps on the Controller's behalf.
5. Security of Processing
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate and necessary, the measures referred to in Article 32(1) of the GDPR.
5.2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
6. Subprocessing
6.1. The Controller grants to the Processor through the present DPA a general written authorization to engage any Subprocessors for processing the Controller Personal Data, in compliance with EU Data Protection Laws and without any prior formality.
6.2. Without affecting the generality of the foregoing and for the sake of clarity, the Controller agrees that the Processor will process the Controller Personal Data also through the following Subprocessors, as follows:
6.2.1. The information regarding the accounts and/or the payment cards of the clients will be transmitted to the respective parties that are processing the payments, in order to process the payments.
6.2.2. Additionally, the following information will be transmitted to the following categories of Subprocessors, for the following purposes and processing:
6.2.2.1. The client details, namely: last name, first name, email address, phone number, delivery address (if relevant), provided electronically together with the details of the order (excluding the details of the payment card, if the client has chosen the online payment process), will be (re)transmitted through email messenger operators (at the moment of the present version being Sendgrid Inc. and/or Peaberry Software Inc. d/b/a Customer IO and/or the Amazon SES service from Amazon.com Inc.) to the Controller and back to the client email address, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
6.2.2.2. If possible, the client details, namely: last name, first name, email address, phone number, delivery address (if relevant), provided electronically together with the details of the order (excluding the details of the payment card, if the client has chosen the online payment process), will be (re)transmitted through SMS messenger operators (at the moment of the present version being Twilio Inc.) to the Controller and back to the client, by SMS, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
6.2.2.3. If the client has chosen the online payment method, the client contact details, namely: last name, first name, email address, phone number, delivery address (if relevant), provided electronically together with the details of the client's order, will be transmitted along with: order session originating IP, card holder name, card expiration date, card number, CVV (if required); which may be directly captured via the iFrame of the relevant payment processors (at the moment of the present version being Spreedly Inc.) in full compliance with the PCI regulations, in order to process the payment to the supplier of products and/or services related to the client's order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the client's order.
6.2.2.4. Additionally, the Controller Personal Data will be sent to the data storage providers (at the moment of the present version being Amazon) in order to be stored.
7. Transfers of the Controller Personal Data to third countries
The Controller grants to the Processor through the present DPA a general written authorization to transfer the Controller Personal Data to third countries to be processed by the Subprocessors, in compliance with EU Data Protection Laws and without any prior formality. Without affecting the generality of the foregoing and for the sake of clarity, the Controller agrees that the Processor will transfer the following Controller Personal Data to the following countries, which may be considered third countries according to the GDPR, as follows:
A. Last name, first name, email address, phone number, delivery address (if relevant) will be sent to Sendgrid Inc., based in Denver, Colorado, USA, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
B. Last name, first name, email address, phone number, delivery address (if relevant) will be sent to Peaberry Software Inc. d/b/a Customer IO, based in New York, USA, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
C. Last name, first name, email address, phone number, delivery address (if relevant) will be sent to Twilio Inc., based in San Francisco, California, USA, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
D. Last name, first name, email address, phone number, delivery address (if relevant), order session originating IP, as well as any other data the ordering clients have provided (except credit card information), will be sent to Amazon.com Inc., based in Oregon, USA, in order to be stored and/or in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
E. If the Controller decided to accept online payments and consequently activated the PCI compliant direct communication via API with its merchant account opened with one of the API compliant merchant account providers, then the client's last name, first name, email address, phone number, delivery address (if relevant) will be sent along with order session originating IP, card holder name, card expiration date, card number, CVV (if required), which will be captured directly by the PCI compliant API of Spreedly Inc., based in Durham, North Carolina, USA, in order to process the order and in order to offer to the client the relevant notifications regarding the information about confirmation or rejection of the order or about the missed orders and about the delivery of the order.
8. Personal Data Breach
8.1. The Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Controller Personal Data Breach affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2. The Processor shall co-operate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Other obligations of the Processor
The Processor:
a) processes the personal data only in accordance with the present DPA and on the documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) ensures that persons authorized to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures regarding Security of Processing as mentioned in the DPA;
d) respects the conditions referred to in the present DPA for engaging another processor;
e) taking into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;
f) assists the Controller in ensuring compliance with the obligations regarding Security of Processing and Prior consultation taking into account the nature of processing and the information available to the processor;
g) at the choice of the Controller, deletes or returns all the Controller Personal Data after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
h) makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this article and allows for and contributes to necessary and reasonable audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
i) shall inform the Controller if it is unable to comply with the instructions, and the Beneficiary shall be entitled to suspend or cease the DPA without any penalty for any Party.
10. Other obligations of the Controller
The Controller will:
A. Document, in writing, any instruction bearing on the processing of data by the Processor;
B. Ensure, before and throughout the processing, compliance with the obligations set out in the General Data Protection Regulation on the Processor's part, as and if applicable.
11. General Terms
11.1. The terms used in the present DPA will have the meaning defined in the DPA, in the GDPR and in the Agreement, unless the context otherwise requires or it is otherwise provided herein.
11.2. In the event of any conflict or inconsistency between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement, in relation with the processing of the Controller Personal Data, the provisions of this Addendum shall prevail.
11.3. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.