Data Processing Agreement

Data Processing Addendum to the Service Agreement ("Service Agreement") by and between the Partner as set out in the Service Agreement - hereinafter the "Data Controller" - and Quandoo UK Ltd., WeWork Waterloo, 10 York Road, London, SE1 7ND, United Kingdom - hereinafter the "Data Processor" - each a "Party", jointly the "Parties"


1. Scope

Data Processor is a provider of restaurant reservation and other related services, including reservation related communication to the diner as well as access to a database to manage restaurant reservations and data pertaining to such reservations (the "Database") (jointly the "Services").

Data Processor is wholly owned by Quandoo GmbH, KulturBrauerei, Schönhauser Allee 36, 10435 Berlin, who acts as a further, additional processor for all essential data processing. Appropriate inter-company data sharing agreements have been entered into to cover this relationship between the Data Processor and Quandoo GmbH.

Data Controller owns a restaurant and has subscribed to Data Processor's Services upon entering into the Service Agreement. Regarding the provision of the Services, Data Processor processes personal data entered by the Data Controller in the Database on behalf of the Data Controller.

This Data Processing Addendum (the "Addendum") contains the Parties' obligations regarding data protection, which arise in connection with the processing of data by the Data Processor on behalf of the Data Controller.

2. Description of the processing

Data Processor processes the personal data of Data Controller as follows:

2.1 Object, Purpose and Type of processing

The object and purpose of the processing is the provision of the Database to enable the Data Controller to manage reservation requests and store data related to diners within the Database, as well as the provision of the Services. Data Processor sends certain communication on behalf of the Data Controller via E-mail or SMS to the diner regarding the status of the respective reservation.

2.2 Duration of processing

The term of this Addendum shall match the term of the Service Agreement.

2.3 Type of data

The following types/categories of data are included in the processed data:

- First and last name

- E-mail address

- Phone number

- Reservation details

- Special remarks or requests as entered by the Data Controller

- Name and e-mail address of Data Controller's employees if added to grant access to the Database.

2.4 Categories of affected persons

The following persons are affected by the data processing:

- Diners

- Employees of Data Controller

3. Data Controller's Rights and Obligations

3.1. Data Controller and Data Processor are each responsible for compliance with and shall each comply with the applicable data protection laws regarding the data to be processed. In particular, with respect to Data Controller, Data Controller agrees that:

3.1.1 it has exclusive control and responsibility for determining what personal data Data Processor may process in connection with the Service Agreement and this Addendum, and for providing clear instructions in writing to Data Processor;

3.1.2. it is responsible for ensuring that data subjects have been provided with sufficient information, in accordance with all applicable data protection laws, regarding the processing of their personal data; and

3.1.3 it is responsible for ensuring that there is a legal basis for the processing of personal data of the data subjects, including obtaining all necessary consents when required, in accordance with data protection laws.

3.2. Data Controller shall promptly inform Data Processor if it discovers any errors and/or irregularities regarding the applicable data protection laws during the effective period of the data processing.

4. Data Processor's Obligations

4.1. Data Processor shall process data only within the scope of Data Controller's instructions as contractually agreed:

4.1.1 Processing by Data Processor shall be completed according to instructions from Data Controller. This Addendum and the Service Agreement generally contain the instructions of Data Controller. However, Data Controller reserves the right to issue reasonable additional instructions on the nature, extent and method of data processing in writing. Where Data Processor is not able or not willing to comply with these additional instructions, Data Processor has the right to terminate this Addendum and the Service Agreement by giving the Data Controller written notice.

4.1.2 The processing of personal data by Data Processor and Sub-processors shall take place (i) within the territory of the European Union or EEA and (ii) within the territories of third countries offering a level of data protection which is sufficiently comparable to EU law or (iii) where the processing of personal data is based on contractual safeguards such as the EU standard contractual clauses or binding corporate rules. Any other transfer to a third country requires prior consent and a respective instruction from Data Controller, as well as compliance with the statutory requirements for data transfer to a third country. An exception shall be made where Data Processor is obliged by law to transfer data to the third country. In this case, Data Processor shall notify Data Controller of such legal requirements before the start of the processing (provided that the relevant law does not prohibit such communication). If a Sub-processor is to be engaged, these requirements shall apply in addition to the provisions in section 8.

4.1.3. Data Processor will notify Data Controller in writing (e-mail to the e-mail address as specified in the Service Agreement is sufficient) if they believe an instruction issued by Data Controller is in violation of legal provisions. Data Processor is entitled to suspend the execution of the respective instructions until such time as Data Controller has confirmed or modified them in writing to Data Processor.

4.1.4. Data Processor processes the data exclusively for the purposes of the Service Agreement and within the framework of the instructions. Data Processor may not use the data for its own purposes or pass it on to third parties, unless required by a legal obligation.

4.2. Data Processor shall design its internal processes to ensure compliance with the specific requirements of data protection within Data Processor's area of responsibility and the protection of the rights of the data subjects affected. Data Processor shall implement the technical and organizational measures as stipulated in Section 5 herein to adequately protect the data from misuse and loss.

4.3. Data Processor shall appoint a data privacy officer if required to do so by law.

4.4. Data Processor entrusts only such employees with the data processing outlined in this Addendum who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.

4.5. Data Processor shall promptly inform Data Controller in the event of data breaches related to the processing of Data Controller's data under this Addendum.

4.6. Data Processor and Data Controller shall cooperate with any supervisory authorities with jurisdiction over the matters set out in this Addendum. Insofar as Data Controller is subject to an inspection by a supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the data processing by Data Processor, Data Processor shall provide all reasonable cooperation to Data Controller at the expense of the Data Controller.

4.7. Within 30 days after expiry of this Addendum and/or upon request of Data Controller, Data Processor shall delete all personal data that was provided under this Addendum.

4.8. Data Processor shall assist Data Controller in complying with the obligations concerning the security of the processing of personal data, reporting requirements for data breaches to the relevant authority or data subjects, data protection impact assessments and prior consultations.

4.9. Data Processor may claim reasonable compensation for support services which are not included in the description of the Services, particularly data protection impact assessments and prior consultations, and which are not attributable to failures on the part of Data Processor.

5. Technical-organizational measures

5.1 Data Processor shall observe the principles of proper data processing and shall carry out all agreed measures in relation to the contractual handling of personal data of Data Controller. Data Processor separates the processed data from other data inventory. Data Processor shall take the appropriate contractually agreed and technical-organizational measures required by law and thus ensure that data processing is in accordance with the statutory requirements and protection of the rights of the persons concerned. The measures must particularly include adequate data security controls to ensure a level of protection appropriate to the risk in relation to confidentiality, integrity, availability and resilience of the system and must consider best practice, implementation costs and the nature, scope and purpose of the processing, as well as the different probability of occurrence and the severity of the risk for the rights and freedoms of natural persons. The technical-organizational measures described in Appendix 1 form part of this Addendum and are bindingly agreed.

5.2 The technical-organizational measures may be adjusted by Data Processor in the course of the contractual relationship, depending on technical and organizational development. Data Processor may implement alternative adequate measures for this purpose. In this respect, the safety level of the alternative measures must be at least as high as that of the specified measures.

6. Data Controller's Right of Inspection

6.1. Upon no less than 30 business days' notice and no more than once per contractual year, Data Controller shall be entitled to assure itself of the adequateness of the technical and organizational measures taken by Data Processor on Data Processor's premises during the regular business hours, without interrupting the business operations and subject to the prior conclusion of a non-disclosure agreement. Data Controller shall reimburse Data Processor for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Data Controller and Data Processor shall mutually agree upon the scope, timing and duration of such audit, in addition to the reimbursement rate for which Data Controller shall be responsible.

6.2. Data Controller agrees that, in deviation of section 6.1 above, Data Processor may make available for Data Controller's review copies of certifications or reports demonstrating Data Processor's compliance with prevailing data security standards applicable to the processing of Data Controller's personal data.

7. Rights of data subjects

7.1 Data Controller is exclusively responsible for the fulfilment of the affected persons' statutory rights, including without limitation information on, disclosure, deletion or marking/blocking and transfer of their personal data. Data Processor may not decide on or fulfil requests addressed to them by affected persons, unless requested by Data Controller.

7.2 If a data subject contacts Data Processor directly, Data Processor shall promptly forward the request to Data Controller. If, under the provisions of the data protection law, Data Controller is obliged to provide an individual with information on the collection, processing or use of the personal data, Data Processor shall assist Data Controller in the provision of this information provided Data Controller has requested Data Processor to do so in writing and shall reimburse Data Processor for the costs incurred.

8. Sub-processors

8.1. Data Controller acknowledges and agrees that Data Processor may engage Sub-processors in connection with the provision of the Services.

8.2. As a condition to permitting Sub-processors, Data Processor will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection as those in this Addendum.

8.3. A current list of Sub-processors is accessible via our Subprocessors page. Data Controller expressly permits the engagement of the Sub-processors as set out on the aforementioned homepage. Data Processor may update this list from time to time. Data Controller is obliged to review the list continuously. Consent to the engagement of any new Sub-processor shall be deemed given if Data Controller does not object to the engagement of any new Sub-processor via e-mail notification to dataprotection@quandoo.com at the latest two weeks before the go-live date as specified on the aforementioned homepage.

8.4. Data Controller has the right to object to the engagement of any new Sub-processor for important reasons only and shall state those reasons in the abovementioned notification to Data Processor. Data Processor has the right to terminate this Addendum as well as the Service Agreement in this case.

8.5. Data Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.

9. Liability

9.1 In accordance with the legal regulations and statutory rules, the Data Processor is liable to the Data Controller for any and all damages caused by its own culpable violation of this Addendum, or the violation of statutory obligations under data protection requirements, caused by the Data Controller, its employees or third parties acting on its behalf, when providing the contractual services. The Data Processor is not liable if it can prove that it has processed the data provided by the Data Controller exclusively in accordance with the Data Controller's instructions and the obligations in terms of applicable data protection laws specifically imposed on the Processor.

9.2 The Data Controller shall indemnify and hold harmless the Processor from all claims asserted against it by third parties, based on the Data Controller's culpable breach of this Addendum or applicable data protection requirements.

9.3 The Data Controller's liability towards the Data Processor extends to fines imposed on the Data Processor, insofar as these are based on the Data Controller's breach of data protection obligations. If, as a result of such a breach of duty by the Data Controller a fine is imposed on the Data Processor, the Data Controller shall indemnify the Data Processor against the fine whereby the amount of the indemnification is based on the liability quota in the individual case. The Data Controller is liable for the amount equal to its share of responsibility for the violation sanctioned by the fine. The burden to prove that the sanctioned violation is not based on the Data Controller's breach of duty and that the Controller is not responsible for the violation, lies with the Data Controller.

9.4 The aforementioned liability of the Data Controller according to section 3 is subject to the Data Processor's immediate notification to the Data Controller, in writing, of any event triggering liability, the Data Processor's inability/failure to recognize the alleged violation, and the Data Processor conducting any disputes, judicial or extrajudicial, only by mutual consent with the Data Controller. In particular, the Data Controller may demand that the Data Processor calls the courts to check the issued penalty notices, whereby the Data Controller is liable to reimburse the Data Processor the costs and expenses incurred for such process in the amount of the statutory fees.

10. Miscellaneous

10.1. In the event that Data Controller's data is endangered due to a levy of execution or confiscation, insolvency proceedings or any other similar events, Data Processor shall promptly notify Data Controller.

10.2. Any modifications and/or amendments of this Addendum must be made in writing and signed by both Parties.

10.3. Should any provision of this Addendum be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The ineffective or unenforceable provision shall be replaced by a provision which comes closest to its meaning and purpose.

10.4. In the event of a conflict between the Service Agreement and this Addendum, this Addendum shall prevail.

10.5. This Addendum shall be governed by and construed in accordance with the laws of England and Wales, and the courts of London shall have exclusive jurisdiction.

Appendix 1 to the Addendum: Technical and organisational measures

Description of the technical and organisational security measures implemented by the Data Processor:

1. Entry Control

Measures to prevent unauthorized persons from gaining access to data processing systems processing or using personal data

☒ Alarm system
☒ Automatic entry control system
☒ Locking system with code barrier
☐ Biometric locking system
☐ Light barriers / motion detectors
☒ Key rule (key issuing etc.)
☐ Logging of visitors
☐ Careful selection of guard personnel
☒ Visitor pass

☒ Protection of building trays
☒ Chip card/transponder locking system
☒ Manual locking system
☐ Video surveillance of entrances
☒ Safety locks
☒ Person control by porter/at the entrances
☐ Careful selection of cleaning staff
☐ Compulsory wearing of authorization permits

2. Access Control

Measures to prevent data processing systems from being used without authorization

☒ Assignment of user permissions
☒ Password assignment
☒ Authentication with username and password
☒ Housing locks
☒ Locking external interfaces (USB etc.)
☒ Key rule (key issuing etc.)
☐ Logging of visitors
☒ Careful selection of guard personnel
☐ Use of intrusion detection systems
☒ Encryption of contents of smartphones
☒ Use of anti-virus software
☐ Use of a hardware firewall

☒ Creating user profiles
☐ Authentication with biometric procedures
☒ Assignment of user profiles to IT systems
☒ Use of VPN technology
☒ Safety locks
☒ Person control by porter/at the entrances
☐ Careful selection of cleaning staff
☐ Compulsory wearing of authorization permits
☒ Encryption of mobile data carriers
☐ Use of centralized smartphone administration software (e.g., for external deletion of data)
☒ Encryption of data carriers in laptops/notebooks
☒ Use of a software firewall

3. Permission Control

Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage

☒ Creating an authorization concept
☒ Number of administrators reduced to the "most necessary"
☒ Logging of access to applications, in particular when entering, changing and deleting data
☒ Physical deletion of data carriers before reuse
☒ Use of shredders or service providers (where possible with data protection label)
☒ Encryption of data carriers

☒ Rights management by system administrator
☒ Password guideline including password length and password change
☒ Secure storage of data carriers
☒ Proper destruction of data carriers (EN 15713 or DIN 32757)
☒ Logging of destruction

4. Transmission Control

Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged

☒ Use of leased lines or VPN tunnels
☐ Encryption of e-mails
☐ Documentation of the recipients of data and of the time periods of the planned transfer and of agreed clearance periods
☐ With physical transport: careful selection of transport personnel and vehicles

☒ Transfer of data in anonymized or pseudonymized form
☐ Creating an overview of regular polling and transfer processes
☐ With physical transport: safe transport containers/packagings

5. Input Control

Measures to ensure that it is possible to check and establish whether and by whom personal data have been inputted into data processing systems, modified or removed

☒ Logging of the input, modification and deletion of data
☒ Comprehensibility of input, modification and deletion of data by individual users (not user groups)
☒ Assignment of rights to input, modify and delete data on the basis of an authorization concept

☐ Create an overview with which applications which data can be entered, changed and deleted
☐ Storage of forms from which data has been transferred to automated processing

6. Job Control (only if subcontractors are instructed)

Measures to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal or "Controller"

☒ Selection of the subcontractor under due diligence (in particular regarding data security)
☒ Written instructions to the subcontractor (e.g. by a contract on Data Processing on Behalf)
☒ Subcontractor has appointed a data protection officer
☒ Effective control rights against the subcontractor agreed
☐ Penalty for violations

☒ Prior examination and documentation of the technical and organizational measures taken by the subcontractor
☒ Obligation of subcontractor's employees to data secrecy
☒ Ensure the destruction of data after completion of the order
☐ Ongoing review of the subcontractor and its activities

7. Availability Control

Measures to ensure that personal data are protected from accidental destruction or loss

☒ Uninterruptible power supply (UPS)
☒ Devices for monitoring temperature and humidity in server rooms
☒ Fire and smoke alarm systems
☐ Alarm message for unauthorized access to server rooms
☐ Testing data recovery
☒ Storage of data backup in a safe, remote location
☐ In flood areas: server rooms above the water level

☒ Air conditioning in server rooms
☒ Protection sockets in server rooms
☒ Fire extinguishers in server rooms
☒ Creating a backup & recovery concept
☐ Creating an emergency plan
☒ Server rooms not under sanitary facilities

8. Separation Requirement

Measures to ensure that data collected for different purposes are processed separately

☒ Physically separate storage on specific systems or volumes
☒ Creation of an authorization concept
☐ Providing the data records with purpose attributes/data fields
☒ Definition of Database permissions

☐ Logical client separation (software side)
☐ Encryption of records processed for the same purpose
☒ With pseudonymized data: separation of the assignment file and storage on a separate, secure IT system
☒ Separation of the productive and test system