Data Processing Agreement
to the Quandoo for Restaurants Service Terms ("Service Terms") by and between the Partner as set out in the Service Terms - hereinafter the "Data Controller" - and Quandoo Singapore Pte. Limited (UEN 201425226R), 77 Robinson Road #27-01, Robinson 77 Singapore (068896) - hereinafter the "Data Processor" - each a "Party", both the "Parties"
1. Scope
Data Processor is a provider of restaurant reservation and other related services, including reservation related communication to the diner as well as access to a database to manage restaurant reservations and data pertaining to such reservations (the "Database") (collectively the "Services").
Data Processor is wholly owned by Quandoo GmbH, KulturBrauerei, Schönhauser Allee 36, 10435 Berlin, who acts as a further, additional processor for all essential data processing. Appropriate inter-company data sharing agreements have been entered into to cover this relationship between the Data Processor and Quandoo GmbH.
Data Controller owns a restaurant and has subscribed to Data Processor's Services in accordance with the Service Terms entered into, of which this Data Processing Addendum forms part. In connection with the provision of the Services, Data Processor processes personal data entered by the Data Controller in the Database on behalf of the Data Controller.
This Data Processing Addendum (the "Addendum") contains the Parties' obligations regarding data protection, which arise in connection with the processing of data by the Data Processor on behalf of the Data Controller. In this Addendum, "data" and "personal data" shall have the meaning given to "personal data" in the Personal Data Protection Act 2012 of Singapore including as may be amended, modified, supplemented, substituted or replaced from time to time (collectively "Singapore DP Laws") and whereby such data or personal data as so defined is provided by Data Controller to Data Processor for processing pursuant to the Service Terms and/or this Addendum.
2. Description of the processing
Data Processor processes the personal data received from Data Controller as follows:
2.1 Object, Purpose and Type of processing
The object and purpose of the processing by the Data Processor, and the provision of the Database by the Data Controller to the Data Processor, is to enable the Data Controller to manage reservation requests and store data related to diners within the Database, as well as the provision of the Services by the Data Processor to the Data Controller. Data Processor may from time to time send certain communication on behalf of the Data Controller via E-mail or SMS to the diner regarding the status of their respective reservation(s) with Data Controller.
2.2 Duration of processing
The term of this Addendum shall match the term of the Service Terms.
2.3 Type of data
The following types/categories of data are included in the processed data:
• First and last name
• E-mail address
• Phone number
• Reservation details
• Special remarks or requests as entered by the Data Controller
• Name and e-mail address of Data Controller's employees if added to grant access to the Database.
2.4 Categories of affected persons
The following persons are affected by the data processing:
• Diners
• Employees of Data Controller
3. Data Controller's Rights and Obligations
3.1 Data Controller shall be responsible for compliance with and shall comply with the applicable Singapore DP Laws and all other data protection laws outside Singapore as may be applicable (collectively "Non-Singapore DP Laws") regarding the data to be processed. In particular, with respect to Data Controller, Data Controller agrees, undertakes, warrants and represents to Data Processor that Data Controller:
3.1.1 has exclusive control and responsibility for determining what personal data Data Processor may receive and process in connection with the Service Terms and this Addendum, and for providing clear instructions in writing to Data Processor on the requirements and handling of such receipt and processing;
3.1.2 is responsible for ensuring that all relevant individuals whose personal data is received, used, processed and/or otherwise handled in the performance of the Services ("data subjects") have been provided with sufficient information, in accordance with all applicable data protection laws, regarding the receipt, use, processing and handling of their personal data; and
3.1.3 is responsible for ensuring that there is a permitted legal basis for the receipt, use, processing and handling of personal data of the data subjects as required or contemplated in connection with the Services, including obtaining all necessary consents when required, in accordance with all applicable Singapore DP Laws and Non-Singapore DP Laws.
3.2 Data Controller shall promptly inform Data Processor if it discovers any errors and/or irregularities arising under any applicable Singapore DP Laws and Non-Singapore DP Laws during the effective period of the data processing pursuant to this Addendum or otherwise in connection with the provision of the Services.
4. Data Processor's Obligations
4.1 Data Processor shall process data from Data Controller only within the scope of Data Controller's instructions as contractually agreed as follows:
4.1.1 Processing by Data Processor of data shall be completed according to instructions from Data Controller. This Addendum and the Service Terms generally contain the instructions of Data Controller. However, Data Controller reserves the right to issue reasonable additional instructions on the nature, extent and method of data processing in writing. Where Data Processor is not able or not willing to comply with these additional instructions, Data Processor has the right to terminate this Addendum and the Service Terms with immediate effect by giving the Data Controller written notice.
4.1.2 The processing of personal data by Data Processor and Sub-processors shall take place:
(i) within the territory of the European Union or EEA; or
(ii) within the territories of countries with laws offering a level of data protection which is sufficiently comparable to Singapore DP Laws and Non-Singapore DP Laws, including EU law; or
(iii) within territories other than those under section 4.1.2(i) or section 4.1.2(ii) above, provided the personal data is transferred by Data Processor to a recipient for such processing in any of such territories who is -
(a) bound under a contract to provide a standard of protection of that personal data which is sufficiently comparable to the standard under Singapore DP Laws and which expressly specifies all the territories in which the processing of such personal data will take place; or
(b) a data intermediary (as defined under Singapore DP Laws) under the Asia-Pacific Economic Cooperation Privacy Recognition for Processors System or the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System; or
(iv) within any other territory or country other than those under section 4.1.2(i), section 4.1.2(ii) or section 4.1.2(iii) above, only with and subject to the prior consent of and in accordance with the instruction from Data Controller, as well as compliance with any applicable statutory requirements for data transfer to such territory or country. Provided that where Data Processor is obliged by law to transfer data to such territory or country, Data Processor shall notify Data Controller of such legal requirements before the start of the processing (provided that the relevant law does not prohibit such communication). If a Sub-processor is to be engaged, these requirements shall apply in addition to the provisions in section 8.
4.1.3 Data Processor will notify Data Controller in writing (e-mail to the e-mail address as specified during subscription is sufficient) if it believes that acting on or performing an instruction issued by Data Controller is in violation of any applicable Singapore DP Laws or Non-Singapore DP Laws. Data Processor is entitled to suspend the execution of the said instruction until such time as Data Controller has confirmed or modified it in writing to Data Processor such as to avoid the said violation.
4.1.4 Data Processor processes the data exclusively for the purposes as set out in the Service Terms and within the framework of the Data Controller's instructions. Data Processor may not use the data from Data Controller for its own purposes or pass it on to third parties, unless required by a legal obligation.
4.2 Data Processor shall design its internal processes to ensure compliance with the specific requirements of data protection within Data Processor's area of responsibility for the protection of the rights of the data subjects affected, in accordance with its obligations under this Addendum. Data Processor shall implement the technical and organizational measures as stipulated in Section 5 herein to adequately protect the data from misuse and loss.
4.3 Data Processor shall appoint a data protection officer if required to do so by Singapore DP Laws.
4.4 Data Processor entrusts only such employees with the data processing outlined in this Addendum who have been bound to confidentiality and have previously been familiarized with the provisions of Singapore DP Laws relevant to their work.
4.5 Data Processor shall promptly inform Data Controller in the event that it is aware of or has reason to believe that any breach/es of Singapore DP Laws has or have occurred in relation to the processing of personal data received from Data Controller under this Addendum.
4.6 Data Processor and Data Controller shall cooperate with any supervisory authorities with jurisdiction over the matters set out in this Addendum. Insofar as Data Controller is subject to an inspection by a supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the data processing by Data Processor, Data Processor shall provide all reasonable cooperation to Data Controller at the expense of the Data Controller.
4.7 Within 30 days after termination or expiry of this Addendum and/or upon request of Data Controller, Data Processor shall delete all personal data that was provided by Data Controller to Data Processor under this Addendum, unless otherwise required by any applicable law.
4.8 Data Processor shall assist Data Controller in complying with the obligations concerning the security of the processing of personal data, reporting requirements for data breaches to the relevant authority or data subjects, data protection impact assessments and prior consultations.
4.9 Data Processor is entitled to and may claim from Data Controller reasonable compensation for support services which are not included in the description of the Services, particularly data protection impact assessments and prior consultations, and which are not attributable to failures on the part of Data Processor.
5. Technical-organizational measures
5.1 Data Processor shall observe the principles of proper data processing and shall carry out all agreed measures in relation to the contractual handling of personal data received from Data Controller. Data Processor separates such processed data from other data inventory. Data Processor shall take the appropriate technical-organizational measures as may be contractually agreed and/or required by law and thus ensure that data processing is in accordance with its statutory obligations as data intermediary under Singapore DP Laws and Non-Singapore DP Laws, including EU law. The measures must particularly include adequate data security controls to ensure a level of protection appropriate to the risk in relation to confidentiality, integrity, availability and resilience of the system and must consider best practice, implementation costs and the nature, scope and purpose of the processing, as well as the different probability of occurrence and the severity of the risk for the rights and freedoms of natural persons. The technical-organizational measures described in Appendix 1 form part of this Addendum and are bindingly agreed.
5.2 The technical-organizational measures may be adjusted by Data Processor in the course of the contractual relationship with Data Controller, depending on technical and organizational development. Data Processor may implement alternative adequate measures for this purpose. In this respect, the safety level of the alternative measures must be at least as high as that of the specified measures.
6. Data Controller's Right of Inspection
6.1 Subject to written notice of no less than 30 business days and no more than once per contractual year, Data Controller shall be entitled to assure itself of the adequacy of the technical and organizational measures taken by Data Processor on Data Processor's premises during the regular business hours of Data Processor, without interrupting the business operations and subject to the prior conclusion and execution of a non-disclosure agreement by Data Controller with Data Processor. Data Controller shall reimburse Data Processor for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Data Controller and Data Processor shall mutually agree upon the scope, timing and duration of such audit, in addition to the reimbursement rate for which Data Controller shall be responsible.
6.2 Data Controller agrees that, alternatively to section 6.1 above, Data Processor may instead make available for Data Controller's review copies of certifications or reports demonstrating Data Processor's compliance with prevailing data security standards applicable to the processing of personal data received from Data Controller.
7. Rights of data subjects
7.1 Data Controller is solely and exclusively responsible for the fulfilment of and compliance with all statutory rights of all data subjects and other applicable persons under Singapore DP Laws and Non-Singapore DP Laws, including without limitation requests for information on, disclosure, deletion or marking/blocking and transfer of their personal data. Data Processor may not decide on or fulfil requests by such data subjects or other persons, unless requested or approved by Data Controller.
7.2 If a data subject contacts Data Processor directly with any request or enquiry regarding his personal data, Data Processor shall promptly forward the request or enquiry to Data Controller. If, under the provisions of the applicable Singapore DP Laws or Non-Singapore DP Laws, Data Controller is obliged to provide an individual or a data subject with information on the collection, processing or use of personal data received from Data Controller, Data Processor shall assist Data Controller in the provision of this information provided Data Controller has requested Data Processor to do so in writing and shall reimburse Data Processor for the costs incurred.
8. Sub-processors
8.1 Data Controller acknowledges and agrees that Data Processor may engage Sub-processors in connection with the provision of the Services.
8.2 As a condition to permitting Sub-processors, Data Processor will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection as those in this Addendum.
8.3 A current list of Sub-processors is accessible via our Subprocessors page. Data Controller expressly permits the engagement of the Sub-processors as set out on the aforementioned homepage, as Data Processor may amend or update from time to time. Data Controller is obliged to review the list continuously. Consent to the engagement of any new Sub-processor shall be deemed given if Data Controller does not object to the engagement of any new Sub-processor via e-mail notification to dataprotection@quandoo.com at the latest two weeks before the go-live date as specified on the aforementioned homepage.
8.4 Data Controller has the right to object to the engagement of any new Sub-processor for material reasons only and shall state those reasons in the abovementioned notification to Data Processor. Data Processor has the right to terminate this Addendum as well as the Service Terms in this case.
8.5 Data Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.
9. Liability
9.1 The Data Processor is liable to the Data Controller for any and all damages caused by its own culpable violation of this Addendum, or the violation of statutory obligations under applicable Singapore DP Laws, caused by the Data Processor, its employees or third parties acting on its behalf, when providing the Services. The Data Processor is not liable if it can prove that it has processed the data provided by the Data Controller exclusively in accordance with the Data Controller's instructions and the obligations in terms of applicable Singapore DP Laws specifically imposed on the Data Processor in its capacity as data intermediary.
9.2 The Data Controller shall indemnify and hold harmless the Data Processor from and against any and all liabilities, damages, penalties, fines, losses and/or expenses arising from and/or proceedings, actions and/or claims asserted against it by third parties based on, the Data Controller's breach of this Addendum and/or contravention of applicable requirements and/or obligations under Singapore DP Laws and/or Non-Singapore DP Laws.
9.3 The Data Controller's liability towards the Data Processor extends to fines imposed on the Data Processor, insofar as these are based on the Data Controller's breach of data protection obligations. If, as a result of such a breach of duty by the Data Controller a fine is imposed on the Data Processor, the Data Controller shall indemnify the Data Processor against the fine whereby the amount of the indemnification is based on the liability quota in the individual case. The Data Controller is liable for the amount equal to its share of responsibility for the violation sanctioned by the fine. The burden to prove that the sanctioned violation is not based on the Data Controller's breach of duty and that the Data Controller is not responsible for the violation, lies with the Data Controller.
9.4 The aforementioned liability of the Data Controller according to section 9.3 above is subject to the Data Processor's immediate notification to the Data Controller, in writing, of any event triggering liability, the Data Processor's inability/failure to recognize the alleged violation, and the Data Processor conducting any disputes, judicial or extrajudicial, only by mutual consent with the Data Controller. In particular, the Data Controller may demand that the Data Processor calls the competent courts and/or regulatory authorities to check any issued penalty notices, for which the Data Controller is liable to pay or reimburse the Data Processor, the applicable statutory fees, penalties, levies, damages, liabilities and/or costs and expenses arising from or incurred in connection with such process.
10. Miscellaneous
10.1 In the event that data received from Data Controller is endangered due to a levy of execution or confiscation, insolvency proceedings or any other similar events, Data Processor shall promptly notify Data Controller.
10.2 Where this Addendum provides for either Party to issue notice or request to the other Party, such notice or request (as the case may be) shall be issued in writing and in accordance with the applicable provisions of the Service Terms on the giving of a notice or request, unless otherwise expressly stated in this Addendum in relation to any specific notice or request.
10.3 Any and all modifications and/or amendments to this Addendum must be made in writing and signed by both Parties for them to be valid and effective.
10.4 Should any provision of this Addendum be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The ineffective or unenforceable provision shall be replaced by a provision which comes closest to its meaning and purpose.
10.5 In the event of a conflict between the Service Terms and this Addendum, this Addendum shall prevail.
10.6 This Addendum shall be governed by and construed in accordance with the laws of Singapore, and the courts of Singapore shall have exclusive jurisdiction over any dispute or difference arising from or under this Addendum.
Appendix 1 to the Addendum: Technical and organisational measures
Description of the technical and organisational security measures implemented by the Data Processor:
1. Entry Control
Measures to prevent unauthorized persons from gaining access to data processing systems processing or using personal data
☒ Alarm system
☒ Automatic entry control system
☒ Locking system with code barrier
☐ Biometric locking system
☐ Light barriers / motion detectors
☒ Key rule (key issuing etc.)
☐ Logging of visitors
☐ Careful selection of guard personnel
☒ Visitor pass
☒ Protection of building trays
☒ Chip card/transponder locking system
☒ Manual locking system
☐ Video surveillance of entrances
☒ Safety locks
☒ Person control by porter/at the entrances
☐ Careful selection of cleaning staff
☐ Compulsory wearing of authorization permits
2. Access Control
Measures to prevent data processing systems from being used without authorization
☒ Assignment of user permissions
☒ Password assignment
☒ Authentication with username and password
☒ Housing locks
☒ Locking external interfaces (USB etc.)
☒ Key rule (key issuing etc.)
☐ Logging of visitors
☒ Careful selection of guard personnel
☐ Use of intrusion detection systems
☒ Encryption of contents of smartphones
☒ Use of anti-virus software
☐ Use of a hardware firewall
☒ Creating user profiles
☐ Authentication with biometric procedures
☒ Assignment of user profiles to IT systems
☒ Use of VPN technology
☒ Safety locks
☒ Person control by porter/at the entrances
☐ Careful selection of cleaning staff
☐ Compulsory wearing of authorization permits
☒ Encryption of mobile data carriers
☐ Use of centralized smartphone administration software (e.g., for external deletion of data)
☒ Encryption of data carriers in laptops/notebooks
☒ Use of a software firewall
3. Permission Control
Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage
☒ Creating an authorization concept
☒ Number of administrators reduced to the "most necessary"
☒ Logging of access to applications, in particular when entering, changing and deleting data
☒ Physical deletion of data carriers before reuse
☒ Use of shredders or service providers (where possible with data protection label)
☒ Encryption of data carriers
☒ Rights management by system administrator
☒ Password guideline including password length and password change
☒ Secure storage of data carriers
☒ Proper destruction of data carriers (EN 15713 or DIN 32757)
☒ Logging of destruction
4. Transmission Control
Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged
☒ Use of leased lines or VPN tunnels
☐ Encryption of e-mails
☐ Documentation of the recipients of data and of the time periods of the planned transfer and of agreed clearance periods
☐ With physical transport: careful selection of transport personnel and vehicles
☒ Transfer of data in anonymized or pseudonymized form
☐ Creating an overview of regular polling and transfer processes
☐ With physical transport: safe transport containers/packagings
5. Input Control
Measures to ensure that it is possible to check and establish whether and by whom personal data have been inputted into data processing systems, modified or removed
☒ Logging of the input, modification and deletion of data
☒ Comprehensibility of input, modification and deletion of data by individual users (not user groups)
☒ Assignment of rights to input, modify and delete data on the basis of an authorization concept
☐ Creating an overview of which applications can be used to enter, change and delete which data
☐ Storage of forms from which data has been transferred to automated processing
6. Job Control (only if subcontractors are instructed)
Measures to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal or "Controller"
☒ Selection of the subcontractor under due diligence (in particular regarding data security)
☒ Written instructions to the subcontractor (e.g. by a contract on Data Processing on Behalf)
☒ Subcontractor has appointed a data protection officer
☒ Effective control rights against the subcontractor agreed
☐ Penalty for violations
☒ Prior examination and documentation of the technical and organizational measures taken by the subcontractor
☒ Obligation of subcontractor's employees to data secrecy
☒ Ensure the destruction of data after completion of the order
☐ Ongoing review of the subcontractor and its activities
7. Availability Control
Measures to ensure that personal data are protected from accidental destruction or loss
☒ Uninterruptible power supply (UPS)
☒ Devices for monitoring temperature and humidity in server rooms
☒ Fire and smoke alarm systems
☐ Alarm message for unauthorized access to server rooms
☐ Testing data recovery
☒ Storage of data backup in a safe, remote location
☐ In flood areas: server rooms above the water level
☒ Air conditioning in server rooms
☒ Protection sockets in server rooms
☒ Fire extinguishers in server rooms
☒ Creating a backup & recovery concept
☐ Creating an emergency plan
☒ Server rooms not under sanitary facilities
8. Separation Requirement
Measures to ensure that data collected for different purposes are processed separately
☒ Physically separate storage on specific systems or volumes
☒ Creation of an authorization concept
☐ Providing the data records with purpose attributes/data fields
☒ Definition of Database permissions
☐ Logical client separation (software side)
☐ Encryption of records processed for the same purpose
☒ With pseudonymized data: separation of the assignment file and storage on a separate, secure IT system
☒ Separation of the productive and test system