Karma and Merchant have entered into an agreement regarding Karma’s provision of the Services (the “Main Agreement”) of which this data processing agreement (“DPA”) shall form an integral part. All capitalized terms herein shall have the same meaning as set forth in the Terms of Service for Merchants unless otherwise stated herein.
1. Background and purpose
1.1 As part of the Main Agreement Merchant will be processing personal data on behalf of Karma.
1.2 Karma is the data controller and Merchant is the data processor in relation to the personal data processed under this DPA (the “Included Personal Data”). The Included Personal Data is described in the document in Schedule 1 (the “Instruction”).
1.3 This DPA governs the conditions for Merchant’s processing of, and access to, personal data on behalf of Karma in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation (“Applicable Legislation”).
1.4 The DPA comprises this document and the Instruction. In the event of any contradictions between this document and the Instruction or the Main Agreement, this document shall take precedence.
1.5 All terms defined in Article 4 of GDPR shall have the same meaning in the DPA, unless expressly stated otherwise.
2. Merchant’s Obligations
2.1 Scope of processing. Merchant shall only process Included Personal Data in accordance with the DPA, the Main Agreement and its applicable amendments, the GDPR, Applicable Legislation and Karma’s instructions, unless further processing is required under applicable EU or member state law to which Merchant is subject. In such case Merchant shall inform Karma of this legal obligation unless such disclosure is prohibited by law.
2.2 Security. Merchant shall implement appropriate technical and organizational measures to secure, in particular, Included Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as required pursuant to Article 32 in the GDPR.
2.3 Subprocessors. Karma hereby gives Merchant a general authorization to engage other processors to process Included Personal Data (“Subprocessors”). Merchant shall notify Karma at firstname.lastname@example.org of any intended addition or replacement of its Subprocessors. If Karma has not objected within ten (10) days from the notice, Karma is assumed to have approved the engagement. Subprocessors listed in Karma’s List of approved subprocessors are already approved by Karma and do not require prior notification. If Merchant engages Subprocessors, Merchant shall enter into a subprocessor agreement with the same obligations as in this DPA, with the exception that the Subprocessor may not retain another Subprocessor without Karma’s prior written approval. Merchant shall maintain an updated list of Subprocessors and shall submit a copy of the list to Karma upon request. In the event the Subprocessor fails to fulfil its obligations under the Subprocessor agreement, Merchant shall bear full liability to Karma for the performance of the Subprocessors’ work, undertakings, and obligations.
2.4 Third country transfers. Merchant may, by itself or through its Subprocessors, transfer Included Personal Data to third countries, provided that prior to commencing such transfer or provision of access, Merchant meets the requirements and undertakings which follow from the GDPR, which may include entering into EU Standard Contractual Clauses.
2.5 Requests from data subjects. Merchant shall implement appropriate technical and organisational measures to assist Karma to fulfil its obligation to respond to requests by data subjects to exercise their rights under Chapter III in the GDPR, such as the right of access, deletion, correction, and data portability.
2.6 Request of information. If a data subject, a supervisory authority or other third party requests information from Merchant regarding processing of Included Personal Data, then Merchant shall immediately notify Karma of the request and the Parties shall jointly agree on suitable actions. Merchant is not entitled to represent Karma or otherwise act on Karma’s behalf towards a data subject, authority or other third party.
2.7 Assistance and personal data breach. Merchant shall assist Karma to fulfil its obligations pursuant to Articles 32 to 36 in the GDPR, especially regarding security of processing and personal data breach. Merchant shall notify Karma without undue delay and within twenty-four (24) hours after Merchant has learned of a personal data breach.
2.8 Return of information. Merchant shall upon termination of the DPA or upon notice from Karma delete all Included Personal Data processed under the DPA, unless Merchant is required to retain the Included Personal Data pursuant to national law or EU law.
2.9 Audits by Karma. Merchant shall make available to Karma upon Karma’s request, all information necessary to demonstrate that Merchant is fulfilling its obligations under the DPA, the GDPR and Applicable Legislation. Merchant shall also enable and assist in audits, including inspections, which are conducted by Karma or by a third party authorised by Karma, at Karma’s cost.
2.10 Inspection by supervisory authority. Merchant shall enable inspections performed by authorised supervisory authorities to ensure a correct processing of Included Personal Data. Merchant shall comply with any decisions submitted by a supervisory authority regarding the security measures required to meet the security requirements set out in the GDPR and Applicable Legislation.
3. Confidentiality
3.1 In addition to any confidentiality obligations provided for in the Main Agreement, Merchant undertakes not to disclose Included Personal Data or other information on the processing of Included Personal Data to any third party without express instruction from Karma. This Section does not apply, however, to information which is disclosed to Subprocessors for the purpose of enabling these to fulfil their obligations under a Subprocessor agreement, information which is generally known (due to other reasons than a breach of the DPA), or information which Merchant is required to disclose under mandatory legislation or under a decision or ruling of a court of competent jurisdiction or another competent authority. In the latter case, Merchant shall inform Karma thereof immediately and request confidentiality in conjunction with the disclosure of the requested information.
3.2 Merchant shall ensure that each Subprocessor, employee or third party that is given access to Included Personal Data is subject to at least the same obligation of confidentiality as set forth in this Section 3.
3.3 The obligation of confidentiality pursuant to this Section 3 shall apply without limitation in time.
Merchant shall not receive compensation for measures which it takes in respect of processing of Included Personal Data in accordance with the DPA.
The DPA shall remain in force for as long as Merchant processes personal data on behalf of Karma.
6. Liability and indemnification
6.1 Merchant shall compensate Karma for any loss which Karma, a data subject, another natural or legal person, or a public authority incurs as a result of Merchant’s processing of Included Personal Data in contravention with the Instruction, the DPA, the GDPR or Applicable Legislation.
6.2 Any limitation of liability in any other agreement between the Parties shall not apply to any liability under this DPA.
7.1 This DPA shall supersede any prior agreements, arrangements and understandings between the Parties and constitutes the entire agreement between the Parties relating to the subject matter hereof.
7.2 All changes and amendments to the DPA shall be made in writing.
7.3 Neither Party shall be entitled to assign its rights and/or obligations under the Agreement, in whole or in part, without the prior written consent of the other Party.
7.4 Any dispute, controversy or claim arising out of or in connection with the DPA shall be settled in accordance with the dispute resolution clause in the Main Agreement.
All processing of Included Personal Data by Merchant on behalf of Karma shall be done in accordance with this Instruction.
Categories of data subjects
Categories of personal data and the nature and purpose of the processing
Access to Customer’s name for the purpose of identifying a Customer in order for Merchant to provide the food ordered by Customer and fulfill its obligations under the Main Agreement.
Access to food preferences, which may include dietary needs, in order for Merchant to provide food ordered by Customer and fulfill its obligations under the Main Agreement.
Access and storage of email address (subject to Customer giving its consent) in order for Merchant to promote its services to Customer through newsletters or similar.
Access to data on how often a Customer visits restaurants connected to Karma and whether the Customer has visited Merchant’s restaurant before, in order for Merchant to receive Customer insights.
Retention period or criteria for data retention
Merchant may process and store Included Personal Data, with the exception of email addresses, during the term of the Main Agreement. Merchant shall delete any stored personal data in accordance with Section 2.8 of the DPA within five (5) business days after termination of the Main Agreement.
Email addresses shall be deleted when a Customer unsubscribes from Merchant’s newsletter or similar, or otherwise withdraws its consent to receiving promotional material.