Data processing

PROCESSING OF PERSONAL DATA

This addendum („Addendum”) is concluded between:

  • Ebriza Software SRL, with its registered office in Aleea Valeriu Bologa, no. 3, SC5, Cluj Napoca, Cluj County, tax identification number (CIF) 34933438, registration number with the Trade Register J12/2344/2017, („Ebriza”); and
  • A natural or legal person who uses the Ebriza platform and services for purposes within his/her commercial, industrial or production, artisanal or liberal activity („Beneficiary”)

Hereinafter referred to collectively as the „Parties” and, individually, as the „Party”.

WHEREAS

a. The Ebriza Platform is a software-as-a-service software program, dedicated to the HoReCa industry (hotels, restaurants, cafes), as well as to other types of individuals or legal entities, conducting business in other industries related or not to the HoReCa industry („Platform”);

b. The Platform is exclusively owned and operated by EBRIZA, and the Beneficiary uses the Ebriza Platform for purposes within its activity;

c. The Beneficiary has agreed to the general terms and conditions of use of the Platform („Contract”);

d. In the execution of the Contract, the Beneficiary processes personal data as an operator, and Ebriza processes personal data as a person authorized by the operator, within the meaning of the applicable legislation;

e. The Parties have decided, by mutual agreement, to supplement the Contract with the following contractual clauses, by concluding this Additional Act, in order to meet the obligations regarding the protection of personal data imposed by the applicable legislation.

THE FOLLOWING ARE AGREED

1. DEFINITIONS

Personal Data means any information regarding an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Data Subject means the natural person whose personal data are processed, as referred to in Annex 1;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Processor means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Subprocessor means any processor designated by the processor to process personal data;

Personal Data Breach means a breach of security which leads, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Relevant Personal Data means personal data processed by the processor on behalf of the controller, as described in Annex 1;

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Applicable Legislation means Law no. 677 of 21/11/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and supplemented, GDPR, any law implementing the GDPR or regulating the protection of personal data in Romania, as well as any statutory guides or codes of practice issued by the competent authorities;

Supervisory Authority means an independent public authority established by a Member State pursuant to Article 51 of the GDPR, as well as any other regulatory authority responsible for enforcing the applicable legislation on the protection of personal data;

Restricted State means a state outside the European Union and the European Economic Area, which the European Commission has not recognized as having an adequate level of protection, within the meaning of Art. 45 of the GDPR;

Standard Contractual Clauses means the standard clauses issued by the European Commission, in accordance with art. 46 of the GDPR, for the transfer of personal data to countries outside the European Union and the European Economic Area, which the European Commission has not recognized as having an adequate level of protection, within the meaning of art. 45 of the GDPR;

Services means the services provided by the parties in the performance of the Contract.

2. QUALITIES OF THE PARTIES IN THE PROCESSING OF PERSONAL DATA

2.1. In the Processing of Relevant Personal Data, Ebriza has the capacity of Authorized Person („Authorized Person”), and the Beneficiary has the capacity of Operator („Operator”).

2.2. The Parties will Process Relevant Personal Data in accordance with the obligations provided for in this Additional Act. Separate from the obligations provided for in this Additional Act, each of the Parties will comply with its own obligations imposed by the Applicable Legislation.

3. PROCESSING OF PERSONAL DATA

3.1. The Processor shall process the Relevant Personal Data of the Data Subjects only for the purposes set out in Annex 1, and shall not otherwise Process the Relevant Personal Data except on the basis of documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless the Processor is required to do so by Applicable Law. In the latter case, to the maximum extent permitted by law, the Processor shall notify the Controller of this legal obligation prior to the Processing.

3.2. The Operator instructs the Processor and authorizes the Processor to instruct each Subcontractor to Process the Relevant Personal Data and to transfer the Relevant Personal Data to any third country, as necessary for the provision of the Services and the execution of the Contract.

4. THE PERSONNEL OF THE PROCESSOR

4.1. The Processor shall take reasonable steps to ensure compliance with the Applicable Law by each employee or collaborator who may have access to the Relevant Personal Data, ensuring in each case that access is strictly limited to persons who need to access the Relevant Personal Data, and that all such persons have received appropriate training in the field of Personal Data protection.

4.2. The Authorized Person shall ensure that all persons referred to in paragraph (1) are informed of the confidential nature of the Relevant Personal Data, are aware of the obligations of the Authorized Person as resulting from this Additional Act and from the provisions of the Applicable Legislation and that they have undertaken to respect confidentiality or have an appropriate statutory obligation of confidentiality.

5. USE OF SUBCONTRACTORS BY THE AUTHORIZED PERSON

5.1. The Operator authorizes the Authorized Person to use Subcontractors, under the conditions provided for in this Additional Act, in connection with the Processing of Relevant Personal Data.

5.2. The Authorized Person shall ensure that each Subcontractor is capable of ensuring the level of protection of Relevant Personal Data as required in this Additional Act including, without limitation, by providing sufficient guarantees to implement appropriate technical and organizational measures, in a manner that ensures the Processing in accordance with the requirements of the GDPR and this Additional Act.

5.3. The Processor shall enter into a contract with each Subcontractor and shall include in the contract with each Subcontractor obligations similar to those provided for in this Addendum incumbent on the Processor with regard to the Subcontractor's personnel, the security of the Processing of Relevant Personal Data and transfers to Restricted States, as well as with regard to the provision of sufficient guarantees for the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the Applicable Legislation.

5.4. The Data Processor shall inform the Operator of any planned changes regarding the addition or replacement of Subcontractors, the Operator having the right to object, on reasonable grounds, to the Subcontractor used by the Data Processor.

6. RIGHTS OF DATA SUBJECTS

6.1. The Data Processor shall assist the Operator and implement appropriate technical and organizational measures to assist the Operator in fulfilling the obligations arising from the exercise by Data Subjects of their rights regarding the protection of Personal Data.

6.2. The Data Processor shall notify the Operator and cooperate with it regarding any request by a Data Subject to exercise a right recognized by the Applicable Legislation in relation to the Relevant Personal Data.

7. SECURITY OF PERSONAL DATA

7.1. Taking into account the current state of development, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk with varying degrees of probability and severity for the rights and freedoms of Data Subjects, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to this risk, including, inter alia, where applicable:

a. pseudonymization and encryption of personal data;

b. the ability to ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services;

c. the ability to restore the availability of and access to the Relevant Personal Data in a timely manner in the event of a physical or technical incident;

d. a process for periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing.

7.2. When assessing the appropriate level of security, particular account shall be taken of the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the Relevant Personal Data transmitted, stored or otherwise processed.

8. PERSONAL DATA BREACH

8.1. The Processor shall notify the Controller without undue delay, but not later than 24 hours after the Processor has become aware of a Personal Data Breach in relation to the Relevant Personal Data.

8.2. The notification referred to in paragraph (1) shall at least:

a. describe the nature of the Personal Data Breach in relation to the Relevant Personal Data, including, where possible, the categories and approximate number of Data Subjects concerned, as well as the categories and approximate number of the Relevant Personal Data records concerned;

b. communicate the name and contact details of the data protection officer or another contact point from which further information can be obtained;

c. describe the likely consequences of the Personal Data Breach in relation to the Relevant Personal Data;

d. describe the measures taken or proposed to be taken to remedy the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

8.3. The Processor shall take immediate steps to investigate the Personal Data Breach in relation to the Relevant Personal Data and to identify, prevent and mitigate its effects as much as possible.

8.4. The Processor shall cooperate with the Controller and take reasonable steps in accordance with the Controller's documented instructions to address the Personal Data Breach in relation to the Relevant Personal Data.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

9.1. The Data Processor, taking into account the nature of the Processing and the information at its disposal, shall assist the Data Controller in ensuring compliance with the obligations set out in Articles 35 and 36 of the GDPR relating to the data protection impact assessment and prior consultation.

10. DELETION OR RETURN OF RELEVANT PERSONAL DATA

10.1. Upon termination of the provision of the Services involving the Processing of Relevant Personal Data, the Operator may request the Processor (i) to return to the Operator a copy of all Relevant Personal Data and to delete all copies of the Relevant Personal Data Processed by the Processor and/or (ii) to delete all Relevant Personal Data and to delete all copies of the Relevant Personal Data Processed by the Processor. The Processor shall act in accordance with the instructions received from the Operator, without undue delay.

10.2. By way of exception to the provisions of paragraph (1), the Processor may keep a copy of the Relevant Personal Data, to the extent that it is subject to a legal obligation in this regard and for the storage period imposed by the relevant applicable legislation.

11. INFORMATION TO THE OPERATOR AND AUDIT

11.1. The Processor shall inform the Operator if, in its opinion, an instruction infringes the GDPR or other provisions of national or Union law relating to the protection of personal data.

11.2. The Processor shall provide the Operator with the information necessary to demonstrate compliance with the obligations set out in this Addendum and the Applicable Legislation, and shall allow and contribute to audits, including inspections, carried out by the Operator or another auditor mandated by the Operator. The Operator or the mandated auditor undertakes to assume confidentiality obligations towards the Authorized Person necessary to protect the confidentiality of the information of the Authorized Person and third parties that may be obtained by the Operator or the mandated auditor during the audit.

12. TRANSFER OF PERSONAL DATA

12.1. The Processor shall not Process Relevant Personal Data and shall not allow any Subcontractor to Process Relevant Personal Data in a state outside the European Economic Area or in a territory that has not been designated by the European Commission as ensuring an adequate level of protection, without ensuring that such Processing is accompanied by appropriate safeguards regarding the rights of the relevant Data Subjects, including by concluding Standard Contractual Clauses with any person in that state or territory to whom the Processor or the Subcontractor transfers Relevant Personal Data.

13. DURATION

13.1. This Addendum shall enter into force on the date of its signing and shall terminate on the later of the following dates (i) the date of termination of the Contract or (ii) the date of termination of the last Services provided under the Contract.

13.2. The provisions of this Addendum shall apply from the date of signing to all Relevant Personal Data Processing carried out by the Processor or by a Subcontractor thereof, regardless of whether such Processing began before the signing of this Addendum.

13.3. The obligations imposed on the Processor with respect to the Processing of Relevant Personal Data shall continue to have effect even after the termination of this Addendum.

14. GENERAL CLAUSES

14.1. The Parties agree that this Additional Act shall be governed by Romanian law and any disputes in connection with this Additional Act shall be subject to the jurisdiction of the courts of Romania.

14.2. In the event of any inconsistency between the provisions of this Additional Act and any other understanding between the Parties, including the provisions of the Contract, this Additional Act shall prevail with respect to matters related to the protection obligations regarding the Personal Data of a Data Subject.

14.3. In the event that the obligations of the Parties need to be modified as a result of changes in the Applicable Legislation or as a result of the issuance by the European Commission or the Supervisory Authority of standard contractual clauses, including in the event of the modification or adoption of new Standard Contractual Clauses regarding the transfer to Restricted States, the Parties undertake to modify this Addendum accordingly, by concluding a new addendum.

14.4. In the event that a provision of this Addendum is null and void or unenforceable, in whole or in part, the nullity or unenforceability shall strictly affect the provision or the null and void or unenforceable part of the provision in question, the remainder of this Addendum remaining in force and valid.