QSR INTERNATIONAL – DATA PROTECTION ADDENDUM
This Data Protection Addendum (Addendum) forms part of the End User License Agreement as updated from time to time (Agreement) for QSR Software and Services, which is the basis for the agreement between QSR International, LLC or one of its Affiliates (QSR) and Customer.
This Addendum shall apply to Personal Data that QSR or a QSR Affiliate processes in the course of providing the Cloud Services to Customer under the Agreement.
Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Customer Affiliates, if and to the extent QSR processes Personal Data for which such Customer Affiliates qualify as the Controller.
1. DATA PROCESSING TERMS
In this Addendum, unless the context otherwise requires, the following terms have the meaning set out below.
Applicable Laws means, to the extent binding on any party, all laws, rules and/or regulations applicable to the Agreement (as amended) or the activities contemplated thereunder, including, without limitation, any applicable Data Protection Laws;
Customer Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
Customer Group Member means Customer or any Customer Affiliate;
Customer Personal Data means any Personal Data Processed by a Processor on behalf of a Customer Group Member pursuant to or in connection with the Agreement;
Data Protection Laws means all laws, regulations, binding legislative and regulatory requirements and codes of practice relating to data protection and the Processing of Personal Data, which apply to either party or the Services, which may include:
- the Australian Privacy Act 1988 (Cth);
- the EU GDPR;
- the UK GDPR;
- the UK Data Protection Act 2018;
- the Privacy and Electronic Communications Directive (EU) 2002/58/EC;
- the Privacy and Electronic Communications (EC Directive) Regulations 2003;
- the Japanese Act on the Protection of Personal Information 2003;
- the California Consumer Privacy Act of 2018; and
- any laws that implement, replace, extend, re-enact, consolidate or amend any of the foregoing.
EEA means the European Economic Area;
EU GDPR means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016;
GDPR means the EU GDPR and/or UK GDPR (as applicable);
Processor means any QSR Group Member which processes Customer Personal Data;
QSR Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with QSR International, LLC; and
QSR Group Member means QSR International, LLC or any QSR Affiliate.
Restricted Transfer means:
- a transfer by any Customer Group Member of Customer Personal Data stored in the EEA or UK to a Processor or Subprocessor located in a third country; or
- a transfer by a Processor of Customer Personal Data stored in the EEA or UK to a QSR Affiliate or Subprocessor, or to another establishment of the Processor, located in a third country, in each case, where such transfer would be prohibited under Article 46 of the GDPR in the absence of the Standard Contractual Clauses to be established under Clause 9(a) below;
Services means the services and other activities to be supplied to or carried out by or on behalf of QSR for the relevant Customer Group Members pursuant to the Agreement;
Standard Contractual Clauses means the standard data protection clauses approved for use by the European Commission for the purposes of Article 46(2) of the GDPR for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, or any new standard contractual clauses replacing or amending the existing standard contractual clauses approved for use by the European Commission or the UK, as applicable, from time to time;
Subprocessor means any person (including any third party and any QSR Affiliate, but excluding an employee of QSR) appointed by or on behalf of QSR to Process Customer Personal Data in connection with the Agreement;
UK means the United Kingdom;
UK GDPR means the UK version of the GDPR as it forms part of the law of each applicable jurisdiction of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018;
The terms, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" (or equivalent terms) shall have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws as are applicable from time to time.
- The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
- A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision from time to time, and is a reference to it amended, extended or re-enacted from time to time.
- Unless the context otherwise requires, words and expressions defined in the Agreement shall have the same meaning where used in this Addendum except where they are inconsistent with or replaced by the amendments set out in this Addendum.
- Nothing in this Addendum reduces QSR's or any QSR Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits QSR or any QSR Affiliate to Process Personal Data in a manner which is prohibited by the Agreement.
3. STATUS OF PARTIES
- Customer and its relevant Customer Group Members shall be Controllers of the Customer Personal Data and, a reference to Customer shall be deemed to be a reference to the relevant Customer Group Member that is the Controller of the relevant Customer Personal Data in respect of the relevant Processing.
- Except to the extent expressly provided otherwise in the Agreement, QSR shall be the Processor of Customer Personal Data on behalf of Customer.
- In relation to obligations which this Agreement purports to impose on QSR, where QSR is not the Processor it shall procure the performance of those obligations by the relevant QSR Affiliate. In relation to obligations which this Agreement purports to impose on a Customer Group Member, where the Customer is not the relevant Customer Group Member it shall procure the performance of those obligations by the relevant Customer Affiliate.
4. CUSTOMER OBLIGATIONS
- Customer and each relevant Customer Group Member shall comply with all Data Protection Laws in connection with the Processing of Customer Personal Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws and the terms of this Agreement.
- Customer (on its own behalf and on behalf of each relevant Customer Group Member) warrants, represents and undertakes, that:
- all data sourced by Customer for use in connection with the Services, prior to such data being provided to or accessed by QSR for the performance of the Services under this Agreement, shall comply in all respects (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and
- all instructions given by it to QSR in respect of Customer Personal Data shall at all times be in accordance with Data Protection Laws.
5. PROCESSING OF CUSTOMER PERSONAL DATA
- The Processor shall:
- comply with all applicable Data Protection Laws and the terms of this Agreement in the Processing of Customer Personal Data; and
- not Process Customer Personal Data other than on the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Customer Personal Data.
- The Customer, on its own behalf and on behalf of each relevant Customer Affiliate:
- instructs the Processor (and authorises the Processor to instruct each Subprocessor) to:
- Process Customer Personal Data; and
- in particular, transfer Customer Personal Data to any country or territory (subject to clause 7 being complied with),as reasonably necessary for the provision of the Services and consistent with the Agreement; and
- warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 5(b)(i) on behalf of each relevant Customer Affiliate.
- Schedule 1 sets out certain information regarding the Processor’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
6. QSR AND QSR AFFILIATE PERSONNEL
The Processor shall take reasonable steps to ensure that any employee, agent or contractor of any of them who may have access to the Customer Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and only Processes the Customer Personal Data on instructions from Customer.
QSR shall, and shall where it is not the Processor, procure that the relevant QSR Affiliate implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed in accordance with Data Protection Laws, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The standard security measures that the Contracted Processor shall implement shall include those measures set out in the Standard Security Measures.
9. INTERNATIONAL DATA TRANSFERS
- The Customer, on its own behalf and on behalf of each relevant Customer Affiliate authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this clause 8 to appoint) Subprocessors in accordance with this clause 8 and any restrictions in this Agreement.
- The Processor may continue to use the following Subprocessors:
- Google Analytics
- EA Send Mail
- Microsoft Azure
- QSR shall, at least 14 days before appointing any new Subprocessor, provide notice to the Customer via the MyQSR portal, including full details of the Processing to be undertaken by the Subprocessor. If Customer notifies QSR in writing of any objections (on reasonable grounds) to the proposed appointment, QSR must not disclose any Customer Personal Data to the proposed Subprocessor except with the prior written consent of Customer.
- With respect to each Subprocessor, QSR shall:
- ensure that the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Agreement and meet the requirements of Article 28(3) of the GDPR; and
- if that arrangement involves a Restricted Transfer, ensure that the provisions of clause 9 are complied with.
10. DATA SUBJECT RIGHTS
- In relation to Restricted Transfers QSR shall:
- ensure that the Standard Contractual Clauses are: (a) incorporated into the agreement between the Processor (as "data exporter") and the Subprocessor (as "data importer"); or (b) entered into directly between the Subprocessor and the relevant Customer Group Member(s); and
- Consider if any supplementary measures are required in order to ensure Customer Personal Data receives the level of protection required under the GDPR in the third country and to implement such measures as are appropriate.
11. PERSONAL DATA BREACH
- Taking into account the nature of the Processing, the Processor shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the relevant Customer Group Members' obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
- The Processor shall:
- promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
- not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate.
12. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- The Processor shall notify Customer without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each relevant Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
- The Processor shall provide reasonable assistance to Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to the Processor.
The Processor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, as required under Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
13. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
14. AUDIT RIGHTS
- Subject to clause 11(b), the Processor shall at Customer’s written request and option promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to QSR; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Processor.
- Each Processor may retain Customer Personal Data to the extent and for such period as required by Applicable Laws and always provided that the Processor shall hold such Customer Personal Data secure in accordance with clause 5 and ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- The Processor shall make available to each Customer Group Member on request all information reasonably required to demonstrate compliance with the obligations under Article 28 of the GDPR (or equivalent obligations under Data Protection Laws).
- Subject to clause 14(c), the Processor shall allow for and contribute to audits, including inspections, by any Customer Group Member or an auditor mandated by any Customer Group Member in relation to the Processing of the Customer Personal Data by the Processors.
- Information and audit rights of the Customer Group Members only arise under clause 14(b) to the extent that compliance cannot be adequately demonstrated in accordance with clause 14(a) or the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, Article 28(3)(h) of the GDPR), provided that such rights shall be subject to equivalent restrictions to those in the Agreement (including as to frequency, timing and minimising disruption).
Where a provision requires the Processor to assist Customer or a Customer Group Member with compliance with their obligations under Data Protection Laws, such assistance shall be provided at no additional cost where this can reasonably be accommodated within the standard provision of the Services. Otherwise, the associated costs shall be agreed between the parties in accordance with the change control or Addendum procedure applicable under the Agreement.
16. ORDER OF PRECEDENCE
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Details of Processing of Customer Personal Data
This Schedule 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
1. Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of the Customer Personal Data is set out in the Agreement. Processing of the Customer Personal Data by the Processor shall be for the term of the Agreement, provided that Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
2. The nature and purpose of the Processing of Customer Personal Data
The Processing of Customer Personal Data is QSR's provision of the applicable services under the Agreement, which shall involve performance on behalf of the relevant Customer Group Member of the tasks and activities set out in the Agreement for the purpose of providing those Services.
3. The types of Customer Personal Data to be Processed
The Processor may Process any or all of the following types / categories of Personal Data, and any additional types of Customer Personal Data, as set out in the Agreement and as relevant in the context of the Services.
4. The categories of Data Subject to whom the Customer Personal Data relates
- Personal Data, including personal details, family details, lifestyle and social circumstances, financial details, employment and education details, goods or services, visual images, personal appearance and behaviour, geolocation data: and
- Sensitive Personal Data / other categories of Personal Data, including information relating to physical or mental health data, genetic data or biometric data, criminal offences and alleged offences and proceedings, racial or ethnic origin, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.
The categories of Data Subjects includes any or all of the following individuals: Customer Group Member customers and clients, research participants, Customer Group Member advisers, consultants and other professional experts, Customer Group Member employees and staff, Customer Group Member QSRs and services providers, complainants and enquirers who contact Customer Group Members, and / or individuals captured by CCTV images, including staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.
5. The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Company and Company Affiliates are set out in the Agreement (as varied).