DATA PROCESSING AGREEMENT 

EU CUSTOMERS

The terms of this exhibit shall govern the processing of Personal Data (as defined by General Data Protection Regime (EU) 2016/679 (“GDPR”)) that Customer and/or Franchisees (as applicable) transfer to Deliverect for the provision of Deliverect Direct, Dispatch (including when Customer or Franchisee use Deliverect for couriers app), or DfRS (only when Personal Data comes from Customer’s direct online sales channels, including apps/websites) (collectively the “Services”) (“Customer Personal Data”) for Customers located in the European Economic Area or the United Kingdom. All undefined, capitalized terms will have the meaning given to them in the FSA. The terms, “Third Country”, “Member State”, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in GDPR. References to “Franchisees” in this exhibit are only applicable to the extent that Customer has Franchisees that have signed an opt-in agreement to become a party to the FSA; otherwise, references to “Franchisees” can be disregarded and are not applicable.

  1. Scope. Customer and Franchisee instructed Deliverect to Process Customer Personal Data, to the extent that such processing is done in and required for the performance of the FSA or the provision of the Services hired by Customer under the FSA. Deliverect acknowledges that Customer Personal Data cannot be used by Deliverect outside of the scope of this data processing agreement. 

  2. Roles of the Parties. Deliverect is the Processor of Customer Personal Data processed in connection with the Services (as set forth above), and Customer and/or Franchisees (as the case may be) are the Controller of such Customer Personal Data.

  3. Deliverect’s Privacy & Cookie Policy. Customer and Franchisees agree to the terms of Deliverect Privacy and Cookie Policy available at www.deliverect.com/en/privacy-and-cookie-notice.

  4. Data Protection Laws. Customer, Franchisees, and Deliverect shall comply with the GDPR and/or the applicable data protection laws in the performance of the FSA. Customer and Franchisee warrant and guarantee that the terms and instructions given to Deliverect regarding the processing of Customer Personal Data are not contrary to GDPR or any data protection laws, or to the legal rights of Data Subjects and that all Customer Personal Data transferred by Customer or Franchisees to Deliverect is lawfully collected and transmitted and may lawfully be used, processed, stored and transferred for the purpose of the performance of the FSA and the provision of the Services. Deliverect shall inform Customer if, in Deliverect’s opinion, the Processing instructions from the Customer infringe GDPR. 

  5. Representations and Warranties.

    1. Of Customer and Franchisees: Customer and Franchisee represent and warrant that they have appropriate legal basis to collect, process, and share Customer Personal Data with Deliverect. 

    2. Of Deliverect: Deliverect warrants and guarantees that (a) it shall refrain from processing Customer Personal Data other than on Customer’s or Franchisee’s documented instructions, (b) it shall not use Customer Personal Data for any other purpose other than for the performance of the FSA and the provision of the Services, and (c) except for the Affiliates insofar as Deliverect deems this necessary or useful to fulfill its Processing obligations or to perform the FSA or provide the Services, shall not transfer Customer Personal Data to a Third Country or an international organization, unless required to do so by Union or Member State Law to which Deliverect is subject and provided Deliverect informs Customer or Franchisees upfront of that legal requirement, unless that law prohibits such information on important grounds of public interest. If Customer Personal Data processed under the FSA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

  6. Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Deliverect warrants that it shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security reasonably appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Deliverect shall implement appropriate security measures (technical, logical and organizational), and confirms that, to its best knowledge, these measures provide an appropriate security level, taking into account the state of the art and the security threats that are known or should reasonably be known by Deliverect. Deliverect shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  7. Sub-Processors. Customer and Franchisees hereby give a general authorization to Deliverect to engage (or disclose any Customer Personal Data to) any Sub-Processor, insofar as Deliverect deems this necessary or useful to fulfill its Processing obligations or to perform its obligations under the FSA, it being understood that Deliverect shall remain liable towards Customer for the performance of each Sub-Processor. Deliverect shall ensure that each Sub-Processor performs all the obligations under the FSA, as they apply to Processing of Customer Personal Data carried out by that Sub-Processor, as they apply to Deliverect.

  8. Processes to Comply with Data Subject Rights. Taking into account the nature of the Processing, Deliverect shall assist Customer and/or Franchisees by implementing appropriate technical and organizational measures for the fulfillment of Customer's obligations to respond to requests to exercise Data Subject rights under Data Protection Laws (including right of access to its personal data and a right to request corrections).

  9. Data Breach. Deliverect shall notify Customer and Franchisees (if applicable) within forty-eight (48) hours upon discovery, of any unauthorized access to, acquisition or disclosure of Customer Personal Data, or a breach of security or confidentiality with respect to Customer Personal Data in Deliverect’s control or possession (“Data Security Incident”). Deliverect shall cooperate with Customer and Franchisees (if applicable) and assist in the investigation, mitigation and remediation of each Data Security Incident, taking into account the information and technical means available to Deliverect. Customer and Franchisee will reasonably reimburse Deliverect for any expenses specifically made upon Customer’s and/or Franchisee’s request, if the Data Security Incident is not attributable to Deliverect.

  10. Data Protection Impact Assessments. Deliverect shall provide reasonable assistance to Customer and Franchisees with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by Deliverect, and taking into account the nature of the Processing and information available to Deliverect.

  11. Deletion of Customer Personal Data. Deliverect shall, at the request of Customer or Franchisee, return or delete and procure the deletion of all copies of Customer Personal Data. Deliverect may however retain certain Customer Personal Data to the extent required by Data Protection Laws, EU or Member State Laws, and for such period as required under Data Protection Laws, EU or Member State Laws. 

  12. Audits. Deliverect shall make available to Customer and Franchisees on request all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, by Customer, Franchisee, or an auditor mandated by Customer or Franchisee in relation to the Processing of Customer Personal Data by Deliverect. The cost of any such audits or inspections shall be borne by Customer and/or Franchisee respectively.  

  13. Description of Data Processing

    1. Categories of Data Subjects: Deliverect will process data from end users and clients of Customer and/or Franchisees, and/or from couriers of Customer and Franchisees that may be assigned to provide delivery services in connection with Dispatch and Deliverect for couriers app. 

    2. Types / Categories of Personal Data: Name, email address, phone number, address, order details, and geo-location.

    3. Subject matter, nature and purpose of the Processing: To provide the Services for the benefit of Customer.

    4. Duration of the Processing: The duration of the FSA or as otherwise required under applicable law.