Data Sharing Addendum

This Data Sharing Addendum (“Addendum“), forms an integral part of, and is subject to the Terms of Service (“Terms“) entered into by and between you (“Restaurant“) and Tabit Technologies Pty Ltd ABN 15 665 107 497 (the “Company“) and shall be effective as of the date of acceptance by Restaurant. Capitalized terms not otherwise defined herein shall have the meanings given to them in the Terms.

Whereas, each party serves as a separate independent Controller (defined below) with respect to Personal Data (defined below) of Restaurant’s end users and employees; and

Whereas, the parties wish to set forth the respective responsibilities and duties toward one another and toward Data Subjects (defined below) with respect to their position as independent Controllers of Personal Data;

Now therefore, the parties wish to set forth the respective responsibilities and duties toward one another and toward Data Subjects (defined below) with respect to their position as independent Controllers of Personal Data;

1. Definitions. 

In addition to capitalized terms defined elsewhere in this Addendum, the following terms shall have the meanings set forth below:

    • Applicable Law” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“), laws implementing or supplementing the GDPR, and/or any privacy and data protection laws applicable to the parties.
    • Controller to Controller Standard Clauses” means the standard clauses for the transfer of Personal Data to Controllers established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission’s Decision 2004/915/EC of 27 December 2004, available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32004D0915&from=EN
    • The terms “Controller“, “Data Subject“, “Personal Data“, “Personal Data Breach“, “Processor“, and “Processing” shall have the meanings ascribed to them in the GDPR.

2. Relationship Between the Parties.

    • The parties agree that each will act as a Controller with respect to Personal Data. It is acknowledged that each is a separate, independent Controller of the Personal Data disclosed under the Terms. Personal Data disclosed under the Terms will not be Processed by the parties as joint Controllers as referred to in Article 26 of the GDPR. Each party shall be independently responsible for compliance with its obligations as a Controller under Applicable Law.
    • Prior to disclosing or providing access to any Personal Data to Company, Restaurant shall ensure that it has (a) provided notice to the Data Subjects that their Personal Data will be disclosed to the Company, (b) obtained any necessary consents or authorizations required to permit Company to process the Personal Data freely, as contemplated herein, and (c) remain responsible for the transmission of any Personal Data to the Company.
    • The Controller to Controller Standard Clauses shall apply to the extent the receiving party Processes Personal Data in countries outside of the European Economic Area that do not provide an adequate level of data protection as determined by the European Commission or other adequate authority as determined by the EU. The Controller to Controller Standard Clauses shall be incorporated herein upon execution of this Addendum by the parties. Schedule A to this Addendum shall apply as Annex B of the Controller to Controller Standard Clauses.

3. Processing of Personal Data.

    • Neither party will disclose any Personal Data to the other party other than as permitted under the Terms, this Addendum, and under Applicable Law.
    • With respect to Personal Data shared in the context of the Terms, each party shall Process such Personal Data (i) in accordance with the terms of the Terms, this Addendum and Applicable Law and (ii) for the sole purpose of complying with its obligations under the Terms.
    • Each party represents and warrants that it shall only share Personal Data with the other party in compliance with Applicable Law and its obligations under the Terms and this Addendum.
    • Unless otherwise agreed in writing and in advance, neither party shall share any Personal Data with the other party that contains any Special Categories of Personal Data (in accordance with Article 9 of the GDPR), or (ii) contains Personal Data relating to children under age 16 or any other age requiring parental consent, as provided by Applicable Law.

4. Processing of Personal Data. 

Each party shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Personal Data, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR.

5. Personal Data Breach.

    • Each party shall notify the other party without undue delay upon becoming aware of a Personal Data Breach.
    • In the event of a Personal Data Breach, the parties shall cooperate in good faith in connection with the investigation, mitigation, and remediation of such Personal Data Breach and for the purpose of complying with each party’s obligations under Applicable Law.

6. Third Party Processors. 

Each party may transfer Personal Data to and otherwise interact with third-party data Processors. Each party agrees that if it transfers Personal Data or otherwise interacts with a third-party data Processor, it will enter into a separate contractual arrangement with each such Processor to ensure compliance with its obligations under Applicable Law and hereunder.

7. Personal Data Breach.

    • Each party shall assist the other party, to the extent reasonably requested, for compliance with any of such other party’s statutory obligations concerning requests to exercise Data Subject rights under Applicable Law (e.g., for access, rectification, deletion of Personal Data, etc.).
    • When a Data Subject whose Personal Data is being Controlled by both parties submits a written request to either party to inspect his or her Personal Data, such party shall:
    • promptly, and in any event within two (2) days of receiving such request, inform the other party of such request; and
    • provide the Data Subject with other party’s name and address for further inquiries.

8. Retention, Deletion or Return of Personal Data.

Subject to Applicable Law, each party will retain Personal Data only for as long as necessary to satisfy the purposes for which it was provided to such party, or to the extent required by Applicable Law.

9. Indemnity.

Notwithstanding anything to the contrary in the Terms, Restaurant shall indemnify and hold Company harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Company and arising directly or indirectly out of or in connection with a breach of this Addendum and/or Applicable Law by Restaurant.

10. General Terms.

    • This Addendum shall terminate automatically upon the termination of the Terms, provided however, that each party’s obligations under this Addendum will apply for as long as such party has access to the other party’s Personal Data.
    • Governing Law and Jurisdiction.
      • The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.
      • This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.
    • Order of Precedence.
      • Nothing in this Addendum shall detract from either party’s obligations under the Terms in relation to the protection of Personal Data or permit either party to Process (or permit the Processing of) Personal Data in a manner that is prohibited by the Terms.
      • In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail. In the event of inconsistencies between the provisions of this Addendum and the Controller to Controller Standard Clauses (to the extent these apply), the Controller to Controller Standard Clauses shall prevail.
    • Changes in Data Protection Laws.
      • Either party may, by at least thirty (30) calendar days’ prior written notice to the other party, request in writing any variations to this Addendum if they are required as a result of any change in, or decision of a competent authority under Applicable Law in order to allow Personal Data to be Processed (or continue to be Processed) without breach of Applicable Law.
      • If the proposed changes are not acceptable to the other party, the parties shall discuss the issue in good faith in order to reach a solution that is satisfactory to both parties.
    • Severance. Should any provision of this Addendum be held invalid or unenforceable, the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.

Schedule A

ANNEX B

DESCRIPTION OF THE TRANSFER

Data subjects. The personal data transferred concern the following categories of data subjects: Employees and customers of the Restaurant.

Purposes of the transfer(s). The transfer is made for the following purposes: To provide and improve the System and Services as defined in the Terms

Categories of data The personal data transferred concern the following categories of data:

Personal Data related to employees of the Restaurant, including:

  • Registration data – name, phone number, email address, photos
  • Facial recognition data – biometric data concerning faces of employees
  • Usage information – data relating to employees’ usage of the System and Services
  • Automatically collected data – IP addresses, device IDs, geo-location, and usage history

Personal Data related to customers of the Restaurant including:

  • Registration data – name, address, phone number, email address
  • Facial recognition data – biometric data concerning faces of employees
  • Preference data – customer food, cuisine, and ordering preferences
  • Automatically collected data – IP addresses, device IDs, geo-location, and browsing and purchase history

Recipients The personal data transferred may be disclosed only to the following recipients or categories of recipients: Personal data may be transferred to service providers of the Company who assist the Company in provision of the Services described in the Terms.

Sensitive data (if appropriate) The personal data transferred concern the following categories of sensitive data: Personal data transferred may include data of customers relating to their health, such as allergy information.

Biometric data relating to the faces of employees used for facial recognition.

Biometric data relating to the faces of employees used for facial recognition.

Not applicable

Additional useful information (storage limits and other relevant information)

Not applicable

Contact points for data protection enquiries

Data Importer

Data Explorer

Tabit Technologies Pty Ltd

Contact details as provided during the registration process.

  

Last updated: 

17/02/2025

Revision:

19

© 2024 Tabit. All Rights Reserved

Powered by: Bluedot - Brands & Digital