Data Processing Agreement

Last updated: 8 December 2021

AGREEMENT DATED on the date when you agree to this agreement, Terms and Conditions, and Privacy Policy

BETWEEN:(1) You (hereinafter “Company"); and

(2) Practi Technologies Ltd, UK Private limited Company, Company number 09829987 Registered office address: Interchange Atrium Building The Stables Market, Chalk Farm Road, Atrium Building / Practi, London, England, NW1 8AH (the "Processor").

BACKGROUND

(A) This Agreement is to ensure there is in place proper arrangements relating to personal data passed from Company to the Processor.

(B) This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.

(C) The parties wish to record their commitments under this Agreement.

IT IS AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

In this Agreement:

"Data Protection Laws" means all laws, regulations and regulatory guidance containing rules for the protection of individuals with regard to the Processing of Personal Data, including without limitation security requirements for and the free movement of Personal Data, European Directive 2002/58/EC (as amended or updated from time to time), the GDPR and any national legislation and/or binding regulations implementing or made pursuant to them ;

"Data" means personal data passed under this Agreement as detailed on the website;

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as may be amended from time to time;

"Services" means the services indicated and provided to you in connection with this DPA.

The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. DATA PROCESSING

Company is the Controller for the Data and the Processor is the Processor for the Data. The Processor is a wholly owned subsidiary of Just Eat Takeaway.com. The Processor agrees to process the Data only in accordance with Data Protection Laws, on behalf of the Controller and in particular on the following conditions:

1. the Processor shall only process the Data (i) on the written instructions (such as the subject of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects) from Company in Annex A to this DPA (ii) only process the Data for completing the Services. The Processor shall inform the Controller if the Processor is for any reason unable to carry out an written instruction given by the Controller;

2. the Processor shall ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this DPA and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality;

3. Company and the Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Data Protection Laws, details of those measures are set out in Annex B to this DPA;

4. the Processor shall not involve any third party in the processing of the Data without the consent of the Controller. Such consent may not be withheld without reason. If the Controller has reasonable grounds for objecting to
the use of new or additional third-party, it should immediately notify the Processor of this in writing within 5 business days of receipt of the Processor notifying the Controller of its planned change. Should the Controller object and this objection is not unreasonable, the Processor will make reasonable efforts to make changes in the Services available to the Controller or to recommend a commercially reasonable alteration in the Controller’s configuration or the Controller’s use of the Services in order to avoid Data being processed by the new or different third party to whom/which an objection has been made, without thereby placing an unreasonable burden on the Controller. If the Processor is unable to make this alteration available within a reasonable period, namely not exceeding ninety (90) days, the Controller may terminate the part of the Agreement affected, albeit solely in respect of those Services that cannot be provided by the Processor without the use of the new or different third party against whom/which an objection has been made by means of a written notification sent to the Processor;

5. taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of Company` obligation to respond to requests from individuals exercising their rights laid down in Data Protection Laws – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc. Processor shall promptly notify the Controller if it receives a request from a Data Subject under Data Protection Laws in respect to the Data and ensures it does not directly respond to such request except on written instructions from Controller or as required by Data Protection Laws;


6. the Processor shall notify the Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Data. In such an event, the Processor shall assist the Controller in the investigation, mitigation and remediation of each such Personal Data Breach. The Processor shall provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7. the  Processor shall notify the Controller without undue delay of of any legally binding request for disclosure of Data by a law enforcement body, unless
this notification is otherwise prohibited, such as for example a prohibition under criminal law aimed at preserving the confidentiality of a law enforcement investigation.

8. The Processor shall reasonably assist the Controller in demonstrating compliance with this DPA and the obligations pursuant to Articles 28 GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national regulator, taking into account the nature of processing and the information available to the Processor ;

9. the Processor may not transfer or authorize the transfer of EU residents Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Controller. If Data Processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. If Data subject to this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area which is not subjected to an adequacy decision under Data Protection Legislation, such data transfer will be governed by adequate measures to protect your data, such as organizational and legal measures via for instance intercompany data protection agreement and approved applicable European Commission standard contractual clauses, which are hereby incorporated by reference into this DPA.

10. At the Controller’s choice safely delete or return the Data at any time. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement to retain the Data. Upon request by Company the Processor shall provide certification of destruction of all Data ;

‍Liability
11. Any liability arising from or associated with this DPA is in keeping with, and is solely governed by, the liability provisions set forth in or otherwise applicable to the Agreement.

Term and Termination
‍12. The term of this DPA is the same as that of the Agreement in question.


General
1. This DPA represents the entire understanding of the Parties relating to necessary legal protections arising out of their Controller to Pprocessor relationship under Data Protection Laws.

2. The other terms and conditions of the Agreement continue to apply in unaltered form. In the event of any discrepancy between this DPA and the Agreement as regards privacy and data protection, the provisions of this DPA shall take precedence.

3. The invalidity or unenforceability of any provision of this DPA shall not have any effect on the validity or enforceability of the other provisions of this Addendum.

4. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Agreement at such other address as notified from time to time by the Parties changing address.

5. This DPA is subject to English law and the exclusive jurisdiction of the English Courts.


CONTACT US
‍Talk to us on 020 3608 4840

or email us: ukpos.support@justeattakeaway.com

Become a partner
ukpos.demo@justeattakeaway.com

Practi Ltd (registration number 09829987)
71-75 Shelton Street
Covent Garden
London
WC2H 9JQ