Orderlord - Data Processing Agreement ("Agreement")

This Agreement was last modified on July 3, 2018.


1. Scope and subject matter of the agreement
This Data Processing Agreement (“DPA”) is an agreement between LiveDispatcher s.r.o., a limited liability company with registered seat at Krásnohorská 22, 851 07 Bratislava, the Slovak Republic, Business Registration No.: 45 355 517, registered with the Commercial register of District Court Bratislava I, Section: Sro, Insert No.: 64082/B (“Orderlord”, “Processor”, “we,” “us,” or “our”) and you or the entity you represent (“Customer”, “Controller”, “you” or “your”). This DPA supplements the Orderlord Terms of Service (“TOS”) available at https://orderlord.com/tos, as updated from time to time between Customer and Orderlord. Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings given to them in Section 2 of this DPA.
2. Definitions
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Protection Laws means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member states, applicable to the Processing of Personal Data under the DPA.
GDPR means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Non-adequate country means a country that is deemed not to provide an adequate level of protection for Personal Data within the meaning of Regulation (EU) 2016/679.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’).
Personal Data Breach means the unauthorized acquisition, access, use or disclosure of Personal Data.
Personnel means all employees, directors, contractors, sub-contractors, representatives, agents and/or the employees of such contractors, sub-contractors, representatives and agents.
Process or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
Services means the services provided to the Customer under the TOS.
Sub-processor or Sub-contractor means a third party sub-contractor engaged by the Processor which, as part of the sub-contractor’s role of delivering the Services, Processes Personal Data of the Customer.
Technical and Organisational Measures means those measures aimed to ensure a level of security appropriate to the risk of Processing.
3. Term and application of this DPA
3.1 This DPA shall be valid and effective as of the day the Customer accepts the TOS and it shall continue in force until the termination of Services either by Customer or Orderlord pursuant to TOS.
3.2 This DPA shall apply to:
a) all Personal Data provided from the effective date of this DPA by the Customer to Orderlord for Processing;
b) all Personal Data otherwise received by Orderlord for Processing on Customer's behalf in relation to the Services.
4. Customer Instructions
4.1 The Customer acting as Controller instructs Orderlord to carry out Processing of Personal Data as further specified herein.
4.2 When carrying out Processing, Orderlord will act only on the basis of documented instructions of the Customer and perform the Processing of Personal Data only for the purposes determined by the Customer.
4.3 The Customer warrants that Personal Data that will be processed by Orderlord under this DPA have been collected by the Customer in accordance with Data Protection Laws and the Processing of the Personal Data may be delegated to Orderlord accordingly. Notably, the Customer has an obligation to assess the lawfulness of the processing of Personal Data stored on the Orderlord delivery management system.
4.4 The control of Personal Data remains with the Customer, and as between the Customer and Orderlord, the Customer shall at all times remain the Controller for the purposes of the Processing, the TOS and this Data Processing Agreement.
5. Categories of Personal Data and purpose of the Personal Data Processing
5.1 In order to perform the Services, the Customer authorizes and requests that Orderlord Processes the following Personal Data which are uploaded by Customer into the Orderlord delivery management system:
a) contact details of Customer’s clients: name, address, GPS coordinates of address, e-mail and phone number, which are necessary for processing of orders (including notification of clients about the order status);
b) e-mails of Customer’s clients in order to inform clients about Customer’s promotions or events;
c) order details: these include, in addition to the details of clients under points (a) and (b) above, a note about a client, ordered food, time of placing the order, expected time of delivery, time of cancellation of the order, time of skipping the order (if applicable) and actual time of delivery, details about the ordered food (description, price, discount, delivery fee, tip for the driver, payment method) for the purpose of providing an overview about each order and generation of financial and statistical reports;
d) details of Customer’s drivers: name, phone number, photo, GPS location, e-mail and time of last online access, which are necessary for managing drivers.
6. Categories of Data Subjects
6.1 Data subjects include clients of the Customer and Customer’s employees, contractors or partners. Data subjects may also include individuals attempting to communicate or transfer any Personal Data while using the Services.
7. Non-disclosure and confidentiality
7.1 Orderlord will keep Personal Data confidential and will not disclose Personal Data in any way to any third party without the prior written approval of Customer, except where: (i) disclosure is necessary for the performance of Services or the performance of the Processing; or (ii) subject to Orderlord’s obligations related to inquiries and incidents in this DPA, where Personal Data need to be disclosed to a competent public authority to comply with a legal obligation.
7.2 Orderlord will provide its Personnel with access to Personal Data only to the extent necessary to perform the Processing. Orderlord will ensure that any Personnel it authorizes to have access to Personal Data processed by or on behalf of Orderlord, will respect and maintain the confidentiality and security of such Personal Data.
8. Responsibility of Orderlord
8.1 Orderlord shall Process Personal Data solely for the provision of the Services, and agrees to:
a) Process and use Personal Data for the purposes set forth in this DPA or only on documented instructions from the Customer and for no other purpose except with the express prior written consent of the Customer, or
b) Not divulge Personal Data to third parties except to those of its Personnel who are engaged in the Processing of the Personal Data and are subject to the binding obligations or except as may be required by any law or regulation;
c) Implement appropriate Technical and Organizational Measures to safeguard the Personal Data from unauthorized or unlawful Processing or accidental loss, destruction or damage, having regard to the state of technological development and the cost of implementing any measures. Such measures shall ensure a level of security appropriate to the harm that might result from unauthorized or unlawful Processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
d) Inform the Customer, as soon as possible, in the event of the exercise by Data Subjects of any of their rights under the Data Protection Laws in relation to the Personal Data, and, if necessary, assist the Customer in complying with the obligation to respond to those requests.
8.2 Orderlord shall maintain the records of Processing activities as required by Data Protection Laws.
9. Cross Border and Onward Data Transfer
9.1 Orderlord shall not transfer Personal Data to any Non-adequate country or make such Personal Data accessible from any such Non-adequate country without fulfilment of the legal requirements for the transfer of Personal Data to a Non-adequate country according to Data Protection Laws and without prior notification of Customer.
9.2 If Orderlord uses a Sub-processor based in a Non-adequate country, Orderlord will enter into an agreement with the Sub-processor in accordance with the EU model contract. Orderlord will provide a copy of the agreement with the Sub-processor to Customer, immediately upon request of Customer.
9.3 In case of breach of any of the foregoing warranties, Customer may terminate this DPA with immediate effect.
9.4 Orderlord uses trusted third parties listed below to provide its Services such as cloud computing services providers and cloud communications platform providers.
Amazon Web Services Inc., with registered seat at 410 Terry Avenue North, Seattle, WA 98109-5210, USA
DigitalOne LLC, with registered seat at 101 Avenue of the Americas 10th Floor New York, NY 10013, USA
EuroSMS s.r.o., with registered seat at Račianska 71, 831 02, Bratislava, Slovakia
Twilio Inc., with registered seat at 645 Harrison Street 3rd Floor San Francisco, CA 94107, USA
9.5 Orderlord uses the trusted partner listed below to provide its Services such as external delivery service.
OTL Omega Telematics and Logistics ltd., with registered seat at Premiere House, Wing B, 2nd Floor, Borehamwood WD6 1JH, UK
10. Sub-processing
10.1 Orderlord shall not subcontract any of its processing operations performed on behalf of the Customer under this DPA and the TOS without the prior consent of the Customer.
10.2 Where Orderlord subcontracts its obligations under the DPA, with the consent of the Customer, it shall do so only by way of a written agreement with the Sub-processor which imposes the same obligations on the Sub-processor as are imposed on Orderlord under this DPA. Where the Sub-processor fails to fulfil its data protection obligations under such written agreement Orderlord shall remain fully liable to the Customer for the performance of the Sub-processor’s obligations under such agreement.
10.3 The Customer as Controller may request that Orderlord audit the Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Controller in obtaining a third-party audit report concerning Sub-processor’s operations) to ensure compliance with such obligations. The Controller also will be entitled, upon written request, to receive copies of the relevant terms of Orderlord’s agreement with Sub-processors that may process Personal Data, unless the agreement contains confidential information, in which case Orderlord may provide a redacted version of the agreement.
11. Technical and Organizational Measures
11.1 When Processing Personal Data on behalf of Customer in connection with the Services, Orderlord shall ensure that it implements and ensures compliance with appropriate Technical and Organizational Measures for the Processing of such data. Accordingly, Orderlord will implement the following measures designed to:
  • deny unauthorised persons access to data-processing equipment used for processing Personal Data (equipment access control);
  • prevent the unauthorised reading, copying, modification or removal of data media (data media control);
  • prevent the unauthorised input of Personal Data and the unauthorised inspection, modification or deletion of stored Personal Data (storage control);
  • prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);
  • ensure that persons authorised to use an automated data-processing system only have access to the Personal Data covered by their access authorisation (data access control);
  • ensure that it is possible to verify and establish to which individuals Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
  • ensure that it is subsequently possible to verify and establish which Personal Data have been put into automated data-processing systems and when and by whom the input was made (input control);
  • prevent the unauthorised reading, copying, modification or deletion of Personal Data during transfers of those data or during transportation of data media (transport control);
  • ensure that installed systems may, in case of interruption, be restored (recovery);
  • ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored Personal Data cannot be corrupted by means of a malfunctioning of the system (integrity); and
  • encrypt all Customers’ passwords to Orderlord delivery management system.
11.2 No person will be appointed by Orderlord to Process Personal Data unless that person: (i) is competent and qualified to perform the specific tasks assigned to him by Orderlord; (ii) has been authorized by Orderlord; and (iii) has been fully instructed by Orderlord in the procedures and statutory regulations relevant to the performance of the obligations of Orderlord under this DPA, in particular the limited purpose of the Personal Data Processing.
12. Audit Rights
12.1 The Customer may audit Orderlord’s compliance with the terms of the Agreement and this DPA up to once per year.
12.2 If a third party is to conduct the audit, such third party must be mutually approved by both parties and must execute a written confidentiality agreement acceptable to Orderlord before conducting the audit.
12.3 To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Orderlord will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Orderlord’s security, privacy, or employment policies).
12.4 The audit reports are confidential information of the parties under the terms of the DPA. Any audits are to be performed at the Customer's expense.
12.5 Any request for Orderlord to provide assistance with an audit is considered a separate service if such audit assistance requires the use of different or additional resources. Orderlord will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.
13. Incident Management and Breach Notification
13.1 Orderlord evaluates and responds to incidents that create suspicion of unauthorized access to, or handling of, Personal Data.
13.2 The Customer is informed of such incidents and, depending on the nature of the activity, defines escalation paths and response teams to address those incidents. Orderlord will work with the Customer and with the appropriate technical teams to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the Services environment, and to establish root causes and remediation steps.
13.3 Orderlord operations staff is instructed on responding to incidents where handling of Personal Data may have been unauthorized.
13.4 Orderlord shall notify the Customer without undue delay after becoming aware of a Personal Data breach. Orderlord shall promptly investigate any security breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, Orderlord will provide Customer with a description of the security breach, the type of data that was the subject of the breach, and other information Customer may reasonably request concerning the affected persons. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons.
14. Obligation after the termination of Personal Data Processing services
14.1 The parties agree that on the termination of the Services, Orderlord will anonymize any Personal Data that belong to Customer and that are stored in the Orderlord delivery management system, unless applicable laws prevent all or part of this Personal Data from anonymization. In that case, Orderlord warrants it will not actively Process those Personal Data anymore and it will keep those Personal Data confidential.
15. Governing law
15.1 This DPA (and any further rules, policies, or guidelines incorporated by reference) shall be governed and construed in accordance with the laws of Slovakia, without giving effect to any principles of conflicts of law.