General Data Protection Regulation Addendum

This General Data Protection Regulation Addendum (“DPA”) forms part of the Terms of Service available at us.qrdigicard.com/terms, or, if applicable, any other separate written agreement (the “Agreement”), by and between QR DigiCard, Netspot USA LLC., (“QR DigiCard”) and the Customer named in the Agreement, pursuant to which Customer has purchased a subscription to access and use the Service (as defined in the Agreement). The parties intend this DPA to be an extension of the Agreement that will outline certain requirements for QR DigiCard’s processing of certain personal data provided or made available by Customer, or collected or otherwise obtained by QR DigiCard, in the course of providing services to Customer.

  1. Definitions.
    1. “Data Protection Legislation” means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction where QR DigiCard conducts business. Data Protection Legislation includes, but is not limited to, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)).
    2. “Good Industry Practice” means, in relation to any activity and under any circumstance, exercising the same skill, expertise and judgement and using facilities and resources of a similar or superior quality as would be expected from a person who: (a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with all applicable legislation and any applicable industry standards including any recognized industry quality standards and applicable law.
    3. “data controller”, “data processor”, “subprocessor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organizational measures” shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
    4. “standard contractual clauses” shall mean the model controller-to-processor contract for the transfer of personal data to third countries issued by the European Commission on the basis of Article 26(4) of Directive 95/46/EC pursuant to Decision 2010/87/EU.
  2. Scope. The parties agree that, as between the parties, Customer is a data controller and that QR DigiCard is a processor in relation to personal data that QR DigiCard processes on behalf of Customer in the course of providing the services under the Services Agreement (the “Services”). The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in, the Services Agreement. The processing will be carried out until the date QR DigiCard ceases to provide the Services to Customer. The categories of data subjects and personal data are set forth on Appendix 1 hereto.
  3. Data Protection. In respect of personal data processed in the course of providing the Services, QR DigiCard shall adhere to the following requirements:
  1. QR DigiCard will process the personal data only in accordance with the written instructions from Customer and only in compliance with Data Protection Legislation. Such instructions may be specific or of a general nature as set out in this DPA, the Services Agreement, or as otherwise notified by Customer to QR DigiCard in writing from time to time. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for QR DigiCard’s own purposes, or for any other purposes except as required by law. If QR DigiCard is required by law to process the personal data for any other purpose, QR DigiCard will inform Customer of such requirement prior to the processing unless prohibited by law from doing so.
  2. QR DigiCard will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. QR DigiCard may only correct, delete or block the personal data processed on behalf of Customer as and when instructed to do so by Customer.
  3. QR DigiCard will implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice. Such measures shall include, as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  4. QR DigiCard will not give access to or transfer any personal data to any third party (including any affiliates, group companies or subcontractors) without giving Customer prior notice and an opportunity to object to Customer via an update to us.qrdigicard.com/subprocessors; notwithstanding the foregoing, the sub-contractors listed on us.qrdigicard.com/subprocessors as of the date of this DPA are deemed pre-approved by Customer, subject to the conditions contained herein. Where Customer does not object in good faith on grounds related to data protection to QR DigiCard engaging a subcontractor to carry out any part of the Services, QR DigiCard must ensure the reliability and competence of such third party, its employees or agents who may have access to the personal data processed in the provision of the Services, and must include in any contract with such third party provisions in favor of Customer which are substantially equivalent to those in this DPA and the Services Agreement and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation, QR DigiCard will remain fully liable to Customer for the fulfilment of its obligations under this DPA and the Services Agreement.
  5. QR DigiCard will take reasonable steps to ensure the reliability and competence of any QR DigiCard personnel who have access to the personal data. QR DigiCard will ensure that all QR DigiCard personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.
  6. QR DigiCard will take all reasonable steps to assist Customer in meeting Customer’s obligations under applicable Data Protection Legislation, including Customer’s obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. QR DigiCard will promptly inform Customer in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Customer’s obligations under Data Protection Legislation.
  7. QR DigiCard will not retain any of the personal data for longer than is necessary to provide the Services.  At the end of the Services, or upon Customer’s request, QR DigiCard will securely destroy or return (at Customer’s election) the personal data to Customer.
  8. With regard to personal data related to data subjects located in the European Economic Area, Customer hereby gives consent to the processing of such personal data in the United States by QR DigiCard, provided that
    1. QR DigiCard will take such steps as may reasonably be required by Customer on an ongoing basis to ensure there is adequate protection for such personal data in accordance with applicable Data Protection Legislation; and
    2. QR DigiCard will process such data pursuant to the standard contractual clauses. For the purposes of the descriptions in the standard contractual clauses and only as between Customer and QR DigiCard, Customer agrees that Customer is a data controller and “data exporter” and QR DigiCard is the data processor and “data importer” under the standard contractual clauses. Additionally, Appendixes 1 and 2 of this DPA will take the place of Appendixes 1 and 2 of the standard contractual clauses respectively.
  9. QR DigiCard will allow Customer and its respective auditors or authorized agents to conduct reasonable audits and inspections during the term of the Services Agreement, solely to allow Customer to verify that QR DigiCard is processing personal data in accordance with its obligations under this DPA, the Services Agreement, and applicable Data Protection Legislation.
  10. If QR DigiCard becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by QR DigiCard in the course of providing the Services under the Services Agreement (a “Security Breach”),
    1. it shall within 72 hours and without undue delay notify Customer and provide Customer with: a detailed description of the Security Breach; the type of data that was the subject of the Security Breach; the identity of each affected person, and the steps QR DigiCard takes in order to mitigate and remediate such Security Breach, in each case as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Customer may reasonably request relating to the Security Breach); and
    2. take action immediately, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and, with the prior written approval of Customer, to carry out any recovery or other action necessary to remedy the Security Breach.
  11. QR DigiCard shall comply at all times with, and assist Customer in complying with its applicable obligations under, Data Protection Legislation. QR DigiCard shall provide any information requested by Customer to demonstrate compliance with the obligations set out in this DPA. QR DigiCard shall not perform its obligations under the Services Agreement or this DPA in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Legislation.
  12. QR DigiCard will notify Customer immediately if, in QR DigiCard’s reasonable opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.

Appendix 1: Subject Matter and Details of the Data Processing

Data exporter

The data exporter is Customer.

Data importer

The data importer is QR DigiCard, Netspot USA LLC.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • the Customer
  • individual contacts of Customer
  • any other data subjects whose data may be processed from time to time pursuant to the Agreement and this DPA.

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • First and last name
  • Email address
  • Telephone number
  • Mailing or other address information
  • IP address
  • Photographs and/or video of data subjects
  • Social media profiles
  • Date of birth

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): 

  • Gender pronoun choice

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):  As described in the Agreement.

Appendix 2: Overview Of QR DigiCard’s Technical And Operational Security Measures

QR DigiCard adopts an Information Security Management System (ISMS) as a framework for continuous improvement of security.

This ISMS includes (but is not limited to):

Policies

QR DigiCard has, and periodically reviews, Information Security Policies as the major guidelines for security practices. These include Risk Management, Data Classification, Access Control, Software Development and Data Breaches.

Awareness

Awareness of security and compliance is fundamental and is provided to all users. Some users may have additional specific awareness relevant to their function.

Access control

Access is granted on a need-to-know basis, and only a small number of users can access production systems where information from Customers is stored. Authentication to production systems uses 2-factor authentication as a standard.

Audit logging

Relevant audit logs are maintained, including for access to sensitive information (including personal data). The logs are kept in separate infrastructure and are accessed only by the Security team.

Data Breaches

Processes are defined to handle Data Breaches. These processes include notification to relevant stakeholders, according to the type of incident and applicable legislation.

Network security

QR DigiCard has implemented several security measures to protect our infrastructure from external and internal threats. These include encryption, firewalls, IDS and other cloud-provider-specific measures. Access to production systems is made in secure mode and encryption in transit is a default. Sensitive information is also encrypted at rest.

Physical Security

QR DigiCard uses data centers managed by cloud providers and delegates all physical security to them, after due diligence.

Business Continuity

QR DigiCard has several technical implementations to assure business continuity of its service. These include backups, resilient and redundant infrastructure, and a Disaster Recovery Plan.

Development

Development follows a secure development methodology that includes peer review, secure coding and testing.

Continuous improvement and review 

QR DigiCard’s security posture is based on a continuous improvement process that includes periodic review of the effectiveness of security controls.