Data Processing Addendum
This Data Processing Addendum (“Agreement” or “Addendum”) is effective from the date on which the Customer contracts Smart Order’s Services (“Addendum Effective Date”) and forms part of the Terms of Services of Smart Order’s Services available at https://smartorder.ai/resources/terms-of-service/ (“Principal Agreement”) between:
– CUSTOMER (hereinafter also referred to as the “Controller”) acting on its own behalf. The term “Customer” refers to either: a) the person who registers for a Customer Account on his/her own behalf; or b) the organisation, where the person registers for a Customer account on behalf of an organisation.
– Hong Kong Smart Order Technology Co., Limited (hereinafter also referred to as the “Processor”) acting on its own behalf.
Hereinafter referred to individually as the “Party” or jointly as the “Parties”.
1. Definitions
In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Sub-processor”: Any third party to whom the Processor may subcontract any of its processing activities under this DPA.
“Processing/Processed/Process”: Any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller/ Controller”: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor/ Processor”: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
“Data Subject”: An identified or identifiable natural person.
“Personal Data”: Any information relating to an identified or identifiable natural person.
“Guest” means any individual person who rents a room or a property.
“Erasure” means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed.
“Special Categories of Personal Data”: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Unless otherwise defined herein, the terms and expressions used herein have the same meaning as in the Principal Agreement.
2. Data Processing Terms
2.1 The Controller is responsible for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Data is provided by the Controller to the Processor for Processing pursuant to this Addendum. The Controller acknowledges that the Service is not intended or designed for the Processing of Sensitive Information, and the Controller agrees not to provide any Sensitive Information through the Service.
2.2 In the course of providing the Services, the Processor will process Controller personal data on behalf of the Controller as per the terms of this Addendum. The Processor agrees to comply with the following provisions with respect to any Controller personal data.
2.3 The Processor shall maintain all the technical and organizational measures to comply with the requirements set forth in the Addendum.
2.4 The Controller shall be responsible for the source and content of Personal Data, and be careful in judging the legitimacy of the source and content of the data. The Controller shall be solely responsible for all results and liabilities caused by the content of Personal Data violating laws and regulations, departmental rules or national policies.
3. Processing of Controller Personal Data
3.1 The categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed are the following:
a) Controller Personal Data that will be processed:
• Guest: Personal and Transactional Data collected
b) Purposes: The Processor shall only process Controller Personal Data for the purposes of the Principal Agreement, namely:
• to provide Smart Order’s Services to the Controller
• to allow the Controller the management of Guests who rent properties
3.2 For the purposes set out in the section above, the Controller hereby authorizes the Processor to transfer Controller Personal Data to the appropriate recipients in the Third Countries which ensure an adequate level of Data Protection. The Controller may request, at any time, a list of the aforementioned recipients.
3.3 In particular, if the Controller utilizes the technical services of Smart Order to provide services to others, it should separately agree with them on a Data Processing Agreement and Privacy Policy or similar legal documents in accordance with relevant legal requirements.
3.4 The Processor shall take adequate protective measures to safeguard the security of Personal Data, but since the Processor processes the data in full accordance with the Controller's instructions, the Controller, as the party in full control of the Personal Data, shall be subject to the necessary compliance obligations.
4. Reliability and Non-Disclosure
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller personal data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.
5. Personal Data Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of Controller Personal Data security appropriate to the risk, including but not limited to:
5.1.1. Pseudonymization or encryption, where appropriate;
5.1.2. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2. In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
6. Sub-Processing
6.1. As of the Addendum Effective Date, the Controller hereby authorises the Processor to engage with Sub-Processors to ensure the optimal provision of Smart Order’s Services.
6.2. The Data Controller may request, at any time, information regarding the identity of the aforementioned Sub-Processors. Where the Data Controller expresses his or her disagreement regarding the Sub-Processors engaged by the Processor, the Data Controller may stop using Smart Order’s Services.
7. Data Subject Rights
7.1. The Controller is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Data processed by the Processor under this Addendum.
7.2. The Processor shall promptly notify the Controller if it receives a request from a Data Subject, the Supervisory Authority and/or other competent authority under any applicable Data Protection Laws with respect to Controller Personal Data; however, prior authorized consent is not required under such circumstances.
8. Personal Data Breach
8.1. The Processor shall notify the Controller without undue delay and, in any case, within forty-eight (48) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. The Processor will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
8.1.1. Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2. Communicate the name and contact details of the Processor’s Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained;
8.1.3. Describe the estimated risk and the likely consequences of the Personal Data Breach; and
8.1.4. Describe the measures taken or proposed to be taken to address the Personal Data Breach.
At Controller’s request, Processor will provide reasonable assistance and cooperation with respect to any notifications that Controller is legally required to send to affected Data Subjects and regulators. Processor may charge a reasonable fee for such requested assistance.
8.2 Although it has taken reasonable and effective security measures in accordance with the requirements of relevant laws and regulations, the Processor cannot guarantee information security under certain circumstances due to technical limitations and possible malicious means. The systems and networks may be affected by factors beyond the Processor's control and problems may occur. Therefore, the Controller shall take proactive measures to protect the security of Personal Data.
9. Erasure of Controller Personal Data
The Processor shall, within 30 working days after the termination of any service involving the processing of Controller's personal data, promptly delete and cause the deletion of all copies of the Controller's personal data, unless there are legal requirements to retain the data (such as tax or accounting regulations).
10. General Terms
Subject to this section, the parties agree that this Addendum shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by the Processor with the Controller, pursuant to the Principal Agreement, whichever is later.
The parties fully agree and acknowledge that the Processor shall amend or update the Addendum from time to time.