Data Processing Addendum
In the course of providing its services to Customer, RTM UK may Process Personal Data or Non-Personal Data on behalf of Customer. The parties acknowledge that the Services are not designed to require the processing of Personal Data, and that any Processing of Personal Data by RTM UK is incidental and limited to the extent such data is included within Customer-provided datasets (including advertising platform data, analytics data, or CRM data), and is processed solely for the purpose of providing the Services. This Data Processing Addendum (“DPA”) reflects the parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Legislation. This Data Processing Addendum (“DPA”) is incorporated by reference as part of the master services agreement (or other agreement for the purchase of RTM UK’s services, hereinafter collectively “Agreement”) between Customer and RTM UK.
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Legislation. This DPA shall not replace any additional rights relating to Processing of Personal Data previously negotiated by Customer in the Agreement. This DPA will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of this DPA.
This DPA consists of two parts:
Data Processing Terms
Standard Contractual Clauses
DATA PROCESSING TERMS
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Legislation” means all laws and regulations, including laws and regulations applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom the Personal Data pertains.
“Non-Personal Data” means information that does not identify an individual directly. It includes data that has been anonymized or aggregated to the extent that it no longer relates to an identifiable person. This type of data is typically used for statistical, analytical, or research purposes, and it is devoid of any personal identifiers such as names, addresses, or specific locations that could tie it back to an individual.
“Personal Data” means “personal data,” “personally identifiable information” or an equivalent term, as defined by applicable Data Protection Legislation to the extent such data or information is accessed, collected, stored, transmitted, processed, hosted, used, handled, or disposed of by RTM UK in connection with the Agreement.
“Personal Data Breach” means a failure of RTM UK’s security controls leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in RTM UK’s possession, custody or control, to the extent the breach materially compromises the confidentiality, security or integrity of the Personal Data.
“Processing” means any operation or set of operations which is performed by or on behalf of RTM UK in connection with the Agreement upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller; where the entity Processes the Personal Data pursuant to the Controller’s instructions and solely to provide the Services.
“Services” shall mean RTM UK’s customer experience and RTM UK platform, provided as SaaS, and any required, usual, appropriate or acceptable activities relating to the Services, including without limitation to (a) carry out the Services or the business of which the Services are a part, (b) carry out any benefits, rights and obligations relating to the Services, (c) maintain records relating to the Services, or (d) comply with any legal or self-regulatory obligations relating to the Services. “Sub-processor” means any Processor engaged by RTM UK or an RTM UK Affiliate.
“Users” shall mean Customer’, Customer’s Affiliates’ and Customer’s contractors’ employees, entitled to use the Services under the Agreement.
2. DATA PROCESSING
2.1. The parties acknowledge and agree that with regard to the Processing of Personal Data,
RTM UK is the Processor; and
Customer and/or the Customer Affiliate which, determines the purposes and means of the Processing of Personal Data, is the Controller.
2.2. The parties shall each comply with their respective obligations under the Data Protection Legislation. Customer shall, in its use of the Services, Process Personal Data or Non-Personal Data in accordance with the requirements of Data Protection Legislation. Customer acknowledges that it determines the nature and scope of any Personal Data shared with RTM UK and is responsible for ensuring that such disclosure is compliant with applicable Data Protection Legislation.
2.3. Customer’s instructions for the Processing of Personal Data or financial data shall comply with Data Protection Legislation. RTM UK shall inform Customer immediately if, in RTM UK’s opinion, an instruction from Customer violates Data Protection Legislation.
2.4. RTM UK shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for purposes of (i) Processing for business purposes, in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer, as further set out in RTM UK’s published privacy policies. Such Processing is limited to what is necessary to provide the Services and, where applicable, includes incidental access, retrieval, aggregation, and analysis of Personal Data contained within Customer-provided datasets. RTM UK does not independently determine the purposes or means of Processing and does not require Personal Data for the standalone operation of its platform. RTM UK agrees that it shall not sell any Personal Data or any Non-Personal Data.
2.5. RTM UK shall take reasonable steps to instruct and train any of its and/or its Sub-processors’ employees who have access to Personal Data to maintain the confidentiality and security of the Personal Data and shall limit access to Personal Data on a need-to-know basis in case any Personal Data is processed. RTM UK shall ensure that access to Personal Data is restricted to personnel who require such access for the provision of the Services and that such personnel are subject to appropriate confidentiality obligations.
3. DATA SUBJECTS’ RIGHTS REQUESTS
3.1. RTM UK shall, to the extent legally permitted, promptly notify Customer if RTM UK receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“DSR Request”).
3.2. Taking into account the nature of the Processing, RTM UK shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a DSR Request under Data Protection Legislation.
3.3. To the extent Customer, in its use of the Services, does not have the ability to address a DSR Request, RTM UK shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such a DSR Request, to the extent RTM UK is legally permitted to do so and the response to such DSR Request is required under Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from RTM UK’s provision of such assistance.
4. DATA PROTECTION IMPACT ASSESSMENTS
RTM UK shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with a competent data protection supervisory authority, required under Data Protection Legislation, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, RTM UK
5. PERSONAL DATA BREACH NOTIFICATION
5.1. RTM UK shall notify Customer without undue delay, and, in any event, within seventy-two (72) hours, after becoming aware of a Personal Data Breach. RTM UK shall provide Customer with sufficient information to allow Customer to meet any obligations to notify regulators and/or affected individuals of the Personal Data Breach.
5.2. RTM UK shall make reasonable efforts to identify the cause of a Personal Data Breach and take those steps as RTM UK deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within RTM UK’s reasonable control.
5.3. The obligations herein shall not apply to incidents that are caused by Customer.
6. SECURITY AND OTHER SUPPLEMENTARY MEASURES
RTM UK shall maintain technical and organizational measures designed to protect the security (including protection against unauthorized access, unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data. Such measures shall include, as appropriate and proportionate to the nature of the Processing, access controls, authentication mechanisms, encryption in transit and/or at rest (where applicable), logging and monitoring of access, and role-based access restrictions.
7. DELETION OR RETURN OF PERSONAL DATA
7.1. RTM UK shall delete the Personal Data upon termination/expiry of the Agreement as specified in the Agreement or upon Customer’s reasonable request at any time. Where Personal Data has been processed incidentally as part of Customer-provided datasets, deletion shall be effected in accordance with standard system processes and data retention practices applicable to the Services. RTM UK may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by the applicable laws and always provided that RTM UK shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
7.2. RTM UK shall return Personal Data to the Customer in accordance with the procedure and timeframe specified in the Agreement.
8. AUDITS AND INSPECTIONS
8.1. Customer or another auditor mandated by the Customer may, once a year at most, audit the level of the data protection on and appropriateness of the Processing of Personal Data by RTM UK upon forty five (45) working days’ prior written notice to ensure the compliance with this DPA and Data Protection Laws.
8.2. The auditor mandated by the Customer may not be a direct or indirect competitor of RTM UK. RTM UK has a right to require the mandated auditor to enter into an appropriate confidentiality agreement prior to the audition.
8.3. Customer shall carry its own costs relating to the audits and shall reimburse RTM UK for any reasonable costs and expenses that RTM UK may incur due to any such audit. Before the commencement of any such on-site audit, Customer and RTM UK shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.
8.4. The Parties agree that RTM UK has the right to provide the Customer with an audit report covering the data processing and especially the technical and organizational security measures at its own costs. In this case, the Customer agrees that the rights to audit RTM UK have been satisfied and that the Customer has no additional rights under this Section 8 to audit RTM UK provided that:
the audit has been performed by a recognized, independent third party with proven experience in the field; and b) the audit report is no older than twelve (12) months.
9. LIABILITY
9.1 Each party’s liability arising out of or related to this DPA and all DPAs between Customer’s Affiliates and RTM UK, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section agreed under the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and all DPAs together.
9.2 For the avoidance of doubt, RTM UK’s total liability for all claims from the Customer and all of Customer’s Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Customer’s Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any of Customer’s Affiliate that is a contractual party to any such DPA.
9.3 Where a Data Subject asserts any claims against a party to this DPA in accordance with applicable Data Protection Legislation, the other party shall support in defending against such claims, where possible.
10. INTERNATIONAL PERSONAL DATA TRANSFERS
10.1. Customer acknowledges and accepts that RTM UK’s provision of RTM UK Services under the Agreement may involve the transfer of Personal Data to, or the Processing of Personal Data in, locations outside of the EEA, or UK, including to the United States or any other country in which RTM UK, RTM UK Affiliates, or RTM UK Sub- processors perform their services. Customer agrees that such transfers are permitted, provided that they comply with Data Protection Legislation and are consistent with the safeguards included in this Section 10.
10.2. RTM UK is an active participant in the EU-US Data Privacy Framework and agrees to maintain its participation in the EU-US Data Privacy Framework. Customers may choose to rely on the EU-US Data Privacy Framework as an adequate method of transferring Personal Data to RTM UK. To the extent the EU-US Data Privacy Framework is invalidated, the parties will instead rely on the attached 2021 EU SCCs as set out in the following clauses.
10.3. The attached 2021 EU SCCs shall apply to any transfers of Personal Data under this DPA from the European Economic Area or where EU Data Protection Legislation or Swiss Data Protection Legislation applies to the Customer or Customer’s Affiliate making the transfer and where such transfer is made to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Legislation of the foregoing territories, to the extent such transfers are subject to such Data Protection Legislation.
10.4. In the event of any conflict or inconsistency between this DPA, 2021 EU SCCs, the 2021 EU SCCs shall prevail.
11. SUBPROCESSORS
11.1. RTM UK has Customer’s general authorization to use the Subprocessors in the Processing of Personal Data, provided that RTM UK shall (i) carry out adequate diligence prior to engaging the Subprocessor to select Subprocessors that are capable of maintaining the privacy, confidentiality, security, integrity, and availability of Personal Data consistent with the requirements of this DPA; and (ii) ensure that the arrangement between RTM UK and Subprocessor is governed by a binding contract that includes terms which offer a substantially similar level of protection for Personal Data as those set forth in this DPA and which meet the requirements of Data Protection Legislation. RTM UK shall, upon reasonable request, make available information regarding its Subprocessors and shall notify Customer of any material changes to its Subprocessor arrangements, provided that such notification may be made via a publicly available list or similar mechanism. The use of Subprocessors may include third-party infrastructure, analytics, or processing tools that support the provision of the Services, including where such tools may incidentally process Personal Data as part of Customer-provided datasets.
11.2. RTM UK will remain liable to the Customer for the acts and omissions of RTM UK’s Subprocessors to the extent they relate to the provision of the RTM UK Services to the Customer, consistent with the limitations of liability set forth in the Agreement.
12. CCPA
12.1. This section shall only apply where the CCPA is applicable to the Parties. For purposes of this Section 12, the terms “Commercial Purpose,” “Sell,” “Service Provider,” and “Share” shall have the respective meanings given thereto in the CCPA, and “Personal Information” shall mean Personal Data that constitutes Personal Information governed by the CCPA.
12.2. It is the Parties’ intent that with respect to any Personal Information, RTM UK is the Service Provider. RTM UK (i) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement; (ii) shall comply with applicable obligations under the CCPA, and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (iii) agrees that Customer has the right to take reasonable and appropriate steps under Section 8 of the DPA to help ensure that RTM UK’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (iv) shall notify Customer in writing of any determination made by RTM UK that it can no longer meet its obligations under the CCPA; and (v) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate use of Personal Information.
12.3. RTM UK, shall not (i) Sell or Share any Personal Information; (ii) retain, use, or disclose any Personal Information for any purpose other than for the specific Business Purpose of providing the RTM UK Services under and in accordance with this Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose of providing the RTM UK Services or as otherwise permitted by the Agreement or applicable law; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Customer and RTM UK; or (iv) combine Personal Information received pursuant to the Agreement with Personal Information (a) received from or behalf of another person or (b) or collected from RTM UK’s own interaction with any Consumer to whom such Personal Information pertains, except as otherwise permitted under the Agreement or Applicable Law.
12.4. Customer agrees that RTM UK notifying Customer of Subprocessor engagements in accordance with Section 11 of this DPA shall satisfy RTM UK’s obligation under the CCPA to give notice of such engagements.
12.5. The Parties acknowledge that RTM UK’s retention, use, and disclosure of Personal Information authorized by Customer’s instructions documented in the DPA are integral to the provision of the RTM UK Services and the business relationship between the Parties.
13. CHANGE IN LAWS
RTM UK may, on notice, amend this DPA to the extent reasonably necessary to address the requirements of Data Protection Legislation, including by replacing the relevant SCCs with (i) any new form of the relevant SCCs or any replacement thereof prepared and populated accordingly, or (ii) another transfer mechanism, other than the SCCs.
B. PARTIES AND DATA PROCESSING DETAILS
LIST OF PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union.
Name Address | Customer name as per the Agreement |
Customer address as per the Agreement | |
Contact Person’s name, position, and contact details Activities Relevant to the data transferred under these Clauses: | Customer contact as per the Agreement |
The data exporter is a customer of RTM UK receiving the Services under the Agreement. | |
Role (controller/process or): | As per section 2.1 of this DPA. |
Data importer(s): Identity and contact details of the data importer(s) and, where applicable, of its/their data protection officer and/or representative in the European Union.
Name | RTM UK |
Address Contact Person’s name, position, and contact details Role (controller/process or): | 131 Continental Dr Suite 301, Newark, DE 19713 |
Praveen Madhavan Pillai - IT Security and Privacy Compliance Officer Email: praveen.madhavanpillai@pixis.ai | |
Processor |
DETAILS OF PROCESSING AND DESCRIPTION OF TRANSFER
Categories of Data Subjects:
Categories of Personal Data Special Categories of Data, Sensitive | Customers, prospective customers, website users, and other individuals whose data may be included within Customer-provided datasets (including CRM systems, advertising platforms, or analytics tools), to the extent such data is made available by Customer. |
Personal Data may be included incidentally within Customer-provided datasets and may, where applicable, include:
| |
N/A |
Data and Safeguards Frequency of Transfer |
Technical and Organizational Measures Confidentiality Security Incident Response Data Transfer Data Subject Rights
|
Continuous (as required for provision of the Services) | |
Nature of Processing
Purpose of Processing | Processing is limited and incidental in nature and arises solely to the extent Personal Data is embedded within Customer-provided datasets. Such Processing may include access, retrieval, organisation, aggregation, and analysis of data for the purpose of enabling platform functionality and generating insights, diagnostics, and recommendations. Processing is primarily read-only in nature and does not involve execution of campaigns or modification of Customer systems.
|
To enable the provision of the Services, including platform-based analytics, diagnostic analysis, and advisory outputs, based on Customer-provided datasets. RTM UK does not require Personal Data for the standalone operation of its platform and does not independently determine the purposes for which such Personal Data is processed.
| |
Duration of Processing/Retention Period |
Personal Data shall be processed for the duration of the Agreement and retained only for as long as necessary to provide the Services, or as required under applicable law.
Where Personal Data is processed incidentally as part of Customer-provided datasets, retention shall be aligned with standard system processes and applicable data retention practices. |
C. 2021 EU STANDARD CONTRACTUAL CLAUSES
Standard Contractual Clauses” means with respect to Switzerland, the standard contractual clauses adopted by the European Commission 4, 2021, the text of which is available at:
https://eur-lex.europa.eu/legal content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU Standard Contractual Clauses”),
and with respect to the United Kingdom, the EU Standard Contractual Clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at:
(“International Data Transfer Addendum”) (together with the EU Standard Contractual Clauses, the “UK Standard Contractual Clauses”), including any updated, amended, or subsequent version thereof approved by the respective data protection authority.