Personal Data Processing Agreement
Annex 2 to the Main Agreement
1. PARTIES
Between MEIQ Systems AB (org. no. 559148-4380), located at Södra Förstadsgatan 1, 211 43 Malmö, hereinafter the ”Data Controller,” and the customer, hereinafter the ”Data Processor.”.
If the parties have specifically agreed on a specification of security measures and/or processing, it will be attached as an annex to the data processing agreement. In case of a conflict, this agreement takes precedence.
This agreement is Annex Two (2) of Two (2) to the Main Agreement, which is signed by the parties.
2. INTRODUCTION AND DESCRIPTION
This Data Processing Agreement governs the processing of personal data related to the agreed software (WEIQ), hereinafter referred to as the ”Service.” The Service is provided by MEIQ Systems AB (MEIQ Systems). This Data Processing Agreement is an annex to your agreement, together with the General Terms. Terms that begin with a capital letter are defined in the final section below if not directly defined in the text.
The customer (contracting party, as outlined in the agreement) gains access to the Service once this Data Processing Agreement, together with the general terms, is accepted, which happens when the agreement is signed. This data processing agreement and the General Terms apply regardless of whether the software is provided free of charge or for payment.
In the WEIQ Privacy Policy, you can read about how we handle personal data. By using WEIQ, you accept that MEIQ Systems may use this data in accordance with the Privacy Policy.
Personal data provided by the holder in connection with agreements and purchases via WEIQ, or otherwise registered in connection with them, is processed by WEIQ for the preparation and administration of WEIQ. WEIQ does not store any card information but uses third parties responsible for transactions. The personal data also serves as a basis for market and customer analysis, business follow-up, business and method development, and risk management.
If the data subject wishes to obtain information about the personal data processed by WEIQ about them, they can request this in writing by sending a letter to the above address or by email to privacy@weiq.tech. Anyone wishing to request the correction of incorrect or misleading information can contact WEIQ at the above address.
By signing the agreement with this annex, you consent to WEIQ using and storing the material you send for WEIQ's use.
2.1 Description of the Service
The WEIQ service offers software consisting of four instances: the User Application, Order Receiver Application, WEIQ Terminal, and an Admin Interface.
2.2 User Application Description
Upon signing the agreement, your Seller (the location where the service is used, such as restaurants, bars, cafés, food trucks, or similar) is added to the application, and your End Customers can check in at your location. The User Application is primarily used for ordering, viewing the menu, completing transactions, and receiving other information.
2.3 Description of the Order Receiver Application (WEIQ Order Hub)
Secondly, there is a tablet-based application for bartenders or other order receivers. In this view, the order receiver can manage orders, notify the customer, complete (or reject) orders, modify the menu, open/close the bar, and generate reports.
2.4 Description of the WEIQ Terminal
The WEIQ Terminal is a payment terminal that can also be used to take orders, create and update tabs, and print receipts. Staff members manage the terminal and can process payments through it.
2.5 Description of the Admin Interface
As a customer, you will also have access to the Admin Interface. In this web application, a ”superuser” (often a restaurant owner) can manage their WEIQ system. This includes viewing sales, changing prices, adjusting opening hours, or editing information that will be displayed to end customers. You can also retrieve accounting documentation and other reports.
Together, these four components form the foundation of the WEIQ Service, with certain support and other services also included from MEIQ Systems.
3. PURPOSE
3.1
The purpose of this Data Processing Agreement is to ensure that the Data Processor processes personal data within the scope of the Service for the Data Controller’s account, solely in accordance with the Data Controller’s instructions, in compliance with this agreement, and in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679.
3.2
The subject of personal data processing under this agreement is the WEIQ Service. Processing will continue from the date of signature as long as the Data Processor stores or otherwise processes personal data on behalf of the Data Controller. This includes the processing of information about the end customer, including personal data as follows:
- Email address from the end customer.
- Customer's phone number.
- Name of the end customer.
- End customer purchase and order history.
4. DEFINITIONS
This agreement shall be interpreted in accordance with and use the definitions provided in Article 4 of the General Data Protection Regulation.
5. DATA CONTROLLER
The Data Controller is obligated to comply with the General Data Protection Regulation regarding personal data processing and engaging a processor. The Data Controller has the right to direct the Data Processor’s personal data processing and must provide documented instructions necessary for the processing.
6. DATA PROCESSOR'S RESPONSIBILITY
The Data Processor undertakes to process personal data solely in accordance with documented instructions from the Data Controller, as well as in compliance with this agreement and the Main Agreement.
6.1
The Data Processor undertakes to comply with applicable law, particularly the General Data Protection Regulation, when processing personal data. Additionally, the Data Processor agrees to comply with regulations, rulings, and recommendations concerning permissible personal data handling, issued by the Data Protection Authority or relevant EU body.
6.2
By signing this agreement, the Data Processor affirms that necessary technical and organizational measures will be taken to ensure that processing meets the requirements of the General Data Protection Regulation and protects the rights of the data subjects.
6.3
The Data Processor shall, according to the Data Controller’s instructions, promptly rectify, erase, or transfer incorrect, incomplete, or outdated personal data.
7. SECURITY MEASURES
The Data Processor must implement and maintain appropriate technical and organizational security measures to protect personal data, without any entitlement to special compensation for this.
7.1
The security measures must provide a level of protection required by applicable law, particularly the General Data Protection Regulation, and must be appropriate considering technical possibilities, implementation costs, specific risks of processing, and the sensitivity of the personal data being processed.
7.2
The Data Processor is responsible for ensuring adequate information security practices in its operations.
7.3
The Data Processor must ensure that employees, consultants, and others who process or have access to personal data are bound by confidentiality agreements and informed about how personal data processing should occur according to the Data Controller’s instructions.
7.4
The Data Processor's security measures must be implemented with consideration for the latest developments, implementation costs, the nature, scope, context, and purposes of the data processing, and the risks to the rights and freedoms of individuals.
7.5
Where appropriate, security measures must include pseudonymization and encryption of personal data, the ongoing ability to ensure the confidentiality, integrity, availability, and resilience of systems and services for processing personal data, and the ability to restore access to and availability of personal data within a reasonable time after a physical or technical incident.
7.6
When assessing the appropriate level of security, special attention must be given to the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
8. INCIDENTS
The Data Processor must immediately investigate any data security incident, such as unauthorized access, destruction, alteration, or any other unauthorized action involving personal data. The Data Processor must take appropriate actions to rectify the incident and prevent its recurrence. The Data Processor must notify the Data Controller and provide an Incident Report.
8.1
The Incident Report should include a description of the nature of the incident, categories of affected individuals, approximate number of data subjects and records affected, likely consequences, and actions taken to mitigate potential negative effects.
9. TRANSFER TO THIRD PARTIES
The Data Processor shall not transfer personal data to third parties or disclose information about the processing of personal data to third parties without prior written consent from the Data Controller. The Data Processor shall not extract or export personal data to any other system outside the software provided by the Data Controller.
10. Subprocessors
For the engagement or replacement of a subprocessor for the performance of tasks involving personal data processing (Subprocessor), the Data Processor must first obtain written approval from an authorized representative of the Data Controller. Such a request should include the subprocessor’s company name and contact details, type of service, location, and geographical placement of infrastructure relevant to the processing of personal data, as well as any other information about the subprocessor requested by the Data Controller. The Data Controller has the right to object, with binding effect, to the engagement of a particular subprocessor if there are reasonable grounds for doing so.
11. ACCESS
In order to ensure the maintenance of an appropriate level of security and compliance with this data processing agreement, the Data Controller has the right to necessary access to the parts of the Data Processor’s organization and systems related to personal data processing.
12. ADDITIONAL COMPENSATION
The Data Processor is not entitled to additional compensation for fulfilling the responsibilities and obligations under this data processing agreement or for following the instructions regarding personal data processing given by the Data Controller, unless this is explicitly stated in a written agreement.
13. LIABILITY FOR DAMAGE
If the Data Processor's processing of personal data or failure to do so, in violation of this data processing agreement or contrary to the instructions of the Data Controller, causes damage to the Data Controller, the Data Processor shall compensate for such damage.
14. ASSIGNMENT OF THE AGREEMENT
The assignment of this Data Processing Agreement may only occur in connection with the assignment of the Main Agreement and in accordance with the terms of the Main Agreement.
15. TERM OF THE AGREEMENT
This agreement is valid from the date of signature and as long as the Data Processor stores or otherwise processes personal data on behalf of the Data Controller.
Upon termination of the data processing agreement, the Data Processor, according to the Data Controller's instructions, must delete or return all data containing personal data on all media where personal data is stored, and thereafter delete any copies.
16. DISPUTES AND APPLICABLE LAW
Swedish law applies to this agreement. Any disputes arising from this data processing agreement shall be resolved in accordance with the dispute resolution provisions of the Main Agreement.
17. CHANGES
MEIQ Systems AB reserves the right to make changes and additions to this data processing agreement. If the Data Processor finds any changes or additions unsatisfactory, they are referred to terminate the Main Agreement.
This Data Processing Agreement was created in digital format as an annex to the Main Agreement. The parties acknowledge and agree that upon signing the Main Agreement, this Data Processing Agreement shall form part of the Main Agreement as Annex Two (2).
Last updated November 25, 2024.