WEIQ - Personal Data Processing Agreement

Personal Data Processing Agreement

Annex 2 to the main agreement

1. PARTIES

Between MEIQ Systems AB (org. no. 559148-4380), located at Kungsgatan 6, 21149 Malmö, hereinafter “Data Controller”, and the customer, hereinafter “Data Processor”.

If the parties have specifically agreed on a specification of security measures and/or processing, it will be attached as an annex to the data processing agreement. In case of a conflict, this agreement takes precedence.

This agreement is Annex Two (2) of Two (2) to the Main Agreement, which is signed by the parties.

2. INTRODUCTION AND DESCRIPTION

This data processing agreement governs the processing of personal data related to the agreed software (WEIQ), hereinafter referred to as the “Service”. The Service is provided by MEIQ Systems AB (MEIQ Systems). This data processing agreement is an annex to your agreement, together with the General Terms. Terms that start with a capital letter are defined in the final section below if not directly defined in the text.

The customer (contracting party, as outlined in the agreement) gains access to the Service once this Data Processing Agreement, together with the general terms, is accepted, which happens when the agreement is signed. This data processing agreement and the General Terms apply regardless of whether the software is provided free of charge or for payment.

In the WEIQ Privacy Policy on www.weiq.tech, you can read about how we handle personal data. By using WEIQ, you accept that MEIQ Systems may use this data in accordance with the Privacy Policy.

Personal data provided by the holder in connection with agreements and purchases via WEIQ, or otherwise registered in connection with them, is processed by WEIQ for the preparation and administration of WEIQ. WEIQ does not store any card information but uses third parties responsible for transactions. The personal data also serves as a basis for market and customer analysis, business follow-up, business and method development, and risk management.

If the holder wishes to obtain information about which personal data about them is processed by WEIQ, they can request this in writing by sending a letter to the above address or by email to privacy@weiq.tech. Anyone wishing to request the correction of incorrect or misleading information can contact WEIQ at the above address.

By signing the agreement with this annex, you consent to WEIQ using and storing the material you send for the use of WEIQ.

2.1 Description of the Service

The WEIQ service offers software consisting of four instances: the User Application, Order Receiver Application, WEIQ Terminal, and an Admin Interface.

2.2 Description of the User Application

Upon signing the agreement, your Seller (the location where the service is used, such as restaurants, bars, cafés, food trucks, or similar) is added to the application, and your End Customers can check in at your location. The User Application is primarily used for ordering, viewing the menu, completing transactions, and receiving other information.

2.3 Description of the Order Receiver Application (WEIQ Order Hub)

Secondly, there is a tablet-based application for bartenders or other order receivers. In this view, the order receiver can manage orders, notify the customer, complete (or reject) orders, modify the menu, open/close the bar, and generate reports.

2.4 Description of the WEIQ Terminal

The WEIQ Terminal is a payment terminal that is also used to take orders, create and update tabs and print receipts. The staff manages the terminal and can process payments through it.

2.5 Description of the Admin Interface

As a Customer, you will also have access to the Admin Interface. In this web application, a “superuser” (often a restaurant owner) can manage their WEIQ system, this includes: view sales, change prices, adjust opening hours, or edit information that will be displayed to End Customers. You can also retrieve accounting documentation and other reports.

Together, these four components form the foundation of the WEIQ Service, with certain support and other services also included from MEIQ Systems.

3. PURPOSE

3.1
The purpose of this Data Processing Agreement is to ensure that the Data Processor processes personal data within the scope of the Service for the Data Controller’s account, solely in accordance with the Data Controller’s instructions, in compliance with this agreement, and in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679.

3.2
The subject of the personal data processing under this agreement is the Service WEIQ. The processing will continue from the date of signature as long as the Data Processor stores or otherwise engages in personal data processing for the Data Controller’s account. It consists of the processing of information about the end customer, including personal data as follows:

Email address from the end customer.
Phone number from the end customer.
Name of the end customer.
Purchase and order history of the end customer.

4. DEFINITIONS

This agreement should be interpreted in accordance with and use the definitions provided in Article 4 of the General Data Protection Regulation.

5. DATA CONTROLLER

The Data Controller is obligated to comply with the General Data Protection Regulation regarding personal data processing and engaging a processor. The Data Controller has the right to direct the Data Processor’s personal data processing and must provide documented instructions necessary for the processing.

6. DATA PROCESSOR’S RESPONSIBILITY

The Data Processor undertakes to process personal data solely in accordance with documented instructions from the Data Controller, as well as in compliance with this agreement and the Main Agreement.

6.1
The Data Processor undertakes to comply with applicable law, particularly the General Data Protection Regulation, when processing personal data. Additionally, the Data Processor agrees to comply with regulations, rulings, and recommendations concerning permissible personal data handling, issued by the Data Protection Authority or relevant EU body.

6.2
By signing this agreement, the Data Processor affirms that necessary technical and organizational measures will be taken to ensure that processing meets the requirements of the General Data Protection Regulation and protects the rights of the data subjects.

6.3
The Data Processor will, according to the Data Controller’s instructions, promptly rectify, erase, or transfer incorrect, incomplete, or outdated personal data.

7. SECURITY MEASURES

The Data Processor must implement and maintain appropriate technical and organizational security measures to protect personal data, without any entitlement to special compensation for this.

7.1
The security measures must provide a level of protection required by applicable law, particularly the General Data Protection Regulation, and must be appropriate considering technical possibilities, costs of implementation, special risks of processing, and the sensitivity of the personal data being processed.

7.2
The Data Processor is responsible for ensuring adequate information security practices in its operations.

7.3
The Data Processor must ensure that employees, consultants, and others who process or have access to personal data are bound by confidentiality agreements and informed about how personal data processing should occur according to the Data Controller’s instructions.

7.4
The Data Processor’s security measures must be implemented with consideration for the latest developments, implementation costs, the nature, scope, context, and purposes of the data processing, and the risks to the rights and freedoms of individuals.

7.5
Where appropriate, security measures must include pseudonymization and encryption of personal data, ongoing ability to ensure confidentiality, integrity, availability, and resilience of systems and services for processing personal data, and the ability to restore access and availability of personal data in a reasonable time after a physical or technical incident.

7.6
When assessing the appropriate level of security, special attention must be given to the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

8. INCIDENTS

The Data Processor must immediately investigate any security incident, such as unauthorized access, destruction, alteration, or other unauthorized actions involving personal data, take appropriate actions to rectify it, and prevent recurrence. The Data Processor must notify the Data Controller and provide an Incident Report.

8.1
The Incident Report should include a description of the nature of the incident, categories of affected individuals, approximate number of data subjects and records affected, likely consequences, and actions taken to mitigate potential negative effects.

9. TRANSFER TO THIRD PARTIES

The Data Processor may not transfer personal data to third parties or disclose information about the processing of personal data to third parties without prior written consent from the Data Controller. The Data Processor may not extract or export personal data to any other system outside the software provided by the Data Controller.

10. SUBPROCESSORS

For the engagement or replacement of a subprocessor for the performance of tasks involving personal data processing (Subprocessor), the Data Processor must first obtain written approval from an authorized representative of the Data Controller. Such a request should include the subprocessor’s company name and contact details, type of service, location, and geographical placement of infrastructure relevant to the processing of personal data, as well as any other information about the subprocessor requested by the Data Controller. The Data Controller has the right to object, with binding effect, to the engagement of a particular subprocessor if there are reasonable grounds for doing so.

11. ACCESS

In order to ensure the maintenance of an appropriate level of security and compliance with this data processing agreement, the Data Controller has the right to necessary access to the parts of the Data Processor’s organization and systems related to personal data processing.

12. ADDITIONAL COMPENSATION

The Data Processor is not entitled to additional compensation for fulfilling the responsibilities and obligations under this data processing agreement or for following the instructions regarding personal data processing given by the Data Controller, unless this is explicitly stated in a written agreement.

13. LIABILITY FOR DAMAGE

If the Data Processor’s processing of personal data or failure to do so, in violation of this data processing agreement or contrary to the instructions of the Data Controller, causes damage to the Data Controller, such damage shall be compensated by the Data Processor.

14. ASSIGNMENT OF THE AGREEMENT

The assignment of this data processing agreement may only occur in connection with the assignment of the Main Agreement and in accordance with the terms of the Main Agreement.

15. TERM OF THE AGREEMENT

This agreement is valid from the date of signature and as long as the Data Processor stores or otherwise processes personal data on behalf of the Data Controller.

Upon termination of the data processing agreement, the Data Processor must, according to the Data Controller’s instructions, delete or return all data containing personal data on all media where personal data is stored, and thereafter delete any copies.

16. DISPUTES AND APPLICABLE LAW

Swedish law applies to this agreement. Any disputes arising from this data processing agreement shall be resolved in accordance with the dispute resolution provisions of the Main Agreement.

17. CHANGES

MEIQ Systems AB reserves the right to make changes and additions to this data processing agreement. If the Data Processor finds any changes or additions unsatisfactory, they are referred to terminate the Main Agreement.

This data processing agreement was created in digital format as an annex to the main agreement, of which the parties have taken note, and upon signing the Main Agreement, it constitutes part of the Main Agreement as Annex Two (2).

Last updated November 25, 2024.