3. CONTROLLER OBLIGATIONS
The parties agree that Toast shall act as a Controller only where (i) data is disclosed in the context of a referral relationship, and/or (ii) specifically set forth in the Agreement. If neither Party is a Controller, the terms provided under this Section 3 are not applicable to the Agreement.
To the extent Toast and Partner Process Personal Information as Controllers as part of the Agreement, the Parties agree that:
3.1 Independent controllers: Each Party shall act as independent Controller and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws.
3.2 Compliance with law: Both Parties agree to comply with Applicable Data Protection Laws and shall not by any act or omission, put the other Party in breach of those Laws.
3.3 Compliance obligations: Each Party is obligated to manage its respective compliance obligations pursuant to Applicable Data Protection Laws and putting in place any applicable controls or governance, which may include (i) the provision and maintenance of a privacy statement or similar notice for each Party’s respective Processing; (ii) providing written notices to individuals; (iii) obtaining any required consents (including initial consents or consents for secondary uses) before any initial or subsequent use or disclosure of Personal Information; (iv) fulfillment and management of opt-outs and individual rights requests; (v) compliance with any applicable direct marketing or spam legislation; and (vi) the oversight of Processing operations involving Personal Information.
3.4 Individual Rights Requests: Each Party shall comply with Individual Rights Requests under Applicable Data Protection Laws (including the right to withdraw consent, of access, restriction, rectification and erasure) in relation to Personal Information. The Parties shall reasonably cooperate with each other to respond to such requests where required or appropriate.
3.5 No Sales or Sharing: Each Party represents and warrants that, to the best of its knowledge, the transfer of Personal Information under the Agreement between the Parties does not constitute a “Sale” or “Sharing” under the Applicable Data Protection Laws. The Parties agree that any transfers of Personal Information to Third Parties, whether made directly by a Party or made at the request of the other Party, will not constitute a “Sale” or “Sharing”. To the extent any transfer to a Third Party is found to later constitute a “Sale” or “Sharing”, the Party responsible for instructing that transfer shall be solely responsible for implementing the appropriate disclosures and managing any subsequent legal obligations (e.g., opt-outs) under the Applicable Data Protection Laws.
3.6 Specifically with regard to any Personal Information Partner discloses to Toast, Partner represents and warrants that it has provided the appropriate notice to Individuals and collected any required consent in compliance with Sections 3.3.(ii) and (iii) of this Addendum, and has a lawful basis for processing and disclosing the Personal Information with Toast in connection with the Services.
3.7 Upon Toast's request, Partner shall provide appropriate evidence of its compliance with the above Section 3.6 to Toast.
4. PROCESSOR OBLIGATIONS
This Section is divided into two sections depending on the relationship of the Parties. The first section (4.1-4.10) applies only to the extent that Toast is a Processor acting on behalf of the Partner as a Controller. The second section (4.11-4.15) applies where both Toast and the Partner are Processors (in most cases with each Party acting on behalf of independent Third Parties).
Partner as a Controller and Toast as a Processor
To the extent Toast Processes Personal Information as a Processor where Partner is a Controller under the Agreement, Toast agrees that:
4.1 Processing: Toast shall only Process the Personal Information on documented instructions of the Partner and in order to provide the Services or where required by applicable law, in which case Toast will inform Partner of the legal requirement unless Toast is prohibited from doing so by law.
4.2 Audits and Assessments: To the extent required under the Applicable Data Protection Laws, Toast shall make available to Partner all information necessary to demonstrate compliance with the obligations under such Laws.
4.3 CCPA Service Provider: Where Toast acts as a “service provider” for the purposes of the CCPA, and with respect to Personal Information it processes in such capacity, in addition to the obligations set forth in this DPA and to the extent the CCPA applies: Toast shall not (a) combine Personal Information it receives in connection with the Services with Personal Information it may receive from other sources, (b) “Sell” or “Share” Personal Information as such terms are defined in the CCPA, (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to Applicable Data Protection Laws), (d) retain, use or disclose Personal Information outside of the direct business relationship between the Parties or outside the provision of the Services, and (e) disclose Personal Information to any person without including them on the list of Sub-processors described below. The Parties acknowledge that the transfer of Personal Information is in furtherance of a business purpose, described in the Agreement.
4.4 Sub-processors: Partner grants Toast a general authorization to appoint Sub-processors to Process Personal Information under the Agreement and permits each Sub-processor to appoint Sub-processors in accordance with the terms herein. Toast will have a written agreement with the Sub-processor imposing substantially similar obligations as those set out under this Addendum. Toast is responsible to Partner (or as applicable, a Third Party) for the failure of any Sub-processors to perform their obligations under this Addendum. See Annex 3 of this Addendum for a link to a website detailing Toast’s current Sub-processors. By visiting that site, Partner may also register to be notified of any modifications to the Sub-processor list (a “Notification”).
4.5 GDPR Sub-processors: In the case of a Sub-processor appointed that will Process Personal Information subject to the GDPR, if Partner objects on reasonable grounds to the use of a specific Sub-processor it must inform Toast of such objection in writing (by email to firstname.lastname@example.org) within 15 days of receipt of Notification. Toast will use reasonable efforts to make available to Partner a change in the Services or recommend a commercially-reasonable change to the configuration or use of the Services by Partner to avoid Processing of Personal Information by the objected-to new Sub-processor. Toast shall at its option (a) within a commercially reasonable timeframe find a replacement Sub-processor; or (b) provide a termination right pursuant to the Agreement. Before the Sub-processor first processes Personal Information, Toast agrees to carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Information required by the Agreement. Toast will provide for Partner to review the form of agreement for such written contract, as Partner may request up to once per year.
4.6 Retention and deletion: Upon termination of the Agreement, Toast shall return or delete any Personal Information on Partner’s request, except where it is required to retain the Personal Information to comply with applicable laws, or, where permitted, such retention is in line with Toast’s current data retention schedule.
4.7 Reasonable support: Toast shall provide reasonable assistance and cooperation to Partner in relation to any individual rights requests made pursuant to the Applicable Data Protection Laws. In the event Toast receives a notification or request pursuant to this Section, Toast shall notify Partner and shall not respond to the individual making the request unless required to do so under applicable law (including the Applicable Data Protection Laws). Additionally, upon Partner’s request, Toast shall provide Partner with reasonable assistance and cooperation needed to fulfill Partner’s obligation to carry out a data protection impact assessment related to Partner’s use of the Services, to the extent that Partner does not otherwise have access to the relevant information and to the extent that such information is available to Toast.
4.8 Government Access Requests: If Toast becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Information of Partner, whether on a voluntary or a mandatory basis, then unless legally prohibited under applicable law, Toast shall: (1) immediately notify Partner; (2) inform the requestor that Toast is a Processor and is not authorized to disclose the Personal Information; (3) inform the requestor that the request must be sent to the Partner; and (4) not provide access to the Personal Information unless required by applicable law or authorized by the Partner in writing. If applicable law prohibits Toast from complying with (1) to (4) above, then Toast shall use any lawful means to challenge (a) disclosure of the Personal Information and (b) the prohibition to notify Partner.
4.9 Third Party transfers: Partner acknowledges that Toast is not responsible for the Processing of Personal Information by Third Parties where the Personal Information is sent by Toast to the Third Party on the instructions of the Partner.
4.10 Additional GDPR Processor obligations: In addition to the other requirements set out in this Addendum, to the extent Toast Processes Personal Information subject to the GDPR, UK GDPR or laws of Switzerland, Toast shall comply with all requirements under Article 28 of the GDPR in relation to Toast’s role as a Processor (or the relevant equivalent requirements as applicable). This includes the contractual obligations set out in Article 28(3) as set out in this Addendum.
Toast and Partner as Processors
To the extent both Toast and Partner Process Personal Information as independent Processors on behalf of a Third Party under the Agreement, the Parties agree that the following terms shall apply to the relationship.
4.11 Compliance with law: Each Party shall comply with all Applicable Data Protection Laws and not by any act or omission put the other Party in breach of those Laws.
4.12 Partner Authority: Where Partner acting as Processor requests that Toast Process Personal Information from a Third Party (e.g., a Merchant), Partner represents and warrants that it has the requisite authority from the Third Party Controller for such instruction.
4.13 Merchant Processing: To the extent that Partner is acting as a Processor on behalf of a Merchant Controller and the Merchant directs Toast to transfer Personal Information to Partner, Partner agrees that it shall:
(i) adhere to any and all obligations of a Processor under the Applicable Data Protection Laws;
(ii) only process the Personal Information in line with the instructions of the Merchant and to provide the requisite services;
(iii) be responsible for evaluating Toast’s information collection practices and disclosures and ensuring that any downstream use by the Partner (whether on behalf of a Third Party or on behalf of the Controller) is compliant and permitted under the Applicable Data Protection Laws; and
(iv) ensure that at the end of the agreement with the Merchant that Personal Information is either returned or destroyed at the election of Merchant absent any obligation to retain the information under the applicable law.
4.14 Sub-processor relationship: In the event that Partner is required to act as a Sub-processor at any time during the Services, the Parties shall negotiate a set of mutually-agreeable written terms to govern such processing activity.
4.15 CCPA Service Providers: For the purposes of the CCPA, as applicable, both Parties shall act as a “service provider” and not (a) combine Personal Information it receives in connection with the Services with Personal Information it may receive from other sources, (b) “Sell” or “Share” Personal Information as such terms are defined in the CCPA, (c) retain, use, or disclose Personal Information for any purpose other than to provide the Services, and as otherwise permitted by applicable law (including but not limited to Applicable Data Protection Laws), and (d) retain, use or disclose Personal Information outside of the direct business relationship between the Parties or outside the provision of the services.
Toast’s Processor obligations above shall be read and interpreted in light of any additional rights Toast may have in relation to the Personal Information pursuant to an agreement with a Merchant or Third Party.