Effective from 21.12.2023    This Contract for Processing of Personal Data is an integral appendix to the General Terms and Conditions for Partners in which Fudy and the Partner agree on the terms and conditions of Processing of Personal Data of Data Subjects.    The terms and conditions set out in the Contract for Processing of Personal Data apply to all the Personal Data processing activities performed by the Partner through or via the Platform.    1.INTRODUCTION AND DEFINITIONS    1.1. In the Contract for Processing of Personal Data, terms are used with the following meaning:    1.1.1. "Data subject" means an identified or directly or indirectly identifiable natural person. Pursuant to this Contract for Processing of Personal Data, Customers who are natural persons are deemed to be Data Subjects.    1.1.2. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.    1.1.3. "Personal Data" means any data related to any Data Subject, which are defined in more detail in clause 2 of the Contract for Processing of Personal Data.    1.1.4. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.    1.1.5. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.    1.1.6. "Controller" means a natural or legal person who alone or jointly with others makes decisions relating to the purpose and means of Processing Personal Data.    1.2. Capitalised terms not defined in clause 1.1 of the Contract for Processing of Personal Data have the meaning attributed to them in the General Terms and Conditions.    1.3. If the terms and conditions of the Contract for Processing of Personal Data are in conflict with or incompatible with the General Terms and Conditions or Special Terms and Conditions, this Contract for Processing of Personal Data shall take precedence over the General Terms and Conditions and Special Terms and Conditions with regard to the conflict or the incompatible part.    2.ROLES AND RESPONSIBILITIES    2.1. Both Parties collect and share with one another Personal Data of Data Subjects for the purpose of performing the Contract. Fudy Processes Personal Data to enable the Partner and Customer to use the Platform. The Partner Processes the Personal Data of Customers in order to market products to Customers and to accept and fulfil Orders.    2.2. Both Parties are Controllers in the Processing of Personal Data of a Data Subject. Each Party independently determines the purposes and means of processing Personal Data to be Processed by them as part of the service to be provided through the Platform while being individually and separately liable for the performance of the obligations of the Controller set out in the GDPR.    2.3. The Parties agree that they are not joint controllers with regard to Personal Data to be Processed pursuant to the Contract for Processing of Personal Data for the purposes of Article 26 of the GDPR.    3.DESCRIPTION OF PROCESSING    3.1. The details of the Partner’s processing operations, in particular the categories of Personal Data to be Processed pursuant to the Contract for Processing of Personal Data and the purposes of Processing Personal Data are as follows.    Data Subjects whose Personal Data are Processed:  Categories of Personal Data  Customers:  Customer’s data: given name, phone number  Order data: order date, order number, order type (Customer picked up the order themselves, the order included delivery service), order amount, order status, Customer’s comments regarding the order, customer’s feedback or complaint.    Data Subjects whose Personal Data are Processed:  Processing of special categories of personal data  Customers:  The Partner does not process or share special categories of personal data    Data Subjects whose Personal Data are Processed:  Restrictions or safeguards for processing of special categories of personal data  Customers:  The Partner does not process or share special categories of personal data    Data Subjects whose Personal Data are Processed:  Frequency of transmitting personal data  Customers:  Personal Data is transmitted every time the Customer places an Order    Data Subjects whose Personal Data are Processed:  Nature of processing  Customers:  Collection, storage, erasure, transmission, consultation    Data Subjects whose Personal Data are Processed:  Purposes of processing  Customers:  -Entry into a contract of sale   -Acceptance of an Order and fulfilling the Order   -Answering the Customer’s questions, resolving complaints, and analysing Customer feedback   -Any other purpose related to the performance of the Contract   -Transmitting marketing information if the Customer has given their explicit consent    Data Subjects whose Personal Data are Processed:  Period of processing  Customers:  Term of the Contract    Data Subjects whose Personal Data are Processed:  Transmission of personal data  Customers:  Marketing service provider    4. OBLIGATIONS OF THE PARTNER    4.1.General. The Partner ensures that the Personal Data of a Data Subject is Processed only in accordance with applicable laws, incl. GDPR, terms and conditions of the Contract and Contract for Processing of Personal Data.    4.2.Limitation of the purpose. The Partner ensures that Personal Data is Processed only for the purposes set out in clause 2 of this Contract for Processing of Personal Data. The Partner may Process the Personal Data of a Data Subject only if: (1) the Data Subject has given them a prior consent; (2) Processing is necessary for the establishment, exercise or defence of a legal claim; (3) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.    4.3.Accuracy and minimisation of Personal Data. The Partner ensures that Personal Data Processed by them are accurate. The Partner takes every reasonable step to ensure that Personal Data that are inaccurate, having regard to the purpose (purposes) for which they are Processed, are erased or rectified without delay. If the Partner learns that Personal Data are inaccurate or out of date, they shall notify Fudy thereof without undue delay. The Partner ensures that Personal Data are sufficient, relevant and necessary for achieving the purpose(s) of Processing Personal Data.    4.4.Security of Processing. The Partner is obligated to implement appropriate technical and organisational measures to ensure the security of Processing Personal Data. The measures implemented by the Partner shall, among others, ensure the protection of data against a security breach caused by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of data or access to Personal Data (Personal Data Breach). In assessing the appropriate level of security, the Parties take account of the level of technology, costs of implementation, nature, scope, context and purposes of Processing, and risks associated with Data Subjects.    4.5. In order to ensure the security of Personal Data, the Partner grants access to the Personal Data of Data Subjects only to the employees to whom access is essential for the performance of their duties. The Partner confirms that all employees to whom access to the Personal Data of Data Subjects has been granted are bound by a confidentiality obligation without a term.    4.6.Personal Data Breach. In the event of a breach, the Partner immediately takes measures to mitigate the possible consequences of the breach to Data Subjects. The Partner is also obligated to notify Fudy of circumstances related to the breach within 24 hours of the occurrence of the breach. If a Personal Data Breach is likely to pose a serious threat to the rights and freedoms of natural persons, the Partner also notifies Data Subjects of the respective breach. The Partner documents all Personal Data Breaches, incl. circumstances of Personal Data Breach, its impact and corrective actions taken, in the register of breaches. The Partner is obligated to send the notice to estonia-restaurants@fudy.eu.    4.7.Documentation and compliance. The Partner shall be able to prove the compliance of their activities with the Contract for Processing of Personal Data. In connection with the above, the Partner is obligated to document Personal Data processing operations carried out by them.    4.8. The Partner performs the obligations arising from this Contract for Processing of Personal Data with due diligence, caution, foresight and all the necessary skills expected of an experienced and competent data processor and complies with, at minimum, the generally accepted standards of the industry and the GDPR.    4.9. The Partner does not process Personal Data outside the European Economic Area.    4.10. The Partner is obligated to ensure that persons processing Personal Data on their behalf process Personal Data only pursuant to the Partner’s instructions.    5.NOTIFICATION OF DATA SUBJECTS AND THEIR RIGHTS    5.1. Fudy notifies Data Subjects of matters related to the Processing of Personal Data, incl. the relationship between Fudy and the Partner in the Processing of Personal Data, when they first log in to the Platform.    5.2. Both Parties ensure that the processing operations carried out by them with the Personal Data of a Data Subject are lawful.    5.3. The Partner is obligated to process queries and requests related to the Processing of Personal Data received from a Data Subject and to respond to queries and requests without undue delay, but no later than within one month after the receipt of the query or request. Information to be submitted to the Data Subject by the Partner shall be in an understandable and easily accessible format, using clear and simple language.    5.4. In particular, upon the respective request of a Data Subject, the Partner is obligated to:  5.4.1. provide a confirmation to the Data Subject on whether Personal Data concerning them are being Processed. If the Partner confirms the Processing of Personal Data to the Data Subject, they shall also submit the following information to the Data Subject: purposes of Processing, types of Personal Data, recipients or categories of recipients to whom Personal Data is transmitted, period of storage of Personal Data, information about the rights of the Data Subject;  5.4.2. rectify incorrect or incomplete data concerning the Data Subject;  5.4.3. erase Personal Data concerning the Data Subject if any are Processed or have been Processed in breach of clauses ensuring the rights of any third parties or if the Data Subject withdraws a consent which served as a basis for Processing.    5.5. The Partner understands and agrees that they do not have the right to Process the Personal Data of Data Subjects for direct marketing purposes, unless the Data Subject has given their explicit consent to this. If the Partner Processes Personal Data for direct marketing purposes, they shall terminate Processing for these purposes if the Data Subject objects to it.    6.LIABILITY    6.1. Both Parties are liable for damage caused to the other Party by unlawful activities, incl. for any breach of this Contract for Processing of Personal Data.    6.2. The Partner is liable for processors authorised by them as for their own actions.    6.3. The Partner undertakes to compensate Fudy in full for damage, incl. costs for legal assistance, arising directly or indirectly from a breach of the Contract for Processing of Personal Data or the requirements arising from the GDPR by the Partner.    6.4. The Partner promptly notifies Fudy if a claim or administrative fine related to the Processing of Personal Data has been filed against the Partner.    7.PERIOD OF VALIDITY AND TERMINATION OF THE CONTRACT FOR PROCESSING OF DATA    7.1. This Contract for Processing of Personal Data is an integral part of the Contract. If the Contract is terminated, this Contract for Processing of Personal Data shall also automatically expire. Neither party can unilaterally terminate this Contract for Processing of Personal Data.    8.OTHER PROVISIONS  8.1. If any term and condition or provision of the Contract for Processing of Personal Data proves to be unlawful or unenforceable (fully or partially) pursuant to applicable law, the Parties intend to remove this term and condition or provision (or part thereof) from the Contract for Processing of Personal Data so that the rest of the Contract for Processing of Personal Data remains unchanged. The Parties make every effort to replace this provision (or part thereof) with a valid provision, the content of which is the most similar to the original provision and its economic content.    8.2. The expiry of the Contract for Processing of Personal Data does not affect the validity of provisions which survive the expiry of the Contract in accordance with the Contract for Processing of Personal Data or the purpose of the provision.    9.APPLICABLE LAW AND JURISDICTION    9.1. The Contract for Processing of Personal Data, any disputes or claims arising from thereof or related to thereof (incl. noncontractual disputes or claims) are subject to the law of the Republic of Estonia, unless the law of another country applies pursuant to the principles of applicable law.    9.2. The Parties irrevocably agree that all disputes or claims arising from this Contract for Processing of Personal Data or that are related to this in any way are subject to the jurisdiction of Harju County Court.