Effective: March 1, 2023
This Merchant Data Processing Addendum (the “Addendum”) is entered into between Toast, Inc., including its subsidiaries and affiliates (referred to generally as “Toast”) and the Merchant and forms part of the Merchant Agreement(s) entered into between Toast and Merchant (collectively the “Agreement”) and applies where either of the Parties process Personal Information under the Agreement.
1.1 Toast provides services to Merchant under the Agreement that may involve the processing of Personal Information.
1.2 Both Toast and Merchant (each a “Party” or together the “Parties”) agree to comply in good faith with the terms set out in this Addendum. The Parties wish to set out their mutual obligations in relation to the Processing of Personal Information in this Addendum.
1.3 If any language in this Addendum conflicts with the Agreement, this Addendum shall control.
Unless otherwise set out below, each capitalized term in this Addendum shall have the meaning set out in the Agreement.
2.1 “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to a third country in accordance with Applicable Data Protection Laws, including, but not limited to, programs both approved and operated by the U.S. Department of Commerce and approved by the European Commission or other applicable governmental authority or entity.
2.2 “Applicable Data Protection Laws” means all applicable federal, state, provincial, regional and local laws, directives, regulations, and rules imposed by any government, agency or authority in relation to the processing and security of Personal Information, including, but not limited to, the European Union’s General Data Protection Regulation (Regulation 2016/679) pertaining to the protection of individuals within the European Economic Area (“EU GDPR”), the EU Directive on Privacy and Electronic Communications 2002/58/EC (“PECR”), the data protection law of the United Kingdom, including but not limited to the EU GDPR as incorporated into the United Kingdom, the Data Protection Act 2018 and any additional legislation (“UK GDPR”), Switzerland’s Federal Data Protection Act of 19 June 1992, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), as well as any applicable provincial legislation, the CCPA, and the VCDPA as any of the foregoing may be amended, replaced or superseded.
2.3 “CCPA” means, as applicable, the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), including as amended by the California Privacy Rights Act of 2020; and any subsequent replacements to the foregoing laws. All implementing regulations forming part of the laws above shall also be included in this definition.
2.4 “Controller” means the Party that alone or jointly with others determines the purposes and means of the Processing of Personal Information. For the purposes of this Agreement, “Controller” includes similarly defined terms under Applicable Data Protection Laws, including, but not limited to, a “business”.
2.5 “GDPR” means, as applicable, the EU GDPR and the UK GDPR.
2.6 “Individual” has the same meaning as “consumer” or “data subject” under Applicable Data Protection Laws.
2.7 “Individual Rights Request” means the exercise of an individual’s right over their Personal Information (for example deletion, access or rectification) and shall be understood to have the same meaning as a “data subject rights request”, “a consumer right”, “a personal data rights request”, and similar terms as may be defined under Applicable Data Protection Laws.
2.8 “Sale” or “Sell” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.9 “Share” or “Sharing” has the same meaning as such term is defined in the CCPA, any subsequent or similar legislation or other Applicable Data Protection Laws as enacted or amended from time to time.
2.10 “Standard Contractual Clauses” or “SCCs” means (i) in respect of EU Personal Information, the Standard Contractual Clauses implemented by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the EU GDPR, as updated or replaced from time to time (“EU Standard Contractual Clauses”) and (ii) in respect of UK Personal Information, means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office (ICO) in accordance with the UK GDPR and the Data Protection Act 2018, as amended or replaced (“UK Addendum”).
2.11 “Sub-processor” means any additional authorised Processor engaged by the original Processor that agrees to receive any Personal Information from the Controller as part of the Services.
2.12 “Third Party” means any Controller, Processor or Sub-processor engaged by a Party that agrees to receive Personal Information as part of the Services.
2.13 “VCDPA” means, as applicable, Virginia’s Consumer Data Protection Act 53.1 et seq. (2021) as amended or replaced. All implementing regulations forming part of the laws above shall also be included in this definition.
3. CONTROLLER OBLIGATIONS
To the extent Toast and Merchant Process Personal Information as Controllers as part of the Agreement, the Parties agree that:
3.1 Independent controllers: Each Party shall act as independent Controller and no “Joint Controller” relationship shall exist under the Applicable Data Protection Laws.
3.2 Compliance with law: Both Parties agree to comply with Applicable Data Protection Laws and shall not, by any act or omission, put the other Party in breach of those Laws.
3.3 Compliance obligations: Each Party is obligated to manage its respective compliance obligations pursuant to Applicable Data Protection Laws and to put in place any applicable controls or governance, which may include (i) the provision and maintenance of a privacy statement or similar notice for each Party’s respective Processing; (ii) providing written notices to individuals or obtaining any required consents (including consents for secondary uses) before any initial or subsequent use or disclosure of Personal Information; (iii) fulfilment and management of opt-outs and individual rights requests; (iv) compliance with any applicable direct marketing or spam legislation; and (v) the oversight of Processing operations involving Personal Information.
3.4 Individual Rights Requests: Each Party shall comply with Individual Rights Requests under Applicable Data Protection Laws (including the right to withdraw consent, of access, restriction, rectification and erasure) in relation to Personal Information. The Parties shall reasonably cooperate with each other to respond to such requests.
3.5 No Sales or Sharing: Each Party represents and warrants that, to the best of its knowledge, the transfer of Personal Information under the Agreement between the Parties does not constitute a “Sale” or “Sharing” under the Applicable Data Protection Laws. The Parties agree that any transfers of Personal Information to Third Parties, whether made directly by a Party or made at the request of the other Party will not constitute a “Sale” or “Sharing”.
3.6 Specifically with regard to any Personal Information Merchant uploads or discloses to Toast, Merchant represents and warrants that it has provided the appropriate notice to Individuals and collected any required consent in compliance with Section 3.3 of this Addendum, and has a lawful basis for processing and disclosing the Personal Information with Toast in connection with the Services.
3.7 Where Merchant directs that Toast disclose Personal Information to any Third Parties (including partners), Merchant agrees that such disclosure is in line with its obligations under Section 3.3 of this Addendum and that Merchant is responsible for any downstream compliance.
3.8 Merchant acknowledges that by using the Services, the Personal Information of Merchant, Merchant Employees and Customers will be processed in accordance with Toast’s Privacy Statement found at https://pos.toasttab.com/privacy. Merchant and its Employees are encouraged to read the Privacy Statement carefully, as it forms a binding part of this Agreement and contains important information about individuals’ rights and how Toast manages Personal Information. Merchant shall make the Privacy Statement available to its Employees and Customers (as appropriate) in such manner as Toast may reasonably request from time to time.