Revised date: 10.11.2023
This DPA applies between Customer and Liquid Barcodes Inc, as part of the Agreement between the Parties regarding supply of digital marketing services (the “Agreement”) as specified in the Order Form signed by the Parties. This DPA shall form an integral part of the Agreement. If the Agreement includes more than one Customer entity, for example all entities in the Customer’s company group, the term “Customer” used herein shall include all such entities.
The purpose of this DPA is to ensure the appropriate Processing of Consumers’ Personal Data in accordance with applicable United States federal privacy laws and state comprehensive privacy laws (collectively referred to as “US Privacy Laws”), including the California Consumer Privacy Act (as amended from time to time and including any implementing regulations) and other similar laws in effect now or in the future. The provisions of this DPA shall only apply to the extent that the Processing of Personal Data is subject to US Privacy Laws.
The capitalized terms used in this DPA, including “Consumer,” “Personal Data,” “Processing,” “Controller,” and “Processor,” shall have the same meanings as the same or functionally similar terms in the relevant US Privacy Law. For clarity, under the California Consumer Privacy Act, (i) “Personal Data” shall have the same meaning as “Personal Information”; (ii) “Controller” shall have the same meaning as “Business”; and (iii) “Processor” shall have the same meaning as “Service Provider.”
Customer is the Controller of all Personal Data being Processed under the Agreement and is responsible to ensure that all Processing is compliant with any applicable US Privacy Laws. Customer owns and formally controls Customer’s Personal Data being Processed by Liquid Barcodes and is responsible for ensuring that Personal Data may be Processed in compliance with US Privacy Laws by Liquid Barcodes, including by providing any required notices to Customer’s clientele, obtaining any necessary consents, offering any appropriate Processing opt outs and maintaining the accuracy and integrity of the Personal Data.
Liquid Barcodes is a Processor for Customer and shall only Process Customer’s Personal Data to perform its obligations under the Agreement and pursuant to documented instructions from Customer. Liquid Barcodes shall take such necessary actions as reasonably required to comply with Customer’s instructions regarding Processing of its Personal Data. Liquid Barcodes shall immediately inform Customer if Liquid Barcodes considers that an instruction from Customer would violate US Privacy Laws or cause Liquid Barcodes disproportionate costs or inconvenience.
The Parties agree that they shall at all times comply with their obligations under US Privacy Laws. Upon written request from Customer, Liquid Barcodes will provide evidence of its compliance with US Privacy Laws and this DPA. Liquid Barcodes will promptly notify Customer if Liquid Barcodes believes that it can no longer comply with US Privacy Laws. Upon such notice, Customer may suspend Personal Data Processing until the issue can be resolved by the Parties.
Unless otherwise permitted by US Privacy Laws, Liquid Barcodes shall limit its Processing to the following:
a) Purpose of the Processing: Processing shall be performed as necessary to operate and manage digital marketing on behalf of Customer using Rewards, Subscriptions, C-StorePay, Coupon shop and other products from the Liquid Barcodes product portfolio.
b) Nature and Duration of the Processing: Personal Data Processing is primarily related to creating, distributing and redeeming coupons, subscriptions and payments at and/or in store; and offering games, surveys and other marketing content to Customer’s clientele. Additionally, Personal Data may be analyzed during and after such campaigns. Personal Data will be stored for up to three (3) years for Customer’s clientele who continue to use their accounts and permit the maintenance of the Personal Data (for example, through consenting or by not opting out). Personal Data of Customer’s clientele will automatically be deleted after twelve (12) months of account inactivity. Where Personal Data is Processed to fulfill a Consumer request, such Personal Data will be stored for the minimum time required for the Liquid Barcodes system to be operational, up to a maximum of three (3) months following the expiration of any coupons or other content.
c) Categories of Personal Data: Please see specifications in the Order Form. No Sensitive Personal Data shall be Processed by Liquid Barcodes, and Customer shall not provide Sensitive Personal Data to Liquid Barcodes for Processing.
d) Categories of Consumers: Please see specifications in the Order Form.
Liquid Barcodes is responsible for maintaining the confidentiality of the Personal Data and ensuring that its personnel only have access to Customer’s Personal Data on a need-to-know basis and are legally obligated to keep such Personal Data confidential.
With respect to Personal Data Processing under this DPA, Liquid Barcodes will, upon Customer’s written request, provide Customer with necessary information and reasonable assistance to allow Customer to fulfill its obligations under US Privacy Laws, including reacting to security incidents involving Personal Data, carrying out privacy assessments and responding to privacy rights requests from Consumers. Liquid Barcodes will assist Customer to the extent possible and when reasonably instructed to fulfill valid Consumer privacy rights requests, including by correcting, deleting or restricting its Processing of Personal Data and informing subcontractors of Customer’s instructions with respect to the Consumer’s Personal Data.
Customer agrees to the use of Liquid Barcodes existing subcontractors, as provided at Appendix 1 to this DPA. Unless Customer reasonably objects in writing, Liquid Barcodes may, after providing notice to Customer, engage a new subcontractor to perform its obligations to Customer under the Agreement. If Customer objects, the Parties shall work together in good faith to find a suitable solution to address Customer’s reasons for objection. If no agreement can be reached, Customer and/or Liquid Barcodes have the right to terminate the Agreement with immediate effect and without penalty.
When using a subcontractor that will Process Customer’s Personal Data, Liquid Barcodes shall ensure that the subcontractor adheres to substantially the same Personal Data Processing obligations as those set out herein by way of a written data processing agreement.
Liquid Barcodes shall implement and maintain appropriate technical and organizational measures to protect Customer’s Personal Data against unauthorized or unlawful access; ensure that Processing by Liquid Barcodes meets the requirements of US Privacy Laws; and protect the rights of Consumers.
Liquid Barcodes shall immediately notify Customer in writing if any material deviations to this DPA occur, unless such deviation is unlikely to have an adverse effect on Customer or result in risk of harm to Consumers (a “Personal Data Breach”). Liquid Barcodes shall investigate any Personal Data Breach, identify its causes, take appropriate measures to rectify the Personal Data Breach and prevent recurrence and assist Customer with required notifications.
Customer may conduct an audit or assessment of Liquid Barcodes’s Processing of Customer’s Personal Data if needed to demonstrate compliance with this DPA. Such audit or assessment, which shall be at the cost of the Customer, may be performed no more than once per Agreement year by an independent professional auditor appointed and engaged by Customer. Both Parties shall receive a copy of the resulting report.
Liquid Barcodes will promptly provide the auditor with necessary information and other reasonable assistance in connection with any audit. The audit may include review of systems, operations, routines and security measures related to Personal Data Processing, including an on-site inspection, but it shall not include access to trade secrets or proprietary information.
Customer shall cover all costs for the auditor, including Liquid Barcodes’s direct expenses. Customer shall (i) ensure that the auditor is subject to appropriate confidentiality obligations; (ii) be liable to Liquid Barcodes for any breach of the auditor’s confidentiality obligations and/or other harms during the performance of the audit or assessment, and (iii) ensure that the audit or assessment is performed without causing interruptions to the regular operations of Liquid Barcodes and/or its subcontractors.
If the audit reveals material security failures or other material non-compliance with this DPA, Liquid Barcodes shall (and, if relevant, ensure that the relevant subcontractor shall) rectify such inadequacy or non-compliance within reasonable time and at its own expense.
To the extent Customer’s Personal Data is subject to the California Consumer Privacy Act (“CCPA”) and Customer notifies Liquid Barcodes that certain Personal Data is subject to the obligations of the CCPA, Liquid Barcodes will be Customer’s Service Provider, as defined in the CCPA, and with respect to such Personal Data will not:
a) retain, use or disclose Personal Data outside the direct relationship with Customer;
b) Process Personal Data for a purpose incompatible with the purposes identified in this Agreement, especially Section 3 of this DPA;
c) “sell” or “share” Personal Data, as those terms are defined in the CCPA; or
d) combine Personal Data received from or on behalf of Customer with Personal Data obtained from any other source.
Liquid Barcodes shall indemnify Customer for reasonable direct damages, up to the limit as defined in the Liquid Barcodes General Terms and Conditions, arising from third-party claims of Consumers or relevant regulatory authorities to the extent that such damages are a direct result of Liquid Barcodes’s Processing of Customer’s Personal Data hereunder in violation of one or more US Privacy Laws (except when the Processing has been approved by or carried out pursuant to instructions of Customer). Liquid Barcodes shall not, in any event, be liable for any indirect damages, including loss of revenue, contracts, customers or businesses, consequential damages or anticipated savings or revenues.
This DPA shall remain in force for as long as Liquid Barcodes is Processing Personal Data on behalf of Customer pursuant to the Agreement, unless superseded by a new data processing agreement.
Upon termination or expiry of the Agreement and/or upon Customer’s request, Liquid Barcodes shall, without undue delay, destroy, delete or return to Customer, Customer’s Personal Data Processed by Liquid Barcodes pursuant to the Agreement, except such Personal Data that Liquid Barcodes may be required to store pursuant to an applicable legal obligation. Any confidentiality obligations shall survive the expiry or termination of the Agreement. This DPA shall remain in effect as to any Personal Data maintain by Liquid Barcodes following the expiry or termination of the Agreement.
Any communications required under this DPA shall be directed to, in the case of Liquid Barcodes, the Data Protection Officer and, in the case of Customer, to the contact person specified in the Order Form, or to other persons specifically designated by either party.