Personal Data Processing Agreement

1. DEFINITIONS

Unless otherwise defined in this DPA, all terms in capital letters used in this DPA will have the meaning given to them in the Service Agreement. In the event of any conflict or inconsistency in terms of data protection safeguards between this DPA and the Service Agreement, this DPA will prevail.

Applicable Privacy/Data Protection Laws: Any applicable privacy or data protection laws regarding the safeguarding and lawful Processing of Personal Data; in the Kingdom of Saudi Arabia (“KSA”), the Personal Data Protection Regulations (“PDPIR”) and any other privacy/data protection legislation issued/to be issued by relevant KSA authorities and any guidance and / or codes of practice issued/to be issued by the National Data Management Office (“NDMO”) and other relevant authorities such as the Saudi Central Bank and the Communications, Space and Technology Commission.

Client Personal Data: Personal Data Processed by Foodics on behalf of Client, in connection with the provision of the Service.

Data Controller: in general, a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, pursuant to a legal basis.

Data Processor: in general, a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller pursuant to a legal basis.

Data Subject: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subjects’ Rights: the rights to which Data Subjects are entitled under the Applicable Privacy/Data Protection Laws, e.g., the right to request access to, rectification or erasure of Personal Data, to request the restriction of Processing concerning the Data Subject or to object to Processing, as well as the right to data portability.

DPA: this Data Processing Agreement, together with Annexes 1 to 3.

List of Sub-processors: a list of Sub-processors engaged by Foodics, under the terms of this DPA.

Personal Data: Any information, regardless of source or form whatsoever, which independently or when combine with other available information could lead to an identified or identifiable natural person including but not limited to first name and the last name, national identity ID numbers, address, phone number, bank account number, credit card number, health data, images or video of the person.

Process or Processing: any operation, or set of operations, which is performed on Personal Data, or on sets of Personal Data, whether or not by automated means, including collection, recording, transfer, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, unauthorised transfer or access to, Personal Data transmitted, stored or otherwise processed.

Special Categories of Personal Data: Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of natural persons, as well as genetic data, biometric data (when Processed for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person's sex life or sexual orientation, including data relating to criminal convictions and offences or related security measures.

Standard Contractual Clauses: the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

Sub-processor: a natural or legal person engaged by a Data Processor (and which is external to the Data Processor and relevant Data Controller) to assist it in (or which undertakes any part of) Processing Personal Data on behalf of the relevant Data Controller, and which has been duly approved by that Data Controller.

Supervisory Authority: any authority which has powers to monitor and enforce the application of the Applicable Privacy/Data Protection Laws regarding the Processing of Client Personal Data in the context of the provision of the Service.

2. DATA PROTECTION ROLES

The Parties agree that:

1. The Client is the Data Controller regarding Client Personal Data Processed by Foodics in the context of the provision of the Service;
2. Foodics is a Data Processor regarding the Client Personal Data Processed in the context of the provision of the Service; and
3. This DPA governs the relationship between the Parties in terms of respective duties and obligations concerning the Processing of Client Personal Data by the Data Processor in the context of the provision of the Service.

3. OBLIGATIONS OF THE DATA PROCESSOR

3.1 The Data Controller determines the purposes for which Client Personal Data is Processed in the context of the provision of the Service.

3.2 Aside from the obligations listed in Annexes 1 to 3 of this DPA, the Data Processor further commits to complying with the following obligations:

1. The Data Processor will Process Client Personal Data only as necessary to provide the Service and subject to the Data Controller’s written instructions provided in this DPA. For these purposes, the Service Agreement and this DPA set out the Data Controllers’ complete instructions to the Data Processor in relation to the Processing of Client Personal Data – any Processing required which is outside the scope of these instructions (including the rights and obligations laid down in the Service Agreement) will require prior written agreement between the Parties;
2. The Data Processor will notify the Data Controller in the event that it considers a specific written instruction received from the Data Controller to be in violation of the Applicable Privacy/Data Protection Laws. In no case will the Data Processor be under any obligation to perform a comprehensive legal examination of any written instructions provided by the Client;
3. Foodics, as Data Processor, will notify the Data Controller without undue delay of any contact, communication or correspondence it may receive from a Supervisory Authority, related to the Processing of Client Personal Data. Both Parties acknowledge and agree that the responsibility for replying to such contacts, communications or correspondence rests solely on the Data Controller, and not on the Data Processor;
4. The Data Processor has implemented adequate operational, technical and organisational measures (which are described in Annex 2 of this DPA), to protect the Client Personal Data (including Special Categories of Personal Data). The Parties acknowledge and agree that the Data Processor is specifically allowed to implement adequate alternative measures or use alternative locations to Process the Client Personal Data (subject to receipt of appropriate approval from the Supervisory Authority, if the processing of Personal Data has been shifted outside the Kingdom of Saudi Arabia), so long as the security level of the measures is maintained and is, in all respects, adequate;
5. In the event that the Data Processor discloses Client Personal Data to its personnel which is directly and exclusively involved in the provision of the Service, the Data Processor will ensure that such personnel:
   1. is committed to confidentiality or is under an appropriate statutory obligation of confidentiality;
   2. apply the administrative procedures and technical measures that document data processing stages and allow identifying the user responsible for each stage;and
   3. Processes Client Personal Data under the instructions of the Data Processor, and in compliance with the Data Processor’s obligations under this DPA.

4. OBLIGATIONS OF THE DATA CONTROLLER

4.1 The Data Controller acknowledges and agrees that, in order for the Data Processor to provide the Service, the Data Controller must provide the Client Personal Data to the Data Processor.

4.2 he Data Controller represents and warrants that:

1. It has an appropriate legal basis, under the Applicable Privacy/Data Protection Laws, to Process and disclose the Client Personal Data to the Data Processor, in the context of the provision of the Service; and
2. the provisions laid down in this DPA reflect the obligations that the Applicable Privacy/Data Protection Laws require Foodics to comply with, regarding the Processing of Client Personal Data in the context of the provision of the Service.

5. CONSENT TO SUB-PROCESSING

5.1 The Data Controller acknowledges, agrees and consents that, for the sole and exclusive purpose of providing the Service and subject always to compliance with the terms of this DPA, Client Personal Data may be Processed by the Data Processor or its Sub-processors, as identified in the List of Sub-processors

5.2 As such, the Data Controller hereby provides a general authorisation to the Data Processor for the engagement of Sub-processors, provided that the Data Processor:

1. provides the Data Controller, at the Data Controller’s request, with the List of Sub-processors, including the identity, location and role performed by the Sub-processors engaged to provide the Service;
2. notifies the Data Controller of any update to the List of Sub-processors, so that the Data Controller may object to the engagement of any specific Sub-processors, under the terms of Clause 5.3. below;
3. enters into written agreements with each Sub-processor, binding them to the same obligations concerning the Processing of Client Personal Data as the Data Processor is bound to under this DPA;
4. exercises appropriate due diligence in selecting Sub-processors and retains liability for Sub-processors’ compliance with their obligations under this DPA;
5. informs the Data Controller, to a reasonable extent, as to actions and measures the Data Processor and its Sub-processors have undertaken to comply, in practice, with the provisions set forth in this DPA, at the Data Controller’s request.

5.3 Requests to be provided with the List of Sub-processors should be sent by the Data Controller to the following address: [[email protected]]. Once the List of Sub-processors has been provided to the Data Controller, the Data Processor will send notifications to the Data Controller regarding the addition or replacement of specific Sub-processors included in the List of Sub-processors, for the purposes mentioned in paragraph (b) of Clause 5.2. above.

5.4 The Data Controller may be required to accept appropriate non-disclosure, confidentiality and non-solicitation obligations, without which the List of Sub-processors may be withheld by the Data Processor.

6. TRANSFER OF PERSONAL DATA AND INCORPORATION OF STANDARD CONTRACTUAL CLAUSES

6.1 Where necessary, under the Applicable Privacy/Data Protection Laws, to ensure the lawfulness of the sharing of Client Personal Data between Client and Foodics, Client and Foodics agree to comply with the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference. For these purposes:

1. The following specifications will apply to the main clauses of the Standard Contractual Clauses:
   1. Clause 7 of the Standard Contractual Clauses is applicable;
   2. Only the clauses of the Standard Contractual Clauses under MODULE TWO: Transfer controller to processor apply (to the exclusion of the other MODULES);
   3. Under Clause 9(a) of the Standard Contractual Clauses, Option 2 is applicable, under the terms of Clause 5 of this DPA;
   4. Under Clause 17 of the Standard Contractual Clauses, Option 2 is applicable. The laws of […] will apply;
2. Annexes 1 to 3 of this DPA will apply as Annexes I to III of the Standard Contractual Clauses.

6.2 The Data Controller acknowledges that, where necessary to ensure the lawfulness of the transfer under the Applicable Privacy/Data Protection Laws of Client Personal Data from the Data Processor to Sub-processors under Clause 5 of this DPA, the Data Processor will enter into Standard Contractual Clauses, or any other appropriate transfer tool under the Applicable Privacy/Data Protection Laws, with the relevant Sub-processor(s). The Data Controller may request a copy of these Standard Contractual Clauses, or other transfer tools, from the Data Processor. To the extent necessary to protect business secrets or other confidential information, including personal data, the Data Processor may redact the text of any copy shared with the Data Controller. Personal Data may be transferred to the Data Importer(s) from time to time, provided the Data Exporter has requisite approval from the Supervisory Authority for such transfers outside the Kingdom of Saudi Arabia and consent of the data subjects.

6.3 Nothing in this DPA shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses. However, in the event of conflict between the Standard Contractual Clauses and the provisions of the Applicable Privacy/Data Protection Law, the provisions of the Applicable Privacy/Data Protection Law would prevail over the Standard Contractual Clauses.

6.4 The Data Controller acknowledges that it is the Data Controller’s responsibility to comply with any additional applicable duties and obligations required in order to make the transfer of Personal Data to the Data Processors and Sub-processors lawful, under the Applicable Privacy/Data Protection Laws. The Data Processor will provide reasonable assistance to the Data Controller in taking the steps necessary to achieve this compliance, under the terms of Clause 7.

7. COOPERATION AND ACCOUNTABILITY OBLIGATIONS

7.1 The Parties will cooperate in good faith, in order to ensure compliance with the provisions of this DPA, including, but not limited to, assuring the correct and timely exercise of Data Subjects’ Rights, managing incidents in the event of a security / Personal Data Breach so as to mitigate their possible adverse effects, etc.

7.2 The Parties will cooperate in good faith, in order to make available to each other, as well as to Supervisory Authorities, all information necessary to demonstrate compliance with the Applicable Privacy/Data Protection Laws.

7.3 The Data Processor will provide the Data Controller with all information necessary in order to demonstrate the Data Processor’s compliance with the obligations set forth in the Applicable Privacy/Data Protection Laws. This information will be provided upon request, in a manner which allows the Data Processor to safeguard its interests in preserving confidentiality of its trade secrets, know-how and other sensitive business information which is not directly related to the Processing of Client Personal Data, including Personal Data Processed on the Data Processor’s own behalf, or on behalf of third parties.

7.4 Where the Data Controller is legally required, under the Applicable Privacy/Data Protection Laws, to obtain information from the Data Processor on the Processing of Client Personal Data, and this requirement cannot reasonably or legally be satisfied by other means, the Parties will agree on terms under which the Data Controller, or a designated auditor, may carry out an audit of the Data Processor’s facilities and systems used in the Processing of Client Personal Data (covering, among other matters, the scope of the audit, the identity of the auditors and the allocation of audit costs).

8. DATA SUBJECT RIGHTS

8.1 Taking into account the nature of the Processing, the Data Processor will assist the Data Controller in the fulfilment of the Data Controller’s obligation to respond to requests to exercise Data Subjects’ Rights, by means of appropriate technical and organisational measures.

8.2 The Data Processor will cooperate with and assist the Data Controller, to a reasonable extent, and provide such information as may reasonably be required to respond to Data Subjects’ Rights requests, or otherwise to enable the Data Controller to comply with its duties related to Data Subjects' Rights under the Applicable Privacy/Data Protection Laws. The Data Controller acknowledges and agrees that, in the event that this cooperation and assistance requires a significant amount of resources on the part of the Data Processor, this assistance will be chargeable to the Data Controller, upon prior notice and with the Data Controller’s agreement.

9. DATA RETURN AND DELETION

9.1 The Data Processor will, at no cost to the Data Controller, return or destroy the Client Personal Data at the Data Controller’s request in accordance with the provisions of the applicable law of the respective countries. Furthermore, upon the expiration or earlier termination of this DPA, the Data Processor will, at no cost to the Data Controller, return or destroy the Client Personal Data to the Data Controller, subject to a written request of the Data Controller with reasonable advance notice in accordance with the provisions of the applicable law of the respective countries. This will not apply where mandatory applicable laws (including, but not limited to, the Applicable Privacy/Data Protection Laws) or binding orders from law enforcement authorities (including, but not limited to, the Supervisory Authority), prevent the Data Processor from doing so.

9.2 Without prejudice to Clause 9.1., the Data Processor will comply with requests from the Data Controller to return the Client Personal Data to the extent that they are feasible, subject to commercially reasonable technical and organisational constraints, commensurate with the volume, categories and amount of Client Personal Data Processed by the Data Processor.

9.3 Client Personal Data which is returned following the Data Processor’s standard internal procedure will be returned at no cost to the Client; if an alternative procedure is followed, at the Client’s request, it will be returned at a reasonable cost.

9.4 Without prejudice to Clause 9.1. and Clause 9.5., If the Data Controller chooses to have the Client Personal Data deleted, the Data Processor will provide a statement assuring such deletion to the Data Controller.

9.5 Subject to the Applicable Privacy/Data Protection Laws and with the prior consent from the Data Subjects, the Data Processor may retain Client Personal Data which is stored in accordance with regular computer back-up operations, in compliance with the Data Processor’s disaster recovery and business continuity protocols (see Clause 12), provided that the Data Processor may not, and must not allow its Sub-processors to, actively or intentionally Process such Client Personal Data for any purpose other than to provide the Service.

10. DATA TRANSMISSIONS

10.1 Personal Data which is transmitted via the Internet by the Data Processor in the context of the provision of the Service will be reasonably encrypted. The Parties acknowledge, however, that the security of transmissions over the Internet cannot be guaranteed. The Data Processor will not be responsible for ensuring the Data Controller’s access to the Internet, nor for any interception or interruption of any communications made over the Internet, or for changes to or losses of Personal Data transmitted via the Internet.

10.2 If a Personal Data Breach is suspected, the Data Processor may suspend the Data Controller’s use of the Service via the Internet immediately, pending an investigation, provided that the Data Processor notifies the Data Controller of this suspension as soon as reasonably possible, takes all reasonable measures to promptly restore use of the Service via the Internet and cooperates with the Data Controller in order to continue providing the Service via alternative communication channels.

10.3 The Data Controller must take all adequate and reasonable actions necessary to maintain the confidentiality of the usernames and passwords used by employees (or other collaborators) of the Data Controller in the context of the provision of the Service. The Data Controller will be liable for the consequences of any misuse of the Service by any of its employees (or other collaborators).

11. PERSONAL DATA BREACH

11.1 The Data Controller acknowledges and agrees that the Data Processor will not be held responsible for any Personal Data Breaches which are not imputable to the Data Processor’s negligence or wilful misconduct.

11.2 If the Data Processor becomes aware of a Personal Data Breach, it will:

1. take appropriate actions to contain and mitigate the Personal Data Breach, including notifying the Data Controller as soon as possible, but in no event later than twenty-four (24) hours after the Data Processor becomes aware of the Personal Data Breach, in order to enable the Data Controller to expeditiously implement its response programme. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with the Applicable Privacy/Data Protection Laws or to protect its own rights and interests;
2. cooperate with the Data Controller to investigate the nature, categories and approximate number of affected Data Subjects, the categories and approximate number of affected Personal Data records and the likely consequences of the Personal Data Breach, in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the provision of the Service under this DPA;
3. where the Applicable Privacy/Data Protection Laws require that the Personal Data Breach be notified to relevant Supervisory Authorities and affected Data Subjects, defer and take instructions from Data Controller, to the extent in which Client Personal Data is involved in the Personal Data Breach – the Data Controller is exclusively entitled to determine the measures to be taken in order to comply with the Applicable Privacy/Data Protection Laws or to remediate any risk, including, without limitation:
   1. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others, as may be required by the Applicable Privacy/Data Protection Laws, or at the Data Controller's discretion; and
   2. the contents of such notice, whether any type of remediation may be offered to affected Data Subjects under the Client’s responsibility, and the nature and extent of any such remediation.

12. DISASTER RECOVERY AND BUSINESS CONTINUIT

The Data Processor must maintain commercially reasonable disaster recovery and business continuity protocols and must provide a summary of these protocols to the Data Controller upon request. The Data Processor agrees to comply with these protocols, and may amend them at any time, provided that its disaster recovery capacity is not lowered by any amendment to lesser than the effective disaster recovery capacity as existing on the date on which this DPA is entered into.

13. LIABILITY

Foodics’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the terms of the Service Agreement.