Site logo
    Add a listing
    Add a listing

    Data Processing Agreement

    Our SCC: [ https://roastersmap.ca/eea-standard-contractual-clauses ]

    Last updated on: February 05, 2025

    This Data Processing Agreement (“Agreement”) forms a legally binding contract between you and Roasters Map, Canada (registered in Toronto, Ontario, Canada) (“Roasters Map,” “we,” “us,” or “our”) and applies to the extent that Roasters Map processes Customer Personal Data on your behalf when you are the Data Controller.

    WHEREAS:

    (A) The Company acts as a Data Controller.

    (B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to Roasters Map as a Data Processor.

    (C) The Parties seek to implement a data processing agreement that complies with the requirements of the applicable legal framework in relation to data processing, including, as applicable, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”), along with any other applicable data protection laws.

    (D) The Parties wish to set forth their rights and obligations with respect to such processing.

    IT IS AGREED AS FOLLOWS:

    1. Definitions and Interpretation

    1.1 Unless otherwise defined herein, capitalized terms used in this Agreement shall have the following meanings:

    1.1.1 “Agreement” means this Data Processing Agreement and all Schedules attached hereto.

    1.1.2 “Company Personal Data” means any Personal Data processed by Roasters Map on behalf of the Company pursuant to or in connection with the Principal Agreement.

    1.1.3 “Contracted Processor” means any Subprocessor appointed by Roasters Map.

    1.1.4 “Data Protection Laws” means all applicable data protection or privacy laws, including without limitation the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the GDPR and other EU Data Protection Laws, and any similar or successor laws in any jurisdiction.

    1.1.5 “EEA” means the European Economic Area.

    1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC as transposed into domestic legislation and the GDPR, including any amendments, replacements, or supersessions.

    1.1.7 “GDPR” means the EU General Data Protection Regulation 2016/679.

    1.1.8 “Data Transfer” means:

     (a) a transfer of Company Personal Data from the Company to Roasters Map; or

     (b) an onward transfer of Company Personal Data from Roasters Map to a Subprocessor, or between two establishments of Roasters Map, where such transfer would otherwise be restricted by Data Protection Laws.

    1.1.9 “Services” means the coffee roasters listing and marketplace services provided by Roasters Map.

    1.1.10 “Subprocessor” means any person or entity appointed by or on behalf of Roasters Map to process Personal Data on behalf of the Company in connection with the Services.

    1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR, PIPEDA, and other applicable data protection laws.

    2. Processing of Company Personal Data

    2.1 Roasters Map, as the Processor, shall:

    2.1.1 Comply with all applicable Data Protection Laws in the processing of Company Personal Data; and

    2.1.2 Process Company Personal Data solely on the documented instructions provided by the Company.

    2.2 The Company instructs Roasters Map to process Company Personal Data in accordance with the terms of this Agreement.

    3. Processor Personnel

    Roasters Map shall take reasonable steps to ensure that any employee, agent, or contractor (including any Subprocessor) who has access to Company Personal Data:

    •Has a legitimate need to access such data only for the purposes of fulfilling the Services; and

    •Is subject to confidentiality obligations or statutory duties of confidentiality under applicable law.

    4. Security

    4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Roasters Map shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures shall include, but are not limited to, the measures referred to in Article 32(1) of the GDPR and any equivalent provisions under PIPEDA.

    4.2 In assessing the appropriate level of security, Roasters Map shall consider, in particular, the risks that are presented by Processing, including the risk of a Personal Data Breach.

    5. Subprocessing

    5.1 Roasters Map shall not engage any Subprocessor or disclose any Company Personal Data to any Subprocessor without the prior written consent of the Company, except where such engagement is required or authorized by this Agreement.

    6. Data Subject Rights

    6.1 Roasters Map shall assist the Company, insofar as possible, in fulfilling its obligations to respond to requests from Data Subjects under applicable Data Protection Laws.

    6.2 Roasters Map shall:

    6.2.1 Promptly notify the Company if it receives any request from a Data Subject regarding Company Personal Data; and

    6.2.2 Ensure that it does not respond to such requests except on the documented instructions of the Company or as required by law, in which case Roasters Map shall, to the extent permitted, inform the Company of such legal requirement prior to responding.

    7. Personal Data Breach

    7.1 Roasters Map shall notify the Company without undue delay upon becoming aware of any Personal Data Breach affecting Company Personal Data, providing sufficient details to allow the Company to meet any reporting or notification obligations under applicable Data Protection Laws.

    7.2 Roasters Map shall cooperate with the Company and take reasonable commercial steps as directed to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

    8. Data Protection Impact Assessments and Prior Consultation

    Roasters Map shall provide reasonable assistance to the Company with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as may be required under the GDPR, PIPEDA, or any other applicable Data Protection Law.

    9. Deletion or Return of Company Personal Data

    9.1 Subject to applicable law, upon termination of the Services or upon the Company’s request, Roasters Map shall, within 10 business days from the date of termination (the “Cessation Date”), delete or return all Company Personal Data, and delete any existing copies unless retention is required by applicable law.

    10. Audit Rights

    10.1 Roasters Map shall make available to the Company all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company, in relation to the processing of Company Personal Data by Roasters Map or any Subprocessor.

    10.2 The Company’s audit rights shall be exercised in a manner that minimizes disruption to Roasters Map’s operations and complies with applicable Data Protection Laws.

    11. Data Transfer

    11.1 Roasters Map shall not transfer or authorize the transfer of Company Personal Data to countries outside the EEA or Canada without the prior written consent of the Company. If such a transfer is necessary, the Parties shall ensure that appropriate safeguards are in place, such as the use of EU-approved standard contractual clauses or other mechanisms acceptable under applicable Data Protection Laws.

    12. General Terms

    12.1 Confidentiality:

    Each Party shall keep this Agreement and any Confidential Information received in connection with this Agreement strictly confidential and shall not disclose such information without the prior written consent of the other Party, except as required by law.

    12.2 Notices:

    All notices and communications under this Agreement must be in writing and delivered personally, sent by post, or sent by email to the addresses specified in this Agreement or such other addresses as may be notified by the Parties from time to time.

    13. Governing Law and Jurisdiction

    13.1 This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada.

    13.2 Any disputes arising in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts in Toronto, Ontario.