Waitwhile's Data Processing Addendum

Updated 20 May 2025

1. BACKGROUND

1.1 This Data Processing Addendum including its annexes (the “DPA”) is entered into since Waitwhile, Inc. (“Processor”) will provide access to its queue and appointment management platform (“Platform”) to the “Customer” – identified in the applicable order form or services agreement – and therefore will Process Personal Data on behalf of the Customer. The Customer is therefore the “Controller” for the Personal Data (as defined below).

1.2 This DPA is an appendix to the relevant order form/services agreement (the “Agreement”) between Customer and Processor and forms an integral part of it and is executed upon the execution of the Agreement. The definitions used in the Agreement are also used in this DPA unless otherwise is explicitly stated in this DPA. The Platform enables the Customer to create and manage a virtual queue and booking system for its Guests (as defined in the Agreement). This DPA will prevail in case of a conflict with the provisions of the Agreement.

1.3 This DPA sets out the rights and obligations of both Customer and the Processor with regard to the Processing of Personal Data and stipulates the Customer’s instructions to the Processor.

1.4 The parties agree to comply with all obligations related to their corresponding role under Applicable Data Protection Laws (as defined below). 

1.5 The schedules attached to this DPA form an integral part of it. The DPA and the Annexes shall be retained in writing, including electronically, by both Parties.

2. DEFINITIONS

In this DPA, the following capitalised terms shall have the following meaning:

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “GDPR”).

UK GDPR - UK General Data Protection Regulation

CCPA - The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.

Adequacy Decision -
a) Means in case of Personal Data transferred from the EEA a decision under article 45 of the GDPR in which the EU Commission has determined that a non-EU/EEA country has an adequate level of data protection.
b) Means in case of Personal Data transferred from the UK an adequacy regulation of the UK Secretary of State in which it has been determined that the non-UK country has an adequate level of data protection.

Applicable Data Protection Law - Means all applicable EU or national laws or regulations relating to the Processing of Personal Data under the Agreement, including but not limited to the GDPR, CCPA and UK GDPR.

Data Subject - The identified or identifiable person to whom Personal Data relates.

Data Subject Request - Means any request made by Data Subjects to exercise their data protection rights under Applicable Data Protection Law.

EEA - The European Economic Area.

Personal Data - Any information relating to an identified or identifiable natural person and which the Processor is processing under the Agreement and this DPA on behalf of the Controller. 

Personal Data Breach - A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

Standard Contractual Clauses or SCCs - The Standard Contractual Clauses issued by the EU Commission as an Annex to the Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj) or any other decision by the EU Commission amending this Implementing Decision.

Sub-Processor - Means any processor engaged by Processor to Process Personal Data on the behalf of the Controller.

Supervisory Authority - Means an independent public authority that has jurisdiction to enforce the Party’s respective compliance with Applicable Data Protection laws, including such authorities established by a member state pursuant to Article 51 of the GDPR.

Unless otherwise stated in this DPA, the capitalised terms used in this DPA, such as “Controller”, “Data Protection Impact Assessment”, “Processor”, “Processing”, and “Process” shall have the same meaning as defined in Applicable Data Protection Law. For clarity it is noted that Processor includes “Service Providers” as defined in and governed by the CCPA.

3. THE PROCESSING OF PERSONAL DATA

3.1 Customer shall in its use of the Services Process Personal Data in accordance with Applicable Data Protection Laws including any applicable requirement to provide notice to Data Subjects of the use of Waitwhile as a Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws.

3.2 Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent relevant under Applicable Data Protection Law.

3.3 Customer has the right to issue instructions to the Processor regarding the Processing of Personal Data (the “Instructions”). The initial Instructions are appended to this DPA in the Description of the Processing Schedule. Upon Processor’s written acceptance the Customer may amend (including updating or replacing) the Instructions within the scope of the Services. Such acceptance shall not be unreasonably withheld.

3.4 Processor shall Process Personal Data in compliance with Applicable Data Protection Laws, this DPA and Customer’s documented Instructions as amended from time to time in accordance with clause 3.3 above for the purpose of providing the Services.

3.5 Processor shall immediately inform Customer if the Instructions, in the opinion of Processor, contravene Applicable Data Protection Laws. In such a case, Processor shall not Process Personal Data further until the Parties agree upon the lawfulness of the Instructions or the Instructions have been amended in accordance with clause 3.3 above. Processor shall not in this case be liable for a failure to Perform the Services due to the Instructions not being amended.

3.6 In the absence of instructions that Processor deems necessary to perform its obligations, Processor shall notify Customer thereof without undue delay and await instructions.

3.7 The subject matter, nature, purpose, duration of Processing by Processor on behalf of Customer, the types of Personal Data and categories of Data Subjects, and Customer’s initial Instructions are set out in the appended Description of Processing Schedule.

4. CONFIDENTIALITY AND LIMITATION OF ACCESS

4.1 Processor shall take appropriate steps to ensure that its personnel – including both employees and consultants – have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to the Personal Data Processed. However, this shall not prevent Processor from disclosing information as required by law.

4.2 Processor shall also ensure that such persons only access or otherwise Process Personal Data, on a need-to-know basis and only to the extent necessary to fulfil the obligations under this DPA and the Agreement.

5. SECURITY OF PROCESSING

5.1 Processor has implemented and shall maintain appropriate technical and organizational measures for the protection of Customer’s Personal Data in relation to the risk. Such measures shall correspond to requirements set in Applicable Data Protection Laws and take into account the state of the art and standards and requirements concerning the Processing of Personal Data.

5.2 The current technical and organisational measures that Processor has implemented to protect Customer’s Personal Data are detailed in Waitwhile’s Trust Center (https://trust.waitwhile.com/).

5.3 Both Parties agree that Processor’s current technical and organisational measures which Customer has reviewed are appropriate to the risk of the Processing and ensure the security of the Personal Data.

5.4 If Customer requires additional measures to be implemented by Processor the Customer shall notify Processor in writing. It is within Processor’s discretion whether to implement the requested measures or not and if implemented the cost shall be borne by Customer.

5.5 Processor will, independently from Controller, continuously evaluate the adequacy of the technical and organisational measures.

6. PERSONAL DATA BREACHES AND ASSISTANCE TO THE CONTROLLER

6.1 In case of a Personal Data Breach affecting the Personal Data, Processor will notify Customer without undue delay after Processor has become aware of the Personal Data Breach.

6.2 Customer is solely responsible to notify the relevant Supervisory Authority regarding the Personal Data Breach where required by Applicable Data Protection Laws.

7. SUB-PROCESSORS

7.1 Processor is provided with Customer’s general authorisation to engage Sub-Processors to Process Personal Data on Customer’s behalf for the provision of the Services. The Sub-Processors at each time engaged by Waitwhile (Processor) are set out in Waitwhile’s Sub-Processor List (https://waitwhile.com/assets/pdf/waitwhiles-sub-processor-list.pdf). The Customer hereby consents to the current Sub-Processors and their processing as described in said schedule.

7.2 Processor will inform Customer in writing of any addition or replacement of any Sub-Processor thirty (30) calendar days before such appointment. Customer has the right to object to the use of a new Sub-Processor within fifteen (15) days of notification. If Customer does not respond or otherwise act in relation to such notification such as continuing to use the Services, Customer will be deemed to have accepted the use of the new Sub-Processor.

7.3 If Customer objects to the use of a new Sub-Processor, the Parties shall discuss in good faith about alternative solutions to ensure the continuance of the provision of the Services under the Agreement. For clarity it is noted that if the Parties cannot agree on a solution and Customer still objects to the use of the new Sub-Processor the functionality of the Services might be affected without any right to compensation for the Customer.

7.4 Processor shall ensure that any Sub-Processor that Processes Personal Data on behalf of Customer complies with essentially the same data protection obligations as set out in this DPA and Applicable Data Protection Laws by way of a contract or other binding legal act under applicable law.

7.5 Processor remains liable for the acts and omissions of its Sub-Processors to the same extent as Processor would be liable under the Agreement, including this DPA, if the processing of the Personal Data in question would have been done by the Processor directly.

8. ASSISTANCE AND INFORMATION PROVIDED TO THE CONTROLLER

8.1 Processor, taking into account the nature of the Processing, shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to Data Subject Requests under Applicable Data Protection Laws.

8.2 To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Processor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request to the extent Customer is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, Customer shall compensate Processor for time spent and costs for the provision of such assistance.

8.3 Processor shall to the extent legally permitted promptly notify the Customer of any complaint or Data Subject Request that is made directly to Processor by the Data Subject or a Supervisory Authority relating to the Processing of the Customer’s Personal Data.

8.4 Processor will not respond to such Data Subject Requests or complaints or in any way appear to represent Customer in relation to such requests unless explicitly instructed to do so by Customer or required to do so by Applicable Data Protection Laws.

8.5 Processor shall make available to Customer relevant information to demonstrate compliance with this DPA and Applicable Data Protection Laws.

8.6 Upon Customer’s request, Processor shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligations under Applicable Data Protection Laws to carry out Data Protection Assessments related to the Customer’s use of the Services to the extent the information is not made available to Customer by Processor pursuant to clause 8.5 and the information is available to Processor.

8.7 Customer shall keep all information received under this clause confidential and may only use it for the reason it is received or requested and may not otherwise share it with a third party.

9. AUDITS AND INSPECTIONS

9.1 If the information provided by Processor under clause 8.5 is not sufficient to demonstrate compliance with this DPA and Applicable Data Protection Laws, Customer may request additional information regarding the processing of its Personal Data and may, if necessary, in light of the provided information conduct an on-site-audit of Processor’s Processing of the Personal Data. The scope of such information requests and on-site-audits shall be limited to the Processing of the Personal Data processed on Customer’s behalf under this DPA and Customer will not access any other information, including will not access any data pertaining to Processor’s other clients.

9.2 Customer shall provide written notice to Processor of such an on-site-audit at least sixty (60) calendar days in advance. Such audits shall take place during business days and hours and shall cause minimum disruption to Processor’s ordinary course of business and must not jeopardise the Processor’s compliance with confidentiality obligations in relation to other third parties or applicable law. Customer shall keep all information received under this clause confidential and may not disclose it to a third party and only use it to confirm Processor’s compliance with this DPA. In the event that Customer appoints a third party to carry out the audit, this party shall not be a competitor to Processor and must sign a confidentiality undertaking towards Processor.

9.3 Customer shall bear the costs and expenses for or relating to information requests and on-site-audits under this clause 9 including the cost of a potential third-party-auditor, including compensating Processor for time spent and costs incurred. However, if the request or audit shows material non-compliance with this DPA or Applicable Data Protection Laws by the Processor in relation to the processing of Customer’s Personal Data each party shall instead bear its own costs.

10. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

10.1 Processor is entitled to transfer (including access from) Personal Data to a Third Country (as defined below) as reasonably necessary for the provision of the Services.

10.2 A “Third Country” is in case of a transfer of Personal Data from the EEA any country outside the EEA and in case of a transfer of Personal Data from the UK any country outside the UK.

10.3 Where Processor is transferring Personal Data to a Third Country, such transfer shall take place in accordance with Chapter V of the GDPR and of the UK GDPR as applicable.

10.4 More specifically, the Processor shall ensure that a valid transfer mechanism is in place, such as an applicable Adequacy Decision or the applicable Standard Contractual Clauses including if necessary the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) or any replacing version thereof between the Processor and the Data Importer, pursuant to Article 46 of the GDPR or the UK GDPR as applicable.

10.5 It is noted that Processor is part of the EU-U.S. Data Privacy Framework including the UK Extension to the EU-US Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. The parties agree that transfers of Personal Data to the United States will be conducted under said frameworks and the adjoining Adequacy Decision.

10.6 In the event that an Adequacy Decision is invalidated or otherwise becomes unavailable the applicable Standard Contractual Clauses (normally Module Two: Transfer controller to processor) including the UK Addendum shall automatically be incorporated into this Agreement and govern the Processing of Personal Data between the Parties that was affected by the Adequacy Decision being invalidated/unavailable.

a) The Controller is the Data Exporter under the SCCs and the Processor is the Data Importer. Contact details to the Parties are set forth in the Agreement.

b) The data transfer is described in the Description of the Processing Schedule attached hereto.

c) The SCCs shall be governed by the same law as the Agreement. However, if the Agreement is not governed by the laws of an EEA State in case of a transfer of Personal Data from the EEA the SCCs shall be governed by the laws of Sweden and in case of a transfer from UK the SCCs shall be governed by the laws of England and Wales.

d) The current technical and organisational measures that Processor has implemented to protect the Customer’s Personal Data are detailed in Waitwhile’s Trust Center (https://trust.waitwhile.com/).

e) The terms of this DPA shall be deemed included in the SCCs so that this DPA continues to have effect between the Parties to the extent allowed under the applicable SCCs.

10.7 The location for the Sub-Processors’ processing of Personal Data is set forth in Waitwhile’s Sub-Processor List (https://waitwhile.com/assets/pdf/waitwhiles-sub-processor-list.pdf).

11. DATA DELETION AND TERM

11.1 The Personal Data will be retained or deleted in accordance with applicable retention policies for Customer Data and applicable law, such as in accordance with Waitwhile’s applicable policies or as specifically agreed in the Agreement or otherwise with Customer.

11.2 The DPA will be in force as long as Processor is processing Personal Data on behalf of Customer.

12. LIMITATION OF LIABILITY AND INDEMNIFICATION

12.1 Unless expressly provided, each Party shall only be liable for direct losses caused, and the total aggregate liability of each Party under the Agreement and the DPA shall be limited to the liability cap specified in the Agreement. 

12.2 Notwithstanding what is stated in this DPA or the Agreement, Processor shall be held harmless from all liability, if such liability arises as a result of the Customer’s instructions which are in breach of the provisions of the GDPR or other applicable laws.

13. ORDER OF PRECEDENCE

13.1 In the event of any discrepancy between this DPA, the Agreement, Applicable Data Protection Laws, and the Standard Contractual Clauses, the following order of precedence shall apply:

(a) Applicable Data Protection Laws

(b) Standard Contractual Clauses

(c) This DPA

(d) The Agreement

14. GOVERNING LAW

This DPA shall be governed by the same law as the Agreement unless otherwise is required by Applicable Data Protection Laws.

15. CHANGES

Changes to this DPA can be done in accordance with the (if any) provisions in the Agreement regarding changes to the Agreement or in accordance with any provision of this DPA that allows or requires changes.

DESCRIPTION OF THE PROCESSING SCHEDULE

1. DESCRIPTION OF THE PROCESSING

1.1 Nature of the Processing

The nature of the Processing is the performance of the Services pursuant to the Agreement.

1.2 Categories of Data Subjects affected

Customer’s Authorised Users and Guests that use the Services.

1.3 Categories of Personal Data Processed

Within the Services’ functionality the Customer in its sole discretion controls and determines the Personal Data submitted to the Services. This may include but is not limited to the following categories of Personal Data:

  • Contact details of Customer’s Guests; e.g. name, phone number and e-mail.
  • Contact details and Platform account information of Customer’s Authorized Users, such as name, e-mail, phone number, job title and ID and account credentials.
  • Other Personal Data relating to the Guests or the Authorized Users; e.g. preference data, localisation data and service usage data.

The use of the Services does not require any processing of special categories of personal data but Customer may submit special categories of personal data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.

1.4 Purpose of the Processing

Processor processes the Personal Data solely for the purpose of providing the Services as instructed by Customer that decides on the purpose of the processing. This includes enabling Customer’s use of the Services and facilitating its interaction with Guests. Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further specified by Customer in its use of the Services.

1.5 Duration of the Processing

The term of the DPA.

1.6 Transfers to Sub-Processors

The Sub-Processors will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services.
