Table of Contents

Terms & Conditions

Part I Terms of use for the DISH Platform

1 Scope

1.1 These DISH General Terms of Use (“Terms of Use” or “User Agreement”) apply to the use of the services, benefits and content offered by DISH Digital GmbH, Metro-Straße 1, 40235 Düsseldorf, Germany (“DISH”) via the websitewww.DISH.co and via mobile applications (“DISH Platform”).

1.2 DISH provides all services of the DISH Platform to users registered under this clause 2 (“Client”) solely on the basis of these Terms of Use. Deviating terms and conditions of the Client shall not apply even if DISH does not expressly reject them and/or provides services and/or performances without reservation despite knowledge of the Client's conflicting and/or deviating terms and conditions.

1.3 The Part III provisions set forth in these Terms of Use shall only apply to the extent that the Client makes use of the respective services pursuant to clause 3.2. These Terms of Use shall also apply to the contractual relationship between the Client and DISH to the extent Client acquires the right to use services of the DISH Platform from a reseller approved by DISH (“Reseller”).

1.4 The use of the DISH Platform by non-registered users (“Visitors”) does not constitute a User Agreement. However, visitors' attention is drawn to the statutory provisions and clauses 3.6, 3.8, 8.5 and 10.2

2 Registration; Agreement’s execution

2.1 The use of certain functions of the DISH Platform requires prior registration as a Client.

2.2 Registration on the DISH Platform as a Client is only open to entrepreneurs (§ 14 of the German Civil Code (BGB)) who are active as such in the gastronomy and food industry. Natural persons (sole proprietors) must be of full age and have unlimited legal capacity. DISH may also grant access to entrepreneurs from other industries as well as other legal entities or associations of persons, provided that DISH deems this to be compatible with the purpose of the DISH Platform.

2.3 Registration requires the opening of a client account on the DISH Platform and the provision of the data requested as part of the registration process (including company and branch addresses). The Client assures to provide correct and complete information during the registration process.

2.4 DISH may make a Client's registration subject to confirmation by DISH. The issuance of the confirmation is at the sole discretion of DISH and shall be in text form. If further steps are required to complete the registration, the Client will be advised of this in the confirmation.

2.5 A separate sub-account can be set up for a Client's employees, which can be linked to the Client's account. The Client remains the contractual partner for such sub-accounts and thus responsible for actions of the sub-account holder. Not all services or functions of the DISH Platform are available to sub-account holders.

3 Subject matter of the DISH Platform

3.1 The DISH Platform is a digital marketplace where both DISH and third parties (these hereinafter “Third-Party Providers”) can offer information (such as in the form of blogs) and digital solutions for the hospitality industry (“Digital Tools”) as well as other goods and services (together hereinafter the “Services”).

3.2 Within the framework of the DISH Community (see Part II of the Terms of Use), the DISH Platform offers Clients the opportunity to exchange information with each other and to receive current information about the gastronomy and food industry and its digitalisation and to register for events. The terms and conditions listed in Part II of the Terms of Use shall also apply.

3.3 Clients can use the Services provided by DISH via the DISH Platform free of charge or for a fee. DISH shall also provide such Services of its own on the basis of the Terms of Use. The terms and conditions listed in Part III of the Terms of Use for the corresponding service shall also apply, unless separate or supplementary terms of use are agreed when the service is used.

3.4 Clients can also use the Services provided by Third-Party Providers via the DISH Platform free of charge or for a fee. DISH itself does not become a contractual partner of a contract concluded between Client and Third-Party Provider; DISH is merely an intermediary in the conclusion of the contract. All claims and obligations arising from such a contract are directly and exclusively between the Client and the Third-Party Provider. Details on the Services of a Thirdparty Provider can be found in the contract terms and product descriptions as well as on the website of the relevant provider.

3.5 The contract for the use of Services of DISH according to clause3.3 (“Individual Contract”; together with the User Agreement also “Agreement”) is concluded either directly in the sales process by electronic signature of the Client or otherwise by acceptance of the Client's application for the conclusion of a contract for the Services by DISH. The same applies to the use of Services of Third-Party Providers according to clause 3.4, unless otherwise stated in the terms and conditions of the Third-Party Provider.

3.6 DISH makes the marketplace technically available, but does not guarantee its availability to the Client, unless otherwise agreed. DISH provides access at the transfer point to the public grid. The Platform will be unavailable during necessary maintenance. DISH will endeavour to minimise the disruption caused by maintenance work.

3.7 DISH may adapt the DISH Platform and other Services to the state of the art and technical developments or needs. Insofar as the agreed scope of Services changes as a result, the provisions on the amendment of these Terms of Use shall apply in accordance with clause 17.

3.8 DISH may offer the Client additional Services in connection with the DISH Platform, the scope of which shall be agreed with the Client in each case and which, unless otherwise agreed, shall be provided in accordance with these Terms of Use.

4 Responsibility for content, data and information

4.1  Contents and Services provided by DISH itself are marked as such.

4.2  The digital tools contain functions by means of which the Client can offer and sell its own goods or services on the internet to consumers and other end customers. In this case, the contract is concluded directly between the Client and the respective end customer. DISH shall not act as an intermediary, but as a technical service provider for the Client, subject to the provisions in Clause 5.

4.3  In the case of Services provided by DISH that involve a connection to Services of third parties, DISH is dependent on the relevant third parties for the provision of the Services. The parties are aware that the third parties may change their terms of use or technical connections with- out DISH's intervention, so that further provision of DISH's Services is only possible to a limited extent or no longer possible. This does not constitute a breach of contract by DISH.

4.4  DISH assumes no responsibility for the information provided by third parties regarding Services offered by them. In particular, DISH does not warrant that such information is accurate or suit- able for achieving the purpose stated therein. Similarly, DISH does not warrant that the Third- Party Providers' statements regarding the functionality or specific availability of their Services are accurate.

4.5  DISH has no influence on the content of linked third-party websites. DISH therefore accepts no responsibility for the accuracy and completeness of such websites.

5 Marketing via third-party platforms; online intermediary services

5.1  Part III of the Terms of Use may provide, for certain digital tools, that the goods and services offered and managed by the Client through the DISH Platform may be marketed through plat- forms or directories operated by third parties (“Third-Party Platforms”). In this respect, DISH acts in its own name and under its own corporate trademark (in particular also as “or- derdirect”) both vis-à-vis the respective operator of the third-party platform and vis-à-vis the end customer as an online intermediary service within the meaning of Article 2(2) of Regulation (EU) 2019/1150 (“Online Intermediary Service”).

5.2  Also in this context, the contract for the goods and services is concluded directly between the Client and the respective end customer. DISH (as well as the operator of the third-party plat- form) is merely an intermediary. DISH provides the end customer with information about the identity of the Client. DISH may enter into its own intermediary agreement with the end customer. The Client grants DISH a power of attorney to cancel contracts with end customers on its behalf if there is reasonable doubt about the accuracy or authenticity of an order or necessary contact information.

5.3  DISH does not currently operate its own website as part of its activities as an online intermediary service and markets the Client's goods and services exclusively via third-party platforms. DISH itself does not influence the relative ranking of the Client's offers compared to offers from other traders (ranking) on these third-party platforms. If the Client uses other online intermediary services, these may appear on the third-party platforms in addition to the online inter- mediary service of DISH; the operator of the third-party platform will also decide on the order of the online intermediary services in this case.

5.4  The marketing of the Client's goods and services via third-party platforms shall only take place to the extent that the Client uses the underlying digital tool and has not activated or deactivated the marketing on this third-party platform in his Client account. A differentiated treatment of goods and services of the Client compared to goods and services of other commercial users does not take place.

5.5  DISH will ensure that the identity of the Client offering goods through DISH's online intermediary service is clearly identifiable.

6 Remuneration and payment

6.1  The use of the basic functions of the DISH Platform is free of charge for the Client.

6.2  Services may be offered by DISH or Third-Party Service Providers for a separate fee (“Charge- able Service”). The Client will be informed of this prior to the utilisation within the framework of the conclusion of the contract and will be requested to expressly confirm his payment obligation.

6.3  In the case of Chargeable Services by DISH, the Client shall pay DISH a corresponding remuneration in accordance with the offer on the DISH Platform. The Client receives a monthly invoice for these Services.

6.4  The obligation to pay the remuneration to DISH shall not apply if the Client acquires the right to use the Chargeable Services from a Reseller. Payment and invoicing in this case shall be governed exclusively by the contract between the Client and the Reseller.

6.5  If a Third-Party Provider or a Reseller offers Chargeable Services on the DISH Platform and the payment is not processed directly via the Third-Party Provider or Reseller but via the DISH Platform, the processing is carried out via the payment service provider specified on the Platform (“Payment Service Provider”). The Payment Service Provider accepts payments from the Cli- ent using the payment methods specified on the DISH Platform for the respective Chargeable Service (e.g. prepayment, credit card, Paypal) and disburses the funds to the Third-Party Provider or Reseller. At no time does DISH itself come into possession of the funds.

7 Duties and obligations of the Client

7.1  The Client shall continuously update and, if necessary, correct the data provided by him/her in the course of registration in accordance with clause 2 of these Terms of Use. The Client shall further ensure that messages sent to the e-mail address provided to DISH are regularly retrieved in order to receive information relevant to the contract.

7.2  The Client shall designate a contact person who shall serve as the contact for communication between DISH and the Client. The Client warrants that the contact person is authorised to make legally binding declarations with effect for and against the Client. The contact person must have a valid mobile phone number that allows the receipt of notifications via SMS (Short Message Service) and provide this mobile phone number to DISH during registration.

7.3  Access data that the Client receives from DISH or selects itself shall not be disclosed by the Client to third parties and shall be protected from access by third parties. The Client shall also bind the holders of sub-accounts to do so. The Client shall inform DISH immediately if the Client has reasonable suspicion or is aware of a possible misuse of the access data provided. In this case, DISH is entitled to temporarily block the access data of the Client or the affected sub-account until the suspicion of abuse is cleared or new access data is assigned by DISH.

7.4  The Client is responsible for meeting the system requirements that enable use of the DISH Platform. In particular, DISH is not responsible for providing an Internet browser, an Internet connection or any other infrastructure that enables the Client to access the DISH Platform.

8 Permitted use; Automated queries

8.1  The Client may only use the DISH Platform for its own business purposes. He is not entitled to grant a third party rights of use to the DISH Platform or to transfer his user account to third parties. He may, however, set up sub-accounts for his employees according to clause 2.5.

8.2  The Client may not use the DISH Platform in an unlawful manner or for unlawful purposes. In particular, the Client undertakes not to make available to third parties via the DISH Platform any content the publication, accessibility or possession of which is prohibited under the laws of the Federal Republic of Germany or the laws of the country in which the Client is present at the relevant time, or the publication or accessibility of which must be made dependent on a restriction of access to persons above a certain age (“Illegal Content”).

8.3  The Client shall not make available to third parties through the DISH Platform any content that is intended to harass, bully, humiliate, keep away or drive away (a)any other user or group of users or to disparage the(b) reputation of DISH (“Inappropriate Content”).

8.4  Clients may notify DISH at any time at support@dish.co of what they consider to be Unlawful or Inappropriate Content, including ratings or posts in discussion forums.

8.5  The use of the DISH Platform for the purpose of automated queries is not permitted. The contents available on the DISH Platform (photos, texts, graphics, videos) are protected by copy- right. Reproduction (in particular by automated reading out, “scraping”) as well as the use of contents for the purpose of further transmission without corresponding authorisation is prohibited.

9 Contents of the Client; provision of storage space

9.1 The Client may only make such content publicly accessible via the DISH Platform for which it holds the necessary copyrights or exploitation rights and other intellectual property rights. The making available may not infringe any personal rights of third parties, in particular rights to one's own image or word.

9.2  The Client will remain the owner of the intellectual property rights to content that it makes publicly available via or otherwise posts on the DISH Platform. However, the Client grants DISH a non-exclusive, worldwide, royalty-free right, transferable and sub-licensable without the Client's consent, to make the content made available by the Client via the DISH Platform publicly accessible and to reproduce and adapt it for this purpose. This right applies to ratings, posts to discussion posts and other contributions within the framework of the DISH Community for an unlimited period of time, and otherwise for a limited period of time until the termination of the User Agreement.

9.3  If the Client is provided storage space for a website or portions of a website as part of the Services, the Client understands that such website may be associated with DISH. The Client shall therefore take all necessary actions to present the Client's offer as its own offer and thus separate it from DISH’s offer or that of third parties in terms of content. The Client shall specifically state its own data in the legal notice of the website or keep them easily recognisable, directly accessible and permanently available in some other way.

9.4  To refinance the costs for the DISH Platform and Services, DISH reserves the right to display commercial advertising on the Client's website created through the DISH Platform. DISH will ensure that the extent and frequency of the promotional display does not conflict with the actual purpose of the website. The advertising companies remain responsible for the content of the advertising.

9.5  The Client shall indemnify DISH against all claims asserted by other users or third parties against DISH due to negligent or intentional infringement of their rights by the Client's content.

10 Granting of rights

10.1  DISH grants the Client a non-exclusive, non-transferable, nonsublicensable right, limited to the purpose stated in these Terms of Use and the duration of the User Agreement or the Individual Contract for the use of DISH's Services, to use the DISH Platform or the software contained in DISH's Services within the scope of these Terms of Use.

10.2  In all other respects, the statutory provisions shall apply, in particular those of copyright law for software and other works and the protection of ancillary copyright.

11 Data protection

11.1  In providing the DISH Platform and the Services, DISH processes personal data of the Client, its employees and third parties for its own purposes. The Client's attention is drawn to DISH's separate privacy policy; this serves exclusively to inform the Client and the data subjects in accordance with the provisions of Regulation (EU) 2016/679 (“GDPR”) and is not part of the contract.

11.2  In providing the Services, DISH further processes personal data on behalf of the Client based on the commissioned data processing agreement in Part IV the Terms of Use. It is hereby clarified that this only includes those processing activities where DISH itself does not determine the purposes and means of the processing. In particular, DISH shall act as a data controller within the meaning of Clause 11.1when providing online intermediary services.

11.3 To the extent that a newsletter function is included in the scope of Services, DISH manages the consent of users (opt-in) and, via automatic functions, declared objections or withdrawals of consent (opt-out) in accordance with Article 13 of Directive 2002/58/EC and § 7 (2) of the German Unfair Competition Act (UWG). The processing shall also be carried out on behalf of the Client based on the commissioned data processing agreement in the Part IVTerms of Use.

12 Confidentiality

12.1  The parties shall not make any confidential information available to third parties and shall not use it for other purposes that do not serve the Agreement. This also applies after the end of the contract term. All technical information and know-how made available to the Client as well as other information marked as confidential by one of the two parties and having economic value shall be deemed to be confidential. This expressly includes trade and business secrets.

12.2  The confidentiality obligation does not apply to the use of data by DISH under clause 13.1.

12.3  The confidentiality obligation also does not apply to information which has become or is al- ready known to a party or to the public without a breach of this clause 12, or which must be made accessible to third parties due to statutory provisions, judicial or official orders, or which is inspected by third parties bound to secrecy in the context of an intended company purchase.

13 Data use

13.1  The Client grants DISH the right to store, analyse and use for evaluation purposes all data generated during the use of the DISH Platform. The Client also grants DISH the power to supplement the data obtained with further data (for example from publicly accessible third-party sources (such as e.g. rating portals and social media) or other data sources accessible to DISH) to combine it and to evaluate it at DISH's discretion for its own purposes as well as to pass on these evaluations to third parties (in particular, but not exclusively, those involved in the (further) development and operation of the Services as sub-service providers, as well as partner companies of DISH that offer digital solutions or other services for Client's business operations) and to make them accessible to them. This power shall remain valid even after termination of the User Agreement.

13.2  Personal data that DISH processes on behalf of the Client in accordance with clause 13.1 are excluded from clause11.2, unless they have been anonymised beforehand on behalf of the Client.

13.3  Clause 13.1 also applies to data that DISH collects when providing online intermediary services. In this context, the data is transmitted to third parties not only to ensure the proper provision of online intermediary services, but also for the purpose of market research. The use of the data is part of these Terms of Use and cannot be switched off by the Client. The Client will be granted access via the DISH Platform to the data relating to individual transactions arranged by DISH as well as to evaluations of such data within the scope of the Service description of the respective digital tools. The Client will not have access to data of other commercial users in aggregated or any other form.

13.4 The provisions of the GDPR, Directive 2002/58/EC, the German Telecommunications Tele- media Data Protection Act (TTDSG), and other provisions on data protection or privacy shall remain unaffected.

14 Restrictions on use

14.1  DISH is entitled to block or delete content that the Client has made accessible via the DISH Platform if and to the extent there is reason to believe that

(a)  the Client has disseminated illegal content, in breach of clause 8.2, second sentence, or inappropriate content, in breach of clause 8.3; or

(b)  the Client has made available content that infringes the rights of third parties in breach of clause 9.1; or

(c)  DISH is obliged to do so by statutory provisions, an official order or a court decision.

14.2  DISH is entitled to block or restrict the Client's access to the DISH Platform or a sub-account if and to the extent that

(a)  the Client has provided incorrect or incomplete information or has not corrected the information without delay, in breach of clause 2.3 or 7.1;

(b)  the Client or the sub-account holder has repeatedly made content accessible via the DISH Platform that has been blocked or should have been blocked in accordance with clause 14.1;

(c)  the Client or the sub-account holder has made automated enquiries in breach of clause 8.5; or

(d)  the Client or the sub-account holder otherwise materially or repeatedly breaches any other obligation of the Client under these Terms of Use.

14.3  DISH will notify the Client of the restriction of use in text form before or at the same time as the restriction of use takes effect. Insofar as the restriction of use concerns an online intermediary service, DISH will justify the restriction of use in text form before or at the same time as the restriction of use takes effect.

15 Contract term and termination

15.1  DISH and the Client enter into the User Agreement for the DISH Platform for an indefinite period of time. The same applies to Individual Contracts for the use of further DISH Services, unless otherwise agreed upon conclusion of the Individual Contract.

15.2  The Client or DISH may terminate the User Agreement for the DISH Platform as well as the Individual Contracts for the use of additional Services with a notice period of one month, unless otherwise agreed with DISH or a Reseller. Notwithstanding sentence 1, the notice period for termination by DISH shall be at least thirty (30) days.

15.3 The right of the parties to extraordinary termination of the User Agreement or the Individual Contracts for good cause shall remain unaffected. Good cause for DISH applies in particular if:

(a)  DISH is subject to statutory or regulatory obligations that require a complete termination of the provision of the Services to the Client and thereby do not allow the Client to comply with the time limit under clause 15.2;

(b)  (i)the Client is in default for two (2) consecutive months in the payment of the agreed remuneration for chargeable services or of a not insignificant part thereof, or(ii) is in default for a period of more than two (2) months in the payment of the agreed remuneration for chargeable services in an amount equal to the agreed remuneration for two (2) months; or

(c)  the Client has provided false 2.3 or 7.1 incomplete information or has not promptly corrected the information, in breach of clause (i), and the Client has not corrected or supplemented the information within a period of at least thirty (30) days set by DISH in text form, or (ii) DISH is unable to contact the Client because the email address provided by the Client is invalid or no longer valid;

d)  the Client has disseminated illegal content in breach of clause 8.2 or inappropriate content in breach of clause 8.3; in the case of insulting other users or inappropriate content, however, this only applies if it occurs repeatedly after DISH has threatened the Client with termination of the account;

(e)  the Client has made available content that infringes the rights of third parties in breach of clause 9.1, if DISH has been held liable by third parties for this or if this occurs repeatedly after DISH has threatened the Client with termination; or

(f)  the Client otherwise materially or repeatedly breaches any of its obligations under these Terms of Use after DISH has threatened the Client with termination of the account.

15.4 To the extent that the termination relates to an Online Intermediary Service, DISH shall give notice of termination in text form at least thirty (30) days prior to the effective date of termination in the case of the clause 15.2 and immediately in the case of the clause15.3. In the justification, DISH will state the material facts or circumstances, including the content of the third party communications, that led DISH to make the decision and the grounds for termination under these Terms of Use that apply to that decision. This does not apply to the extent that DISH is not permitted to disclose the specific facts or circumstances and the applicable reason(s) due to legal or regulatory obligations or if DISH can prove that the Client has repeatedly violated the applicable General Terms and Conditions and DISH terminates for this reason.

15.5 The Client may ordinarily terminate the Agreement through a function provided for this purpose on the DISH Platform or in text form. Any other termination of the Agreement by one of the parties requires text form. A notice of termination (in particular in the case of clause 15.3(c)(ii)) shall also be deemed to have been received if the Client has frustrated receipt of the e-mail by providing or failing to update an invalid e-mail address or one that has become invalid.

15.6  If Individual Contracts are in place, the termination of the User Agreement shall also be deemed to be a termination of the Individual Contracts. In this case, the termination of the User Agreement shall take effect at the earliest when the last Individual Contract is terminated.

15.7  Termination of the User Agreement between DISH and the Client shall not affect any contract entered into between the Client and a Third-Party Provider, unless otherwise provided for in the respective contract with the Third-Party Provider.

16 DISH’s Liability

16.1  DISH’s liability for all damages of the Client, regardless of the legal reason, is excluded, unless otherwise stated in the following clauses 16.2-16.5.

16.2  DISH shall be liable within the scope of the statutory provisions for:

(a)  Damage resulting from injury to life, body or health caused by an intentional or negligent breach of duty by DISH or one of its legal representatives or vicarious agents;

(b)  Damage resulting from an intentional or grossly negligent breach of duty by DISH or one of its legal representatives or vicarious agents; and

(c)  other damage resulting from a (simple) negligent breach of obligations the fulfillment of which is a prerequisite for the proper performance of the Agreement with the Client and the observance of which the Client may regularly rely on, whereby, except in the cases of letters (a) and (b), DISH's liability shall be limited to typical and foreseeable damages.

16.3  Any liability on the part of DISH under the German Product Liability Act (to the extent applicable) shall remain unaffected. The same applies to any liability on the part of DISH under other statutory provisions which expressly establish that liability cannot be excluded or limited in advance.

16.4  If DISH has given a guarantee as to quality or otherwise assumed strict liability, the liability arising therefrom shall be governed exclusively by the terms and conditions of the respective guarantee or assumption and this clause 16 shall not apply.

16.5  The limitations of liability under this clause 16 shall apply mutatis mutandis to the liability of DISH's bodies, vicarious agents, employees and other staff, as well as to DISH's partner companies and their bodies, vicarious agents, employees and other staff.

17 Amendments to these Terms of Use

17.1  DISH reserves the right to make changes or additions to these Terms of Use. DISH shall notify the Client in text form of any proposed amendments to the Terms of Use.

17.2  The proposed amendments shall only be implemented after the expiry of a reasonable and proportionate period of time with regard to the nature and scope of the planned amendments and their consequences for the Client. This period shall be at least thirty (30) days from the date DISH notifies the affected Clients of the proposed amendments. DISH must grant longer periods if this is necessary to enable the Client to make the technical or business adjustments required due to the amendment.

17.3  To the extent that the proposed amendments do not (i) affect the Service description of al- ready agreed service components, the remuneration or other main service obligations, (ii) are reasonable for the Client and (iii) do not place the Client in a worse position overall, DISH may choose the following procedure:

(a)  The amendments shall be deemed to have been approved if the Client does not object in text form within the time limit set out in clause17.2. If the Client objects to the amendment, DISH may terminate the User Agreement, or the Individual Contract ac- cording to clause15.2.

(b)  The Client has the right to extraordinary termination of the affected User Agreement or Individual Contract before the expiry of the period according to clause 17.2. Termination shall take effect within fifteen (15) days of receipt of the notice under clause 17.2 unless a shorter notice period has been agreed in the individual case.

(c)  DISH shall inform the Client of the consequences of a failure to object and of the right to terminate without notice when informing the Client of amendments to the Terms of Use.

(d)  The Client may waive compliance with the time limit in accordance with clause 17.2 and thus waive its right of objection or right of termination in accordance with clause 17.3 by means of an unambiguous confirmatory act. More specifically, the conclusion of further Individual Contracts shall be deemed to be an unambiguous confirmatory act.

(e)  The time limit pursuant to clause 17.2 does not apply if DISH

(i)  due to statutory or regulatory obligations, must make amendments to the Terms of Use in a manner that does not allow DISH to meet the time limit set forth in clause17.2;

(ii)  in exceptional circumstances, must amend the Terms of Use to address an un- foreseen and imminent threat to protect the DISH Platform, consumers, the Client or other users from fraud, malware, spam, privacy breaches or other cybersecurity risks.

17.4  For amendments to the Terms of Use for which the procedure under clause 17.3 does not apply or is not chosen by DISH, DISH will request the Client in text form to expressly agree to the amendment to the Terms of Use. If the Client does not grant the consent within a time limit set by DISH, which may not be shorter than the reasonable period of time according to clause 17.2, DISH may ordinarily terminate the User Agreement, or the Individual Contract ac- cording to clause15.2.

18 Assignments of rights and obligations

18.1  The Client is not entitled to assign rights and obligations under this agreement without DISH's prior written consent. § 354a of the German Commercial Code (HGB) remains unaffected.

18.2  DISH shall be entitled to transfer this agreement to affiliated companies (within the meaning of §§ 15 et seq. of the German Stock Corporation Act (AktG)), provided that this does not constitute an unreasonable hardship to the Client. The rights and/or obligations may also be divided between the affiliated company and DISH, provided that the Client is not placed in a worse position as a result. In the case of a Client who is entitled to deduct input tax, it is not considered to be undue hardship or a worse position if VAT is incurred in the Client's country of domicile for the first time as a result of the transfer.

19 Applicable law and jurisdiction

19.1  The Agreement and all claims and rights arising out of or in connection with the agreement shall be governed exclusively by and construed and enforced in accordance with the laws of Germany, excluding its conflict of laws rules. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is excluded. The place of performance is Düsseldorf.

19.2  If the Client is a merchant, a legal entity under public law or a special fund under public law, the exclusive place of jurisdiction for all disputes arising from or in connection with this agreement, its execution or its performance shall be Düsseldorf. If the Client is domiciled abroad, DISH may, however, also bring an action there.

19.3  In the event of disputes concerning the use of online intermediary services, DISH's internal complaints management is available to the Client free of charge. For this purpose, the Client may send a complaint to DISH by e-mail to support@dish.digital because of the following problems:

(a)  DISH's alleged failure to comply with any of the obligations set out in Regulation (EU) 2019/1150 which has consequences for the Client,

(b)  technical problems directly related to the provision of online intermediary services that affect the Client;

(c)  measures or conduct of the provider that are directly related to the provision of the online intermediary services and that affect the Client.

DISH will process any complaints within a reasonable time and notify the Client whether the complaint can be resolved.

19.4 DISH is willing to cooperate with the following mediators for the out-of-court settlement of any disputes relating to the use of online intermediary services, in particular those that are not resolved by the means of internal complaint management as set out in Clause 19.3:

(a)  [Mediator 1]

(b)  [Mediator 2]

Part II Use of the DISH Community

1 General provisions

1.1 DISH offers Clients the opportunity to exchange information with each other and to receive current information about the gastronomy and food industry and its digitalisation and to register for events.

1.2 A Client may decide at any time on the management settings of its account whether its Client profile should be visible to other clients. In this case, the Client can be found by other clients via the search function of the DISH Platform. The Client set its profile page to “Private” at any time, so that other users cannot find the Client in the search and also do not receive any other information.

1.3 Clients are prohibited from disclosing contact information of other clients obtained through the use of the DISH Platform to third parties or using it for advertising purposes.

2 Team Management

2.1 DISH offers clients the opportunity to organise their teams on DISH. This includes the possibility to invite team members to DISH, assign different roles and responsibilities to team members.

2.2 This functionality also includes the distribution functionality. Client and team members can be informed about incoming information and tasks from connected digital tools through preferred communication channels (e.g. new reservations via the reservation tool, which are distributed to team members for further processing).

2.3 DISH serves only as a management and sales function. The processing of the tasks themselves is done within appropriate digital tools and not on DISH.

3 Posts in discussion forums and ratings

3.1 Clients can submit ratings for selected services on the DISH Platform and use related discussion forums.

3.2 Every Client is responsible for the content of a rating written by it, as well as for posts in discussion forums. The reviews and posts each represent the subjective view of the Client that wrote the review. DISH does not endorse these ratings.

Part III Special conditions for DISH digital tools and other Services

Chapter A DISH Order

1 Scope of Services

1.1  The Services include the following components:

(a)  DISH provides the Client with a comprehensive online meal ordering solution via the internet. The responsible provider of this service vis-à-vis the end client (who orders the meal) is the Client.

(b)  An order terminal is also made available to the Client for receiving and processing in- coming orders.

1.2  DISH owes an average availability of the online solution of 98.5% per year. Necessary maintenance times or release changes notified by DISH to the Client in advance will not be considered as a lack of availability.

1.3  In order to increase its reach, DISH may also publish the meals offered by the Client on third- party platforms (e.g. “Ordering with Google”) market. In this context, DISH offers, notwithstanding Clause 1.1(a), the ordering option on these third-party platforms under its own responsibility as an online intermediary service. If applicable, the Client can choose whether and via which third-party platforms such marketing takes place.

1.4  DISH provides the Client with a newsletter function.

2 Obligations of the Client

2.1  The Client shall comply with all local legal requirements relating to price labelling, allergen information, hygiene requirements, food preparation, occupational health and safety, workers' rights, additives, packaging, underage protection laws, food serving or delivery requirements and consumer protection laws.

2.2  If the Services already contain texts, they are merely suggestions for wording and in no case constitute legal advice or the like. It is the Client's responsibility to have these texts checked by a lawyer if necessary and to have them adjusted to its individual case.

3 Online payment function

3.1  If the Client wishes to use the online payment function, a separate registration with the payment service provider integrated by DISH is required for this purpose. The Client shall provide DISH or the payment service provider with the data and documents required for a proof-of- identity check in accordance with the German Money Laundering Act (GwG). DISH forwards them to the payment service provider on behalf of the Client.

3.2  For the use of the online payment function, separate fees are incurred per payment transaction, which are due to DISH (currently 1.89% of the gross turnover). DISH reserves the right to adjust the fee at its reasonable discretion to the changes in the costs that are relevant for the calculation of the fee. A price increase shall be considered and a price reduction shall be applied in particular in the event of a change in the charges of the relevant payment service provider or a change of payment service provider. Increases may only be used to increase fees to the extent that they are not offset by cost reductions in other transaction-related costs. In the event of fee reductions by the payment service provider, DISH's fees shall be reduced to the extent that the fee reductions are not offset by an increase in other transaction-related costs. In exercising its reasonable discretion, DISH shall choose the respective timings of a fee change in such a way that cost reductions are not taken into account according to standards that are less favourable for the Client than cost increases, i.e. that cost reductions have at least the same effect on prices as cost increases. The current fees can also be found in the separate price list at www.dish.co.

4 Order Terminal (Hardware)

4.1  The Service includes the delivery of an Order Terminal, which can be used to receive and man- age incoming orders at the business premises.

4.2  Depending on the specific offer, the Client either acquires ownership of the device directly (purchase) or only acquires ownership after an agreed rental period (hire purchase). In the event of a hire purchase, the Client shall treat the Order Terminal properly and with care.

4.3  In case of purchase, the warranty on the Order Terminal is limited to one year. In the case of hire purchase, no further warranty is granted after the end of the rental period.

4.4  In the case of a hire purchase, if the Service is terminated before the expiry of the agreed hire period, the hire shall cease as well. In this case, the Client shall return the Order Terminal within ten (10) days after the end of the rental period.

Chapter B DISH Website

1 Scope of Services

1.1 The Services include the following components:

(a) DISH provides Client with storage space for the publication of Client's own website, combined with an online solution for the creation and publication of simple websites with specified layouts and automatically generated texts (“Storage Space”), see clause 2.

(b) The scope of functions includes a“Claiming Service”, through which DISH enables Client to automatically transmit to Third-Party Providers information published on its website regarding Client's local accessibility (i.e., in particular, information regarding Client's local and time accessibility, e.g., address and opening hours of Client's business), see clause 3.

(c) DISH offers the Client a sub-domain (third-level domain), which the Client may select within the scope of availability and which will be associated with the storage space (“Sub-Domain”), see clause 4. Alternatively, the Client can use its own domain name.

1.2 DISH also provides the Client with a newsletter function.

2 Storage space

2.1 The storage space is provided to the Client free of charge. Therefore, DISH does not guarantee a certain availability of the storage space. DISH shall provide the Client with the further specifications of the storage space prior to the execution of the contract.

2.2 As the operator of the website and the controller for data processing, the Client shall ensure that the legal notice and the privacy policy are in compliance with the law and up-to-date.

2.3 The Client shall not execute or cause to be executed on the storage space any automated processes, scripts, software or other data and/or content and/or actions of any kind that interfere more than insignificantly with the systems, networks and/or other hardware or software or network components of DISH and/or third parties. If DISH becomes aware of such interference, DISH is entitled to terminate and/or interrupt such interference.

2.4 The Client will perform daily data backups in order to be able to restore the contents of the storage space without further costs.

2.5 The Client may only make websites publicly accessible on the storage space that were created with the online solution provided.

3 Claiming Service

3.1 DISH enables the Client to publish details of its local accessibility (such as address and opening hours) by means of the software on the website created by the Client and, at the same time, to transmit them to third party operators of platforms and directories for publication.

3.2 DISH shall provide the Claiming Service to the Client until revoked; this applies in any case with respect to the automatic transmission of the content entered by Client for this purpose by means of the software to Google My Business.

3.3 The transmission of this data to further Third-Party Providers is an optional service provided by DISH within the scope of the Claiming Service, which the Client may freely decide to use.

3.4 DISH may terminate or limit the Claiming Service at any time in its sole discretion (such as in the event of a discontinuance or change in the Third-Party Providers' service offers). DISH will give due consideration to the legitimate interests of the Client in making such a decision.

4 Sub-Domain ; own domain of the Client

4.1 The Client may register a maximum of three Sub-Domains (third-level domains) with DISH. The Sub-Domains are registered under the second-level domain “eatbu.com” registered by DISH according to the model “<xyz>.eatbu.com”; DISH may also provide other second-level domains in addition to “eatbu.com” for selection at its own discretion. The Client can only choose Sub-Domains that have not yet been registered by another Client.

4.2 The Sub-Domain can only be used in conjunction with the storage space. The Client is aware that it is not possible to switch to another provider or another registrar for Sub-Domains.

4.3 The Client undertakes and warrants to choose the Sub-Domain exclusively in accordance with applicable law, in particular, the Client will only choose a name for the Sub-Domain for which the Client holds the necessary rights, including trademark and/or name rights. Furthermore, the Client shall not register any domain names for the Sub-Domain that are contrary to morality or unethical.

4.4 The Client shall further comply with the requirements of the Internet Corporation for Assigned Names and Numbers (“ICANN”) or the registry designated by ICANN for .com domains, as applicable, when registering the Sub-Domain with DISH.

4.5 DISH is entitled to terminate without notice and delete domains that are chosen in disregard of the clauses 4.1, first sentence 1, 4.3 or 4.4.

4.6 The Client can alternatively register its own domain name or use an already registered domain name and link it to the storage space. DISH may refer the Client to suitable providers for this purpose. The contract for the registration of an own domain name is concluded exclusively between the Client and the respective provider.

4.7 Part I Clause 9.5 of the Terms of Use shall apply mutatis mutandis to infringements of rights caused by the client's choice of domain name.

Chapter C DISH MenuKit

1 Scope of Services

1.1 The Services include the following components:

(a) DISH grants the Client online access to software that enables the Client to manage its range of meals. The Client can use the software in particular to enter recipes and foodstuffs and to calculate possible sales prices and margins.

(b) The Client may create its own menu or use the menu on the DISH Order and DISH Website.

1.2 DISH MenuKit creates suggestions for retail prices according to general business and mathematical rules. The entrepreneurial risk for using the calculated prices remains exclusively with the Client. It is the Client's responsibility to check the calculated prices and adjust them if necessary. The final decision on pricing is made exclusively by the Client.

Chapter D DISH Reservation

1 Scope of Services

1.1 The Services include the following components:

(a) DISH provides the Client with storage space for use on DISH's systems, which the Client can access via the Internet (“Storage Space”).

(b) DISH grants the Client access via the Internet to software that enables the Client to incorporate, use and manage the online reservation software on its own website (“Software”) and to store and manage the collected data on the Storage Space.

1.2 To increase its reach, DISH may also make the availability of reservations (times, tables and number of persons) available to third-party platforms (e.g.“Reserve with Google”). In this context, DISH offers, notwithstanding Clause 1.1(a), the ordering option on these third-party platforms under its own responsibility as an online intermediary service. However, reservation enquiries received via this channel are handled exclusively via the DISH Platform. In the digital tool settings, the Client may select whether and via which third-party platforms he can make such a reservation. Since individual operators provide for a minimum number of persons for an automated reservation acceptance, DISH has provided for four persons as a basic setting for the automated reservation acceptance. This setting can be changed by the Client at any time. However, such a change may result in operators of other platforms and directories no longer displaying reservations that are actually available.

1.3 DISH also provides the Client with a newsletter function.

2 Storage Space

For the provision of Storage Space within the scope of DISH Reservation, clauses 2.1 to 2.4 of chapter B apply accordingly.

Chapter E DISH Weblisting

1 Scope of Services

1.1 The Services are provided in a free basic version or in the premium version, for which a fee is charged.

1.2 The Services include the following components in the basic version:

(a) Collection and storage of information from the Client.

As part of the Services, the Client shall provide the following information for a location/branch:

General information (name of the company, category), information on local accessibility (address and opening hours), accessibility via telecommunication means (telephone numbers, e-mail addresses, websites), products and services offered.

(b) Publication on online platforms (“Publishing”)

The Services enable automatic transmission of these details to third parties for publication on online platforms operated by them. In the basic version, the Client is not offered all connected online platforms here, but only a selection. If information is updated within the Service, these updates are automatically forwarded to the connected online platforms.

(c) Assumption of management rights (“Claiming”)

In the case of an already existing entry with a Third-Party Provider, the assumption of the management rights to this publication will be initiated, if enabled by the Third-Party Provider, and, if necessary, obtained with the cooperation of the Client. This also enables the automated updating of information about the Services.

(d) Reputation management

The Services enable the (automated) retrieval and aggregated presentation of the client feedback such as ratings, reviews or questions on the online platforms of the Third-Party Providers. The Services provide the ability to respond to client feedback or report inappropriate content where provided for by the Third-Party Provider. In the basic version, these additional services are partly limited to a certain number of replies or notifications (e.g. only five times a month).

(e) Statistics & Analyses

The Services offer the collection, sorting and aggregated display of usage statistics of the content at the Third-Party Providers (e.g. page views, displays of search queries). Within the scope of the basic version, a limited scope of usage statistics and filter/sorting options is provided.

1.3 In addition to the basic version, the Services in the premium version include the following chargeable components:

(a) Collection and storage of information from the Client

See clause 1.2(a).

(b) Publication on online platforms (“Publishing”)

Within the premium version, publication takes place on request on all online platforms connected to the Services. In addition, several branches/locations can be managed via the Services according to the conditions of the online platforms. A search and deletion of duplicate entries at the Third-Party Providers is possible. A regular check of entries is carried out with Third-Party Providers for incorrect changes by third parties.

(c) Assumption of management rights (“Claiming”)

See clause 1.2(c).

(d) Reputation management

In the premium version, the number of replies, notifications is unlimited. All filtering and sorting options are also available.

(e) Statistics & Analyses

In the premium version, the full range of usage statistics and filter/sorting options are available to the Client.

(f) Content Publishing

As part of the premium version, the Client is given the option, if supported by the Third-Party Provider, to compose messages for publication with Third-Party Providers and to submit them for publication (e.g. special offers, news, events).

Chapter F DISH Bonus

1 Scope of Services

1.1 The Services include the following components:

(a) DISH has concluded partner agreements with various loyalty programme providers. The DISH Bonus function enables the Client to offer loyalty benefits (e.g. miles or points) to the end client in its business without being a direct loyalty partner of the providers. In this respect, the DISH Bonus function, DISH is an intermediary.

(b) DISH grants the Client access to the DISH Bonus via the Internet, which generally allows the Client to offer up to two different loyalty programmes in its business.

(c) There is no entitlement to admission to a particular loyalty programme. Admission to a chosen loyalty programme will only take place after approval by the provider of the loyalty programme. The provider of the loyalty programme may refuse admission without stating reasons.

(d) Also, DISH reserves the right to limit the number of simultaneously selected/parallel loyalty programmes to two programmes.

(e) DISH Bonus offers a separate in-app functionality to capture or scan the corresponding end client card numbers. The recorded data and sales are forwarded via DISH to the corresponding provider of the loyalty programme. If provided for by the specific loyalty programme, the end client will receive a corresponding notification and subsequent crediting of the acquired loyalty points/benefits.

1.2 DISH Bonus provides the Client with a further separate in-app function, among other things, with a clear presentation and evaluation of the transactions made.

2 Obligations of the Client

2.1 DISH and the providers of the loyalty programmes make every effort to prevent abuse of the loyalty programme. However, the Client is still responsible to ensure that the loyalty points are properly awarded in its business and to prevent any abuse by its own employees by taking appropriate measures. Neither DISH nor the provider of the loyalty programme can accept any liability for damages in this context.

3 Access rights & data sharing

3.1 The Client grants DISH the authority to forward the correspondingly scanned data (in particular loyalty card number, transaction date, receipt amount) to the relevant loyalty programme provider for further processing.

3.2 If the specific provider of the loyalty programme provides its own advertising measures for the participating partners/operators (e.g. its own restaurant finder), DISH is expressly authorised to pass on the data and materials required for this purpose (e.g. also contact data, website, photos) to the provider of the corresponding loyalty programme. The loyalty programme provider is authorised by the Client to implement corresponding advertising measures for the benefit of the Client. Since the providers of the loyalty programme are involved in a mass advertising process, there can’t be any influence on each individual advertising measure. The Client reserves the right to withdraw this consent in full at any time. 

Chapter G DISH Guest

1 Scope of Services

1.1 The Services include the following components:

(a) DISH provides the Client with an online solution for recording the actual number of guests present in its restaurant. As an alternative to a paper solution, this makes it easier for the Client to record guests within the scope of the applicable legal requirements for contact data collection to combat the COVID 19 pandemic.

(b) The Client can generate a QR code via the service, which he can present and make available to his customers. The customers can access the website for the contact data collection for the restaurant via the QR code or the associated URL. The service provides for a check-in and check-out as well as a time-out function. After a period of two hours, an automatic check-out of guests on duty takes place.

(c) The Client can also present its current menu on the contact details website if desired, provided it is available online.

1.2 DISH owes an average availability of the online solution of 98.5% per year. Necessary maintenance times or release changes notified by DISH to the Client in advance will not be considered as a lack of availability.

1.3 The regulations on contact data collection to combat the COVID 19 pandemic are not uniformly regulated - often also within a single country - and can be changed at short notice by the respective legislators or ordinances may contain deviations for special types of catering establishments in individual cases. When setting up DISH Guest, the Client can select the relevant country or territory for its restaurant. DISH will make its best efforts to adapt the services promptly to any changes in the legal provisions in the respective country or territory. However, it is the Client's responsibility to check whether the services meet the requirements of the regulations applicable to him and, if necessary, to take supplementary measures.

1.4 DISH Guest is only available for catering establishments in the countries or territories that can be selected during setup.

Chapter Z Consulting services

1 Scope of the consulting services

1.1 DISH may provide consulting services to Client, in particular on how to set up the DISH Platform or individual Services for best long-term use (such as which supplemental features can be used) and how the DISH Platform can best interact with Client's business operations. 

1.2 Consulting services may also include the recommendation of other services and software solutions that can enhance the DISH Platform.

2 Provision by partner companies

2.1 The Client agrees that consulting services may also be provided by DISH partner companies at the registered office of the user (“Partner Companies”). If the consulting services are provided by a Partner Company, DISH merely acts as an intermediary for these services. DISH does not ensure the Client any particular quality or availability of such consulting services.

2.2 The following overview shows which Partner Company is responsible for the Client's registered office:

Austria

Belgium

Croatia

Czech Republic

METRO Cash & Carry Österreich GmbH

Metro Platz 1

2331 Vösendorf

Austria

MAKRO Cash & Carry Belgium NV

Nijverheidsstraat 70

2160 Wommelgem

Belgium

METRO C&C Zagreb d.o.o.

Jankomir 31

10090 Zagreb - Susedgrad

Croatia

MAKRO Cash & Carry  CR s.r.o.

Jeremiásova 7/1249

15500 Praha 5

Czech Republic

France

Germany

Hungary

Italy

METRO France SAS

5 rue des Grands Prés

92024 Nanterre Cedex

France

METRO Deutschland GmbH

Metro Street 8

40235 Düsseldorf

Germany

METRO Kereskedelmi Kft.

Budapark, Keleti 3

2041 Budaörs

Hungary

METRO Italia Cash and Carry S.p.A.

XXV Aprile 23

20097 San Donato

Milanese

Italy

Netherlands

Poland

Portugal

Romania

MAKRO Cash & Carry Nederland B.V.

De Flinesstraat 9

1114 AL Amsterdam-Duivendrecht

 Netherlands

MAKRO Cash and Carry Polska S.A.

Al. Krakowska 61

02-183 Warszawa

Poland

MAKRO Cash & Carry Portugal, S.A.

Rua Quinta do Paizinho, 1

Portela de Carnaxide

2794-066 Carnaxide

Portugal

METRO Cash & Carry Romania srl

51 N Theodor Pallady Blvd

Building C6, Frame A, Sector 3

Bucharest

Romania

Slovakia

Spain

Turkey

Ukraine

METRO Cash & Carry Slovakia, s.r.o.

Senecká cesta 1881

900 28 Ivanka Pri Dunaji

Slovakia

MAKRO España

Paseo Imperial, 40

28005 Madrid

Spain

METRO Grosmarket Bakirköy Alisveris

Hizmetleri Ticaret Sirketi Ltd. Sti.

Kocman Caddesi

34540 Günesli-Bakirköy (Istanbul)

Turkey

METRO C&C Ukraine Ltd.

43, Petra Grygorenka Street

02140 Kiev

Ukraine

Part IV Commissioned data processing agreement

For Clients who have their registered office or their respective branch office in a country of the European Union (EU) or another contracting party to the Agreement on the European Economic Area (EEA), the commissioned data processing agreement in the following shall apply Chapter Aexclusively. 

For Clients who have their registered office or their respective branch in a country outside the EU / EEA (“Third Country”), Chapter A that agreement shall also apply if and to the extent that an adequacy decision within the meaning of Article 45 GDPR applicable to the Client exists for the respective Third Country. If there is no adequacy decision for the Third Country or it is not applicable to the Client, the following shall apply instead.

Chapter A Clients in the EU or EEA and in Third Countries with adequacy decisions

Section I

Clause 1 Purpose and scope 

a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

c) These clauses apply to the processing of personal data in accordance with Annex II.

d) Annexes I to II are an integral part of the Clauses.

e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2 Invariability of the Clauses

a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.

b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3 Interpretation

a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.

b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.

c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4 Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5 [not applicable]

Section II OBLIGATIONS OF THE PARTIES

Clause 6 Description of the processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.B.

Clause 7 Obligations of the parties

7.1 Instructions

a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.

b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.

7.2 Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I.B, unless it receives further instructions from the controller.

7.3 Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex I.B.

7.4 Security of processing

a) The processor shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5 Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance

a) The Parties shall be able to demonstrate compliance with these Clauses.

b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7 Use of sub-processors

a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least [SPECIFY TIME PERIOD] in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.

b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.

d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfill its contractual obligations.

e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8 International transfers

Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.

The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8 Assistance to the controller 

a) The processor shall promptly notify the controller of any request it has received from the data subject.  It shall not respond to the request itself, unless authorised to do so by the controller.

b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.

c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor: 

i) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

ii) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

iii) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;

iv) the obligations under Article 32 of Regulation (EU) 2016/679.

d) The Parties shall set out in Annex ANNEX II the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9 Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

9.1 Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:

i) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

ii) the likely consequences of the personal data breach; 

iii) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

b) the details of a contact point where more information concerning the personal data breach can be obtained;

c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex ANNEX II all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Section III FINAL PROVISIONS

Clause 10 Non-compliance with the Clauses and termination

a) Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated.  The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.

b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:

i) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension; 

ii) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;

iii) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1(b), the controller insists on compliance with the instructions.

d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data.  Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

Chapter B Standard contractual clauses for Clients in third countries without an adequacy decision

Section I

Clause 1 Purpose and scope 

a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation) when transferring personal data to a third country.

b) The Parties:

i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

d) The Annex to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 Effect and invariability of the Clauses

a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annex. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 Third-party beneficiaries

a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7

ii) Clause 8  — Clause 8.1(b) and Clause 8.3(b)

iii) [not applicable]

iv) [not applicable]

v) Clause 13

vi) Clause 15.1(c), (d) and (e)

vii) Clause 16(e)

viii) Clause 18  — Clause 18

b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 Interpretation

a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 [not applicable]

Section II OBLIGATIONS OF THE PARTIES

Clause 8 Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data (7), the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a).  In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

a) The Parties shall be able to demonstrate compliance with these Clauses.

b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9 [not applicable]

Clause 10 Rights of data subjects

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11 Exclusive remedy

a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints.  It shall deal promptly with any complaints it receives from a data subject.

Clause 12 Liability

a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses.  This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13 [not applicable]

Section III LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 Local laws and practices affecting compliance with the Clauses

a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.  This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; 

ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;  

iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).  

f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation.  The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so.  In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses.  If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 Obligations of the data importer in case of access by public authorities

15.1 Notification

a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or 

ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible.  The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).  

d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity.  The data importer shall, under the same conditions, pursue possibilities of appeal.  When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits.  It shall not disclose the personal data requested until required to do so under the applicable procedural rules.  These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter.  It shall also make it available to the competent supervisory authority on request. 

c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

Section IV FINAL PROVISIONS

Clause 16 Non-compliance with the Clauses and termination

a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated.  This is without prejudice to Clause 14(f).

c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

ii) the data importer is in substantial or persistent breach of these Clauses; or

iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

 In these cases, it shall inform the competent supervisory authority of such non-compliance.  If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter.  Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses.  In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

e) Either Party may revoke its agreement to be bound by these Clauses where  

i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or 

ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred.  This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights.  The Parties agree that this shall be the law of Germany.

Clause 18 Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of Germany.

ANNEX

ANNEX I

A. List of parties

Processor or data exporter 

1. Name: DISH Digital GmbH, Metro-Straße 1, 40235 Düsseldorf, Deutschland

Address: Metro-Straße 1, 40235 Düsseldorf, Germany

Contact person’s name, position and contact details: [...], support@dish.co

Signature and entry date: (Signing takes place digitally)

Role: Processor

Controller / data importer :

1. Name: (as specified during registration to the DISH Platform)

Address: (as specified during registration to the DISH Platform)

Contact person’s name, position and contact details: (as indicated during registration to the DISH Platform)

Signature and entry date: (Signing takes place digitally)

Role: Data controller

B. Description of the  processing or data transmission  

1 Categories of data subjects whose personal data are processed

  • Employees and other staff of the controller (“Employees”)
  • Users of the controller’s website (“End Users”)
  • End clients of the controller or their contact persons (“End Clients”) 
  • Suppliers of the controller or their contact persons (“Suppliers”)

2 Categories of personal data processed

  • Full name, gender, academic title
  • E-mail address 
  • Billing and delivery address (End Clients only, DISH Reservation only)
  • Consents for sending newsletters (End Users and End Clients only)
  • User name and password for sub-accounts (Employees only)
  • Reservations (End Clients only, DISH Reservation only)
  • Orders, order history (End Clients only, DISH Order only)
  • Contact details for COVID-19 pandemic control in accordance with national legislation (end customers only, DISH Guest only)

3 Sensitive data processed (if applicable) and restrictions or safeguards applied that take full account of the nature of the data and the risks involved, e.g. strict purpose limitation, access restrictions (including access only for employees who have undergone specific training), records of access to the data, restrictions on onward transfers or additional security measures

  • In individual cases, voluntary information from end customers on worldviews and health restrictions that may be relevant for the preparation of the ordered meals may be processed (only DISH Order and DISH Reservation, if applicable). Although they may be special categories of personal data, becoming aware of them would have no impact on the data subjects (low protection requirement). Therefore, no additional measures are required on the part of the processor.
  • Contact data with an increased need for protection is processed within the context of DISH Guest. These are stored in a separately secured area.

4 Type of processing

  • Collection
  • Storing
  • Use

5 Purpose(s) for which the personal data are processed on behalf of the controller

  • Provision of access to the DISH Platform for Employees (sub-accounts)
  • Provision of information via the Internet (operation of a website) (DISH website)
  • Receipt of table reservations for the restaurant of the controller; further processing of table reservations received by the processor as an online intermediary service (DISH Reservation)
  • Receipt of orders for the restaurant of the controller; further processing of orders received by the processor as an online intermediary service (DISH Order)
  • Fulfillment of the data controller's obligation to collect contact data in accordance with national legislation on COVID 19 pandemic.
  • Sending newsletters to End Users and End Clients and managing the necessary consents and objections for this purpose

6 Duration of the processing

  • Term of the User Agreement for the DISH Platform or of the respective Individual Contrac
  • In the case of DISH Guest, the data will be automatically deleted after the expiry of the periods regulated by national law for combating the COVID 19 pandemic.

ANNEX IITechnical and organisational measures, including those to ensure data security 

EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms.  See also the general comment on the first page of the Annex, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

[Examples of possible measures:

  • Measures of pseudonymisation and encryption of personal data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of data during transmission
  • Measures for the protection of data during storage
  • Measures for ensuring physical security of locations at which personal data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management
  • Measures for certification/assurance of processes and products
  • Measures for ensuring data minimisation
  • Measures for ensuring data quality
  • Measures for ensuring limited data retention
  • Measures for ensuring accountabilityMeasures for allowing data portability and ensuring erasure]

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

How did we do?

Contact