From 25 May 2018 on, a new regulation to protect the personal data of European citizens will apply: the General Data Protection Regulation (GDPR). Under GDPR, you are obligated to ensure that the personal data of your EU employees and your EU guests (e.g. name, address, telephone numbers) that you process is protected in accordance with GDPR.
The Data Processing Addendum (DPA)
When using the orderbird app and my.orderbird.com, orderbird stores and processes personal data about you and, to a degree, your employees and guests. For this reason, the law provides that you, as a business owner, sign a data processing addendum (DPA) with orderbird.
What do I have to do?
Please download the data processing addendum (DPA), fill it in, sign it and mail it back to us:
The DPA regulates in detail which data we collect for the delivery of our services (orderbird App and my.orderbird.com), how we process the data and how we protect your data against unauthorized access.
You can fill out and sign the DPA directly on your computer.
- Download the DPA.
- Open the file with Adobe Acrobat Reader. You can download the program online free of charge.
- Enter your data into the document and sign it digitally. Here you can find instructions: "Fill and sign PDF forms".
- Save the completed contract on your computer and send your saved version by e-mail to email@example.com.
Alternatively, you can print out the DPA, fill it out, scan it and send it to us by email.
What happens if I do not sign the data processing addendum or do not sign it in time?
You can still use the orderbird app and my.orderbird.com without any restrictions. Since you are a business owner yourself, however, you are obligated to sign a DPA with us, because we also process a certain amount of data of your guests and your employees. You are the responsible party for signing the DPA in time. The penalties for non-compliance are high: entrepreneurs pay up to 4% of their total turnover or € 20 million.
My business is located in Switzerland. Am I affected by the GDPR?
Yes, you are! Because you never know when an EU citizen might visit your business.
What exactly does the GDPR say?
In short: This Regulation ensures that certain rules are respected in the processing of personal data of EU citizens. For example, the processing of personal data must be transparent and bound to a purpose.
You can find the full text of the GDPR here.
What data does orderbird store?
- Your sales data will be stored for 10 years, according to the legal retention period.
- Your personal data as well as personal data of your employees and, if applicable, data of your customers (for example name, company name, customer number, address) as well as communication data (for example e-mail address, telephone number) and contract billing and payment data are processed.
- All actions in your cash register that are logged according to GoBD requirements are saved. This includes, for example, information about who opened or closed a shift and when they did it, who booked or cancelled which items, etc.
- Your data is protected against unauthorized access.
- Only companies with whom we cooperate have contractually regulated access to your data within the scope of the cooperation. They handle your data as confidentially as we do!
The EU-US Privacy Shield
On 16 July 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield ineffective.
What does this mean for your business relationship with orderbird?
Basically we do not use any providers or subcontractors from non-EU countries for our services: All orderbird servers used for orderbird services are located in Germany.
Internally, we currently use software in our daily work that is offered by providers from so-called third countries and that is subject to the EU-US Privacy Shield Agreement. We are currently investigating whether, now that the Privacy Shield Agreement has been abolished, cooperation with these providers can be subject to other guarantees according to Art. 44 ff. GDPR. This examination will take some time, since it concerns not only the providers themselves but also any subcontractors they may use.
Should the examination reveal that another guarantee for the security of data processing as standardized in Art. 44 ff. GDPR cannot be used or implemented, we will terminate our cooperation with these providers.