Since May 25, 2018, the regulation for the protection of the data of European citizens has been in force: the EU General Data Protection Regulation (GDPR). As part of the GDPR, you as an entrepreneur are also obliged to ensure that the personal data of your employees and your guests (e.g. name, address, telephone numbers) are protected and processed in accordance with the new General Data Protection Regulation.
The data processing agreement (DPA)
As part of the use of the orderbird MINI and MY orderbird, orderbird stores and processes personal data from you and to a certain extent also from your employees and guests. For this reason, the law stipulates that you, as an entrepreneur, enter into an data processing agreement with orderbird.
What should I do?
Please download the data processing agreement (DPA), fill it out and send it back to us:
In the DPA we regulate in detail which personal data we collect for the provision of our services (orderbird app and my.orderbird.com), how we process them and which technical and organisational measures we take to protect them against access by unauthorised persons.
You can fill out and sign the DPA directly on your computer.
- Open it with the program Adobe Acrobat Reader. You can download this free of charge from the Internet .
- Enter your data in the contract and sign it digitally. Here you will find instructions on how to do this: “ Fill in and sign PDF forms ”.
- Save the completed contract on your computer and email this version to firstname.lastname@example.org.
Alternatively, you can also print out the DPA, fill it out and then scan it and email it to us.
What happens if I don't sign the order processing contract?
You can continue to use the orderbird app and my.orderbird.com without restrictions. However, since you are an entrepreneur yourself, you are obliged to agree a DPA with us, since we may also process data from your guests and employees. In case of doubt, you are liable if you do not take care of the conclusion of a DPA in time. The penalties for default are high: In the event of violations, entrepreneurs pay up to 4% of the total turnover, or €20 million.
What exactly does the GDPR say?
In short: This regulation ensures that certain rules are observed when processing the personal data of EU citizens. Among other things, the processing of the data must be earmarked, transparent and proportionate.
You can see the original text on the GDPR here.
What data does orderbird store about me?
- Your sales data will be stored for 10 years, in accordance with the statutory retention period
- Your data and data of your employees and, if applicable, data of your customers (e.g. name, company name, customer number, address) as well as communication data (e.g. e-mail address, telephone number) and contract billing and payment data are processed as personal data.
- All actions in your cash register that are logged as part of the GoBD are saved. This includes, for example, information about who opened or closed a shift and when, who booked or canceled which items, etc.
- Your data is protected with us against access by unauthorised persons .
- Only companies with whom we also work have contractually regulated access to your data as part of the collaboration. They treat your data as confidentially as we do!
The EU-US Privacy Shield
On July 16, 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield to be ineffective.
What does this mean for your business relationship with orderbird?
In principle, we do not use any providers or subcontractors from non-EU countries for our services: All orderbird servers used for orderbird services are located in Germany. Internally, we currently use software in our everyday work that is offered by providers from so-called third countries and is subject to the EU-US Privacy Shield Agreement. It is currently being examined whether the cooperation with these providers can be based on other guarantees according to Art. 44 et seq. GDPR after the Privacy Shield Agreement has ceased to exist. This check will take time, as it affects not only the providers themselves, but also any subcontractors they may use. If the check shows that another guarantee for the security of data processing standardised in Art. 44 et seq. GDPR cannot be used or implemented, we will end our cooperation with these providers.