This Data Protection Addendum (Addendum) forms part of the QSR Enterprise License Purchase Agreement as amended by the ELA Transcription Service Addendum, as updated from time to time between QSR International Pty Limited (QSR) and Customer (Agreement).
This Addendum shall apply to Personal Data that QSR or a QSR Affiliate processes in the course of providing the ELA Transcription Services to Customer under the Agreement.
Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Customer Affiliates, if and to the extent QSR processes Personal Data for which such Customer Affiliates qualify as the Controller. 
DATA PROCESSING TERMS
  1. Definitions
    1. In this Addendum, unless the context otherwise requires, the following terms have the meaning set out below:
Applicable Laws means all applicable laws, rules and/or regulations applicable to the Agreement (as amended) or the activities contemplated thereunder, including without limitation any applicable Data Protection Laws
Customer Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
Customer Group Member means Customer or any Customer Affiliate;
Customer Personal Data means any Personal Data Processed by a Processor on behalf of a Customer Group Member pursuant to or in connection with the Agreement;
Data Protection Laws means all laws, regulations, binding legislative and regulatory requirements and codes of practice relating to data protection and the Processing of Personal Data, as applicable to either party or the Services, including, without limitation the UK Data Protection Act 1998 and any regulations or instruments thereunder, Directive 95/46/EC of the European Parliament and of the Council of October 24 1995 and any successor legislation (including, with effect from 25 May 2018, the GDPR);
EEA means the European Economic Area;
GDPR means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016;
Processor means any QSR Group Member which processes Customer Personal Data;
QSR Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with QSR; and
QSR Group Member means QSR or any QSR Affiliate.
Restricted Transfer means:
  1. a transfer outside the EEA of Customer Personal Data from any Customer Group Member to a Processor or Subprocessor; or
  2. a transfer outside the EEA (or an onward transfer) of Customer Personal Data from a Processor to a QSR Affiliate or Subprocessor, or between two establishments of Processors,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under clause 7 below;
Services means the services and other activities to be supplied to or carried out by or on behalf of QSR for the relevant Customer Group Members pursuant to the Agreement;
Standard Contractual Clauses means the contractual clauses for the transfer of personal data approved by the European Commission, as amended, replaced or supplemented from time to time;
Subprocessor means any person (including any third party and any QSR Affiliate, but excluding an employee of QSR or any of its sub-contractors) appointed by or on behalf of QSR to Process Customer Personal Data in connection with the Agreement;
    2. The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" (or equivalent terms) shall have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws as are applicable from time to time.
  2. Interpretation
    1. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
    2. A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision from time to time, and is a reference to it amended, extended or re-enacted from time to time.
    3. Unless the context otherwise requires, words and expressions defined in the Agreement shall have the same meaning where used in this Addendum except where they are inconsistent with or replaced by the amendments set out in this Addendum.
    4. Nothing in this Addendum reduces QSR's or any QSR Affiliate’s obligations under the Agreement in relation to the protection of Personal Data or permits QSR or any QSR Affiliate to Process Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  3. Status of parties
    1. Customer and its relevant Customer Group Members shall be Controllers of the Customer Personal Data and, a reference to Customer shall be deemed to be a reference to the relevant Customer Group Member that is the Controller of the relevant Customer Personal Data in respect of the relevant Processing.
    2. Except to the extent expressly provided otherwise in the Agreement, QSR shall be the Processor of Customer Personal Data on behalf of Customer. 
    3. In relation to obligations which this Addendum purports to impose on QSR, where QSR is not the Processor it shall procure the performance of those obligations by the relevant QSR Affiliate. In relation to obligations which this Addendum purports to impose on a Customer Group Member, where Customer is not the relevant Customer Group Member it shall procure the performance of those obligations by the relevant Customer Affiliate.
  4. Customer obligations
    1. Customer and each relevant Customer Group Member shall comply with all Data Protection Laws in connection with the Processing of Customer Personal Data, the Services and the exercise and performance of its respective rights and obligations under this Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws and the terms of this Addendum.
    2. Customer (on its own behalf and on behalf of each relevant Customer Group Member) warrants, represents and undertakes, that:
      1. all data sourced by Customer for use in connection with the Services shall, before such data is provided to or accessed by QSR for the performance of the Services under this Addendum, comply in all respects with Data Protection Laws (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects); and
      2. all instructions given by it to QSR in respect of Customer Personal Data shall at all times be in accordance with Data Protection Laws.
  5. Processing of Customer Personal Data
    1. The Processor shall:
      1. comply with all applicable Data Protection Laws and the terms of this Addendum in the Processing of Customer Personal Data; and
      2. not Process Customer Personal Data other than on the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Customer Personal Data.
    2. The Customer, on its own behalf and on behalf of each relevant Customer Affiliate:
      1. instructs the Processor (and authorises the Processor to instruct each Subprocessor) to:
        1. Process Customer Personal Data; and
        2. in particular, transfer Customer Personal Data to any country or territory (subject to clause 7 being complied with),
      in each case as reasonably necessary for the provision of the Services and consistent with the Agreement; and
      2. warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 5.2.1 on behalf of each relevant Customer Affiliate.
    3. Annex 1 sets out certain information regarding the Processor’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
  1. QSR and QSR Affiliate Personnel
The Processor shall take reasonable steps to ensure that any employee, agent or contractor of any of them who may have access to the Customer Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and only Processes the Customer Personal Data on instructions from Customer.
  1. Security
QSR shall, and where it is not the Processor shall procure that the relevant QSR Affiliate shall, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the Processing, in particular protecting against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed, in accordance with Data Protection Laws and including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The standard security measures that the Processor shall implement shall include those measures set out in Annex 2.
  1. Subprocessing
    1. The Customer, on its own behalf and on behalf of each relevant Customer Affiliate, authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this clause 6 to appoint) Subprocessors in accordance with this clause 6 and any restrictions in this Addendum.
    2. The Processor may continue to use the following Subprocessors:
      1. Speechmatics
      2. Zuora
      3. Netsuite.
    3. QSR shall at least 14 days before appointing any new Subprocessor provide notice to the Customer via the MyNVivo Website including full details of the Processing to be undertaken by the Subprocessor. If Customer notifies QSR in writing of any objections (on reasonable grounds) to the proposed appointment QSR must not disclose any Customer Personal Data to the proposed Subprocessor except with the prior written consent of Customer.
    4. With respect to each Subprocessor, QSR shall:
      1. ensure that the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and
      2. if that arrangement involves a Restricted Transfer, ensure that the provisions of clause 7 are complied with.
  2. International data transfers
QSR shall, and where QSR is not the Processor it shall procure the performance of those obligations by the relevant QSR Affiliate, ensure that in respect of all Restricted Transfers, the Standard Contractual Clauses are at all relevant times: (a) incorporated into the agreement between the Processor and the Subprocessor; or (b) entered into directly between the Subprocessor and the relevant Customer Group Member(s).
  1. Data Subject Rights
    1. Taking into account the nature of the Processing, the Processor shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the relevant Customer Group Members' obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
    2. The Processor shall:
      1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
      2. not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate.
  2. Personal Data Breach
    1. The Processor shall notify Customer without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each relevant Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
    2. The Processor shall provide reasonable assistance to Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.
  3. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by the Processor and taking into account the nature of the Processing and the information available to the Processor.
  1. Deletion or return of Customer Personal Data
    1. Subject to clause 11.2, the Processor shall at Customer’s written request and option promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to QSR; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Processor.
    2. Each Processor may retain Customer Personal Data to the extent and for such period as required by Applicable Laws and always provided that the Processor shall hold such Customer Personal Data secure in accordance with clause 5 and ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
  2. Audit rights
    1. The Processor shall make available to each Customer Group Member on request all information reasonably required to demonstrate compliance with the obligations under Article 28 of the GDPR (or equivalent obligations under Data Protection Laws).
    2. Subject to clause 12.3, the Processor shall allow for and contribute to audits, including inspections, by any Customer Group Member or an auditor mandated by any Customer Group Member in relation to the Processing of the Customer Personal Data by the Processors.
    3. Information and audit rights of the Customer Group Members only arise under clause 12.2 to the extent that compliance cannot be adequately demonstrated in accordance with clause 12.1 or the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, Article 28(3)(h) of the GDPR), provided that such rights shall be subject to equivalent restrictions to those in the Agreement (including as to frequency, timing and minimising disruption). 
  3. General
Where a provision requires the Processor to assist Customer or a Customer Group Member with compliance with their obligations under Data Protection Laws, such assistance shall be provided at no additional cost where this can reasonably be accommodated within the standard provision of the Services. Otherwise, the associated costs shall be agreed between the parties in accordance with the change control or Addendum procedure applicable under the Agreement.
  1. Order of precedence
    1. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
    2. Subject to clause 13.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
ANNEX 1 TO QSR DATA PROCESSING ADDENDUM: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of the Customer Personal Data is set out in the Agreement. Processing of the Customer Personal Data by the Processor shall be for the term of the Agreement, provided that Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
The nature and purpose of the Processing of Customer Personal Data
The Processing of Customer Personal Data is QSR's provision of the applicable services under the Agreement, which shall involve performance on behalf of the relevant Customer Group Member of the tasks and activities set out in the Agreement for the purpose of providing those Services.
The types of Customer Personal Data to be Processed
The Processor may Process any or all of the following types / categories of Personal Data, and any additional types of Customer Personal Data, as set out in the Agreement and as relevant in the context of the Services.
Personal Data, including personal details, family details, lifestyle and social circumstances, financial details, employment and education details, goods or services, visual images, personal appearance and behaviour, geolocation data.
Sensitive Personal Data / other categories of Personal Data, including information relating to physical or mental health data, genetic data or biometric data, criminal offences and alleged offences and proceedings, racial or ethnic origin, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.
The categories of Data Subject to whom the Customer Personal Data relates
The categories of Data Subjects include any or all of the following individuals: Customer Group Member customers and clients, research participants, Customer Group Member advisers, consultants and other professional experts, Customer Group Member employees and staff, Customer Group Member suppliers and service providers, complainants and enquirers who contact Customer Group Members, and/or individuals captured by CCTV images, including staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Agreement (as varied).
ANNEX 2 TO QSR DATA PROCESSING ADDENDUM: STANDARD SECURITY MEASURES
 
  1. Network Security Management
Purpose: To ensure the protection of information in networks and its supporting information processing facilities.
1.1. Responsibility and Ownership
i.          Networks shall be managed to ensure the security of data and the protection of connected services from unauthorised access. The overall responsibility for provision of network services and ensuring their security, to meet the business need, resides with the Head of Customer Infrastructure and Operations and the Head of Content Infrastructure and Distribution.

1.2. Network Controls
Configuration standards
  1. Configuration standards for network equipment shall be documented to provide instruction to staff regarding the configuration and setup of the equipment. The configuration standards should cover topics such as:
  • Device hardening
  • Admin account setup
  • Naming conventions
  • Configuration backup
  • Logging requirements
 
Change Control
  1. Changes to the configuration of the network shall be subject to documented change control procedures.
Diagrams
  1. Layer 3 and Layer 2 network diagrams must be maintained and kept up-to-date. Any network changes being presented through the change review process that have a material impact on the layer 3 or layer 2 topology need to be presented with as-is and to-be network diagrams to highlight impacts of the changes.
Network Management
  1. Access to network management systems shall be tightly controlled, making sure that users do not have more privilege than is required to perform their job. Access to network management systems, and the level of access granted shall be authorised by the Manager Infrastructure & Operations – Corporate, Network & Broadband Systems.
  2. Access to the network management interface on network security appliances shall be restricted to specially created network management VLANs.
  3. Authentication into devices and services that provide a network security function, for users with admin change privileges, should incorporate multi factor authentication.
Logging and Monitoring
  1. Appropriate logging and monitoring shall be applied to enable recording of network based events that may affect, or are relevant to Information Security. Examples of the types of events that need to be logged include:
  • Configuration change events on network devices
  • IP conversation history between systems on the network
  • Allow and deny hits on security policies on network security devices
  2. Logs shall be retained for a minimum of one year to allow for forensic investigation of historical incidents.
Network Connection Control
  1. Any exposed network connection point that allows a user to plug a workstation into the network shall support authentication. 802.1X-based controls using username and password or machine certificates are preferred; MAC-based authentication is the minimum standard.
  2. Non QSR International managed computers are not permitted to be plugged into the QSR International corporate network.
  3. Computers of partner organisations that require access to QSR International systems may only be connected to a specially designed contractor network that segments the connected computers from the remainder of the corporate network and provides tight controls over precisely which internal systems can be accessed.
Wireless Network Security
  1. Staff, contractors, consultants or visitors must not introduce wireless networks or Access Points (AP) into a QSR International site. Wireless networks must only be setup by authorised Information and Technology Network administrators and must be approved by the Change Advisory Board through the change control process.
  2. An inventory of authorised wireless access points is to be maintained including a documented business justification.
  3. Business sites must be swept quarterly to detect and identify all authorised and unauthorised wireless access points.
  4. The wireless network shall be encrypted using a suitably strong protocol. The preferred standard is WPA2. Use of WPA and WEP is prohibited. A high level of key strength should be used (128 bit or higher). Static keys should be avoided, although they are permitted for guest networks that provide Internet access only and no access to the internal network.
  5. All wireless access points deployed at any QSR International site need to support central management through a single common management system.
1.3. Segregation in networks
i.          Groups of information services, users and information systems shall be segregated on networks through the design and implementation of network security domains. There are a variety of ways to define network security domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organisational units (e.g. human resources, finance, marketing) or some combination (e.g. a server domain connected to multiple organisational units). The segregation can be performed using either physically different networks or different logical networks.
ii.          The network domain model needs to communicate the intent of network segmentation at QSR International, the typical control sets to apply to each domain and the communication rules between domains.
1.4. Requirements for Firewalls (including routers)
i.          External network boundaries shall be secured by the use of an appropriately configured and managed firewall or combination of firewalls. Firewalls shall be configured to provide the maximum amount of security consistent with business requirements.
ii.          The security of gateways and firewalls must be subjected periodically to expert scrutiny with reference to the registered connections, and to penetration testing. This must be undertaken at least once a year, and after any major reconfiguration.
iii.         Any part of a network that is on premises where QSR International does not have control of the physical security shall be segregated by a firewall. Inward access shall be subject to risk assessment and strict control. A DMZ shall be used wherever possible for servers that are accessed by external users.
iv.        All firewall rules and router ACLs shall be adequately documented so that an independent reviewer can understand their purpose, and the documentation must be maintained and made available for audit. Rulesets and ACLs must be reviewed regularly (at least annually, and preferably quarterly) to ensure that rules are correct and up-to-date.
v.         Disclosure of private IP addresses and routing information to unauthorised parties is prohibited. Note: Methods to obscure IP addressing may include, but are not limited to:
•           Network Address Translation (NAT)
•           Placing servers containing cardholder data behind proxy servers/firewalls,
•           Removal or filtering of route advertisements for private networks that employ registered addressing,
•           Internal use of RFC1918 address space instead of registered addresses.
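Item v. above prohibits disclosure of private addressing to unauthorised parties, but the most common leak is not a deliberate disclosure: it is an internal address embedded in an error page, a `Via`/`X-Forwarded-For` header or a redirect emitted by an edge server. The following script, an added example rather than part of QSR's policy text, scans externally visible output for RFC 1918 (plus loopback and link-local) IPv4 addresses so that such leaks can be caught in a test pipeline or a periodic external scan. The sample HTTP response is constructed for illustration; the header names and addresses in it are assumptions, not observed QSR traffic.

```python
"""Detect internal IPv4 addresses leaking in externally visible text.

Added example: not part of the QSR policy annex. Sample input is constructed.
"""
import ipaddress
import re
from typing import List, Tuple

# Generous dotted-quad matcher; ipaddress.ip_address() validates each
# candidate, so strings like "999.1.1.1" are rejected later.
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# RFC 1918 ranges, plus link-local and loopback, which also reveal
# internal topology and are equally inappropriate in external output.
_INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_internal(addr: str) -> bool:
    """True if addr parses as an IPv4/IPv6 address inside an internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in _INTERNAL_NETS)


def find_internal_addresses(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, address) for every internal address found in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _IPV4_CANDIDATE.finditer(line):
            if is_internal(match.group(1)):
                hits.append((lineno, match.group(1)))
    return hits


# Constructed sample: what an external scanner might see from a misconfigured
# reverse proxy. "proxy.example.net" and the header names are assumptions.
SAMPLE_RESPONSE = """\
HTTP/1.1 500 Internal Server Error
Server: nginx
X-Backend-Server: 10.20.30.40
Via: 1.1 proxy.example.net (203.0.113.7)
Content-Type: text/html

<html><body>upstream 192.168.1.25:8080 timed out; trace 1.2.3.4.5</body></html>
"""


def main() -> None:
    for lineno, addr in find_internal_addresses(SAMPLE_RESPONSE):
        print(f"line {lineno}: internal address disclosed: {addr}")


if __name__ == "__main__":
    main()
```

Run against the sample, the scanner reports the backend address in the `X-Backend-Server` header and the upstream address in the error body, while ignoring the public proxy address and the malformed five-octet string. Feeding it the output of an external crawl of the public-facing hosts gives a cheap, repeatable check for the requirement in item v.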
vi.        Any QSR International managed mobile device, or employee owned device that facilitates access to QSR International resources and also connects to the Internet when outside the QSR International network shall have personal firewall software installed.
2.         Information Transfer
Purpose: To maintain the security of information transferred within an organisation and with any external entity.
2.1. General
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video. Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
i.          The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered and documented.
ii.          The sensitivity of the information being transferred and the party it is being transferred to will be critical factors in the overall assessment of the risk associated with the information transfer and the controls that should be put in place to secure the transfer.
2.2. Transfer of sensitive or confidential information
Refer to Supplier Relationships Security Policy for details of Information Security in supplier relationships.
The following are the minimum sets of controls that need to be put in place for the transfer of sensitive or confidential information.
i.          When sharing confidential information with a 3rd party, a non-disclosure agreement shall be put in place prior to the sharing of any information. The non-disclosure agreement should cover the following elements:
•           a definition of the information to be protected (e.g. confidential information);
•           expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
•           required actions when an agreement is terminated;
•           responsibilities and actions of signatories to avoid unauthorised information disclosure;
•           ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
•           the permitted use of confidential information and rights of the signatory to use information;
•           the right to audit and monitor activities that involve confidential information;
•           process for notification and reporting of unauthorised disclosure or leakage of confidential information;
•           terms for information to be returned or destroyed at agreement cessation;
•           expected actions to be taken in case of a breach of the agreement.
ii.          QSR International employees dealing with confidential QSR International information must be subject to non-disclosure agreements.
iii.         Transfer of sensitive or confidential information to 3rd parties via electronic means shall be encrypted in transit. Email is not to be used for the communication of sensitive information to third parties unless the attached payloads are encrypted. Decryption keys used in email communication must not be sent via email; a separate, out-of-band communication channel must be used for this purpose.
iv.        QSR International data needs to be classified to determine its sensitivity and confidentiality level. Access controls need to be put in place to ensure that only staff whose roles require access to sensitive data can actually access the information. Systems need to be put in place to ensure that reports can be generated showing who has accessed sensitive information, when they accessed it and from where.
v.         Systems put in place for the electronic transfer of data between QSR International systems and 3rd party company systems, such as API gateways and SFTP servers, need to be approved by QSR International. The interfaces exposed to third parties must be tested every year for vulnerabilities.
vi.        The use of peer-to-peer file transfer applications is strictly prohibited.
Peer-to-peer file sharing is the distribution and sharing of digital media using peer-to-peer (P2P) networking technology. P2P file sharing allows users to access media files such as books, music, movies and games using a P2P software program that searches for other connected computers on a P2P network to locate the desired content. The nodes (peers) of such networks are end-user computers and, optionally, distribution servers. Examples include BitTorrent and Gnutella.
vii.        The use of consumer-based, cloud file sharing services (e.g. Dropbox, Google Drive, Box) is prohibited for the transfer of QSR International data.
viii.       Transfer of sensitive information over public networks must be encrypted at all times.
3.         Electronic messaging
i.          Employees shall receive security awareness training to reduce the risk of introducing malicious software.
ii.          Emails and attachments can be a source of malicious software and should be treated with caution.
iii.         Unsolicited emails are to be deleted and not responded to.
iv.        When sending email, employees are responsible for checking that the email is correctly addressed, and that the content of the message is only being sent to appropriate persons.
v.         Email sent unencrypted over the Internet is not secure and may be liable to interception, copying and tampering. Where confidential information must be sent outside QSR International’s own networks, an approved, secure messaging service shall be used to ensure security. Under no circumstances may user account information or passwords be sent over the Internet.
vi.        Email shall be retained according to QSR International’s Record Retention Schedule (in draft with Legal).
vii.        Users are prohibited from automatically forwarding QSR International email to a third party email system as doing so might cause emails with confidential or inappropriate content to be transmitted over the Internet.
viii.       Individual messages which are forwarded by the user must not contain QSR International confidential or sensitive information.
ix.        Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct QSR International business, to create or memorialise any binding transactions, or to store or retain email on behalf of QSR International. Such communications and transactions must be conducted through proper channels using QSR International-approved documentation and systems.
x.         Users are prohibited from using applications or software that have not been approved for use by QSR International for accessing or managing QSR International email, calendaring, or tasking systems.
xi.        Non-QSR International related commercial uses are prohibited.
xii.        QSR International employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
xiii.       QSR International may monitor messages without prior notice. QSR International is not obliged to monitor email messages.
xiv.      Acceptable use of electronic mail and other electronic forms of communication by users is covered by the Acceptable Use of Assets section of the Asset Management Policy, which is available on the Portal.
xv.       All use of email must be consistent with QSR International policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
3.1. Business information systems
i.          Confidential information can be communicated by other systems such as voice mail, fax machines, printers, etc. These are subject to comparable security provisions to electronic mail.
ii.          Fax machines and printers that are used for printing out confidential information shall be located in secure rooms or protected by keys or personal passwords. It is the user’s responsibility to check that faxes are sent to the correct number, and print-outs to the correct printer.
iii.         Voice mail systems shall be protected by personal passwords or pin numbers.
3.2. Using the Internet
i.          Employees must use internet services in a responsible and security conscious manner.
ii.          This section applies to services utilising the Internet such as web browsing, Instant Messaging, Skype, Internet Protocol (IP) telephony, video conferencing or file sharing sites.
iii.         Unless applications using these communications methods are evaluated and approved by IT Compliance, they must not be used for communicating sensitive or classified information over the Internet.
iv.        All Employees must report any suspicious contact from external or unknown sources to the Service Desk, especially contact from external sources using Internet services. Suspicious contact may relate to questions regarding the work duties of employees or the specifics of projects being undertaken by employees.
v.         Monitoring of breaches of web usage policies—for example attempts to access blocked websites such as pornographic and gambling websites—as well as compiling a list of employees who excessively download or upload data without a legitimate business requirement assists QSR International in enforcing their web usage policies.
3.3. Posting official information on websites
i.          Employees must not post sensitive or classified information on public websites, especially in forums, blogs and social networking sites. Even unclassified information that appears to be benign in isolation could, when combined with other information, have a considerable security or reputational impact on QSR International.
ii.          To report cases where such information is posted, employees are to advise their leader.
iii.         To ensure that personal opinions of employees are not interpreted as official Policy, employees must maintain separate professional and personal accounts when using websites, especially when using online social networks.
iv.        Employees may post information authorised for release into the public domain only on approved websites.
3.4. Peer-to-peer applications
i.          The installation and use of peer-to-peer applications is prohibited.
ii.          Employees are not to send or receive files via peer-to-peer applications.
iii.         Only QSR International approved methods of file sharing are to be used.
3.5. Electronic Commerce Services
Electronic commerce
i.          Electronic communication and commerce is vulnerable to a number of network threats which may result in fraudulent activity, contract dispute and disclosure or modification of information. When commercial information is communicated, a risk assessment shall be conducted to determine the appropriate level of controls that should be applied to protect against such threats.
Security considerations for electronic commerce shall include:
•           Authentication of the parties.
•           Authorisation of transactions.
•           Confidentiality and integrity of contract information.
•           Proof of transactions and non-repudiation.
•           Integrity of pricing information.
•           Vetting of payment information.
•           Protection of settlement against fraud.
•           Confidentiality and integrity of order information.
•           Liability for fraudulent transactions.
ii.          Electronic commerce arrangements between trading partners shall be supported by a documented agreement which commits both parties to the agreed terms of trading.
iii.         Consideration should be given to the resilience to attack of the host used for electronic commerce, and the security implications of any network interconnection required for its implementation.
On-line transactions
iv.        When an application involves on-line transactions that are confidential or sensitive (e.g. contractual or financial transactions), then a risk assessment shall be made to determine the appropriate level of controls.
v.         Transactions shall be protected against misrouting, and against any unauthorised alteration, disclosure or replay.
vi.        The following security measures shall be considered:
•           Use of electronic signatures for each of the parties involved in the transaction.
•           Encryption of the data between all involved parties.
•           Ensuring stored transaction data is not accessible from the Internet.
3.6. Publicly available systems
i.          Information that is published to publicly available systems, e.g. Internet Web servers, shall be protected from unauthorised modification. Such servers shall be hardened against attack, and the integrity of the information shall be checked frequently, preferably by an automated mechanism. There shall be a formal authorisation process before information is made publicly available.
ii.          Software, data and other information requiring a high level of integrity, when it is made available on a publicly available system, shall be protected by appropriate mechanisms, e.g. digital signatures.

By using this site, you acknowledge that you have reviewed the terms of this QSR Global Data Privacy Policy (“Privacy Policy”) and agree that we may collect, use, process and transfer your personal data in accordance with this Policy. If you do not agree with these terms, you may choose not to provide any personal data and not to use our site.  However, you may then not be able to use our products or services. This Privacy Policy also forms part of the Terms and Conditions for ordering and purchasing QSR’s products and services.

Who are we?

QSR International Pty Ltd A.C.N. 006 357 213 (“QSR International”) is a global organization. QSR International’s Head Office is located in Australia, with offices in the UK, US, and Japan.
The related entities of QSR International include the following:
  • QSR International (UK) Limited – United Kingdom
  • QSR International (Americas) Inc. – U.S.A.
  • QSR International Japan K.K. – Japan
For the purposes of this Privacy Policy, QSR International and its related entities will collectively be known as “QSR”. As part of the business operations of QSR, all the information you provide may be transferred or accessed by the various entities within the QSR group of companies and by QSR’s offices around the world in accordance with the provisions of this Privacy Policy.

QSR is committed to protecting the privacy of its customers’ personal data and the responsible use of such information in accordance with the relevant laws which relate to data privacy and handling of such information. We have developed this Privacy Policy to explain how we collect, store, use, process and disclose your personal data used online and across regions. 

Please read this Privacy Policy carefully for a clear understanding of how we collect, use and handle your personal data on our website.

From time to time we may make changes to the QSR Global Data Privacy Policy in accordance with legislative changes and business requirements.  The most current version of the QSR Global Data Privacy Policy will be posted on the QSR website.  In this Privacy Policy, “we”, “our” and “us” refers to QSR International and its related entities; and “you”, “your” and “yours” refers to our customers and third parties, excluding employees of QSR.

Consent needs to be free and informed.  You must ensure you understand the purpose for the collection.

In addition to QSR’s safeguards as contained in this Privacy Policy, the relevant laws protect your personal data.
  • Australia - The Australian Privacy Principles (“APPs”) are contained in schedule 1 of the Privacy Act 1988 (Cth). QSR International is considered to be an APP entity under the Australian Privacy Act and must comply with the Australian Privacy Act as to how to handle, use and manage personal information (as defined in the Australian Privacy Act 1988 (Cth)).
  • UK - Your personal data is protected in the UK by the Data Protection Act 1998 which requires data controllers to ensure that your personal data is processed lawfully and fairly. The EU Directive 2016/679 for the General Data Protection Regulation (“GDPR”) came into force on 24 May 2016 and will apply from 25 May 2018. The GDPR intends to unify data protection laws within the EU and the export of personal data of EU residents outside the EU. It is likely that the GDPR will be implemented by the UK despite Brexit.
  • U.S. - Data privacy is not currently highly regulated in the U.S. Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. With the exception of California, very few states recognize an individual's right to privacy. The U.S. believes in self-regulation of data protection by companies.
  • Japan – The Act on the Protection of Personal Information 2003 (“APPI”) handles the protection of personal data in Japan.
This Privacy Policy sets out how we protect an individual’s personal data and provides information on:
  1. the general categories of personal data we collect;
  2. why we collect an individual's personal data;
  3. how it will be used, and who it will be disclosed to; 
  4. the legal basis of our processing that personal data; and
  5. your rights in relation to the personal data we collect.
 

What Type of Data is Collected?

QSR will collect, store, use, process and disclose personal data in the manner permitted by law. Personal data is any information or an opinion about an identified or identifiable natural person (“data subject”). The personal data collected, stored, used, processed and disclosed by QSR which is required for use of our website or software may include your name, an identification number, date of birth, gender, postal and email address, phone number, contact preferences, and credit and debit card information. When you apply for or we need to facilitate a specific product or service, we may also collect information from you related to that product or service.

If you are applying for employment with QSR, we may collect and process information about you such as employment history, qualifications, residency status, background check and other information required as part of the recruitment process. In that regard, we may also collect sensitive information or special categories of data such as health or medical information, racial or ethnic origin, and criminal convictions. You acknowledge and give your consent for QSR to collect, store, use, process and disclose any such information and personal data for the purpose of assessing your application for employment with QSR.


How does QSR Collect Your Personal Data?

QSR collects your personal data in various ways, such as over the phone, via email, over the internet if you transact with QSR online, when you register on our website, fill out a form, activate the QSR software etc.  We may also collect personal data about you from third parties, including (but not limited to) from our partners, agents and resellers.   

When ordering or registering on our website, as appropriate, you may be asked to enter your personal data such as your name or email address. We may ask for further personal data that identifies you, including your mailing address, phone number, contact preferences, and credit card information. QSR does not store your credit card information as payments are processed through third parties using external payment gateways.

In particular, your personal data will be collected when you participate in the following activities:
  • Request for free trial software download.
  • Purchase a product from QSR.
  • Activate QSR software and e-demos (includes trial software).
  • User testing community
  • Register for QSR training, webinars, conferences, events or exclusive content.
  • Subscribe to email communications and newsletters.
  • Submit a product support request (including product crash report dialogues)
  • Contact QSR about a query.
  • Participate in an online survey and/or user testing activities. 
  • QSR marketing/ promotional activities.
  • Surf the QSR website.
  • Visit QSR Partner sites.
You may visit our website anonymously or choose not to give us your personal data. However, without your personal data, we will not be able to provide you with the products or services which you may request of us nor will we be able to respond to any of your queries.

If you provide personal data to QSR about another person, then you are responsible for telling the other person that you have provided their personal data to QSR. You must inform them that QSR may use their personal data, and refer them to this Privacy Policy. By providing personal data relating to another person to QSR, you represent that you are legally permitted to provide such personal data, and QSR will not be responsible for verifying any such authorization.


How Your Personal Data may be Used by QSR 

QSR may collect, store, use, process and disclose your personal data (and you consent to us doing so) for the following purposes:
  • To personalize your experience as a user and to allow QSR to deliver the type of content and product offerings in which you are most interested.
  • To improve the QSR website in order to better serve you.
  • To enable QSR to respond promptly to your customer service requests.
  • To administer a contest, promotion, marketing survey or other site feature.
  • To facilitate payment transactions.
  • To review QSR services or products.
  • To communicate with you as a follow up to any queries via live chat, email or phone.
  • To provide the service(s), information or products you have requested or to carry out the transaction(s) you have authorised (or we may disclose this information to authorised QSR partners to undertake this activity on our behalf). 
  • For research and development in order to improve QSR’s product offerings/solutions to you.
  • For job applications within QSR, to review your skills and experience for employment. 
  • Where such use and process is required in order to ensure compliance with a legal obligation of QSR.


Retaining your Personal Data

We will retain your personal data for the period necessary to fulfil the purposes outlined in this Privacy Policy.  In most cases it may not be possible for us to specify in advance the periods for which your personal data will be retained.  In such cases, we will determine the period of retention based on the period required by applicable law.

QSR will destroy or de-identify your personal data if it is no longer needed for the purpose for which it could be used or disclosed in terms of applicable law.


Types of Data not Collected by QSR 

QSR does not collect any details of the data you are working with when you use our software products. This data is stored only in the projects or files into which you direct the software to save the data.
NCapture stores the data you capture only in the files you create. When using NCapture to capture data from social media sites, you may be asked by the site whether you wish to grant NCapture permission to collect particular kinds of data. 

Choosing to grant these permissions to NCapture:
(a)    Does not allow NCapture to capture any data that you, as a user of that social media site, do not yourself have access to.
(b)    Does not cause NCapture to send any captured data to QSR.

When you import data captured using NCapture into NVivo, you have the option to exclude some unwanted information (such as location or bio). Refer to the Help documentation in NCapture and NVivo for further details.


Third Parties to whom QSR may Disclose your Personal Data

In providing the products and services to you, and insofar as reasonably necessary for those purposes, QSR may need to disclose your personal data to third parties including: 
  • QSR’s suppliers, subcontractors, agents, solicitors, professional advisers, government regulatory bodies, tribunals, courts of law, debt collection agents, insurers and to their respective related entities.
  • Third parties engaged by QSR (who will be bound by confidentiality obligations) in your geographic region or able to communicate in your language, to ensure that you are better serviced. 
  • Third parties engaged by QSR to conduct customer satisfaction surveys (only with your prior consent). 
  • A third party event management platform such as Eventbrite to register QSR hosted events, workshops, eWorkshops and webinars.  Eventbrite has its own privacy policy and may be a data controller in its own right in relation to the personal data we disclose to Eventbrite.
  • In the event of a re-organization, merger, or sale we may transfer your personal data to a third party (who will be bound by confidentiality obligations) during the due diligence process.
  • Payment services providers in relation to financial transactions relating to our services, including processing payments.
  • In relation to disclosure necessary for compliance with a legal obligation applicable to QSR, we may also disclose your personal data in circumstances where necessary in legal proceedings, whether in or out of court.
Except as provided in this Privacy Policy, QSR will not disclose your personal data to a third party unless the disclosure is required or authorized by law, in an emergency or in the event of an investigation of suspected criminal activity such as fraud.


How does QSR keep your Personal Data Secure?

QSR has implemented security measures to protect personal data received from you. The following security measures are in place:
  • QSR uses malware scanning.  QSR’s website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to QSR’s website as safe as possible.
  • Your personal data is contained behind secured networks and is only accessible by a limited number of persons duly authorized by QSR, and required to keep the information confidential.
  • If you make an online application or undertake a payment transaction using QSR’s website, QSR takes additional steps to protect the security of your personal data. Your personal data is encrypted via a Secure Socket Layer (SSL) technology (in your web browser, you can confirm that your session is encrypted by the appearance of a locked padlock symbol at the foot of the browser).
  • All payment transactions are processed through a gateway provider and are not stored or processed on our servers.
Notwithstanding the security measures implemented by QSR, you should be aware that there are risks in transmitting information across the internet. While QSR takes measures to protect your personal data, we cannot warrant the security of any information transmitted to QSR online and users of our website do so at their own risk. QSR will remove your personal data from its system where it is no longer required unless QSR is required by law to store your personal data.


International Transfers of Personal Data

In certain circumstances we may need to transfer your personal data to countries outside the country in which the data was collected (or, in the case of personal data collected within the European Economic Area (“EEA”), to countries outside the EEA) including our offices around the world (currently located in Australia, USA and Japan). International transfers of your personal data will be protected by the appropriate safeguards, namely the standard data protection model clauses adopted by the European Commission or a supervisory authority, which we will incorporate into our agreements with such transferees of personal data.  You can find a copy of model contract clauses for transferring personal data outside the EEA at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

As a customer or website user of QSR, you give your consent to QSR to transfer or grant access to your personal data between the companies in the QSR group. All data is transferred or accessed using either a secure transport layer or an encryption algorithm. The majority of the data collected is then centralised and imported into a central customer relationship management system, and housed within secure data centre facilities. This is available to staff across all regions within the QSR group by way of an encrypted secure transport layer, and individual staff authentication is required.


Cloud Storage of Personal Data

We may store data on remote servers operated by a cloud service provider to QSR rather than storing it on our own servers. Regardless of where you use our online services or provide information to us, the information may be transferred to and maintained on servers located outside the country in which the data was collected (or, in the case of personal data collected within the EEA, to countries outside the EEA).  By providing any data through the online services, you hereby expressly consent to such transferring and processing of your data in such third countries.

Transfers of personal data to servers operated by cloud service providers outside the EEA will be protected by the appropriate safeguards, namely the standard data protection clauses adopted by the European Commission or a supervisory authority, which we will incorporate into our agreements with such cloud service providers.  You can find a copy of model contract clauses for transferring personal data outside the EEA at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

All data is stored with secure methods and with limited/restricted access to persons authorized by QSR. Data from the various collection points within the QSR group is stored in Australia, USA, Singapore and Ireland.


Your Rights

You have certain rights under law regarding your personal data.  These are set out below, with each right followed by how you may exercise it:

Right to be informed: You have the right to be informed about our collection and use of your personal data.  It is important that we are transparent about this.

Right of access: You have the right to obtain confirmation as to whether your personal data is being processed, and where this is the case, access to your personal data (provided it does not adversely affect the rights and freedoms of others) and to obtain from us certain information relating thereto, including (but not limited to):
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients of your personal data;
  • the envisaged period for which we will hold your personal data.

Right to request rectification: You have the right to require us to:
  • rectify any inaccurate personal data we hold about you without undue delay;
  • complete any incomplete personal data, taking into account the purposes of the processing.

Right to request erasure ("right to be forgotten"): You have the right to request that your personal data be erased without undue delay.
We will be required to comply with such a request without undue delay in certain circumstances, including (but not limited to) where:
  • the personal data is no longer necessary in relation to the purpose for which it was collected;
  • you withdraw the consent on which the processing of such personal data is based;
  • the personal data has been unlawfully processed.
In certain circumstances, we will not be required to comply with such a request, including (but not limited to) where the processing of such personal data is necessary for:
  • compliance with a legal obligation;
  • the establishment, exercise or defense of legal claims.

Right to restrict processing: In certain circumstances you have the right to restrict our processing of your personal data, including (but not limited to) where:
  • you contest the accuracy of such personal data;
  • the processing of such personal data is unlawful, you object to the erasure thereof and prefer that the processing thereof be restricted instead;
  • we no longer need the personal data for the purposes of processing, but you require it for the establishment, exercise or defense of legal claims.
In such circumstances, we may continue to store your personal data, and may only process it with your consent:
  • for the establishment, exercise or defense of legal claims;
  • for the protection of the rights of another natural or legal person; or
  • for reasons of important public interest of the European Union or of a member state.

Right to data portability: Provided it does not adversely affect the rights and freedoms of others, you have the right to obtain and reuse your personal data for your own purposes.

Right to object: You have the right to object, on grounds relating to your particular situation, to:
  • processing your personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority;
  • processing your data for direct marketing purposes; and
  • processing your personal data for scientific, historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to withdraw consent: You have the right to withdraw your consent to us using and processing your personal data at any time. The lawfulness of any processing based on consent before such withdrawal will not be affected.

Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority if you consider the processing of your personal data an infringement of your rights under applicable privacy laws.

If you wish to speak to us in relation to any of your rights, please contact our data protection officer at the address set out below.


Links to Third Party Sites

The QSR website may provide links to other sites for your convenience and information. These websites may be operated by companies other than QSR. Linked websites may have their own privacy policies. QSR is not responsible for the content or privacy practices of any linked websites that are not operated by QSR.


Blogs and Other Interactive Services

QSR may provide blogs, online forums or other interactive services on its website which enable users to post and share information. Any information posted or shared by users through blogs, online forums or other interactive services will become public information and will be available to other users who access the QSR website.


Cookies

Cookies are small files that a site or its service provider transfers to your computer's hard drive through your web browser (if you allow) that enables the site's or service provider's systems to recognize your browser and capture and remember certain information.

We use cookies to understand and save user preferences for future visits and compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future.

Data collected through the use of cookies may include personal data (and therefore will be regulated by applicable privacy laws) if the data subject is an identified or identifiable natural person.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings.

If you disable cookies, some features will be disabled. As a result, your site experience may be less efficient and some of our services will not function properly. However, you can still place orders.


Direct Marketing

We do not sell, trade, or otherwise transfer to third parties (other than as set out in this Privacy Policy) your personal data for the purposes of direct marketing. However, we may provide non-personally identifiable user data to third parties for marketing, advertising, or other uses. 

You will have a choice to opt out of any of our marketing activities, and QSR will respect your request not to receive marketing material. We will implement your request to opt out of all marketing activities as soon as practicable upon receipt of your request.


Unsubscribe from Emails 

If at any time you would like to unsubscribe from receiving future emails, you can email us at info@qsrinternational.com and we will promptly remove you from all correspondence from us.


Children

QSR considers a child to be anyone under the age of 18. We do not knowingly seek or collect personal data from a child without the consent of a parent or guardian. If QSR becomes aware that personal data that has been submitted relates to a child without the consent of a parent or guardian, QSR will use reasonable efforts to delete that personal data from its files as soon as possible and ensure, where deletion is not possible, that such personal data is not used further for any purpose, nor disclosed further to any third party.


How to Contact Us

You can contact us in writing about how we have handled your personal data at any time. At all times, privacy complaints will be treated seriously and in a confidential manner without affecting your existing commercial arrangements between you and QSR.

Our data protection officer is responsible for all matters relating to privacy and data protection.  He/she can be reached at the following address:  
Data Protection Officer
QSR International Australia (Head Office)
2nd Floor, 651 Doncaster Road
Doncaster, Victoria 3108
Australia
Email: dataprotectionofficer@qsrinternational.com

Our data protection officer will commence an investigation into your complaint, and inform you of the outcome of your complaint within a reasonable time following the completion of the investigation, and otherwise in accordance with time frames set out in privacy laws.