Data Processing Agreement


MaxOptra Data Processing

RECITALS:

  1. Data Processor has granted a Maxoptra Licence to the Data Controller, pursuant to the Maxoptra Licence and Service agreement Data Processor provides the Services which include processing Personal Data on behalf of the Data Controller.
  2. Under paragraph 3 of Article 28 to the General Data Protection Regulation (EU Regulation 2016/679, GDPR) the Data Controller is required to put a written agreement in place with any organisation which processes personal data on its behalf governing the processing of that data. The Data Controller is such an organisation and this Agreement constitutes such written agreement for the purposes of that Article.
  3. The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.
IT IS AGREED as follows:

1. Definitions and Interpretation

1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Agreement means this Agreement and each of the Schedules (as amended or supplemented at the relevant time);
Data Controller, Data Processor, processing, and data subject respectively have the meanings given to the terms controller, processor, processing, and data subject respectively in Article 4 of the GDPR;
ICO means the UK’s supervisory authority, the Information Commissioner’s Office;
Maxoptra Licence means a written licence of the right to use the Maxoptra software granted by the Data Processor to the Data Controller via Licence and Service agreement signed between the Data Processor and the Data Controller;
Maxoptra software means the route optimisation and fleet management software developed and owned by Data Processor which is licenced to the Data Controller under a Maxoptra Licence;
Personal Data means all such personal data, as defined in Article 4 of the GDPR, as is, or is to be, processed by Data Processor on behalf of the Data Controller, as described in Schedule 1;
Services means services provided by the Data Processor and the Maxoptra software licenced to the Data Controller under the Maxoptra Licence and Service agreement to the extent that these services comprise data processing by the Data Processor;
Sub-Processor means another processor appointed by the Data Processor for carrying out specific processing activities on behalf of the Data Controller; and
Sub-Processing Agreement means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 9.

1.2 Unless the context otherwise requires, each reference in this Agreement to:

1.2.1. writing, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;

1.2.2. a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;

1.2.3. “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;

1.2.4. a Schedule is a schedule to this Agreement; and

1.2.5. a clause or paragraph is a reference to a clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.

1.2.6. a Party or the Parties refer to the parties to this Agreement.

1.2.7. The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.

1.2.8. Words imparting the singular number include the plural and vice versa.

1.2.9. References to any gender include all other genders.

1.2.10. References to persons include corporations.

2. Scope and Application of this Agreement

2.2. The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 1, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.

2.3. The provisions of this Agreement supersede any other arrangement, understanding, or agreement including, but not limited to, Maxoptra Licence and Service Agreement made between the Parties at any time relating to the Personal Data.

2.4. This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller.

3. Provision of the Services and Processing Personal Data

The Data Processor agrees that, save as required by law or competent authority, it shall only process Personal Data received from the Data Controller for the purposes of providing Services or as otherwise notified lawfully and properly instructed (whether specifically or generically) by the Data Controller.

4. Data Protection Compliance

4.1. Data Controller agrees not to instruct Data Processor to do anything which is or may be in breach of any requirement of the GDPR (or other applicable law). Data Processor shall be required to act only on instructions given by the Data Controller in writing.

4.2. Subject always to taking such steps as the Data Processor reasonably considers appropriate to ensure that it is able to comply with laws and applicable regulations, the Data Processor shall, to the extent that it is reasonably able, promptly comply with any express written request from the Data Controller requiring the Data Processor to amend or delete Personal Data.

4.3. The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in such format as the Data Controller may reasonably request in writing.

4.4. Both Parties shall implement policies designed to ensure compliance with the GDPR and other applicable laws and shall take reasonable precautions to protect themselves in such way as to cause neither Party to breach any of its applicable obligations under the GDPR.

4.5. The Data Controller agrees to ensure that the Personal Data (and its collection, holding and processing of Personal Data) shall comply with the requirements of the GDPR.

4.6. The Data Processor agrees to comply with any reasonable measures requested in writing by the Data Controller to ensure that the Data Processor’s obligations under this Agreement are satisfactorily performed in accordance with applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO (provided that Data Controller shall reimburse to the Data Processor all costs that the Data Processor incurs in respect of doing anything that it is not required by law to do).

4.7. The Data Processor shall so far as it is able provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.

4.8. When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:

4.8.1. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);

4.8.2. implement appropriate technical and organisational measures, and take all steps as are reasonably necessary to protect the Personal Data against foreseeable unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure in accordance with generally accepted industry standards. The Data Processor shall inform the Data Controller in advance of any material changes to such measures that it implements;

4.8.3. if so requested by the Data Controller supply reasonable details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;

4.8.4. keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;

4.8.5. make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the GDPR;

4.8.6. on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and

4.8.7. inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.

5. Data Subject Access, Complaints, and Breaches

5.1. The Data Processor shall, at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.

5.2. The Data Processor shall notify the Data Controller without undue delay if it receives:

5.2.1. a subject access request from a data subject; or

5.2.2. any other complaint or request relating to the processing of the Personal Data.

5.3. The Data Processor shall, at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:

5.3.1. providing the Data Controller with full details of the complaint or request;

5.3.2. providing the necessary information and assistance in order to comply with a subject access request;

5.3.3. providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and

5.3.4. providing the Data Controller with any other information requested by the Data Controller.

5.4. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach as a result of its dealing with Personal Data, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

6. Liability and Indemnity

6.1. The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor and any Sub-Processor arising directly or in connection with:

6.1.1. any non-compliance by the Data Controller with the GDPR or other applicable legislation;

6.1.2. any Personal Data processing carried out by the Data Processor or Sub-Processor in accordance with instructions given by the Data Controller that infringe the GDPR or other applicable legislation; or

6.1.3. any breach by the Data Controller of its obligations under this Agreement.

6.2. Subject always to clause 4.5, the Data Processor shall be liable to the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly as a result of the Data Processor’s Personal Data processing activities that are subject to this Agreement in breach of this Agreement provided however that it shall:

6.2.1. be liable only to the extent that the liability results from the Data Processor’s or a Sub-Processor’s breach of this Agreement; and

6.2.2. not be liable to the extent that the liability is or is contributed to by any breach of this Agreement or any rule of law by the Data Controller or any of its agents.

6.2.3. The Data Controller shall not be entitled to claim back from the Data Processor or Sub-Processor any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor or Sub-Processor under this Agreement.

6.2.4. Nothing in this Agreement shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the ICO and shall co-operate fully with the ICO, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.

7. Intellectual Property Rights

All copyright, database rights, and other intellectual property rights subsisting in the Personal Data made available to it for the purposes of providing the Services (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licenced to use such Personal Data under such rights only for the term of the Maxoptra Licence, for the purposes of the Services, and in accordance with this Agreement.

8. Confidentiality

8.1. The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.

8.2. The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.

8.3. Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

9. Use of Sub-Processors

9.1. The Data Controller agrees that the Data Processor may appoint Sub-processors to assist it in providing the Service and Processing Personal Data provided that such Sub-processors:

9.1.1. agree to act only on the Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and

9.1.2. agree to protect the Personal Data to a standard consistent with the requirements of this Agreement, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process.

9.2. The Data Processor agrees that it shall remain liable to the Data Controller for the subcontracted Processing services of any of its direct or indirect Sub-Processors under this Agreement. The Data Processor shall maintain an up-to-date list of the names and location of all Sub-Processors used for the Processing of Personal Data under this Agreement which is available to the Data Controller upon request to privacy@maxoptra.com. The Data Processor shall inform the Data Controller about any new Sub-Processor to be appointed at least 30 days prior to the date on which the Sub-Processor shall commence processing Personal Data.

9.3. If the Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in clause 9.2, it shall inform the Data Processor immediately. In that event, the Data Processor will either (a) instruct the Sub-Processor to cease any further processing of Data Controller’s Personal Data, in which event this Agreement shall continue unaffected, or (b) itself terminate or allow the Data Controller to terminate this Agreement (and any related services agreement with the Data Processor) immediately.

9.4. In addition, and as stated in Maxoptra Licence, Maxoptra software services provide links to integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Data Controller’s account or instance of Maxoptra software. If the Data Controller elects to enable, access or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and the Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Service Data (including Personal Data) or any interaction between the Data Controller and the provider of such Third Party Services. The Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with the Data Controller’s enablement, access or use of any such Third Party Services, or the Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this Agreement.

9.5. The Data Controller acknowledges that the Data Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA and Switzerland, subject to hosting Maxoptra Software within the EEA and Switzerland only. As such, both the Data Processor and its Sub-processors may Process Personal Data in non-EEA and non-Swiss countries, if such non-EEA Processing is necessary to provide support-related or other services requested by the Data Controller.

9.6. Where the Data Processor permits any Sub-processor to process Personal Data outside the EEA, the Data Processor and its Sub-processor shall comply with the requirements of the EU Commission’s Controller-to-Processor Model Clauses (annexed to EU Commission Decision 2010/87/EU). The Parties have agreed to practical interpretations of certain provisions contained within the Controller-to-Processor Model Clauses, as permitted by the Article 29 Working Party and the amendments expected from the Article 29 Working Party in connection with the requirements of the GDPR.

10. Deletion and/or Disposal of Personal Data

10.1. The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:

10.1.1. the end of the provision of the Services under the Maxoptra Licence and Service Agreement; or

10.1.2. the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this Agreement or the Maxoptra Licence and Service agreement.

10.2. Following the deletion, disposal, or return of the Personal Data under sub-clause 10.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.

11. Law and Jurisdiction

11.1. This Agreement (including any non-contractual matters and obligations arising in relation to it) shall be governed by, and construed in accordance with, the laws of England and Wales.

11.2. Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

12. Purpose of agreement

12.1. Nothing in this Agreement will be construed as placing an obligation on the Data Processor that it is not by law obliged to accept (and any such provision shall not be construed as creating a binding obligation on the Data Processor). If and to the extent that any provision of this Agreement contradicts applicable law, the applicable law shall apply.

13. Data Protection Officer

13.1. The Data Processor shall appoint a data protection officer where such appointment is required by Data Protection Laws and Regulations. The appointed person(s) may be reached at privacy@maxoptra.com.

14. Duration

14.1. This Agreement will remain in force as long as the Data Processor processes Personal Data on behalf of the Data Controller under Maxoptra Licence and Service Agreement.

Schedule 1

Personal Data processing purposes and details

Subject matter: The subject matter of the data processing under this Agreement is the processing of Personal Data for the purpose of or in connection with the provision of the Maxoptra software services to the Data Controller.

Duration: As between the Data Processor and the Data Controller, the duration of the processing of Personal Data under this Agreement shall be until the expiration or termination of Maxoptra Licence and Service Agreement in accordance with its terms.

Purpose: The purpose of the processing of Personal Data under this Supplemental Agreement is the provision of the Maxoptra service to the Data Controller and the performance of Data Processor’s obligations under Maxoptra Licence and Service Agreement or as otherwise agreed by the parties from time to time.

Nature of the processing: The Data Processor provides the Maxoptra software services, fleet management services, as more particularly described in the Maxoptra Licence and Service Agreement.

Categories of Data Subject:

– The Data Controller’s users of the Maxoptra software services (Users);

– Individuals involved in the use of vehicles controlled by the Maxoptra software (whose personal data may be stored in the Maxoptra software services) (Delivery drivers);

– Any individual customers or customer contacts of the Data Controller (Customers).

Types of Personal Data processed:

Users: name, email;
Delivery drivers: name, email, phone number, home address, vehicle registration number, vehicle VIN, active location data;
Customers: name, email, phone number, home address, order items.