Data Processing Agreement
ShipitSmarter.com B.V. a company having its principal place of business in Hilversum, the Netherlands, registered with the Chamber of Commerce under number 34131907, hereby duly represented by M.J. van Mourik, and all related business entities. (hereinafter: ‘the Processor’);
CUSTOMER, a company having its principal place of business at ADDRESS, POSTCODE TOWN, COUNTRY. Registered with the Chamber of Commerce under COC NUMBER, hereby duly represented by CONTACT, (hereinafter: ‘the Controller’);
hereinafter collectively referred to as ‘Parties’ and individually ‘Party’,
having regard to the fact that,
- the Controller has access to the personal data of various stakeholders (hereinafter: ‘Data subjects’);
- the Controller wants the Processor to execute certain types of processing following the agreement concluded with the Processor on July 2nd, 2018 (hereinafter: ‘the Agreement’);
- the Controller has determined the purpose of and the means for the processing of personal data is governed by the terms and conditions referred to herein;
- the Processor has undertaken to comply with this data processing agreement (hereinafter: ‘the DPA’) and to abide by the security obligations and all other aspects of the General Data Protection Regulation (hereinafter: ‘GDPR’);
- the Parties wish to lay down their rights and duties in writing in this DPA,
have agreed as follows,
ARTICLE 1. PROCESSING OBJECTIVES
1.1. The Processor undertakes to process personal data (detailed in Schedule 1) on behalf of the Controller following the conditions laid down in this DPA. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
1.2. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this DPA.
1.3. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
1.4. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.
1.5. The processor is allowed to use anonymized geolocation and shipment process data for analysis purposes only, guaranteeing non-disclosure of Controller sensitive-or personal data to other parties.
ARTICLE 2. PROCESSOR’S OBLIGATIONS
2.1. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.
2.2. The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this DPA.
2.3. The Processor’s obligations arising under the terms of this DPA apply also to whomsoever processes personal data under the Processor’s instructions.
ARTICLE 3. TRANSMISSION OF PERSONAL DATA
3.1. The Processor may process personal data in countries within the European Union. Besides, the Processor may also transfer the personal data to a country outside the European Union provided that such a country guarantees an adequate level of protection and it satisfies the other obligations applicable to it according to this DPA. If Processor transfers data to a third country on behalf of Controller based on either written consent, this DPA, or the Main Agreement between Parties, Processor assumes that Controller considers this to be a country as mentioned in the second sentence of this article.
3.2. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.
ARTICLE 4. ALLOCATION OF RESPONSIBILITY
4.1. The Processor shall only be responsible for processing the personal data under this DPA, under the Controller’s instructions, and the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.
4.2. The controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without the express consent and/or legal basis under this DPA.
ARTICLE 5. ENGAGING OF THIRD PARTIES OR SUBCONTRACTORS
5.1. The Processor is authorized within the framework of the Agreement to engage third parties. The processor will notify Controller 20 working days in advance of changes or additions in engaging Third Parties or Subcontractors. The controller will notify the Processor in case of objection within 10 working days thereafter. If no objection is received within this period, it will be regarded as the consent of the Controller. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged.
5.2. The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
5.3. Carriers are not Subcontractors of ShipitSmarter. The Customer is responsible for concluding a Data Processing Agreement if the carrier processes Personal Data.
ARTICLE 6. DUTY TO REPORT
6.1. In the event of a security leak and/or the leaking of data, as referred to in article 33 & 34 of the GDPR, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(-ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavor that the furnished information is complete, correct, and accurate.
6.2. If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
6.3. The duty to report includes, in any event, the duty to report the fact that a leak has occurred, including details regarding:
- the (suspected) cause of the leak;
- the (currently known and/or anticipated) consequences thereof;
- the (proposed) solution;
- the measures that have already been taken.
ARTICLE 7. SECURITY
7.1. The Processor will take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration, or disclosure of personal data) in connection with the performance of processing personal data under this DPA.
7.2. The Processer has in any event taken the following measures:
- Encryption of digital files with Personal Data
- Security of network connections via Secure Socket Layer (SSL) technology
- Appropriate measures and procedures concerning database access
- Appropriate rules regarding secrecy and conduct for persons who have access to Personal Data.
- Unless legally required or permitted, data provided by the Customer to ShipitSmarter will not be provided to third parties.
- ShipitSmarter’s computer systems are kept up to date with verified security patches and updates.
7.3. The Processor will ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data, and the costs related to the security measures.
7.4. The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.
ARTICLE 8. HANDLING REQUESTS FROM INVOLVED PARTIES
8.1. Where a data subject submits a request to the Processor regarding inspection, erasure, rectification, data portability or restriction of processing of their, personal, data, as stipulated by articles 15-18 GDPR, the Processor will forward the request to the Controller within 5 working days and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.
ARTICLE 9. NON DISCLOSURE AND CONFIDENTIALITY
9.1. All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this DPA is subject to a duty of confidentiality vis-à-vis third parties.
9.2. The processor will ensure that all of its personnel will act according to the same confidentiality obligations.
9.3. This duty of confidentiality will not apply if the Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary for a view of the nature of the instructions and the implementation of this DPA or the Main Agreement between Parties, or if there is a legal obligation to make the information available to a third party.
ARTICLE 10. AUDIT
10.1. To confirm compliance with this DPA, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
10.2. In case there are specific grounds for suspecting the misuse of personal data, the Controller will notify the Processor of these grounds. The Processor will provide the Controller within two weeks thereafter with a report, containing an analysis of whether this suspicion is valid and if so which measures the Processor has taken. If Controller does not agree on the taken measures then an audit can be undertaken, however no earlier than one week after the Controller has provided written notice to the Processor.
10.3. The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
10.4. The costs of the audit will be borne by the Controller.
ARTICLE 11. DURATION AND TERMINATION
11.1. This DPA is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
11.2. The DPA may not be terminated in the interim.
11.3. This DPA may only be amended by the Parties subject to mutual consent.
11.4. Upon termination of the Agreement Processor shall send back all personal data which was provided by Controller and remove any remaining copies.
ARTICLE 12. MISCELLANEOUS
12.1. The DPA and the implementation thereof will be governed by Dutch law.
12.2. Any dispute arising between the Parties in connection with and/or arising from this DPA will be referred to the competent Dutch court in the district where the Processor has its registered office.
12.3. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
additional conditions, where applicable.
12.4. Logs and measurements taken by the Processor shall be deemed to be authentic unless the Controller supplies convincing proof to the contrary.
IN WITNESS WHEREOF, the Parties have caused this DPA to be executed by their duly authorized representatives.
SCHEDULE 1 TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
I. TYPE OF PERSONAL DATA
- First name
- Address (generally this is the company’s registered address)
- Telephone number (generally this is a business telephone)
- E-mail address (generally this is a business e-mail address)
II. CATEGORIES OF DATA SUBJECTS
- Employees, in the broadest sense, of the Customer.
- Customers, in the broadest sense, of the Customer.