BETWEEN:The Fleetworks Software Company Limited, a private limitedcompany registered in England with number 12235444 (the “Data Processor”)ANDEach individual Fleetworks Customer that Fleetworks processesdata for and that has not otherwise entered into a valid data processoragreement with Fleetworks (the “Data Controller”) (hereinafter referred toindividually as a “Party” or together as the “Parties”)
1. INTRODUCTIONThis Data Processing Agreement (“DPA”) specifies the Parties’data protection obligations, which arise from the Data Processor’s processingof personal data on behalf of the Data Controller under the quote, serviceagreement or other agreement between the Parties (“the Agreement”).The DPA is adopted as an appendix to the Agreement. In the eventthat any provision of this DPA is inconsistent with any term(s) of theAgreement, the DPA will prevail.
2. PURPOSE, SCOPE AND RESPONSIBILITIES
2.1 The Data Processor shall only process personal data inaccordance with the terms of this DPA.
2.2 The Data Processor shall process personal data for thelimited purpose of performing the obligations set out under the Agreement. Datamay, for that purpose, be processed by any of the Data Processor’s entities.
2.3 Data processing by the Data Processor shall include suchactions as may be specified in the Agreement.
2.4 The term of this DPA shall continue until the latter of thefollowing: the termination of the Agreement, or the date at which the DataProcessor ceases to process personal data for the Data Controller.
2.5 The personal data to be processed by the Supplier concernsthe categories of data, the categories of data subjects and the purposes of theprocessing set out in Exhibit 1.
2.6 With the exception of the data described in Exhibit 1, in noevent will the data processed by the Data Processor include (examples are notexhaustive):i) Personal data as set out in art. 9 or 10 in Regulation2016/679 of 27 April 2016ii) Financial data,iii) Personal data regarding criminal offenses, oriv) Data regarding persons’ economy, taxes, debt, sick days,family relations, residential circumstances, car, personality tests, exams orCVs.
3. FLEETWORKS WEBAPP
3.1. The Agreement enables the Data Controller to access and usethe “Fleetworks Webapp”, a software tool developed by the Data Processor.“Fleetworks" enables the Data Controller’s employees (with admin-access)to upload information without the Data Processors’ participation or knowledge.
3.2. The Data Processor undertakes no responsibility for datauploaded by the Data Controller in the “Fleetworks Webapp".
3.3. To the extent that such upload of data constitutesprocessing of personal data, the Data Controller warrants:i) that the Data Controller has the relevant legal basis forhaving and processing the personal data, including, if applicable, the relevantpermissions from the data subject; andii) that, if the transfer involves sensitive categories of data,cf. section
3.3, the data subject has been informed or will be informed beforethe transfer, or as soon as possible after, that its data could be transmittedto a third country not providing adequate protection within the meaning of theData Protection Legislation.
4. OBLIGATIONS OF THE DATA PROCESSORThe Data Processor warrants that the Data Processor will:
i) comply with the Data Protection Legislation from time to timeapplicable to the Data Processor’s obligations under the Agreement (“DataProtection Legislation”),
ii) process any personal data transferred to or collected by theData Processor only as a ‘processor’, as such terms are defined in the DataProtection Legislation, on behalf of the Data Controller,
iii) implement appropriate technical and organizational measuresin such a manner that processing will meet the requirements of the applicableData Protection Legislation and ensure the protection of the rights of the datasubjects,
iv) ensure that Sub-processors undertakes to process personaldata in accordance with the Data Protection Legislation,
v) taking into account the nature of the processing, assist theData Controller by appropriate technical and organizational measures, insofaras this is possible, for the fulfilment of the Data Controller’s obligation torespond to requests for exercising the data subject’s rights according to theData Protection Legislation,
vi) to a relevant extent assist the Data Controller in ensuringcompliance with the requirements for security of personal data,
vii) make available to the Data Controller all informationnecessary to demonstrate compliance with the obligations laid down in this DPAand allow for and contribute to audits, including inspections to facilities underthe control of the Data Processor, conducted by the Controller or an auditormandated by the Controller.
5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
5.1. The Data Processor will implement and maintain throughoutthe term of the DPA and will procure its Sub-processors to implement andmaintain through the term of the DPA, the appropriate technical andorganizational security measures to protect personal data against accidental orunlawful destruction, loss, damage or alteration and against unauthorizeddisclosure, abuse or other processing in violation of the requirements of DataProtection Legislation.
5.2. The Data Processor will ensure that it and itsSub-processors involved in the processing of personal data at all times complywith the minimum data security requirements set out in Exhibit 2.
6. PERSONNEL
6.1. The Data Processor will procure that any personnel of theData Processor required to access personal data have committed themselves tothe obligation of confidentiality set out in the Agreement or are under astatutory obligation of confidentiality.
6.2. The Data Processor will procure that all personnel of theData Processor required to access personal data are informed of theconfidential nature of the personal data and the security procedures applicableto the processing of or access to the personal data.
6.3. The Data Processor’s personnel’s undertaking to abide bysuch confidentiality requirements will continue after the end term of this DPA.
7. ASSISTANCE TO THE DATA CONTROLLER
7.1 The Data Processor shall provide reasonable and timelyassistance to Data Controller to enable Data Controller to respond to:(i) any request from a data subject to exercise any of itsrights under Applicable Data Protection Law (including its rights of access,correction, objection, erasure and data portability, as applicable); and(ii) any other correspondence, inquiry or complaint receivedfrom a data subject, regulator or other third party in connection with theprocessing of the Data. In the event that any such request, correspondence,inquiry or complaint is made directly to Data Processor, Data Processor shallpromptly inform Data Controller providing full details of the same.
7.2 The Data Processor shall provide Data Controller withreasonable cooperation to enable Data Controller to conduct any data protectionimpact assessment that it is required to undertake under Applicable DataProtection Law.
8. SUB-PROCESSORS
8.1. The Data Processor shall meet the requirements specified inArticle 28(2) and (4) GDPR in order to engage another processor (aSub-processor).
8.2. With this DPA, the Data Processor has the Data Controller’sgeneral authorisation for the engagement of Sub-processors for the purpose ofperforming the obligations set out under the Agreement. The Sub-processors,approved by the Data Controller by the signing of this DPA, are listed inExhibit 3. The Data Processor shall;
i) maintain an up-to-date list of its Sub-processors on the DataProcessor’s website at https://www.fleetworks.co/ (or any futurewebsite used by the Data Processor);
ii) update with details of any change in Sub-processors at least30 days prior to any such change (except to the extent a 30 days’ notice is notpossible due to an emergency) and notify the Data Controller of such change viathe Data Processor’s usual e-mail notification process;
iii) provide a copy upon request of the data processingagreement(s) between the Data Processor and the Sub-processors at any giventime to the Data Controller.
8.3. The Data Controller may object to such new Sub-processorfor justified reasons relating to data protection. In the case of a justifiedobjection, the Parties shall negotiate in good faith to find an alternativesolution. If such alternative solution cannot be found and the Data Processordecides to proceed with such Sub-processor, the Data Controller can terminatethe Agreement with a notice of 30 days. Neither of the Parties shall beconsidered in breach of contract in the event of such termination.
9. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONALORGANISATIONS
9.1. Any transfer of personal data to third countries orinternational organizations by the Data Processor shall only occur on the basisof documented instructions from the Data Controller and shall always take placein compliance with Chapter V GDPR.
9.2. If any Data Controller Data originates from any country(other than an EEA country) with one or more laws imposing data transferrestrictions or prohibitions and Data Controller has informed Data Processor ofsuch data transfer restrictions or prohibitions, Data Controller and DataProcessor shall ensure appropriate transfer mechanism (satisfying the country’sdata transfer requirement(s)) is in place, as reasonably requested by DataController and mutually agreed upon by both Parties, before transferring oraccessing Data Controller’s Data outside of such country. For the avoidance ofdoubt, this transfer restriction does not pertain to Data Controller or itsAffiliates’ Authorized Users who have access to the Software and DataController Data, and Data Processor shall not be held responsible for actionsof Data Controller or its Affiliates’ Authorized Users. Neither Data Controllernor its Authorized Users shall be entitled to use the Software or SubscriptionServices in any country with data localization laws that would require DataController’s environment to be hosted in said country.
10. OBLIGATIONS OF THE DATA CONTROLLER
10.1. The Data Controller and the Data Processor will beseparately responsible for conforming with the Data Protection Legislation asapplicable to them.
10.2. The Data Controller shall be responsible, among others,for ensuring that the processing of personal data, which the Data Processor isinstructed to perform, has a legal basis.
10.3. The Data Controller will inform the Data Processor inwriting without undue delay following the Data Controller’s discovery of afailure to comply with Data Protection Legislation with respect to processingof personal data in accordance with this DPA.
10.4. The Data Controller shall be responsible for providingaccurate and relevant contact details after entering into the Agreement andthereafter to assist in Data Processor’s notification obligations.
11. NOTIFICATION OF DATA BREACH
11.1. The Data Processor shall without undue delay, and no laterthan 36 hours, in writing, notify the Data Controller in case of any identifiedor potential breach of personal data processed under the DPA.
11.2. The notification referred to in section 10.1. must, to theextent possible:
i) describe the nature of the personal data breach includingwhere possible (e.g., loss, theft, copying), the categories and approximatenumber of data subjects concerned and the categories and approximate number ofpersonal data records concerned,
ii) communicate the name and contact details of the person withthe Data Processor where more information can be obtained,
iii) describe the likely consequences of the personal databreach, andiv) describe the measures taken or proposed to be taken by theData Processor to address the personal data breach, including, whereappropriate, measures to mitigate its possible adverse effects.
12. ADDITIONAL ASSIGNMENTS
12.1. The Data Processor shall carry all costs associated withcompliance of this DPA in its capacity as Data Processor.
12.2. The Data Controller shall carry all costs associated withcompliance of this DPA in its capacity as Data Controller.
12.3. In respect of tasks of the Data Processor, that are not anobligation under this DPA, cf. the sections above, the Data Processor shall beentitled to charge the Data Controller for the additional resources, time andmaterial necessary to fulfil the required task(s), unless such services arealready included in the services rendered under the Agreement.
12.4. The Data Processor will notify the Data Controller inadvance of such additional charges and, to the extent possible, provide theData Controller with a quote of the expected costs.
12.5. If the Data Controller cannot agree to the costs, the DataProcessor shall be entitled not to perform the additional assignment and toterminate the Agreement with a notice of 30 days. The Data Processor shall notbe considered in breach of contract in this event.
13. DELETION AND RETURN OF PERSONAL DATA
13.1. Following the end term or termination of the Agreement,the Data Processor shall (at Data Controller’s election) destroy or return toData Controller all Data in its possession or control. The Data Processorreserves the right after 90 days to delete personal data from all locationswhen the Data Controller has not elected either option. This requirement shallnot apply to the extent that Data Processor is required by applicable law toretain some or all of the Data.
13.2. Upon the Data Controller’s request, the Data Processorshall certify in writing the destruction of the personal data.
14. LIABILITY
14.1. Each party’s liability for one or more breaches of thisDPA shall be subject to the limitations and exclusions of liability set out inthe Agreement. In no event shall either party’s liability for a breach of thisDPA exceed the liability cap set out in the Agreement. Neither party limits norexcludes any liability that cannot be limited or excluded under applicable law(such as for fraud).
15. LEGAL VENUE AND APPLICABLE LAW
15.1. This DPA shall be governed by the laws of England andWales.
15.2. Any claim or dispute arising from or in connection withthe Data Processing Agreement must be settled by the courts of England as firstinstance.
16. SIGNATURES Signed for and on behalf of the Data ProcessorDate: 18th February 2021Name: Marc LeeTitle: Managing DirectorEXHIBIT
1: INFORMATION ABOUT THE PROCESSING
1. The purpose of the Data Processor’s processing of personaldata on behalf of the Data Controller is:The Data Processor is a software development company, assignedby the Data Controller to make available to the Data Controller software as aservice for supporting the management of their vehicle fleet. The content ofthis DPA reflects the limited amount of personal data the Data Processorhandles for the Data Controller.
2. The Data Processor’s processing of personal data on behalf ofthe Data Controller shall mainly pertain to (the nature of the processing):Processing of traffic violations/fines including reassignment,creating and processing chargeback defences, the notification of unpaidinvoices and ad-hoc fleet management functions using the Data Processor’ssoftware as a service delivery system.
3. The processing includes the following types of personal dataabout data subjects:Name, e-mail address, address.
4. The processing includes the following type of specialcategories of data about data subjects:None.
5. Processing includes the following categories of data subject:Data Controller’s customers.
6. The Data Processor’s processing of personal data on behalf ofthe Data Controller may be performed when instructed in accordance with theAgreement. Processing has the following duration:Fleetworks will Process Personal Data for the duration of theAgreement, unless otherwise agreed upon in writing.EXHIBIT
2: DESCRIPTION OF MINIMUM DATA SECURITY
1. Technical and organizational measures baseline PhysicalAccess ControlsData Processor shall take reasonable measures to preventphysical access, such as secured buildings, to prevent unauthorized personsfrom gaining access to personal data.
2. System Access ControlsData Processor shall take reasonable measures to preventpersonal data from being used without authorization. These controls shall varybased on the nature of the processing undertaken and may include, among othercontrols, authentication via passwords and/or two-factor authentication,documented authorization processes, documented change management processesand/or logging of access on several levels.
3. Data Access ControlsData Processor shall take reasonable measures to provide thatpersonal data is accessible and manageable only by properly authorized staff,direct database query access is restricted and application access rights areestablished and enforced to ensure that persons entitled to use a dataprocessing system only have access to the personal data to which they haveprivilege of access; and, that personal data cannot be read, copied, modifiedor removed without authorization in the course of processing. The DataProcessor shall take reasonable measures to implement an access policy underwhich access to its system environment, to personal data and other data byauthorized personnel only.
4. Transmission ControlsData Processor shall take reasonable measures to ensure that itis possible to check and establish to which entities the transfer of personaldata by means of data transmission facilities is envisaged so personal datacannot be read, copied, modified or removed without authorization duringelectronic transmission or transport.
5. Input ControlsData Processor shall take reasonable measures to provide that itis possible to check and establish whether and by whom personal data has beenentered into data processing systems, modified or removed. Data Processor shalltake reasonable measures to ensure that
(i) the personal data source is underthe control of data exporter; and
(ii) personal data integrated into DataProcessor’s systems is managed by secured file transfer from the Data Processorand data subject.EXHIBIT 3: AUTHORIZED SUB-PROCESSORSEntity name:Microsoft Azure, IncSendGrid, IncSub-processing activities:Cloud Service ProviderEmail service provider for email authenticationEntity country:Ireland and The NetherlandsUSA