PRIVACY POLICY
Cargobus Privacy Policy – Data Processing Agreement
Valid from 01.04.2019.
This Data Processing Agreement (hereinafter – the Agreement) governs the Data Processing performed by Cargobus, acting as the “Data Processor”, on behalf of its customer, acting as the “Data Controller”. Under the General Data Protection Regulation, this Agreement is binding on the Data Processor and the Data Controller.
AGREEMENT
1. DEFINITIONS
1.1. Unless the context of the Agreement requires otherwise, in this Agreement, including its preamble, and its annexes, the capitalised terms shall have the following meaning:
(a) General Data Protection Regulation – Regulation of the European Parliament and Council No. 2016/679 on protecting natural persons regarding the processing of personal Data and on the free movement of such Data and repealing Directive 95/46/EC.
(b) Data Controller – a Party to this Agreement, a natural or legal person, public authority, agency or another body that jointly or separately determines the purposes and means of the Data Processing.
(c) Data Processor – a Party to this Agreement, a natural or legal person, public authority, agency or another body that processes the personal Data on behalf of the Data Controller.
(d) Data – any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Data Processing – any operation or set of operations which is performed on personal Data or sets of personal Data, whether or not by Automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(f) Automated – any actions wholly or partly performed automatically.
(g) Data Subject – a natural person whose Data is processed following this Agreement.
(h) Third-Party – a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal Data.
(i) Technical and Organisational Measures – measures to protect Data from accidental or unlawful destruction, alteration, disclosure, or any other unauthorised processing. These measures must ensure the level of security appropriate for the type of stored Data and the risks of its processing.
1.2. In this Agreement:
(a) Words in the plural shall have the same meaning as those in the singular and vice versa.
(b) A specific gender (male or female) in the Agreement’s text shall be interpreted as referring to any gender.
(c) The word “including” shall mean “including but not limited to”.
(d) The section titles in this Agreement shall be used for convenience only and shall not affect the interpretation of the Agreement.
(e) References to paragraphs, annexes and other provisions shall be references to this Agreement’s paragraphs, annexes and other provisions.
1.3. The Agreement is the general result of the negotiations and agreements between the Parties; therefore, the Agreement may not be interpreted for the benefit or detriment of either Party because either of the Parties was or could have been responsible for preparing the Agreement draft or any part thereof.
1.4. The terms not defined in the Agreement shall be interpreted according to the framework of the regulatory enactments.
2. SUBJECT AND PURPOSE OF THE AGREEMENT
2.1. This Agreement shall govern the personal Data Processing performed by the Data Processor on behalf of the Data Controller. It shall become binding on the Data Processor and the Data Controller under the General Data Protection Regulation.
2.2. The type, subject, and purpose of the personal Data Processing – performed by the Data Processor on behalf of the Data Controller – and the information associated with the processed personal Data and Data Subject categories are laid down in the annexe to this Agreement.
3. AGREEMENT PERIOD
3.1. This Agreement shall be applicable as long as the Data Processor processes personal Data on behalf of the Data Controller.
3.2. At the request of the Data Controller, after the termination or expiry of this Agreement, the Data Processor shall terminate the Data Processing activity and – if so requested by the Data Controller and the applicable Data protection legal enactments do not provide otherwise – delete or return all personal Data to the Data Controller and delete all existing copies of this Data.
4. OBLIGATIONS OF THE DATA PROCESSOR
4.1. The Data Processor has implemented the appropriate Technical and Organisational Measures to ensure that the personal Data Processing under the provisions of this Agreement meets the applicable requirements of the Data Protection Law, specifically the requirements of the General Data Protection Regulation, and guarantees the protection of the rights of the Data Subject.
4.2. The Data Processor undertakes to process the personal Data only following the written, documented instructions provided by the Data Controller, except where the applicable law provides otherwise. In such a case, before the start of the personal Data Processing, the Data Processor shall notify the Data Controller about such legal requirements to the extent permissible by the law. If the Data Processor has no instructions on processing personal Data in a specific situation, or if any instructions violate the applicable Data Protection Law, the Data Processor shall notify the Data Controller immediately.
4.3. Considering the type of Data Processing and applying the appropriate Technical and Organisational Measures to the extent possible, the Data Processor shall assist the Data Controller in performing the Data Controller’s obligation to respond to the requests regarding the use of the Data Subject rights. Under this Agreement, the Data Subject’s rights shall include the right to request information and – at the Data Subject’s discretion – to correct, destroy personal Data or stop the Data Processing activity.
4.4. Considering the type of Data Processing and the current information, the Data Processor shall assist the Data Controller in performing specific obligations under the applicable Data Protection Law. The particular commitments shall include Data Processing security (Article 32 of the General Data Protection Regulation), communication of personal Data breach (Articles 33-34 of the General Data Protection Regulation), and Data protection impact assessment, as well as prior consultation (Articles 35-36 of the General Data Protection Regulation).
4.5. The Data Processor undertakes to provide the Data Controller with all information and provide all necessary assistance to demonstrate the performance of the obligations under this Agreement and to create conditions that allow the Data Controller or another authorised auditor to perform an audit, including on-site inspections.
5. OTHER DATA PROCESSORS
5.1. The Data Controller declares that the Data Processor may recruit other companies indicated in the Annexe to the Agreement as other Data Processors. The Data Processor shall inform the Data Controller about all planned changes related to recruiting or changing other Data Processors, but the Data Controller is entitled to reject such changes.
5.2. The Data Processor guarantees and, at the request of the Data Controller, declares that other Data Processors have undertaken obligations under written contracts according to which, in addition to the obligations laid down in this Agreement, they must perform the relevant Data Processing obligations. The Data Processor is fully liable to the Data Controller regarding the duties performed by other Data Processors.
5.3. The Data Controller may request the Data Processor to check another Data Processor or submit a certification of such check or, if possible, obtain or help the Data Controller to receive a conclusion from an external auditor regarding the activity of other Data Processors to ensure compliance with the requirements of the applicable Data Protection Laws.
6. TRANSFER OF DATA TO THIRD PARTIES
6.1. The obligation to process personal Data under the Agreement may be performed only in a European Union (EU) member state or a European Economic Area (EEA) member state. Any transfer of personal Data to a country that is not an EU or EEA member state shall take place only with a prior written agreement of the Data Controller and only if the special conditions are complied with as laid down in the applicable Data Protection Laws, Chapter V of the General Data Protection Regulation.
6.2. The Data Controller may revoke its Agreement to Data transfer to Third-Parties according to Paragraph 6.1 of this Agreement at any time. In such a case, the Data Processor shall discontinue the Data transfer immediately and provide written proof of such discontinuation upon the Data Controller’s request.
7. INFORMATION SECURITY AND CONFIDENTIALITY
7.1. The Data Processor guarantees adequate personal Data protection following this Agreement to protect personal Data from destruction, alteration, unauthorised disclosure of, or access to personal Data. Personal Data shall also be protected from other types of unauthorised processing.
7.2. The Data Processor shall prepare and continuously update the description of its technical, organisational and physical measures to meet the requirements of the applicable Data Protection Laws.
7.3. The Data Processor undertakes not to disclose without a prior written agreement of the Data Controller the personal Data processed under this Agreement and otherwise prevent their disclosure to any Third-Party, except other Data Processors recruited under this Agreement.
7.4. The Data Processor guarantees that all persons involved in the Data Processing have undertaken confidentiality obligations or are subject to the relevant confidentiality requirements in the applicable law.
8. APPLICABLE LAW AND DISPUTE RESOLUTION
8.1. This Agreement is drawn and shall be interpreted according to the laws and regulations of the Republic of Estonia, excluding conflict-of-law principles, when other law provisions may be applicable.
8.2. The Parties agree that the courts of the Republic of Estonia have the sole and exclusive jurisdiction over the settlement of all disputes arising in connection with this Agreement.
9. LIMITATION OF LIABILITY AND INDEMNITY
9.1. Unless otherwise agreed, the Parties are liable under the generally applicable law in Section 8 of the Agreement. Regardless of the above, the Parties shall not be responsible for loss of operation, loss of revenue, loss of goodwill, any indirect damages and their consequences. Data loss shall be deemed indirect damages.
9.2. The general liability of the Data Processor under this Agreement and all obligations provided therein, in any case, shall be limited to 3000 EUR. In any case, the Data Processor shall not be liable for loss of operation, loss of revenue, loss of goodwill, or any indirect damages and their consequences. The Parties agree that Data loss shall be deemed indirect damages.
10. OTHER PROVISIONS
Severability clause:
10.1. If any provision of this Agreement is found by the court or the court of arbitration to be unlawful, invalid or unenforceable, other provisions of this Agreement shall remain valid and in full force. Any provision of this Agreement found illegal, invalid or unenforceable only in part or to a certain extent, shall remain valid to the extent it is not found unlawful, invalid or unenforceable. The Parties shall replace such illegal, invalid or unenforceable provisions of this Agreement with lawful, valid and enforceable provisions that in their essence are as close as possible to the Parties’ intent at the time of the drawing of this Agreement. The Parties shall make all reasonable efforts to ensure the implementation of all provisions of this Agreement.
No contradictory agreements:
10.2. This Agreement is a document that the Parties have discussed and prepared. It shall replace all previous agreements of the Parties regarding the subject of the Agreement and shall be the complete and only declaration of the Agreement’s provisions by the Parties. This Paragraph shall not restrict the right to hold the Party liable for defrauding the other Party.
10.3. After the execution of the Agreement, each Party undertakes not to conclude any agreements that may be incompatible with the obligations of the Party under this Agreement.
Amendments and supplements to the Agreement:
10.4. Any annexes, amendments, and supplements to this Agreement (including the modifications and supplements to this Paragraph) shall be valid only if drawn as a written document signed by all Parties.
Expenses:
10.5. Each Party shall cover its expenses associated with negotiating, preparing, signing, entering into force, and implementing this Agreement.
ANNEXE 1 TO THE DATA PROCESSING AGREEMENT
The subject and purpose of Data Processing – the provision of the Data Processor’s services or tasks to the Data Controller:
(a) Service provision – processing, administration of the services purchased (ordered) by the Data Subject; identification of the Data Subject in the Data Processor’s information systems.
(b) Identification of the Data Subject when logging in to its account on the Data Processor’s website (if the Data Processor provides this feature); resolving of issues associated with the service implementation, provision, and use; communication with the Data Subject, when the provisions of the services purchased by the Data Subject change; performance of other contractual obligations; direct marketing purposes; business analysis and statistical analysis, general research that allows improving services and their quality; audit.
Types of processed personal Data and what the processed personal Data includes:
(a) Personal contact information, for example, name, surname, telephone number or mobile phone number, electronic mail address, residence address, and place of work.
(b) Categories of Data Subject: The Data Controller’s representatives and end users, such as employees, candidates, contractors, colleagues, and partners, as well as the Data Controller’s customers and other persons who must be entered in the Data Processor’s central Data Controller system.
(c) Data Processing operations include entering, correcting, and deleting personal Data, creating backup copies, and protecting servers that may contain personal Data.