Data Processing Agreement TRAXXEO – GDPR
1- Scope
1.1 This data processing agreement (the “Data Processing Agreement”) applies to TRAXXEO’s
Processing of Personal Data as part of TRAXXEO’s provision of TRAXXEO Cloud Services, combining data of vehicle and object tracking and Mobile applications.
1.2 If there are any conflicts or inconsistencies between this data processing agreement and any other agreement with You detailing the terms and conditions of the provision of TRAXXEO Cloud Services, the provisions in this data processing agreement prevail.
2- Definitions
2.1 “Applicable Data Protection Law” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter the “GDPR”), applicable as of May 25, 2018; and (ii) any other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this Data Processing Agreement;
2.2 “You” means the customer entity that is a customer of TRAXXEO;
2.3 “Data Subject”, “Data Protection Impact Assessments”, “Data Protection Officer”,
“Process/Processing”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules”
(or any of the equivalent terms) have the meaning set forth in the GDPR;
2.4 “EU Model Clauses” means the standard contractual clauses annexed to the EU Commission
Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision;
2.5 “Personal Data” means any information relating to a Data Subject that TRAXXEO may Process on Your behalf as part of the Cloud Services;
2.6. “Sensitive or Special Categories of personal data” mean data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data
concerning a natural person’s sex life or sexual orientation, personal data relating to criminal convictions and offences or related security measures.
2.7 “Third Party Subprocessor” means a third party subcontractor, engaged by TRAXXEO and which may Process Personal Data as set forth in Section 3.3.
3- Controller and Processor of Personal Data and Purpose of Processing
3.1 You are and will at all times remain the Controller of the Personal Data Processed by TRAXXEO under the Data Processing Agreement. You are responsible for compliance with Your obligations as a Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data
to TRAXXEO (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law), and for Your decisions and actions concerning the Processing of such Personal Data.
3.2 TRAXXEO is and will at all times remain a Processor with regard to the Personal Data provided by You
to TRAXXEO under this Data processing Agreement. TRAXXEO is responsible for compliance with its obligations under this Data Processing Agreement and for compliance with its obligations as a Processor under
Applicable Data Protection Law.
3.3 TRAXXEO and any persons acting under the authority of TRAXXEO, including Third Party Subprocessors as set forth in Section 8, will Process Personal Data solely for the purpose of
- providing the Cloud Services in accordance with the Client contract and this Data Processing Agreement
- complying with Your documented written instructions in accordance with Section 5, or
- complying with TRAXXEO’s regulatory obligations in accordance with Section 14.
4- Categories of Personal Data and Data Subjects
4.1 In order to perform the Cloud Services and depending on the Cloud Services You have ordered, TRAXXEO may Process some or all of the following categories of Personal Data: personal contact
information such as name, national register number, home address, home telephone or mobile number, email address, date of birth, passwords and legal documents; details including employer name, job title and function, salary and other benefits, job performance and other capabilities, education/qualification; geolocation data such as declared position or distances travelled based on vehicle or device data; performance data such as work activities, absences, check-in @ work registrations
4.2 Categories of Data Subjects whose Personal Data may be Processed in order to perform the Cloud Services may include, among others, Your representatives and end users, such as Your employees, job applicants, interim workers, (sub)contractors, collaborators, partners, suppliers, customers and clients.
4.3 Unless otherwise specified in Your order, Your Content may not include any Sensitive or Special Categories of personal data that imposes specific data security or data protection obligations on TRAXXEO in addition to or different from those specified in this data processing agreement.
5- Your Instructions
5.1 TRAXXEO will Process Personal Data on Your written instructions as specified in this Data Processing agreement.
5.2 You may provide additional instructions in writing to TRAXXEO with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. TRAXXEO will comply with all such instructions to the extent necessary for TRAXXEO
- to comply with its Processor obligations under Applicable Data Protection Law;
- to assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Cloud Services, including assistance with notifying Personal Data breaches as set forth in Section 11 and Data Subject requests as set forth in Section 6.
5.3 To the extent required by Applicable Data Protection Law, TRAXXEO will immediately inform You if, in its opinion, Your instruction infringes Applicable Data Protection Law. You acknowledge and agree that TRAXXEO is not responsible for performing legal research and/or for providing legal advice to You.
5.4 Without prejudice to TRAXXEO’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by TRAXXEO to comply with instructions with regard to the Processing of Personal Data that require the use of resources different from or in addition
to those required for the provision of the Cloud Services.
6- Rights of Data Subjects
6.1 TRAXXEO will grant You electronic access to Your Cloud Services environment that holds Personal Data to enable You to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to Processing of specific Personal Data or sets of Personal Data.
6.2 To the extent such electronic access is not available to You, You can submit a “service request” via TRAXXEO Support, support@traxxeo.com , and provide detailed written instructions to TRAXXEO (including the Personal Data necessary to identify the Data Subject) on how to assist with such Data Subject requests in relation to Personal Data held in Your Cloud Services environment. TRAXXEO will promptly follow such instructions. If applicable, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by TRAXXEO to comply with instructions that require the use of resources different from or in addition to those required for the provision of the Cloud Services.
6.3 If TRAXXEO directly receives any Data Subject requests regarding Personal Data, it will promptly pass
on such requests to You, free of charge, without responding to the Data Subject if the Data Subject identifies You as the Data Controller. If the Data Subject does not identify You, TRAXXEO will instruct the Data Subject to contact the entity responsible for collecting their Personal Data.
7- Personal Data Transfers
7.1 Personal Data held in Your Cloud Services environment will be hosted in the data center selected by TRAXXEO within the European union. TRAXXEO will not migrate Your Cloud Services environment to a different data center region without Your prior written authorization.
7.2 Without prejudice to Section 7.1, TRAXXEO may access and process Personal Data on a European scale as necessary to perform the Cloud Services, including for IT security purposes, maintenance and performance of the Cloud Services and related infrastructure, Cloud Services technical support and
Cloud Service change management.
7.3 Under no circumstances, any Personal Data will be transferred to Third Party Subprocessors located in
countries outside the European Economic Area (“EEA”) or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority.
8- TRAXXEO’s Third Party Subprocessors
8.1 Subject to the terms and restrictions specified in Sections 3.3, 7 and 8, You agree that TRAXXEO may engage Third Party Subprocessors to assist in the performance of the Cloud Services.
8.2 TRAXXEO maintains lists of Third Party Subprocessors that may Process Personal Data. These lists will be made available to You as an Appendix to this agreement. You will be informed about any substantial change to this list. You will not unreasonably object to such changes. If, however, you cannot agree with one change and no solution can be found between the Parties negotiating in good faith, You will be allowed to terminate the Cloud Services in accordance with the provisions of the Client Contract.
8.3 The Third Party Subprocessors are required to abide by the same level of data protection and security as TRAXXEO under this Data Processing Agreement as applicable to their Processing of Personal Data.
8.4 Subject to Section 12, TRAXXEO remains responsible at all times for the performance of Third Party
Subprocessors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.
9- Technical and Organizational Measures, and Confidentiality of Processing
9.1 TRAXXEO has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data. These measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Agreement, and are intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of the Cloud Services, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
9.2 TRAXXEO has implemented the appropriate physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures. A list with details of these security controls and measures will be made available to You upon simple written request to support@traxxeo.com.
9.3 TRAXXEO shall keep all Personal Data confidential and shall not disclose such Personal Data in any way to a third party without the prior approval of the Company, except where (1) the disclosure is required for the performance of the processing (e.g. transfer to a Third Party subprocessor), (2) subject to Section 14, Personal Data need to be disclosed to a competent public authority to comply with a legal obligation or as required audit purposes.
9.4 All TRAXXEO staff, as well as any Third Party Subprocessors that may have access to Personal Data are subject to appropriate confidentiality arrangements. TRAXXEO shall only provide access to TRAXXEO employees or Third Party Subprocessors to the extent necessary to perform the processing.
10- Audit Rights and Cooperation with You and Your Supervisory Authorities
10.1 You may audit TRAXXEO’s compliance with its obligations under this Data Processing Agreement up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Your Supervisory Authority, You or Your Supervisory Authority may perform more frequent audits, including inspections of the Cloud Service data center facility that Processes Personal Data. TRAXXEO will contribute to such audits by providing You or Your Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Cloud Services ordered by You.
10.2 If a third party is to conduct the audit, the third party must be mutually agreed to by You and TRAXXEO (except if such Third Party is a competent Supervisory Authority). TRAXXEO will not unreasonably withhold its consent to a third party auditor requested by You. The third party must execute a written confidentiality agreement acceptable to TRAXXEO or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
10.3 To request an audit, You must submit a detailed proposed audit plan to TRAXXEO at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope,
duration, and start date of the audit. TRAXXEO will review the proposed audit plan and provide You with any concerns or questions (for example, any request for information that could compromise TRAXXEO security, privacy, employment or other relevant policies). TRAXXEO will work cooperatively with You to agree on a final audit plan.
10.4 The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and TRAXXEO’s health and safety or other relevant policies, and may not unreasonably interfere with TRAXXEO business activities.
10.5 You will provide TRAXXEO any audit reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. You may use the audit reports only for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement.
The audit reports are Confidential Information of the parties under the terms of the Cloud Services Agreement.
10.6 Any audits are at Your expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by TRAXXEO to provide assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the Cloud Services
11- Incident Management and Personal Data Breach Notification
11.1 TRAXXEO promptly evaluates and responds to incidents that create suspicion of or indicate
unauthorized access to or Processing of Personal Data (“Incident”). All TRAXXEO staff that have access to or process Personal Data are instructed on responding to Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence. TRAXXEO’s agreements with Third Party Subprocessors contain similar Incident reporting obligations.
11.2 To the extent TRAXXEO becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on TRAXXEO systems or the Cloud Services environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), TRAXXEO will inform You of such Personal Data
Breach without undue delay but at the latest within 24 hours by sending an email to Your DPO – or Your data protection or Information Security contact person, if his/her contact details have been provided to TRAXXEO. In case TRAXXEO has not received such contact details, TRAXXEO will send the information to the contact person mentioned in the Client Contract.
11.3 TRAXXEO will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence.
11.4 Unless otherwise required under Applicable Data Protection Law, the parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities.
12- Return and Deletion of Personal Data upon Termination of Cloud Services
12.1 Following termination of the Cloud Services, TRAXXEO will return or otherwise make available for retrieval Your Personal Data then available in Your Cloud Services environment.
12.2 Upon termination of the Cloud Services or upon expiry of the retrieval period following termination of
the Cloud Services (if available), TRAXXEO will promptly stop processing and delete all copies of Personal Data from the Cloud Services environment by rendering such Personal Data unrecoverable, except as may be required by law.
13- Legally Required Disclosure Requests
13.1 If TRAXXEO receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the
Processing of Personal Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to You without responding to it, unless otherwise required by applicable law (including to provide an acknowledgement of receipt to the authority that made the Disclosure Request).
13.2 At Your request, TRAXXEO will provide You with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for You to respond to the Disclosure Request in a timely manner.
14- Data Protection Officer
14.1 TRAXXEO has appointed a Data Protection Officer (DPO). The DPO can be contacted at any time by sending a service request to dpo@traxxeo.com.
14.2 If You have appointed a Data Protection Officer, You may request TRAXXEO to include the contact details of Your Data Protection Officer in the order, or may subsequently communicate the relevant contact details to TRAXXEO by e-mail via dpo@traxxeo.com.
