Privacy policy

Agreement on data processing – RGPD

 

1- Scope of Application

1.1 This Data Processing Agreement (“Data Processing Agreement”) applies to the Processing of personal data in connection with the provision by TRAXXEO of TRAXXEO Cloud Services, combining vehicle and object tracking data and Mobile Applications.

1.2 In the event of any conflict or inconsistency between this Data Processing Agreement and any other agreement entered into with You detailing the terms and conditions of the provision of TRAXXEO Cloud Services, the provisions of this Data Processing Agreement shall prevail.

2- Definitions

2.1 “Applicable Data Protection Law” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), effective as of 25 May 2018; and (ii) any other law or regulation relating to data protection or data privacy that applies to the processing of personal data under this Data Processing Agreement ;

2.2 “You” means the client entity of TRAXXEO;

2.3 “Data Controller”, “Data Subject”, “Data Protection Impact Assessments”, “Data Protection Officer”, “Process/Processing”, “Supervisory Authority”, “Controller”, “Subcontractor” and “Binding Corporate Rules” (or any other equivalent term) shall have the meaning given to them in the GDPR ;

2.4 “Standard Contractual Clauses” means the standard contractual clauses annexed to European Commission Decision 2010/87/EU of 5 February 2010 on the transfer of personal data to processors established in third countries under Directive 95/46/EC, or any successor standard contractual clause adopted pursuant to a decision of the European Commission ;

2.5 “Personal Data” means any information relating to a Data Subject which TRAXXEO may process on Your behalf as part of the Cloud Services ;

2.6 “Sensitive or special categories of personal data” means data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership as well as genetic data, biometric data enabling a natural person to be uniquely identified, data concerning health or data concerning sex life or sexual orientation and personal data relating to criminal convictions and offences or related security measures.

2.7 “Third Party Processor” means a third party processor engaged by TRAXXEO who may process personal data as described in Article 3.3.

3- Data controller and data processor and purpose of processing

3.1 You are and shall at all times remain the Controller of the personal data processed by TRAXXEO under this Data Processing Agreement. You are responsible for Your obligations as a Data Controller under applicable Data Protection Law, including justifying any transmission of personal data to TRAXXEO (including providing the required notices and obtaining the necessary consents and/or authorizations, or determining an appropriate legal basis under applicable Data Protection Law), and for Your decisions and actions regarding the processing of such personal data.

3.2 TRAXXEO is and shall at all times remain a Processor of the personal data You have provided to TRAXXEO under this Data Processing Agreement. TRAXXEO is responsible for fulfilling its obligations under this Data Processing Agreement and its obligations as a Processor under applicable data protection law.

3.3 TRAXXEO and any person acting under the authority of TRAXXEO, including Third Party Processors as defined in Article 8, shall process personal data solely for the following purposes:

  • to provide the Cloud Services in accordance with the Customer Agreement and this Data Processing Agreement ;
  • to comply with Your written instructions in accordance with Article 5, or ;
  • to comply with TRAXXEO’s regulatory obligations in accordance with Article 14.

4- Categories of personal data and data subjects

4. 1 In order to perform the Cloud Services and depending on the Cloud Services you have ordered, TRAXXEO may process some or all of the following categories of personal data: contact details and personal information such as name, national identification number, home address, landline or mobile telephone number, e-mail address, date of birth, passwords and legal documents; information such as employer’s name, job title, salary and other benefits, job performance and other skills, diplomas/qualifications ; geolocation data such as current position or distances travelled based on vehicle or device data; performance data such as work activities, absences, recordings.

4.2 The categories of Data Subjects for whom personal data may be processed in order to perform the Cloud Services include in particular Your representatives and end users, such as Your employees, applicants, temporary workers, contractors, subcontractors, collaborators, partners, suppliers and customers.

4.3 Unless otherwise specified in Your order, Your Content may not include any sensitive or special category of personal data which imposes on TRAXXEO specific security or data protection obligations additional to or different from those stipulated in this Data Processing Agreement.

5- Your Instructions

5.1 TRAXXEO will process personal data in accordance with Your written instructions as specified in this Data Processing Agreement.

5.2 You may provide additional written instructions to TRAXXEO regarding the processing of personal data in accordance with applicable data protection law. TRAXXEO will comply with all Your instructions to the extent necessary for TRAXXEO :

  • complies with its obligations as a Processor under the Applicable Data Protection Law;
  • assists You in complying with Your obligations as a Controller under applicable Data Protection Law in relation to Your use of the Cloud Services, including assistance with Personal Data Breach notification as set out in Article 11 and Data Subject requests as set out in Article 6.

5.3 To the extent required by applicable Data Protection Law, TRAXXEO will immediately inform You if, in its opinion, Your instructions violate applicable Data Protection Law. You hereby acknowledge and agree that TRAXXEO is not responsible for conducting legal research and/or providing legal advice to You.

5.4 Without prejudice to TRAXXEO’s obligations under this Article 5, the parties shall negotiate in good faith with respect to any costs or fees which TRAXXEO may incur in order to comply with instructions relating to the Processing of personal data which require the use of resources additional to or different from those necessary for the provision of the Cloud Services.

6 Rights of Data Subjects

6.1 TRAXXEO shall grant You electronic access to Your Cloud Services environment which contains personal data in order to enable You to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Law, including requests for access, deletion or erasure, restriction, rectification, receipt and portability, blocking access or objecting to the processing of particular personal data or sets of personal data.

6.2 To the extent that You do not have such electronic access, You may submit a “Service Request” by contacting TRAXXEO support at: support@traxxeo.com and provide detailed written instructions to TRAXXEO (including the personal data necessary to identify the Data Subject) on how to respond to such Data Subject requests with respect to the personal data held in Your Cloud Services environment. TRAXXEO will promptly implement such instructions. Where applicable, the parties will negotiate in good faith with respect to any costs or fees that may be incurred by TRAXXEO in order to comply with instructions that require the mobilization of resources different from or in addition to those required for the provision of the Cloud Services.


6.3 If TRAXXEO directly receives requests from a Data Subject relating to personal data, TRAXXEO shall promptly forward such requests to You free of charge, without responding to the Data Subject if the Data Subject identifies You as the Data Controller. If the Data Subject does not identify You as the Data Controller, TRAXXEO will ask the Data Subject to contact the entity responsible for collecting his/her personal data.

7- Transfer of personal data

7.1 The personal data held in Your Cloud Services environment will be hosted in the data centre selected by TRAXXEO within the European Union. TRAXXEO will not migrate Your Cloud Services environment to a data centre in another region without Your prior written consent.

7.2 Without prejudice to paragraph 7.1, TRAXXEO may access and process personal data Europe-wide to the extent necessary to perform the Cloud Services, including for purposes of IT security, maintenance and performance of the Cloud Services and related infrastructure, technical support of the Cloud Services and management of the Cloud Services.

7.3 Under no circumstances will personal data be transferred to third party processors located in countries outside the European Economic Area (“EEA”) or Switzerland, which have not been the subject of a binding adequacy decision by the European Commission or a competent EEA national data protection authority.

8- Third Party Subcontractors of TRAXXEO

8.1 Subject to the provisions of Articles 3.3, 7 and 8, You agree that TRAXXEO may engage Third Party Processors to assist TRAXXEO in the performance of the Cloud Services.

8.2 TRAXXEO maintains lists of Third Party Processors who may process personal data. These lists are made available to You in the Appendix to this Agreement. We will inform You of any substantial modification to this list and You undertake not to object unreasonably to these modifications. If You do not wish to accept a change and no agreement can be reached between the parties negotiating in good faith, You will be entitled to terminate the Cloud Services in accordance with the terms of the Customer Agreement.

8.3 Third Party Processors are required to provide a level of data protection and security at least equivalent to that which TRAXXEO applies to the processing of personal data under this Data Processing Agreement.

8.4 Subject to Article 12, TRAXXEO shall at all times remain responsible for the performance of the obligations of Third Party Processors in accordance with the provisions of this Data Processing Agreement and the applicable Data Protection Law.

9- Technical and organisational measures and confidentiality of processing

9.1 TRAXXEO has implemented and will maintain appropriate technical and organisational security measures for the Processing of personal data. These measures take into account the nature, scope and purpose of the Processing as stipulated in this Data Processing Agreement and are intended to protect personal data against the risks inherent in the Processing of personal data in the context of the performance of the Cloud Services, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

9.2 TRAXXEO has implemented appropriate security controls and measures with regard to physical access, system access, data access, transmission and encryption, data entry, data backup, data segregation and monitoring. A detailed list of these controls and security measures will be made available to You upon written request to support@traxxeo.com.

9.3 TRAXXEO undertakes to keep all Personal Data confidential and not to disclose it in any way to any third party without the prior consent of the company, except where (1) such disclosure is necessary for the conduct of the Processing (e.g. in the case of a transfer to a Subcontractor), (2) subject to Article 14, the Personal Data is required to be disclosed to a competent public authority to comply with a legal obligation or for audit purposes.

9.4 All TRAXXEO staff, as well as any third party Contractor who may have access to personal data, shall be subject to confidentiality agreements appropriate to the purposes sought. TRAXXEO shall only grant access to data to its employees or Third Party Processors to the extent strictly necessary to carry out the processing.

10- Audit rights and cooperation with You and Your supervisory authorities

10.1 You may audit TRAXXEO’s compliance with its obligations under this Data Processing Agreement once a year. In addition, to the extent required by applicable Data Protection Law, and in particular where Your Supervisory Authority so prescribes, You or Your Supervisory Authority may conduct more frequent audits, including inspections of the Cloud Service data centre that processes personal data. TRAXXEO will assist You in conducting such audits by providing You or Your Supervisory Authority with information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Cloud Services ordered by You.

10.2 Where a third party is required to carry out the audit, such third party must be agreed between You and TRAXXEO (unless such third party is acting in the capacity of a Competent Supervisory Authority). TRAXXEO may not unreasonably withhold its consent to an audit being carried out by a third party at Your request. The third party is required to sign a written confidentiality agreement acceptable to TRAXXEO or otherwise be bound by a legal obligation of confidentiality prior to conducting the audit.

10.3 In order to request an audit, You are responsible for submitting a detailed audit plan proposal to TRAXXEO at least two weeks prior to the proposed audit date. In particular, the proposed audit plan shall describe the scope, duration and start date of the audit. TRAXXEO will review the proposed audit plan and notify You of any concerns or questions (for example, any request for information that may compromise TRAXXEO’s security, privacy, employment or other policies). TRAXXEO will work with You in good faith to agree on a final audit plan.

10.4 The audit shall be conducted during normal working hours at the relevant facility, subject to the agreed final audit plan and TRAXXEO’s health and safety or other applicable policies, and shall not unreasonably interfere with TRAXXEO’s business operations.

10.5 You will provide TRAXXEO with any audit reports prepared in the course of an audit conducted pursuant to this Article 10, unless prohibited by applicable Data Protection Law or instructed otherwise by a Supervisory Authority. You may only use audit reports for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports constitute confidential information of the parties in accordance with the terms of the Cloud Services Agreement.

10.6 Any audit will be conducted at Your expense. The parties shall negotiate in good faith with respect to any costs or fees that may be incurred by TRAXXEO in providing assistance in connection with an audit that requires the mobilization of resources different from or in addition to those required for the provision of the Cloud Services.

11 Incident Management and Data Breach Notification

11.1 TRAXXEO undertakes to assess and react promptly to incidents which give rise to suspicions or indicate unauthorized access to personal data or the processing thereof (“Incident”). All TRAXXEO personnel with access to or in charge of processing personal data are instructed to respond to Incidents, including by making a prompt internal report and implementing escalation procedures and chain of custody practices to secure any evidence. TRAXXEO’s agreements with Third Party Subcontractors contain similar incident reporting obligations.

11. 2 Where TRAXXEO becomes aware of and determines that an Incident is considered to be a breach of security resulting in the accidental or unlawful misappropriation or destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed on TRAXXEO systems or in the Cloud Services environment, which compromises the security, confidentiality or integrity of such personal data (A “Personal Data Breach”), TRAXXEO will notify You of such a Personal Data Breach without undue delay, at the latest within 24 hours, by sending an e-mail to your Data Protection Officer – or to your contact person for data protection or data security, if his/her contact details have been provided to TRAXXEO. In the event that TRAXXEO has not received such contact details, TRAXXEO will send the information to the contact person mentioned in the Customer Agreement.

11.3 TRAXXEO agrees to take reasonable steps to identify the root cause(s) of the Personal Data Breach, to mitigate any adverse effects thereof and to prevent its recurrence.

11.4 Unless otherwise provided by applicable Data Protection Law, the parties agree to coordinate in good faith to develop the content of any related public statement or notification required for Data Subjects and/or any notification to the relevant Supervisory Authorities.

12- Return and deletion of personal data upon termination of the Cloud Services

12.1 Following termination of the Cloud Services, TRAXXEO will return or make available for retrieval Your personal data then available in Your Cloud Services environment.

12.2 Following termination of the Cloud Services or upon expiration of the recovery period following termination of the Cloud Services (if applicable), TRAXXEO will promptly stop processing and delete all copies of personal data from the Cloud Services environment rendering such personal data irretrievable, unless otherwise required by law.

13- Legally Required Disclosure Requests

13.1 If TRAXXEO receives a subpoena or is subject to a judicial, administrative or arbitral order from an executive or administrative agency, regulatory agency or any other governmental authority relating to the Processing of Personal Data (“Disclosure Request”), TRAXXEO will promptly forward such Disclosure Request to You without responding thereto, except as required by Applicable Law (including to issue an acknowledgement of receipt to the authority that made the Disclosure Request).

13.2 At Your request, TRAXXEO will provide You with reasonable information in its possession that may respond to the Disclosure Request and any assistance reasonably required to enable You to respond to the Disclosure Request in a timely manner.

14- Data Protection Officer

14.1 TRAXXEO has appointed a Data Protection Officer (DPO). The DPO may be contacted at any time by sending a request to: dpo@traxxeo.com.

14.2 If You have appointed a Data Protection Officer, You may request TRAXXEO to include the contact details of Your Data Protection Officer in the order, or You may subsequently communicate the contact details referred to to to TRAXXEO electronically at: dpo@traxxeo.com.