Data Processing Agreement

Data Processing Agreement: Custom Carrier

A. Terminology

  1. The Provider (Parcelspot): arranges the Transport Service with the Carrier in respect of the Consignment.
  2. Client (Client / Clients): natural or legal entity ordering services with the Provider.
  3. Consignment (Shipment, Parcel, Goods): the goods that form the subject matter of the Transport Service as ordered by the Client through the Ordering System.
  4. Carrier (Carrier / Carriers): entity different from the Provider, specialized in external transport or is a courier company, which physically transports the Consignment and is mediated by the Provider.
  5. Custom Carrier (Custom Carrier / Custom Carriers): an entity different to the Provider, who is a contractual partner of the Provider and the Client, and to which the Provider transmits data constituting the Client's Consignment information based on the contract for Submission of Data. The Provider does not arrange the Custom Carrier, it only transmits the data to the contracted Custom Carrier.
  6. Sender: actual person handing over a Consignment to a Courier.
  7. Recipient: person / entity designated as such on the Transport Waybill or Label, for whom the Consignment is intended.
  8. Ordering System (Parcelspot.com): online reservation service allowing comparison and booking of Transport Services provided by the Provider's partners (Carriers), consignment management and payments for services by the Client. Used to record data related to content, weight, dimensions, value of Consignments and address data, based on which, it calculates the cost of shipping, which is binding to the Provider.
  9. Transport (Transport Service, Transportation, Carriage): service provided by the Carrier. This means receiving, shipping and delivering the Consignment.
  10. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

B. Basic Provisions

  1. The provisions of this document (“Agreement”) will apply if the Client and the Provider have concluded a Submission of Data Contract in relation to the engagement of a Custom Carrier and this document will be annexed to the Submission of Data Contract.
  2. The Provider shall, in relation to the Personal Data of the Senders and Recipients, be the “processor” of the Personal Data as per GDPR and the Client will be the “controller” of the Personal Data. The provisions of GDPR will apply to the Client, notwithstanding the Client being an incorporated entity.
  3. The Client (hereinafter referred to as "the Controller") and the Provider (hereinafter referred to as "the Processor"), on the basis of the Submission of Data Contract, shall cooperate for the purposes of obtaining Consignments from the place of dispatch to the place of delivery, including performing other operations related to the Ordering System.
  4. In the context of this cooperation, the Personal Data of the Senders and Recipients as provided by the Controller to the Processor will be processed solely for the purpose of obtaining delivery of the Consignment under the Submission of Data Contract.

C. Processing of personal data

  1. The Processor will process the following personal data of the Senders and Recipients:
    1. First and last name and personal identification number / passport number (in the case of the Sender / Recipient being a natural person / individual).
    2. Company registered name, registration number and contact person details (in the case of the Sender / Recipient being an incorporated entity).
    3. VAT number.
    4. Contact details.
    5. Address.
    6. E-mail address.
    7. Phone number.
    8. Banking details.
    9. Consignment identification information.

(herein referred to as "Personal Data").

  1. The Controller warrants to the Processor that the Senders and Recipients have authorized the processing of their Personal Data.
  2. The Processor does not process any special categories of Personal Data.
  3. The Processor undertakes to process Personal Data to the extent and for the purposes outlined in this Agreement. The processing resources will be automated. The Processor will collect, store and dispose of Personal Data on storage media as part of the processing.
  4. The transfer of Personal Data takes place in such a way that the Controller, using the Ordering System, either directly by entering date or electronically (using the Controller’s API), inserts the Consignment data and also presents Personal Data that is necessary to enable the provision of Transport Services.
  5. The Controller is entitled to extend the purpose of the processing in accordance with the law, where the instruction for further processing can be communicated to the Processor only in writing – this includes the e-mail communication to and from authorized persons.
  6. Personal Data may only be processed in the workplaces of the Processor or its sub-processor, even outside the European Union.

D. The Processor’s Rights and Obligations

  1. The Controller consents to the Processor processing the Personal Data for the duration of the Submission of Data Contract and after the termination thereof for such period as the Processor may be required in law and / or in contract. Personal Data is processed according to the law, based on the instructions of the Controller and in accordance with the interests of the Controller and the Processor will not use the processed Personal Data for personal use or for uses unrelated to the Transport Service.
  2. The Processor undertakes to organise the protection of the processed Personal Data through technical means (e.g. data encryption or other appropriate and necessary means), in such a way that unauthorised or accidental access to the data, alteration, destruction, loss, unauthorised transmission, unauthorised processing and misuse is circumvented, and that all of the Processor’s obligations towards the protection of Personal Data is adhered to in accordance with the legal regulations.
  3. The technical and organisational measures adopted correspond to the level of risk involved. The Processor ensures the constant confidentiality, integrity, availability and resilience of the processing systems and services. In the event that a physical or technical incident takes place, the Processor will restore the availability and access of Personal Data.
  4. Personal Data will only be accessible by the Processor’s authorised persons and subcontractors. Any such person will be able to access the Personal Data under its unique identifier.
  5. The Processor shall assist the Controller, through appropriate technical and organisational measures, to meet the Controller's requests for the exercising of the data subject's rights under the GDPR, as well as to ensure compliance with obligations in accordance to Articles 32 to 36 of the GDPR where possible, taking into account the nature of the processing and the information available to the Processor.
  6. The Processor shall provide the Carrier with the requisite Personal Data provided that the GDPR requirements have been fulfilled.
  7. The Processor undertakes to repair, update or delete Personal Data as instructed by the Controller, without undue delay from such prompting.
  8. The Processor undertakes to maintain the confidentiality of the processed Personal Data. It may not, in particular, disclose, disperse or transmit information to other persons outside the Processor’s organisation and / or group or to unauthorised service providers. The Processor shall ensure that its employees and other authorised persons comply with confidentiality obligations.
  9. The Controller shall be required to report any suspicion of Personal Data breaches or other unauthorised access to Personal Data to the Processor by e-mail and within twenty-four (24) hours of discovery.
  10. If the Processor violates it’s obligations under this Agreement, it is liable for all damages caused. Additionally, the Processor is responsible for damages caused by any breach of this Agreement by the Processor’s staff.

E. The Controller’s Rights and Obligations

The Controller undertakes to immediately disclose all known facts which could adversely affect the proper and timely fulfilment of the Processor’s obligations as set out in this Agreement and to provide the Processor with the necessary assistance for the implementation of this Agreement.

F. Sub-Processors

  1. The Controller expressly consents to the Processor engaging any subcontractor (hereinafter referred to as "the sub-processor") as another processor according to Article 28 (a) 2 GDPR. Processors must impose the same data protection obligations on their sub-processors as a processor of Personal Data as set out in this Agreement. If that sub-processor fails to comply with its data protection obligations, the Processor shall be responsible for fulfilling the obligations of the sub-processor concerned.
  2. The Processor currently uses the following sub-processors:
    1. Carriers whose services are necessary for the provision of individual services.
    2. The delivery points and their operators, whose services are necessary for the provision of the Processor’s services.
    3. Other sub-processors whose use is necessary for the operation of the services, particularly hosting and cloud services.
  3. If the consignment is in a place of delivery outside the European Union, the Controller agrees to transfer Personal Data to a sub-processor located outside the European Union.

G. Final Provisions

  1. The Processor will erase all Personal Data and copies thereof at the Controller’s request, unless the law imposes an obligation to impose such Personal Data.
  2. The Processor will retain the Personal Data for so long as the Processor is required in law and / or in contract to do so. Upon the expiration of the aforesaid period, the Processor will expunge all copies of the Personal Data from its systems.
  3. The contact details of the Processor are as follows: +27100014220, info@parcelspot.com.
  4. Relations not expressly modified by this Agreement are governed by the GDPR and the laws of the Republic of Ireland.
  5. If any provision of the Agreement or part thereof is deemed void for any reason, it shall be deemed to have been deleted for that purpose. This does not affect the validity of the remaining parts of the Agreement.
  6. Subject to the Processor’s compliance with the provisions of GDPR and the laws of the Republic of Ireland, the Processor is entitled to amend this Agreement at any time and without prior notice. The Processor must, without undue delay, publish a new version of the Agreement on its website.