Data Processing Agreement
- The Client (hereinafter referred to as "the Controller") and PARCELSPOT LTD., Company Registration Number 648570, incorporated in The Republic of Ireland (hereinafter referred to as "the Processor"), on the basis of the contractual relationship to which this Agreement is annexed, shall cooperate in obtaining consignments from the place of dispatch to the place of delivery, including performing other operations related to the transport (hereinafter referred to as "ordering system").
- In the context of this cooperation, the personal data from the Senders and Consignees are transferred, where the data is provided by the Controller and the Processor’s personal data for the Controller is processed solely for the purpose of obtaining delivery of the consignment under the Agreement with the Controller, and Personal Data Processing (hereinafter referred to as "the Processing Agreement" or "Agreement").
- The Processor shall, in relation to the personal data of the Senders and Consignees, be the Processor as per Article 28 of the GDPR, unless they are also the Client. The Client is the controller of the data.
Processing of personal data
The Processor acts as a personal data Processor for the personal data controller-the sender is authorized to process the following personal data of the senders and recipients:
- Name and surname.
- Contact details.
- Email address.
- Telephone number.
- Banking details.
- Consignment identification information.
- The Processor for the Controller does not process any special categories of Personal Data.
- The Processor undertakes to process Personal Data for the user to the extent and for the purposes outlined in this Agreement. The processing resources will be automated. The Processor will collect, store and dispose of Personal Data on storage media as part of the processing.
- The transfer of Personal Data takes place in such a way that the Administrator, using the order system, either directly by entering date or electronically (using the Administrator API), inserts the consignment data and also presents Personal Data that is necessary to enable the provision of services - i.e. procurement of the Carriage of consignments and performing other transport related operations (hereinafter referred to as "Service").
- The Controller is entitled to extend the purpose of the processing in accordance with the law, where the instruction for further processing can be communicated to the Processor only in writing – this is includes the e-mail communication of the Parties addressed to authorized persons.
- Personal Data may only be processed in the workplaces of the Processor or its sub-Processor, even outside the European Union.
- The Processor acts as a personal data Processor for the personal data controller-the sender is authorized to process the following personal data of the senders and recipients:
The Processor’s Rights and Obligations
- The Processor agrees that the Controller can process the Personal Data provided by the Client, during the period necessary to exercise the rights and obligations arising from the contractual relationship between the Processor and the Client and the application of claims from these contractual relationships (the Processor has up to a period of five  years after the termination of the contractual relationship to defend its rights and obligations). Personal Data is processed according to the law, based on the instructions of the Controller and in accordance with the interests of the Controller and the Processor will not use the processed Personal Data for personal use or for uses unrelated to transport.
- The Processor undertakes to organise the protection of the processed Personal Data through technical means (e.g. data encryption or other appropriate and necessary means), in such a way that unauthorised or accidental access to the data, alteration, destruction, loss, unauthorised transmission, unauthorised processing and misuse is circumvented, and that all of the Processor’s obligations towards the protection of Personal Data is adhered to in accordance with the legal regulations.
- The technical and organisational measures adopted correspond to the level of risk involved. The Processor ensures the constant confidentiality, integrity, availability and resilience of the processing systems and services. In the event that a physical or technical incident takes place, the Processor will restore the availability and access of Personal Data.
- Personal Data will only be accessible by the Processor’s authorised persons and subcontractors according to Section D, Paragraph 2 of this Agreement. The Processor will provide the Controller with this information with the terms and the extent of the processing of the data and any such person will be able to access the Personal Data under its unique identifier.
- The Processor shall assist the Client, through appropriate technical and organisational measures, to meet the Client's requests for the exercising of the data subject's rights under the GDPR, as well as to ensure compliance with obligations in accordance to Articles 32 to 36 of the GDPR where possible, taking into account the nature of the processing and the information available to the Processor.
- The Processor shall provide the Carrier with all the information necessary, obligating under this Agreement and that the GDPR requirements have been fulfilled.
- The Processor undertakes to repair, update, delete or relocate Personal Data as instructed by the Administrator, without undue delay from such prompting.
- The Processor undertakes to maintain the confidentiality of the processed Personal Data. It may not, in particular, disclose, disperse or transmit information to other persons outside the employee's employment relationship with the Processor or other authorized persons entrusted with Personal Data processing. The Processor shall ensure that its employees and other authorised persons comply with confidentiality obligations.
- The Administrator shall be required to report any suspicion of Personal Data breaches or other unauthorised access to Personal Data to the Processor by email and within twenty-four (24) hours of discovery.
- If the Processor violates it’s obligations under this contract, it is liable for all damages caused. Additionally, the Processor is responsible for damages caused by any breach of this Agreement by the Processor’s staff.
The Administrator’s Rights and Obligations
- The Administrator undertakes to immediately disclose all known facts which could adversely affect the proper and timely fulfilment of the Processor’s obligations as set out in this Agreement and to provide the Processor with the necessary synergy for the implementation of this Agreement.
The Administrator grants authorisation with the involvement of a subcontractor (hereinafter referred to as "the sub-processor") as another processor according to Article 28 (a) 2 GDPR. In addition, the Processor grants the sub-processor general permission to involve the processing of another processor of Personal Data. Processors must impose the same data protection obligations on their sub-processors as a processor of Personal Data as set out in this Agreement. If that sub-processor fails to comply with its data protection obligations, the Controller shall be responsible for fulfilling the obligations of the sub-processor concerned.
The Processor currently uses the following sub-processors:
- Carriers whose services are necessary for the provision of individual services.
- The delivery points and their operators, whose services are necessary for the provision of the Processor’s services.
- Other sub-processors whose use is necessary for the operation of the services, particularly hosting and cloud services.
- If the consignment is in a place of delivery outside the European Union, the Controller agrees to transfer Personal Data to a sub-processor located outside the European Union.
- The Processor will erase all Personal Data and copies thereof at the Controller’s request, unless the law imposes an obligation to impose such Personal Data.
- In the event of the termination of the forwarding contract and the expiry of the period referred to in Section C, Paragraph 1 of this Agreement, the Processor is obliged to liquidate the Personal Data provided under this Agreement.
- The contact details of the Processor, in relation to this Agreement, are as follows: +27 (10) 001-4220, email@example.com.
- Relations not expressly modified by this Agreement are governed by the GDPR and the laws of the Republic of Ireland.
- If the data subject's objection is according to Article 21 (a) 1 of the GDPR, undertakes to remove the Processor immediately form invitation from the written invitation of the administrator of the defective state. Email communication between the parties is also considered in writing.
- If any provision of the Agreement or part thereof is deemed void for any reason, it shall be deemed to have been deleted for that purpose. This does not affect the validity of the remaining parts of the Agreement.
- The Processor is entitled to amend this Agreement at any time and without prior notice. The Processor must, without undue delay, publish a new version of the Agreement on its website and send the new version to the Administrator's email address.