Data Processing Agreement
Version September 2025
Agreement on order processing
Regulations on data protection and data security in contractual relationships
according to Art. 28 GDPR
Shiftmove GmbH
Warschauer Straße 57
10243 Berlin
- hereinafter referred to as "Processor" -
and you
- hereinafter referred to as the "Controller" -
- hereinafter jointly referred to as the "Contracting Parties" -
Preamble
This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR is part of our General Terms and Conditions ("Main Agreement") concluded between our users and Shiftmove GmbH and can be accessed here: https://www.shiftmove.com/legal/agb. According to this agreement, this DPA applies to the processing of your personal data in the context of the provision of our product.
By signing the order form, the Terms and Conditions, including this DPA, are deemed to be bindingly agreed upon, so that a separate signature of this DPA is generally not required.
Nevertheless, we provide our customers with the option to download the DPA separately, sign it, and return it to us. In this case, we kindly ask you to send a copy of the signed version to privacy@shiftmove.com.
The agreement is based on the provisions of the GDPR, the German Federal Data Protection Act (BDSG), and the Data Act.
§ 1 Subject matter, type and purpose of processing; type of personal data, categories of data subjects
(1) The subject matter of the processing is the provision of one or multiple services as a Software-as-a-Service from the Shiftmove Group ("Services"). The nature and purpose of the processing are defined in Appendix 1a. The type of processing is listed in Appendix 1b.
(2) The categories of data subjects are defined in Appendix 1c.
(3) The type of personal data processed is defined in Appendix 1d.
(4) Appendix 1 is part of this agreement.
(5) The Controller instructs the Processor to process this data for these purposes.
§ 2 Duration of the order
The duration of this order (term) corresponds to the term of the Main Agreement.
§ 3 Responsibility and authority to issue instructions
(1) The Controller shall be responsible for compliance with the provisions of data protection law, in particular for the lawfulness of the transfer of data to the Processor and for the lawfulness of the data processing (Art. 4 No. 7 GDPR). The Processor shall not use the data for any purposes other than those specified in this Data Processing Agreement and the Main Agreement and, in particular, is not authorised to pass them on to third parties not covered by § 6 of this agreement. Copies and duplicates will not be made without the knowledge of the Controller. Anything to the contrary shall only apply to the extent specified in § 3 (2) of this agreement.
(2) The Processor shall process personal data only on the documented instructions of the Controller, unless there is another obligation under Union law or the law of the Member State to which the Processor is subject. In the event of another obligation, the Processor shall inform the Controller of the corresponding legal requirements without delay prior to such processing, if legally permitted.
(3) The Controller, but not the Processor, is the data owner (see Recital 22 of the Data Act). The Processor undertakes not to use any data transmitted by the Controller (personal and non-personal data) for its own purposes, for profiling or for product improvement, unless the Processor has been expressly permitted to do so. The Processor thus fulfils the requirements of Art. 6 and Art. 8 (2) of the Data Act.
(4) If the Processor is of the opinion that an instruction of the Controller violates data protection regulations, it shall inform the Controller immediately in accordance with Art. 28 (3) GDPR. Until the corresponding instruction has been confirmed or amended, the Processor is authorised to suspend the processing based on the violating instruction.
(5) Changes to the object of processing must be jointly agreed and documented. The Processor may only provide information to third parties or the data subject with the prior written consent of the Controller.
§ 4 Confidentiality
The Processor shall only give access to Controller personal data to employees who have been bound to confidentiality in accordance with Art. 28 (3) (b) GDPR and who have received dedicated training on the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data may only process this data in accordance with the Controller's instructions, including the authorisations granted in this Data Processing Agreement, unless they are legally obliged to do so.
§ 5 Data security
(1) The contracting parties agree on the specific data security measures set out in Appendix 2 "Technical and organisational measures" to this agreement in accordance with Art. 28 (3) (c) GDPR in conjunction with Art. 32 (1) GDPR in order to ensure the security of the processing on behalf. The measures to be implemented by the Processor are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects within the meaning of Art. 32 (1) GDPR will be taken into account by the Processor when implementing such measures.
(2) Appendix 2 is an integral part of this agreement.
(3) The Processor shall observe the principles of proper data processing. It shall guarantee the contractually agreed and legally required data security measures. The technical and organisational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not be undercut. Significant changes must be documented and communicated to the Controller in writing.
(4) In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Art. 33, 34 GDPR, taking into account the nature of the processing and the information available to the Processor.
(5) In the event of a personal data breach in connection with the data processed by the Processor, the Processor shall notify the Controller without undue delay after becoming aware of the breach. This notification shall contain at least the following information:
- a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects affected and the approximate number of data records affected);
- contact details of a contact point where further information about the personal data breach can be obtained;
- the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.
§ 6 Inclusion of further Processors (subcontractors)
(1) For the purposes of this agreement, subcontractors are further Processors whose services are directly related to the provision of the main service. This does not include ancillary services which the Processor utilises, e.g. telecommunications services, postal/transport services and cleaning. However, the Processor is obliged to put in place appropriate and legally compliant contractual agreements and control measures to ensure the data protection and data security of the Controller's data, even in the case of outsourced ancillary services.
(2) The use of subcontractors or the change of the existing subcontractor is permitted, provided that:
- the Processor notifies the Controller of such outsourcing to subcontractors 14 calendar days in advance in writing or in text form, and
- the Controller does not object to the planned outsourcing in writing or in text form to the Processor by the time the data is transferred.
(3) Should the Controller object to a change of subcontractor within the objection period according to § 6 (2), the Processor will check and inform the Controller whether the service can be provided without the change of subcontractor. If, based on its review, the Processor cannot provide the service without the change of subcontractor, both parties shall have the right to terminate the contract in writing with a notice period of 14 days.
(4) A contractual agreement shall be concluded with the subcontractor in accordance with Art. 28 (3) and (4) GDPR.
(5) The transfer of personal data of the Controller to the subcontractor and the subcontractor's initial activities are only permitted once all legal requirements for subcontracting have been met. The subcontractors authorised by the Controller at the time the contract is concluded are listed in Appendix 3. The subcontractors of the subcontracting entities can be viewed under the links https://vimcar.de/datenschutz/subunternehmer and https://www.avrios.com/de/legal/sub-Processors.
(6) Affiliated companies of the Shiftmove Group are commissioned as subcontractors.
(7) Any transfer of data processing to a third country requires the prior documented instruction or authorisation of the Controller and may only take place if the special requirements of Art. 44-49 GDPR are met.
(8) Appendix 3 is part of this agreement.
§ 7 Rights of data subjects
(1) The Processor is obliged to support the Controller with appropriate technical and organisational measures, where possible, to comply with the obligations to respond to requests of data subjects exercising their rights under Art. 12 to 22 GDPR (Art. 28 (3) (e) GDPR).
(2) Insofar as the data subject has a right to data portability vis-à-vis the Controller, the Processor shall ensure that the Controller can receive the personal data processed in the Processor's area of responsibility in a structured, commonly used and machine-readable format.
(3) The Processor may only disclose, rectify, erase or restrict the processing of personal data in accordance with documented instructions from the Controller (Art. 28 (3) (g) GDPR).
(4) If a data subject contacts the Processor directly in order to exercise their rights pursuant to Art. 12 to 22 GDPR, the Processor shall forward the request to the Controller without undue delay.
(5) The Processor may only provide information to third parties or data subjects with the prior written authorisation of the Controller.
(6) The Controller is responsible for informing data subjects in accordance with Art. 12 and 13 GDPR. Necessary information in connection with this obligation, which is only available to the Processor, will be made available to the Controller upon request.
(7) The Processor shall assist the Controller, at the latter's request, in providing data in a structured, interoperable and machine-readable format and, where applicable, in transferring it to third parties, insofar as the Controller is held liable as the data owner of users in accordance with Art. 4 ff. and Art. 8 of the Data Act.
§ 8 Obligations of the Processor
(1) In addition to complying with the provisions of this contract, the Processor must comply with the obligations pursuant to Art. 28 to 36 GDPR. In this respect, the Processor shall in particular ensure compliance with the following requirements:
- If the Processor is legally obliged to appoint a data protection officer in writing in accordance with Art. 37 GDPR, § 38 BDSG, the Processor shall provide the Controller with the contact details of the data protection officer for the purpose of direct contact. The Controller must be notified immediately of any change of data protection officer.
- The external data protection officer at the Processor is
clever datenschutz GmbH
E-Mail: privacy@shiftmove.com
(2) The Processor shall support the Controller in complying with the obligations set out in Art. 32 to 36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes in particular:
- ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and enable the immediate detection of relevant breach events;
- the obligation to inform the Controller without undue delay if the Processor becomes aware of a personal data breach (Art. 28 (3) (f), Art. 33 (2) GDPR);
- the obligation to support the Controller in the context of its duty to inform the data subject and to provide it with all relevant information in this context without delay;
- the support of the Controller for its data protection impact assessment;
- the support of the Controller in the context of prior consultations with the supervisory authority.
(3) Any transfer of data by the Processor to a third country or an international organisation shall be carried out exclusively in compliance with the legal requirements for the transfer of data to third countries in accordance with Art. 44 ff. GDPR. In order to ensure an adequate level of data protection, the Processor shall only transfer data to recipients in third countries if an adequacy decision of the EU Commission exists for the third country in question (Art. 45 GDPR), appropriate safeguards for the transfer, such as standard contractual clauses, are in place (Art. 46 GDPR), internal data protection regulations apply (Art. 47 GDPR) or other exceptional circumstances for the transfer of data exist (Art. 48 GDPR). The Controller consents to the transfer of data to the subcontractors referred to in § 6 (5) of this agreement, who may be based in third countries.
(4) The Processor shall support the Controller in fulfilling its obligations regarding data portability and switching providers in accordance with the requirements of the Data Act and shall provide information on supported formats and interfaces in accordance with Articles 23-29 of the Data Act.
§ 9 Control rights of the Controller, Art. 28 para. 3 sentence 2 lit. h GDPR
(1) The Processor undertakes to provide the Controller, upon written request and within a reasonable period of time, with all information and evidence necessary to carry out a written inspection.
(2) Audit and Inspection Rights of the Controller
The Controller shall have the right, prior to the commencement of processing and regularly thereafter, to verify compliance with the technical and organisational measures implemented by the Processor.
This shall primarily be carried out through:
- obtaining information from the Processor; and/or
- the submission of independent audit reports or recognized certifications.
a) Event-Related On-Site Inspections
The Controller shall be entitled to carry out an on-site inspection at the Processor’s premises if:
- there are specific indications giving rise to doubts about the accuracy or completeness of the submitted audit reports or certifications,
- a security incident within the meaning of Art. 33 (1) GDPR has occurred in connection with the data processing, or
- the documents provided do not sufficiently evidence the required safeguards.
In such cases, on-site inspections must generally be notified in writing at least 14 calendar days in advance.
A shorter notice period shall only be permissible in duly justified exceptional cases, where urgency directly results from the respective event (e.g., in the case of a security incident). In such cases, the Controller shall provide a comprehensible justification for the shortened notice period and, upon request, furnish evidence thereof to the Processor.
b) Non-Event-Related On-Site Inspections
Irrespective of any specific event, the Controller may conduct one non-event-related on-site inspection per calendar year.
Such inspections must also be notified in writing at least 14 calendar days in advance.
c) General Provisions
The exercise of inspection rights shall not unduly disrupt the Processor’s business operations or be exercised in an abusive manner.
The Controller shall bear any actual costs incurred by the Processor as a result of non-event-related on-site inspections.
(3) The Controller shall be obliged to prepare a written record of each inspection carried out. Any deviations, deficiencies, or other material findings identified in the course of the inspection shall be communicated to the Processor without undue delay, and in any case within a reasonable period following completion of the inspection, in text form. The inspection record shall be made available to the Processor upon request.
§ 10 Liability
(1) The liability of the parties shall be governed by Art. 82 GDPR. This shall not affect the Processor’s liability to the Controller for breach of obligations under this contract or the main contract.
(2) The parties shall release each other from liability if one party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. § 10 (2) sentence 1 shall apply accordingly in the event of a fine imposed on a party, whereby the indemnification shall be made to the extent that the respective other party bears a share of the responsibility for the breach sanctioned by the fine.
§ 11 Non-compliance with the clauses and termination of the contract (Art. 28 (3) (g) GDPR)
(1) Without prejudice to any provisions of the GDPR, in the event that the Processor is in breach of its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with these Clauses, for whatever reason.
(2) The Controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
- the processing of personal data by the Processor has been suspended by the Controller pursuant to point (a) and compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
- the Processor is in persistent breach of these Clauses or its obligations under the GDPR;
- the Processor fails to comply with a binding decision of a competent court or the competent supervisory authorities regarding its obligations pursuant to these Clauses or the GDPR.
(3) The Processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the Controller insists on compliance with the instructions.
(4) Upon completion of the provision of the processing services, the Processor shall either delete or return all personal data at the discretion of the Controller, unless there is a legal obligation to store the personal data.
(5) In this case, the Processor shall confirm to the Controller in text form, stating the date and without further request, that it has returned to the Controller or destroyed or securely erased all data carriers and other documents that may have been provided to it and has therefore not retained any data of the Controller.
(6) Documentation that serves as proof of proper data processing shall be retained by the Processor beyond the end of the contract in accordance with the respective retention periods.
§ 12 Final provisions
(1) Data carriers and data records provided shall remain the property of the Controller.
(2) Should one or more provisions of this agreement be invalid, this shall not affect the validity of the remaining provisions. In the event of the invalidity of one or more provisions, the contracting parties shall immediately replace the invalid provision with a provision that most closely corresponds to the invalid provision in economic terms and in terms of data protection law.
(3) The contracting parties agree that Processor’s defense of the right of retention within the meaning of § 273 BGB (German Civil Code) with regard to the data to be processed and the associated data carriers is excluded.
(4) There are no oral side agreements between the parties. Any amendment, supplement, or termination of this agreement requires written form in order to be valid, which may itself only be waived in writing. Compliance with the written form requirement is satisfied by a signature executed with at least a simple electronic signature recorded via e-signature software. The electronic signature has full probative value.
(5) Insofar as other agreements at the time of the conclusion of this contract contain provisions to the contrary or contradict this contract, the contents of this contract shall take precedence.
(6) The following annexes form an integral part of this agreement: Appendix 1 "Information on processing", Appendix 2 "Technical and organisational measures", Appendix 3 "Subcontractors".
Appendix 1
Information on processing
The information set out below regarding the subject matter and purpose of the processing, the types of processing, the categories of data subjects, and the categories of personal data processed relates to the full potential scope of the services offered by the Processor. Binding, however, are solely those purposes, types of processing, categories of data subjects, and categories of personal data which arise from the Main Agreement, including the respective Order Form, and which are required for the products and functionalities actually ordered by the Controller.
a) Object and purpose of the processing
The subject of the processing is the provision of one or more of the following services as Software-as-a-Service:
- Software for fleet management (Avrios) including the purposes:
  - Management of vehicles and drivers
  - Management of fines
  - Administration of fuel cards
  - Management of damage reports
  - Carrying out driver's license checks
  - Creation of reports and analyses
- Live localisation and route documentation (Vimcar Fleet Geo) including the purposes:
  - Live tracking of vehicles
  - Route documentation of vehicles
  - Geo-fencing notification for vehicles
- Electronic logbook (Vimcar Logbook) including the purposes:
  - Route documentation of vehicles
  - Export of logbook data
b) Type of processing
As part of the assignment, the Processor will carry out the following types of processing in accordance with Art. 4 No. 2 GDPR: Collection, recording, organization, ordering, storage, adaptation, alteration, retrieval, consultation, transmission, restriction, erasure and destruction of data.
c) Categories of data subjects and personal data
When providing the services, personal data of the following categories of data subjects may be processed on a regular basis:
- Drivers (former and current employees and their spouses and dependants, current contractors as well as applicants, candidates and future employees);
- Users (authorised users of the customer (who are not drivers) who are entitled to use the services);
- Third parties (customers, business partners, suppliers, consultants, representatives, freelancers and/or subcontractors of the customer (natural persons)).
d) Type of data processed
Avrios fleet management:
- Tasks and comments
- Fine notice information (addressee, amount, photos)
- Entry date and exit date
- Vehicle information (CO2 emissions, damage reports, license plate, chassis number)
- Photos (driving license photos and portrait photos)
- Driving license information
- Contact information (telephone number, fax number, cell phone number, e-mail address)
- Personal master data (first name, surname, address, gender, date and place of birth, language, nationality, residence permit, marital status, details of dependents, national identification number)
- Company administration data (internal ID, cost centre, organization, department, location, sector and sub-sector, reporting structure)
- Information on salary planning (fringe benefits relating to company cars), service specifications and associated information (entitlement to company car and class of company car)
- Fuel card information (provider, costs, date, product)
- Accident prevention regulation test results
- Device data and IT usage data
Vimcar Fleet Geo:
- First name, last name
- E-mail address, telephone number, cell phone number
- Logbook data
- Trip data during the journey
- Live tracking and route documentation
- VIN (Vehicle Identification Number)
- Verification information for carrying out the automated driver's license check (optional when using the driver's license check)
- Technical vehicle data (e.g. repair status), photos of vehicles (optional when using the damage management system)
- Device data and IT usage data
Vimcar Logbook:
- First name, surname
- E-mail address, telephone number, cell phone number
- Logbook data
- Trip data during the journey
- Start and end point of trips
- Kilometers driven
- Categorization of private and business trips
- Contact and address data
- VIN (Vehicle Identification Number)
- Test parameters for carrying out the automated driver's license check (optional when using the driver's license check)
- Technical vehicle data (e.g. repair status), photos of vehicles (optional when using the damage management function)
- Device data and IT usage data
Appendix 2
Technical and organisational measures
You will find our technical and organisational measures as Appendix 2 in the .pdf files provided above.
Appendix 3
Subcontractors
The Controller has authorized the use of the following sub-Processors:
1. Name: Vimcar GmbH
Address: Warschauer Str. 57, 10243 Berlin, Germany
Contact: datenschutz@vimcar.com
Third Country: No
Purpose:
- Provision and development of the SaaS Vimcar Logbook and Vimcar Fleet Geo
- Customer support
- Freight and package distribution
2. Name: Avrios International AG
Address: Rieterstr. 6, 8002 Zurich, Switzerland
Contact: privacy@avrios.com
Third Country: Yes
Guarantee: Adequacy decision of the EU Commission
Purpose:
- Provision of the SaaS Avrios Fleet Management
- Customer support