1. Background and Intention
The company, individual or organisation agreeing to these terms (the “Company”), and CUBO Solutions Limited, or any other entity that is directly or indirectly controlled by CUBO Solutions Limited (as applicable, “CUBO”), have entered into an agreement (the “Agreement”) whereby CUBO will either supply Services to the Company or be Supplied Services by the Company.
As part of this Agreement, the Company will be sharing Data with CUBO. The intention of these Data Processing Terms (the “Terms”) is to ensure there are proper arrangements in place relating to Data passing from the Company to CUBO. Any transfer of Data from CUBO to the Company is dealt with separately and does not form part of these Terms.
The Terms will be effective from 25 May 2018 (the “Effective Date”) and will replace any and all data processing and security terms which were previously applicable. These Terms will take precedence should there be any conflict between these Terms and previously applicable terms, including those stipulated in the Agreement.
2. Definitions and Interpretation
Within these Terms:
‘Data Protection Legislation’ means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or data protection of Personal Data or corporate data (including any national laws implementing any such legislation (including Directives 95/46/EC, 2002/58/EC and 97 /66/EC)), including the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (512003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the General Data Protection Regulation.
‘Data’ means any data which is captured by Data Protection Legislation, which includes but is not limited to personal data and sensitive data as defined by GDPR.
‘GDPR’ means the General Data Protection Regulation
‘Services’ means the services provided by the Supplier as part of the Agreement.
‘Controller’ has the meaning given to it in Data Protection Legislation.
‘Data Subject’ has the meaning given to it in Data Protection Legislation.
‘Personal Data’ has the meaning given to it in Data Protection Legislation.
‘Processor’ has the meaning given to it in Data Protection Legislation.
‘Sub-Processor’ has the meaning given to it in Data Protection Legislation.
‘Supervisory Authority’ has the meaning given to it in Data Protection Legislation.
3. Data Processing
The Company warrants, represents and undertakes to CUBO that it has Lawful Grounds for Processing the Data, that it has informed and will continue to inform the Data Subjects of the purpose of processing the Data and shall at all times comply with its obligations under Data Protection Legislation.
The Company retains control of the Data in cases where CUBO was not already in control of the Data. CUBO will maintain the confidentiality of the Data and agrees to process the Data only in accordance with Data Protection Legislation and the following stipulations (to the extent that they are required by Data Protection Legislation):
a) CUBO shall process the Data;
(i) only to the extent and in such a manner as is necessary for its performance of the Services;
(ii) only in the European Economic Area or the UK, unless the transfer has been authorised by the Company or is to a country that the European Commission or, in respect of a transfer from the UK, the European Commission or an applicable Supervisory Authority, has decided from time to time ensures an adequate level of protection in accordance with Data Protection Legislation, or the transfer has appropriate safeguards in place, as set out within GDPR;
(iii) where applicable, in accordance with the Standard Contractual Clauses (Processors) approved by the European Commission in Commission Decision C(2010)593;
(iv) where applicable, in accordance with the requirements of the EU-US Privacy Shield (or any successor arrangement approved by the European Commission from time to time) and, where applicable, shall hold a valid registration with the US Department of Commerce to that effect.
b) CUBO shall ensure that all employees and other representatives of the Supplier accessing the Data
(i) are aware of these Terms; and
(ii) have received training on the Data Protection Legislation and related good practice; and
(iii) are bound by confidentiality obligations;
c) CUBO and the Company have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
d) The Company grants CUBO the right to involve third parties (including agents and sub-contractors) in the processing of the Data.
e) Taking into account the nature of the processing, CUBO shall adopt such technical and organisational measures as are necessary to enable it to, insofar as it is able, assist the Company to fulfil its obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc;
f) CUBO shall provide to the Company such assistance as it is able to enable the Company to comply with its obligations under Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to Data Subjects, data protection impact assessments and when necessary consultation with the ICO (or relevant Supervisory Authority;
g) CUBO shall maintain a written record of all categories of processing activities carried out on behalf the Company, containing all information required under the Data Protection Legislation, and, make this record available to any relevant European Union or Member State supervisory authority (and/ or its UK equivalent) where requested by that supervisory body;
h) To the extent required by Data Protection Legislation, CUBO shall delete the Data as soon as the Data are no longer necessary, or otherwise if at any time reasonably instructed to do so by the Company. Where the Company is a fleet vehicle tracking customer, it shall have the option to set the retention period of the data by logging into the fleet tracking application. Where CUBO is to delete the Data, deletion shall include destruction of all existing copies (to the extent required by Data Protection Legislation).
i) To the extent required by Data Protection Legislation, CUBO shall, if at any time reasonably requested to do so by the Company, make available to the Company the information necessary to demonstrate compliance with the obligations laid down under these Terms and allow for any reasonable requests for audits from the Company, provided that the Company compensates CUBO for any and all of its costs incurred in supporting the requirements of the audit (including the costs of employee time), access to certain records may be restricted by CUBO where such records are deemed commercially sensitive by CUBO (such judgements to be made by CUBO in its absolute discretion), no penetration testing, vulnerability scanning, or other security tests are performed, no records or copies of records may be removed from CUBO’s sites, CUBO receives 30 days notice prior to the audit and non-disclosure agreements are signed by any and all parties wishing to perform the audit (including any parties acting on the Company’s behalf);
j) CUBO shall observe suitable arrangements relating to the secure transfer of the Data from the Company to CUBO and the safe keeping of the Data by the CUBO;
k) CUBO shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;
l) To the extent required by Data Protection Legislation, CUBO shall if reasonably requested to do so by the Company promptly return, amend, transfer, copy or delete any Data.
4. Notice Obligations etc
To the extent required by Data Protection Legislation, CUBO shall notify the Company promptly on becoming aware of any actual, suspected or threatened loss, leak or unauthorised processing or disclosure of any Data.; promptly upon receipt of a notice from any Supervisory Authority, which relates directly or indirectly to the processing of the Company’s Personal Data and shall cooperate with that Supervisory Authority; promptly if any of the Company’s Personal Data in the possession and/or control of CUBO is lost, corrupted or rendered unusable for any reason.
On the expiry or termination of these Terms, CUBO shall immediately cease to use, and shall procure that its agents and sub-contractors cease to use, the Data and shall arrange for its safe return or destruction (at the Company’s option) at the relevant time (unless European Union, Member State and/ or UK law requires storage of the Personal Data).
6. Rights in Personal Data
CUBO compiles data collected as part of the Services in aggregated and anonymised form (the ‘Aggregated Data’) and the Company grants permission for CUBO to do this. CUBO acquires the full rights to and ownership of the Aggregated Data at the point that this data is compiled and shall be under no obligation to keep confidential, delete, return or make any amendments to the Aggregated Data or any part thereof.
The Company grants CUBO permission to make contact with its employees, directors, officers and other representatives on an ongoing basis for the purposes of performing the Services and for marketing purposes, provided that the Company can at any stage withdraw such permission with 30 days notice.
Subject to Clause 7b, these Terms shall remain in force even after the Agreement has terminated, but may be terminated by CUBO at any time after the Agreement has terminated.
These Terms may be varied from time to time by CUBO (acting reasonably), provided that notification is given to the Company and the Company has the right and the opportunity to object to such variations. In the event that the Company objects to the variations, CUBO shall have the option to terminate the Terms by giving a minimum of 30 days notice.
Each Party irrevocably agrees that the courts of Northern Ireland shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms or its subject matter or formation.
The headings and sub-headings within these Terms are for convenience of reference and shall not form part of, or affect the interpretation of, these Terms.
If any provision within the Terms is held to be unenforceable or unreasonable it shall, to the extent of such illegality, invalidity, voidness, voidability, unenforceability or unreasonableness, be deemed severable. The remaining provisions of the Terms and the remainder of such provision shall therefore continue in full force and effect.