The terms and conditions contained in this GDPR Processing Schedule are incorporated into any agreement specifically referencing and incorporating this GDPR Processing Schedule (“Agreement”). To the extent that the Data Protection Laws (as defined below) are applicable to the Agreement, then the parties agree that this schedule shall apply.
For purposes of this GDPR Processing Schedule, Customer is a Data Controller (sometimes referred to herein as “Data Controller”) and Logistyx is a Data Processor (sometimes referred to herein as “Data Processor”).
The following words and expressions shall bear the following meanings:
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process/Processed/Processing”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws;
“Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) as amended and superseded from time to time, and/or all applicable laws, rules, regulations, regulatory guidance, regulatory requirements from time to time, in each case in each jurisdiction where the Services are delivered in relation to data privacy;
1. SUBJECT MATTER AND DURATION. The subject matter and duration of the Processing are as set out in the Agreement.
2. PURPOSE AND NATURE. The purpose, nature, and subject matter of the processing of Personal Data may be as follows:
(a) Logistyx may, subject to Customer’s direction and control, have access to Personal Data when performing Professional Services and/or Software Maintenance and Support for Customer. It is not anticipated that Logistyx will process Personal Data when performing these services.
(b) Personal Data may be processed for the purpose of printing shipping labels for the shipment of goods ordered by the data subjects. The data may include a data subject’s name and address. The Personal Data will be sent by secure transmission from Customer to Logistyx and forwarded by Logistyx to carriers nominated by the Customer in a secure method (subject to the requirements of each nominated carrier). Following transmission of the Personal Data to the nominated carrier, all personally identifiable data will be deleted within ________ days.
The obligations and rights of the parties in respect of the Processing of Personal Data are set out in the Agreement.
3. TYPES OF PERSONAL DATA. The types of Personal Data that will be processed pursuant to this Agreement are as follows: name and address as detailed on a carrier’s shipping label. There are no special categories of Personal Data that will be shared by Customer with Logistyx. In the event Customer will share special categories of Personal Data with Logistyx, Customer agrees to notify Logistyx in writing with at least 30 days’ advance notice. Logistyx shall have the right to refuse to accept such special categories of Personal Data.
4. DATA CONTROLLER OBLIGATIONS. Within the scope of the Agreement and in its use of Logistyx’s services, Customer as a Data Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Data Processor and the Processing of Personal Data. For the avoidance of doubt, Data Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Laws. The Agreement and this Schedule are Customer’s complete and final instruction to Logistyx in relation to Personal Data. Additional instructions outside the scope of the Agreement and this Schedule require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Customer, as Data Controller, in separate written instructions (as individual instructions). Customer shall inform Logistyx without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
5. PROCESSING INSTRUCTIONS. If Data Processor cannot process Personal Data in accordance with Data Controller’s instructions due to a legal requirement under any applicable European Union or Member State law, Data Processor will (i) promptly notify the Data Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Data Controller issues new instructions with which Data Processor is able to comply. If this provision is invoked, Data Processor will not be liable to the Data Controller under the Agreement or this Schedule for any failure to perform the applicable services until such time as the Data Controller issues new instructions in regard to the Processing.
6. DATA PROCESSOR OBLIGATIONS. When acting as a Data Processor in relation to Personal Data provided by the Customer acting as a Data Controller, Logistyx shall:
(a) not Process the Personal Data or disclose Personal Data other than in accordance with the Data Controller’s documented instructions, unless required by EU or member state law to which the Data Processor is subject;
(b) not authorize any sub-contractor to Process the Personal Data (“sub-processor”) other than with the prior written consent of the Data Controller, such consent to be subject to the Data Processor meeting the conditions set out in all Data Protection Laws, including without limitation Article 28 (2) and (4) of the GDPR; for these purposes, Customer consents to and authorizes the engagement as sub-Processors of Logistyx’s affiliated companies and the following third parties: [Amazon Web Services, Inc., Google, Inc., Microsoft Azure, etc.];
(c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and take all measures required pursuant to all Data Protection Laws, including without limitation Article 32 GDPR, in relation to the processing of Personal Data, taking account of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed;
(d) take all reasonable steps to ensure the reliability of persons authorized to Process the Personal Data and ensure that they have committed themselves to obligations of confidentiality;
(e) promptly notify the Data Controller if it receives any communication from a Data Subject or Supervisory Authority under the Data Protection Laws in respect of the Personal Data, including requests by a Data Subject to exercise rights in Chapter III of GDPR and assist the Data Controller in the Data Controller’s obligation to respond to these communications;
(f) immediately notify the Data Controller upon becoming aware of or reasonably suspecting a Personal Data Breach and shall, unless Section 6(g) below applies, provide the Data Controller at the time of original notification with sufficient information to allow the Data Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
(i) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
(ii) communicate the name and contact details of the Data Processor’s Data Protection Officer or, where the Data Processor has not appointed a Data Protection Officer, the relevant contact from whom information may be obtained;
(iii) describe the likely consequences of the Personal Data Breach; and
(iv) describe the measures taken or proposed to be taken to address the Personal Data Breach.
(g) if at the time of making the original notification described in Section 6(f), the Data Processor does not have available to it all the information described in Section 6(f)(i) to 6(f)(iv), the Data Processor shall include in the original notification such information as it has available to it at that time, and then shall provide the further information set out in Section 6(f)(i) to 6(f)(iv) as soon as possible thereafter;
(h) assist the Data Controller in ensuring compliance with the obligations pursuant to all Data Protection Laws, including without limitation Articles 35 and 36 of the GDPR, taking into account the nature of Processing and the information available to the Data Processor;
(i) at the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of Services relating to Processing;
(j) make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in all Data Protection Laws, including without limitation Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller;
(k) not (and shall procure that its sub-processors shall not) under any circumstances transfer Personal Data outside of the country where Logistyx is located unless authorized in writing by the Data Controller. If and to the extent that Logistyx and/or its sub-processors are located in any country which the European Commission has determined as providing an inadequate level of protection in relation to Personal Data, then Logistyx shall, or shall procure that its sub-processors shall (as required by the Data Controller), enter into the Standard Contractual Clauses (Processors) (as laid down in Commission Decision 2010/87/EU of 5 February 2010, or any subsequent version which replaces these).
In the event of a conflict, inconsistency or ambiguity between the terms of this Schedule and the terms of the Agreement with respect to the subject matter hereof, the terms of this Schedule shall prevail. This GDPR Processing Schedule is subject to change at Logistyx’s discretion; however, no change to this GDPR Processing Schedule will result in Logistyx failing to act in accordance with the GDPR.