Data Processing Agreement (DPA)

TDS Ultra Limited Data Processing Agreement

This Data Processing Agreement is made between:


(1) TDS Ultra Limited, a company incorporated under the laws of England with registered number 10219630, with its registered office at The Old Town Hall, 142 Albion Street, Brighton BN42 4AX, United Kingdom (“TDS Ultra”); and

(2) The Customer as defined in the TDS Ultra Proposal (as defined below) (“the Customer”).


And is dated the same date of the Main Agreement (as defined below) entered into between TDS Ultra and the Customer.


BACKGROUND

(A) TDS Ultra is a specialist provider of vehicle tracking, fleet and driver performance data and risk data analysis, which it provides through various channels, including the TDS Ultra software as a service offerings, which it makes available to clients on a subscription basis.


(B) As part of the provision of its business services to the Customer, including provided where referenced pursuant to a Main Agreement, TDS Ultra will process personal data on behalf of the Customer.

(C) This Data Processing Agreement sets out the terms, requirements and conditions on which TDS Ultra will process personal data when providing services to the Customer. This Data Processing Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

The Terms of which are Agreed as follows:


AGREED TERMS


1. Data Protection 

1.1 TDS Ultra has agreed to provide vehicle tracking, fleet and driver performance data and other risk data analysis services (‘the Services’) to the Customer. In the performance of such Services, TDS Ultra will process Protected Data (defined below) on behalf of the Customer.


1.2 In consideration for the Customer engaging the services of TDS Ultra, TDS Ultra shall comply with the data security, confidentiality and other obligations imposed on it under this Data Processing Agreement.


1.3 For the purposes of this Data Processing Agreement:


“Authorised Persons”

the persons or categories of persons that the Customer authorises to give TDS Ultra Personnel data processing instructions, being the signatories to this Data Processing Agreement.

“Business Purposes”

the services described in this Data Processing Agreement or relevant Main Agreement or any other purpose specifically identified in Appendix A.


“Data Controller, Data Processor, Data Protection Officer, Data Subject, Personal Data, Personal Data Breach, Process, Processed and Processing”

shall bear their respective meanings given in the Data Protection Legislation;


“Data Protection Legislation”

means any legislation relating to the processing, privacy and use of personal data, as applicable to the Customer, TDS Ultra and/or the Services being provided including under any relevant Main Agreement, including: the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all other applicable legislation implementing European Community Directives 95/46 and 2002/58, and any subsequent European Union legislation, including the EU General Data Protection Regulation 2016/679 (‘the GDPR’) and any applicable national legislation implementing or supplementing the GDPR or DPA 2018, in relation to the protection of personal data and/or any corresponding or equivalent national legislation in any relevant jurisdiction (once in force and applicable).


“Data Subject Requests”

a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation relating to the Protected Data;


“Main Agreement”

a commercial agreement entered into by the parties to which this Data Processing Agreement attaches.


“Protected Data”

any personal data received from or on behalf of the Customer or otherwise obtained, created, generated, transmitted, stored or processed in connection with the performance of TDS Ultra’s obligations under this Data Processing Agreement or the Main Agreement and which is not Anonymised Data (as defined below).


“TDS Ultra Personnel”

all employees, staff, other workers, agents and consultants of TDS Ultra and of any sub-contractors who are engaged in the provision of the Services under this Data Processing Agreement from time to time.


“TDS Ultra Proposal”

the proposal agreed with the Customer setting out the Services to be provided by TDS Ultra and which is subject to a Main Agreement.


1.4 TDS Ultra and the Customer acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and TDS Ultra is the Data Processor of any Protected Data in relation to which TDS Ultra is providing the Services.


1.5 Appendix 1 sets out the details of the processing of personal data as required by Article 28(3) of the GDPR. The Customer may make reasonable amendments to Appendix 1 by written notice to TDS Ultra from time to time as the Customer reasonably considers necessary to meet those requirements.


1.6 Appendix 2 sets out the Special Contract Clauses that may apply as set out under the terms of this Data Processing Agreement.


1.7 In the event of any conflict between the terms of this Data Processing Agreement and the Main Agreement, this Data Processing Agreement shall prevail. 


2. Personal Data Types and Processing Purposes  


2.1. The Customer and TDS Ultra acknowledge that for the purpose of the Data Protection Legislation, the Customer is the controller and TDS Ultra is the processor.


2.2. The Customer retains control of the Protected Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices, and the Customer further warrants to TDS Ultra that:


2.2.1. it has obtained and will obtain any necessary consents and has a lawful basis for any processing instructions it gives to TDS Ultra; and


2.2.2. it has in place and will maintain in place appropriate technical and organisational measures against:


2.2.2.1. unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data; 


2.2.2.2. accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data; 


2.2.2.3. hacking, or unauthorised access or technical or physical disruption to its hosting, systems or services (including ensuring security, confidentiality, integrity, availability and resilience of its hosting, systems and services); 

and shall ensure that availability of and access to Protected Data can be restored in a timely manner after an incident, and shall regularly test, assess and evaluate the effectiveness of its systems and the technical and organisational measures adopted by it, including as set out in this clause 2.2.2.


2.3. TDS Ultra may during and after the termination of this Data Processing Agreement use and disclose anonymised analytical data derived from the Protected Data (“Anonymised Data”) to third parties without the consent of the Customer.


3. Obligations of TDS Ultra


3.1. TDS Ultra will only process the Protected Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions from Authorised Persons. TDS Ultra will not process the Protected Data in a way that does not comply with this Data Processing Agreement or Main Agreement or the Data Protection Legislation. TDS Ultra must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Data Protection Legislation.


3.2. TDS Ultra must comply with any Customer request or instruction from Authorised Persons requiring TDS Ultra to amend, transfer, delete or otherwise process the Protected Data, or to stop, mitigate or remedy any unauthorised processing.


3.3. TDS Ultra will maintain the confidentiality of all Protected Data and will not disclose Protected Data to third parties unless the Customer or this Data Processing Agreement, or relevant Main Agreement, specifically authorises the disclosure, or if the Protected Data is anonymised by TDS Ultra, or as required by law. If a law, court, regulator or supervisory authority requires TDS Ultra to process or disclose Protected Data, TDS Ultra will use reasonable endeavours to first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.


3.4. TDS Ultra will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of TDS Ultra’s processing and the information available to TDS Ultra, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.


3.5. The Customer must promptly notify TDS Ultra of any changes to Data Protection Legislation that may adversely affect TDS Ultra’s performance of this Data Processing Agreement, or relevant Main Agreement.


3.6. TDS Ultra will only collect Protected Data for the Customer using a notice or method that the Customer specifically pre-approves, the purpose or purposes for which their Protected Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. 


4. Security


4.1. TDS Ultra will implement and maintain in place appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data. 


4.2. TDS Ultra will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:


4.2.1. the encryption of personal data;


4.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;


4.2.3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;


4.2.4. a process for regularly testing, assessing and evaluating the effectiveness of security measures; and 


4.2.5. the anonymisation of any Protected Data required for analytical data purposes.


5. Breach Notification


5.1. TDS Ultra shall:


5.1.1. notify the Customer if it becomes aware of any unauthorised or unlawful processing of, loss of, damage to or destruction or corruption of, the Protected Data, or any attempts to gain unauthorised access to Protected Data and any notification must, at the very least, contain the information required by Data Protection Legislation;


5.1.2. within forty-eight (48) hours, provide the Customer with sufficient information to allow the Customer to meet any notification obligations to report or inform Data Subjects and/or the ICO or any other supervisory or regulatory body of any such breach under Data Protection Legislation;


5.1.3. except where required to do so by law, not notify a Data Subject, the ICO or any other supervisory or regulatory body or any other third party of an actual or suspected breach (and shall treat the existence and circumstances of such actual or suspected breach as confidential information) unless such notice by the Customer is required by applicable laws or is authorised in writing by the Customer;


5.1.4. following such breach or attempted breach of security, investigate and report on the cause of the breach, including proposed corrective action;


5.1.5. provide full co-operation to the Customer to assist the Customer with any investigation relating to security, mitigation, remediation or any other action which is carried out by or on behalf of the Customer in respect of such breach; and


5.1.6. where possible, restore, re-constitute and/or reconstruct such Protected Data unless the matter arose from the Customer’s specific instructions, negligence, wilful default or breach of this agreement or the Agreement, in which case the Customer shall cover all reconstitution or reconstruction expenses.


6. TDS Ultra Personnel


6.1. TDS Ultra shall ensure that access to the Protected Data is strictly limited to:


6.1.1. such TDS Ultra Personnel who need access to the Protected Data to assist the Customer in meeting the Customer's obligations under this Data Processing Agreement or relevant Main Agreement; and


6.1.2. in the case of any access by TDS Ultra Personnel, such part or parts of the Protected Data as is strictly necessary for performance of such person’s duties in delivering the Services.


6.2. TDS Ultra shall ensure that all TDS Ultra Personnel who have access to and/or process Protected Data:


6.2.1. are informed of the confidential nature of the Protected Data and have signed written confidentiality undertakings in respect of the Protected Data;


6.2.2. have undertaken adequate training on compliance with Data Protection Legislation; and


6.2.3. are aware both of TDS Ultra's duties and their personal duties and obligations under such laws and this Data Processing Agreement.


7. Rights of the Data Subject


7.1. At all times whilst it is engaged to provide the Services, TDS Ultra shall implement and maintain in place appropriate technical and organisational measures to assist the Customer in the fulfilment of the Customer’s obligation to respond to Data Subject Requests under Data Protection Legislation. TDS Ultra shall notify the Customer promptly (and in any event within twenty-four (48) hours) if it receives a Data Subject Request.


7.2. TDS Ultra shall provide the Customer with full co-operation, information and assistance in relation to any Data Subject Request.


7.3. Except where required to do so by law, TDS Ultra shall not disclose any Protected Data to any Data Subject or to a third party other than at the request of, with the prior written consent of, and on the documented instructions of the Customer or as provided for in this Data Processing Agreement.


8. Rights of the Customer


8.1. TDS Ultra shall promptly make available to the Customer on request all information necessary to demonstrate compliance with this Data Processing Agreement and with Data Protection Legislation. The Customer is entitled, on giving at least five (5) working days' notice to TDS Ultra, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Protected Data by TDS Ultra.


9. Liability


9.1. TDS Ultra will indemnify the Customer against loss or damage suffered or incurred by the Customer as a result of or arising out of any breach of TDS Ultra’s obligations under this Data Processing Agreement. TDS Ultra’s liability under this Data Processing Agreement shall not however exceed the subscription fees paid by the Customer to TDS Ultra in the preceding 6 months for the relevant services as part of the Services under this Data Processing Agreement or Main Agreement and shall in any event be capped at the maximum liability set out in the Main Agreement. 


9.2. Neither party shall be liable to the other for loss of profits, sales or business, agreements or contracts; anticipated savings; loss of or damage to goodwill; loss of use or corruption of software, data or information; loss or damage to premises, installation or reinstallation costs, or any indirect or consequential loss.


10. General


10.1. Nothing in this Data Processing Agreement shall be construed as preventing a party from taking such steps as are necessary to comply with its own obligations under any Data Protection Legislation or any other applicable law.


10.2. Nothing in this Data Processing Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.


10.3. This Data Processing Agreement shall continue in full force and effect for so long as TDS Ultra is processing Protected Data on behalf of Customer (including without limitation during the time TDS Ultra is providing the Services).


10.4. A person who is not a party to this Data Processing Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Data Processing Agreement, but this does not affect any right or remedy of a third party which exists, or is available, other than in that Act.


10.5. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.


10.6. In the event of any inconsistency between the terms of the Main Agreement and the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall prevail.


10.7. This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement.

10.8. The parties agree to the adoption and enactment of standard contractual clauses (SCCs – as set out at Appendix 2) if required as a result of the UK’s exit from the EU or other circumstances in which the parties agree they are required to ensure the continued flow, safeguarding and processing of the Protected Data by TDS Ultra. The terms of the SCCs shall prevail only so far as the applicable law demands that they do so and cannot otherwise be superseded by the terms of this Data Processing Agreement.


THIS DATA PROCESSING AGREEMENT IS AGREED AND ENTERED INTO BY TDS ULTRA AND THE CUSTOMER ON THE DATE OF THE MAIN AGREEMENT.


Appendix 1

TDS DETAILS OF PROCESSING


This Appendix includes certain details of the processing of the Protected Data as required by Article 28(3) of the GDPR.