DATA PROCESSING

Data Processing Agreement – Ards Taxis and SumUp
Between:
Ards Taxis, 34 East Mount, Newtownards, United Kingdom (hereinafter “the Customer” or “Data
Controller”)
And
SumUp Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland D02 K580, VAT: IE9813461A
(hereinafter “SumUp” or “Data Processor”) each a “party”; together “the parties”,
HAVE AGREED to the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”)
on Personal Data Protection regarding the processing of Personal Data when the Customer is acting as
Data Controller and SumUp is acting as Data Processor, to fulfill the service obligations outlined in the
Services Agreement (detailed below). As part of the fulfilment of those service obligations, SumUp will
process certain Personal Data on behalf of the Data Controller, in accordance with the terms of this
contract. Each party agrees and will ensure that the terms of this contract shall also be fully applicable
to its Affiliates which may be involved in the processing operations of Personal Data for the project
defined in the Services Agreement. Specifically, SumUp will ensure that all Sub-Processors operate
within the same terms as this Agreement when processing Customer’s Personal Data. For the purposes
of the personal data processing under this DPA, SumUp uses as a sub-processor, an entity, part of
SumUp Group – Debitoor UK Ltd. 32-34 Great Marlborough Street, London W1F 7JB United Kingdom
(“Debitoor”).
Introduction and Definitions
Personal Data is defined as any information relating to a data subject by which it can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person or legal entity (where
applicable).
All other definitions referred to herein, including the terms Data Controller and Data Processor, are as
determined by the relevant Data Protection laws, including the EU General Data Protection Regulation,
Regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”).
Sensitive Personal Data is not deemed to be processed under the Application Service offered by the
Data Processor (SumUp Invoicing) and so is excluded from the terms of this Agreement.
By signing up to use the SumUp Invoicing program and accepting the Terms and Conditions, including
the Privacy Policy and this DPA, the parties agree under all national data protection laws and under
GDPR that this Agreement governs the relationship between the Data Controller and the Data Processor,
determining the processing of personal data by SumUp of the Customer’s data. This Agreement takes
precedence unless it has been replaced by another signed DPA which communicates its precedence over
this Agreement.
The purpose of SumUp’s processing of Personal Data for the Customer is to ensure the Customer’s full
use of the Service and to allow this Agreement to be fulfilled. SumUp ensures that sufficient security of
Personal Data is maintained at all times.
Both parties confirm their Authority to sign the Agreement by so doing.
Data Processor Responsibilities
The Data Processor must handle all personal data on behalf of the Data Controller and following their
instructions. By entering into this Agreement, SumUp (and any sub-processors whom the Data
Processor has legal agreement for services with) is instructed to process Personal Data of the
Customer:
1. In accordance with all national and European laws
2. To fulfil its obligations under the Terms and Conditions for SumUp Invoicing
3. As further instructed by the Data Controller
4. As described in this Agreement
As part of providing the Application, the Data Processor is required to always provide the Customer with
adequate solutions to accompany continued development of their business by using the service. The
Data Processor tracks how the Customer uses the Application in order to make the best suggestions, to
provide relevant services at all times and to send the most accurate communications, with the
aim of continued ease of use and satisfaction. Insofar as the processing of personal data from the
Application forms part of this, such data are processed only in accordance with this DPA and applicable law
and are shared only as required to provide a better experience for the Customer.
Taking into account the available technology and the cost of implementation, as well as the scope,
context and purpose of the Processing, the Data Processor is required to take all reasonable measures,
including technical and organizational measures, to ensure a sufficient level of security in relation to the
risk and the category of Personal Data to be protected. The Data Processor shall assist the Data
Controller with appropriate technical and organizational measures as required and taking into account
the nature of the treatment and the category of information available to the Data Processor to ensure
compliance with the Data Controller’s obligations under applicable Data Protection laws.
The Data Processor shall notify the Data Controller without undue delay if the Data Processor becomes
aware of a security breach.
In addition, the Data Processor shall, as far as possible and legally permitted, inform the Data Controller if
information on data held is requested (Data Access Request) by any bodies to whom they
should provide it. The Data Processor will respond to such requests once authorized by the Data
Controller to do so. The Data Processor will also not disclose information about this Agreement unless
the Data Processor is required by law to do so, such as by court order.
If the Data Controller requires information or assistance regarding the security of data, documentation
or information about how the Data Processor processes Personal Data generally, they can request this
information of the Processor. The data processor, its employees and any Affiliates, shall ensure
confidentiality in relation to Personal Data processed under the Agreement. This provision continues to
apply after termination of the Agreement, regardless of the cause of termination.
Data Controller Responsibilities
The Data Controller confirms, by signing/accepting this agreement, that it will, when using the
Application, be able to freely process its data once in line with all Data Protection legal requirements
including GDPR. They are giving explicit consent to the processing of their Personal Data at all times
when using the Service.
The Data Controller can revoke the acceptance of this DPA at any stage, but by doing so the Data
Processor will no longer be able to provide the Service.
The Customer has a legal basis for processing the Personal Data with the Data Processor (including any
sub-processors) with the use of SumUp’s services.
The Data Controller is responsible at all times for the accuracy, integrity, content and reliability of the
Personal Data Processed by the Data Processor. They have fulfilled all mandatory requirements in
relation to notification to, or obtaining permission from the relevant public authorities regarding the
Processing of Personal Data. They have further fulfilled their disclosure obligations to the relevant
authorities regarding the processing of Personal Data in accordance with all applicable data protection
legislation.
The Data Controller must have an accurate list of the categories of Personal Data it processes,
particularly if such processing differs from the categories listed by the Data Processor in Appendix A.
Agreement to Data Transfer and the Use of Subcontractors
In order to provide the service to the Data Controller, the Data Processor may use sub-processors (or
“subcontractors”). These subcontractors can be third party suppliers both within and outside the EU /
EEA. The data processor ensures that all subcontractors satisfy the obligations and requirements within
this agreement, specifically that their level of data protection meets the standard required under
relevant Data Protection laws. If a jurisdiction falls outside of EU / EEA and is not on the European
Commission approved listing of satisfactory data protection levels under GDPR, then specific agreement
is entered into between SumUp and such subcontractor to assure they will maintain all Personal Data in
line with the requirements under current EU Data Protection laws.
This Agreement constitutes the Data Controller’s prior specific and explicit consent to the Data
Processor’s use of subcontractor Data Processors which may at times be based outside the EU / EEA or
territories approved by the European Commission.
The Data Controller can revoke this consent at any stage, but by doing so terminates the Agreement in
place and the Data Processor will no longer be able to provide Service.
If a Subcontractor is established or stores Personal Data outside of the EU / EEA or European
Commission approved territories, the Data Processor has the responsibility to ensure a satisfactory
basis for transferring Personal Data to a third country on behalf of the Data Controller, including the use
of the EU Commission Standard Contracts or specific measures which have been pre-approved with the
EU Commission.
The Data Controller must be informed before the Data Processor replaces its Subcontractors. The Data
Controller can then object to a new Sub-Processor who processes their Personal Data on behalf of the
Data Processor, but only if the Sub-Processor does not process data in accordance with relevant data
protection legislation. The Data Processor can demonstrate compliance by providing the Data Controller
with access to the data protection assessment conducted by the Data Processor.
If the Data Controller still objects to the use of the Subcontractor, they may terminate their subscription
to the Service, without the usual notice period required, then ensuring that their Personal Data is not
processed by the non-preferred subcontractor.
Duration of the Agreement
The agreement remains valid as long as the Data Processor processes Personal Data with the Data
Controller’s use of the Service Application and unless it is replaced by another signed DPA which
communicates its precedence over this Agreement.
Termination of the Agreement
Should the data controller decide to stop using the service, whether the service is via subscription or
not, the data controller can also delete all their account data. Upon the execution of the data deletion
procedure initiated by the data controller, the Data Processor deletes all Personal Data, except that
which they are required to retain under any applicable legal requirements, and in such case will be held
in accordance with the technical and organizational safeguards within SumUp.
The Data Controller has full capability to retrieve all of their Personal Data within the Service
Application. If the Data Controller requests data retrieval assistance, the associated costs shall be
determined in agreement between the Parties and shall be based on the complexity of the requested
process and the time to fulfil it in the chosen format.
Changes to the Agreement
Changes to the Agreement might be made by the Data Processor in a separate Annex to the Agreement
or another visible way for the Data Controller and communicated to the Data Controller. If any of the
provisions of the Agreement are deemed invalid, this does not affect the remaining provisions. The
parties shall replace invalid provisions with a legal provision that reflects the purpose of the invalid
provision.
Audits
The Data Controller is entitled to initiate a review of the Data Processor’s obligations under the
Agreement once a year. If the Data Processor is required to do so under applicable legislation, audits
may be repeated once a year. The Parties decide together if a third party should conduct the audit.
However, the Data Controller may allow the Data Processor to have the security review conducted by a neutral
third party of the Data Processor’s choice, if it is a processing environment where multiple data
controllers’ data is processed.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a
qualified third-party auditor within the previous twelve months and the Data Processor confirms that
there have been no material changes in the measures under review, this will satisfy any requests
received within such time frame. Audits may not unreasonably interfere with the Data Processor’s
business as usual activities. The Data Controller is responsible for all costs associated with their request
for audit review.
Responsibilities and Jurisdictions
Liability for actions arising from breach of the provisions of this Agreement is governed by liability and
compensation provisions in the Terms and Conditions of SumUp Invoicing, section 13. This also applies
to any violation by the Data Processor’s Sub-Processors. This Agreement is governed by the Courts of the
United Kingdom who shall have exclusive jurisdiction to determine any dispute concerning same.
Appendix A – Categories of Personal Information and Usual
Processing Categories
A. Categories of Personal Information (list is non-exhaustive)
Name
Address
Telephone number(s)
Email address(es)
Address(es)
Any account numbers and/or bank details
B. Usual Processing Categories (list is non-exhaustive)
The Data Controller’s Employees
The Data Controller’s Contacts (telephone/email/addresses/etc)
The Data Controller’s Customers
The Data Controller’s Banking information
Their Customer’s Employees
Their Customer’s Contacts (telephone/email/addresses/etc)
Their Customer’s Customers
Their Customer’s Customers Banking information

Personal Data Processing Agreement – Ards Taxis and TaxiCaller Nordic AB

Between

TaxiCaller Nordic AB, company registration no. 556878-7864, with address Diskettgatan 11A, 583 35 Linköping, Sweden (Hereinafter referred to as the “Data Processor” or “Service Provider”)

and

The client, who provides passenger transportation services to its customers. (Hereinafter referred to as the “Data Controller” or “Customer”)

The Data Processor and the Data Controller being hereinafter referred to collectively as “Parties” and individually as “Party”.

1. Purpose of this Data Processing Agreement

The Parties have entered into an agreement (the “Service Agreement”) under which the Service Provider provides a cloud-based dispatch and booking solution for taxis and other forms of transportation (the “Service”). The full Service Agreement can be found here: https://admin.taxicaller.net/admin/billing/terms.php. The Service involves the Service Provider processing personal data on behalf of the Customer. The Service Agreement remains in effect until terminated by either Party.

The purpose of this Data Processing Agreement is to regulate the rights and obligations of the Parties with regards to the processing of personal data under the Service Agreement in order to ensure that the personal data is processed in accordance with the provisions in the EU General Data Protection Regulation (GDPR) and any subsequent legislation replacing or supplementing the above.

In the event that the terms in this agreement and the Service Agreement should not be consistent or are in conflict regarding personal data processing, these terms override the conflicting personal data processing terms in the Service Agreement. The remainder of the Service Agreement still applies.

2. The purpose and scope of the personal data processing

The purpose of the processing of personal data is to be able to handle taxi (and other transportation) bookings, dispatch jobs, provide technical support, train staff, data analysis, report generation, correspondence, payment processing and to improve the Service and technical platform of the Service.

Categories of data subjects and personal data which may be covered by the processing of personal data under the Service Agreement are specified in Appendix 1 to this Data Processing Agreement.

3. Obligations of the Data Controller

The Data Controller shall notify the Data Processor without undue delay of any and all circumstances that may arise which may involve the need to change the way in which the Data Processor processes personal data under this Data Processing Agreement. The Data Controller is responsible for all data entered into the system and may not enter data categorized as sensitive personal data or data needing extra protection.

4. Obligations of the Data Processor

4.1 Security Measures

The Data Processor shall implement appropriate technical and organisational measures to ensure that personal data is processed in accordance with the requirements in the applicable data protection laws, the conditions in the Service Agreement and in this Data Processing Agreement. All security measures must be at least equal to the level which the competent supervisory authority typically requires for equivalent processing activities. The measures must be documented and submitted to the Data Controller upon request without undue delay.

4.2 Instructions

The Data Processor must process personal data only on behalf of and for the benefit of the Data Controller, only for the purposes stated in item 2 above. The Data Processor must follow the instructions given by the Data Controller per Appendix 2 to this Data Processing Agreement.

The Data Processor shall ensure that each of its personnel who has access to the personal data covered by this Data Processing Agreement complies with the terms and conditions of this Data Processing Agreement, including specifically only processing the personal data in accordance with the instructions given by the Data Controller.

If the Data Processor is of the opinion that the instructions given by the Data Controller are in conflict with the applicable data protection legislation, the Data Processor must immediately inform the Data Controller of the same through email.

4.3 Transfer of personal data and use of sub-contractors

The Data Controller agrees that the Data Processor may engage subcontractors to process Personal Data on the Data Controller’s behalf. Information about the subcontractors currently engaged by the Data Processor and authorized by the Data Controller can be found in Appendix 3 to this Data Processing Agreement.

The Data Processor must enter into an agreement with each of its subcontractors, binding the subcontractors to have at least the same obligations as the Data Processor has under the Service Agreement and this Data Processing Agreement. The Data Processor is fully responsible to the Data Controller for how the subcontractors process personal data, including their security measures.

The Data Processor shall provide the Data Controller reasonable advance notice (for which email or a message in TaxiCaller’s admin panel shall suffice) if it adds or removes subcontractors. In the event that the change cannot be approved by the Data Controller, the Data Controller has the right to terminate the Service Agreement with immediate effect. This shall be done in writing by the Data Controller.

4.4 Requirements with regards to localisation and transfer of personal data to third countries

The Data Processor ensures that the personal data related to the usage of the Service within the EU is primarily stored and processed in an EU country. In the cases when personal data is stored and processed outside of the EU, the Data Processor shall ensure that this is done in accordance with the law, for example, but not limited to, by using 3rd party services who have incorporated the EU standard contractual clauses in their contracts or requiring external contractors to comply with GDPR.

4.5 Obligation of Confidentiality

The Data Processor must ensure that any person who will process personal data under this Data Processing Agreement is either covered by a statutory obligation of confidentiality or has undertaken the same in a binding agreement. Confidentiality shall apply with regards to all information processed by the Data Processor under this Data Processing Agreement and the information shall remain confidential also after this Data Processing Agreement has terminated. Access to personal data may only be granted to such person who needs it in order to carry out its duties.

4.6 Incident Reporting

The Data Processor must promptly notify the Data Controller of any security incidents where such incidents have resulted in or are likely to result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data covered by this Data Processing Agreement. Upon request from the Data Controller, the Data Processor must promptly provide the Data Controller with all requested information about the incident such as the facts relating to the incident, its effects and the remedial action taken and cooperate with the Data Controller in communicating about the incident with the supervisory authority where necessary.

4.7 Assistance with fulfilling obligations towards the data subjects

The Data Processor must assist the Data Controller in fulfilling its obligations towards data subjects and help the Data Controller facilitate the exercise of data subjects’ rights such as the correction and removal of data, data portability etc. in accordance with the data protection legislation. This assistance must be provided without undue delay and without any demands from the Data Processor for additional financial compensation unless the request requires time-consuming manual work by the Data Processor.

4.8 Removal of personal data

During the current term of the Data Processing Agreement, the Data Controller’s user indicates when personal data is to be deleted. No later than May 25th 2018 the Data Processor will make it possible for the Data Controller to delete or anonymize such data.

After the termination of the Service Agreement, the Data Processor undertakes to, at the choice of the Data Controller, delete or anonymize all personal data covered by the Service Agreement with the exception of data that the Data Processor is required by law to keep. This must take place promptly after the completion of the data processing activities under this Data Processing Agreement and after the Data Controller has notified the Data Processor in writing to delete the Data Controller’s TaxiCaller account without any requirement for additional financial compensation, unless the Parties agree otherwise.

4.9 Audits and inspections

The Data Processor must allow for and contribute to audits, including inspections conducted by the Data Controller or another auditor mandated by the Data Controller. Additional rules on how the audit must be carried out are found in the instructions in Appendix 2 of this Data Processing Agreement. The costs for audits and inspections shall be paid by the Data Controller. These payments shall be made in advance.

4.10 The Data Controller may suspend or terminate the Service Agreement and this Data Processing Agreement at any time, with immediate effect by notice in writing and without incurring any liability for compensation for termination if the Data Controller, acting reasonably and in good faith, has reason to believe that the Data Processor is unable or has failed to comply with its obligations under this clause 4.

5. Limitation of liability

The limitations of liability in the Service Agreement apply to this Personal Data Processing Agreement. The Service Agreement can be found here: https://admin.taxicaller.net/admin/billing/terms.php.

6. Updates to this agreement

This Data Processing Agreement can be updated by TaxiCaller at any time. An updated Data Processing Agreement will come into effect once the Data Controller has confirmed receipt of the update. The Data Controller has the right to stop using the Service and have all the data removed if the Data Controller doesn’t accept the updated terms.

Any updates made to this Data Processing Agreement must comply with GDPR.

7. Applicable Law and Jurisdiction

7.1 This Data Processing Agreement shall be governed by and construed in accordance with the laws of Sweden.

7.2 Any disputes arising out of or in connection with this Data Processing Agreement shall be determined by Linköping district court in Sweden or optionally, if TaxiCaller in its own discretion chooses so, by arbitration in accordance with the Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat of arbitration shall be Linköping. The language to be used in the arbitral proceedings shall be English.

7.3 In the event that any of the terms of this Agreement are in conflict with any applicable rule of law or statutory provision or otherwise unenforceable under applicable laws or regulations of any government or subdivision thereof, such terms shall be deemed stricken from this Agreement, but such invalidity or unenforceability shall not invalidate any of the other terms of this Agreement and this Agreement shall continue in force.

8. Indemnification

TaxiCaller reserves the right to access, read, preserve, and disclose any information as we believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request or requests from police departments, (ii) enforce TaxiCaller’s Terms and conditions, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect the rights, property or safety of TaxiCaller, its users and the public.

9. Term

This Data Processing Agreement shall remain in effect as long as the Data Processor is processing personal data on behalf of the Data Controller.


Appendix 1 to the Personal Data Processing Agreement

1. Categories of data subjects registered

The following categories of data subjects may be covered in relation to the processing under this Personal Data Processing Agreement.

  • Taxi passengers and persons ordering transportation.
  • Employees and persons using the service on behalf of a transportation company.
  • Other users of TaxiCaller’s cloud-based dispatch system.

2. Categories of personal data

The following categories of personal data may be processed under this Personal Data Processing Agreement.

  • Name
  • Contact information
  • Home, work and other addresses
  • Vehicle information
  • Licenses to carry out services related to transportation and dispatching
  • Written and spoken communications
  • Photos
  • Timestamped GPS coordinates

Appendix 2 to the Personal Data Processing Agreement

1. Instructions

The client, who provides passenger transportation services to its customers, in its capacity as Personal Data Controller for the processing of personal data covered by the Agreement, hereby provides TaxiCaller Nordic AB, in its capacity as Personal Data Processor, the following instructions.

2. Audits

When the Personal Data Controller requests an audit the Personal Data Controller and the Personal Data Processor will agree on how the audit shall be done and by whom. The Personal Data Controller shall have paid for the audit costs before the audit starts.

3. Information security

1. The Personal Data Processor is responsible for, in accordance with industry best practices, (a) establishing controls to ensure the confidentiality of the personal data and to ensure that the personal data is not disclosed contrary to the provisions of the Data Processing Agreement or any privacy laws and, (b) develop, implement and maintain appropriate technical, physical, administrative and organisational security measures, procedures and practices designed to protect the personal data taking into account the risks that the processing of personal data may result in for the data subject’s rights and freedoms, and for the operations of the Personal Data Controller. The Personal Data Processor shall particularly ensure that the personal data is protected against any actual, suspected or anticipated threats to the security and integrity of personal data such as accidental or unlawful destruction, loss or change, unauthorised disclosure of or access to personal data and other data breaches.

2. The Personal Data Processor must ensure at least the following with regards to encryption of personal data. Passwords are encrypted or hashed, and internet communication is encrypted. (In specific circumstances, and at the Data Controller’s discretion, some web pages may be accessed without encrypted data transfer.)

3. The Personal Data Processor must ensure at least the following when it comes to authentication of users. User access is granted by either username and password authentication, key-based authentication, or access tokens which either have expiry dates or can be revoked by the Data Controller.

4. The Personal Data Processor must ensure that any person working under its supervision who has access to personal data covered by this Data Processing Agreement only processes such data to the extent necessary in order for this person to carry out its work duties.

5. The Personal Data Processor shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements in the Data Processing Agreement to all of its personnel who have access to personal data.

6. The Personal Data Processor may store, display, analyze and generate reports of personal data for the following:

  • Customer relation management system for both personal and corporate clients
  • Vehicle tracking and driven routes.
  • Correspond with transportation customers.
  • System user handling and access control.
  • Provide a communication service between system users and passengers.
  • System improvements, problem and error resolution.
  • Technical support and staff training
  • Transportation booking, handling and dispatching.
  • Processing payments.

Appendix 3 to the Personal Data Processing Agreement

Information about subcontractors engaged by TaxiCaller Nordic AB, including their functions and locations, is available at: https://app.taxicaller.net/agreement/subcontractors (as may be updated by TaxiCaller from time to time in accordance with these Terms).