Sendcloud order data processing

Provisions for Commissioned Data Processing | Sendcloud GmbH (2018)

These Processing Provisions (hereinafter the "Provisions") apply to all Services (as defined below) provided by Sendcloud GmbH (hereinafter "Sendcloud").

Any party, company or business that has an account with the Sendcloud Platform or otherwise uses the Services (hereinafter the "Customer") is deemed to have accepted these Terms in full. For the purpose of these Terms, the Customer is the Data Controller and Sendcloud is the Data Processor.

Preamble

Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR), these Terms apply to all Services provided by Sendcloud to the Customer and reflect the parties' agreement regarding the processing of Customer Personal Data.

Definitions:

1.1 "Customer Personal Data" means all personal data processed in connection with the Services by Sendcloud or by third parties contracted by Sendcloud;

1.2 "Data Breach" means any unauthorised or unlawful processing, disclosure of or access to Customer Personal Data or any accidental or unlawful destruction, loss, alteration or corruption of Customer Personal Data;

1.3 "Data Controller" shall have the meaning set out in Article 4 of the GDPR;

1.4 "Data Processor" has the meaning set out in Article 4 of the GDPR;

1.5 "Data Subject" means a natural person whose Personal Data is processed by Sendcloud;

1.6 "EEA" means the European Economic Area;

1.7 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC;

1.8 "Personal Data" has the meaning set out in Article 4 of the GDPR;

1.9 "Privacy Shield" means the EU-US framework to provide a data protection compliance mechanism for companies transferring personal data from the European Union to the United States;

1.10 "Services" means all activities performed or provided by Sendcloud for the Customer when using Sendcloud.co.uk and Sendcloud.at; Sendcloud.nl; be; panel.sendcloud.sc; shipping-portal.com, and other related websites provided or made available by Sendcloud;

1.11 "Sub-processor" means any person or organisation appointed by or on behalf of Sendcloud to process Customer Personal Data.

1.12 Any terms not defined shall carry the same meaning as in the GDPR and their related terms shall be interpreted accordingly.

In the course of providing services to the Customer, Sendcloud may process Customer Personal Data on behalf of the Customer. The parties agree to respect the following provisions regarding Customer Personal Data, each acting reasonably and in good faith.

2 Applicability and duration of the provisions

2.1 These Terms apply to all Customer Personal Data processed by Sendcloud in respect of the Services. Sendcloud may rely on the fact that the person accepting these Terms is authorised to do so on behalf of the Customer. The Terms shall remain in force and automatically cease to be valid upon the deletion of all Customer Personal Data as described in Chapter 11 of these Terms (Deletion or Return of Personal Data).

3 Processing of personal data

3.1 Sendcloud processes Customer Personal Data only for the purposes of improving and providing the Services to the Customer. Sendcloud processes Customer Personal Data only on behalf of the Customer and in accordance with these Terms and the Customer's documented instructions, unless otherwise required by a relevant law to which Sendcloud is subject.

3.2 Sendcloud complies with all applicable data protection laws when processing Customer Personal Data.

3.3 Sendcloud shall inform the Customer without undue delay if, in Sendcloud's opinion, any instruction given by the Customer with respect to the processing of the Customer Personal Data violates important data protection laws and/or these Terms, unless applicable law prohibits it for important reasons of public interest.

4 Security measures and confidentiality
4.1 Sendcloud implements and maintains reasonable technical and organisational measures to protect Customer Personal Data from data breach. More information can be found in the Sendcloud Privacy Policy.
4.2 Security measures include, but are not limited to, measures to protect Customer Personal Data, the ability to ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore timely availability and access to Customer Personal Data following an incident, and regular testing/examination/evaluation of the effectiveness of the measures applied to ensure processing security.
4.3 Sendcloud shall take reasonable steps to ensure that the security measures are complied with by the persons authorised to process Customer Personal Data, including ensuring that all persons authorised to process Customer Personal Data have agreed to maintain confidentiality or are obliged to do so under a legal obligation of confidentiality.
4.4 Sendcloud shall ensure that only the persons authorised to process Customer Personal Data are granted access and only to the extent necessary for the provision and improvement of the Services to the Customer.

5 Subcontracted processing
5.1 Sendcloud will only engage a sub-processor for processing activities under these Terms if that sub-processor is located in the EEA or the United States of America (provided that such US-based party complies with the Privacy Shield). In all other cases, Sendcloud shall notify the Customer prior to using a sub-processor and shall give the Customer the right to expressly object to the service provision by deleting the Customer's account.
5.2 The Customer expressly permits the use of the sub-processors listed in Annex 1 (sub-processors as of 10 May 2018). In addition, the Customer generally permits the appointment of other third parties as sub-processors, as long as these parties are appointed in accordance with the rules set out in this chapter. Sendcloud shall update Annex 1 and notify the Customer in the event that a new sub-processor is appointed.
5.3 With regard to each Sub-Processor, Sendcloud shall ensure that:
5.3.1 Such appointment is set out in a written contract or other written legal instrument;
5.3.2 The obligations set out in these Terms and under Article 28(3) of the GDPR are transferred mutatis mutandis to the Sub-processor;
5.3.3 The Sub-processor processes the Customer Personal Data in accordance with appropriate and technical measures pursuant to these Terms and Article 32 of the GDPR;
5.4 Sendcloud is liable for the Customer Personal Data processed by a sub-processor. This does not apply to operator-related obligations as set out in the Sendcloud Terms and Conditions.

6 Rights of data subjects
6.1 Sendcloud allows the Customer to access, rectify, erase, object to or restrict the processing of Customer Personal Data upon request and to export Customer Personal Data in accordance with the procedures and timeframes set out in these Terms.
6.2 Data Subject Requests
6.2.1 In the event that Sendcloud receives a request from a Data Subject with respect to Customer Personal Data, Sendcloud shall assist the Data Subject in sending its request to the Customer, who shall respond to such requests.
6.2.2 Sendcloud shall assist the Customer in fulfilling its obligation to respond to requests from data subjects in order to enable the exercise of the data subject's rights under Chapter III of the GDPR.

7 Data transfer
7.1 Customer Personal Data will only be processed by Sendcloud and/or an appointed sub-processor: (i) within the EEA; or (ii) in the United States of America, provided that such US-based party complies with the Privacy Shield; or (iii) in a country with a level of data protection recognised by the EU Commission.
7.2 If Sendcloud is permitted by the Customer to transfer Customer Personal Data to a recipient or country outside the EEA or the United States of America, provided that such US-based party complies with the Privacy Shield, and such country does not have (i) a level of data protection recognised by the EU Commission; or (ii) is not covered by an appropriate framework or certificate recognised by relevant authorities or courts as providing an adequate level of data protection, Sendcloud shall implement the standard contractual clauses (pursuant to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors in third countries that do not ensure an adequate level of data protection).

8 Personal data breach
8.1 In the event of a data breach affecting Customer Personal Data, Sendcloud shall notify the Customer without undue delay after becoming aware of such breach. Sendcloud shall take immediate action to remedy such breach and mitigate any negative consequences.
8.2 Sendcloud shall assist the Customer in ensuring compliance with all legal obligations to notify a breach to a supervisory authority or to inform data subjects of a data breach in accordance with Articles 33 and 34 of the GDPR.

9 Data Protection Impact Assessment and Prior Consultation
9.1 Sendcloud shall provide assistance to the Customer in carrying out data protection impact assessments, including any consultations with supervisory authorities or other competent data protection authorities, in order to comply with the obligations set out under Articles 35 and 36 of the GDPR or equivalent provisions of any other data protection law.

10 Recording of processing activities
10.1 Sendcloud shall keep records of processing activities in respect of these Terms and Customer Personal Data, in accordance with the provisions established pursuant to Article 30 of the GDPR.
10.2 Sendcloud shall make these records available to the Customer upon request and without undue delay.

11 Deletion or return of personal data
11.1 All personal data shall be pseudonymised within 12 months after inclusion in the Sendcloud system.
11.2 The customer may at any time request Sendcloud in writing to close his account and/or delete all personal customer data. In this case, Sendcloud shall delete all personal customer data within six (6) months from the request. Sendcloud cannot guarantee earlier deletion, as such data may be necessary for the adequate provision of the Services.
11.3 The provisions of this Chapter 11 are subject to the legal requirements of the EU or EU Member State regarding storage and retention of personal data.

12 Control
12.1 The Customer or a third party auditor acting on the Customer's instructions shall have the right to conduct data protection and security checks on Sendcloud's data security and data protection procedures for the processing of Customer Personal Data and compliance with these provisions and the relevant data protection legislation at its own expense. The Customer may request Sendcloud to provide evidence of compliance with these provisions instead of or in addition to conducting an inspection.

13 Liability
13.1 Sendcloud's liability under these Terms or by operation of law shall at all times be limited to the amount covered by Sendcloud's liability insurance. If such liability insurance does not provide for adequate cover, Sendcloud's total sum insured shall at all times be limited to the amount of the fees paid by the Customer to Sendcloud for the related Services in the relevant calendar year.

14 Final provisions
14.1 These Terms shall be governed by the laws of Germany.
14.2 Any disputes arising in relation to the Terms shall be brought before a court in Germany, which shall have exclusive jurisdiction to decide the matter, unless otherwise agreed in writing by the parties.
14.3 Any future amendments to these Terms shall be in writing. Such amendments shall be in the form of an updated version of these Terms.
14.4 If any provision of these Terms is held to be invalid or unenforceable, the remainder of these Terms shall remain valid and enforceable. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability while preserving as closely as possible the intentions of the parties or, if that is not possible, (ii) construed as if the invalid or unenforceable portion had never been included.