1. Data Protection Act (DPA) General
Both parties warrant that they will comply with their respective obligations under the privacy and data protection laws, including the GDPR when applicable.
The Customer is the “data Controller” and Delivery Mates is the “data Processor”.
2.1. The following terms shall have the meanings set out below:
- 2.1. ‘Controller’: The natural or legal person, public authority or any other body which determines the purposes and means of the processing of Customer Data.
- 2.2. ‘Customer Data’: Any Personal data provided to Delivery Mates for processing by the Customer.
- 2.3. ‘Data Subject’: An identifiable natural person about whom the Controller holds the data.
- 2.4. ‘GDPR’: General Data Protection Regulation 2016/679.
- 2.5. ‘Personal Data’: Any information relating to a Data Subject who can be identified directly or indirectly.
- 2.6. ‘Processor’: A natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
- 2.7. ‘Sub-processor’: A natural or legal person, public authority, agency or any other body contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity.
- 2.8. ‘Supervisory Authority’: An independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
3. Controller Obligations in Relation to Customer Data
3.1. The Customer warrants that all instructions provided to Delivery Mates in relation to the processing of Customer Data are lawful and shall include:
- 3.1.1. Nature and purpose of processing.
- 3.1.2. Type of Personal Data to be processed.
- 3.1.3. Categories of Data Subjects.
3.2. The Customer shall only provide instructions to Delivery Mates that are in accordance with this Term of Services and Data Processing.
3.3. The Customer acknowledges that, as Controller, it is solely responsible for determining the lawful processing condition.
3.4. It is the obligation of the Customer as Controller to get consent from the Data Subject. If your legal counsel determines you need to obtain consent before using Delivery Mates, make sure you only enter data of those customers who provided the required consent.
3.5. The Customer should not share classes of data (e.g. sexual orientation, religion-related information) that are not relevant to the management of final mile on-demand delivery services.
3.6. The parties acknowledge that processing of EEA resident Personal Data shall be lawful only if at least one of the following conditions applies:
- 3.6.1. The Data Subject has given consent.
- 3.6.2. Processing is necessary for the performance of a contract to which the data subject is party.
- 3.6.3. Processing is necessary in order to protect the vital interests of the Data Subject.
- 3.6.4. Processing is necessary for the performance of a task carried out in the public interest.
- 3.6.5. Processing is necessary for the purposes of the legitimate interests of the Controller or a third party, provided such interests are not overridden by the interests or fundamental rights of the Data Subject.
4. Processor Obligations in Relation to Customer Data
4.1. Delivery Mates acting as the Processor shall:
- 4.1.1. Only carry out the processing of Customer Data in accordance with the Controller's documented instructions.
- 4.1.2. Notify the Customer without undue delay of any requests received by a Data Subject and assist the Customer with fulfilling the request by taking appropriate technical and organisational measures when possible.
- 4.1.3. Take appropriate security measures for the protection of the security, confidentiality and integrity of Customer Data and resilience of the Service.
- 4.1.4. Inform the Customer without undue delay when becoming aware of a breach of security that can result in a risk to the rights and freedom of natural persons. The obligations herein shall not apply to incidents that are caused by the Customer, Authorized Users and/or any Non-Delivery Mates Products.
- 4.1.5. Detect and report Personal Data breaches in a timely manner.
- 4.1.6. Ensure that persons authorised to access Customer Data have committed themselves to confidentiality.
- 4.1.7. Make available to the Customer all information necessary to demonstrate compliance with the GDPR.
- 4.1.8. Assist the Customer with keeping Personal Data secure.
- 4.1.9. At the end of the provision of service, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless the Union or Member State law requires storage of data.
- 4.1.10. Ensure the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident.
5. Processing Operations
5.1. The Personal Data submitted to Delivery Mates will be processed in accordance with the Customer's instructions and may be subject to the following processing activities:
- 5.1.1. Storage and other processing necessary to provide, maintain and improve the Services provided to the Customer.
- 5.1.2. Provide technical support to the Customer.
- 5.1.3. Disclosures in accordance with the Term of Service, as compelled by law.
6. Use of Sub-processors
6.1. The Customer provides their consent for Delivery Mates to use Sub-processors.
6.2. Where required by law, Delivery Mates shall inform the Customer of any changes concerning the addition or replacement of a Sub-processor.
6.3. The Customer may reasonably object to a new Sub-processor.
7. Transfers of EEA Resident Personal Data to Third Countries
7.1. Delivery Mates shall not cause or permit any Customer Data belonging to an EEA resident to be transferred outside of the EEA unless this is necessary for Delivery Mates to carry out its obligations.
7.2. A transfer of Personal Data to a third country or an international organisation shall take place only if one of the following specific conditions applies. In such circumstances, the Customer as Controller shall determine, and is solely liable for ensuring, that one of these exceptions (Article 49 GDPR) applies:
- 7.2.1. The Data Subject has consented to the transfer after having been informed of the risks.
- 7.2.2. The transfer is necessary for the conclusion or performance of a contract between the Data Subject and the Customer.
- 7.2.3. The transfer is necessary for reasons of public interest.
- 7.2.4. The transfer is necessary for the defence of legal claims.
- 7.2.5. The transfer is necessary to protect the vital interests of the Data Subject.