Data Processing Agreement
INTRODUCTION
The Controller and the Processor have entered into a framework agreement regarding the use of the WinFleet® system for vehicle geolocation services and, if applicable, the additional WinFleet® management applications ordered by the customer from the Processor, EcoMobility S.à r.l., for the Controller, who is a customer of EcoMobility (hereinafter referred to as “Services” and “Framework Agreement for Services”).
The Controller instructs the Processor to process personal data on behalf of the Controller as part of the provision of the Services under the Framework Agreement for Services.
The Controller has appointed the Processor to provide the Services and has determined the purposes and essential means of data processing to be carried out by the Processor on behalf of the Controller.
The parties enter into this agreement to define their respective rights and obligations in connection with the processing of personal data by the Processor in accordance with Article 28 of Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”, General Data Protection Regulation).
ARTICLE 1 – SUBJECT MATTER AND DEFINITIONS
1.1 This agreement defines the rights and obligations of the parties regarding the processing of personal data by the Processor on behalf of the Controller.
1.2 Unless expressly agreed otherwise or unless the context requires otherwise, the terms used in this agreement have the meaning assigned to them in the GDPR.
ARTICLE 2 – DESCRIPTION OF DATA PROCESSING CARRIED OUT BY THE PROCESSOR
2.1 The Processor is instructed by the Controller to process personal data as part of the Services provided by the Processor under the Framework Agreement for Services.
The categories of personal data and affected persons involved in the data processing are specified in Annex 1.
2.2 The Processor will process personal data only in accordance with the instructions of the Controller. The instructions are provided as part of the contractual agreement between the parties.
2.3 The Controller undertakes to confirm all instructions for the Processor regarding the processing of personal data in writing, including through the order form for the Services and the settings in the WinFleet® system, and to document these instructions.
2.4 The Processor undertakes to process personal data only in accordance with the instructions of the Controller as part of the provision of the Services. In any case, the Processor will not process data for purposes other than the provision of the Services for the Controller and the fulfillment of its legal obligations.
ARTICLE 3 – OBLIGATIONS OF THE PARTIES
3.1 The Controller has determined the purpose(s) of the data processing before commissioning the Services from the Processor. The nature of the data processing and the purpose(s) of the data processing are described in Annex 1.
3.2 The Controller has also defined the essential means of data processing, including the personal data to be collected by specifying the vehicles to be monitored, the identity of the persons authorized to access the personal data in the WinFleet® system, and the access permissions of these users, as well as the retention period of the personal data. The Controller has provided instructions to the Processor regarding these aspects at the time of signing the Framework Agreement for Services with the Processor. The essential means of data processing are determined by the Controller and can be changed at any time by sending a corresponding written request to the Processor or by changing the relevant settings in the WinFleet® system.
3.3 Regarding the purpose(s) of the data processing, the Controller confirms and guarantees that it does not violate the provisions of the GDPR or other applicable laws when using or processing personal data or when commissioning the Processor to process personal data.
3.4 The Processor will make reasonable efforts to inform the Controller, as far as possible, if in its opinion the Controller’s instructions violate the provisions of the GDPR, taking into account the information provided by the Controller. If the Processor considers the Controller’s instructions to be unlawful, it may suspend the execution of these instructions until their legality is verified and confirmed in writing by the Controller and, at the request of the Processor, also by the Controller’s external advisor. However, the Controller remains responsible for verifying and ensuring the legality of the data processing.
3.5 Taking into account the state of the art, the costs of implementation, the nature and risks of processing personal data, as well as the relevant industry standards, the Processor undertakes to implement appropriate technical and organizational measures to ensure the protection of personal data and the processing of such personal data. The parties agree to the implementation of the technical and organizational measures specified in Annex 2 by the Processor.
3.6 The Controller undertakes to expressly notify the Processor in writing if the processing of personal data in connection with the Services poses a particular higher risk, for example, due to the high value of the goods transported by the vehicles monitored by the geolocation services. Such notification by the Controller must be made in a timely manner before the start of the processing of personal data. In these cases, the Controller undertakes to restrict the access permissions of users in the WinFleet® system so that they can only access it if there is a justified need for information. Furthermore, it may request the Processor to strengthen internal access restrictions by limiting access permissions to certain employees.
3.7 During the fulfillment of the agreement, the Controller may request the Processor to submit an offer for the implementation of additional technical or organizational measures. In this case, the Processor will inform the Controller whether these additional measures are feasible from a technical and organizational perspective. If so, the Processor will inform the Controller of the costs incurred in implementing these measures. If the Controller accepts the offer, the Processor will implement the additional measures in accordance with the conditions agreed between the parties.
3.8 To ensure the protection of personal data and the processing of such personal data to the best of its ability, taking into account technological advancements and recognized modern developments in the Processor’s industry, the Processor may – at its own discretion and in accordance with Article 12.2 of this agreement – adapt and change Annex 2 to implement additional technical or organizational measures during the fulfillment of the agreement or to change the technical and organizational measures implemented at the time of the entry into force of this agreement or at a later date. In this case, the Processor undertakes to maintain an appropriate level of protection of personal data and the processing of such data. Significant changes to the technical and organizational measures implemented by the Processor must be documented and communicated to the Controller in accordance with Article 12.2 of this agreement.
3.9 The Processor undertakes to regularly review the adequacy of the level of protection of the technical and organizational measures.
3.10 The Processor undertakes not to process personal data relating to the Controller for purposes other than the provision of the Services for the Controller, and to do so exclusively in accordance with the instructions of the Controller, unless the Processor is obliged to process the data by law or in the context of a possible legal dispute, e.g., regarding the provision of the Services for the Controller.
ARTICLE 4 – RIGHTS OF AFFECTED PERSONS
4.1 The Controller undertakes to inform the affected persons about the details of the data processing and to comply with all other legitimate requirements of the affected persons regarding their rights under the GDPR.
4.2 If an affected person makes a request to exercise their rights to the Processor, the Processor will forward such a request to the Controller within a reasonable period, not exceeding seven (7) working days.
ARTICLE 5 – BREACH OF PERSONAL DATA PROTECTION
5.1 The Processor undertakes to promptly report a breach of personal data protection to the Controller in accordance with the definition in the GDPR when it becomes aware of said breach.
5.2 As part of the notification of the breach of personal data protection to the Controller, the Processor will provide the following information:
a description of the nature of the breach of personal data protection, if possible indicating the categories and approximate number of affected persons as well as the categories and approximate number of affected personal data records;
a description of the likely consequences of the breach of personal data protection;
a description of the measures taken or proposed to remedy the breach of personal data protection and, if applicable, measures to mitigate its possible adverse effects;
the contact details of the data protection officer or another person who can provide further necessary information.
If and to the extent that the information cannot be provided by the Processor at the same time, it will provide this information to the Controller without undue further delay.
5.3 The Controller undertakes to promptly report the breach of personal data protection to the competent data protection supervisory authority and, if applicable, to the affected persons if such notification is required under the GDPR or other legal provisions. The Controller will inform the Processor before submitting such a notification. The Controller will take into account the observations of the Processor regarding the proposed draft notification of the breach of personal data protection to the greatest extent possible.
5.4 Upon request and written instruction from the Controller, the Processor may agree to submit the notification of a breach of personal data protection to the competent data protection supervisory authority and, if applicable, to the affected persons on behalf of the Controller.
ARTICLE 6 – SUPPORT AND REVIEW
6.1 The Processor will assist the Controller with reasonable effort in complying with its obligations regarding data protection impact assessments, if required under the GDPR, and related procedures for prior consultation with the competent data protection supervisory authority.
6.2 The Processor will provide the Controller with all necessary information and documents to demonstrate compliance with its obligations under this agreement and the GDPR. In this context and to confirm compliance with this agreement, the Controller is entitled to conduct a review of the data processing carried out by the Processor on behalf of the Controller.
The Controller and the Processor will agree in writing on the reasonable conditions under which such a review can be conducted. In any case, a review must meet the reasonable requirements of the Processor, such as security, confidentiality, and protection of trade secrets and business secrets. In particular, the following applies: If the review is conducted by a third party on behalf of the Controller, this third party must not be a competitor of the Processor and must sign a confidentiality agreement, which does not affect other conditions that the Processor may reasonably impose.
A review must not unduly interfere with the usual business operations of the Processor. The Controller will generally inform the Processor in writing at least two weeks in advance of a review request.
The results of the review will be evaluated and discussed by the parties. If applicable, the resulting additional measures agreed upon by the parties will be implemented as soon as possible by the relevant party.
6.3 If necessary and if the Controller does not have direct access to the relevant information, the Processor will endeavor to assist the Controller in fulfilling its obligation to respond to legitimate requests from affected persons regarding their rights under the GDPR.
6.4 The costs of the review and other services provided by the Processor to support the Controller will be borne by the Controller.
6.5 To the extent permitted by law, the Controller undertakes to promptly notify the Processor of reviews, inspections, or other actions by the data protection supervisory authority or another competent authority regarding the processing of personal data in connection with this agreement. Such notification must be made free of charge and must include the essential elements to describe the content of the actions of the relevant authority. The parties will cooperate in responding to such requests.
ARTICLE 7 – TRANSFER OF PERSONAL DATA OUTSIDE THE EU
7.1 Unless expressly instructed in writing by the Controller or unless legally required, the Processor will not transfer personal data outside the European Union (hereinafter referred to as “EU”).
7.2 If the Controller instructs the Processor to transfer personal data outside the EU, it must confirm in writing to the Processor that this transfer complies with the restrictions set out in the GDPR and attach the relevant information and documents regarding the legality of this transfer of personal data outside the EU before the transfer takes place.
7.3 If the Processor is legally required to transfer personal data outside the EU, it will endeavor to inform the Controller accordingly before such transfer, unless prohibited by law.
ARTICLE 8 – REPRESENTATIONS AND WARRANTIES, LIABILITY
8.1 In the context of their contractual relationship, the parties confirm and warrant that they will comply with their respective obligations under the GDPR.
8.2 The Processor is bound only by an obligation to use its best efforts in processing personal data in accordance with this agreement. In particular, the Processor cannot guarantee that the technical and organizational security measures are effective under all circumstances. However, the Processor will make every effort to ensure that the level of protection of personal data and the processing of personal data is appropriate in accordance with Article 3 of this agreement.
8.3 The Controller is responsible for ensuring that the data processing to be carried out by the Processor in accordance with its instructions is lawful and follows lawful and proportionate purposes. The Controller also confirms and warrants that the data processing contemplated in this agreement is lawful, does not violate applicable laws, and does not infringe the rights of third parties (including intellectual property rights). In particular, the transfer of personal data outside the EU at the instruction of the Controller in accordance with Articles 7.1 and 7.2 of this agreement is solely the responsibility of the Controller. Furthermore, the Processor is not liable for the processing of personal data carried out by the Controller itself or for the processing of personal data by third parties acting on the instructions of the Controller.
ARTICLE 9 – SUBCONTRACTING
9.1 The Controller hereby authorizes the Processor to generally subcontract certain data processing operations to subcontractors (hereinafter referred to as “Subprocessors”). Prior express approval of the Controller is not required in this case.
9.2 In the event of subcontracting a Subprocessor, the following applies: The Processor will inform the Controller in writing at least thirty (30) days before a planned appointment or replacement of a Subprocessor. This prior notification must include a description of the nature of the affected processing activities and the designation of the Subprocessor. The Controller may, within fifteen (15) days of the prior notification and for legitimate data protection reasons, object to the appointment.
9.3 The Processor undertakes to impose data protection obligations on a Subprocessor through a contractually binding written agreement between the parties that essentially corresponds to those set out in this agreement between the Controller and the Processor. In particular, the Processor undertakes to impose obligations on the Subprocessor to apply appropriate technical and organizational measures that essentially correspond to those specified in Annex 2, taking into account the specific data processing operations carried out by the Subprocessor.
9.4 The Controller is informed that the Subprocessors listed in Annex 3 process personal data as part of the provision of the Services.
9.5 The parties agree that the term “Subprocessor” refers only to service providers who provide data processing services in the capacity of a Processor. The parties further agree that this term does not apply to all service providers who provide ancillary services in the capacity of a Controller and whom the Processor may use in the context of providing the Services under the Framework Agreement for Services, such as telecommunications services, postal services, maintenance services, etc.
9.6 The Processor will provide the Controller with a copy of such subcontracting agreement and any subsequent amendments upon request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the wording of the agreement before providing a copy.
9.7 The Processor is fully liable to the Controller for ensuring that the Subprocessor complies with its obligations under the contract concluded with the Processor. The Processor will notify the Controller if the Subprocessor fails to fulfill its contractual obligations.
ARTICLE 10 – CONFIDENTIALITY
10.1 The Processor confirms that all employees who process personal data are subject to a confidentiality obligation and have been informed about the data protection principles of the GDPR.
10.2 The parties agree to maintain the confidentiality of the content of this agreement. Each party will limit the disclosure of the content of this agreement within its own company to directors, executives, and/or employees with a justified need for information and will not disclose the agreement to third parties (whether an individual, company, or other entity) without the prior written consent of the other party. The parties are entitled to disclose the agreement to the competent authority if legally required or in the event of a legal dispute. The Controller confirms the importance of maintaining the confidentiality of the information contained in this agreement, particularly in Annexes 2 and 3, for the Processor’s business and undertakes to take appropriate measures to ensure confidentiality. The confidentiality obligation of the parties continues after the termination of this agreement.
ARTICLE 11 – TERM AND TERMINATION
11.1 This agreement is concluded for the term of the Framework Agreement for Services. If no term is specified, the agreement remains in effect for the duration of the business relationship between the parties.
11.2 If the Processor fails to comply with its obligations under this agreement, the Controller may – without prejudice to the provisions of the GDPR – instruct the Processor to suspend the processing of personal data until it complies with this agreement. The Processor will promptly inform the Controller if it is unable to comply with this agreement for any reason.
11.3 The Controller is entitled to terminate the contract regarding the processing of personal data under this agreement if:
the Controller has suspended the processing of personal data by the Processor in accordance with Article 11.2 and compliance with this agreement has not been restored within a reasonable period, but in any case within 3 months after the suspension,
the Processor significantly or continuously violates this agreement or fails to fulfill its obligations under the GDPR,
the Processor fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under this agreement or the GDPR.
11.4 The Processor is entitled to terminate the contract regarding the processing of personal data under this agreement if the Controller insists on the fulfillment of its instructions after being informed by the Processor that its instructions violate applicable legal requirements.
11.5 After the completion of the provision of the Services in connection with the processing of personal data, the parties agree that the Processor will generally delete the personal data processed on behalf of the Controller as soon as possible. Alternatively, the Controller may request a copy of the personal data processed on its behalf against payment of the fees specified by the Processor for such service as part of a separate written agreement between the parties.
In any case, the Processor is entitled to retain a copy of the personal data as long as necessary for evidentiary or legal retention purposes.
ARTICLE 12 – MISCELLANEOUS
12.1 This agreement, together with its annexes, replaces all previous oral or written agreements between the parties regarding the subject matter and constitutes the sole and exclusive agreement between the parties regarding the subject matter. In particular, the provisions of the Processor’s general terms and conditions regarding data protection and data storage are void and replaced by the provisions of this agreement, together with its annexes.
12.2 This agreement may only be amended in writing with an express reference to this agreement. The Processor is entitled to amend this agreement, provided it informs the Controller in writing with a notice period of thirty (30) days. In particular, Annexes 2 and 3 to this agreement may be amended by the Processor at its discretion from time to time, provided it informs the Controller in writing with a notice period of thirty (30) days and meets the following requirements:
Annex 2 may not be amended in a way that significantly and knowingly changes the level of protection of personal data ensured by the technical and organizational measures implemented in accordance with this Annex 2 at the time of the entry into force of this agreement;
Annex 3 may be amended in accordance with Article 9.2 of this agreement.
12.3 Each party will provide the other with all notifications and communications in writing.
12.4 Validity, interpretation, and performance of this agreement are subject to the law of the Grand Duchy of Luxembourg, notwithstanding the principles of conflict of laws that may lead to the application of the substantive law of another jurisdiction.
12.5 The exclusive jurisdiction for all claims, proceedings, or disputes arising out of or in connection with this agreement is the competent courts of the district of Luxembourg City, Grand Duchy of Luxembourg.
ANNEX 1 – TYPE AND PURPOSE OF DATA PROCESSING
CATEGORIES OF PERSONAL DATA AND AFFECTED PERSONS
Type of Data Processing
Provision of the WinFleet® system for geolocation of vehicles and objects such as construction machinery, containers, building materials including associated personal data.
Management of authorized users of the WinFleet® system.
The Controller is obliged to specify the purpose(s) of its data processing in the customer data collection sheet in writing.
Categories of Personal Data
Vehicle registration numbers.
SIM card number for transmitting geolocation data.
Standard localization data such as vehicle position (date, time, longitude, latitude, speed, direction of travel) and status information (such as driving/stopping, ignition on/off, private/work mode).
Additional geolocation data for special customer requirements, such as technical data of the vehicles, temperature of the load, pressed SOS button, driver information.
Data resulting from standard and additional geolocation data, such as driven route, distance traveled, average speed, number and duration of stops, start and end of vehicle use, fuel consumed.
Email addresses, phone numbers of persons to be notified by email, SMS, or voice call in case of an alarm.
Data regarding speed limit violations are not processed by the Processor.
Data of WinFleet® system users: name, email address, phone number.
Categories of Affected Persons
The Controller provides instructions in the customer data collection sheet regarding the vehicles to be geolocated.
EcoMobility processes data regarding vehicle registration numbers.
Customers may, if necessary, within the scope of managing their vehicle fleet and services, enter the names of the vehicle drivers directly into the WinFleet® system. EcoMobility only processes data of WinFleet® system users provided by the Controller.
Duration of Data Processing
The customer of EcoMobility is obliged to specify the duration of data processing in the customer data collection sheet. The duration can be adjusted by the Controller at any time in the configuration/settings of the WinFleet® system.
ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES
(see Articles 28 and 32 of the GDPR)
SECURITY AND REGULAR REVIEW
Security Concept (Art. 32 GDPR) and measures for review | Measures:

CONFIDENTIALITY
Access Control | Measures:
Access Control | Measures:
Data Access Control or internal user control | Measures:
Separation Control | Measures:
Pseudonymization | Measures:

INTEGRITY
Transport Control | Measures:
Data Entry and Data Processing Control | Measures:

AVAILABILITY AND RESILIENCE
Availability Control | Measures:
Security Incidents and Data Protection Breaches | Measures:
Disaster Recovery | Measures: