This Data Processing Addendum (“DPA”) between GALOOLI and Customer is incorporated into and forms an integral part of the terms of use pursuant to which Customer will access and use GALOOLI product (the “Terms of Use”). GALOOLI and Customer are sometimes referred to herein individually as a “Party” or collectively as the “Parties”.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679), as amended or re-enacted from time to time, and any successor legislation to the GDPR. The terms “controller”, “processor”, “data subject”, “personal data”, “processing” and any other terms used in this DPA that are defined in the GDPR shall have meaning set out in the GDPR. Capitalized terms not defined hereunder shall have the meaning ascribed to them in the Terms of Use.
The Parties acknowledge that for the purposes of the GDPR, with respect to the processing of personal data by GALOOLI, Customer is the controller and GALOOLI is the processor. Each party will comply with all applicable requirements of the GDPR to which such party is subject. The provisions of this DPA are in addition to, and do not relieve, remove or replace, a party’s obligations under the GDPR.
Where GALOOLI is processing personal data on Customer’s behalf, the parties agree that such processing shall:
1.1.1.
involve only the processing of personal data of Customer’s clients, employees, and service providers and/or any other type of individuals designated or authorized by Customer from time to time;
1.1.2.
involve only the processing of personnel data that Customer collects from its clients, employees and service providers (e.g., personal contact details), information concerning the driving behavior of said individuals, including the location, speed, direction, fuel consumption, engine readings, and other asset-related information, and/or any other type of personal data designated or authorized by Customer from time to time;
1.1.3.
be solely for the purposes of enabling the operation of, and for supporting, maintaining, updating and hosting, the GALOOLI Product and otherwise performing the Terms of Use; and
1.1.4.
take place only during the term of the Terms of Use (or, where and to the extent strictly necessary to perform any post termination obligations, if any, for as long as the processing remains necessary for these purposes).
Customer shall be responsible to ensure that the categories of data subjects and the types of personal data processed under Sections 2.1.1 and 2.1.2 above comply with the GDPR.
Customer will ensure that it has all necessary appropriate lawful basis, consents and notices in place to enable lawful transfer of the personal data to GALOOLI, and for the processing thereof by GALOOLI, for the duration and purposes of the Terms of Use.
GALOOLI shall, in relation to any personal data processed by GALOOLI:
1.1.5.
process that personal data only on the written instructions of Customer, unless required to do so by applicable law to which GALOOLI is subject (it being agreed that this DPA is to be considered as a written instruction by Customer to GALOOLI to process personal data);
1.1.6.
ensure that it has in place appropriate technical and organizational measures to protect against unlawful or accidental destruction, loss alteration or unauthorized disclosure of personal data, appropriate to the harm that might result from the foregoing and taking into account the state of technological development, the costs of implementation and the nature, scope, context and purposes of processing;
1.1.7.
ensure that GALOOLI’s personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
1.1.8.
taking into account the nature of processing and the information available to GALOOLI, assist Customer, at Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
1.1.9.
notify Customer without undue delay on becoming aware of any breach of the GDPR in respect of such personal data and/or any other loss, damage to or corruption of such Personal Data;
1.1.10.
at the written direction of Customer, delete or return the personal data and copies thereof to Customer on termination of the Terms of Use unless required by applicable law to maintain records of the personal data; and
1.1.11.
maintain records and information reasonably necessary to demonstrate its compliance with this DPA and allow for the audit of its records by Customer’s designated auditor, reasonably acceptable to GALOOLI. The audit will take place during normal business hours and in a manner that will not interfere with GALOOLI’s business activities. Customer must send GALOOLI a written request for audit at least 30 days in advance. Following receipt by GALOOLI of such request, GALOOLI and Customer will discuss and agree in advance on the reasonable date(s) for the audit, the scope and duration thereof and reasonable security procedures, including the execution by the Customer and the auditor of appropriate confidentiality undertakings towards GALOOLI.
Customer grants to GALOOLI and its Affiliates a non-exclusive, royalty-free, perpetual, worldwide, license to aggregate, measure and analyze personal data, to create analytics, metrics, metadata, measurements, evaluations, statistics and other derivatives on the basis thereof (collectively “Analytics”), and to use said Analytics in any manner and through any means and technology (including in all sorts of publications), without attribution or compensation to Customer, for purposes of supporting, improving, enhancing and/or optimizing the GALOOLI Product, and for statistical, research and promotional purposes. Such Analytics may be used solely in an anonymized, aggregated form that will not identify the Customer or any data subject.
Customer acknowledges and agrees that personal data may be exported to, or remotely accessed from, any territory in the world where GALOOLI or any of its Sub-Processors (as defined below) maintain a presence, for purposes of GALOOLI or any of its Sub-Processors supporting, maintaining, updating, hosting or otherwise providing services in respect of the GALOOLI Product from that territory. Such transfer shall be conditioned on one of the following: (i) the adoption of an adequacy decision pursuant to Article 45(3) of the GDPR in respect of the territory to which the personal data is exported to or from which it is accessible (it being agreed that such decision includes, without limitation, in the case of transfer of personal data to Israel, EU Commission decision of 31 January, 2011 (2011/61/EU)), or (ii) provided that enforceable rights and effective legal remedies are available to the data subject, the implementation, at GALOOLI’s reasonable discretion, of appropriate safeguards pursuant to Article 46 of the GDPR.
Pursuant to Article 28(3) of the GDPR, Customer specifically authorizes the engagement of GALOOLI’s hosting provider, affiliates and authorized distributors as sub-processors of personal data (“Sub-processor”), and generally authorizes the engagement of other third parties (e.g., third party software providers which software is embedded in or interacts with the GALOOLI Product) as Sub-processors for the purpose of enabling the operation of, and for supporting, maintaining, updating and hosting, the GALOOLI Product and otherwise performing the Terms of Use.
The initial list of GALOOLI’s Sub-processors will, at GALOOLI’s discretion, be posted on GALOOLI’s website or notified to Customer in writing (email will suffice). GALOOLI will inform Customer of its intent to add or replace a Sub-processor included in the initial list by posting a notice on GALOOLI’s website or by sending Customer a written notice (email will suffice). Customer is advised to periodically visit GALOOLI’s website in order to make itself familiar with any changes to the list of Sub-processors.
GALOOLI will enter into a written agreement with each Sub-processor incorporating terms which are substantially similar to those set out in this DPA. GALOOLI will be liable for the acts and omissions of its Sub-processor, as if such acts or omissions were undertaken by GALOOLI.
The Parties will discuss in good faith revising this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme. If agreed to by the parties, such revisions shall apply by the execution of an attachment to this DPA.
The governing law and jurisdiction provisions governing this DPA shall be those as set out in the Terms of Use.
This DPA does not amend the Terms of Use except with respect to specific matters set forth in this DPA. All terms and conditions of the Terms of Use not explicitly amended hereby remain in full force and effect.
