The Parties acknowledge that for the purposes of the GDPR, with respect to the processing of personal data by GALOOLI, Customer is the controller and GALOOLI is the processor. Each party will comply with all applicable requirements of the GDPR to which such party is subject. The provisions of this DPA are in addition to, and do not relieve, remove or replace, a party’s obligations under the GDPR.
Where GALOOLI is processing personal data on Customer’s behalf, the parties agree that such processing shall:
involve only the processing of personal data of Customer’s clients, employees, and service providers and/or any other type of individuals designated or authorized by Customer from time to time;
involve only the processing of personnel data that Customer collects from its clients, employees and service providers (e.g., personal contact details), information concerning the driving behavior of said individuals, including the location, speed, direction, fuel consumption, engine readings, and other asset-related information, and/or any other type of personal data designated or authorized by Customer from time to time;
Customer shall be responsible to ensure that the categories of data subjects and the types of personal data processed under Sections 2.1.1 and 2.1.2 above comply with the GDPR.
GALOOLI shall, in relation to any personal data processed by GALOOLI:
process that personal data only on the written instructions of Customer, unless required to do so by applicable law to which GALOOLI is subject (it being agreed that this DPA is to be considered as a written instruction by Customer to GALOOLI to process personal data);
ensure that it has in place appropriate technical and organizational measures to protect against unlawful or accidental destruction, loss alteration or unauthorized disclosure of personal data, appropriate to the harm that might result from the foregoing and taking into account the state of technological development, the costs of implementation and the nature, scope, context and purposes of processing;
ensure that GALOOLI’s personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
taking into account the nature of processing and the information available to GALOOLI, assist Customer, at Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify Customer without undue delay on becoming aware of any breach of the GDPR in respect of such personal data and/or any other loss, damage to or corruption of such Personal Data;
maintain records and information reasonably necessary to demonstrate its compliance with this DPA and allow for the audit of its records by Customer’s designated auditor, reasonably acceptable to GALOOLI. The audit will take place during normal business hours and in a manner that will not interfere with GALOOLI’s business activities. Customer must send GALOOLI a written request for audit at least 30 days in advance. Following receipt by GALOOLI of such request, GALOOLI and Customer will discuss and agree in advance on the reasonable date(s) for the audit, the scope and duration thereof and reasonable security procedures, including the execution by the Customer and the auditor of appropriate confidentiality undertakings towards GALOOLI.
Customer grants to GALOOLI and its Affiliates a non-exclusive, royalty-free, perpetual, worldwide, license to aggregate, measure and analyze personal data, to create analytics, metrics, metadata, measurements, evaluations, statistics and other derivatives on the basis thereof (collectively “Analytics”), and to use said Analytics in any manner and through any means and technology (including in all sorts of publications), without attribution or compensation to Customer, for purposes of supporting, improving, enhancing and/or optimizing the GALOOLI Product, and for statistical, research and promotional purposes. Such Analytics may be used solely in an anonymized, aggregated form that will not identify the Customer or any data subject.
Customer acknowledges and agrees that personal data may be exported to, or remotely accessed from, any territory in the world where GALOOLI or any of its Sub-Processors (as defined below) maintain a presence, for purposes of GALOOLI or any of its Sub-Processors supporting, maintaining, updating, hosting or otherwise providing services in respect of the GALOOLI Product from that territory. Such transfer shall be conditioned on one of the following: (i) the adoption of an adequacy decision pursuant to Article 45(3) of the GDPR in respect of the territory to which the personal data is exported to or from which it is accessible (it being agreed that such decision includes, without limitation, in the case of transfer of personal data to Israel, EU Commission decision of 31 January, 2011 (2011/61/EU)), or (ii) provided that enforceable rights and effective legal remedies are available to the data subject, the implementation, at GALOOLI’s reasonable discretion, of appropriate safeguards pursuant to Article 46 of the GDPR.
The initial list of GALOOLI’s Sub-processors will, at GALOOLI’s discretion, be posted on GALOOLI’s website or notified to Customer in writing (email will suffice). GALOOLI will inform Customer of its intent to add or replace a Sub-processor included in the initial list by posting a notice on GALOOLI’s website or by sending Customer a written notice (email will suffice). Customer is advised to periodically visit GALOOLI’s website in order to make itself familiar with any changes to the list of Sub-processors.
GALOOLI will enter into a written agreement with each Sub-processor incorporating terms which are substantially similar to those set out in this DPA. GALOOLI will be liable for the acts and omissions of its Sub-processor, as if such acts or omissions were undertaken by GALOOLI.
The Parties will discuss in good faith revising this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme. If agreed to by the parties, such revisions shall apply by the execution of an attachment to this DPA.