Data Processing Terms

1. Background and Intention

The company, individual or organisation agreeing to these terms (the “Company”), and Quartix Holdings plc, Quartix Limited, Quartix Inc or any other entity that is directly or indirectly controlled by Quartix Holdings plc (as applicable, “Quartix”), have entered into an agreement (the “Agreement”) whereby Quartix will either supply Services to the Company or be Supplied Services by the Company.

As part of this Agreement, the Company will be sharing Data with Quartix. The intention of these Data Processing Terms (the “DP Terms”) is to ensure there are proper arrangements in place relating to Data passing from the Company to Quartix. Any transfer of Data from Quartix to the Company is dealt with separately and does not form part of these DP Terms. These DP Terms form part of the Agreement and, in the event of any discrepancy between the Agreement and these DP Terms, the Agreement shall take precedence.

2. Definitions and Interpretation

Within these DP Terms:

‘Data Protection Legislation’ means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or data protection of Personal Data or corporate data (including any national laws implementing any such legislation (including Directives 95/46/EC, 2002/58/EC and 97 /66/EC)), including the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (512003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the General Data Protection Regulation.

‘Data’ means any data which is captured by Data Protection Legislation, which includes but is not limited to personal data and sensitive data as defined by GDPR.

‘GDPR’ means the General Data Protection Regulation.

‘Services’ means the services provided by the Supplier as part of the Agreement.

‘Controller’ has the meaning given to it in Data Protection Legislation.

‘Data Subject’ has the meaning given to it in Data Protection Legislation.

‘Personal Data’ has the meaning given to it in Data Protection Legislation.

‘Processor’ has the meaning given to it in Data Protection Legislation.

‘Sub-Processor’ has the meaning given to it in Data Protection Legislation.

‘Supervisory Authority’ has the meaning given to it in Data Protection Legislation.

3. Data Processing

The Company warrants, represents and undertakes to Quartix that it has Lawful Grounds for Processing the Data, that it has informed and will continue to inform the Data Subjects of the purpose of processing the Data and shall at all times comply with its obligations under Data Protection Legislation.

The Company retains control of the Data in cases where Quartix was not already in control of the Data and retains the responsibilities and duties of Data Controller as set out in Data Protection Legislation. Quartix will maintain the confidentiality of the Data and agrees to process the Data only in accordance with Data Protection Legislation and the following stipulations (to the extent that they are required by Data Protection Legislation):

a) Quartix shall process the Data;

(i) as set out in the Quartix Customer Privacy Notice which specifies the data that may be collected and the purposes for which it may be used;
(ii) only in such a manner as is necessary for its performance of the Services as set out in the Agreement;
(iii) only in the European Economic Area or the UK, unless the transfer has been authorised by the Company or is to a country that the European Commission or, in respect of a transfer from the UK, the European Commission or an applicable Supervisory Authority, has decided from time to time ensures an adequate level of protection in accordance with Data Protection Legislation, or the transfer has appropriate safeguards in place, as set out within GDPR;
(iv) where applicable, in accordance with the Standard Contractual Clauses (Processors) approved by the European Commission in Commission Decision C(2010)593;

b) Quartix shall ensure that all employees and other representatives of the Supplier accessing the Data

(i) are aware of these DP Terms; and
(ii) have received training on the Data Protection Legislation and related good practice; and
(iii) are bound by confidentiality obligations;

c) Quartix and the Company have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

d) The Company grants Quartix the right to involve third parties (including agents and sub-contractors) in the processing of the Data. Quartix will remain liable to the Company for such third parties’ performance of privacy obligations in respect of the Data.

e) Taking into account the nature of the processing, Quartix shall adopt such technical and organisational measures as are necessary to enable it to, insofar as it is able, assist the Company to fulfil its obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc;

f) Quartix shall provide to the Company such assistance as it is able to enable the Company to comply with its obligations under Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to Data Subjects, data protection impact assessments and when necessary consultation with the ICO (or relevant Supervisory Authority;

g) Quartix shall maintain a written record of all categories of processing activities carried out on behalf the Company, containing all information required under the Data Protection Legislation, and, make this record available to any relevant European Union or Member State supervisory authority (and/ or its UK equivalent) where requested by that supervisory body;

h) To the extent required by Data Protection Legislation, Quartix shall delete the Data as soon as the Data are no longer necessary, or otherwise if at any time reasonably instructed to do so by the Company. Where the Company is a fleet vehicle tracking customer, it shall have the option to set the retention period of the data by logging into the fleet tracking application. Where Quartix is to delete the Data, deletion shall include destruction of all existing copies (to the extent required by Data Protection Legislation).

i) To the extent required by Data Protection Legislation, Quartix shall, if at any time reasonably requested to do so by the Company, make available to the Company the information necessary to demonstrate compliance with the obligations laid down under these DP Terms and allow for any reasonable requests for audits from the Company, provided that the Company compensates Quartix for any and all of its costs incurred in supporting the requirements of the audit (including the costs of employee time), access to certain records may be restricted by Quartix where such records are deemed commercially sensitive by Quartix (such judgements to be made by Quartix in its absolute discretion), no penetration testing, vulnerability scanning, or other security tests are performed, no records or copies of records may be removed from Quartix’s sites, Quartix receives 30 days notice prior to the audit and non-disclosure agreements are signed by any and all parties wishing to perform the audit (including any parties acting on the Company’s behalf);

j) Quartix shall observe suitable arrangements relating to the secure transfer of the Data from the Company to Quartix and the safe keeping of the Data by the Quartix;

k) Quartix shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;

l) To the extent required by Data Protection Legislation, Quartix shall if reasonably requested to do so by the Company promptly return, amend, transfer, copy or delete any Data.

4. Notice Obligations etc

To the extent required by Data Protection Legislation, Quartix shall notify the Company promptly on becoming aware of any actual, suspected or threatened loss, leak or unauthorised processing or disclosure of any Data.; promptly upon receipt of a notice from any Supervisory Authority, which relates directly or indirectly to the processing of the Company’s Personal Data and shall cooperate with that Supervisory Authority; promptly if any of the Company’s Personal Data in the possession and/or control of Quartix is lost, corrupted or rendered unusable for any reason; promptly if Quartix have reason to believe that an action or instruction from the Company infringes Data Protection Legislation.

5. Termination

On the expiry or termination of these DP Terms, Quartix shall immediately cease to use, and shall procure that its agents and sub-contractors cease to use, the Data and shall arrange for its safe return or destruction (at the Company’s option) at the relevant time (unless European Union, Member State and/ or UK law requires storage of the Personal Data).

6. Rights in Personal Data

Quartix compiles data collected as part of the Services in aggregated and anonymised form (the ‘Aggregated Data’) and the Company grants permission for Quartix to do this. Quartix acquires the full rights to and ownership of the Aggregated Data at the point that this data is compiled and shall be under no obligation to keep confidential, delete, return or make any amendments to the Aggregated Data or any part thereof.

The Company grants Quartix permission to make contact with its employees, directors, officers and other representatives on an ongoing basis for the purposes of performing the Services and for marketing purposes, provided that the Company can at any stage withdraw such permission with 30 days notice.

7. General

(a) These DP Terms shall remain in force even after the Agreement has terminated, but may be terminated by Quartix at any time after the Agreement has terminated.

(b) Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these DP Terms or its subject matter or formation.

(c) The headings and sub-headings within these DP Terms are for convenience of reference and shall not form part of, or affect the interpretation of, these DP Terms.

(d) If any provision within the DP Terms is held to be unenforceable or unreasonable it shall, to the extent of such illegality, invalidity, voidness, voidability, unenforceability or unreasonableness, be deemed severable. The remaining provisions of the DP Terms and the remainder of such provision shall therefore continue in full force and effect.