1. Background and Intention
The company, partnership, association or individual agreeing to these terms (the “Client”), and Quartix Technologies plc, Quartix Limited, Quartix SAS, Quartix Inc or any other entity that is directly or indirectly controlled by Quartix Technologies plc (as applicable, “Quartix”), have entered into a contract (the “Contract”) whereby Quartix supplies Services to the Client.
As part of this Contract, the Client will be sharing Data with Quartix. The intention of these Data Processing Terms (the “Terms”) is to ensure there are proper arrangements in place relating to Data passing between the Client and Quartix. These Terms form part of the Contract and, in the event of any discrepancy between the Contract and these Terms, the Contract shall take precedence.
2. Definitions and Interpretation
Within these Terms:
‘Data Protection Legislation’ means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or data protection of Personal Data or corporate data (including Directives 95/46/EC, 2002/58/EC and 97 /66/EC, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (512003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the GDPR.
‘Data’ means any data which is captured by Data Protection Legislation, which includes but is not limited to personal data and sensitive data as defined by GDPR.
‘GDPR’ means the General Data Protection Regulation or the UK GDPR (as defined in the UK Data Protection Act 2018), as applicable.
‘Services’ means the services provided by the Supplier as part of the Contract.
‘Controller’ has the meaning given to it in Data Protection Legislation.
‘Data Subject’ has the meaning given to it in Data Protection Legislation.
‘Personal Data’ has the meaning given to it in Data Protection Legislation.
‘Processor’ has the meaning given to it in Data Protection Legislation.
‘Sub-Processor’ has the meaning given to it in Data Protection Legislation.
‘Supervisory Authority’ has the meaning given to it in Data Protection Legislation.
3. Data Processing
The Client warrants, represents and undertakes to Quartix that it has Lawful Grounds for Processing the Data, that it has informed and will continue to inform the Data Subjects of the purpose of processing the Data and shall at all times comply with its obligations under Data Protection Legislation.
. Quartix will maintain the confidentiality of the Data and agrees to process the Data only in accordance with Data Protection Legislation and the following stipulations (to the extent that they are required by Data Protection Legislation):
a) Quartix shall process the Data;
(i) as set out in the Quartix Client Privacy Notice https://www.quartix.com/en-ie/customer-privacy-notice/ which specifies the data that may be collected and the purposes for which it may be used;
(ii) only in such a manner as is necessary for its performance of the Services and in accordance with the Client’s instructions as set out in the Contract or otherwise agreed in writing between the parties;
(iii) only in the European Economic Area or the UK, unless the transfer has been authorised by the Client or is to a country that the European Commission or, in respect of a transfer from the UK, the European Commission or an applicable Supervisory Authority, has decided from time to time ensures an adequate level of protection in accordance with Data Protection Legislation, or the transfer has appropriate safeguards in place, as set out within GDPR;
(iv) where applicable, in accordance with the Standard Contractual Clauses (Processors) approved by the European Commission in Commission Decision C(2010)593;
b) Quartix shall ensure that all employees and other representatives of Quartix accessing the Data
(i) are aware of these Terms; and
(ii) have received training on the Data Protection Legislation and related good practice; and
(iii) are bound by confidentiality obligations;
c) Quartix and the Client have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
d) The Client grants Quartix the right to involve third parties (including agents and sub-contractors) in the processing of the Data. Quartix shall ensure that it has agreements in place with such third parties, which offer an equivalent level of protection of the Data as that specified in these Terms. Quartix will remain liable to the Client for such third parties’ performance of privacy obligations in respect of the Data.
e) Taking into account the nature of the processing, Quartix shall adopt such technical and organisational measures as are necessary to enable it to, insofar as it is able, assist the Client to fulfil its obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc;
f) Quartix shall provide to the Client such assistance as it is able to enable the Client to comply with its obligations under Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to Data Subjects, data protection impact assessments and when necessary consultation with the ICO (or relevant Supervisory Authority);
g) Quartix shall maintain a written record of all categories of processing activities carried out on behalf the Client, containing all information required under the Data Protection Legislation, and, make this record available to any relevant European Union or Member State supervisory authority (and/ or its UK equivalent) where requested by that supervisory body;
h) To the extent required by Data Protection Legislation, Quartix shall delete the Data if at any time reasonably instructed to do so by the Client and, in any event, on completion of the processing in accordance with Data Protection Legislation (after any retention period). Where the Client is a fleet vehicle tracking client, it shall have the option to set the retention period of the data by logging into the fleet tracking application. Where Quartix is to delete the Data, deletion shall include destruction of all existing copies (to the extent required by Data Protection Legislation).
i) To the extent required by Data Protection Legislation, Quartix shall, if at any time reasonably requested to do so by the Client, make available to the Client the information necessary to demonstrate compliance with the obligations laid down under these Terms and allow for any reasonable requests for audits from the Client, provided that the Client compensates Quartix for any and all of its costs incurred in supporting the requirements of the audit (including the costs of employee time), access to certain records may be restricted by Quartix where such records are deemed commercially sensitive by Quartix (such judgements to be made by Quartix in its absolute discretion), no penetration testing, vulnerability scanning, or other security tests are performed, no records or copies of records may be removed from Quartix’s sites, Quartix receives 30 days notice prior to the audit and non-disclosure Contracts are signed by any and all parties wishing to perform the audit (including any parties acting on the Client’s behalf);
j) Quartix shall observe suitable arrangements relating to the secure transfer of the Data from the Client to Quartix and the safe keeping of the Data by Quartix;
k) Quartix shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;
l) To the extent required by Data Protection Legislation, Quartix shall if reasonably requested to do so by the Client promptly return, amend, transfer, copy or delete any Data.
4. Notice Obligations etc
To the extent required by Data Protection Legislation, Quartix shall notify the Client: promptly on becoming aware of any actual, suspected or threatened loss, leak or unauthorised processing or disclosure of any Data; promptly upon receipt of a notice from any Supervisory Authority, which relates directly or indirectly to the processing of the Client’s Personal Data and shall cooperate with that Supervisory Authority; promptly if any of the Client’s Personal Data in the possession and/or control of Quartix is lost, corrupted or rendered unusable for any reason; promptly if Quartix have reason to believe that an action or instruction from the Client infringes Data Protection Legislation.
5. Termination
On the expiry or termination of these Terms, Quartix shall immediately cease to use, and shall procure that its agents and sub-contractors cease to use, the Data and shall arrange for its safe return or destruction (at the Client’s option) at the relevant time (unless European Union, Member State and/ or UK law requires storage of the Personal Data).
6. Rights in Personal Data
Quartix compiles data collected as part of the Services in aggregated and anonymised form (the ‘Aggregated Data’) and the Client grants permission for Quartix to do this. Quartix acquires the full rights to and ownership of the Aggregated Data and ceases to be a Processor acting on behalf of the Client at the point that this data is compiled in an anonymized form and shall be under no obligation to keep confidential, delete, return or make any amendments to the Aggregated Data or any part thereof.