Data processing agreement
Date last updated: 2023-01-08
Legal person who accepted the Rules for the Use of the Cargo Stream Transport Services Management System (“Data Controller”);
and
UAB “Keliu sistemos” (operating the Cargo Stream platform), a private limited liability company, established and operating under the laws of the Republic of Lithuania, company code: 305161754, address: Gedimino av. 33-1, Vilnius, Lithuania (“Data Processor”);
taking into account that:
- The Data Processor provides a transport services management system to the Data Controller;
- In the course of providing the above services to the Data Controller, the Data Processor has to process personal data on behalf of and for the interest of the Data Controller;
- Article 28(3) of the European Union Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) requires that processing by a processor shall be governed by a contract or other legal act under the EU or the EU Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller;
have agreed as follows:
1. GLOSSARY
The following terms in this Data Processing Agreement shall have the following meaning:
- Applicable data protection laws means any national or internationally binding data protection laws or regulations applicable at any time during the term of this Data Processing Agreement on, as the case may be, the Data Controller or the Data Processor, including GDPR;
- Data Controller means an entity or a person that has accepted the Rules for the Use of the Cargo Stream Transport Services Management System and that determines the purposes and means of the processing of Personal Data;
- Data Processor means UAB “Keliu sistemos” that processes Personal Data on behalf of the Data Controller under this Data Processing Agreement;
- Personal Data means any information relating to an identified or identifiable natural person;
- Sub-processor means a third party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.
2. DATA PROCESSING INSTRUCTIONS
2.1 The Data Processor shall process the personal data on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or EU Member State law to which the processor is subject.
2.2 The Data Controller’s instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are as follows:
The subject-matter of data processing | Provision of Cargo Stream transport services management system to the Data Controller
The nature and purpose of the processing | To manage supply chain orders on behalf of the Data Controller
Duration of the processing | As long as the Data Controller has an account with the Data Processor or 3 months after the last order (whichever is longer)
Types of personal data | Name, surname, user name, password, email address, phone number, address of your workplace, name of the legal entity you represent, relationship with the represented legal entity, position, orders on the platform, warehouse timeslots’ bookings, communication messages, profile settings, files exchange, information provided by data subjects
Categories of data subjects | Representatives of legal entities |
2.3 The Data Processor shall, when processing Personal Data under this Data Processing Agreement, comply with any applicable data protection laws and applicable recommendations by the data protection authorities or other competent authorities.
2.4 The Data Controller entitles the Data Processor to enter into agreements with Sub-processors on the Data Controller’s behalf for the performance of its obligations under this DPA.
3. COOPERATION
3.1 The Data Processor shall assist the Data Controller in fulfilling its legal obligations under applicable data protection laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject’s rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at their request.
3.2 If data subjects, competent authorities or any other third parties request information from Data Processor regarding the processing of Personal Data covered by this Data Processing Agreement, the Data Processor shall refer such request to the Data Controller.
3.3 In the terms agreed between the parties and to the reasonable extent, the Data Controller shall be entitled, in its capacity as the data controller, to take measures necessary to verify that the Data Processor is able to comply with its obligations under this Data Processing Agreement, and that Data Processor has in fact undertaken the measures to ensure such compliance pursuant.
3.4 In the terms agreed between the parties and to the reasonable extent, the Data Processor shall assist the Data Controller in data protection impact assessments, prior consultations and other communications with data protection authorities.
4. DATA SECURITY OBLIGATIONS
4.1 The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement adequate technical and organizational measures.
4.2 The Data Processor undertakes not to, without the Data Controller’s prior written consent, disclose or otherwise make Personal Data processed under this Data Processing Agreement available to any third party, except for sub-processors engaged in accordance with this Data Processing Agreement.
4.3 The Data Processor shall take all necessary actions to assist and shall promptly notify the Data Controller in relation to any accidental or unauthorized access to Personal Data or any other security incidents (Personal Data breach) immediately if possible.
5. FINAL PROVISIONS
5.1 The provisions in this Data Processing Agreement shall apply during such time that Data Processor processes Personal Data in respect of which the Data Controller is the data controller.
5.2 Upon expiry of this Data Processing Agreement, the Data Processor shall, at the choice of the Data Controller as communicated to the Data Processor, delete or return all Personal Data to the Data Controller and shall ensure that any sub-processor does the same.
5.3 This Data Processing Agreement shall be an integral part of the Data Processor’s Rules for the Use of the Cargo Stream Transport Services Management System. Any matter not expressly governed by this Data Processing Agreement shall be governed by the Data Processor’s Rules for the Use of the Cargo Stream Transport Services Management System.