Despatch Cloud Ltd is committed to protecting the personal data of the stakeholders in that data and to ensuring its compliance with all relevant legislation. This means ensuring that we help our clients (data controllers, or data processors subcontracting processing) to comply with the data protection laws.
The European Union (EU) General Data Protection Regulation (GDPR) and the UK DPPEC (Data Protection, Privacy and Electronic Communications (EU Exit)) Regulations 2019 place obligations on a controller of personal data to ensure the protection of that data when it is processed by a third party, i.e. a processor. In forming a controller/processor relationship, the GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it is processed.
The Customer is using Despatch Cloud to subcontract some aspects of their data processing on their behalf or on behalf of their clients. In doing so they require that Despatch Cloud maintain compliance with the relevant data processing laws. This Agreement sets out the information about the processing of personal data.
‘controller’ means the natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This is the client (you).
‘processor’ means a natural or legal person, agency or other body which processes personal data on behalf of the controller.
2. GDPR Controller/Processor Agreement Policy
2.1 Information to be processed. The data controller will pass on data, including Personally Identifiable Information (PII), to the data processor, who will in turn subcontract part of this processing (outlined below) to Despatch Cloud. This is limited to the information required by a courier to deliver an order. This will include Name, Address Line 1, Email Address and Telephone Number, and may include the individual's Tax number for export orders to certain countries.
2.1.1 Subject matter and duration of the processing. The data is required for generating the label for the courier or postal service. The data may need to be checked for customer service and for tracking purposes, but all data held by the data sub-processor will be deleted after 30 days.
The provider is therefore not permitted to use the data for any other purpose and cannot retain the data for longer than is contractually agreed.
2.1.2 Nature and purpose of the processing. The processing of orders for physical items which require delivery through a post or courier network.
2.1.3 Type of personal data and categories of data subjects. Name, contact details and address of individuals who have placed orders for physical products for delivery.
2.1.4 Obligations and rights of the controller. The controller of the personal data must comply with the GDPR and must therefore require the Customer to recognise and agree to specific terms that set out how they will assist the controller in remaining within the law. These terms are described in the following section.
2.1.5 Obligations of the Processor. The processor:
(a) processes the personal data only on documented instructions from the controller (or the data processor as an agent of the data controller);
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 of the GDPR (see Note 1);
(d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (see Note 2);
(e) assists the controller and the data processor by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR (see Note 3);
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (see Note 4);
(g) at the choice of the controller, or the data processor acting as an agent of the data controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller or data processor all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR (see Note 5), and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Note 1. Article 32 – Security of processing requires both controllers and processors to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (to the rights and freedoms of natural persons). The level of risk may be evaluated from a data protection impact assessment, and therefore the extent of security controls required will vary across contracts. These may include the use of encryption, backup systems and other techniques to provide an appropriate level of confidentiality, integrity, availability and resilience of the systems that are used to process personal data.
Note 2. These conditions dictate that the Customer may not engage another processor (sub-processor) without the prior authorisation of the controller. In cases where another processor is engaged, the sub-processor must be subject to the same contractual terms as described in this policy.
Note 3. Chapter III – Rights of the data subject sets out the information that must be provided to the data subject and the types of request they may make to the controller. These include the right to access their personal data, to have it erased and to object to it being processed.
Note 4. Articles 32 to 36 address the areas of security of processing, personal data breaches and data protection impact assessments.
Note 5. Article 28 – Processor is the main article that addresses the contractual requirements of the GDPR and is largely the subject of this policy document.