DATA PROCESSING ARRANGEMENT

1. Preamble

This Arrangement between i-Cell Informatikai Fejlesztő és Szolgáltató Kft. (registered seat and postal address: 1143 Budapest, Hungária köz 5.) as Service Provider (hereinafter: the “Service Provider”) and its customer subject to toll payment as Customer (the “Customer”) regulates the data processing activities to be performed during the execution of the Agreement concluded for toll declaration operator’s services and constitutes Appendix 2 to the General Terms and Conditions of the Service Provider (“Agreement”).

2. Subject matter and duration of the Arrangement

(1) Subject matter of the Arrangement

Data processing in connection with the services relating to toll declaration operators’ services as defined in the contract concluded between the parties (the “Agreement”), pursuant to which the Service Provider carries out the following data management operations for the Customer:

(2) Duration of the Arrangement

The term of the Arrangement is the same as the term of the Agreement.

3. Content of the Arrangement

(1) Definition of the nature and purpose of data processing

The purpose of data processing is the use of personal data made available by the Customer with the aim that the Service Provider can provide the service(s) specified in the Agreement.

The Service Provider is only permitted to use the data handled on behalf of the Customer for the fulfilment of the Arrangement.

The Service Provider is only allowed to carry out data processing operations on the basis of the documented instructions of the Customer. The Service Provider is not authorized to make any decision on the merits in connection with data management.

(2) The following data types / categories are subject to data processing:

Route data, GPS coordinates of vehicles

(3) The categories of data subjects are as follows:

Customers, drivers

(4) Territory of data processing:

Data processing may only take place within the territory of the member states of the European Union (EU) or the European Economic Area (EEA).

A data transfer to a non-EU or non-EEA member state is not permitted unless the Customer has expressly agreed to this. In all these cases, the Service Provider is obliged to inform the Customer in writing including appropriate documentation about the manner in which it has ensured adequate protection of the data transfer.

4. Technical and organizational measures

(1) The Service Provider is liable to ensure the security of data management by means of appropriate technical and organizational measures so that the measures guarantee data security appropriate to the level of risks, in particular the provision of continued confidentiality, integrity, availability and breakdown security of systems and services used for processing personal data.

(2) Upon request, the Service Provider is obliged to inform the Customer in writing, in full and in detail about the measures it has actually taken.

5. Rectification, restriction or erasure of data

(1) The Service Provider is not entitled to rectify, restrict or erase the data processed on behalf of the Customer at its own discretion.

(2) If the data subject contacts the Service Provider directly in connection with the rectification, restriction or erasure of the data processing, the Service Provider is obliged to forward the data subject’s request to the Customer without delay.

(3) When provided for by the Customer, the Service Provider is obliged to ensure the exercise of the data subject’s right to erasure, to be forgotten, to restrict, and to rectify, to data portability and to access data. In addition, the Service Provider is obliged in each case to respond to the request of the data subject under the instructions of the Customer and to take the appropriate measures.

6. Other obligations of the Service Provider

Over and above its contractual obligations, the Service Provider is obliged to carry out its activities in accordance with the requirements set out in Articles 28-33 of the GDPR. Accordingly, the Service Provider is bound in particular to ensure the compliance with the following requirements:

(2) of the GDPR.

7. Engaging another data processor

(1) In the application of the Arrangement, the addition of a subcontractor means a service that directly affects the main service of the Arrangement, i.e. the data processing activity. Related services are not included, such as telecommunications services, postal, transport, maintenance and user support services, and the sale and purchase of data carriers or measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data (hereinafter referred to as “Related Services”). However, the Service Provider is obliged to enter into appropriate agreements and take suitable control measures to protect and secure the data processed on behalf of the Customer even if the Related Services are outsourced.

(2) The Service Provider is only allowed to engage a subcontractor (another data processor) after it has received the explicit written or otherwise documented consent of the Customer.

(3) The addition of another data processor or the replacement of an existing other data processor is permitted if:

(4) The Service Provider shall not transfer the personal data to the other data processor and the other data processor is allowed to start processing the data only after all necessary requirements have been met.

(5) A prerequisite for further outsourcing performed by another data processor is the explicit consent of the Customer in documented form.

(6) The same data protection obligations shall be imposed on any other data processor by the Service Provider as set out in this Arrangement.

(7) The Service Provider is responsible for the activities of the other Data Processor and for compliance with data protection obligations as if it were its own activity.

8. Right of the customer to verification

The Service Provider is obliged to assist the Customer in verifying that all obligations provided for in Article 28 GDPR are fulfilled by the Service Provider. The Service Provider undertakes to provide the Customer on request with the necessary information to prove that the technical and organizational measures have been implemented.

9. Additional obligations of the Service Provider with regard to data security

(1) The Service Provider is obliged to assist the Customer in complying with the requirements referred to in Articles 32-36 of the GDPR, with regard to the security of personal data, notification of data breaches, data protection impact assessment and prior consultation. These include the following activities:

10. The Customer’s right to issue instructions

(1) The Customer is obliged to immediately confirm the oral instructions in writing.

(2) The Service Provider is obliged to inform the Customer immediately if an instruction, in its opinion, infringes the data protection provisions. However, the mere acceptance of the instruction does not mean or does not suggest that the instruction complies with the data protection provisions. The Service Provider is entitled to suspend the execution of the relevant instructions until these have been confirmed or amended by the Customer.

11. Deletion and return of personal data

(1) No copy or replication of the data may be made without the knowledge of the Customer. Exceptions are backup copies, if they are necessary for the contractual processing of the data, as well as the copies that serve to fulfill the retention obligations provided by law.

(2) After the fulfillment of the Arrangement or at the request of the Customer also prior to it, but upon termination of the Agreement at the latest, the Service Provider is obliged to hand over to the Customer – or, in case of prior approval, to destroy – all documents in the possession of the Service Provider, as well as the results of the processing and the use and the datasets related to the Agreement in accordance with the data protection provisions. Upon request, the Service Provider is obliged to submit the destruction or deletion protocol to the Customer.

(3) The Service Provider is obliged to retain the documents confirming the adequacy and contractual nature of the data processing, even after the termination of this Arrangement, in accordance with the relevant provisions on data retention.

12. Other provisions

(1) The parties declare that the Customer is under no obligation to pay for the performance of the tasks carried out under the Arrangement. On the basis of the Arrangement the Service Provider cannot claim any fees or costs.

(2) E-mails sent to either party’s representative or contact person shall also be considered written or documented information in terms of the application of this Arrangement.

(3) The parties declare that – in addition to the Arrangement – at the time of its conclusion and in its scope there is no other oral or written agreement between them other than the Arrangement. Even if such an agreement existed, the parties consider it invalid.

(4) Words and expressions used in this Arrangement should be interpreted primarily in accordance with the GDPR.

(5) The Parties stipulate the application of the GDPR and Hungarian law with regard to their legal relationship resulting from this Arrangement.
