DATA PROCESSING ARRANGEMENT
This Arrangement between i-Cell Informatikai Fejlesztő és Szolgáltató Kft. (registered seat and postal address: 1143 Budapest, Hungária köz 5.) as Service Provider (hereinafter: the “Service Provider”) and its customer subject to toll payment as Customer (the “Customer”) regulates the data processing activities to be performed during the execution of the Agreement concluded for toll declaration operator’s services and constitutes Appendix 2 to the General Terms and Conditions of the Service Provider (“Agreement”).
2. Subject matter and duration of the Arrangement
(1) Subject matter of the Arrangement
Data processing in connection with the services relating to toll declaration operators’ services as defined in the contract concluded between the parties (the “Agreement”), pursuant to which the Service Provider carries out the following data management operations for the Customer:
- in order to perform the toll declaration prescribed by law, the Service Provider makes the GPS coordinate data collected by the Customer’s on-board unit suitable for performing the declaration and carries out the IT tasks necessary for this purpose;
- transmits the IT-compliant vehicle data collected by the on-board unit to the toll system operated by NTPS Plc. in such a format that corresponds to the technical and IT criteria of the system of NTPS Plc. as NTPS Plc. may specify from time to time;
- stores the data for the period and in accordance with the terms and conditions specified in the GTC of NTPS Plc.
(2) Duration of the Arrangement
The term of the Arrangement is the same as the term of the Agreement.
3. Content of the Arrangement
(1) Definition of the nature and purpose of data processing
The purpose of data processing is the use of personal data made available by the Customer with the aim that the Service Provider can provide the service(s) specified in the Agreement.
The Service Provider is only permitted to use the data handled on behalf of the Customer for the fulfilment of the Arrangement.
The Service Provider is only allowed to carry out data processing operations on the basis of the documented instructions of the Customer. The Service Provider is not authorized to make any decision on the merits in connection with data management.
(2) The following data types / categories are subject to data processing:
Route data, GPS coordinates of vehicles
(3) The categories of data subjects are as follows:
(4) Territory of data processing:
Data processing may only take place within the territory of the member states of the European Union (EU) or the European Economic Area (EEA).
A data transfer to a non-EU or non-EEA member state is not permitted unless the Customer has expressly agreed to this. In all these cases, the Service Provider is obliged to inform the Customer in writing including appropriate documentation about the manner in which it has ensured adequate protection of the data transfer.
4. Technical and organizational measures
(1) The Service Provider is liable to ensure the security of data management by means of appropriate technical and organizational measures so that the measures guarantee data security appropriate to the level of risks, in particular the provision of continued confidentiality, integrity, availability and breakdown security of systems and services used for processing personal data.
(2) Upon request, the Service Provider is obliged to inform the Customer in writing, in full and in detail about the measures it has actually taken.
5. Rectification, restriction or erasure of data
(1) The Service Provider is not entitled to rectify, restrict or erase the data processed on behalf of the Customer at its own discretion.
(2) If the data subject contacts the Service Provider directly in connection with the rectification, restriction or erasure of the data processing, the Service Provider is obliged to forward the data subject’s request to the Customer without delay.
(3) When provided for by the Customer, the Service Provider is obliged to ensure the exercise of the data subject’s rights to erasure, to be forgotten, to restriction, to rectification, to data portability and to access data. In addition, the Service Provider is obliged in each case to respond to the request of the data subject under the instructions of the Customer and to take the appropriate measures.
6. Other obligations of the Service Provider
Over and above its contractual obligations, the Service Provider is obliged to carry out its activities in accordance with the requirements set out in Articles 28-33 of the GDPR. Accordingly, the Service Provider is bound in particular to ensure the compliance with the following requirements:
- a) Ensuring the Customer’s right to issue instructions in accordance with Article 28(3)(a) of the GDPR and in accordance with the conditions set out in Articles 29 and 32(4) of the GDPR. Unless otherwise provided by law, the Service Provider and all persons having access to personal data, acting under the control of the Service Provider, may process the data only on the Customer’s instructions, within the limits set out in the Arrangement (and where applicable as set out in the Agreement).
- b) The obligation of confidentiality must be provided for according to Article 28(3)(b) of the GDPR. The Service Provider shall only involve in the data processing operations carried out under the Arrangement those employees who are subject to the obligation of confidentiality and have been previously informed about the data protection regulations with respect to their work.
- c) All technical and organizational measures required for the implementation of the Arrangement have to be taken in accordance with Article 32 of the GDPR.
- d) The Customer and the Service Provider shall cooperate, on request, with the supervisory authority in the performance of its tasks.
- e) The Service Provider must inform the Customer immediately of the investigations carried out by the supervisory authority and of the measures taken by it if these have an effect on the service under the Arrangement. The Service Provider’s obligation to provide information shall also apply if the proceedings conducted by the competent authority are directed against the Service Provider or the Service Provider is otherwise involved in the proceedings, which proceedings are initiated for infringement of any civil, criminal or administrative law or of any other procedural rule relating to the data processing under this Arrangement.
- f) The Service Provider shall make every reasonable effort to assist the Customer if the supervisory authority initiates an investigation against the Customer, if administrative procedure, administrative offence or criminal proceedings are initiated against the Customer or if the data subject or a third party or any other person makes a claim against the Customer in connection with the data processing under this Arrangement.
- g) The Service Provider is obliged to regularly review its internal processes as well as technical and organizational measures to ensure that data processing under its responsibility complies with the applicable data protection legislation and the protection of the rights of the data subjects.
- h) The Service Provider is obliged to ensure the Customer’s right of verification with regard to the measures taken by the Service Provider in accordance with the Customer’s right of verification stipulated in Section 7 of the Agreement.
- i) The Service Provider shall maintain a record of processing activities under its responsibility in accordance with Article 30(2) of the GDPR.
7. Engaging another data processor
(1) In the application of the Arrangement, the addition of a subcontractor means a service that directly affects the main service of the Arrangement, i.e. the data processing activity. Related services are not included, such as telecommunications services, postal, transport, maintenance and user support services, and the sale and purchase of data carriers or measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data (hereinafter referred to as “Related Services”). However, the Service Provider is obliged to enter into appropriate agreements and take suitable control measures to protect and secure the data processed on behalf of the Customer even if the Related Services are outsourced.
(2) The Service Provider is only allowed to engage a subcontractor (another data processor) after it has received the explicit written or otherwise documented consent of the Customer.
(3) The addition of another data processor or the replacement of an existing other data processor is permitted if:
- a) The Service Provider – in writing or in another documented form – informs the Customer in advance, in a timely manner and
- b) The Customer does not object to the planned outsourcing in writing or in any other documented form by the date of transfer of the data to another Service Provider
- c) The addition of another data processor shall be based on an agreement pursuant to Article 28(2) to (4) of the GDPR.
(4) The Service Provider shall not transfer the personal data to the other data processor and the other data processor is allowed to start processing the data only after all necessary requirements have been met.
(5) A prerequisite for further outsourcing performed by another data processor is the explicit consent of the Customer in documented form.
(6) The same data protection obligations shall be imposed on any other data processor by the Service Provider as set out in this Arrangement.
(7) The Service Provider is responsible for the activities of the other Data Processor and for compliance with data protection obligations as if it were its own activity.
8. Right of the Customer to verification
The Service Provider is obliged to assist the Customer in verifying that all obligations provided for in Article 28 GDPR are fulfilled by the Service Provider. The Service Provider undertakes to provide the Customer on request with the necessary information to prove that the technical and organizational measures have been implemented.
9. Additional obligations of the Service Provider with regard to data security
(1) The Service Provider is obliged to assist the Customer in complying with the requirements referred to in Articles 32-36 of the GDPR, with regard to the security of personal data, notification of data breaches, data protection impact assessment and prior consultation. These include the following activities:
- a) Ensuring an adequate level of protection on the basis of technical and organizational measures, taking into account the circumstances and the purpose of the data processing as well as the probability and severity of an infringement due to security vulnerabilities, and which measures enable such infringements to be detected immediately.
- b) Reporting data breaches to the Customer without undue delay.
- c) Supporting the Customer in fulfilling his obligation to provide information to the data subject and making all relevant information available to the Customer without undue delay.
- d) Supporting the Customer in data protection impact assessments.
- e) Supporting the Customer in prior consultation with the supervisory authority.
10. The Customer’s right to issue instructions
(1) The Customer is obliged to immediately confirm the oral instructions in writing.
(2) The Service Provider is obliged to inform the Customer immediately if an instruction, in its opinion, infringes the data protection provisions. However, the mere acceptance of the instruction does not mean or suggest that the instruction complies with the data protection provisions. The Service Provider is entitled to suspend the execution of the relevant instructions until these have been confirmed or amended by the Customer.
11. Deletion and return of personal data
(1) No copy or replication of the data may be made without the knowledge of the Customer. Exceptions are backup copies, if they are necessary for the contractual processing of the data, as well as the copies that serve to fulfill the retention obligations provided by law.
(2) After the fulfillment of the Arrangement or, at the request of the Customer, also prior to it, but upon termination of the Agreement at the latest, the Service Provider is obliged to hand over to the Customer – or, in case of prior approval, to destroy – all documents in the possession of the Service Provider, as well as the results of the processing and the use and the datasets related to the Agreement in accordance with the data protection provisions. Upon request, the Service Provider is obliged to submit the destruction or deletion protocol to the Customer.
(3) The Service Provider is obliged to retain the documents confirming the adequacy and contractual nature of the data processing, even after the termination of this Arrangement, in accordance with the relevant provisions on data retention.
12. Other provisions
(1) The parties declare that the Customer is under no obligation to pay for the performance of the tasks carried out under the Arrangement. On the basis of the Arrangement the Service Provider cannot claim any fees or costs.
(2) E-mails sent to either party’s representative or contact person shall also be considered written or documented information in terms of the application of this Arrangement.
(3) The parties declare that, at the time of its conclusion and within its scope, there is no oral or written agreement between them other than the Arrangement. Even if such an agreement existed, the parties consider it invalid.
(4) Words and expressions used in this Arrangement should be interpreted primarily in accordance with the GDPR.
(5) The Parties stipulate the application of the GDPR and Hungarian law with regard to their legal relationship resulting from this Arrangement.