Terms for Privacy & Data with SHIPHERO LLC, effective from May 4, 2018
Personal data regulations regarding the relationship between the customer as the Data Controller and SHIPHERO LLC as the Data Processor
1. The subscription that the customer has with SHIPHERO LLC is a platform for enabling shipping processes for the customer and as a natural part of this, SHIPHERO LLC processes various personal data on the customer’s behalf.
This concerns data about the customer’s customers, i.e. data relating to the persons who are the recipients of the shipped orders.
This section 9 concerns the relationship between the Data Controller (customer) and the Data Processor (SHIPHERO LLC), in connection with the personal data regulations.
2. Processed personal data.
2.1. The Data Processor, as part of the subscription, has access, on behalf of the Data Controller, to process:
- Name and address of the persons receiving the consignments.
- Information about the individual type of item sent and the value/price of the item.
3. The purpose and scope of the personal data processing.
3.1. As a natural part of the Data Processor’s status as the provider of subscription-based solutions for handling the Data Controller’s freight processes, the Data Processor stores the information, and similarly the Data Controller exchanges information with relevant third parties in the form of freight companies that the Data Controller uses, and possibly customs authorities (if the consignments are cross-border).
3.2. The purpose of the personal data processing is to manage the Data Controller’s freight processes.
3.3. It is emphasized that the Data Processor may only process personal data to the extent necessary for the operation of the Data Controller’s SHIPHERO subscription with the Data Processor, and/or if the Data Processor is required by law to process the data otherwise.
3.4. It is emphasized that the freight companies to which personal data is disclosed as part of this agreement are the Data Controller’s (the customer’s) Data Processors, not SHIPHERO LLC’s Data Processors. SHIPHERO LLC has only an intermediary function in this regard.
4. The Data Processor’s obligations
4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the SHIPHERO solution under which the Data Processor shall manage freight processes for the Data Controller.
4.2. The Data Processor is required to comply with the currently-applicable personal data legislation and shall notify the Data Controller immediately if an instruction from the Data Controller is, in the Data Processor’s opinion, contrary to the General Data Protection Regulation.
4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded or disclosed to unauthorised bodies, misused or otherwise processed in breach of personal data legislation, whereby the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.
4.4. The Data Processor is obliged to inform the Data Controller without undue delay of any data breach. In this regard, the Data Processor shall inform the Data Controller of:
- The nature of the data breach.
- If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned.
- The measures that the Data Processor has taken or proposes should be taken to deal with the data breach, including, where appropriate, measures to limit its potential adverse effects.
- The probable consequences of the data breach.
4.5. The Data Processor shall, at the Data Controller’s request, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.
4.6. The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with the General Data Protection Regulation’s article 28, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. It is emphasised that inspections/audits in every respect take place at the Data Controller’s expense.
4.7. The Data Processor shall secure/ensure that the persons who are authorised by the Data Processor to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.
4.8. If a data subject asks the Data Processor (usually such requests will be made to the Data Controller) for access to and insight into that person’s personal data, the Data Processor shall immediately forward the request to the Data Controller.
4.9. The Data Processor shall assist the Data Controller with appropriate technical and organisational tools to enable the Data Controller to fulfil the Data Controller’s obligations to respond to requests for the exercise of the rights of the data subjects as specified in chapter III of the General Data Protection Regulation.
5. Specifically about the transfer of information to sub-data processors or third parties
5.1. As a natural part of the SHIPHERO solution, the Data Processor is entitled to disclose personal data to the Data Controller’s other data processors (freight companies), and the Data Processor is also entitled to exchange personal data with the customs authorities.
5.2. In all other cases, the Data Processor may only disclose or transfer personal data to third parties or sub-processors with the prior agreement of the Data Controller. However, the Data Processor may disclose or transfer personal data without the Data Controller’s instructions, if permitted by law.
5.3. If the Data Processor hands over personal data to another data processor (sub-processor), the Data Processor is obliged to conclude a sub-processor agreement with the sub-processor, whereby the Data Processor’s sub-processor is subject to at least the same conditions as stated in this section 9.
5.4. The Data Processor shall notify the Data Controller if the Data Processor has plans to extend the circle of sub-processors and/or to replace existing sub-processors with others.
5.5. The Data Processor must not transfer personal data to third countries that the EU Commission has not assessed as safe third countries.
5.6. If the information is transferred to foreign sub-processors, it must be stated in the data processing agreement, cf. 9.5.3, that sub-processors shall comply with the EU’s General Data Protection Regulation and any other current personal data law in force. Sub-processors in EU countries with specific regulatory requirements regarding data processing must also comply with these requirements.
6. Duration of data processing
6.1. The processing of personal data pursuant to this agreement continues until such time as the SHIPHERO subscription concluded between the parties ceases.
6.2. However, in the event of the termination of a subscription, the Data Processor is bound by this agreement for as long as the Data Processor has access to personal data originating from the Data Controller.
6.3. In the event of termination of a SHIPHERO subscription, the Data Processor is required to delete any backups and other copies of the personal data.