Data Processing Agreement

The processing of the Personal Data by the Processor shall take place within the framework of this DPA and only to the extent that Controller has instructed the Processor to do so in relation with the Agreement. The Processor processes the Personal Data on behalf of and per the instructions of the Controller. Modifications to the processing of Personal Data under the Agreement are subject to prior mutual agreement.

The Processor shall not use the Personal Data for any purpose other than as described in the Agreement.

The Controller has defined that the data categories from Data Subjects as specified in the DPS will be processed by the Processor under this DPA.

4.1. Technical and organizational measures

The Processor agrees and warrants that it shall implement technical and organizational measures that ensure the security of the Personal Data in compliance with the requirements set out in article 32 of the GDPR and as set out in the Information Security Annex available at tomtom.com. Any change in the Processor’s security policies and procedures or the addition or removal of a sub-processor by the Processor should not negatively affect the level of security. Substantial changes to such measures that diminish the level of security shall only be valid if prior agreed between the Parties in writing.

4.2. Audits and inspections

Controller is entitled to directly audit or appoint a third party independent auditor in the possession of the required professional qualifications and bound by a duty of confidentiality to inspect Processor’s and sub-processor’s compliance with this DPA and the applicable data protection legislation.
Controller’s right to audit shall be subject to giving the Processor at least thirty (30) days prior written notice of any such audit, except in the situations where an emergency audit has to take place, due to a Personal Data Breach or an order from a Supervisory Authority. Each Party shall bear its own costs for the audit, unless the audit reveals a non-conformity, in which case the Processor shall bear the cost of the audit together with any costs incurred to remediate the non-conformity.

4.3. Confidentiality

The Personal Data shall be treated as confidential information subject to at least the same degree of protection as the Processor applies to its own confidential information. This includes without limitation ensuring that the Processor:

4.3.1. prevents unauthorized persons from gaining access to data processing systems with which Personal Data are processes or used;
4.3.2. ensure that persons entitled to use a data processing system have access only to the Personal Data to which they have a right of access;
4.3.3. ensure that it is possible to check and establish whether and by whom Personal Data has been input into data processing systems, modified or removed.

4.4. Notification of Data Breaches

In case of a Personal Data Breach the Processor will take all adequate remedial measures immediately and must promptly provide Controller with all the relevant information and assistance as requested by Controller regarding the actual or suspected Personal Data Breach. The notification of the Personal Data Breach shall take place without undue delay and in any event within twenty-four (24) hours after the Processor becomes aware of the Personal Data Breach. The notification shall be done by contacting the Controller via the contact details as set forth in the DPS.
Without prejudice to the foregoing, the Processor shall notify any data security breach timely to the Controller in accordance with the ISA. The notification of a data security breach to Controller will, at a minimum, include:

4.4.1. a description of the security breach, including the date and time the security breach was discovered;
4.4.2. an overview of the Personal Data that was (potentially) lost or unlawfully processed as a result of the security breach;
4.4.3. information on the consequences of security breach; and
4.4.4. a description of the measures taken by Processor to limit the consequences of the data security breach.

Processor shall deal promptly and properly with all inquiries from the Controller relating to its processing of Personal Data, include without limitation:

5.1. Regulatory and compliance support: by providing such cooperation (including access to its facilities and provision of compliance documentation) as the Controller may reasonably request.

5.2. Rights of Data Subjects support: by assisting the Controller and providing information about the collection, processing or usage of Personal Data to a Data Subject, including by providing support with audits and inspections as set out in clause 5.2.

5.3. Rectification, deletion and blocking of data: upon instruction by the Controller, the Processor shall correct, rectify or block the Personal Data. Any request from a Data Subject directly to the Processor, shall be promptly directed to the Controller.

5.4. Notification of regulatory activities: notify the Controller immediately of any monitoring activities and measures undertaken by a Supervisory Authority.

6.1. Engagement of sub-processors

The Controller acknowledges and agrees that the Processor may engage sub-processors to support it in carrying out the processing of Personal Data after having obtained prior authorization from the Controller. As a further condition for permitting a sub-processor to process Personal Data, the Processor shall ensure that each sub-processor that it engages under this DPA undertakes or has already undertaken the same obligations as imposed on the Processor under this DPA and the Agreement by way of written agreement. This includes, without limitation, executing the applicable module(s) of the Standard Contractual Clauses. The Controller shall be entitled on obtain information from the Processor or sub-processor, upon written request, on the substance of such written agreements and its implementation by the sub-processor.

6.2. Current sub-processors and new engagements

The Processor and Controller have agreed that at the Effective Date the sub-processors listed by name and location in the DPS are explicitly authorized. The Processor shall inform the Controller of its intention to remove an existing sub-processor or engage a new sub-processor at least sixty (60) business days prior to the start of the change, by sending written notice to privacy@tomtom.com and the engagement can be effectuated only with the prior authorization of the Controller.

6.3. Liability

Where a sub-processor fails to fulfil its data protection obligations under any written agreement, the Processor shall remain fully responsible and liable to the Controller for the performance of the sub-processor's obligations under such agreement.

7.1. Data residency

All Processing of the Personal Data, including storage, shall take place in a member state of the EU, unless explicitly authorized otherwise in writing by the Controller prior to such processing.

7.2. Standard Contractual Clauses

to the extent that any data transfer to a third country has been authorized by the Controller in line with clause 7.1. and is essential to enable the Processor to provide the services under the Agreement, such data transfer shall be governed by the applicable module(s) of the Standard Contractual Clauses.

7.3. Onward transfer

To the extent clause 7.2 applies, Personal Data may only be disclosed to a sub-processor located or otherwise processing the Personal Data outside the EU (hereinafter “onward transfer”) if the sub-processor is or agrees to be bound by the applicable module(s) of the Standard Contractual Clauses or, alternatively, only if: (i) the sub-processor otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 GDPR with respect to the processing in question; or (ii) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 GDPR that covers the onward transfer. Any disclosure may only take place subject to compliance by the Processor with all the other safeguards under the Standard Contractual Clauses.

7.4. Immediate termination

The Controller shall be entitled to immediately terminate the DPA without any liability in the event that a data transfer or the supplementary measures implemented to manage the risk thereof under this DPA are considered to be inadequate by the Controller in its reasonable assessment. For the avoidance of doubt, the Processor shall immediately terminate the data transfer in that case.

8.1.

The Processor shall notify the Controller promptly if it cannot ensure compliance with its obligations set out in this DPA, for whatever reason, in which case the Controller is entitled to suspend the Processing.


8.2.

This obligation includes, without limitation, notifying the Controller where the Processor receives a disclosure or access request issued by a national surveillance or other governmental authority, to enable the Controller to intervene and challenge such disclosure, unless such notification is prohibited by law.


8.3.

If the Processor is allowed to notify the Controller, it will do so without undue delay and by clarifying whether the request is binding or non-binding. After notification, the Processor shall support the Controller in managing the request, by opposing or narrowing that request down, where too broad, including by challenging it before a judicial authority and immediately stop data processing where a disclosure or access request will result into non-compliance by the Processor with the Standard Contractual Clauses. The Processor shall follow the instructions of the Controller and no data shall be disclosed without prior approval of the Controller.


8.4.

If the Processor is prohibited to notify the Controller the Processor:

i. it will use its reasonable efforts to obtain the right to waive this prohibition and communicate as much information, without undue delay, to the Controller and demonstrate that to the Controller unless this is prohibited by law;
ii. where, despite its reasonable efforts, the Processor is not permitted to notify the Controller, it will make available yearly the number of requests it received and a brief description of the nature of the Personal Data requested and the name of the requesting authority to the Controller, unless prohibited;
iii. it will use reasonable efforts to oppose any such request for access to the Personal Data by any authority where the request is determined to be extensive and/or otherwise going beyond what is necessary in a democratic society; and
iv. it will contest its legal validity, to the extent legally permitted under national law.

The Parties agree that on the termination of the provision of the services under the Agreement, the Processor and its sub-processor(s), at the choice of the Controller, to be communicated within ninety (90) days of the date of the termination, shall either:

1. return all copies and storage media containing Personal Data to the Controller; or
2. destroy all copies and storage media containing Personal Data and certify to the Controller that it has done so in writing within thirty (30) days of the original request of the Controller.

Where applicable law prevents the Processor from returning or destroying all or part of the Personal Data, the Processor warrants that it shall guarantee the confidentiality and security of the retained Personal Data, retain it only as long as necessary by law and not actively process it anymore.

The Processor shall not assign its obligations under this DPA without the prior written consent of the Controller. Where the Processor assigns this DPA, with the consent of the Controller, it shall do so only by way of a written agreement with the assignee which imposes the same obligations on the assignee as are imposed on the Processor under this DPA.

Notwithstanding anything to the contrary in the Agreement, the Processor shall indemnify Controller for claims of any third party that arise as a result of Processor’s non-compliance with its obligations under this DPA and the applicable local laws and legislation of the countries where the Personal Data is processed and regulations regarding data protection and privacy.