close

Terms and Conditions

Third Party Product Terms (2019.12)

End User License Agreement (2019.12)

Security Terms

Data Processing Schedule

Archive


Data Processing Schedule

This data processing schedule (“Schedule”) is between the customer entity (“Licensee”) and the TomTom entity and its Affiliates (“TomTom”) which are a parties to the agreement for use of TomTom’s maps, software, live services, traffic stats and online services (“Agreement”) under which TomTom performs certain services. The parties agree that the Schedule supplements the Agreement and applies to the products supplied and services performed by TomTom (together for the purposes of this Schedule the “Services”), as defined in the Agreement to the extent that the same involve the processing by TomTom of Personal Data on behalf of Licensee.

Definitions

Terms defined in the Agreement between Licensee and TomTom shall have the same meaning when used in this Schedule. In addition, the definitions below apply in this Schedule:

Unless otherwise specified, all references to the GDPR shall be understood to be references to the applicable local equivalent which implements said reference into local law.

Subject and Term

The purpose of this Schedule is to describe the work to be carried out by TomTom in relation with the Agreement. This Schedule forms an integral part of the Agreement hereof. This Schedule shall be deemed to take effect from the Effective Date of the Agreement and shall continue in full force and effect until the termination of the Agreement.

Scope of the work

The purpose for the collection, processing and use of the Personal Data on behalf of Licensee is to provide the services as described in the Agreement, which forms an integral part hereof. The processing and use of the Personal Data will as take place in a member state of the European Economic Area unless the third country outside the European Economic Area is recognised as offering an adequate level of protection pursuant to article 45 GDPR or Standard Contractual Clauses (EU Commission Decision 2010/87; adopted on 5 February 2010) or similar officially recognised legal instruments are in place.

TomTom processes the Personal Data on behalf of Licensee. The processing of the Personal Data by TomTom shall take place within the framework of this Schedule and only to the extent that Licensee has instructed TomTom to do so in relation with the Agreement. Such instructions shall be deemed to be provided by Licensee’s use of the Services as is further described under the particular Services documentation (the “Documentation”) (such as, for example, by making an API call to the TomTom servers running the Online Services). In the event TomTom modifies the Documentation, continued use by Licensee of the Services shall be deemed to constitute acceptance by Licensee of the change in the manner under which TomTom processes the Personal Data and a revised instruction from Licensee accordingly.

TomTom shall not use the Personal Data for any purpose other than as described in this Schedule.

Data categories

Described below are the various categories of Personal Data for the respective Services as they are provided by TomTom under the Agreement.

1. Live Services Feeds with Traffic, Speed Cameras, Weather, Parking, Fuel,
a. Unique on-line & device identifiers, device configuration information, service requests including geolocation data, service responses, all time-stamped
b. Probe data: timestamped geolocation data, collected every few (typically: 5) seconds, immediately pseudo-anonymised with random temporary ID, subsequently anonymised within 24 hours (typically every 20 minutes) of vehicle shutdown or communication severed by deleting association between device/session ID and temporary ID

2. Online Services
a. Unique on-line & device identifiers, device configuration information, service requests including location data, service responses, all time-stamped
b. Probe data: timestamped geolocation data, collected every few (typically: 5) seconds, immediately pseudo-anonymised with random temporary ID, subsequently anonymised within 24 hours (typically every 20 minutes) of vehicle shutdown or communication severed by deleting association between device/session ID and temporary ID

3. NDS Data
a. Unique on-line & device identifiers, device configuration information, service requests including geolocation data, service responses, transaction log data, all time-stamped

4. Community Input Services
a. Unique on-line & device identifiers, device configuration information, service requests including geolocation data, service responses, transaction log data, all time-stamped
b. User contributed data including geolocation data

5. Access Management
The following data categories apply to the Online Services and, insofar this is provided under the Agreement, the Live Services.
a. Unique on-line & device identifiers, device configuration information, service requests and responses, all time-stamped
b. Entitlement & access rights, audit trails & reports, transaction log data, all time stamped

Technical and organisational measures

TomTom documents the implementation of the technical and organizational measures in accordance with the requirements of the GDPR.

TomTom ensures in particular that it has implemented the appropriate measures to:

a. Prevent unauthorized persons from gaining access to data processing systems with which personal data are processes or used;
b. Prevent data processing systems from being used without authorization;
c. Ensure that persons entitled to use a data processing system have access only to the Personal Data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization during processing or use and after storage;
d. Ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is impossible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged;
e. Ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified or removed;
f. Ensure that, for commissioned processing of personal data, the Personal Data is processed strictly in accordance with the instructions of the Licensee (job control).

Significant changes of the above technical and organisational measures by TomTom which reduce the protection of Personal Data shall be agreed by the Parties in writing.

TomTom confirms that the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data to be protected having regard to the state of the art and the cost of their implementation.

TomTom further confirms that the processing of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law and does not violate the relevant provisions.

TomTom’s obligations

Under this Schedule, TomTom has the obligation to:

a. Process the Personal Data only on behalf of the Licensee and in compliance with its instructions;
b. Ensure that only appropriately trained personnel shall have access to the Personal Data;
c. Provide Licensee with such cooperation (including access to its facilities) as the Licensee may reasonably request. Such cooperation may be subject to TomTom’s reasonable charges;
d. Implement such technical and organizational measures to protect the Personal Data as required by the GDPR;
e. Notify the Licensee immediately of any monitoring activities and measures undertaken by the relevant authority that supervises the applicable data protection legislation;
f. Support Licensee regarding Licensee’s obligations to provide information about the collection, processing or usage of Personal Data to a data subject;
g. Ensure that the Personal Data is not in any way used, manipulated, distributed, copied or processed for any other purpose than for the fulfilment of the contractual obligations as explicitly agreed upon and arising from this Schedule.

Sub-processing
The Licensee authorizes TomTom to appoint sub-processors to process Personal Data in accordance with this Schedule. TomTom shall conclude written agreements with sub-processors to protect Personal Data subject to conditions that are materially similar to the standards set forth in this Schedule. Where the sub-processor fails to fulfil its data protection obligations under such written agreement TomTom shall remain fully liable to the Licensee for the performance of the sub- TomTom's obligations under such agreement.

The Licensee shall be granted control and examination rights according to this Schedule and the applicable data protection legislation. This also includes the right of the Licensee to obtain information from TomTom, upon written request, on the substance of the contract and the implementation of the data protection obligations within the sub-processing relationship.

Licensee’s rights and obligations
Rights to monitor: Licensee is entitled to appoint a third party independent auditor in the possession of the required professional qualifications and bound by a duty of confidentiality, which auditor must be reasonably acceptable to TomTom, to inspect TomTom’s and its sub-processor’s compliance with this Schedule and the applicable data protection legislation required to determine the truthfulness and completeness of the statements submitted by TomTom under this Schedule. Licensee’s right to audit shall be subject to giving TomTom at least (4) weeks prior written notice of any such audit.

TomTom shall deal promptly and properly with all inquiries from the Licensee relating to its processing of the personal data subject to this Schedule.

Rectification, deletion and blocking of data: upon instruction by the Licensee, TomTom shall correct, rectify or block the Personal Data. Any request from a data subject directly to TomTom, shall be directed to Licensee.

Information obligations
If TomTom cannot provide compliance or foresees that it cannot comply with its obligations as set out in this Schedule, for whatever reasons, it agrees to promptly inform the Licensee of its inability to comply, in which case the Licensee is entitled to suspend the transfer of data.

TomTom will promptly notify the Licensee about:

1. Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
2. Any request received directly from the Personal Data subjects without responding to that request, unless it has been otherwise authorised to do so; and
3. Any unauthorized acquisition, access, use, disclosure or destruction of the Personal Data constituting a personal data breach as defined in the GDPR. Such notification shall take place without undue delay, and no later than 72 hours after the Processor has become aware with a reasonable degree of certainty of such personal data breach. TomTom will take all adequate remedial measures immediately and must promptly provide Licensee with all the relevant information and assistance as requested by Licensee. The notification of a data security breach to Licensee will, at a minimum, include:

a. A description of the security breach, including the date and time the security breach was discovered;
b. An overview of the Personal Data that was (potentially) lost or unlawfully processed as a result of the security breach;
c. Information on the consequences of security breach; and
d. A description of the measures taken by TomTom to limit the consequences of the data security breach.

Assignment

TomTom shall not assign this Schedule without the prior written consent of the Licensee. Where TomTom assigns this Schedule, with the consent of the Licensee, it shall do so only by way of a written agreement with the assignee which imposes the same obligations on the assignee as are imposed on TomTom under this Schedule.

Consequences of termination

The parties agree that on the termination of the provision of the services, TomTom and the sub-processor shall, at the choice of the Licensee, return all the Personal Data transferred including any data storage media supplied to TomTom, and the copies thereof to the Licensee or shall destroy all the Personal Data and certify to the Licensee that it has done so, unless legislation imposed upon TomTom prevents it from returning or destroying all or part of the Personal Data transferred. In that case, TomTom warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.