This Data Processing Agreement (“Agreement”) is incorporated into the Edge Petrol Terms and Conditions (“Terms and Conditions”) between the Edge Petrol entity listed on the relevant Order Form (“Edge”) and the client listed on that Order Form (“Client”), applies in respect of the performance of Edge’s obligations under the Terms and Conditions, including the provision of the Edge Product and Professional Services (“Services”) to Client if the Processing of the Personal Data described under Section 2 of this Agreement (“Client Personal Data”) is subject to the GDPR, only to the extent where Client is a Controller of Client Personal Data and Edge is a Processor. The Agreement is intended to satisfy the requirements of Article 28(3) of the GDPR. This Agreement shall be effective for the term of the Terms and Conditions.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions and “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” (and their grammatic variants) will each have the meaning given to them in the GDPR.
1. Details of The Processing
1.1. Categories of Data Subjects and types of Personal Data. This Agreement applies to the Processing of Client Personal Data relating to employees and other personnel of Client and the types of Client Personal Data include first name, last name, job title, email address and telephone number.
1.2. Subject-Matter, Nature and Purpose of the Processing. The subject-matter, nature and purpose of Processing of Client Personal Data by Edge is the provision of Services to Client in accordance with the Terms and Conditions.
1.3. Duration of the Processing. Client Personal Data will be Processed for the duration of the Terms and Conditions, subject to Section 2.9 of this Agreement.
2. Processing of Client Personal Data
2.1. Instructions. The parties agree that: (a) Client is the Controller of Client Personal Data and Edge is the Processor of Client Personal Data. Edge will only Process Client Personal Data as a Processor on behalf of and in accordance with Client’s prior written instructions, including with respect to transfers of Client Personal Data. Edge is hereby instructed to Process Client Personal Data to the extent necessary to enable Edge to provide Services; and (b) if Edge cannot process Client Personal Data in accordance with Client’s instructions due to a legal requirement under applicable law, Edge will: (a) promptly notify Client of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (b) cease all Processing of the affected Client Personal Data (other than merely storing and maintaining the security of the affected Client Personal Data) until such time as Client issues new instructions with which Edge is able to comply. If this provision is invoked, Edge will not be liable to Client under the Terms and Conditions for failure to provide Services until such time as Client issues new instructions.
2.2. Transfers. Client hereby consents to Edge transferring Client Personal Data outside of the European Economic Area, provided such transfers are made in accordance with Data Protection Laws.
2.3. Confidentiality. Edge will ensure that any person whom Edge authorizes to Process Client Personal Data on its behalf is subject to confidentiality obligations in respect of that Client Personal Data.
2.4. Security Measures. Edge will: (a) implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data; and (b) at Client’s request, provide Client with reasonable assistance as necessary for the fulfilment of Client’s obligation to keep Client Personal Data secure.
2.5. Sub-Processing. Client authorizes Edge to appoint sub-Processors to perform specific services on Edge’s behalf which may require such sub-Processors to Process Client Personal Data. Edge will inform Client of any intended changes concerning the addition or replacement of any sub-Processors and Client will have an opportunity to object to such changes on reasonable grounds within five (5) days after being notified. If the parties are unable to resolve such objection, either party may terminate the relevant Order Form(s) by providing written notice to the other party. Edge will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor substantially the same obligations that apply to Edge under this Agreement. Where any of its sub-Processors fails to fulfil its data protection obligations, Edge will be liable to Client for the performance of such obligations.
2.6. Data Subject Rights. Edge will, provide Client with assistance necessary for the fulfilment of Client’s obligation to respond to requests for the exercise of Data Subjects’ rights. Edge shall not respond to such requests without Client’s prior written consent and written instructions. Client shall be solely responsible for responding to such requests.
2.7. Personal Data Breaches. Edge will: (a) notify Client without undue delay after it becomes aware of any Personal Data Breach affecting any Client Personal Data; and (b) at Client’s request, Edge will promptly provide Client with all reasonable assistance necessary to enable Client to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Client is required to do so under the GDPR. Client is solely responsible for complying with Personal Data Breach notification requirements applicable to Client and fulfilling any third-party notification obligations related to any Personal Data Breach.
2.8. Data Protection Impact Assessment and Prior Consultation. Edge will provide Client with reasonable assistance to facilitate conducting data protection impact assessments and consultations with data protection authorities, if Client is required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by Edge of Client Personal Data, taking into account the nature of the Processing and the information available to Edge.
2.9. Return or Deletion of Client Personal Data. Edge will return or delete, at Client’s choice, Client Personal Data to Client after the end of the provision of Services relating to the Processing, and delete existing copies unless applicable law requires storage of the data.
2.10. Information. Edge will, at Client’s request, provide Client with all information necessary to enable Client to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by Client or an auditor mandated by Client, to the extent that such information is within Edge’s control and Edge is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with advanced written notice of at least sixty (60) days, during regular business hours, not more often than once per calendar year and subject to Edge’s then- current security and confidentiality policies. Edge will immediately inform Client if, in its opinion, an instruction from Client infringes Data Protection Laws.
3. Client Obligations
3.1. Compliance and Costs. Client will: (a) comply with its obligations under Data Protection Laws (including any guidance issued by the European Data Protection Board or relevant supervisory authority) which arise in relation to this Agreement and its receipt of the Services; (b) not do or omit to do anything which causes Edge to breach any of its obligations under Data Protection Laws; and (c) reimburse Edge for its costs incurred in performing its obligations under Sections 2.4(b), 2.6, 2.7(b), 2.8, 2.9 and 2.10.
3.2. Right to Process. Client represents, warrants and undertakes to Edge that: (a) Client (and any other sub-contractor of Client) has obtained Client Personal Data in accordance with Data Protection Laws and has provided (or will provide) all necessary notices to Data Subjects whose Personal Data comprises part of Client Personal Data; and (b) it has (or will at the required time have) one or more valid grounds for Edge’s (and any sub-Processors) Processing of Client Personal Data in accordance with this Agreement, in each case so that Edge (and any sub-Processors) processing of Client Personal Data in accordance with this Agreement complies with Data Protection Laws.
4.1. Each party’s liability towards the other party under or in connection with this Agreement will be limited in accordance with the provisions of the Terms and Conditions and Client acknowledges that Edge is reliant on Client for direction as to the extent to which Edge is entitled to Process Client Personal Data on behalf of Client in performance of the Services. Consequently, Edge will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Edge, to the extent that such action or omission resulted from Client’s instructions or from Client’s failure to comply with its obligations under Data Protection Laws.
4.2. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and the Terms and Conditions, the provisions of this Agreement shall prevail.