This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement available at: https://www.chevinfleet.com/chevin-master-subscription-agreement/, as updated from time to time, or other written or electronic agreement between the Chevin Contracting Entity and Customer (the “Agreement”).

This DPA is between Customer and its authorized affiliates (“Customer” or “Controller”) and the Chevin Contracting Entity (“Chevin” or “Processor”) under the Agreement, in regards to the Services detailed on the applicable Order Form. Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings set forth in the Agreement.

WHEREAS:

In the course of providing the Services to Customer pursuant to the Agreement, Chevin may process Personal Data, as Processor, on behalf of Customer, as Controller;

The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework as set forth in Applicable Data Protection Laws and lay down their respective rights and obligations.

NOW, THEREFORE, IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

All capitalized terms in this DPA will have the meanings set forth in the Agreement unless defined below:

“Customer Personal Data” means any Personal Data Processed by a Subprocessor on behalf of Customer pursuant to or in connection with the Agreement;

“Customer Data” means any data, information, or content provided by or on behalf of the Customer to the Processor in connection with the Services, including but not limited to Customer Personal Data;

“Applicable Data Protection Laws” means, as applicable, UK GDPR, EU GDPR and any national legislation implementing or supplementing the EU GDPR applicable within the EEA, and/or all laws and regulations to the extent applicable to and binding on the processing of Customer Data;

“EEA” means the European Economic Area;

“EU Data Protection Laws” means EU GDPR and any national legislation implementing or supplementing the EU GDPR applicable within the EEA;

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council;

“Data Transfer” means: (a) a transfer of Customer Personal Data from the Customer to a Subprocessor; or (b) an onward transfer of Customer Personal Data from a Subprocessor to a Subprocessor, or between establishments of a Subprocessor, in each case where such transfer would be restricted or prohibited by Applicable Data Protection Laws without appropriate transfer mechanisms such as Standard Contractual Clauses (EU SCCs), UK International Data Transfer Agreements (IDTAs), or other legally recognized safeguards;

“Services” means the Fleet Management Software services detailed on the Order Form or Agreement;

“Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement, as further defined in Applicable Data Protection Laws;

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR, as amended, replaced, or superseded from time to time;

“UK GDPR” means the EU GDPR as retained and amended in UK law by the Data Protection Act 2018 and subsequent UK legislation following the UK’s withdrawal from the European Union.

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “processing” and “Supervisory Authority” have the meanings given in Applicable Data Protection Laws.

2. Processing of Customer Personal Data

Processor shall:

(a) comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data; and

(b) not Process Customer Personal Data other than on the Customer’s documented instructions.

The Customer instructs Processor to process Customer Personal Data as necessary for the Services.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of its own and its Subprocessors’ employees, agents, or contractors who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement and for compliance with Applicable Data Protection Laws in the context of that individual’s duties to the Subprocessor, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the EU GDPR and UK GDPR, as applicable.

In assessing the appropriate level of security, Processor shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

Processor shall not appoint or materially change (or disclose any Customer Personal Data to) any Subprocessor unless required or authorized by the Customer. Processor shall notify Customer of any material changes as expeditiously as possible and without unreasonable delay. Controller may object to a Subprocessor by: (a) terminating the Agreement in accordance with its terms; or (b) ceasing to use the Service applicable to such Subprocessor.

Controller hereby grants general authorization to Processor to engage Subprocessors as necessary for the Services without obtaining any further written, specific authorization from the Controller. Controller acknowledges and agrees that: (a) Processor’s affiliates may be used as Subprocessors, and (b) Processor may implement immaterial changes or replacements of Subprocessors to the extent permitted by Applicable Data Protection Laws and this Agreement.

Customer hereby approves the applicable Microsoft entity as an approved Subprocessor in accordance with the terms and conditions of this Agreement and the Microsoft Online Services Data Protection Addendum (DPA), as it may be updated from time to time, available here: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

In the event that Processor engages a Subprocessor, the Processor shall:

(a) restrict the Subprocessor’s access to Customer Data, including both Customer Personal Data and other Customer-provided content, to the limited extent necessary to provide or maintain the applicable Service in accordance with the Documentation; the Subprocessor is prohibited from accessing Customer Data for any other purpose;

(b) enter into a written agreement with the Subprocessor and, to the extent the Subprocessor performs the same data processing services provided by Processor under this DPA, impose on the Subprocessor obligations equivalent to those under this DPA; and

(c) remain responsible for its Subprocessor’s compliance with the obligations of this DPA.

6. Data Subject Rights

Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under Applicable Data Protection Laws.

Processor shall:

(a) promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by such Applicable Data Protection Laws, inform Customer of that legal requirement before responding to the request.

7. Personal Data Breach

Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data and provide Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Laws.

Processor shall cooperate with the Customer and reasonably assist in the investigation and mitigation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by Applicable Data Protection Laws, in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Subprocessors.

9. Deletion or Return of Customer Personal Data

Subject to this section 9, Processor shall promptly, and in any event within 10 business days of Customer’s written request upon or after the date of cessation of any Services involving the processing of Customer Personal Data, or otherwise when such deletion is required by Applicable Data Protection Laws (the “Cessation Date”), delete and procure the deletion of all copies of such Customer Personal Data.

Processor shall provide written certification to Customer that it has fully complied with this section 9 within 10 business days of Customer’s written request.

10. Audit Rights

Subject to this section 10, Processor shall make available to the Customer on commercially reasonable advance written notice of no less than ten (10) business days all information necessary to demonstrate compliance with this Agreement and Applicable Data Protection Laws, and shall cooperate with reasonable audits, including inspections, requested or mandated by the Customer or its independent auditor to the extent required by Applicable Data Protection Laws.

Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Laws.

11. Data Transfer

The Processor may not transfer or authorize the transfer of Personal Data to countries outside the UK or EEA unless appropriate safeguards recognized by Applicable Data Protection Laws are in place, including but not limited to:

(a) EU SCCs for EU/EEA data transfers;

(b) the UK IDTA or the UK Addendum to the EU SCCs;

(c) Binding Corporate Rules approved by the relevant authorities; or

(d) other legally valid transfer mechanisms approved by the relevant Supervisory Authorities.

Both Parties shall ensure such transfers comply at all times with Applicable Data Protection Laws.

12. U.S. State Privacy Laws

Chevin shall comply with relevant U.S. state privacy laws to the extent applicable to its performance under the Agreement, including but not limited to:

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA);

Virginia Consumer Data Protection Act (VCDPA);

Colorado Privacy Act (CPA);

Connecticut Data Privacy Act (CTDPA);

Utah Consumer Privacy Act (UCPA);

Texas Data Privacy and Security Act (TDPSA);

Delaware Personal Data Privacy Act (DPDPA);

Oregon Consumer Privacy Act (OCPA);

Florida Digital Bill of Rights (FDBR);

New Jersey Data Privacy Act (NJDPA);

Iowa Consumer Data Protection Act (ICDPA);

Indiana Consumer Data Protection Act (ICDPA);

Tennessee Information Protection Act (TIPA);

Minnesota Consumer Data Privacy Act (MCDPA);

Kentucky Consumer Data Protection Act (KCDPA); and

any other similar U.S. state privacy laws that become effective during the term of this Agreement.

To the extent required by such U.S. state privacy laws, Processor shall:

(a) Process Personal Data solely to fulfill obligations under this Agreement;

(b) not sell or share Personal Data, as defined in applicable state laws;

(c) assist Customer with responding to verifiable consumer requests, including access, deletion, correction, and data portability, where required;

(d) provide appropriate mechanisms to support consumer opt-outs from targeted advertising or profiling, where applicable; and

(e) maintain reasonable administrative, technical, and physical safeguards appropriate to the nature and sensitivity of the Personal Data.

Nothing in this section shall impose obligations on the Customer or Chevin beyond those required by applicable state law. This section shall not be interpreted to establish a joint controller relationship or create any obligation inconsistent with U.S. public-sector procurement restrictions.

13. General Terms

Confidentiality. This DPA is subject to the confidentiality obligations of the Agreement. For the avoidance of doubt, neither Party shall use or disclose any Confidential Information without the prior written consent of the other Party, except to the extent such use or disclosure is required by applicable law or necessary to provide or receive the Services.

Notices. This DPA is subject to the notice provisions of the Agreement.

Limitation of Liability. To the extent permitted by Applicable Data Protection Laws, this DPA is subject to the limitation of liability detailed in the Agreement.

Governing Law and Jurisdiction. This DPA shall be governed by the choice of law stated in the Agreement and any disputes arising under or in connection with this Agreement shall be subject to the jurisdiction specified therein.