US Data Processing Addendum
THIS DATA PROCESSING ADDENDUM APPLIES IF CLIENT HAS A BILLING ADDRESS IN THE USA (AND THEREFORE THE AGREEMENT IS BETWEEN CLIENT AND COMPLETE INNOVATIONS USA INC).
In consideration of the mutual obligations set forth in this USA Data Processing Addendum, and for other valuable consideration, the sufficiency of which is acknowledged, Complete Innovations USA Inc (“Fleet Complete”) and Client hereby enter into this USA Data Processing Addendum.
All capitalized terms are not defined in this USA Data Processing Agreement (“USA DPA”) shall have the meaning given in the remainder of the Agreement which incorporates this USA DPA by reference.
In providing the Services pursuant to the Agreement, Fleet Complete may Process certain Personal Information on behalf of Client (“Client Personal Data”). The Parties acknowledge that this USA DPA reflects the Parties’ agreement with regard to the Processing of Client Personal Data, and the Parties shall comply with this USA DPA with respect to all Client Personal Data.
- Definitions.
- (a) “Business”, “Business Purpose”, “Sell”, “Service Provider” and “Share” have the meaning ascribed to them in the CCPA.
- (b) “Data Subject” means an identified, or identifiable, natural person to whom Personal Information relates.
- (c) “Personal Information” means any information that identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household, or is otherwise “personal data,” “personal information,” “personally identifiable information,” or similar designation under and regulated by Privacy Law.
- (d) “Privacy Law” means all applicable federal, state, territorial, and local laws, rules, directives, regulations, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Information, including, to the extent relevant, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Children’s Online Privacy Protection Act, and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted, or replaced from time to time.
- (e) “Process(ing)” means the collection, use, modification, storage, disclosure and any other activity with respect to Personal Information that is governed by Privacy Law.
- (f) “Specified Business Purpose” means the Business Purpose(s) for Processing Personal Information, which are the Services described in the Agreement.
- Processing of Personal Information.
- (a) Relationship of the Parties. Fleet Complete is the data processor and Service Provider Processing Client Personal Data on behalf of the Client, which is the Business and data controller for Client Personal Data.
- (b) Processing Instructions. Client has the sole right to give Fleet Complete instructions regarding the Processing of Client Personal Data. Client hereby instructs Fleet Complete to Process Client Personal Data to the extent required to provide the Services. If complying with an instruction by Client could, in Fleet Complete’s reasonable opinion, potentially cause a breach by Fleet Complete or Client of this USA DPA or Privacy Law, Fleet Complete may notify Client in writing and suspend execution of the instruction until Fleet Complete receives written confirmation from Client that compliance by Fleet Complete with the instruction would not breach this USA DPA or Privacy Law.
- (c) Client Obligations. Client covenants, represents, and warrants that: (i) Client is solely responsible for complying with Privacy Law in regards to its role as a Business and data controller for Client Personal Data; (ii) Client has collected and obtained, and shall Process, Client Personal Data in compliance with Privacy Law; and (iii) Client providing Client Personal Data to Fleet Complete pursuant to the Agreement will not cause Fleet Complete to be in violation of applicable law, including Privacy Law. For the avoidance of doubt, Client’s instructions for the Processing of Client Personal Data comply, and shall comply, with Privacy Law. In addition, Client is solely responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired Client Personal Data.
- (d) Fleet Complete Obligations. Fleet Complete will comply with all applicable Privacy Law and only Process Client Personal Data in accordance with the instructions provided by Client, including the instructions in this USA DPA, and as otherwise required by applicable law.
- (e) California Specific Obligations. To the extent Client Personal Data contains any data regulated by the CCPA, Fleet Complete certifies, as a Service Provider to Client, that it understands, and will comply with, the applicable restrictions set forth in the CCPA and agrees that:
- i. Fleet Complete will Process all Client Personal Data on behalf of Client only and that Client is disclosing Client Personal Data to Fleet Complete only for the Specified Business Purpose;
- ii. Fleet Complete is prohibited from retaining, using, or disclosing Client Personal Data for any purpose other than for the Specified Business Purpose, including, without limitation, from retaining, using, or disclosing such Client Personal Data (A) for a purpose other than the Specified Business Purpose or (B) outside of the direct business relationship between the relevant Data Subject and the Client (and Fleet Complete on behalf of Client);
- iii. Fleet Complete will not further collect, use, or disclose Client Personal Data except as necessary to provide and maintain the Services;
- iv. Fleet Complete will not Sell or Share Client Personal Data for any reason;
- v. Fleet Complete will not, unless otherwise necessary due to the Specified Business Purpose or applicable law, combine Client Personal Data with Personal Information it (A) receives from or on behalf of another person or third party or (B) collects from its own interactions with the applicable Data Subject;
- vi. Fleet Complete will promptly notify Client if Fleet Complete determines it can no longer meet any of its obligations under this USA DPA;
- vii. If Client believes Fleet Complete is collecting, using, Processing, or sharing Client Personal Data in a manner inconsistent with the Agreement (an “Unauthorized Use”), then Fleet Complete will, upon receiving written or oral notice from Client, cease all Processing, of Client Personal Data; and
- viii. Fleet Complete will provide Client with reasonable assistance and work with Client in good faith in order to fully resolve and remediate the Unauthorized Use.
Notwithstanding the foregoing, Fleet Complete is permitted to use Client Personal Data as expressly permitted under the exceptions to Service Provider use restrictions under the CCPA.
- Data Protection and Security.
- (a) Reliability and Confidentiality. Fleet Complete will take commercially reasonable steps to ensure the reliability of any person authorized to Process Client Personal Data and ensure that such persons have committed themselves in writing to confidentiality or are under an appropriate obligation to ensure confidentiality and comply with Privacy Law.
- (b) Security Measures. Fleet Complete will keep Client Personal Data confidential, and implement and maintain (and require any Subprocessors that have access to Client Personal Data to maintain) a comprehensive, effective, and documented information security program appropriate to the nature of Client Personal Data that: (i) contains administrative, technical, and physical safeguards to identify, assess and protect against any reasonably foreseeable, anticipated, or actual threats or hazards to the security or integrity of Client Personal Data (“Information Security Measures”), (ii) is compliant with Privacy Law. Fleet Complete will (i) proactively monitor and review the scope of Information Security Measures on a regular basis, and (ii) implement additional Information Security Measures to control the risks Fleet Complete identifies through the monitoring and reviews described in (i).
- Incident Notification and Management.
- (a) Breach Notification. Fleet Complete will notify Client without undue delay after the confirmation of any breach of security that resulted in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Client Personal Data transmitted, stored, or otherwise Processed by Fleet Complete or any of its Subprocessors (“Security Breach”).
- (b) Breach Assistance. Fleet Complete will provide assistance with any obligation of Client under Privacy Law, as reasonably requested, including to make notifications, regarding the Security Breach. Fleet Complete will not make any statement or notification to any Data Subject, regulatory authority, or otherwise, regarding the Security Breach without the prior written approval of Client unless otherwise required by applicable law.
- Rights of the Data Subjects. Client has the sole discretion in responding to rights asserted by the Data Subjects. Fleet Complete will forward to Client any requests by Data Subjects relating to the Processing of Client Personal Data by Fleet Complete. Fleet Complete will assist Client, at Client’s cost, in fulfilling any rights of the Data Subjects to the extent these rights relate to the Processing of Client Personal Data by Fleet Complete.
- Data Protection Assessments. Fleet Complete shall provide assistance, upon Client’s request, with any obligation of Client under Privacy Law to conduct or document any data protection assessments relating to the Processing of Client Personal Data and, where necessary, consultations with regulatory authorities in connection with the Processing of Client Personal Data.
- Data Return or Deletion. Upon termination or expiration of the Agreement, Fleet Complete will securely return or delete, at Client’s discretion, all Client Personal Data, including all existing copies, unless the country’s laws to which Fleet Complete is subject to require a longer retention period.
- Subprocessors
- (a) Appointment of Subprocessors. Where Fleet Complete engages another party to Process Client Personal Data (a “Subprocessor”):
- i. obligations providing for at least for an equal level of data protection, as established by this USA DPA, will be imposed on that Subprocessor by way of a written contract, such as a data processing agreement; and
- ii. Fleet Complete will remain responsible to Client for the performance of that Subprocessor’s obligations to the same extent as Fleet Complete would be responsible if performing the services of the Subprocessor under the terms of this USA DPA.
- (b) List of Current Subprocessors. Fleet Complete may continue to use the Subprocessors already engaged by Fleet Complete. Upon reasonable request, Fleet Complete shall make available to Client a list of current Subprocessors being utilized.
- (c) Notification of New Subprocessors and Objection Right. Fleet Complete will notify Client of any material, proposed changes to its Subprocessors. Fleet Complete will provide such notification at least twenty (20) days before engaging any new Subprocessor to Process Client Personal Data. Client may reasonably object in good faith to Fleet Complete’s use of a new Subprocessor by notifying Fleet Complete promptly in writing within three (3) days of receipt of Fleet Complete’s notice. If Client objects to a new Subprocessor as permitted, Fleet Complete will use reasonable efforts to make available to Client a change in the Services or recommend a commercial reasonable change to Client’s configuration or use of the Services to avoid Processing of Client Personal Data by the objected-to new Subprocessor. If Fleet Complete is unable to make available such change within a reasonable period of time, not to exceed sixty (60) days, Client will be entitled to terminate the affected Services, but only with respect to those Services which cannot be provided by Fleet Complete without the use of the objected-to new Subprocessor, by providing written notice to Fleet Complete.
- (a) Appointment of Subprocessors. Where Fleet Complete engages another party to Process Client Personal Data (a “Subprocessor”):
- Audits, Inspections, and Cooperation. Fleet Complete will make available to Client, upon request, the information reasonably necessary to demonstrate its compliance with this USA DPA. Fleet Complete will provide assistance, as reasonably requested by Client, in connection with any audits or inspections by competent regulatory authorities or government bodies to the extent such audit relates to the Processing of Client Personal Data under this USA DPA (each an “Audit”). In connection with Audits, Fleet Complete will grant Client reasonable access to its business premises during Fleet Complete’s regular business hours and make available all information reasonably necessary to demonstrate compliance with this USA DPA; provided, however, that such access shall be undertaken in a manner designed to cause minimal interruption to Fleet Complete’s business operations. Client will notify Fleet Complete, in writing, of any such request for access relating to an Audit at least eight (8) weeks in advance. Client may not request access relating to an Audit more than once per calendar year unless otherwise required by applicable Privacy Law.
- Final Provisions
- (a) Conflicts. In the case of any conflict or inconsistency between any of the terms or conditions of the remainder Agreement (except for the Third Party Terms which shall prevail over this USA DPA to the extent there is a conflict) or this USA DPA, the terms or conditions of this USA DPA shall control.
- (b) Changes in Privacy Law. The Parties shall negotiate in good faith any amendments to this DPA that are necessary to reflect changes in Privacy Law.
- (c) Governing Law and Venue. This USA DPA is subject to the laws of the jurisdiction as stated in the Agreement. The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the Agreement.
- (d) Amendments. Any amendments or supplements to, or termination of, this USA DPA must be in writing in order to be legally effective, this requirement applies accordingly to any waiver of this written form requirement. For the avoidance of doubt, any references to any written form requirement in this USA DPA (e.g., “written” or “in writing”) include declarations and documents in electronic and text form whether bearing a signature or not (e.g., emails, fax copies or scans).
- (e) Severability. If a provision of this USA DPA is or becomes ineffective, in whole or in part, or if there is an omission, the remaining provisions of this USA DPA shall remain unaffected. In place of the ineffective provision, and to fill the omission, the Parties shall agree on a reasonable provision which comes – to the extent legally possible – closest to what the Parties agreed or would have agreed if they had considered this point.
[END OF DATA PROCESSING ADDENDUM]
Last updated: July 24, 2024
With Fleet Complete, you’ll experience your real-time fleet data transformed into actionable insights.
With this knowledge, you can make informed decisions about not only the efficiency of your fleet, but its safety, compliance, and sustainability.