Data Processing Agreement (DPA)

Between

Customer as client (hereinafter referred to as the "Controller")

And

DKV EURO Service GmbH + Co KG as contractor within the meaning of Art. 28 GDPR (hereinafter referred to as "DKV" or "Processor")

Individually also "Party", or together also "Parties"

Preamble

This DPA sets out the legal obligations of the Parties in relation to data protection arising from the processing of personal data in connection with the Parties' contract for the provision of the Fleet Management Software service (hereinafter also referred to as the "Contract").

This DPA is based on the Standard Contractual Clauses of the EU Commission from the Commission Implementing Decision (EU) 2021/915. Against this background, the Parties agree as follows:

SECTION I

CLAUSE 1: Purpose and scope of application

a) These Standard Contractual Clauses (hereinafter referred to as "Clauses") are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

b) The Controller(s) and Processor(s) have agreed these Clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

c) These Clauses apply to the processing of personal data in accordance with Annex I.

d) Annexes I to III are an integral part of the Clauses.

e) These Clauses are without prejudice to the obligations to which the Controller is subject under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

f) These clauses do not in themselves ensure that the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 are fulfilled.

CLAUSE 2: Invariability of the Clauses

a) The Parties undertake not to amend the Clauses except to supplement or update the information provided in the Annexes.

b) This does not prevent the Parties from including the Standard Contractual Clauses set out in these Clauses in a more comprehensive contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly contradict the Clauses or restrict the fundamental rights or freedoms of the data subjects.

CLAUSE 3: Interpretation

a) Where the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 are used in these Clauses, these terms shall have the same meaning as in the relevant Regulation.

b) These Clauses must be interpreted in light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.

c) These Clauses may not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or that restricts the fundamental rights or freedoms of the data subjects.

CLAUSE 4: Hierarchy/ Order of Precedence

In the event of any conflict between these Clauses and the provisions of any related agreements existing or subsequently entered into or concluded between the Parties, these Clauses shall prevail.

CLAUSE 5: Docking clause

a) An organisation that is not a Party to these Clauses may, with the consent of all Parties, accede to these Clauses at any time as a Controller or Processor by completing and (co-)signing the Annexes.

b) After completing and signing the Annexes referred to in point (a), the acceding organisation shall be treated as a Party to these Clauses and shall have the rights and obligations of a Controller or Processor in accordance with the Agreement reached.

c) No rights or obligations arising from these Clauses shall apply to the acceding organisation for the period prior to its accession as a Party.

SECTION II

OBLIGATIONS OF THE PARTIES

CLAUSE 6: Description of the processing

The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the Controller, are listed in Annex I.

CLAUSE 7: Obligations of the parties

7.1. Instructions

a) The Processor shall process personal data only on documented instructions from the Controller, unless it is obliged to do so under Union law or the law of a Member State to which it is subject. In such a case, the Processor shall inform the Controller of these legal requirements prior to processing, unless the law in question prohibits this due to important grounds of public interest. The Controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.

b) The processor shall inform the controller immediately if it believes that instructions issued by the controller violate Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable Union or Member State data protection provisions.

7.2. Purpose limitation

The Processor shall process personal data within the scope of this DPA only for the specific purpose(s) set out in Annex I, unless it receives further instructions from the Controller.

7.3. Duration of the processing of personal data

The data shall only be processed by the Processor for the duration specified in Annex I.

7.4. Security of processing

a) The Processor shall implement at least the technical and organisational measures listed in Annex III to ensure the security of the personal data. This shall include the protection of the data against a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, the data, whether accidental or unlawful (hereinafter "Personal Data Breach"). In assessing the appropriate level of protection, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks presented to data subjects.

b) The Processor shall grant its personnel access to the personal data subject to processing only to the extent strictly necessary for the performance, management and monitoring of the Contract. The Processor shall ensure that the persons authorised to process the personal data received have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality.

7.5. Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation of a person, or data relating to criminal convictions and offences (hereinafter "sensitive data"), the Processor shall apply specific restrictions and/or additional safeguards.

7.6 Documentation and compliance with the Clauses

a) The parties must be able to prove compliance with these Clauses.

b) The Processor shall process requests from the Controller regarding the processing of data in accordance with these Clauses promptly and appropriately.

c) The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and arising directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the request of the Controller, the Processor shall also authorise and contribute to an audit of the processing activities covered by these Clauses at appropriate intervals or where there are indications of non-compliance. When deciding on an inspection or audit, the Controller may take into account relevant certifications of the Processor.

d) The Controller may carry out the audit itself or commission an independent auditor. The audits may also include inspections of the Processor's premises or physical facilities and shall be carried out with reasonable prior notice where appropriate.

e) The Parties shall make the information referred to in this Clause, including the results of audits, available to the competent supervisory authority(ies) upon request.

7.7. Use of Sub-Processors

a) The Processor shall have the Controller's general authorisation to engage sub-processors included in an agreed list. The Processor shall expressly inform the Controller in writing at least 30 calendar days in advance of any intended changes to this list by adding or replacing sub-processors, thus giving the Controller sufficient time to object to these changes before the sub-processor(s) concerned is/are engaged. The Processor shall provide the Controller with the necessary information to enable the Controller to exercise its right to object.

If the Controller does not raise an objection within 30 days, their consent shall be deemed to have been granted.

The Controller hereby expressly agrees to the use of the sub-processors listed in Annex III.

b) Where the Processor engages a sub-processor to carry out certain processing activities (on behalf of the Controller), such engagement shall be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the sub-processor fulfils the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

c) The Processor shall provide the Controller with a copy of any such subcontracting agreement and any subsequent amendments at the Controller's request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may obscure the wording of the agreement before providing a copy.

d) The Processor shall be fully liable to the Controller for ensuring that the Sub-Processor fulfils its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfil its contractual obligations.

7.8. International data processing / international data transfers

a) Any processing / transfer of data by the Processor to a third country or an international organisation shall - notwithstanding the provision in lit. b below - only take place

1. on the basis of documented instructions from the Controller
2. on the basis of the prior (general) consent of the Controller, or
3. to comply with a specific provision under Union law or the law of a Member State to which the processor is subject and must comply with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

b) The Controller generally agrees that in cases where the processing of data by the Processor involves a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679 or the Processor uses a sub-processor pursuant to clause 7.7 to carry out certain processing activities (on behalf of the Controller) and these processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, such processing is permitted under the following conditions:

1. the processing takes place in a country for which the EU Commission has issued a corresponding adequacy decision on the basis of Article 45 of Regulation (EU) 2016/679, or
2. the Processor and the sub-processor shall ensure compliance with Chapter V of Regulation (EU) 2016/679 by using Standard Contractual Clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of these Standard Contractual Clauses are met.

c) The Controller hereby authorises the transfer and processing of personal data within the meaning of Chapter V of Regulation (EU) 2016/679 by the processors and/or sub-processors listed in Annex III.

CLAUSE 8: Assistance of the Controller

a) The Processor shall inform the Controller immediately of any request received from the data subject. It shall not respond to the request itself unless it has been authorised to do so by the Controller.

b) Taking into account the nature of the processing, the Processor shall assist the Controller in the fulfilment of the Controller's obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the Processor shall follow the instructions of the Controller.

c) In addition to the Processor's obligation to assist the Controller pursuant to Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the Processor:

1. Obligation to carry out an assessment of the impact of the intended processing operations on the protection of personal data (hereinafter "data protection impact assessment") if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
2. Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the Controller takes measures to mitigate the risk;
3. Obligation to ensure that the personal data is accurate and up to date by the Processor informing the Controller without undue delay if it becomes aware that the personal data it is processing is inaccurate or out of date;
4. Obligations under Article 32 of Regulation (EU) 2016/679.

d) The Parties shall specify in Annex II the appropriate technical and organisational measures for the Processor to assist the Controller in the application of this Clause and the scope and extent of the assistance required.

CLAUSE 9: Notification of personal data breaches

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to fulfil its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of the processing and the information available to the Processor.

9.1 Data breach concerning data processed by the Controller

In the event of a personal data breach in connection with the data processed by the Controller, the Processor shall assist the Controller as follows:

1. the notification of a personal data breach to the competent supervisory authority or authorities without undue delay after the Controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
2. when obtaining the following information to be included in the Controller's notification in accordance with Article 33(3) of Regulation (EU) 2016/679, which must include at least the following information:
1. the nature of the personal data, where possible, indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2. the likely consequences of a personal data breach;
3. the measures taken or proposed to be taken by the Controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.

c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2 Data breach concerning data processed by the Processor

In the event of a personal data breach in connection with the data processed by the Processor, the Processor shall notify the Controller immediately after becoming aware of the breach. This notification must contain at least the following information:

1. a description of the nature of the breach (if possible, specifying the categories and approximate number of data subjects affected and the approximate number of data records affected);
2. Contact details of a contact point where further information about the personal data breach can be obtained;
3. the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.

The Parties shall specify in Annex II, where necessary, any other information to be provided by the Processor to assist the Controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION II

FINAL PROVISIONS

CLAUSE 10: Non-compliance with the Clauses and termination

a) Without prejudice to the provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, if the Processor fails to fulfil its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until it complies with these Clauses or the contract is terminated. The Processor shall inform the Controller immediately if, for whatever reason, it is unable to comply with these Clauses.

b) The Controller is authorised to terminate the contract insofar as it relates to the processing of personal data in accordance with these Clauses if

1. the Controller has suspended the processing of personal data by the Processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period and in any event within one month of the suspension;
2. the Processor materially or persistently breaches these Clauses or fails to fulfil its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
3. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority(ies) relating to its obligations under these Clauses, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

c) The Processor shall be entitled to terminate the Contract insofar as it relates to the processing of personal data under these Clauses if the Controller insists on the fulfilment of its instructions after being informed by the Processor that its instructions violate applicable legal requirements under Clause 7.1(b).

d) Upon termination of the contract, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify to the Controller that this has been done, or return all personal data to the Controller and delete existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the deletion or return of the data, the Processor shall continue to ensure compliance with these Clauses.

CLAUSE 11: List of annexes

• Annex I: Description of the Processing
• Annex II: Technical and organisational measures implemented
• Annex III: Sub-processors / International data transfers/ data processing

ANNEX I - DESCRIPTION OF PROCESSING

1. PURPOSE(S) FOR WHICH THE PERSONAL DATA IS/ARE PROCESSED ON OUR BEHALF

The Processor is commissioned by the Controller to act as a data processor in order to process personal data in the name of and on behalf of the Controller, insofar as this is necessary for the provision of the contractually agreed services.

Processing of personal data as part of the DKV Fleet Management Software service for the purpose of fulfilling the main contract concluded between the Client and the Customer for DKV Fleet Management Software.

Depending on the scope of services agreed with the Customer (basic version or premium version for a fee), the DKV fleet management software may contain the following modules / features in particular:

• Basic version (free of charge)
  • Master data management for drivers and vehicles incl. archiving
  • Vehicle manufacturer data stored in the system (Schwacke GmbH or DAT)
  • Connection to DKV objects (e.g. service card)
• Premium version (for a fee)
  • Export of drivers and vehicles
  • Document and contract management
  • Exam dates for drivers (driving licence, driver training, etc.)
  • Inspection dates for vehicles (HU, UVV etc.)
  • Administration of fines

2. TYPE OF PROCESSING

2.1 The Processor is authorised to collect, process and use personal data in accordance with the Contract and the Controller's instructions (see clause 7.1 above).

2.2 Details on the scope, type and purpose of the collection, processing and/or use of personal data can be found in the Contract, its service description and in Section 1 above (Purposes).

3. CATEGORIES OF DATA SUBJECTS WHOSE DATA ARE PROCESSED

Customers, Event participants, Communication subscribers, Interested parties, Supplier and/or service provider (individual contact persons at these providers), Employees, Former employees, Employees Relatives, Commercial agent, Contact for companies, Business partner, others please specify: system/service user, Visitors, Service users, Subscribers, Applicants, Trainees / Interns, Counsellor, Shareholders / executive bodies, Suppliers and service providers.

4. CATEGORIES OF PERSONAL DATA THAT ARE PROCESSED

General data / private contact information: Names, Private address data, Date of birth / age, Identification data / IDs (e.g. passport, driving licence, national insurance number), others please specify: E-mail addresses, vehicle registration numbers, data relating to administrative offences, Image files / personal profiles.

Contract data: Settlement payment data, Financial situation / creditworthiness, please specify others:, Bank details / credit card details, Contract / utilisation histories.

Professional data: Personal data, Performance Management, Wage/salary/social data, Position and employment details, Qualification and training details, Working time, absence data, others please specify: Communication data (e-mail, telephone, etc.).

Service and IT (usage) data: Device identifiers, Image / video data, Audio / voice data, Access data, Metadata, please specify others:, Usage and connection data, TC data / message content, Identification data / IDs, Authorisation/approvals.

Special categories of personal data: Racial / ethnic origin, Health data, Biometric data, Trade union membership, Criminal offences, convictions or sentences, please specify others:, Religious / secular beliefs Beliefs, Political opinions, Genetic data, Sexual life / sexual orientation.

Sensitive data processed (if applicable) and restrictions or safeguards applied that take full account of the nature of the data and the risks involved, e.g. strict purpose limitation, access restrictions (including access only for staff who have undergone specific training), records of access to the data, restrictions on onward transfers or additional security measures.

5. DURATION OF PROCESSING

5.1 The duration of the data processing depends on the term of the (main) contract and/or any individual contracts or orders based on a framework agreement.

5.2 Until completion of the processing and subject to any other documented instructions of the Controller, the Processor shall return to the Controller or to a third party designated by the Controller, all documents, data carriers, processing results and data which have come into its possession, and which are connected with the contractual relationship or have been generated in the course of the execution of the Contract and/or this DPA.

This obligation extends to copies and/or reproductions of data carriers and/or data stocks. There is no right of retention with regard to the aforementioned data and data carriers. Unless otherwise provided for in the Contract, the Processor shall return all data and data carriers to the Controller free of charge. The Processor shall bear any costs and other expenses in connection with the return of data.

5.3 The Controller cannot demand the deletion of the data stored by the Processor, if and to the extent the Processor is subject to statutory retention obligations. Instead of deletion, the processing of the data can be restricted, as far as this is permissible due to local / country-specific implementation laws on data protection. This applies in particular if, due to the specific storage method, the deletion is not possible or only possible with disproportionately high expenditure.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF DATA

See TOM's of the DKV in a separate pdf document (available on the DKV website https://www.dkv-mobility.com/de under the "Guidelines" tab in the footer).

ANNEX III - SUB-PROCESSORS / INTERNATIONAL TRANSFERS/ DATA PROCESSING

The Processor has involved the following sub-processors:

Insofar as the customer is provided with access to services in the area of DKV fleet management (https://my.dkv-mobility.com/fleetmanagement/...) via the DKV Cockpit as a front end, we would like to point out that the provision of the Cockpit is basically carried out within the framework of a controller-to-controller relationship, see Section 13.2 of the Special Terms of Use DKV Cockpit Products. DKV uses the following processors for the provision of its cockpit services in relation to access to the DKV fleet management services: