Data processing agreement

Updated on October 2020 (Version 1.0)

between the Customer and Avrios (each a Party, both herein referred to as Parties)

This Data Processing Agreement (“DPA”) forms part of the Software and Services Agreement (the “Agreement”) between Avrios
and Customer for the purchase of Services from Avrios. This DPA specifies the data protection obligations of the Parties in relation
to the personal data processed pursuant to the Agreement.
The defined terms set out in the Avrios General Terms of Service shall equally apply to this DPA. For the purposes of this DPA
only, and except where indicated otherwise, the term “Customer” shall include Customer and its Affiliates. Otherwise capitalized,
but not further defined terms shall be given the meaning assigned to them in the GDPR.

Clause 1
SCOPE AND RESPONSIBILITY

1. This DPA applies to personally identifiable Customer Data processed by Avrios acting as a processor on behalf of Customer acting as a controller.

2. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the controller and Avrios is the processor.  

3. Both Parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under the Data Protection Legislation.

4. Table A attached to this DPA sets out (i) the scope, nature and purpose of processing by Avrios, (ii) the duration of the processing, (iii) the types of personal data and categories of data subjects, (iv) the set of operations which is performed on personal data or on sets of personal data, (v) person(s) authorized to give instructions by the controller, and (vi) Customer’s data protection officer.

5. Within the scope of the Agreement, the Customer (acting as “controller” under the GDPR) is solely responsible for complying with the statutory requirements relating to data protection, in particular regarding the transfer of personal data to Avrios (acting as “processor” under the GDPR) and the processing of personal data. Without prejudice to the generality of sentence 1 of this clause 1 para. (5), the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Avrios for the duration and purposes of this DPA.

6. The Customer shall be entitled, in exercising its rights as controller, to demand the rectification, deletion, blocking and making available of personal data during and after the term of the Agreement. The Customer shall exercise these rights primarily by interacting with the interface(s) provided by Avrios.

Clause 2
OBLIGATIONS OF AVRIOS

1. Avrios shall, in relation to any personal data processed in connection with the performance by Avrios of its obligations under the Agreement:

(a). process that personal data only within the scope of the Customer’s documented instructions and in compliance with the Data Protection Legislation unless Avrios is required by the applicable law to otherwise process that personal data, in which case Avrios will inform the Customer of that law unless that law prohibits such information;

(b). ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential and have been duly instructed on the protective regulations of the Data Protection Legislation prior to the beginning of their processing activities;

(c). ensure that it has in place and maintains appropriate technical and organizational measures in accordance with art. 28 para. 1 GDPR (as set out in the Avrios Whitepaper on Data Security provided upon request and, as these measures are subject to organizational changes and technological improvements, updated from time to time while ensuring that the security level must not be reduced) to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (these measures may include, where appropriate, pseudonymisation and encrypting of personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it in accordance with art. 32 GDPR); 

(d). ensure that the Customer is able to verify compliance with the obligations of Avrios in accordance with art. 28 GDPR. Avrios undertakes to give the Customer the necessary information upon request. Such information may be given by, as applicable:

(i) demonstrating compliance with approved codes of conduct pursuant to art. 40 GDPR;

(ii) certification according to an approved certification procedure in accordance with art. 42 GDPR;

(iii) an adequacy decision (Angemessenheitsbeschluss) of the European Commission based on art. 45 GDPR;

(iv) providing an adequate level of protection by applying EU Standard Data Protection Clauses (controller-to-processor) in accordance with art. 46 GDPR;

(v) a suitable certification by IT security or data protection auditing, current auditor’s certificates, reports or excerpts from reports provided by independent bodies.

(e). take measures in order to enable the Customer to perform the rights of the data subjects in regard to (including, but not limited to) information, access, rectification, erasure, data portability and right to object within the required time frame, including by providing an interface(s) to the Customer as agreed in the Agreement, and shall provide the controller with all necessary information relating thereto;

(f). assist the Customer by providing all information to enable the Customer with its notification duties towards data protection authorities (art. 33 GDPR) and data subjects (art. 34 GDPR) in case of data breaches as well as in regard to data protection impact assessments (art. 35 GDPR) and prior consultation (art. 36 GDPR). Avrios can claim compensation for support, extra hours worked and any other kind of service provided that exceed the legal cooperation as required by the GDPR and which are (i) not part of the Agreement and (ii) not attributable to misconduct on the part of the Avrios;

(g). notify the Customer without undue delay on becoming aware of (i) any serious interruption of its operations or any other irregularity in processing Customer’s personal data, and (ii) any unauthorized or unlawful processing, loss of, damage to or destruction of the personal data or any suspicion in respect thereto. Furthermore, Avrios shall notify the Customer if it is of the opinion that any instructions issued by the Customer violate the GDPR or any data protection rules of the Data Protection Legislation;

(h). subject to the GDPR applying to the Customer, not transfer any personal data outside of Switzerland, the European Union and/or the European Economic Area unless the following conditions are fulfilled:

(i) Avrios has provided appropriate safeguards in relation to the transfer, either by way of an adequacy decision (Angemessenheitsbeschluss) of the European Commission based on art. 45 GDPR, by providing an adequate level of protection by applying EU Standard Data Protection Clauses (controller-to-processor) in accordance with art. 46 GDPR, or by providing binding corporate rules pursuant to art. 47 GDPR;

(ii) the data subject has enforceable rights and effective legal remedies; and

(iii) Avrios complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred.

i. at the written direction of the Customer (as referred to in clause 3 para. 4 DPA), delete or return personal data and copies thereof to the Customer on termination of this DPA unless required by the applicable law to store the personal data; and

j. provide complete and accurate information to demonstrate its compliance with this clause 2.(

Clause 3
OBLIGATIONS OF CUSTOMER

1. Customer and Avrios shall be separately responsible for conforming with such statutory data protection provisions under the Data Protection Legislation as are applicable to them. 

2. Customer shall inform Avrios without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the processing of personal data detected during verification of the results of such processing. 

3. As far as required by the Data Protection Legislation, Customer shall be obliged to fulfil its notification duties towards the competent data protection authorities including the maintenance of a data processing register. 

4. Customer shall, upon termination or expiration of the Agreement and by way of issuing a written instruction, stipulate the measures to return data carrier media or to delete stored data.

Clause 4
AUDIT RIGHTS

1. Customer may prior to the commencement of processing and in regular intervals thereafter, audit the technical and organizational measures taken by Avrios, and shall document the resulting findings. For such purpose, Customer may have an expert provide a testimonial or expert’s opinion.

2. At Customer’s written request Avrios shall allow for and contribute to audits (whether on-site or remotely) to verify Avrios’ compliance with its obligations under the GDPR and this DPA, to be carried out either (i) by an independent third-party audit firm bound by a duty of confidentiality and selected by the Customer and approved by Avrios (which approval shall not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (ii) by a competent data protection authority. The audit will be carried out in close cooperation with Avrios’ Data Protection Officer. Parties shall agree on the scope of the audit in advance. The Customer shall notify Avrios in writing with a minimum of fifteen (15) calendar days prior to any audit being carried out. Avrios shall reasonably support and cooperate with Customer and/or the third party audit firm in order to allow audits to proceed expeditiously. In particular, Avrios shall provide, upon written request, within a reasonable period all information necessary to carry out audits in accordance with this clause 4.

3. If Customer requests more than one audit per calendar year (whether to be executed on-site or from remote), Avrios can claim compensation for support, extra hours worked, and any other kind of services provided that exceed the legal cooperation as required by the GDPR.

Clause 5
SUB-PROCESSORS

1. Customer acknowledges and agrees that (i) Avrios’ Affiliates may be retained as sub-processors, and (ii) Avrios and/or its Affiliates may engage third party sub-processors, in connection with the provision of the Services to the Customer as a processor. Avrios or its Affiliates have entered into a written agreement with each sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of personal data.

2. A current list of sub-processors for the Services, including their country of location and description of processed activities on behalf of Avrios, is accessible here. Customer is obliged to subscribe for updates and, upon subscription, may receive notifications of new sub-processor(s) and updates to existing sub-processor(s). Avrios shall provide the Customer with notification of new sub-processor(s) and updates to existing sub-processor(s) before authorizing such new sub-processor(s) to process personal data in connection with the provision of the applicable Service.

3. Customer may object to Avrios’ use of a new (or updated) sub-processor on reasonable grounds by notifying Avrios in writing within ten (10) business days after receipt of notification. In the event Customer objects to a new (or updated) sub-processor, as permitted in the preceding sentence, Avrios will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of personal data by the objected-to new sub-processor without unreasonably burdening the Customer. If Avrios is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Avrios without the use of the objected-to new sub-processor, by providing written notice to Avrios. Avrios will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Customer.

4. As between the Customer and Avrios, Avrios shall remain fully liable for all acts or omissions of any sub-processor appointed by it to the same extent Avrios would be liable if performing the services of each sub-processor directly under the terms of this DPA, save as otherwise set forth in the Agreement.

Clause 6
MISCELLANEOUS

1. This DPA enters into effect on the earlier of (i) the Contract Start Date or (ii) Avrios’s first processing of personal data, subject to clause 7(4), and will remain in force until the latter of (i) the end of the Services or (ii) Avrios’s deletion of all personal data processed as a processor for Customer.

2. Where the Customer’s personal data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being processed, Avrios shall inform the Customer without undue delay. Avrios shall, without undue delay, notify to all pertinent parties in such action, that any personal data affected thereby is in Customer’s sole property and area of responsibility, that personal data is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the relevant Data Protection Legislation. 

3. No change of or amendment to this DPA or any of its components, including any commitment issued by Avrios, shall be valid and binding unless made in writing and with express reference to being a change or amendment to this DPA. The foregoing shall also apply to the waiver of this mandatory written form.

4. This DPA is governed by the law applicable to the Agreement and shall only become legally binding between the Parties and, if applicable, their Affiliates, once duly executed.

TABLE A
(i) Nature and purpose of processing Avrios operates the Avrios Platform, a software-as-a-service for the purpose of managing the Customer’s vehicle fleet. Avrios processes personally identifiable data (in particular user and driver data) in order to deliver the services under the agreements with its customers. Avrios´ customers use the Avrios Platform, amongst other things, for the following tasks:
  • allocation of vehicles to drivers
  • generation of reports on vehicle costs and use
  • generation of rankings, benchmarks, indices and alerts based on driving performances and vehicle information
  • facilitation of vehicle procurement and partner communication 
  • digital invoice verification, damage analysis and processing of vehicle damages
  • fuel card administration 
  • leased contract management and tracking of vehicle returns
  • performance of drivers’ license checks and driver communication 
  • provisioning of data to leasing companies, insurance companies and/or public authorities
(ii) Duration of the processing During the term and in accordance with the provisions of the respective customer agreement.
(iii) Categories of data subjects Each customer may submit personal data to the Avrios Platform as determined and controlled by each customer in its sole discretion, including but not limited to the following categories of data subjects:
  • Drivers (former, current, and prospective employees and contractors as well as their spouses & dependents);
  • Users (individuals authorised to access the Avrios Platform on behalf of a customer);
  • Third parties (customers, business partners, suppliers, advisors, agents, freelancers and/or sub-contractor of the Customer or their respective employees, as the case may be).
The personal data transferred to and processed by Avrios include the following, broken down by data subject and category: 
Data subject Data category Type of personal data
Driver (individuals authorized to use a vehicle managed in the Avrios Platform). Master data
  • first name, surname, address, gender
  • internal ID, cost centre, organisation, department, location, line and sub-line of business, reporting structure
  • other address information, where applicable, such as temporary residence
  • date and place of birth, language, nationality, entitlement to residency, family status, details of dependents, National Identification Number
  • start date and end date (if applicable) of employment
  • salary plan information (fringe benefits around company cars), benefits records and related information (eligibility to a company car and company car level)
Communication data
  • phone number, fax number, mobile phone number, e-mail address
Biometric data
  • driver license picture
Vehicle(s) assigned
  • license plate, chassis number
User Master Data
  • first name, surname, gender
Communication Data
  • phone number, fax number, mobile phone number, e-mail address
Third parties (e.g. employees at a customer’s insurance service provider involved in damage management) Master data
  • first name, surname, company
  • license plate of the vehicle involved
(iv) Processing activities Processing activities include data collection (also through dedicated interfaces), storage, and analytics. Data is also used for communication purposes with the data subjects specified above.  
(v) Person(s) authorized to give instructions by the controller To complete: name, family name, email, telephone
(vi) Customer’s data protection officer To complete: name, family name, email, telephone
Scroll to Top