Data Processor Agreement

Between:

ABAX UK Ltd, company number 07764543 (Data Processor, hereinafter "ABAX")

And

CUSTOMER, as specified in order confirmation form, or other agreement with ABAX (Data Controller, hereinafter "Customer")

The following agreement on the processing of personal data has been entered into ("Data Processor Agreement"):

  1. BACKGROUND, CONDITIONS OF THE MASTER AGREEMENT, ETC.

The Data Processor Agreement applies to all processing of personal information that ABAX shall undertake for the Customer as a result of the agreement(s), that is applicable between the parties at any time regarding the Customer's purchase of one or more services from ABAX ("Master Agreement").

  1. DATA PROCESSOR AGREEMENT PURPOSE, ETC.

ABAX processes personal information on behalf of the Customer under the Master Agreement.

The purpose of processing, duration of processing, type of processing, types of personal data to be processed and categories of data subjects depend on which services are covered by the Master Agreement at any given time, and are specified for each of the services attachments to the Data Processor Agreement. The services covered by the Data Processor Agreement are thus stated in the Master Agreement.

The Data Processor Agreement shall ensure that personal data is processed in accordance with applicable laws in Norway for processing personal data, including the Personal Data Protection Act applicable at any time and associated regulations, as well as further regulations implemented in such law as the European Parliament and Council Regulation on the Protection of individuals upon personal data processing, and on the free flow of such information repealing Directive 95/46

  • EC (privacy regulation), and

(a) (Hereinafter referred to as the "Personal Data Protection Act”)

ABAX shall process personal information in the manner described in the Data Processor Agreement , or as otherwise agreed in writing (including electronically) between ABAX and the Customer. Concepts and definitions used in the Data Processor Agreement shall be understood in the same way as in the Personal Data Protection Act.

  1. CUSTOMER'S RIGHTS AND DUTIES. DATA PROCESSOR'S (ABAX) DUTIES

ABAX shall undertake appropriate technical and organisational measures to ensure that all processing under the Data Processor Agreement complies with the requirements of the Personal Information Act, and the Protection of Data Subjects' Rights, including compliance with all requirements pursuant to Article 32 of the Personal Data Protection Act.

ABAX shall only process personal data based on documented instructions from the Customer; unless processing is required by law, ABAX is subject to compliance with Article 28, paragraph 3 a).

The Customer hereby instructs ABAX to process personal information in accordance with the Data Processor Agreement and, to the extent and in the manner in which such processing is required to provide the Services to the Customer under the Master Agreement.

ABAX shall, by means of appropriate technical and organisational measures, bearing in mind the nature of processing and to the extent possible, assist the Customer in responding to requests submitted by data subjects seeking to exercise their rights pursuant to Chapter III of the Personal Data Protection Act.

ABAX shall assist the Customer in ensuring compliance with the obligations relating to personal information security and assessment of the privacy implications and pre-emptions in Articles 32 to 36 of the Personal Data Protection Act, bearing in mind the nature of the processing and the information available to ABAX.

ABAX shall keep a record of processing activities performed on behalf of the Customer, which shall contain at least the information provided pursuant to the Personal Data Protection Act, Article 30, no. 2.

ABAX commits to the confidentiality of personal data accessed by the person concerned under the Data Processor Agreement and the processing of personal data, and shall ensure that persons authorised to process personal data have committed themselves to their confidential processing, or are subject to an appropriate statutory duty of confidentiality. This provision also applies after the termination of the Data Processor Agreement .

If ABAX considers that an instruction from the Customer is in violation of the Personal Information Act, Personal Data Protection Act, or other regulation for the processing of personal data, ABAX shall immediately share its opinion with the Customer. ABAX undertakes to exercise its obligations under the Data Processor Agreement , despite its opinion.

  1. USE OF SUBCONTRACTORS

ABAX shall only use subcontractors for processing personal data (sub-processor) when required to and will implement measures to protect the subjects rights in accordance with the data processing requirements outlined in the Personal Data Protection Act.

An overview of authorised sub-processors of the Data Processor Agreement is found in the interface of ABAX's internet services.

The Customer grants ABAX general permission for the use of sub-processors for processing personal data under the Data Processor Agreement . Should ABAX start using new or replace existing sub-processors, ABAX shall update the sub-processors directory in the interface of ABAX's internet services.

All sub-processors should be aware of ABAX's obligations under this Data Processor Agreement , as well as the regulations governing the processing of Customer's personal information. Sub-processors shall also be subject to identical obligations concerning personal data protection as those stipulated in the Data Processor Agreement through a binding agreement, whereby the sub-processor shall provide sufficient assurance that technical and organisational measures will be implemented to ensure that processing meets regulatory requirements. ABAX bears full responsibility towards the Customer for the fulfilment of the sub-processor's obligations.

5. SECURITY AND DEVELOPMENT

ABAX shall fulfil the requirements for security measures imposed under the Personal Data Protection Act. ABAX shall be able to document procedures and other measures to meet these requirements.

ABAX shall make available to the Customer all information necessary to demonstrate fulfilment of all duties set forth in this paragraph 3, as well as facilitate and contribute to any audits, including inspections, carried out by the Customer or another inspector on behalf of the former.

In case of security or breach of privacy, ABAX shall notify the Customer without undue delay. The breach notification shall at least contain:

(a) a description of the nature of the breach of personal data protection, including, where possible, the categories of an approximate number of data subjects affected, and the categories of an approximate number of personal information items affected,

(b) the name and contact details of the privacy adviser, or another contact point where more information can be obtained,

(c) a description of the likely consequences of the breach of personal data protection,

(d) a description of the measures taken or proposed to be taken to deal with the breach of personal data protection, including, where applicable, measures to reduce any harmful effects arising thereof.

Any information not provided in the first message shall be given as soon as it becomes available.

The data controller shall submit a message to the supervisory authority, whereas ABAX may not send such notice or contact the supervisory authority without the Customer's instructions.

  1. TRANSFER TO THIRD COUNTRIES

Personal data may only be transferred to countries outside the EU/EEA (third country) upon the Customer's request. Thus, ABAX may not transfer or allow third-country nationals to gain access to personal information in any way without the express, written consent of the Customer, which should provide instructions for transfer or access in advance. Consent and instructions shall indicate the country to which this information should be transferred. Transfer to a third country, even with the Customer's consent and instructions, requires meeting the requirements for security and protection of data subject's rights arising from the Personal Data Protection Act and other regulations.

  1. ORDER TO SUSPEND

Upon breach of this Data Processor Agreement , the Personal Data Protection Act or other relevant regulations, the Customer may order ABAX to stop further information processing with immediate effect.

  1. DATA PROCESSOR AGREEMENT DURATION, DUTIES UPON TERMINATION AND CANCELLATION

The Data Processor Agreement applies as long as ABAX processes or has access to personal information on behalf of the Customer pursuant to the Master Agreement.

Upon termination of the Master Agreement, ABAX shall delete or return all personal information to the Customer in accordance with the Master Agreement Terms and Conditions for Deletion and Retrieval of Data, unless ABAX as Data Processor is subject to a legal requirement whereby this personal information must be retained.

When deleting personal information, ABAX shall also delete any backups, where it is sufficient that ABAX overwrites them pursuant to established backup procedures.

9. OTHER DUTIES AND RIGHTS

Other duties and rights are governed by the Master Agreement. The same contact people apply to the Data Processor Agreement and the Master Agreement.

The limitation of liability provided by the Master Agreement shall also apply to the Data Processor Agreement .

Upon transfer of the Master Agreement to other parties, the Data Processor Agreement shall be transferred accordingly.

  1. ANNEXES

Annexes to the Data Processor Agreement specify the purpose of processing, duration of processing, type of processing, types of personal data to be processed and categories of data subjects for each of the Services, as well as a directory of authorised sub-processors upon concluding the Data Processor Agreement , separated by individual service:

  1. ABAX Triplog with additional services
  1. ABAX Worker
  1. ABAX Equipment Control
  1. ABAX Toll Road
  1. ABAX Fleet Management
  1. ABAX Performance

*****

This agreement has been signed via ABAX internet user interface.

ANNEX 1 - ABAX TRIPLOG WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement.

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for the Customer and users via a graphical user interface to provide the services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are used, collected, and stored to improve them and provide appropriate support.

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement:

Name and contact information, registration number and other information about vehicle, serial number on ID card, employee number, position/role, account number, location data (GPS), trip data including start and stop addresses, speed, direction, duration, distance, temperature, digital signature.

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers.

Customers' employees (administrators and drivers).

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.

ANNEX 2 - ABAX WORKER WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement.

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for the Customer and users via a graphical user interface to provide the services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are employed, collected, and stored to improve them and provide appropriate support.

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement :

Name and contact details, date of birth, schedules, crew lists, location data (GPS) project activities, checklists, material usage, images, health, environment and safety related information, contact details for relatives (name and contact information).

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers.

Customers' employees (administrators, project managers, employees).

Customers 'customers (information related to assignments that ABAX's customers could perform for their customers).

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.

ANNEX 3 - ABAX EQUIPMENT CONTROL WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement.

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for customer and users via a graphical user interface to provide services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are employed, collected, and stored to improve them and provide appropriate support.

 

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement :

Equipment identifier (registration number, name, type, etc), location data (GPS / GSM), use of equipment (usage logging /engine timer).

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers.

Customer's employees if they use equipment with ABAX Equipment Control installed.

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.

ANNEX 4 - ABAX TOLL ROAD WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement.

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for customer and users via a graphical user interface to provide services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are employed, collected, and stored to improve them and provide appropriate support.

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement :

Registration number on vehicle equipped with ABAX Toll Road, serial number on toll chip installed in vehicle with ABAX Toll Road, toll passes, name of the toll station and carrier company, time of passage, toll amount.

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers.

Customers' employees (Drivers).

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.

ANNEX 5 - ABAX FLEET MANAGEMENT WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement.

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for customer and users via a graphical user interface to provide services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are employed, collected, and stored to improve them and provide appropriate support.

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement :

Name and contact details, car registration number, other information about the car, serial number on ID card, driver card, employee number, location data (GPS), trip data including start and stop addresses, speed, direction, duration, distance, temperature, driver activities (such as using auxiliary engine, littering, braking, salting, driving / rest time, driving disc data).

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers.

Customers' employees (Drivers).

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.

ANNEX 6 - ABAX PERFORMANCE WITH ADDITIONAL SERVICES

Purpose of processing

To provide the services under the Master Agreement. (Analytics, Best Process, Communication).

Duration of processing

The processing shall last for as long as ABAX provides services to the Customer under the Master Agreement.

Type of processing

Collection, storage and availability of data for customer and users via a graphical user interface to provide services under the Master Agreement.

Availability of data for ABAX Group's technical and support personnel to provide support under the Master Agreement.

Data on how our services are employed, collected, and stored to improve them and provide appropriate support.

Types of personal data to be processed

The following personal data must be processed under the Data Processor Agreement :

Name and contact details, answers to questions related to own or third party personality traits, personality profile, answers to questionnaire, own goals and activities

Logging of usage pattern, statistics and analysis data including IP address.

Categories of data subjects

Customers

Customers 'employees and external (for example, customers' customers or partners)

Upon entering into the Data Processor Agreement , sub-processors appear on the list published in ABAX's online user interface.