Privacy Data Policy

2.1. The Data Processor, as part of the subscription, has access, on behalf of the Data Controller, to process:

Name and address of the persons receiving the consignments.

Information about the individual type of item sent and the value/price of the item.

3.1. As a natural part of the Data Processor’s status as the provider of subscription-based solutions for handling the Data Controller’s freight processes, the Data Processor stores the information, and similarly the Data Controller exchanges information with relevant third parties in the form of freight companies that the Data Controller uses, and possibly customs authorities (if the consignments are cross-border).

3.2. The purpose of the personal data processing is to manage the Data Controller’s freight processes.

3.3. It is emphasized that the Data Processor may only process personal data to the extent necessary for the operation of the Data Controller’s UPWMS subscription with the Data Processor, and/or if the Data Processor is required by law to process the data otherwise.

3.4. It is emphasized that the freight companies to which personal data is disclosed as part of this agreement are the Data Controller’s (the customer’s) Data Processors, not UPWMS Data Processors. – UPWMS has only an intermediary function in this regard.

4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the UPWMS solution under which the Data Processor shall manage freight processes for the Data Controller.

4.2. The Data Processor is required to comply with the currently-applicable personal data legislation and shall notify the Data Controller immediately if an instruction from the Data Controller is, in the Data Processor’s opinion, contrary to the General Data Protection Regulation.

4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded or disclosed to unauthorised bodies, misused or otherwise processed in breach of personal data legislation, whereby the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.

4.4. The Data Processor is obliged to inform the Data Controller without undue delay of any data breach. In this regard, the Data Processor shall inform the Data Controller of:

• The nature of the data breach.

• If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned. The measures that the Data Processor has taken or proposes should be taken to deal with the data breach, including, where appropriate, measures to limit its potential adverse effects.

• The probable consequences of the data breach.

4.5. The Data Processor shall, at the Data Controller’s request, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.

4.6 The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with the General Data Protection Regulation’s article 28, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. It is emphasised that inspections/audits in every respect take place at the Data Controller’s expense.

4.7. The Data Processor shall secure/ensure that the persons who are authorised by the Data Processor to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.

4.8. If a data subject asks the Data Processor (usually such requests will be made to the Data Controller) for access to and insight into that person’s personal data, the Data Processor shall immediately forward the request to the Data Controller.

4.9. The Data Processor shall assist the Data Controller with appropriate technical and organisational tools to enable the Data Controller to fulfil the Data Controller’s obligations to respond to requests for the exercise of the rights of the data subjects as specified in chapter III of the General Data Protection Regulation.

5.1. As a natural part of the UPWMS solution, the Data Processor is entitled to disclose personal data to the Data Controller’s other data processors (freight companies), and the Data Processor is also entitled to exchange personal data with the customs authorities.

5.2. In all other cases the Data Processor may only disclose or transfer personal data to third parties or sub-processors with the prior agreement with the Data Controller. However, the Data Processor may disclose or transfer personal data without the Data Controller’s instructions, if permitted by law.

5.3. If the Data Processor hands over personal data to another data processor (sub-processor), the Data Processor is obliged to conclude a sub-processor agreement with the sub-processor, whereby the Data Processor’s sub-processor is subject to at least the same conditions as stated in this Privacy Data Policy.

5.4. The Data Processor shall notify the Data Controller if the Data Processor has plans to extend the circle of sub-processors and/or to replace existing sub-processors with others.

5.5. The Data Processor must not transfer personal data to third countries that the EU Commission has not assessed as safe third countries.

5.6. If the information is transferred to foreign sub-processors, it must be stated in the data processing agreement, that sub-processors shall comply with the EU’s General Data Protection Regulation and any other current personal data law in force. Sub-processors in EU countries with specific regulatory requirements regarding data processing must also comply with these requirements.

6.1. The processing of personal data pursuant to this agreement continues until such time as the UPWMS subscription concluded between the parties ceases.

6.2. However, in the event of the termination of a subscription, the Data Processor is bound by this agreement for as long as the Data Processor has access to personal data originating from the Data Controller.

6.3. In the event of termination of a UPWMS subscription, the Data Processor is required to delete any backups and other copies of the personal data

7.1. UPWMS will maintain appropriate access controls to protect the Nonpublic Information throughout the term of the Agreement and at all times while UPWMS and UPWMS Parties have access to or possession of the Client’s Nonpublic Information.

7.2. Client will be solely responsible for implementing and maintaining access controls on its own systems to which UPWMS may be granted access in accordance with the provision of services.

8.1. UPWMS will limit access to the Client’s Nonpublic Information to those individuals who have a business need to access the Client’s Nonpublic Information in connection with the services provided to Client (“Authorized Persons”).