Quartix Data Processing Terms

1. Background and Intention

The company, partnership, association or individual agreeing to these terms (the “Customer”), and Quartix Technologies plc, Quartix Limited, Quartix SAS, Quartix Inc or any other entity that is directly or indirectly controlled by Quartix Technologies plc (as applicable, “Quartix”), have entered into an agreement (the “Agreement”) whereby Quartix supplies Services to the Customer.

As part of this Agreement, the Customer will be sharing Data with Quartix. The intention of these Data Processing Terms (the “Terms”) is to ensure there are proper arrangements in place relating to Data passing between the Customer and Quartix. These Terms form part of the Agreement and, in the event of any discrepancy between the Agreement and these Terms, the Agreement shall take precedence.

2. Definitions and Interpretation

Within these Terms:

‘Data Protection Legislation’ means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or data protection of Personal Data or corporate data (including Directives 95/46/EC, 2002/58/EC and 97 /66/EC, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (512003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the GDPR.

‘Data’ means any data which is captured by Data Protection Legislation, which includes but is not limited to personal data and sensitive data as defined by GDPR.

‘GDPR’ means the General Data Protection Regulation or the UK GDPR (as defined in the UK Data Protection Act 2018), as applicable

‘Services’ means the services provided by Quartix as part of the Agreement.

‘Controller’ has the meaning given to it in Data Protection Legislation.

‘Data Subject’ has the meaning given to it in Data Protection Legislation.

‘Personal Data’ has the meaning given to it in Data Protection Legislation.

‘Processor’ has the meaning given to it in Data Protection Legislation.

‘Sub-Processor’ has the meaning given to it in Data Protection Legislation.

‘Supervisory Authority’ has the meaning given to it in Data Protection Legislation.

3. Data Processing

The Customer warrants, represents and undertakes to Quartix that it has lawful grounds for Processing the Data, that it has informed and will continue to inform the Data Subjects of the purpose of processing the Data and shall at all times comply with its obligations under Data Protection Legislation.

Quartix will maintain the confidentiality of the Data and agrees to process the Data only in accordance with Data Protection Legislation and the following stipulations (to the extent that they are required by Data Protection Legislation):

a) Quartix shall process the Data;

(i) only to the extent set out in the Quartix Customer Privacy Notice (https://www.quartix.com/en-gb/quartix-customer-privacy-notice/) which specifies the data that may be collected and the purposes for which it may be used;

(ii) only in such a manner as is necessary for its performance of the Services and in accordance with the Customer’s instructions as set out in the Agreement or otherwise agreed in writing between the parties;

(iii) only in the European Economic Area or the UK, unless the transfer has been authorised by the Customer or is to a country that the European Commission or, in respect of a transfer from the UK, the European Commission or an applicable Supervisory Authority, has decided from time to time ensures an adequate level of protection in accordance with Data Protection Legislation, or the transfer has appropriate safeguards in place, as set out within GDPR;

(iv) where applicable, in accordance with the Standard Contractual Clauses (Processors) approved by the European Commission in Commission Decision C(2010)593;

b) Quartix shall ensure that all employees and other representatives of Quartix accessing the Data

(i) are aware of these Terms; and

(ii) have received training on the Data Protection Legislation and related good practice; and

(iii) are bound by confidentiality obligations;

c) Quartix and the Customer have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

d) The Customer grants Quartix the right to involve third parties (including agents and sub-contractors) in the processing of the Data. Quartix shall ensure that it has agreements in place with such third parties, which offer an equivalent level of protection of the Data as that specified in these Terms.  Quartix will remain liable to the Customer for such third parties’ performance of privacy obligations in respect of the Data.

e) Taking into account the nature of the processing, Quartix shall adopt such technical and organisational measures as are necessary to enable it to, insofar as it is able, assist the Customer to fulfil its obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc;

f) Quartix shall provide to the Customer such assistance as it is able to enable the Customer to comply with its obligations under Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to Data Subjects, data protection impact assessments and when necessary consultation with the ICO (or relevant Supervisory Authority;

g) Quartix shall maintain a written record of all categories of processing activities carried out on behalf the Customer, containing all information required under the Data Protection Legislation, and, make this record available to any relevant European Union or Member State supervisory authority (and/ or its UK equivalent) where requested by that supervisory body;

h) To the extent required by Data Protection Legislation, Quartix shall delete the Data at any time reasonably instructed to do so by the Customer and, in any event, on completion of the processing in accordance with Data Protection Legislation (after any retention period). Where the Customer is a fleet vehicle tracking customer, it shall have the option to set the retention period of the data by logging into the fleet tracking application. Where Quartix is to delete the Data, deletion shall include destruction of all existing copies (to the extent required by Data Protection Legislation).

i) To the extent required by Data Protection Legislation, Quartix shall, if at any time reasonably requested to do so by the Customer, make available to the Customer the information necessary to demonstrate compliance with the obligations laid down under these Terms and allow for any reasonable requests for audits from the Customer, provided that the Customer compensates Quartix for any and all of its costs incurred in supporting the requirements of the audit (including the costs of employee time), access to certain records may be restricted by Quartix where such records are deemed commercially sensitive by Quartix (such judgements to be made by Quartix in its absolute discretion), no penetration testing, vulnerability scanning, or other security tests are performed, no records or copies of records may be removed from Quartix’s sites, Quartix receives 30 days notice prior to the audit and non-disclosure agreements are signed by any and all parties wishing to perform the audit (including any parties acting on the Customer’s behalf);

j) Quartix shall observe suitable arrangements relating to the secure transfer of the Data from the Customer to Quartix and the safe keeping of the Data by the Quartix;

k) Quartix shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;

l) To the extent required by Data Protection Legislation, Quartix shall if reasonably requested to do so by the Customer promptly return, amend, transfer, copy or delete any Data.

4. Notice Obligations etc

To the extent required by Data Protection Legislation, Quartix shall notify the Customer promptly on becoming aware of any actual, suspected or threatened loss, leak or unauthorised processing or disclosure of any Data.; promptly upon receipt of a notice from any Supervisory Authority, which relates directly or indirectly to the processing of the Customer’s Personal Data and shall cooperate with that Supervisory Authority; promptly if any of the Customer’s Personal Data in the possession and/or control of Quartix is lost, corrupted or rendered unusable for any reason; promptly if Quartix have reason to believe that an action or instruction from the Customer infringes Data Protection Legislation.

5. Termination

On the expiry or termination of these Terms, Quartix shall immediately cease to use, and shall procure that its agents and sub-contractors cease to use, the Data and shall arrange for its safe return or destruction (at the Customer’s option) at the relevant time (unless European Union, Member State and/ or UK law requires storage of the Personal Data).

6. Rights in Personal Data

Quartix compiles data collected as part of the Services in aggregated and anonymised form (the ‘Aggregated Data’) and the Customer grants permission for Quartix to do this. Quartix acquires the full rights to and ownership of the Aggregated Data and ceases to be a Processor acting on behalf of the Customer at the point that this data is compiled in anonymised form and shall be under no obligation to keep confidential, delete, return or make any amendments to the Aggregated Data or any part thereof.

Need to speak to one of our experts?

01686 806 663

01686 806 663

Get a quote

Get a quote

We’ll help you decide which vehicle tracking option is right for you