DATA PROCESSING (TD)
1. – Data protection of the signatories.
Each party shall act as data controller of the data of the persons who sign this agreement on behalf of the other party. The sole purpose of the processing shall be to make the contractual relationship possible. Data subjects may request further information about the processing of their data or exercise their data protection rights by contacting the relevant data controller.
2. – Order of treatment.
In compliance with Article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the parties agree that with regard to the processing of the personal data of the senders and recipients of the packages, KANGURO shall have the status of data controller, while ESTABLISHMENT shall have the status of data processor. The aforementioned relationship of processor shall be governed by the following covenants:
2.1 – Purpose of treatment:
To perform the service of reception, registration, custody, delivery and, if necessary, return of the parcels sent between sender and recipient, transported by KAGURO’s client transport operators and kept in the custody of the person in charge.
2.2 – Data categories:
Name, surname, postal address, ID, signature, e-mail, telephone and shipping number of senders and recipients of the packages.
2.3 – Treatment activities:
Viewing, recording, storing, sorting, sending, deleting and blocking.
2.4 – Data retention period:
Indefinite from delivery of the goods with a blocking prohibition after the first month.
2.5 – Duration of the treatment order:
For the duration of the main collaboration contract between the parties. Once this has ended, the person in charge must destroy the data or return them to KANGURO.
2.6 – Obligations of the person in charge:
a) To use the personal data being processed, or those collected for inclusion, only for the purpose of this order.
b) To process the data in accordance with KANGURO’s instructions.
c) Keep a written record of all categories of processing activities carried out on behalf of KANGURO in accordance with Article 30 of the GDPR.
d) Have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing. In particular, it shall have measures relating to i) the pseudo-animation and encryption of personal data; ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; iii) the ability to restore availability and access to personal data promptly, in the event of a physical or technical incident; and iv) the process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing.
e) Not to communicate the data to third parties, unless you have the express authorization of KANGURO or you are legally obliged to do so, in which case you will inform KANGURO.f) Not to hire subcontractors, unless authorized by KANGURO. In this case, the subcontractor shall also be obliged to comply with the obligations established in this document for the person in charge. The person in charge shall regulate the relationship of subcontractor and shall be liable to KANGURO for any breaches by the subcontractor.
f) Not to hire subcontractors, unless authorized by KANGURO. In this case, the subcontractor shall also be obliged to comply with the obligations established in this document for the person in charge. The person in charge shall regulate the relationship of subcontractor and shall be liable to KANGURO for any breaches by the subcontractor.
g) To maintain the duty of secrecy with regard to the personal data to which it has had access by virtue of this assignment, even after the end of its object. To this end, the person in charge shall ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
h) To keep at KANGURO’s disposal the documentation evidencing compliance with the obligation set forth in the preceding paragraph.
i) To guarantee the necessary training in matters of personal data protection of the persons authorized to process personal data.
k) Notifying breaches of data security. The person in charge will notify KANGURO, without undue delay, and in any case within a maximum period of 1 working day, and by e-mail, of any breaches of security of the personal data in his charge of which he becomes aware, together with all the relevant information for the documentation and communication of the incident.
m) Make available to KANGURO all the information necessary to demonstrate compliance with its obligations.
Data Processing (TD) – Version March 2023Purpose of processing: For the duration of the main collaboration contract between the parties. Upon termination, the data controller must destroy the data or return them to KANGURO.
