DATA PROCESSING AGREEMENT
This Data Protection Agreement (“DPA”) is between Planes Moving & Storage, Inc. and its affiliates (collectively, “Company”), and the service provider (“Service Provider”) named in the Services Agreement executed by the parties under which Service Provider has been engaged to provide services to Company (the “Services Agreement”).
1. Definitions. In this DPA, the following terms shall have the meanings below. Capitalized terms not defined in this DPA have the meaning ascribed to those terms in the Services Agreement.
“Applicable Data Protection Law” means the data protection and privacy laws and regulations to which the parties are subject, including, without limitation, state, European Data Protection Law, Non-European Data Protection Law, as well as any statutory codes of practice or other binding rules and regulations issued by Supervisory Authorities.
“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.
“Company Data” means any data or information of Company, its affiliates, or any of their respective customers or third-parties that:
(i) is provided to or obtained by Service Provider in connection with the Services Agreement;
(ii) is created, generated, collected, or otherwise processed by Service Provider in connection with the Services Agreement;
(iii) resides in or is accessed through Company Systems or third-party systems that are provided, operated, supported, or used by Service Provider in connection with the Services; or
(iv) is derived from any of the
“Company Information” means collectively, Company Data and Personal Data.
“Company Systems” means Company’s data storage and data processing systems.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data.
“Data Subject” means the individual to which Personal Data relates.
“DPA” means this Data Protection Agreement.
“EEA” means the European Economic Area.
“European Data Protection Law” means, as applicable: (i) the GDPR, (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the UK GDPR; (v) the Swiss FADP, or (vi) any other law governing data privacy and protection in the European Union, UK, or EEA.
“GDPR” means the European Union General Data Protection Regulation (Regulation (EU) 2016/679).
“Member State” means one of the member states of the European Union.
“Non-European Data Protection Law” means data protection or privacy legislation, regulations, guidance, and statutory codes of practice in force outside of the EEA.
“Personal Data” means personal information from or about an individual including, but not limited to name, job title, department, name of corporation, postal or e-mail address, phone or fax number, username, password, and IP address. “Personal Data” is a subset of Company Information and includes information that identifies an individual, can reasonably be associated or linked with an individual, and Sensitive Personal Data.
“Process” or “Processing” means any operation or set of operations that is performed upon Company Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” means the entity that processes Company Information on behalf of the Controller.
“Security Incident” means any unauthorized access, acquisition, disclosure, loss, alteration, destruction, or use of Company Information.
“Sensitive Personal Data” means generally, medical and/or health related data, information regarding trade union membership, fingerprints, race or ethnic origin, political affiliations, sex life, religion, credit card or bank account number(s), social security or national identification number, data relating to criminal history or background, objectionable behavior, or other Personal Data that is considered sensitive under Applicable Data Protection Law.
“Standard Clauses” means the standard contractual clauses for the transfer of personal data published by the European Commission on 4 June 2021, or any subsequent version thereof released by the European Commission, with optional clauses removed.
“Subprocessor” means a natural or legal person, public authority, agency, or body other than the Data Subject or Company, who is engaged by Service Provider, or an affiliate of Service Provider, to process Personal Data.
“Supervisory Authority” means an independent public authority that is responsible for monitoring the application of Applicable Data Protection Law with jurisdiction over the parties.
“Swiss FADP” means, as applicable, the Federal Act on Data Protection of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised Federal Act on Data Protection of 25 September 2020 (September) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022).
“UK” means the United Kingdom.
“UK GDPR” means the GDPR as amended and incorporated into the law of England and Wales, Scotland, and Northern Ireland under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2. Compliance with Applicable Data Protection Laws. Service Provider represents and warrants that it i) shall only Process Company Information for the provision of services as required under the Services Agreement and/or as otherwise instructed in writing (email or otherwise) and only for as long as needed for the provision of services or in compliance with the instructions, and always in accordance with Applicable Data Protection Laws including. Service Provider will immediately notify Company if, in its reasonable opinion, an instruction to Process Company Information violates Applicable Data Protection Laws.
3. Subprocessors. Service Provider will not disclose, transfer, or otherwise make available Company Information to any third-party without first providing written notice to Company at least 30 days in advance of such disclosure or transfer and consent by Company. Service Provider shall require any approved Subprocessor to comply with all the terms of this DPA and remain fully liable for any Subprocessor’s failure to comply with this DPA or Applicable Data Protection Law.
4. Confidentiality. Service Provider will ensure that persons authorized to process Company Information have contractually committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Data Subject Requests. Service Provider shall promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data and ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which Service Provider is subject, in which case Service Provider shall to the extent permitted by Applicable Laws inform Company of that legal requirement before Service Provider responds to the request.
6. Assistance with Fulfilling Obligations to Data Subjects. Service Provider will assist Company in fulfilling its obligations to respond to Data Subject requests through appropriate technical and organizational measures. This includes maintaining accurate, complete, and up-to-date Data Subject Request Records.
7. Records of Processing. Service Provider will maintain records of processing activities under this DPA and the Services Agreement. Company reserves the right to inspect these records under this section at any time.
8. Data Protection Impact Assessments. If Service Provider reasonably believes or becomes aware that Processing of Company Information is likely to result in a violation of the data protection rights and/or freedoms given to Data Subjects under Applicable Data Protection Laws, it shall promptly inform Company in writing and provide all such reasonable and timely assistance as may be required in order to conduct a data protection impact assessment. Service Provider represents and warrants that it has no reason to believe that the Applicable Data Protection Laws prevent it from complying with the terms and conditions of this DPA. In the event of changes to Applicable Data Protection Laws which are likely to have a substantial, adverse effect on Service Provider’s representations, warranties and obligations hereunder, such impacted party will promptly notify the other in writing.
9. Information Security Program. Service Provider shall implement and maintain throughout the term of this DPA, or for as long as Service Provider remains in possession of Company Information, appropriate technical and organizational security measures to protect Company Information, including protection against Security Incidents. Such security measures shall include, at a minimum, the measures specified in Annex II of the Standard Clauses. In the event the Standard Clauses are not applicable, technical and organizational security measures must be in accordance with Applicable Data Protection Laws and highest industry standards.
10. Audits. Service Provider will cooperate as directed by Company in any audits conducted by or on behalf of Company or its affiliates, a Supervisory Authority, or other authorities with respect to the processing of Company Information.
11. Security Incidents. Service Provider shall notify Company immediately in writing (and in any event, no later than twenty-four (24) hours from becoming aware) in the event that: (i) any Company Information is used, disclosed, or otherwise processed in violation of this DPA, the Services Agreement, or Applicable Data Protection Law, or (ii) if Service Provider discovers, is notified of, or suspects that a Security Incident has occurred, may have occurred, or may imminently occur. Service Provider shall provide a detailed description of the Security Incident, the type of data affected by the Security Incident, the identities of all affected Data Subjects, and any other information reasonably requested concerning the Security Incident as soon as this information can be collected or becomes available. Service Provider shall take immediate action, at its own expense, to investigate the Security Incident and identify, prevent, mitigate, and remediate the Security Incident and its effects, and carry out any recovery or other action (e.g., mailing statutorily required notices) necessary to respond to and remedy the Security Incident.
12. Indemnity. Service Provider shall defend, indemnify, and hold harmless Company, its customers, officers, directors, employees, agents, representatives and affiliates from and against all losses, claims, costs, harms, expenses (including reasonable legal fees and expenses), liabilities or damages suffered or incurred as a result of a Data Breach, breach of this DPA and/or Applicable Data Protection Laws by Service Provider.
13. Deletion or Return of Data. Upon termination or expiration of the Services Agreement, Service Provider shall, upon request of Company, destroy or return all Company Information in the other party’s possession or control (including any Company Information provided to a Controller, Processor, or Subprocessor for Processing). This requirement shall not apply to the extent that a party is required by Applicable Data Protection Laws to retain some or all of the Company Information, in which event such Company Information shall be isolated and protected in accordance with this DPA.
14. Cross-Border Transfers. If European Data Protection Laws require that appropriate safeguards are put in place, the Standard Clauses will be incorporated by reference and will form an integral part of this DPA and the Services Agreement as follows:
i. For European Personal Data that is subject to the GDPR:
- Company is the “data exporter” and Service Provider is the “data importer”;
- Module Two “Controller to Processor” terms apply to the extent Company is a Controller of European Personal Data;
- in Clause 7, the optional docking clause applies;
- in Clause 9, Option 2 applies;
- in Clause 11, the optional language is deleted;
- the Annexes of the Standard Clauses will be deemed completed with the information set out in the Annex 1 of this DPA;
- the Supervisory Authority that will act as a competent supervisory authority will be determined in accordance with the GDPR; and
- if and to the extent the Standard Clauses conflict with any provision of this DPA or the Services Agreement, the Standard Clauses will prevail to the extent of such conflict.
ii. For European Personal Data that is subject to the UK GDPR, the Standard Clauses will apply and the following modifications:
- the Standard Clauses will be modified and interpreted in accordance with the UK Addendum, the terms of which will be incorporated by reference and form an integral part of this DPA and the Services Agreement;
- Tables 1, 2, and 3 of the UK Addendum will be deemed completed with the information set out in Annex 1 of this DPA and Table 4 will be deemed completed by selecting “neither party”; and
- any conflict between the terms of the Standard Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
iii. For European Personal Data that is subject to the Swiss FADP, the Standard Clauses will apply and the following modifications:
- references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP;
- references to “EU,” “Union,” and “Member State law” will be interpreted as references to Swiss law;
- references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in ”
15. CCPA. For processing of Personal Data that is subject to the CCPA, Service Provider shall not sell or share (as defined in the CCPA) Personal Data, retain, use, or disclose Personal Data outside of the direct business relationship between Service Provider and Company; or combine Personal Data with information received from any other
16. Notices. Any notices or communications required or permitted to be given by Service Provider under this Agreement shall be given by email to privacy@planescompanies.com.
17. Governing Law. This DPA will be governed by and construed in accordance with the laws of the state of Ohio without regard for its choice of law rules.
ANNEX 1 – DETAILS OF PROCESSING
A. List of Parties
Data exporter
Name: Planes Moving & Storage, Inc.
Address: 9823 Cincinnati-Dayton Road, West Chester, OH 45069
Contact details: As set forth in the Services Agreement
Role: Controller
Activities: Personal Data processing pursuant to this DPA and in connection with the Services Agreement
Data importer
Name: As set forth in the Services Agreement
Address: As set forth in the Services Agreement
Contact details: As set forth in the Services Agreement
Role: Processor
Activities: Personal Data processing pursuant to this DPA and in connection with the Services Agreement
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred: As set out in this DPA and/or the Services Agreement.
Categories of Personal Data Transferred: As set out in this DPA and/or the Services Agreement.
Sensitive Data Transferred (if applicable): As set out in this DPA and/or the Services Agreement.
Frequency of transfer: Continuous
Purpose of the transfer and further processing: As set out in this DPA and/or the Services Agreement.
Period for which Personal Data will be retained: As set out in this DPA and/or the Services Agreement.