DATA PROTECTION POLICY FOR driverDOC SERVICES
Last Updated: October 5, 2024
This Data Protection Policy for driverDOC Services (“DPP”) is incorporated into and made part of the Agreement. Unless otherwise defined in this DPP, capitalized terms will have the meaning given to them in the Agreement. In the event of any conflict between these documents, the following order of precedence applies (in descending order): (a) any Binding Corporate Rules; (b) the Standard Contractual Clauses as provided herein; (c) the body of the DPP; (d) any documents attached to the DPP; and (e) the Agreement.

1. DEFINITIONS. For purposes of this DPP:

“Controller,” “Business,” “Processor,” and “Service Provider” (or equivalent terms) have the meanings set forth under Data Protection Laws.

“Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, and breach notification that apply to driverDOC’s Processing of Personal Data, including, without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the United Kingdom Data Protection Act of 2018 (“UK GDPR”); the Australian Privacy Act (No. 119, 1988) (as amended) (“the Privacy Act”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (“LGPD”); the Singapore Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”); and Japan’s Act on the Protection of Personal Information (Act No. 57 of 2003 as amended) (“APPI”).

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates (or equivalent term under Data Protection Laws).

“Data Transfer” means either a transfer of Personal Data from a Controller to a Contracted Processor, an onward transfer of Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 8 below.

“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” or equivalent terms that is Processed by driverDOC in connection with providing driverDOC Services under the Agreement, and such terms shall have the same meaning as defined by Data Protection Laws.

“Process” and “Processing” have the meaning set forth under Data Protection Laws and the Security Attachment for driverDOC Services, and include any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2. SCOPE AND PURPOSES OF PROCESSING.

2.1 Depending on Data Protection Laws, Customer is a Controller or Business and driverDOC is a Processor or Service Provider with respect to driverDOC’s Processing of Personal Data to provide the driverDOC Services under the Agreement. This DPP applies to driverDOC’s Processing of Personal Data on Customer’s or Customer Affiliate’s behalf (as applicable) for the provision of the driverDOC Services as specified in the Agreement. 

2.2 The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPP, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Laws.

2.3 driverDOC will Process Personal Data solely: (a) to fulfill its obligations to Customer under the Agreement, including this DPP; (b) on Customer’s behalf pursuant to Customer’s instructions; and (c) in compliance with Data Protection Laws. driverDOC will not “sell” Personal Data (as such term in quotation marks is defined in Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms are defined in Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer. driverDOC will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-personal data or any other data without the express authorization of Customer.

2.4 Customer will ensure that: (a) all such notices have been given, and all such authorizations have been obtained, as required under Data Protection Laws, for driverDOC (and its Affiliates and Subprocessors) to process Personal Data as contemplated by the Agreement and this DPP; (b) it has complied, and will continue to comply, with all Data Protection Laws; and (c) it has, and will continue to have, the right to transfer, or provide access to, Personal Data to driverDOC for Processing in accordance with the terms of the Agreement and this DPP.

2.5 Unless otherwise specified in the Agreement, Customer agrees it will not provide driverDOC with any sensitive or special categories of Personal Data that impose specific data security or data protection obligations on driverDOC in addition to or different from those specified in this DPP (including any appendix to the DPP) or Agreement.

3. PERSONAL DATA PROCESSING REQUIREMENTS. driverDOC will:

(a) Ensure that the persons it authorizes to Process the Personal Data are subject to confidentiality obligations regarding such activity or are under an appropriate statutory obligation of confidentiality.

(b) Promptly notify Customer of: (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government request for access to or information about driverDOC’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable laws. driverDOC will provide Customer with commercially reasonable cooperation and assistance in relation to any such request. If driverDOC is prohibited by applicable laws from disclosing the details of a government request to Customer, driverDOC shall use all available legal mechanisms to challenge any demands for data access through the applicable government process that it receives, as well as any non-disclosure provisions.

(c) Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by Data Protection Laws.

(d) Provide commercially reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to driverDOC under Data Protection Laws to consult with a regulatory authority in relation to driverDOC’s Processing or proposed Processing of Personal Data.

(e) Comply with the CCPA's restrictions pursuant to 1798.140 (e)(6) regarding combining Personal Data with personal data received from, or on behalf of, another person or persons for the purposes enumerated in the CCPA. With respect to its obligations under CCPA, driverDOC certifies that it will comply with them under this DPP (including, without limitation, the restrictions under Sections 2 and 3).

(f) Promptly notify Customer if it determines that: (i) it can no longer meet its obligations under this DPP or Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes Data Protection Laws.

4. DATA SUBJECT REQUESTS.

4.1 If driverDOC receives a direct request from a Data Subject regarding rights under Data Protection Laws, driverDOC will promptly notify Customer of the request if the Data Subject has identified Customer as Controller of the Personal Data subject to the request and may inform the Data Subject that it has done so. driverDOC will provide reasonable assistance to Customer in fulfilling its obligations under Data Protection Laws to respond to Data Subject requests, but Customer understands and agrees that, as a Controller, Customer is solely responsible for responding to such Data Subject’s requests or inquiries and that driverDOC has no responsibility to respond to a Data Subject for or on behalf of Customer.

4.2 If Customer receives a request or inquiry from a Data Subject related to Personal Data Processed by driverDOC, Customer can either: (a) access its driverDOC Services containing Personal Data to address the request or inquiry; or (b) to the extent such access is not available to Customer, contact driverDOC customer support for additional assistance to enable Customer to address the request or inquiry.

5. DATA SECURITY.

5.1 driverDOC will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data. Details regarding the specific security measures that apply to the driverDOC Services are as described in the Binding Corporate Rules, the Agreement and in the Security Attachment for driverDOC Services. Customer acknowledges that driverDOC’s security measures are subject to technical progress and development and that driverDOC may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the driverDOC Services purchased by Customer.

5.2 Customer shall be responsible for properly implementing access and use controls and configuring certain features and functionalities of the driverDOC Services that Customer may elect to use and agrees that it will do so in accordance with this DPP and the Agreement in such manner that Customer deems adequate, including, without limitation, maintaining appropriate security, protection, deletion, and backup of its own Personal Data.

6. DATA BREACH. driverDOC will notify Customer without undue delay upon becoming aware of any Data Breach and will assist Customer in Customer’s compliance with its Data Breach-related obligations, including, without limitation, by:

(a) Taking commercially reasonable steps to mitigate the effects of the Data Breach and reduce the risk to Data Subjects whose Personal Data was involved; and

(b) Providing Customer with the following information, to the extent known:

(i) The nature of the Data Breach, including, where possible, how the Data Breach occurred, the potential categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

(ii) The likely consequences of the Data Breach; and

(iii) Measures taken or proposed to be taken by driverDOC to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects and causes.

(c) driverDOC’s obligation to report a Data Breach under this DPP is not and will not be construed as an acknowledgement by driverDOC of any fault or liability of driverDOC with respect to such Data Breach. Customer is solely responsible for determining whether to notify impacted Data Subjects and for providing such notice, and for determining whether relevant supervisory authorities need to be notified of a Data Breach as may be required for Customer’s own business and activities. Notwithstanding the foregoing, Customer agrees to reasonably coordinate with driverDOC on the content of Customer’s intended public statements or required notices for affected Data Subjects and/or notices to relevant supervisory authorities regarding the Data Breach.

7. SUBPROCESSORS.

7.1 Customer acknowledges and agrees that driverDOC may use driverDOC Affiliates and other Subprocessors (as defined in Data Protection Laws) to Process Personal Data in accordance with the provisions within this DPP and Data Protection Laws. Where driverDOC subcontracts any of its rights or obligations concerning Personal Data, including to any Affiliate, driverDOC will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Data Protection Laws and this DPP and will remain liable for the performance of all its obligations under this DPP, whether or not performed by driverDOC, its Affiliates or Subprocessors.

8. INTERNATIONAL DATA TRANSFERS.

8.1 driverDOC will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with Data Protection Laws. Where driverDOC engages in an onward transfer of Personal Data, driverDOC shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.

8.2 To the extent driverDOC’s cross-border Processing of Personal Data involves a transfer of Personal Data subject to cross-border transfer obligations under Data Protection Laws, the Binding Corporate Rules apply to the Processing of Personal Data by driverDOC and/or its Affiliates as part of the provision of driverDOC Services under the Agreement. driverDOC agrees to use commercially reasonable efforts to maintain the regulatory authorization or other appropriate cross-border transfer safeguards for the duration of the Agreement.

8.3 With respect to Personal Data transferred from the United Kingdom, for which the UK GDPR (and not the GDPR or FADP) governs the international nature of the transfer, the International Data Transfer DPP to the EU SCCs (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this DPP and takes precedence over the rest of this DPP as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. The UK SCCs shall be deemed complete as follows: (a) the Parties’ details shall be the Parties and their Affiliates to the extent any of them are involved in such transfer; (b) the Key Contacts shall be the contacts set forth in the Agreement; (c) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (d) either Party may end this DPP as set out in Section 19 of the UK SCCs; and (e) by entering into this DPP, the Parties are deemed to be signing the UK SCCs.

8.4 For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPP as set forth in Section 8.3 of this DPP, but with the following differences, to the extent required by the FADP: (a) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (b) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (c) the term “Member State” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (d) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

9. AUDITS.

To the extent required by Data Protection Laws, driverDOC shall make available such information reasonably requested by Customer to confirm driverDOC’s compliance with this DPP (e.g., SOC, similar audit reports issued by a qualified third-party auditor, “Audit Report”), for driverDOC Services. Except as provided otherwise in the Agreement regarding audits, if Customer has a reasonable basis to conclude that an Audit Report provided by driverDOC is not satisfactory to confirm such compliance, Customer may, at Customer’s sole expense, upon thirty (30) days’ prior notice, request an audit during normal business hours of those driverDOC systems and records relevant to driverDOC’s Processing of Personal Data on Customer’s behalf. Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period.

10. DESTRUCTION OR RETRIEVAL OF PERSONAL DATA.

Prior to termination or expiration of the Agreement, Customer may retrieve Personal Data processed by driverDOC in accordance with the terms of the Agreement and at Customer’s request, driverDOC will promptly delete all Personal Data in its possession or control as soon as reasonably practicable, save that this requirement will not apply to the extent that driverDOC is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data driverDOC will securely isolate and protect from any further processing, except to the extent required by applicable law. For Personal Data stored in Customer’s service environment, Customer acknowledges that it is required to take appropriate action to back up or otherwise store separately any Personal Data while the driverDOC Services environment is still active prior to termination.

11. MISCELLANEOUS PROVISIONS.

Notwithstanding anything else to the contrary in the Agreement, driverDOC reserves the right to make any modification to this DPP as may be required to comply with Data Protection Laws so long as any such modification shall not degrade any service functionalities or safeguards associated with providing the driverDOC Services.

Any claims brought under this DPP shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

This DPP will remain in force and effect through the term of the Agreement, or for as long as driverDOC is Processing Personal Data subject to this DPP, whichever is longer.