Evermile Data Processing Agreement For Delivery Partners
Last Updated: 2 October 2022
This Data Processing Agreement for Delivery Partners (“DPA”) forms an integral part of, and is subject to the Delivery Partnership Agreement (“Principal Agreement”), entered into by and between Evermile UK Limited (“Evermile”) and Delivery Partner, as defined in the Principal Agreement (the DPA together with the Principal Agreement – “Agreement"). Evermile and Delivery Partner are hereinafter jointly referred to as “Parties” and individually as “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in Section 13 and in the Principal Agreement.
1. Processing of Evermile Personal Data.
1. 1This DPA shall apply with respect to Personal Data obtained by Delivery Partner as a result of Evermile’s use of Delivery Partner’s Services, as described in Annex 1 (Details of Processing of Evermile Personal Data) attached hereto. In connection with each Party’s rights and obligations under this Agreement, as between the Parties, Delivery Partner shall process Evermile Personal Data solely as a data Processor acting on behalf of Evermile and Evermile shall be deemed the data Controller of such Personal Data.
1. 2 Delivery Partner shall not Process Evermile Personal Data other than according to Evermile’s documented reasonable and customary instructions as specified in the Principal Agreement or this DPA, which were specifically and explicitly agreed to by Delivery Partner, unless such Processing is explicitly required by Applicable Laws. The Delivery Partner shall inform Evermile of such legal requirement before processing unless the law prohibits such action on public interest grounds.
1.3 Evermile instructs Delivery Partner (and authorizes Delivery Partner to instruct each Sub Processor) to (i) Process Evermile Personal Data only to the extent required for the provision of Delivery Partner's Services under the Agreement; and, in particular (ii) subject to Evermile’s prior written consent transfer Evermile Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with Sections 1.1 -1.2 above, Section 11 below, and the Principal Agreement, and in accordance with Applicable Laws.
1.4 Furthermore, Evermile warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 1.1 and any additional instructions as provided pursuant to the Principal Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Evermile Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Delivery Partner is lawfully processing the Evermile Personal Data.
1. 5 Evermile sets forth the details of the Processing of Evermile Personal Data, as required by Article 28(3) of the GDPR in Annex 1 (Details of Processing of Evermile Personal Data), attached hereto.
2. Evermile Obligations.
Evermile agrees not to provide Delivery Partner with any special categories of data, as defined in Article 9 of the GDPR, other than as provided in Annex 1.
3. Delivery Partner Personnel.
Delivery Partner shall ensure that access to the Evermile Personal Data is limited to a need to know/access basis, and that all Delivery Partner personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Evermile Personal Data.
Delivery Partner shall, in relation to the Evermile Personal Data, implement appropriate technical and organizational measures identified under Annex 4 (Technical and Organizational Measures) to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR, to ensure an appropriate level of security for the Evermile Personal Data, which has to be sustained throughout the entire duration of this DPA, aimed to ensure the ongoing confidentiality, security of Processing systems and services in connection with the Processing of the Evermile Personal Data, and aimed to restore the availability and access to Evermile Personal Data in a timely manner in the event of a physical or technical incident. In assessing the appropriate level of security, Delivery Partner shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub Processing.
5.1 Evermile authorizes Delivery Partner and each Delivery Partner Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Agreement.
5.2 Delivery Partner and each Delivery Partner Affiliate may continue to use those Sub Processors already engaged by Delivery Partner or any Delivery Partner Affiliate as of the date of this DPA as identified in Annex 3 to this DPA (List of authorized Sub Processors), including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Evermile requested Delivery Partner to use.
5.3 Delivery Partner may appoint new Sub Processors and shall give prior notice of the appointment of any new Sub Processor (for instance by e-mail), by specific reference to such Sub Processor (e.g., by name of Sub Processor), including relevant details of the Processing to be undertaken by the new Sub Processor. If, within fifteen (15) days of such notice, Evermile notifies Delivery Partner in writing of any objections to the proposed appointment, Delivery Partner shall not appoint for the processing of Evermile Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Evermile, and Evermile has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Evermile’s reasonable objections then Evermile may, by written notice to the Delivery Partner, with immediate effect, terminate the Agreement to the extent that it relates to the services which require the use of the proposed Sub Processor without bearing liability for such termination. Otherwise, Evermile shall be deemed to have accepted such appointment.
5.4 With respect to each new Sub Processor, Delivery Partner shall: (i) before the Sub Processor first Processes Evermile Personal Data, ensure that the Sub Processor is committed to provide the level of protection for Evermile Personal Data required by the Agreement; and (ii) ensure that the arrangement between Delivery Partner and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Evermile Personal Data as those set out in this DPA that meet the requirements of Data Protection Laws.
6. Data Subject Rights.
6.1 Evermile shall be responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Evermile Personal Data, etc.). Taking into account the nature of the Processing, Delivery Partner shall assist Evermile, to fulfill Evermile's said obligations with respect to such Data Subject requests, as applicable.
6.2 Delivery Partner shall (i) unless otherwise required under applicable laws, promptly notify Evermile if it receives a request from a Data Subject under any Data Protection Law in respect of Evermile Personal Data; and; (ii) ensure that it does not respond to that request except on the documented instructions of Evermile or as required by Applicable Laws to which the Delivery Partner is subject, in which case Delivery Partner shall, unless prohibited to do so under Applicable Laws, inform Evermile of that legal requirement before it responds to the request.
7. Personal Data Breach.
7.1 Delivery Partner shall notify Evermile without undue delay upon Delivery Partner becoming aware of a Personal Data Breach affecting Evermile Personal Data, in connection with the Processing of such Evermile Personal Data by Delivery Partner or Delivery Partner Affiliates. In such event, Delivery Partner shall provide Evermile with information to assist Evermile to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws.
7.2 At the written request of the Evermile, Processor shall cooperate with Evermile and take such steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation.
8.1 At the written request of the Evermile, the Delivery Partner and each Delivery Partner Affiliate shall provide reasonable assistance to Evermile, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws.
9. Deletion or return of Evermile Personal Data.
9.1 Subject to Section 9.2, Delivery Partner shall promptly and in any event within up to sixty (60) days of the date of cessation of any Services involving the Processing of Evermile Personal Data, delete or anonymize all copies of such Evermile Personal Data, except such copies as authorized including under this DPA or required to be retained by the Processor in accordance with applicable law and/or regulation.
9.2 Subject to the Agreement, Delivery Partner may retain Evermile Personal Data to the extent authorized or required by applicable laws, provided that Delivery Partner shall ensure the confidentiality of all such Evermile Personal Data and shall ensure that it is only processed for such legal purpose(s).
9.3 Upon Evermile’s prior written request, Delivery Partner shall provide written certification to Evermile that it has complied with this Section 9.
10. Audit Rights.
10.1 To the extent required under applicable Data Protection Laws, subject to Section Error! Reference source not found., Delivery Partner shall make available to Evermile, (or a reputable independent auditor mandated by Evermile) in coordination with Delivery Partner, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by Evermile or such reputable auditor in relation to the Processing of the Evermile Personal Data by Delivery Partner, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2 To the extent feasible, Evermile shall give Processor reasonable prior written notice (which shall not be required in connection with an actual, or reasonably suspected Personal Data Breach relating to Evermile Personal Data) of any audit or inspection to be conducted under Section 9.1 and shall not cause (and take reasonable steps to ensure that each of its mandated auditors does not cause) any damage or injury to Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Delivery Partner need not give access to its premises for the purposes of such an audit or inspection: (i) to any individual unless he or she produces reasonable evidence of identity and authority; (ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Evermile has given notice to Delivery Partner that this is the case before attendance outside those hours begins, and; (iii) for premises outside the Delivery Partner's control (such as data storage farms of Delivery Partner's cloud hosting providers).
11. Restricted Transfers.
Processing of Personal Data shall be carried out by the Delivery Partner exclusively within the EU / EEA or the United Kingdom, unless otherwise previously explicitly approved in writing by Evermile. The approval shall be deemed granted for Sub Processors enumerated in the table Annex 3 below. The Delivery Partner undertakes to ensure that the transfer of personal data outside the EU / EEA or the United Kingdom, if applicable, is carried out on the basis of the Standard Contractual Clauses.
To the extent one Party that is subject to the GDPR transfers Personal Data to the other Party who has its place of business in a Third Country that has not been recognized by the European Commission as an Adequate Country, the terms of the transfer between the Parties shall be governed by the EU Standard Contractual Clauses incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, in the extent applicable to the transfer. The particular roles of the Parties, the applicable extent, and the relevant modules of the EU Standard Contractual Clauses that will apply to such transfers are defined in Section A of Annex 2. Section A of Annex 2 includes all necessary information that is required in the Appendix to the EU Standard Contractual Clauses.
To the extent one Party transfers Personal Data from the United Kingdom to the other Party who has its place of business in a Third Country that has not been recognized as an Adequate Country under the UK GDPR, the terms of the transfer between the Parties shall be governed by the UK Addendum that is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, as applicable to the transfer. The Parties agree the UK Addendum is appended to the EU Standard Contractual Clauses as modified (including the selection of modules and disapplication of optional clauses) by Section 11.2 and Section A of Annex 2. Section B of Annex 2 includes all necessary information that is required in Part 1 of the UK Addendum.
12. General Terms.
12. 1 Governing Law and Jurisdiction. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
12. 2 Order of Precedence. Nothing in this DPA reduces Delivery Partner’s obligations under the Agreement in relation to the protection of Personal Data or permits Delivery Partner to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originate from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties).
12. 3 Changes in Data Protection Laws.
12. 3. 1 Evermile may by at least forty-five (45) calendar days' prior written notice to Delivery Partner, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Evermile Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and
I12. 3. 2 If Evermile gives notice with respect to its request to modify this DPA under Section 12.3.1: (i) Delivery Partner shall make commercially reasonable efforts to accommodate such modification request; and (ii) Evermile shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Delivery Partner.
I12. 3. 3 If Evermile gives notice under Section12.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Evermile’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Evermile or Delivery Partner may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
12. 4 Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Laws” means (a) European Union or Member State laws with respect to any Evermile Personal Data in respect of which Evermile is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Evermile Personal Data in respect of which the Evermile is subject to any other Data Protection Laws;
“Evermile Personal Data” means any Personal Data Processed by Delivery Partner on behalf of Evermile pursuant to or in connection with the Principal Agreement;
“Data Protection Laws” means (a) EU Data Protection Laws; (b) the UK GDPR; and (c) to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in the United States and Israel;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“EU SCC" or “EU Standard Contractual Clauses” mean the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the council as shall be amended from time to time (including without limitation, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June, 2021), in all cases incorporating the Relevant Amendments (as defined above). Upon the effective date of adoption for any revised standard contractual clauses by the European Commission, all references in this DPA to the "EU SCCs” shall refer to that latest version and the parties shall cooperate to prepare such amendments to this DPA, including the Relevant Amendments, as may be required to take into account and give effect to the European Commission’s adoption of the revised standard contractual clauses. In the event of any conflict or inconsistency between the terms of this DPA and the provisions of the EU SCC (to the extent the latter has been entered into by the parties pursuant to Section 11.2 (Restricted Transfers) below), the provisions of the EU SCC shall prevail;
“GDPR” means EU General Data Protection Regulation 2016/679 and any subsequent amendments, replacements or supplements;
“Relevant Amendments" means the amendments to the EU SCC and the UK Addendum identified under Annex 2 (Standard Contractual Clauses).
“Restricted Transfer” means (i) a transfer of Evermile Personal Data from Evermile to Delivery Partner; or (ii) an onward transfer of Evermile Personal Data from Delivery Partner to a Sub Processor, or between two establishments of Delivery Partner, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
“Sub Processor” means any third party (including any third party and any Delivery Partner Affiliate, but excluding an employee of Delivery Partner or any of its sub-contractors) appointed by or on behalf of Delivery Partner or any Delivery Partner Affiliate to Process Personal Data on behalf of Evermile in connection with the Principal Agreement; and
“Standard Contractual Clauses” or “SCCs” means the EU SCC and the UK Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA;
“UK Addendum” means the International Data Transfer Addendum to the EU Commission standard contractual clauses issued by the UK Information Commissioner’s Office (version, B1.0, in force March 21st, 2022);
“UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as adapted into law of the United Kingdom by virtue of section 3 of the United Kindgom’s European Union (Withdrawal) Act 2018; and
The terms, “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” and “Supervisory Authority” shall have the same meanings given to them in the GDPR (or another applicable Data Protection Laws).
Details of Processing of Evermile Personal Data
This Annex 1 includes certain details of the Processing of Evermile authorized user Personal Data as required by Article 28(3) or 28(4) GDPR.
Subject Matter and Duration of the Processing of Evermile Personal Data. The subject matter and duration of the Processing of the Evermile Personal Data are set out in the Principal Agreement.
The nature and purpose of the Processing of Evermile Personal Data: Delivery Partner’s Processing activities with respect to Evermile Personal Data includes the collection, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction of data (whether or not by automated means) as necessary to provide the Delivery Partner services under the Principal Agreement.
The types of Evermile Personal Data to be Processed are as follows:
(a) Delivery Data – Evermile Customer’s delivery address; Delivery Partner contact details; Package data (size, type, weight, and contents(; additional information requested by Evermile to ensure the delivery promise;
(b) End-Customer Data – Evermile Customers, User name and contact details, End-Customer details preferred delivery time window and any additional information requested by Evermile to ensure Customers and End-Customers can use the Platform and receive services by Evermile.
The categories of Data Subject to whom the Evermile Personal Data relates to are as follows:
Evermile’s Customers and End-Customer.
The obligations and rights of Evermile. The obligations and rights of Evermile and Evermile Affiliates are set out in the Agreement and this DPA.
Annex 2 - Standard Contractual Clauses
A. EU Standard Contractual Clauses
For the purposes of the EU Standard Contractual Clauses, the Parties agree on the following:
(i) Module One and Module four language shall be deleted.
(ii) Clause 7 (Docking Clause) does not apply.
(iii) For Clause 9 (Use of sub-processors) (a) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies with a 30-day time period.
(iv) The optional paragraph under Clause 11 (Redress) (a) does not apply.
(v) For Clause 17 (Governing law) (only for MODULE TWO: Transfer controller to processor and MODULE THREE: Transfer processor to processor), Option 1 applies. The EU Standard Contractual Clauses shall be governed by the law of Ireland.
(vi) For Clause 18 (Choice of forum and jurisdiction), any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.
The following modules of the EU Standard Contractual Clauses apply to the transfers under this DPA:
☐ MODULE TWO: Transfer controller to processor
☒ MODULE THREE: Transfer processor to processor
For the avoidance of doubt, modules not checked above do not apply to the transfers under this DPA.