Schedule 1

SCHEDULE 1

DATA PROTECTION

1. Definitions

"Agreement" means this contract;

"Data Controller", "Data Processor", "Data Protection Impact Assessment", "Data Protection Officer", "Data Subject", "Personal Data", "Personal Data Breach", "Subject Access Request", "Supervisory Authority" have the meanings set out in the UK GDPR (and related terms, such as "process" have corresponding meanings);

"Data Protection Legislation" means all applicable privacy and data protection laws relating to the processing of Personal Data and the privacy of electronic communications including the UK GDPR, Data Protection Act 2018, EU GDPR, the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

"Disclosing Party" means the Party providing Relevant Personal Data to the Receiving Party to Process it for the Processing Purposes;

"Party" means a party to this Agreement;

"Personal Data Breach" means the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, or processing of Personal Data covered by this Agreement;

"Personnel" includes employees, agents and sub-contractors undertaking work for a Party;

"Processing Purposes" means those purposes for Processing the Relevant Personal Data set out in Clause 9 of this Schedule;

"Receiving Party" means the Party receiving Personal Data from the Disclosing Party for it to Process for the Processing Purposes;

"Relevant Personal Data" means the Personal Data which is transferred between the Parties in connection with the Services;

"Services" means the services to provided pursuant to this Agreement; and

"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

This Schedule 1 sets out the framework for the sharing of personal data between the Parties.

DATA CONTROLLER OBLIGATIONS

2.1 The Parties acknowledge that for the purposes of providing the Services and the Data Protection Legislation, each Party:

(a) is a separate and independent Data Controller in respect of the Relevant Personal Data;

(b) shall comply with its obligations as a Data Controller under the Data Protection Legislation and the requirements set out in this Agreement;

(c) shall not Process the Relevant Personal Data other than for the Processing Purposes and in accordance with the terms of this Agreement;

(d) shall use compatible data formats and or technology for the processing of the Relevant Personal Data to ensure that there is no lack of accuracy or integrity resulting from the transfer of the Relevant Personal Data;

(e) shall maintain complete and accurate records in respect of the Relevant Personal Data;

(f) will use its reasonable endeavours to ensure that it will not perform its obligations under this Agreement in such a way as to result in the other Party breaching its obligations under the Data Protection Legislation; and

(g) will provide such co-operation and information as the other Party may reasonably require in order to enable that Party to comply with its obligations under Data Protection Legislation.

DISCLOSING PARTY OBLIGATIONS

3.1 The Disclosing Party warrants that it is entitled to share the Relevant Personal Data with the Receiving Party and shall ensure that:

(a) all Relevant Personal Data has been collected and disclosed to the Receiving Party in accordance with the Data Protection Legislation;

(b) the Relevant Personal Data is accurate and up to date;

(c) the Relevant Personal Data contains contact details of the Data Subjects to enable the Receiving Party to provide them with its Privacy Notice; and

(d) the Relevant Personal Data is transferred to the Receiving Party using appropriate technical and organisational security measures as required by the Data Protection Legislation and agreed between the Parties including but not limited to encryption and/or password protection.

RECEIVING PARTY OBLIGATIONS

4.1 The Receiving Party shall:

(a) implement and maintain appropriate technical and organisational measures to preserve the confidentiality, integrity and availability of the Relevant Personal Data and prevent any unlawful Processing or loss or damage, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects;

(b) notify the Disclosing Party without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach that relates to or could relate to the Relevant Personal Data and is required by the Data Protection Legislation to be notified to a supervisory authority;

(c) notify the Disclosing Party without undue delay, and in any event within 48 hours of becoming aware of a request or enquiry from a Supervisory Authority or Data Subject about the Relevant Personal Data, and respond to any reasonable requests for information from the Disclosing Party about the handling of such request or enquiry; and

(d) take all steps set out below in respect of its Personnel who have access to the Relevant Personal Data:
(i) ensure that only those Personnel who need to have access to the Relevant Personal Data are granted such access and only for the purposes of performing their respective obligations under this Agreement;
(ii) take all reasonable steps to ensure the reliability of its Personnel;
(iii) ensure that all Personnel have completed training in Data Protection Legislation and in the care and handling of Personal Data;
(iv) ensure that all Personnel are informed of the confidential nature of the Relevant Personal Data and are subject to appropriate contractual obligations of confidentiality; and
(v) not disclose any Relevant Personal Data to any third party in any circumstances except as required by law or permitted by this Agreement.

TRANSPARENCY OBLIGATIONS

5.1 When a Party first engages with a Data Subject whose Personal Data is to be shared pursuant to this Agreement, it shall ensure that appropriate transparency information, including a Privacy Notice, has been provided to that Data Subject.

MUTUAL ASSISTANCE

6.1 A Party will provide reasonable assistance to the other (at its own cost and when requested by the other Party to do so) if it receives:

(a) a request from a Data Subject to exercise one or more of their rights under the Data Protection Legislation in relation to the Relevant Personal Data and the Processing of it by one or both of the Parties;

(b) a complaint or request that relates to its obligations under the Data Protection Legislation in respect of the Relevant Personal Data;

(c) any other communication directly relating to the processing of the Relevant Personal Data;

(d) in the event of a dispute or claim brought by a Data Subject or a Supervisory Authority concerning the Processing of the Relevant Personal Data against either or both Parties, the Parties will inform each other as necessary about the dispute or claim and will cooperate with a view to settling the dispute or claim amicably in a timely fashion; and

(e) Each Party shall provide the other with contact details of at least one employee or representative as a point of contact and responsible manager for the purposes of compliance with this Schedule.

CHANGE IN LEGISLATION

7.1 If, during the term of this Agreement, the Data Protection Legislation changes, and any such change requires amendments to this Schedule in order to enable one or both of the Parties to achieve compliance with the amended Data Protection Legislation, the Parties, acting reasonably, will discuss and agree appropriate amendments as necessary to achieve that compliance. Each Party will bear its own costs in doing so.

INDEMNITY

8.1 Each Party shall indemnify the other against liabilities, costs, expenses, damages and losses suffered or incurred by the indemnified Party arising out of or in connection with a breach of this Schedule 1 by the indemnifying Party, its employees or agents, provided that the indemnified Party gives to the indemnifier prompt notice of any such claim(s), full information about the circumstances giving rise to it, reasonable assistance in dealing with a claim(s) and sole authority to manage, defend and/or settle such claim(s).

DETAILS OF PROCESSING ACTIVITIES

9.1 The following table sets out the Processing Purposes of the Relevant Personal Data:

Purposes for which the Relevant Personal Data shall be Processed ('Processing Purposes')

The purposes for which the Receiving Party will process the Relevant Personal Data are to:

deliver/collect Consignments to/from the Consignees of its Customers;
comply with any legal or regulatory obligations, including with regard to the collection and payment of duties and taxes and pursuant to the Data Protection Legislation;
send notifications and provide tracking information regarding the Services, including by way of an App or similar media or technology;
support the process of promoting, performing and improving the delivery of the Services (including fraud prevention, service experience surveys, 'in-flight options' and delivery preferences);
enable the Receiving Party to comply with its obligations and exercise its rights under this Agreement;
enable the Receiving Party to exercise legal rights or bring or defend legal claims and
achieve such other purpose(s) as may be agreed between the Parties from time to time.

Description of the categories of the Data Subjects

Consignors (Senders of Consignments)

Consignees (Recipients of Consignments)

Description of the categories of Relevant Personal Data

Consignee details including (as applicable) name, address, email address, telephone number, and photographs of delivery location.

Consignor details including name, address, email address, and telephone number.

�