3.    PRAGMACHARGE COMPLIANCE OBLIGATIONS
3.1.    PragmaCharge will comply with its direct obligations under European Data Protection Laws in relation to the processing of Personal Data. Except as expressly agreed in the Order Details for an order outside the EEA, PragmaCharge shall have no obligation to comply with non-European Data Protection Laws.
3.2.    PragmaCharge will not access, use, or disclose to any third party any Personal Data except as necessary to provide the eTaaS Services, or as necessary to comply with Applicable Laws or a valid and binding order of a governmental body (such as a subpoena or court order).
3.3.    PragmaCharge has no obligation to evaluate Personal Data to identify information subject to specific legal requirements.

4.    CUSTOMER RIGHTS AND OBLIGATIONS
4.1.    The rights and obligations of the Client are set out in the AM, which includes this DPA.
4.2.    The Client retains control over the Personal Data through the settings he/she selects using the PC Cloud Server.
4.3.    The Client shall comply with its direct obligations under Data Protection Laws and employment law in relation to the processing of Personal Data, and with any actions it takes based on the knowledge provided by PC Cloud Server.
4.4.    The Client shall ensure that it has all appropriate consents and notices necessary to enable PragmaCharge's lawful processing of Personal Data for the provision of the eTaaS. In particular, it shall inform all Driver Users of the categories of data processing involved as described above.
4.5.    If Customer is a data processor (and PragmaCharge is a sub-processor): (a) Customer ensures on an ongoing basis that the relevant data controller has authorized: (i) Customer's use of the personal data; ( ii ) Customer's appointment of PragmaCharge as a data processor; and ( iii ) PragmaCharge's engagement of sub-processors; and (b) Customer will promptly forward to the relevant data controller any notices provided by PragmaCharge under this DTP.
4.6.    The Customer confirms: (a) that it has exercised reasonable care to comply with its obligations under applicable Data Protection Laws and employment laws in its engagement of PragmaCharge, and its choice and use of eTaaS under the AM; and (b) that it has assessed its intended use of eTaaS (including by the Customer’s Representatives) and that the technical and organisational measures set out in the Processing Details provide a level of security appropriate to the risk to the Personal Data (taking into account the Customer’s state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Personal Data as well as the risks to data subjects).
4.7.    The Client is responsible to PragmaCharge and individuals for providing correct and compliant Personal Data and its decision on the legal basis of processing and any transparency notice to data subjects that Personal Data will be processed by PragmaCharge.

5.    TREATMENT INSTRUCTIONS
5.1.    Customer instructs PragmaCharge to process personal data solely in accordance with Data Protection Laws: (a) to provide, protect and monitor the eTaaS Services; (b) as hereinafter specified through Customer's or Customer Representative's use of the eTaaS Services (including account management and other functionality of the eTaaS Services); (c) as documented in the AM; and (d) as hereinafter documented in any other written instructions given by Customer and acknowledged by PragmaCharge as constituting instructions for purposes of this DPA (collectively, the Instructions).
5.2.    The Client continuously ensures that its Instructions, and therefore PragmaCharge's performance of processing in accordance with the Instructions, comply with the Data Protection Laws.
5.3.    Unless prohibited by Applicable Law, PragmaCharge will: (a) only process Personal Data in accordance with the Instructions (including with respect to international transfers of Personal Data); and (b) comply with the Instructions.
5.4.    PragmaCharge will notify Customer if, in PragmaCharge's opinion: (a) Applicable Laws prohibit PragmaCharge from complying with an Instruction, unless such notification is prohibited by Applicable Laws for important reasons of public interest; or (b) PragmaCharge is otherwise unable to comply with the Instruction.
5.5.    PragmaCharge may suspend all or part of the eTaaS Services by giving written notice to the Customer with immediate effect if PragmaCharge considers (in its reasonable discretion) that: (a) it is unable to adhere to, perform or implement any Instruction issued by the Customer due to technical limitations of its systems, equipment and/or facilities; and/or (b) adhering to, performing or implementing any such Instruction would require a disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise). If PragmaCharge does this, the Parties will attempt in good faith to overcome the objection (at no additional cost or expense to PragmaCharge).

6.    PRAGMACHARGE STAFF
6.1.    PragmaCharge will ensure that all PragmaCharge individuals (including contractors) who have access to Personal Data are informed of the sensitive nature of the Personal Data and are subject to the confidentiality obligations and usage restrictions as set forth in Part A. above.
6.2.    PragmaCharge will take reasonable steps to ensure the reliability, integrity and trustworthiness of PragmaCharge individuals (including contractors) with access to Personal Data.

7.    TREATMENT SAFETY
7.1.    PragmaCharge will implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage to Personal Data. The measures are those identified in the Processing Details and/or in Part A. above.
7.2.    PragmaCharge will implement reasonable measures to ensure a level of security appropriate to the risk involved in providing eTaaS to its customers, including, as appropriate: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process to periodically test, evaluate and assess the effectiveness of security measures.

8.    INCIDENT MANAGEMENT
8.1.    "Data Incident" means a breach of PragmaCharge's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed by or under the control of PragmaCharge. Unsuccessful attempts where there has been no unauthorized access to Personal Data or to any of PragmaCharge's equipment or facilities storing Personal Data (for example, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing or other unauthorized access to traffic data not resulting in access beyond the headers, or similar incidents) are expressly excluded.
8.2.    PragmaCharge will take appropriate measures to address and mitigate any Data Incident.
8.3.    PragmaCharge will, without undue delay, notify Customer of any Data Incident (Data Incident Notification).
8.4.    At the time of Data Incident Notification or as soon as reasonably practicable thereafter, PragmaCharge will also provide Customer with the following information: (a) a description of the nature of the Data Incident; (b) the likely consequences for Customer's Users; and (c) a description of the measures taken or proposed to address the Data Incident (including measures to mitigate its potential adverse effects on Data Users) (Data Incident Report).
8.5.    The Data Incident Notification and Data Incident Report will be delivered to the Customer's Privacy Contact on the Cover Sheet . It is the Customer's sole responsibility to ensure that PragmaCharge has an accurate and up-to-date email address for the Customer for privacy-related communications.
8.6.    The Client acknowledges that the level of disclosure in the Data Incident Report will need to take into account the nature of the processing, the information available to PragmaCharge at the time, and any restrictions on the disclosure of the information, such as confidentiality or the requirements of insurers, forensic investigators and/or law enforcement agencies.
8.7.    The Client agrees that, with respect to Personal Data, it is best able to determine the likely consequences of a Data Incident and any notifications it may require, whether to a Supervisory Authority or to affected Client Users. The Client will provide PragmaCharge with any copies, referencing PragmaCharge, required to be sent to any Supervisory Authority or Client User prior to submission, and will implement any reasonable modifications required by PragmaCharge for factual accuracy.
8.8.    PragmaCharge's notification under this Clause 8 shall not be construed as an admission by PragmaCharge of any fault or liability in respect of the Data Incident.

9.    SUBPROCESSING
9.1.    PragmaCharge will not engage a third party to process personal data without the Client's prior specific or general written authorization.
9.2.    The Client consents, by means of a general authorization, to PragmaCharge appointing any third party processor of personal data as part of its common technological and service infrastructure for the eTaaS and the general provision of its services (see the URL in the Processing Details for an updated list).
9.3.    With respect to sub-processors: (a) PragmaCharge confirms that it has entered into or (as the case may be) will enter into written agreements with any sub-processors in compliance with European Data Protection Laws, in respect of which the Client acknowledges and agrees: (i) that the appointment of sub-processors is subject to the terms of each sub-processor’s standard data processing agreement (Sub-processor’s DPA Terms) and that PragmaCharge relies on each sub-processor to ensure that the Sub-processor’s DAP Terms comply with European Data Protection Laws; and ( ii ) any obligations of PragmaCharge to the Client in respect of sub-processors are subject to the Sub-processor’s DPA Terms; (b) PragmaCharge will restrict the sub-processor’s access to Personal Data only to what is necessary to provide the eTaaS Services, and will prohibit the sub-processor from accessing the Personal Data for any other purpose; (c) PragmaCharge will ensure that appropriate safeguards are in place before any Data Transfer is made to a sub-processor; and (d) PragmaCharge remains responsible for its compliance with its obligations under this DPA and for any act or omission of the sub-processor that causes PragmaCharge to breach any of PragmaCharge’s obligations to Customer under this DPA.
9.4.    PragmaCharge will inform the Client of any additional or substitute sub-processors of the Personal Data by updating the sub-processor list at the URL in the Processing Details (Change of Sub-processor).
9.5.    Any objection to a Sub-processor Change must be raised by the Client within 14 days of notification, stating the reasons, to privacy@pragmacharge.com. The Client acknowledges that eTaaS is a common infrastructure product provided to many clients and will therefore seek to be reasonable in any objection raised.
9.6.    If Customer objects pursuant to Section 9.5, PragmaCharge will use reasonable efforts to make available a commercially reasonable change to the configuration of the eTaaS Services at Customer's cost and expense that prevents the use of such proposed sub-processor.
9.7.    Where a commercially reasonable change under clause 9.6 is not practicable for one of the following reasons: (i) the change to eTaaS cannot be made within 90 days of PragmaCharge receiving notice from the Customer; ( ii ) no commercially reasonable change to eTaaS is practicable; and/or ( iii ) the Customer refuses to bear the cost of the proposed change, then either Party may, by written notice to the other Party with immediate effect, partially terminate the MA to the extent that it relates to the provision of that part of eTaaS requiring the use of the proposed sub-processor.

10.    ASSISTANCE TO THE INTERESTED PARTY
10.1.    PragmaCharge will assist the Client by ensuring that reasonable technical and organisational measures are in place to provide information that will assist the Client in complying with the rights of data subjects in relation to personal data under European Data Protection Laws, including the rights of access, rectification and erasure of personal data, the right to object to processing and automated processing of personal data, and the right to restrict the processing of personal data.
10.2.    If a data subject for whom the Client is responsible makes a request to PragmaCharge, PragmaCharge will forward that request to the Client. The Client authorizes PragmaCharge, on its behalf and on behalf of its data controllers where the Client acts as a data processor , to respond to any data subject who makes a request to PragmaCharge, to confirm that PragmaCharge has forwarded the request to the Client.

11.    ASSISTANCE TO THE SUPERVISORY AUTHORITY AND REQUESTS FROM GOVERNMENTAL AGENCIES
11.1.    PragmaCharge (at the Client's cost and expense and taking into account the nature of the processing and the information available) will assist the Client with its obligations to Supervisory Authorities in relation to Data Incidents, data protection impact assessments and enquiries affecting Personal Data, and with its obligation to keep Personal Data secure.
11.2.    PragmaCharge will notify the Client if it receives any notice from a Supervisory Authority that directly relates to the processing of Personal Data (unless the supervisory authority requests not to do so).
11.3.    If any government agency sends PragmaCharge a request for data that may include Personal Data, PragmaCharge will attempt to redirect the government agency to request it directly from the Customer. To do so, PragmaCharge will provide the Customer's basic contact information to the government agency. If compelled to disclose Personal Data to a government agency, then PragmaCharge will attempt to give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy, unless PragmaCharge is prevented from doing so by Applicable Laws.

12.    DELETION OR RETURN OF THE CUSTOMER'S PERSONAL DATA
12.1.    PragmaCharge will comply (at Customer's cost and expense) with any written instructions from Customer requiring PragmaCharge to amend, transfer, erase or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorized processing.
12.2.    Upon termination of the MLA (or, if later, once PragmaCharge's processing of any Personal Data is no longer required for the purposes of PragmaCharge's performance of its obligations under the MLA), PragmaCharge will delete all Personal Data such that it is no longer considered Personal Data.
12.3.    PragmaCharge allows the Customer (on a self-service basis) to securely retrieve or delete Personal Data from the eTaaS Services. The Customer shall use self-service access to retrieve or delete Personal Data.
12.4.    If any Applicable Law requires PragmaCharge to retain any Personal Data that PragmaCharge would otherwise be required to return or destroy under clauses 12.1 to 12.3, it may do so.

13.    RECORD KEEPING AND AUDITING
13.1.    PragmaCharge will maintain records relating to any processing of Personal Data it carries out for the Client under this DTP in accordance with European Data Protection Laws (Records).
13.2.    PragmaCharge will ensure that the Records are sufficient to enable the Client to verify PragmaCharge's compliance with its obligations under this DPA and PragmaCharge will provide the Client with copies of the Records upon request (not more than once per calendar year).
13.3.    Customer’s authorized representative, subject to confidentiality and conflict of interest authorizations (including confidentiality of other PragmaCharge customers) and at Customer’s cost and expense, may audit the Records upon 30 days’ written notice to PragmaCharge (not more than once per calendar year). Customer will use its reasonable efforts (and ensure that its designated auditor does so as well) to avoid causing damage, injury or disruption to PragmaCharge’s facilities, equipment, personnel, data and business (including any interference with the confidentiality or security of data of other PragmaCharge customers or the availability of eTaaS systems to other customers) during the audit of the Records.
13.4.    If necessary to comply with European Data Protection Laws and subject to the Client reimbursing PragmaCharge for all costs incurred and time spent, PragmaCharge will contribute to an audit conducted under clause 13.3.

14.    DATA TRANSFERS
14.1.    Adequate Country means, for personal data processed under European Data Protection Laws, a country that is subject to an adequacy decision under applicable European Data Protection Laws. Data Transfer means the transfer of personal data, whether directly or by onward transfer, from the United Kingdom or the EEA to a Non-Adequate Country. Data Transfer Mechanism means a mechanism for legitimising a Data Transfer under European Data Protection Laws.
14.2.    Personal Data may be processed in any country in which PragmaCharge or its sub-processors maintain facilities.
14.3.    The Parties will comply with European Data Protection Laws in respect of any transfer of personal data or relationship management data, including ensuring that appropriate safeguards are in place to ensure an adequate level of protection with respect to individuals’ privacy rights, including Article 46 of the UK GDPR.
14.4.    Where there is a transfer of personal data or relationship management data between the parties that requires a Data Transfer Mechanism to comply with European Data Protection Law, the relevant provisions identified in the processing details will be incorporated by reference into this DTP. By entering into the AM Contract and this DTP, the Parties shall be deemed to have signed the Data Transfer Mechanism, incorporating this DTP.
14.5.    For the purposes of the Transfer Mechanism: (a) the Transmitting Party shall act as the data exporter; and (b) the Recipient shall act as the data importer.
14.6.    The information required for the purposes of Annexes I to IV of the EU CEC and Tables 1-3 of Part 1 of the UK Appendix is that contained in the treatment data.
14.7.    For each EU SCC module, where applicable, the following applies: (a) the optional coupling clause in clause 7 applies; (b) in clause 9, option 2 (general written authorisation) applies. For the purposes of clause 9(a), PragmaCharge has the general authorisation of the Client to engage Sub-processors in accordance with clause 9 of this DTP and PragmaCharge will inform the Client of any changes to Sub-processors in accordance with that clause; (c) in clause 11, the optional language does not apply; (d) PragmaCharge’s liability under clause 12(b) shall be limited to any damage caused by its processing where PragmaCharge has failed to comply with its obligations under Data Protection Laws specifically directed to processors, or where it has acted outside or contrary to the Client’s lawful instructions, as specified in Article 82 UK GDPR; (e) all square brackets are removed from clause 13; (f) in clause 17 (option 1), the EU SCCs will be governed by the laws of the United Kingdom and Wales; and (f) in clause 18(b), disputes will be resolved by the courts of the United Kingdom and Wales.
14.8.    For the purposes of Table 4 of Part One of the UK Appendix, PragmaCharge may terminate the UK Appendix when it changes.
14.9.    For data transfers regulated by the Swiss FADP, the EU SCCs also apply to the transfer of information relating to an identified or identifiable legal person where such information is protected in a similar manner to personal data under the Swiss FADP until such laws are amended to no longer apply to a legal person. In such circumstances, general and specific references in the EU SCCs to the GDPR or EU or Member State law shall have the same meaning as the equivalent reference in the Swiss FADP.
14.10.    If the Data Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer shall promptly implement additional measures to ensure that the Personal Data are protected to the same level as required by data protection legislation.
14.11.    In the absence of appropriate safeguards required by Clause 14.2, the Parties shall comply with European data protection law in respect of any transfer of Personal Data or Relationship Management Data, including Article 49 of the UK GDPR.
14.12.    Subject to Clause 11 and the terms of the relevant Data Transfer Mechanism (and in the event of a conflict between Clause 11 and the terms of the relevant Data Transfer Mechanism, the Data Transfer Mechanism shall prevail), if the data importer receives a request from a public authority to access Personal Data, it shall (if legally permitted): (a) contest the request and notify the data exporter, and (b) disclose to the public authority only the minimum amount of Personal Data required and keep a record of the disclosure.
14.13.    The Parties acknowledge that the interested party may invoke the Transfer Mechanism against the Parties.

15.    SUSPENSION OF TREATMENT
15.1.    If a change in any of the Data Protection Laws prevents a Party from complying with all or part of its obligations under this DPA, the Parties shall suspend the processing of Personal Data until such processing complies with the new requirements.