Remote Services Terms and Conditions
This agreement is entered into between:
- REPAIRIFY UK LTD (CRN 11511329) t/a asTech whose registered office is situated at Old Chambers, 93-94 West Street, Farnham, Surrey GU9 7EB and whose principal address is Traynor House, Traynor Way, Peterlee, SR8 2RU (“asTech” and the “Service Provider”); and
- THE PARTY whose name and address are set forth below (the “Customer”) (together the “Parties”) (the “Agreement”).
1. Purchase of services relating to the asTech device (the “Device”)
This Agreement relates to the purchase by the Customer and performance by the Service Provider of the diagnostic services (the “Diagnostic Services”) in accordance with the terms of this Agreement.
2. Diagnostic Services
- During the Term the Customer may request that the Service Provider provides the following Diagnostic Services for a specified vehicle or vehicles by submitting a ‘Request for Service’ (“RFS”) to the Service Provider.
- The Diagnostic Services provided by the Service Provider connect a vehicle located remotely to the original equipment manufacturer (or aftermarket) scan tools and asTech Master Technicians, allowing asTech to communicate directly with the vehicle and perform certain automotive services (the Diagnostic Service) including but not limited to an initial pre-repair health scan, a diagnosis of specific trouble codes and required post-accident calibrations, glass calibrations, ADAS calibrations, and the reprogramming of specific control modules.
- The Service Provider shall determine at its discretion whether to provide such Diagnostic Services with respect to all or part of an RFS.
The Service Provider shall provide the necessary asTech hardware allowing the Customer to undertake Diagnostic Services, however, performance of the Diagnostic Services does not include the provision by the Service Provider of any internet communication services, operating supplies or other accessories that may be required for a Customer to receive any part of the Diagnostic Services.
4. Responsibilities of the Customer
- To enable the Service Provider’s performance of the Diagnostic Services, the Customer will provide and maintain secure access to a high speed (minimum 10 Mb/s) internet connection to which the Device will be connected and over which the Diagnostic Services will be delivered by the Service Provider during the Term. Ideally the device will be connected via a wired ethernet connection to give best results and avoid any interruptions when programming.
- Ensure that the Device is kept and operated in a suitable environment, used only for the purposes for which it is designed, and operated in a proper manner by trained competent staff in accordance with any operating instructions provided by the Service Provider.
- Take such steps (including compliance with all safety and usage instructions provided by the Service Provider) as may be necessary to ensure, so far as is reasonably practicable, that the Device is at all times safe and without risk to health when it is being set, used, cleaned or maintained by a person at work.
- At its own expense the Device in good and substantial repair in order to keep it in as good an operating condition as it was on the Start Date (fair wear and tear only excepted), including replacement of worn, damaged and lost parts, and shall make good any damage to the Device, and
- Operating and maintenance records of the Device and make copies of such records readily available to the Service Provider, together with such additional information as the Service Provider may reasonably require.
- Make no alteration to the Device and not remove any existing component (or components) from the Device without the prior written consent of the Service Provider, unless the component (or components) is (or are) replaced immediately (or, if removed in the ordinary course of repair and maintenance, as soon as practicable) by the same component or by one of a similar make and model or an improved or advanced version of it. Title and property in all substitutions, replacements, renewals made in or to the Device shall vest in the Service Provider immediately on installation.
- Keep (i) the Service Provider fully informed of all material matters relating to the Device; and (ii) the Device at the Customer Location at all times and not move or attempt to move any part of the Device to any other location without the Service Provider’s prior written consent.
- Not use the Device for any unlawful activities.
- At its own expense, obtain and maintain the following insurances (during the Term and the risk period):
- Insurance for such amounts as a prudent owner or operator of the Device would insure for, or such amount as the Service Provider may from time to time reasonably require, to cover any third party or public liability risks of whatever nature and however arising in connection with the Device; and
- Insurance against such other or further risks relating to the Device as may be required by law, together with such other insurance as the Service Provider may from time to time consider reasonably necessary and advise to Customer.
- In respect of the Diagnostic Services performed by the Service Provider the Service Provider may invoice the Customer on or at any time after it has provided such Diagnostic Services to the Customer.
- The Customer shall pay each invoice submitted by the Service Provider: (a) within 30 days of receipt of the invoice, and (b) in full and in cleared funds to a bank account nominated in writing by the Service Provider (or via such other payment method as agreed between the parties in writing), and time for payment shall be of the essence of this Agreement.
- Any amount remaining unpaid thirty (30) days after the due date of an invoice shall bear interest at 1.5% per month above the base rate of the Bank of The Service Provider may charge the Customer a £25 service fee, or up to the maximum rate allowed by law, whichever is less, if the Customer’s cheque, bank draft, electronic funds transfer, credit card or other order for payment is dishonoured or returned for insufficient funds or any other reason. In the event of a payment default, the Customer will be responsible for all of the Service Provider’s costs of collection, including, but not limited to, court costs, filing fees and reasonable legal fees. In addition, the Service Provider reserves the right to terminate any Diagnostic Services until payment is received.
- Installation and training are not included in the fees, unless agreed between the Parties in
- All fees are exclusive of VAT and all other sales, use, excise, or other taxes, all of which are the responsibility of the Customer.
- All fees are exclusive of import and/or export duties, export crating, freight, or insurance, unless otherwise agreed between the parties in All amounts due under this Agreement shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
- The Service Provider may, from time to time but not more than once during each calendar year, review and increase the fees either in line with the UK Consumer Price Index, and/or at any time for Diagnostic Services where the Service Provider has demonstrably incurred an increase in its fees, costs, surcharges and/or expenses (including from any third party supplier and/or as a result of a change in law). The Service Provider will notify the Customer in writing of any such increase, which shall take effect within twenty-eight (28) days of the date of such notice being issued to the
- This Agreement shall be effective from the date both Parties sign this Agreement (the “Start Date”) and shall remain in force for a period of two (2) years (the “Initial Term”). This Agreement shall renew automatically for successive and subsequent six (6) month periods (“Extension Periods” and, together with the Initial Term, the “Term”) unless a Party gives the other Parties not less than thirty (30) days’ prior written notice to terminate this Agreement at the end of the then current six (6) month period.
- Notwithstanding the foregoing, the Service Provider may terminate this Agreement at any time during the Term: (a) by providing thirty (30) days’ written notice to the Customer, (b) immediately upon a material breach of this Agreement by the Customer, or (c) immediately upon an insolvency event of the Customer.
- The Service Provider does not warrant or represent as to, and shall not have any liability for labour performed on a vehicle by the Customer in relation to which Diagnostic Services are performed by the Service Provider or otherwise.
8. Limits Of Liability
- The remedies of the Customer set forth in this Agreement are the Customer’s exclusive remedies. Subject to clause 3, the aggregate liability of the Service Provider for any claim of any kind for any loss or damage resulting from, arising out of or connected with this Agreement or any Diagnostic Service, whether based on contract or tort (including negligence) or otherwise, shall in no event exceed the fees allocable to the Diagnostic Services during a 12-month period which gave rise to the claim. In no event shall the Service Provider be liable to the Customer or any other party for:
- Any failed or ineffectual Diagnostic Services (in whole or in part) due to an RFS containing inaccurate or incomplete information, nor
- Compensatory, punitive, special, incidental or consequential damages, or any similar damages, whether foreseeable or not (and even if that party has been advised of the possibility of such loss or damage), arising from the Diagnostic Services, including but not limited to: loss of profits, revenue, business opportunity and/or loss by reason of shutdown of facilities.
- The Customer assumes the sole responsibility for determining whether the Diagnostic Services are suitable for the Customer’s contemplated use, whether or not such use is known to the Service Provider. The Customer assumes all risks and liabilities arising from the Diagnostic Services. The Service Provider is not responsible for any changes the Customer may make to a vehicle (and any resulting diagnostic trouble codes therefrom), including after the Device is
Nothing in this Agreement shall operate to exclude or limit a Party’s liability for any liability which cannot be excluded or limited under applicable law (including liability for fraud, death and personal injury resulting from negligence).
9. Waiver Of Insured Claims And Subrogation
The Customer and the Service Provider, for themselves, for all other insured under any applicable insurance policy, and for their insurers under any applicable insurance policy, hereby waive any right of subrogation against each other and against their respective employees, agents, officers, suppliers and affiliates, to the fullest extent permitted by each such policy.
10. Intellectual Property
- Each Party agrees and acknowledges that (as between the Parties) the Service Provider shall own all right, title and interest in and to (a) all data, information, text, and code including resulting, related, extracted, derivative, analytical, extrapolated data, information, text and code (the “Data”) (c) the Diagnostic Services, and (d) systems, technologies, processes, procedures, software, computer programs, websites, documents, information, techniques, business methods, drawings, logos, instruction manuals, lists and procedures hardware developed and / or used by the Service Provider whether in conjunction or for the purposes of the development, design, manufacture, provision, support, maintenance, repair, improvement, change, upgrade or update of the Diagnostic Services, including all intellectual property rights, whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world (the “IP Rights”). If and to the extent that any IP Rights in any Data become vested in the Customer, the Customer hereby assigns all such IP Rights (by way of a present assignment of past, present and future rights) to the Service Provider (or their nominee) with full title guarantee. The Customer shall, at the Service Provider’s request, do all such further acts and execute all such documents as may from time to time be necessary to vest all IP Rights in the Data in the Service Provider (or their nominee).
- The Customer shall not: (i) copy, modify, create any derivative work of; or (ii) reverse engineer or otherwise attempt to derive source code (or the underlying ideas, algorithms, structure or organisation); or (iii) remove any patent or copyright notices, identification or any other proprietary notice from any hardware, software, copyrighted content and any proprietary information related to the Diagnostic Services.
11. Data Protection
- Where the Service Provider processes personal data in connection with the Diagnostic Services, the Parties acknowledge that the Service Provider is a processor of the Customer. The parties shall comply with their data protection obligations as set out in the Schedule (Data Protection) in respect of such personal data.
12. Customer Representations, Warranties, Indemnification
- The Customer represents, warrants and covenants to the Service Provider that:
- It has, and will continue to have throughout the Term, full right, title and authority to enter into this Agreement and to accept and perform the obligations imposed on it by this Agreement;
- The entering into, and performance by it of this Agreement will not breach any agreement which it has with any third party and/or any applicable law or regulation; and
- It is entering this Agreement as a business and not in any capacity whatsoever as a consumer.
- The Customer represents, warrants and covenants to the Service Provider that it will use the Diagnostic Services only for its intended use; will not use the Diagnostic Services for personal, family or household purposes; will train in the use of the Diagnostic Services all operators, service technician personnel, other employees and third parties who deal with the Diagnostic Services; will be responsible for completing any RFS accurately and completely, including all required vehicle information; will implement and comply with any and all applicable state, federal, national, regional, provincial, municipal, and other laws or regulations; has determined without reliance on the Service Provider that the Diagnostic Services are a suitable component in the Customer’s processes and services and will comply with the terms of this Agreement without limiting the foregoing.
- The Customer shall promptly notify the Service Provider of any failure or ineffectual results from the Diagnostic Services.
- The Customer understands that the Diagnostic Services do not include any internet communication services, operating supplies or accessories. The Customer is further aware that the Diagnostic Service provided by the Service Provider shall be rendered remotely by and through the internet and the Customer is solely responsible for providing and maintaining its own secure high speed (minimum 10 MB/sec) internet connection in order to receive the Diagnostic Services, including vehicle code analytics, delivered by the Service Provider. The Service Provider shall not be responsible for any failures caused by any internet outages, the Customer’s internet service provider or the Customer’s connection thereto.
- The Customer agrees that if any damage or injury (including death) to any person or to any property (including loss of use thereof) results, or is alleged to have resulted, in whole or in part from the Diagnostic Services, from the improper or abnormal operation of the Diagnostic Services without the Service Provider’s written consent or approval, the Customer’s failure to follow the Service Provider’s relevant vehicle manufacturer’s procedures or recommendations, from the Customer’s breach of this clause 12 or of other provisions of this Agreement, or where the vehicle was not scanned by the Service Provider or as a result of, arising from or relating to the Customer’s wilful misconduct or negligence, then the Customer will defend, indemnify, and hold the Service Provider harmless from all liability, costs, and expenses (including reasonable legal fees and all other costs of litigation and defence) for which the Service Provider may be held liable in connection with such injury or damage, whether the Service Provider’s liability or alleged liability be in contract, negligence, strict tort, or otherwise.
13. Force Majeure
- The Service Provider shall not be liable for any loss or delay due to acts of God, any change in or adoption of any law or regulation by a governmental authority, strikes, natural disasters, fires, floods, earthquakes, severe weather, epidemics, pandemics, quarantine restrictions, war, terrorism, riot, delays in transportation, telecommunication infrastructure or Internet failures, inability to obtain necessary labour or materials from usual sources, or other causes beyond the reasonable control of the Service Provider (collectively, referred to herein as Force Majeure Events).
- Without limitation, in the event of any delays in performance due to such causes, the date of delivery or performance shall be deferred for a period equal to the time lost by the reason of the delay.
14. Confidentiality; Publicity; Ownership
- The Customer and the Service Provider shall each use their commercially reasonable efforts to avoid disclosure to third parties of any of the Customer’s and the Service Provider’s proprietary and confidential information associated with, but not limited to, the Diagnostic The Customer shall use the Diagnostic Services only with the Customer’s employees, agents, consultants and representatives requiring access to the Diagnostic Services in order to perform vehicle repair services. The Customer and the Service Provider shall not be responsible for the use and disclosure of any such confidential and proprietary information if the same is: (i) in the public domain at the time it was disclosed; (ii) used or disclosed with the prior approval of the other Party; (iii) already in receiving Party’s possession free from confidentiality at the time of disclosure or independently developed by the receiving Party without use of the proprietary or confidential information; (iv) becomes known to the receiving Party from a third party without any obligation of confidentiality and without any breach of confidentiality by such third party.
- No news release, including photographs and films, advertisement, public announcement, denial or confirmation of same, or any part of the subject matter of this Agreement or the Customer’s use of the Diagnostic Services shall be made by the Customer without prior written approval from the Service Provider.
- This Agreement contains the entire and only agreement between the Parties with respect to the subject matter hereof and supersedes all prior oral and written offers, negotiations, and understandings between the Customer and the Service Provider the delivery of the Diagnostic Services as described in this Agreement. Any prior course of dealings or usage of the trade are excluded unless they are expressly incorporated in this Each Party acknowledges that in entering into this Agreement it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other Parties in relation to the subject-matter of this Agreement at any time before their signature, other than those which are set out in this Agreement. No variation of this Agreement shall be effective unless signed in writing by the Parties (or their duly authorised representatives). In the event that one or more of the provisions of this Agreement shall be found by a competent court of law to be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions contained herein shall not be affected thereby, and the Parties agree such provisions shall be reformed by such court of law to make such provisions enforceable to the maximum extent permitted by law.
- Any notice or other communication required to be given under this Agreement shall be in writing and shall be delivered personally, or sent by recorded delivery or by commercial courier or by email to the party required to receive the notice or communication as set out in the Key Terms. Any notice or other communication shall be deemed to have been duly received (i) if delivered personally, when left at the address and for the contact referred to in the Key Terms; or (ii) if delivered by recorded delivery or commercial courier, on the date and at the time that that delivery is recorded to have occurred; or (iii) if sent by email, on sending, provided that the sender does not receive notification of non-delivery of such email (in which case the sender may resend the email or use an alternative method of delivering the notice).
- Should the Service Provider retain legal counsel to recover any sums the Customer may owe to the Service Provider, or to enforce any other provision of this Agreement, the Customer shall reimburse the Service Provider for all costs of such recovery and/or enforcement, including but not limited to reasonable attorneys’ fees.
- None of the terms of this Agreement shall be relied upon or enforceable by any third party who is not a party to this Agreement, whether by virtue of the Contracts (Rights of Third Parties) Act 1999 or otherwise.
- The failure to exercise, or delay in exercising, a right, power or remedy provided by this Agreement or by law shall not constitute a waiver of that right, power or remedy. If a Party waives a breach of any provision of this Agreement, this shall not operate as a waiver of a subsequent breach of that provision, or as a waiver of a breach of any other provision.
- The rights and remedies of each Party under or in connection with this Agreement may only be waived by express written notice to the other Any waiver shall apply only in the instance and for the purpose for which it is given.
- Unless otherwise agreed in writing by the Parties, all documentation, signs, warnings, explanations, information, operating manuals and training materials shall be provided by the Service Provider only in English; the Customer at its cost shall supply, in a timely fashion, translations of all such items into the language(s) of the country where the Service Provider device will be installed and operated and shall promptly place warnings and signs on the Service Provider device and supply translated documentation to users, operators, and others as reasonably expected or needed for safety, information, and compliance with applicable laws. The Customer shall indemnify the Service Provider with respect to any costs, damages, and other losses suffered by the Service Provider, including but not limited to reasonable attorneys’ fees, for the Customer’s failure of the timely and accurate supply of documentation and interpretation as provided in this clause 15.7.
- This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of England and Wales. All disputes and claims arising out of or in connection with this Agreement (including any dispute or claim relating to non-contractual obligations) will be subject to the exclusive jurisdiction of the courts of England.
Schedule Data Protection
“Data Protection Legislation” means the GDPR, the UK Data Protection Act 2018, Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction;
“GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union;
“Security Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that the Supplier processes in the course of providing the Service;
“controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
- The parties agree the provisions of this Schedule shall apply to the personal data the Service Provider processes in the course of providing the Diagnostic Services. The parties agree that the Customer is the controller and the Service Provider is the processor in respect of this personal data.
- The subject matter of the data processing is the performance of the Diagnostic Services. The obligations and rights of the Customer as controller are as set out in this Schedule. Annex One of this Schedule sets out the nature, duration and purpose of the processing, the types of personal data the Service Provider processes and the categories of data subjects whose personal data is processed.
- When the Service Provider processes personal data as described in (a), the Service Provider shall:
- Process the personal data only in accordance with documented instructions from the Customer, which may be specific instructions or instructions of a general nature as set out in this DSA or as agreed between the parties from time to If the Service Provider is required to process the personal data for any other purpose by applicable laws to which the Service Provider is subject, the Service Provider and/or will inform the Customer of this requirement prior to processing, unless this is prohibited by such applicable law; and
- Notify the Customer immediately if, in the Service Provider’s reasonable opinion, an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Legislation, it being acknowledged that the Service Provider shall not be obliged to undertake additional work or screening to determine if the Customer’s instructions are compliant.
- The Service Provider shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data;
- The Service Provider shall assist the Customer, always taking into account the nature of the processing:
- by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights under Data Protection Legislation;
- in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to the Service Provider; and
- by making available to the Customer all information which the Customer reasonably requests to allow the Customer to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of processors have been met;
- To the extent that assistance under (e) is not included within the Diagnostic Services, the Service Provider may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of the Service Provider’s own acts or omissions, in which case such assistance will be at the Service Provider’s expense;
- The Service Provider shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be As a minimum, these should include the requirements set out in Annex Two to this Schedule.
- In the event of a suspected Security Breach, the Service Provider shall notify the Customer without undue delay and shall take action to investigate the suspected Security Breach and take appropriate action to mitigate and remedy the Security Breach.
- The Service Provider shall not give access to or transfer any personal data processed under this Schedule to any third party without the prior written consent of the Customer. Where the Customer does consent to the Service Provider engaging a sub-contractor to carry out any part of the data processing under this Schedule, the Service Provider must include in any contract with the third party provisions in favour of the Customer which are substantially similar to those in this Schedule and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation, the Service Provider will remain fully liable to the Customer for the fulfilment of the Service Provider’s obligations under this Agreement.
- Subject to compliance with (i), the Customer agrees that the Service Provider’s affiliates may be retained as sub-contractors for the processing of personal data and that the Service Provider and its affiliates may engage third-party sub-contractors for the purposes of processing personal data under this Schedule. A list of the sub-contractors approved by the Customer as at the date of this DSA can be found on the Service Provider’s website at www.asTech.com. The Service Provider can at any time appoint new sub-contractors for the purposes of processing personal data under this Schedule, provided that the Customer is given 30 days’ prior notice and the Customer does not object to such changes for reasonable data protection reasons within such timeframe. If the Customer objects to the proposed change within such period, the Customer may, by providing written notice to the Service Provider, terminate the Agreement.
- The Service Provider shall allow the Customer and its respective auditors and agents to conduct audits or inspections during the Term and shall provide all reasonable assistance to assist the Customer in exercising its audit rights under this Schedule. The purpose of such an audit shall be the compliance of the Service Provider with this Schedule. The Customer shall be responsible for its, and the Service Provider’s, costs in relation to any such audit, unless such audit reveals the Service Provider’s non-compliance, and such an audit may only be conducted once every twelve (12) months, unless required by a supervisory authority. If the Customer’s request for information or access relates to a sub-contractor, or information held by a sub-contractor which the Service Provider cannot provide to Customer itself, the Service Provider will promptly submit a request for additional information in writing to the relevant sub-contractor(s). The Customer acknowledges that access to the sub-contractor’s premises or to information about the sub-contractor’s previous independent audit reports is subject to agreement from the relevant sub-contractor, and that the Service Provider cannot guarantee access to that sub-contractor’s premises or audit information at any particular time, or at all.
- The Customer authorises the Service Provider to transfer personal data outside of the UK and European Economic Area where it is necessary to carry out the data processing under this Schedule. Where the Service Provider makes such transfers it will only do so where an adequacy decision applies, or where the transfer is otherwise permitted under Data Protection Legislation. Customer authorises the Service Provider to enter into Standard Contractual Clauses on its behalf for the transfer of personal data to data processors established in third countries adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU (the “Processor Standard Contractual Clauses”) or under any replacement mechanism authorised under applicable Data Protection Legislation, for the transfer of data to the Service Provider’s affiliates or any other sub-contractor named in Annex One to this Schedule, as necessary to ensure adequate protection of personal data. The details of the appendices applicable to the Processor Standard Contractual Clauses are as set out in Annex One and Annex Two of this Schedule. The Parties agree that the Service Provider’s liability under the Processor Standard Contractual Clauses shall be limited as set out in this DSA, and that in the event of any conflict between this DSA and the Processor Standard Contractual Clauses, or any replacement mechanism, the Processor Standard Contractual Clauses or replacement mechanism shall prevail.
- At the end of the Term, upon the Customer’s request, the Service Provider shall securely destroy or return such personal data to the Customer and delete existing copies unless applicable laws require storage of such personal data.
Annex One – Data Processing Information
Nature and purpose of processing operations
The personal data transferred will be processed as follows (please specify):
- For the provision of Diagnostic Services
Categories of data subject
The personal data transferred concern the following categories of data subjects (please specify):
- Customer’s personnel and clients
Categories of data
The personal data transferred concern the following categories of data (please specify):
- identifying information, such as contact details, employer and role
- car related information, including VIN, model and details of relevant faults
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Duration of Processing
The Term of the Agreement
Annex Two – Data Processing Information
1. Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
- Access control system
- ID reader, magnetic card, chip card
- (Issue of) keys
- Door locking (electric door openers etc.)
- Alarm system, video/CCTV monitor
- Logging of facility exits/entries
2. Access control to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
- Password procedures (incl. special characters, minimum length, change of password)
- No access for guest users or anonymous accounts
- Central management of system access
- Access to IT systems subject to approval from HR management and IT system administrators
3. Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include:
- Differentiated access rights
- Access rights defined according to duties
- Automated log of user access via IT systems
4. Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
- Compulsory use of a wholly-owned private network for all data transfers
- Encryption using a VPN for remote access, transport and communication of data.
- Prohibition of portable media
5. Input control
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
- Logging user activities on IT systems
6. Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:
- Unambiguous wording of contractual instructions
- Monitoring of contract performance
7. Availability control
Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
- Backup procedures
- Uninterruptible power supply (UPS)
- Business Continuity procedures
- Remote storage
- Anti-virus/firewall systems
8. Segregation control
Measures should be put in place to allow data collected for different purposes to be processed separately. These should include:
- Restriction of access to data stored for different purposes according to staff duties.
- Segregation of business IT systems
- Segregation of IT testing and production environments