Scope and duration
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the VIGILFleet services described in the main services agreement (the “Agreement”). This DPA remains in force for the duration of the Agreement and survives termination for such period as the Processor continues to hold personal data subject to this DPA.
Nature and purpose of processing
Processing consists of the collection, storage, structuring, retrieval, and deletion of personal data, performed by means of the VIGILFleet platform and its supporting infrastructure, and is strictly limited to what is necessary to deliver the Service.
Data subjects and data categories
- Categories of data subjects: drivers, dispatchers, operational personnel, customers, and counterparts of the Controller.
- Categories of personal data: identification data (name, contact details), employment data (role, assigned vehicle), tachograph identifiers and working-time records, location and route data, operational and cost records, dispatcher communications, and customer tracking links.
Processor obligations
- Process personal data only on documented instructions from the Controller, including with regard to transfers outside the EEA, unless required to do otherwise by Union or Member State law to which the Processor is subject.
- Ensure that all persons authorised to process personal data are bound by a contractual or statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as described in Section 5 and in the Security Overview.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations under Articles 12–23 GDPR.
Security measures
The Processor maintains technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, role-based access control, comprehensive audit logging, segregation of Customer data, documented incident response procedures, and regular testing. A summary of controls is published at vigilfleet.eu/security.
Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at vigilfleet.eu/subprocessors. The Processor shall:
- Impose data-protection obligations on each sub-processor no less protective than those set out in this DPA.
- Provide the Controller with at least thirty (30) days’ prior notice of any intended addition or replacement of sub-processors.
- Remain liable for the acts and omissions of its sub-processors as if for its own.
International transfers
Where personal data is transferred to a third country or international organisation, the Processor relies on the Standard Contractual Clauses (Commission Implementing Decision 2021/914) or another transfer mechanism lawful under Chapter V GDPR, together with supplementary measures where a transfer-impact assessment so requires.
Assistance with data subject requests
The Processor assists the Controller, by appropriate technical and organisational measures and insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Articles 15–22 GDPR.
Notification of personal data breach
The Processor notifies the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any personal data breach, providing the information required under Article 33(3) GDPR to enable the Controller to meet its own notification obligations.
Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits shall be conducted with reasonable notice, no more than once in any rolling twelve (12) month period, and at the Controller’s expense, save in the case of a confirmed breach by the Processor.
Return and deletion
Upon termination of the Agreement, at the Controller’s option, the Processor shall return all personal data or delete it, along with all existing copies, within thirty (30) days, unless Union or Member State law requires further storage. A written confirmation of deletion is provided on request.