ATTACHMENT B - GENERAL TERMS DATA PROTECTION AND PRIVACY

In this Attachment B the terms defined in Annex 1 to this Attachment B shall have the meanings set out therein.

1     DATA PROTECTION

1.1     For certain Services provided by Evri it will act as a controller (as defined by the Data Protection Legislation) including where a Customer registers directly with Evri to receive Evri’s parcel tracking services. For other Services, Evri may act as a data processor for the Customer Personal Data it receives in connection with such Services and the provisions of Paragraph 2 below shall apply.

1.2     The Client warrants that it has the right and has obtained all necessary consents and registrations to process the Client Personal Data and that the processing by Evri of Client Personal Data on behalf of the Client will not thereby be in breach of the Data Protection Legislation.

1.3     Both Parties shall comply with Data Protection Legislation in connection with the processing of Client Personal Data.

2     PROCESSING

2.1     Where Evri acts as a Data Processor in relation to Client Personal Data this Paragraph 2 of Attachment B shall apply.

2.2     Processing - [Art 28, GDPR]

2.2.1     Evri is a data processor (or sub-processor) acting on the Client’s behalf and shall process Client Personal Data in accordance with the provisions of this Contract, the Client’s documented instructions and the Purpose, unless otherwise required to process the Client Personal Data in order to comply with Applicable Laws in which case it shall to the maximum extent permitted inform the Client of that legal requirement before Processing.

2.2.2     Evri shall immediately inform the Client if, in its reasonable opinion, any instruction provided to it in connection with the Services infringes the Data Protection Legislation and provide upon request evidence of the rationale used to reach that conclusion.

2.2.3     The subject matter and duration of the Processing of Client Personal Data is set out in this Contract and the context and purpose for the Processing of Client Personal Data is the Purpose.

2.2.4     The Client Personal Data that Evri may Process is Customer names, addresses and associated information required for the Purpose. The Data Subjects are the Customers.

2.2.5     Evri shall co-operate and assist the Client with any privacy impact assessments and consultations with (or notifications to) relevant regulators that the Client reasonably considers are relevant pursuant to Data Protection Legislation in relation to the Client Personal Data and the Services. Evri shall be entitled to charge the Client in respect of the reasonable costs of such assistance.

2.2.6     Evri shall procure that its personnel are obligated to maintain the security and confidentiality of any Client Personal Data as provided in this Contract.

2.2.7     Evri shall promptly forward to the Client and otherwise co-operate with and assist Client at no charge with any requests from Data Subjects for any Client Personal Data pursuant to Data Protection Legislation.

2.2.8     Evri shall at the Client's option, delete (unless required by Applicable Laws) or return all copies of Client Personal Data and cease Processing such Client Personal Data after the business purposes for which the Client Personal Data was Processed have been fulfilled, or earlier upon the Client’s written request.

2.2.9     Evri shall maintain a record of all categories of Processing activities carried out on behalf of the Client which shall be made available to the Client upon request.

2.3     Disclosure

2.3.1     Evri will not disclose Client Personal Data outside of Evri except: (i) as the Client directs (including as permitted under this Contract); or (ii) as required by UK GDPR.

2.3.2     In the event that the Supplier receives any request for disclosure of Client Personal Data by a law enforcement person or agency Evri will, to the extent allowed by UK GDPR at no additional charge promptly notify the Client and provide a copy of the request and if compelled to disclose Client Personal Data to law enforcement, then Evri will do so unless prohibited by UK GDPR from doing so.

2.4     Security - [Arts 28 and 32 GDPR]

2.4.1     Evri shall take security measures required by the Data Protection Legislation including, taking into account the state of the art, costs of implementation and the Processing to be undertaken, implementing and maintaining appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised access to, or Processing of, the Client Personal Data.

2.5     Notification And Incidents - [Arts 33 and 34]

2.5.1     If Evri becomes aware of any Security Incident, Evri will without undue delay:

(a)     notify the Client of the Security Incident;

(b)     investigate the Security Incident and provide the Client with detailed information about the Security Incident including making available a suitably senior, appropriately qualified individual to discuss any concerns or questions the Client may have;

(c)     take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident to the extent that such mitigation is within Evri’s control as well as reasonable steps to prevent a recurrence of such Security Incident.

2.6     Subcontractors - [Art 28, GDPR]

2.6.1     The Client acknowledges and consents to Evri permitting Sub-Contractors to Process Client Personal Data strictly subject to the terms of this Contract and providing that Evri shall notify the Client of any intended change concerning the addition or replacement of any sub-processor within a reasonable period before such addition or replacement.

2.6.2     The Client acknowledges that Evri entered into an agreement with a Sub-Contractor for the supply of handheld terminals/mobile devices and/or managed services in respect of such handheld terminals/mobile devices and the Client agrees to the processing of the Client’s Personal Data pursuant to such agreement and any replacement agreement as set out in Paragraph 2.6.4 of this Attachment B.

2.6.3     The Client acknowledges that Evri has and may enter into agreements with Sub-Contractors to provide international parcel delivery and fulfilment services (being part of the Services), back office customer support, software support and development services, analytics services and related support services to Evri and this will involve the transfer of Client Personal Data outside of the UK and/or European Economic Area. The Client agrees to the processing of such Client Personal Data subject to Evri’s compliance with Paragraph 2.6.4 and Paragraph 2.7 of this Attachment B.

2.6.4     Evri is fully liable to the Client for any acts or omissions of the Sub-Contractor in respect of its Processing of Client Personal Data.

2.7     Transfer of Data

2.7.1     Save as set out herein, or as the Client may otherwise authorise, Evri will not transfer to any third-party Client Personal Data.

2.7.2     Evri (or any Sub-Contractor) shall only transfer Client Personal Data from the UK to a country outside the UK where:

(a)     the entity receiving the Client Personal Data is located in a territory which is subject to a current finding by the UK under applicable Data Protection Legislation that it provides adequate protection for Personal Data; or

(b)     the Model Clauses (or other mechanism that continues to be recognised and accepted by the relevant authorities as a legitimate basis for transfer of Personal Data) are effected between the relevant parties; or

(c)     the necessary statutory approvals required to be obtained by Evri (or Sub-Contractor) as a data processor (or sub-processor), if any, have all been obtained to enable the transfer of the Client Personal Data.

2.8     Audit - [Art 28(3)(h), GDPR]

Subject to reasonable written advance notice, Evri shall permit the Client and/or a qualified representative (subject to reasonable and appropriate confidentiality undertakings) to conduct during normal working hours periodic security scans and audits of Evri’s systems and processes in relation to the Processing of Client Personal Data and shall comply with all reasonable requests or directions by the Client to verify and/or procure that Evri is in full compliance with its obligations under Paragraph 2.2 to 2.7 of this Attachment B (inclusive). Where the Client requests any such security scans or audits which would involve Evri’s Sub-Contractors’ systems, Evri shall only be obliged to use its reasonable endeavours to permit such security scan or audit, and the Client acknowledges that Evri’s obligation shall not exceed the extent it is able to grant such rights in accordance with its relevant Sub-Contractor contract terms.

ANNEX 1: DEFINITIONS

“Client Personal Data” means Personal Data provided to Evri by the Client in connection with this Contract;

“Data Processor” has the meaning given to it by the Data Protection Legislation;

“Data Protection Legislation” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) as it forms part of domestic law in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018; in each case as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 or as otherwise amended, extended or re-enacted from time to time and in each case any statutory guidance issued by a UK Regulator;

“Model Clauses” means standard contractual clauses for the transfer of personal data to processors established in third countries issued or approved by the UK government or UK Regulator from time to time;

“Personal Data” means any information relating to an identified or an identifiable natural person (“Data Subject”) being one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity, or as otherwise defined under applicable Data Protection Legislation;

“Process” or “Processing” or “Processed” means accessing, obtaining, recording, holding, disclosing, using, altering or deleting Personal Data, or carrying out any operation(s) on the Personal Data or as otherwise defined under applicable Data Protection Legislation;

“Purpose” means processing as is necessary to provide the Services and any improvements thereto including means of communicating with Customers for the purpose of effecting a successful delivery or collection and confirming the level of satisfaction the Customers have with the Services;

“Security Incident” means the unauthorised acquisition, access, use or disclosure of Client Personal Data; and

“UK Regulator” means any UK regulator, authority or body responsible for administering Data Protection Legislation including the Information Commissioner.

29.01.26