1.1 Parcelhub Limited (“PHL”) acts as a data processor on behalf of its customers who, as data controllers, submit data through PHL’s software (“Parcelhub”) in order to access the services of providers of courier and postal despatch. PHL processes their data to this end and in order to provide supporting and related services. In certain cases the data so provided will relate to an identifiable subject and so is defined as “personal data” under EU General Data Protection Regulation 2016/679 (“GDPR”). This document serves the purpose of the written contract required to be in place between PHL and its customers (“Controller”) clarifying their responsibilities and liabilities under GDPR.
2.1 PHL will act only on the written instructions of the Controller in processing any data supplied (“the Data”), personal or otherwise, unless required by law to act without such instruction. Agreement to trade with PHL under written Sales Agreements is taken to constitute consent to process the Data solely for the purposes necessary to perform the contracted services.
2.2 PHL will ensure that any people processing or accessing the Data are subject to a duty of confidence. All staff of PHL are bound by the terms of PHL’s Staff Data Policy regarding correct and lawful processing.
2.3 PHL will take appropriate measures to ensure the security of processing the Data, such as are outlined in PHL’s Data Policy as published on PHL’s website.
2.4 PHL will only engage sub-processors of the Data with the prior consent of the Controller and a written contract. By submitting the Data for delivery by a chosen courier or postal provider through Parcelhub, such shipment being governed by prior written Sales Agreement, the Controller consents to PHL passing any of the Data necessary to that courier or postal provider for processing for their contracted purpose of conducting that delivery. Any other sub-processing of the Data will be subject to a further and separate written agreement.
2.5 PHL will assist the Controller in meeting any stated obligations regarding the provision of subject access to their personal data and any other rights under GDPR. Should PHL receive such a request directly, it will in the first instance refer the request to the Controller, inform the data subject that it has done so, and subsequently act according to the reasonable instruction of the Controller in providing further information or access.
2.6 PHL will assist the Controller in meeting any stated obligations regarding security of processing of the Data. The Controller is advised to incorporate the Details of Processing in this contract into their own data policy, and is advised that elements relating to the usage and storage of data therein are liable to form a central part of any such policy.
2.7 PHL will notify the Controller of any personal data breaches relating to the Data, and any resultant data protection impact assessments, in line with its obligations under GDPR.
2.8 PHL will submit to audits and inspections of its processing practices by any supervisory authority, and provide the Controller with any information required to meet an equivalent audit or inspection or any connected legal obligations.
2.9 PHL will immediately inform the Controller if it is asked by a third party to infringe GDPR or any other applicable data-protection law in relation to the Data.
3.1 PHL processes the Data on behalf of the Controller by using its submission through Parcelhub to supply relevant information to providers of courier and postal despatch. Subsequently the data is used to provide tracking information and supporting customer services on request and through provided online tools.
3.2 PHL processes the data for the purpose of enabling delivery to the Controller’s designated recipients.
3.3 The Data may contain a number of types of “personal data”, frequently consisting of name and address information and sometimes also accompanying telephone numbers and/or email addresses. Those names may be connected with either business or home addresses, and their usage for both business and personal purposes. While it is conceivable there may be “personal data” relating to vulnerable persons, to children, and to other special categories of person within the Data, this in current practice will not be identifiable therein, nor is the purpose of processing related to that status.
3.4 PHL’s general policy is that there should be no reason for the Controller to supply definable “sensitive personal data” to PHL for the purposes of its processing. Should PHL become aware of such instances, the Controller will be advised on ways in which the Data can be supplied so that it does not qualify as “sensitive”. Should there be no alternative to the Controller supplying “sensitive personal data” to meet its processing needs, PHL will agree a separate written arrangement regarding its safe usage and storage.
3.5 The Data is retained for a period of 90 days following despatch within PHL’s central courier database prior to its anonymisation by the removal of any identifiable personalising information. No personal information is held in PHL’s associated and other systems and databases for longer than this unless it is a necessary part of a continuing and unresolved query, claim, or dispute after 90 days, in which case any of the Data required for the resolution thereof will be retained until 30 days after last use.
3.6 The Data is submitted by PHL to the supplier of the chosen despatch service for the purpose of conducting delivery, and will then be stored by that supplier in line with their own processing terms.
3.7 Information, including the Data where applicable, that is submitted to PHL by email is stored for a period of 2 years after submission prior to archiving in an encrypted form offsite. Secure forms of information transmission other than email, deleted within 30 days of use, are alternatively available to Controllers that do not have their own such method in place.
3.8 The Controller holds responsibility for ensuring that the Data it provides to PHL for processing complies with all legal obligations. Specifically, (a) the Controller verifies that the Data, and any record therein, has been made subject to a valid and documented “lawful basis for processing” under GDPR, and that (b) the period for which the Data is retained within the areas of Parcelhub under the Controller’s administration has formed a part of that valid and documented test, (c) the Controller verifies that it has complied with any valid and reasonable subject request for removal or deletion it has received and that no records of such subjects exist within the Data, (d) the Controller verifies that the Data does not contain any record that is required to be excluded by either MPS or TPS registration as appropriate, (e) the Controller verifies that it is willing and able to cooperate with any compliance requirements made of it under GDPR.
4.1 PHL does not indemnify the Controller against any data breach or against any other financial harm resultant from its lawful processing of the Data, other than by prior additional arrangement or other than as governed by law.
4.2 Nothing within this contract relieves PHL of its own direct responsibilities and liabilities under GDPR.
Parcelhub Limited is registered with the ICO, registration number ZA308498.
For further information or questions regarding processing of data, please email [email protected]