1.1 Parcelhub Limited (“PHL”) acts as a data processor on behalf of its customers who, as data controllers, submit data through PHL’s software (“Parcelhub”) in order to access the services of providers of courier and postal despatch, or submit data to PHL for the purpose of contracting PHL to despatch items that it has stored and/or packed and prepared for despatch. PHL processes their data to this end and in order to provide supporting and related services. In certain cases the data so provided will relate to an identifiable subject and so is defined as “personal data” under EU General Data Protection Regulation 2016/679 (“GDPR”). This document serves the purpose of the written contract required to be in place between PHL and its customers (“Controller”) clarifying their responsibilities and liabilities under GDPR.
2.1 PHL will act only on the written instructions of the Controller in processing any data supplied (“the Data”), personal or otherwise, unless required by law to act without such instruction. Agreement to trade with PHL under written Sales Agreements, or by written acceptance of provided quotation for services, is taken to constitute consent to process the Data solely for the purposes necessary to perform the contracted services.
2.2 PHL will ensure that any people processing or accessing the Data are subject to a duty of confidence. All staff of PHL are bound by the terms of PHL’s Staff Data Policy regarding correct and lawful processing.
2.3 PHL will take appropriate measures to ensure the security of processing the Data, such as are outlined in PHL’s Data Policy as published on PHL’s website.
2.4 By submitting the Data for delivery by a chosen courier or postal provider through Parcelhub, such shipment being governed by prior written Sales Agreement, or by written acceptance of provided quotation for services, the Controller consents to PHL passing any of the Data necessary to that courier or postal provider for processing for their contracted purpose of conducting that delivery. PHL may also use other companies within the Whistl Group to assist with Customer Service provision, in which event restricted staff thereof will access related data to the query. Otherwise PHL will only engage sub-processors of the Data with the prior consent of the Controller and written agreement.
2.5 PHL will assist the Controller in meeting any stated obligations regarding the provision of subject access to their personal data and any other rights under GDPR. Should PHL receive such a request directly, it will in the first instance refer the request to the Controller, inform the data subject that it has done so, and subsequently act according to the reasonable instruction of the Controller in providing further information or access.
2.6 PHL will assist the Controller in meeting any stated obligations regarding security of processing of the Data. The Controller is advised to incorporate the Details of Processing in this contract into their own data policy, and is advised that elements relating to the usage and storage of data therein are liable to form a central part of any such policy.
2.7 PHL will notify the Controller of any personal data breaches relating to the Data, and any resultant data protection impact assessments, in line with its obligations under GDPR.
2.8 PHL will submit to audits and inspections of its processing practices by any supervisory authority, and provide the Controller with any information required to meet an equivalent audit or inspection or any connected legal obligations.
2.9 PHL will immediately inform the Controller if it is asked by a third party to infringe GDPR or any other applicable data-protection law in relation to the Data.
3.1 PHL processes the Data on behalf of the Controller by using its submission through Parcelhub to supply relevant information to providers of courier and postal despatch, or by formatting supplied information such that it is suitable for entry into any relevant despatch systems, and by using that information to produce and print despatch documentation. Subsequently the data is used to provide tracking information and supporting customer services on request and through provided online tools.
3.2 PHL processes the data for the purpose of enabling delivery to the Controller’s designated recipients.
3.3 The Data may contain a number of types of “personal data”, frequently consisting of name and address information and sometimes also accompanying telephone numbers and/or email addresses. Those names may be connected with either business or home addresses, and their usage for both business and personal purposes. While it is conceivable there may be personal data relating to vulnerable persons, to children, and to other special categories of person within the Data, this in current practice will not be identifiable therein, nor is the purpose of processing related to that status.
3.4 PHL’s general policy is that there should be no reason for the Controller to supply definable Special Category data to PHL for the purposes of its processing. It is possible that in certain specific instances the supply of a product description in combination with personally identifiable details will constitute Special Category data. The responsibility for legal processing of this data, which will normally involve obtaining and recording explicit consent for all processing from the data subject, rests with the Controller. Should PHL become aware of such instances, the Controller will be advised on ways in which the Data can be supplied that may avoid Special Category status. Should there be no alternative to the Controller supplying Special Category data to meet its processing needs, PHL will require a Variation of Terms to be agreed by the Controller specifying that they meet their legal processing requirements.
3.5 If the Data is provided other than by submission through Parcelhub, PHL retains files within which the Data is supplied for a period of 30 days following last processing, after which they are deleted.
3.6 The Data if submitted through Parcelhub or used for courier or tracked postal despatch is retained for a period of 90 days following despatch within both PHL’s and Whistl’s central courier databases prior to its anonymisation by the removal of any identifiable personalising information. No personal information is held in PHL’s associated and other systems and databases for longer than this unless it is a necessary part of a continuing and unresolved query, claim, or dispute after 90 days, in which case any of the Data required for the resolution thereof will be retained until 30 days after last use.
3.7 The Data is submitted by PHL to the supplier of the chosen despatch service for the purpose of conducting delivery, and will then be stored by that supplier in line with their own processing terms.
3.8 Information, including the Data where applicable, that is submitted to PHL by email is stored therein for a period of 2 years after submission and also archived on Mimecast (a cloud-based cybersecurity system) for 7 years before permanent deletion. The Controller is under no obligation to supply the Data in this way and is encouraged not to do so where the Data constitutes “personal data” under GDPR, although PHL recognises that the Controller holds ultimate responsibility and control over how the Data is submitted and used. Secure forms of information transmission other than email, deleted within 30 days of use, are alternatively available to Controllers that do not have their own such method in place.
3.9 Personal data processed using PHL’s designated warehouse/stock management system is stored therein for a period of 1 year prior to anonymisation by removal of personally-identifying name and address details.
3.10 The Controller holds responsibility for ensuring that the Data it provides to PHL for processing complies with all legal obligations. Specifically, (a) the Controller verifies that the Data, and any record therein, has been made subject to a valid and documented “lawful basis for processing” under GDPR, and that (b) the period for which the Data is retained within the areas of Parcelhub under the Controller’s administration has formed a part of that valid and documented test, (c) the Controller verifies that it has complied with any valid and reasonable subject request for removal or deletion it has received and that no records of such subjects exist within the Data, (d) the Controller verifies that the Data does not contain any record that is required to be excluded by either MPS or TPS registration as appropriate, (e) the Controller verifies that it is willing and able to cooperate with any compliance requirements made of it under GDPR.
4.1 PHL does not indemnify the Controller against any data breach or against any other financial harm resultant from its lawful processing of the Data, other than by prior additional arrangement or other than as governed by law.
4.2 Nothing within this contract relieves PHL of its own direct responsibilities and liabilities under GDPR.
Parcelhub Limited, part of the Whistl Group, is registered with the ICO, registration number ZA308498.
For further information or questions regarding processing of data, please email [email protected]