My Garage Control Panel Data Processing Agreement

Last Updated: 21/03/2024

VMS Group LTD as data controller appoints the garage with access to the My Garage Control Panel as a data processor

This agreement is made between Vehicle Management Systems Limited, registered number 09690853, registered office is at 7 The Hayloft, Far Peak, Northleach, Glos, England, GL54 3AP ("VMS") and the garage with access to the My Garage Control Panel (Garage).

BACKGROUND

The Garage wishes to supply to VMS, and VMS wishes to receive, the Services on and subject to the terms and conditions of this Agreement.

OPERATIVE PROVISIONS

1. DEFINITIONS AND INTERPRETATION

   In this Agreement:

   1. the following words and expressions have the following meanings unless the context otherwise requires:

      "Affiliate"	means: Vehicle Management Systems Limited; VMS's holding company and ultimate holding company and each of its subsidiary companies and its holding company and ultimate holding company's subsidiary companies from time to time (with "holding company" and "subsidiary" having the meanings given to them in section 1159 of the Companies Act 2006);
      "Agreement Personal Data"	means the Personal Data set out in Part 1 of Schedule 1 as Processed by the Garage on behalf of VMS or its Affiliates;
      "Applicable Laws"	means any: law including any statute, statutory instrument, bye-law, order, regulation, directive, treaty, decree, decision (as referred to in Article 288 of the Treaty on the Functioning of the European Union) (including any judgment, order or decision of any court, regulator or tribunal); legally binding rule, policy, guidance or recommendation issued by any governmental, statutory or regulatory body; and/or legally binding industry code of conduct or guideline in force from time to time which relates to this Agreement and/or the Services and/or the activities which are comprised in all or some of the Services, the use or application of the output from any part of the Services and/or VMS's business or the business of any other Service recipient;
      "Authorised Sub-Processor"	means as defined in clause 2.3.1;
      "Business Day"	means a day that is not a Saturday, Sunday or public or bank holiday in England and/or Wales;
      "Commercial Contract"	Means the commercial contract in relation to the Services between the parties to this Agreement as defined in clause 1.5;
      "Data Protection Legislation"	shall mean, the Applicable Laws, decisions, binding and non-binding codes of practice and guidance of a competent institution supervising or regulating data protection, the Processing of Personal Data and privacy of EU citizens, including the EU Directive 95/46/EC and from 25 May 2018 the General Data Protection Regulation (EU) 2016/679, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications);
      "Data Security Breach"	means as defined in clause 2.4.1.5;
      "Indemnified Costs"	means all costs (on a full indemnity basis) including legal and other professional costs and costs of enforcement;
      "Losses"	means all losses including all direct, indirect and consequential losses;
      "Recoverable Liabilities"	means all Losses, liabilities, Indemnified Costs, damages and expenses that the indemnified person does or will incur or suffer, all claims or proceedings made, brought or threatened against the indemnified person by any person and all Losses, liabilities, Indemnified Costs, damages and expenses the indemnified person does or will incur or suffer as a result of defending or settling any such actual or threatened claim or proceeding;
      "Services"	means the services provided by or on behalf of the Garage as set out in Part 2 of Schedule 1; and
      "Supervisory Authority"	means any applicable authority that oversees compliance with the Data Protection Legislation (in the UK currently the Information Commissioner's Office) as varied from time to time.

   2. references to the clauses and Schedules are to the clauses of and schedules to this Agreement;
   3. the Schedules form part of this Agreement and will have the same force and effect as if set out in the body of this Agreement and any reference to this Agreement will include the Schedules;
   4. unless the context otherwise requires:
      1. references to the singular include the plural and vice versa and references to any gender include every gender; and
      2. references to a "person" include any individual, body corporate, association, partnership, firm, trust, organisation, joint venture, government, local or municipal authority, governmental or supra-governmental agency or department, state or agency of state or any other entity (in each case whether or not having separate legal personality).
   5. Notwithstanding the terms set out in relation to the Services between the parties to this Agreement (the "Commercial Contract"), the parties agree that this Data Processing Agreement takes precedence over the terms of the Commercial Contract to the extent only of any conflict or inconsistency with the terms of this Agreement (and notwithstanding any sub-contracting or assignment of the Commercial Contract)
2. DATA PROTECTION

   References in this Agreement to Data Subjects, Personal Data, Process, Processed, Processing, Sensitive Personal Data, Special Personal Data, Data Controller or Data Processor, where capitalised, shall have the meanings in, and shall be interpreted in accordance with, the Data Protection Legislation.

   1. Compliance with laws
      1. The Garage shall not cause VMS to breach any obligation under the Data Protection Legislation.
      2. The Garage shall notify VMS in writing immediately, if in the delivery of the Services as an experienced supplier of the Services, it or they identifies (or identify) any potential areas of actual or potential non-compliance with the Data Protection Legislation.
   2. Authority
      1. VMS authorises the Garage to Process the Agreement Personal Data during the term of this Agreement as a Data Processor (on its and its Affiliates' behalf) for the purposes of providing the Services only.
      2. In consideration of the mutual payment of £1.00 (receipt of which is hereby acknowledged), the Garage agrees to provide the Services subject to the terms of this Agreement.
   3. Sub-processing
      1. The Garage shall not engage, use or permit any third party to Process Agreement Personal Data without the prior written consent of VMS, which may be withheld or subject to conditions at VMS's discretion. If VMS has consented to the use of third parties (subsequently, an "Authorised Sub-Processor") for the Processing of Agreement Personal Data:
         1. the Garage shall provide VMS with advance written notice of any intended changes to any Authorised Sub-Processor, allowing VMS sufficient opportunity to object;
         2. the Authorised Sub-Processor's activities must be specified and the same contractual terms set out in this clause 2, imposed on that Authorised Sub-Processor.
         Without prejudice to this clause 2.3.1, the Garage shall remain responsible for all acts or omissions of the Authorised Sub-Processor as if they were its own.
   4. Garage Obligations
      1. the Garage shall (and shall procure that any Authorised Sub-Processor shall):
         1. Process the Agreement Personal Data only on documented instructions from VMS, including this Agreement;
         2. without prejudice to clause 2.4.1.1, the Garage shall ensure that Agreement Personal Data will only be used by the Garage to the extent required to provide the Services. The Garage shall not without the express prior written consent of VMS (a) convert any Agreement Personal Data into anonymised, pseudonymised, depersonalised, aggregated or statistical data; (b) use any Agreement Personal Data for "big data" analysis or purposes; or (c) match any Agreement Personal Data with or against any other Personal Data (whether the Garage's or any third party's).
         3. not to cause or permit the Processing or transfer of any Personal Data in or to any country outside of the European Economic Area (and, should the United Kingdom cease at any time to be within the European Economic Area, it shall for the purposes of this clause 2.4.1.3 be treated as if it were nevertheless part of the European Economic Area) (a "Restricted Country") without the prior express written consent of the Customer (which may be refused at the Customer's sole discretion) and, where such written consent is given, take such steps as required by the Customer in order to protect the Personal Data and ensure that the transfer is in accordance with Data Protection Legislation and where it shall only be transferred to the extent of such written consent (and subject to any conditions set out therein, such as ensuring that the data importer is in a Restricted Country which has been and remains validly recognised by the UK's data protection authority as providing adequate protection for Personal Data) and, where deemed necessary in the opinion of the Customer, put in place and maintain throughout the period of any such transfer or other Processing outside of the European Economic Area such contractual requirements of the Customer as are required under the Data Protection Legislation so as to ensure the compliant export of the Agreement Data to third countries or international organisations (including a standalone set of the Standard Contractual Clauses as approved by the Commission Decision 2010/87/EU dated 5 February 2010 (or such other replacement set of Clauses as may be approved from time to time by the Commission)) and as between the Customer in its capacity as Data Controller and the relevant "data importer" as that term is used in the Clauses.
         4. ensure that any person authorised to process the Agreement Personal Data:
            1. have committed themselves to confidentiality obligations equivalent to those set out in the Commercial Contract
            2. Processes the Agreement Personal Data solely on written documented instructions from VMS;
            3. will not cause VMS or any of its Affiliates to breach any obligation under the Data Protection Legislation; and
            4. are appropriately reliable, qualified and trained in relation to their Processing of Agreement Personal Data;
         5. implement (and assist VMS to implement) technical and organisational measures at a minimum to the standard set out in Schedule 2 Information Security to ensure a level of security appropriate to the risk presented by Processing the Agreement Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (together, a "Data Security Breach");
         6. notify VMS without undue delay (an in any event no later than 24 hours) after becoming aware of a reasonably suspected, "near miss" or actual Data Security Breach. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay, and for the avoidance of doubt, the Garage and Authorised Sub-Processor may not delay notification under this clause 2.4.1.6 on the basis that an investigation is incomplete or ongoing, and not make or permit any announcement to any party, without VMS's consent, which may be subject to conditions at VMS's sole discretion;
         7. assist VMS in:
            1. ensuring privacy by design and default in respect of the Services and performance of this Agreement and the Commercial Contract;
            2. responding to requests for exercising the Data Subject's rights under the Data Protection Legislation, including by appropriate technical and organisational measures, insofar as this is possible;
            3. reporting any Data Security Breach to any Supervisory Authority or Data Subjects and documenting any Data Security Breaches;
            4. taking measures to address the Data Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
            5. conducting privacy impact assessments of any Processing operations and consulting with any applicable Supervisory Authority or appropriate persons accordingly;
         8. at the choice of VMS, securely delete or return all Agreement Personal Data to VMS after the end of the provision of the Services relating to Processing, and securely delete any remaining copies and certify when this exercise has been completed; and
         9. hold Agreement Personal Data physically and electronically separate to any other records or Personal Data, Processed by the Garage or Authorised Sub-Processor other than for the performance of the Services.
   5. Information provision
      1. The Garage shall make available to VMS all information necessary to demonstrate compliance with the obligations laid down in this clause 2 and allow for and contribute to audits, including inspections, conducted by VMS or another auditor mandated by VMS. The Garage shall immediately inform VMS if, in its opinion, an instruction infringes the Data Protection Legislation.
   6. Indemnity
      1. The Garage will indemnify VMS and its Affiliates against the Recoverable Liabilities, in each case arising out of or in connection with any breach by the Garage of any of its obligations under this clause 2 (including any failure or delay in performing, or negligent performance or non-performance of, any of those obligations).
3. TERM
   1. This Agreement will be effective from its date and will remain in force unless and until terminated by VMS.
4. NOTICES
   1. Any notice given under or in connection with this Agreement will be in the English language, marked for the attention of the specified representative of the party to be given the notice and:
      1. sent to that party's address by pre-paid firstclass post or mail delivery service providing guaranteed next working day delivery and proof of delivery; or
      2. delivered to or left at that party's address (but not, in either case, by one of the methods set out in clause 4.1.1); or
      3. sent by email to [email protected]
      4. The address, and e-mail address for VMS is set out below and may be changed by that party giving at least 10 Business Days' notice in accordance with this clause 4:
         1. Address: FAO The Data Protection Officer, My Garage, 7 The Hayloft, Far Peak, Northleach, Glos, England, GL54 3AP
         2. E-mail: [email protected]
      5. The address and e-mail address for the Garage is as defined in their My Garage Control Panel account.
   2. Any notice given in accordance with clause 4.1 will be deemed to have been served:
      1. if given by pre-paid first class post or mail delivery service as set out in clause 4.1.1, at 9.00am on the second Business Day after the date of posting;
      2. if given as set out in clause 4.1.2, at the time the notice is delivered to or left at that party's address; and
      3. at the time of sending the e-mail;
      provided that if a notice is deemed to be served before 9.00am on a Business Day it will be deemed to be served at 9.00am on that Business Day and if it is deemed to be served on a day which is not a Business Day or after 5.00pm on a Business Day it will be deemed to be served at 9.00am on the immediately following Business Day.
   3. If a notice is given in accordance with clause 4.1.3, the title to the e-mail will begin with the words "Service of Notice" and a copy of the notice will be sent to the receiving party's address (as set out in or changed in accordance with clause 4.1) by pre-paid first class post or mail delivery service providing guaranteed next working day delivery and proof of delivery within 24 hours after sending the e-mail. The requirements set out in this clause 4.3 are a condition to valid service of the relevant notice by e-mail.
   4. For the purposes only of this clause 4, references to time of day are to the time of day at the address of the recipient party as referred to in clause 4.1 and references to Business Days are to normal working days in the territory in which such address is situated.
   5. To prove service of a notice it will be sufficient to prove that the provisions of clause 4.1 were complied with.
5. ENTIRE AGREEMENT
   1. This Agreement constitutes the entire agreement between the parties and supersedes any prior agreement or arrangement in respect of its subject matter and:
      1. neither party has entered into this Agreement in reliance upon, and it will have no remedy in respect of, any misrepresentation, representation or statement (whether made by the other party or any other person and whether made to the first party or any other person) which is not expressly set out in this Agreement;
      2. the only remedies available for any misrepresentation or breach of any representation or statement which was made prior to entry into this Agreement and which is expressly set out in this Agreement will be for breach of contract; and
      3. nothing in this clause 5 will be interpreted or construed as limiting or excluding the liability of any person for fraud or fraudulent misrepresentation.
6. NO WAIVER
   1. A delay in exercising or failure to exercise a right or remedy under or in connection with this Agreement will not constitute a waiver of, or prevent or restrict future exercise of, that or any other right or remedy, nor will the single or partial exercise of a right or remedy prevent or restrict the further exercise of that or any other right or remedy. A waiver of any right, remedy, breach or default will only be valid if it is in writing and signed by the party giving it and only in the circumstances and for the purpose for which it was given and will not constitute a waiver of any other right, remedy, breach or default.
7. SEVERANCE
   1. If any term of this Agreement is found by any court or body or authority of competent jurisdiction to be illegal, unlawful, void or unenforceable, such term will be deemed to be severed from this Agreement and this will not affect the remainder of this Agreement which will continue in full force and effect.
8. VARIATION
   1. Save as otherwise expressly provided in this Agreement, no variation to this Agreement will be effective unless it is in writing and signed by a duly authorised representative on behalf of each of the parties.
9. NO PARTNERSHIP OR AGENCY
   1. Nothing in this Agreement and no action taken by the parties in connection with it will create a partnership or joint venture or relationship of employer and employee between the parties or, save as expressly provided otherwise in this Agreement, give either party authority to act as the agent of or in the name of or on behalf of the other party or to bind the other party or to hold itself out as being entitled to do so.
10. INDEPENDENT CONTRACTORS
    1. Each party agrees that it is an independent contractor and is entering into this Agreement as principal and not as agent for or for the benefit of any other person.
11. RIGHTS OF THIRD PARTIES
    1. The parties may vary or rescind this Agreement without the consent of the Garage's employees, agents or sub-contractors.
    2. The parties do not intend that any term of this Agreement will be enforceable under the Contracts (Rights of Third Parties) Act 1999 by any person.
12. JURISDICTION
    1. The courts of England and Wales have exclusive jurisdiction to determine any dispute arising out of or in connection with this Agreement (including in relation to any non-contractual obligations).
    2. Any party may seek specific performance, interim or final injunctive relief or any other relief of similar nature or effect in any court of competent jurisdiction.
    3. Subject to clause 12.2, each party waives any objection to, and agrees to submit to, the jurisdiction of the courts of England and Wales.
13. GOVERNING LAW
    1. This Agreement and any non-contractual obligations arising out of or in connection with it will be governed by the law of England and Wales.

SCHEDULE 1

Part 1 - Schedule of Data

For customers using the My Garage App, 'My Garage'.

Part 2 - Services (overview)

Set out in more detail in the Commercial Contract and Order Form.

SCHEDULE 2

Information Security

• Consumer personal data must be only be stored, accessed, and used by the methods detailed in this agreement.
• No other media than website to store consumer personal data – no email address books, writing pads, appointment books, wall calendars etc.
• Consumer name associated with a phone number will not be stored in garage telephony.
• Consumer booking and job queries will be managed using phone calls using website data not transferring personal information onto other media such as email.
• For the My Garage App service consumer data will not be used for any other purpose than agreed by the consumer. VMS will process all agreed marketing communications with the customer.
• All consumer service communications will be professional and courteous and of an appropriate frequency to communicate the message, eg:
  • Reminder day before work booking
  • Notification of any additional work required or recommended for the vehicle
  • Notification that vehicle is ready for collection
• Minimise access to the website application to roles required to complete the work. User IDs will not be shared and passwords will be securely stored.
• Enforce a password policy:
  • Default passwords must not be used
  • Passwords must be of at least 12 characters in length and must contain at least one of each of the following:
  • Lower case characters
  • Upper case characters
  • Numbers
  • Special characters
  • Accounts will be locked out after 10 incorrect login attempts
• The PC used to access the My Garage App should be in a secure position not accessible to the public, or if this is not possible, the machine should be logged out every time it is not being used.
• If you believe that the website has been compromised or accessed by an unauthorised user, contact customer service on [email protected], as soon as possible and within one hour of identification.
• Will have broadband internet access and a PC on site.
• PCs must be kept up to date with security patches and have a current anti virus program installed.
• PC Minimum Specification: Supported operating system: Windows 10 or later / Chrome / Minimum screen resolution 1024 x 768

SIGNED BY or on behalf of the parties at the time of agreeing to the terms on the My Garage Control Panel.