Last updated May 1, 2020
These Data Processing Terms (“DPA” or “Data Processing Terms”), when incorporated by reference into a commercial agreement (“Agreement”) between The Descartes Systems Group Inc. or one of its affiliates (hereafter referred to as “Descartes”) and a Customer, as defined in the Agreement, apply to any Processing of Personal Information performed by Descartes on Customer’s behalf as part of Descartes’ provision of GLN Services, Data Services, or other services (collectively, “Services”). All capitalized terms used in these Data Processing Terms shall have the meaning set out in the Agreement unless otherwise defined in these Data Processing Terms.
Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the Data Processing Terms, the Data Processing Terms shall take precedence but only to the extent of the conflict. For greater certainty, where an obligation is not addressed in these Data Processing Terms which is addressed in the Agreement, a conflict shall not be deemed to have arisen.
These Data Processing Terms do not apply to the Processing of any data that does not qualify as Personal Information under Data Protection Regulations.
1. Relationship Between the Parties
Descartes provides one or more Services to Customer under an existing commercial relationship. Descartes and Customer are separate legal entities with independent obligations under Data Protection Regulations. Customer understands that it may have an obligation under Data Protection Regulations to independently determine whether its use of Services complies with Data Protection Regulations. Customer acknowledges that Descartes has not made, and explicitly disclaims, any representations that the use of Services will cause Customer to become compliant with Data Protection Regulations.
“Controller” and “Processor” have the meaning set out in the Data Protection Regulations.
“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Descartes’ Affiliates” means the affiliates of Descartes that may assist in the performance of the GLN Services.
“Data Protection Regulations” means (a) Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5); (b) the General Data Protection Regulation (Regulation (EU) 2016/679) and applicable laws by EU member states which either supplement or are necessary to implement the GDPR (collectively “GDPR”); (c) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.198(a)), along with its various amendments (collectively “CCPA”); and (d) any other applicable law related to the protection of Personal Information.
“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
“Personal Information” means any information that relates to a Data Subject that Customer or its Administrative User or Permitted Users provide to Descartes to Process under the Agreement.
“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Information that is stored on computers, servers, or mobile devices owned or maintained by Descartes, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the Descartes entity listed in the Agreement.
“Processor List” means the list of Descartes’ Affiliates and/or Third Party Processors who may assist Descartes with some or all of the Processing of Personal Information of the Customer, a copy of the list being accessible at https://www.descartes.com/legal/privacy-center/supplemental-privacy-information.
“Third Party Processor” means a third party subcontractor, other than a Descartes’ Affiliate, engaged by Descartes, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Information of the Customer.
- Controller and Processor of Personal Information
Customer shall remain the Controller of the Personal Information for the purposes of the Agreement, including under this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Information to Descartes (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Information. Customer will not provide Descartes with access to any special categories of Personal Information, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Information unless permitted in the Agreement.
Descartes is a Processor of the Personal Information for the purposes of the Agreement. Descartes will Process Personal Information as necessary for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Information to third parties other than to Descartes’ Affiliates or Third Party Processors for the aforementioned purposes or as required by law.
- Types of Personal Information
Customer authorizes and requests that Descartes Process the necessary types of Personal Information required to fulfill the Agreement, which may include but is not limited to:
- personal contact information of Customer’s employees, trading partners or contractors (such as name, home address, home telephone number, mobile number or email address, etc.);
- transactional data (such as details of goods and services purchased, value of purchase, VAT registration number, delivery addresses, or names and contact information of shippers, receivers, or other individuals involved in the transportation or movement of the goods); and
- where required, identification data (such as government ID numbers if required by a government when information is submitted to or received from that government).
- Processing Instructions
Customer authorizes Descartes to Process Personal Information for the following purposes only:
- providing the requested Descartes product or service under the Agreement;
- communicating about the Descartes product or service including confirming the provision of all or part of the product or service;
- handling or preparing for disputes or litigation;
- complying with Customer’s written instructions in accordance with Section 5;
- to comply with Descartes’ legal or regulatory obligations; and
- for no other reason unless provided for under the Data Protection Regulations.
To the extent Descartes receives additional instructions for the Processing of Personal Information, Descartes will comply with such instructions to the extent necessary for: (i) Descartes to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement. Without prejudice to Descartes’ obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Descartes to comply with Customer’s instructions with regard to the Processing of Personal Information that require the use of resources different from, or in addition to, those normally required for the provision of the product or services under the Agreement.
Customer will ensure that its instructions to Descartes for the Processing of Personal Information will, at all times, be lawful and in compliance with the Data Protection Regulations. Descartes will notify Customer if it reasonably believes any instruction or request from the Customer will require Descartes to take any action that Descartes reasonably believes will not be in compliance with the Data Protection Regulations. Descartes shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.
- Requests from Data Subjects
In the event Descartes receives any requests from Data Subjects to access, remove, release, restrict, modify, or otherwise limit the Processing of Personal Information, Descartes will promptly provide a copy of that request to Customer's designated contact in the Agreement. Descartes will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law.
Where the Services already provide Customer with sufficient means to comply with any such requests, Customer agrees that it will utilize those means to respond to any Data Subject requests. Customer is responsible for using those means properly in accordance with any documentation or written guidelines provided by Descartes from time to time, and will not hold Descartes responsible for any improper use.
In the event the Services do not provide any means for Customer to self-manage a specific Data Subject request, Descartes will use commercially reasonable efforts, on Customer’s written instruction, to effect that specific Data Subject request. Notwithstanding the above, at no time shall Descartes have any obligation to alter any records that are maintained as a system of record of past transactions, to make any change to any records that would be inconsistent with the purpose for which the Personal Information was originally provided to Descartes for Processing, or to alter any record that Descartes is required to keep by any law or for any regulatory purposes. If Customer requires Descartes to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, modification, or blocking of access to Personal Information on behalf of Customer, Customer and Descartes will mutually agree on the scope of the work that Descartes may be willing to undertake and the reasonable fees, if any, for such work.
- Cross-Border Transfers Out of the European Union
Any transfers of Personal Information of Data Subjects across international borders to Descartes from Customer, or by Descartes to a Descartes Affiliate or a Third Party Processor will be subject to the following protections, presented in the order by which they will be applied:
- Transfer made subject to applicable local laws where Descartes, the Descartes Affiliate, or Third Party Processor is located within a jurisdiction deemed by the European Commission, or other similar body, to be a jurisdiction with data protection laws and regulations deemed “adequate” as set out at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm (as amended from time to time).
- Transfers made only to entities with a current and active Privacy Shield certification from the United States Department of Commerce where Descartes, the Descartes Affiliate, or Third Party Processor is located within the United States of America.
- Transfer is subject to the terms of the European Union’s standard Model Clauses (alternatively referred to as the Standard Contractual Clauses and as found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en or other replacement websites as set out by the European Commission) if permitted by applicable Data Protection Regulations.
- Transfer made subject to any other manner as specified in and permitted by applicable Data Protection Regulations.
Where Descartes has transferred Personal Data pursuant to one of the above conditions, and where that condition is no longer true, Descartes will take all commercially reasonable steps to ensure the transfer is permissible under some other condition as set out by the GDPR, including but not limited to the entering into of Model Clause agreements as required.
- Additional Processors
Some or all of Descartes’ obligations under the Agreement may be performed by Descartes’ Affiliates and/or Third Party Subprocessors. Descartes maintains a Processor List, which lists all Descartes’ Affiliates and Third Party Subprocessors that may Process Personal Information on behalf of Descartes. A copy of that list is available at https://www.descartes.com/legal/privacy-center/supplemental-privacy-information or upon request.
The Descartes’ Affiliates and Third Party Subprocessors are required to abide by substantially the same obligations as Descartes under this DPA as applicable to the Processing of the Customer’s Personal Information and, in any event, in a manner that is compliant with the Data Protection Regulations.
Descartes remains responsible at all times for compliance with the terms of this DPA by Descartes’ Affiliates and Third Party Subprocessors. Customer consents to Descartes’ use of Descartes’ Affiliates and Third Party Subprocessors in the performance of the Services in accordance with this DPA.
If additional Descartes’ Affiliates or Third Party Subprocessors are required to process Customer’s Personal Information in connection with Descartes’ performance under an Agreement, Customer will be notified in advance of changes to the Processor List. The Customer may refuse to consent to the involvement of a Descartes’ Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Descartes of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Descartes’ Affiliate or Third Party Processor’s ability to adequately protect Personal Information in accordance with this DPA. In the event that the Customer’s objection is justified, Descartes and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Descartes and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as a result of early termination of the Agreement.
- Security Measures
Descartes shall implement appropriate physical, administrative, organizational, technical, and personal security measures based on the type and nature of the Personal Information being processed and the level of risk associated with it. Descartes shall retain all Personal Information, including Personal Information that is contained on back-up media, in a logically secure environment that protects it from unauthorized access, modification, theft, misuse and destruction. Descartes shall ensure that platforms hosting the Personal Information are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorized change. Descartes’ security policy shall not allow electronic files containing Personal Information to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Information is encrypted using industry standard encryption technology. Descartes shall ensure that all employees with access to Personal Information are subject to a duty of confidence and/or written confidentiality agreement.
- Breach Management and Notification
For the purposes of this section, “Security Breach” means the misappropriation or unauthorized Processing of Personal Information located on Descartes’ systems, including by a Descartes employee, that compromises the security, confidentiality or integrity of such Personal Information. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Descartes will: (i) within forty-eight (48) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Information and the initial steps taken by Descartes to address the Security Breach; and (iii) within fifteen (15) business days, provide to Customer a detailed incident report analyzing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.
In investigating any Security Breach, Descartes will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Descartes will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.
- Security Breach Public Statements
In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities. Notwithstanding the above, nothing in this DPA shall be interpreted as limiting or restricting Customer’s rights or obligations under any applicable Data Protection Regulations.
During the Term of the Agreement, on an annual basis, Descartes will conduct, at no charge to Customer, an SSAE SOC 1, Type II audit of controls relating to the network operations of Descartes through which Personal Information is processed by Descartes under an Agreement. The results of that audit (“Audit Report”) are considered the confidential information of Descartes, and will be provided by Descartes to Customer on request only. The audit will be performed by an independent qualified third party auditor (or similarly qualified person). If a deficiency is identified as a result of such audit, Descartes will remediate, as Descartes deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Descartes.
In the event Customer wishes to audit Descartes’ compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Descartes’ compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Information to the extent required by laws applicable to Customer. Prior to the commencement of any audit, the Auditor must execute a written confidentiality agreement acceptable to Descartes.
To request an audit, Customer must submit a detailed audit plan to Descartes at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Descartes will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Descartes’ security, privacy, employment or other relevant policies). Descartes will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in an existing Audit Report that was prepared for Descartes within the prior twelve (12) months and Descartes confirms there are no known material changes in the controls audited, Customer agrees, unless restricted by law or other regulatory requirements, to accept those findings in lieu of requesting an audit of the controls already covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to Descartes’ policies, and may not unreasonably interfere with Descartes’ business activities.
Customer will provide Descartes any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Descartes may, at its discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits requested by Customer are at the Customer's expense. Any request for Descartes to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of services under the Agreement. Descartes will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.
- Legally Required Disclosures
Except as otherwise required by law, Descartes will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Information. At Customer’s request, Descartes will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Descartes has no responsibility to interact directly with the entity making the Demand, unless required by Data Protection Regulations or other applicable law to do so.
- Destruction of Personal Information
If requested by Customer, Descartes will, within a commercially reasonable period of time, destroy or render unreadable all Personal Information received by Descartes from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Information to be preserved or maintained. Written confirmation that the Personal Information was destroyed or rendered unreadable can be provided upon request.
- CCPA Specific Provisions
For the purposes of the CCPA, Descartes and Customer agree that:
- Descartes is a service provider to the Customer; and
- Descartes, as a for-profit entity, processes the Personal Information provided to it by Customer on behalf of Customer, for the purposes of fulfilling the Agreement, and at Customer’s direction, which Customer shall always provide to Descartes in writing.
|Data Processing Terms||May 2018|
|Data Processing Agreement Customer Letter||May 2018|
|Data Processing Terms||Feb 2020|