Appendix on data processing EasyPost

1. General

1.1. This appendix on data processing or data processing agreement within the meaning of Article 28.3 General Data Protection Regulation (GDPR) (hereinafter: “Appendix”) will be added to the Agreement concluded between the Parties to form an integral part thereof. In the event of a conflict between the Agreement and this Appendix, the provisions of the Appendix will always take precedence. The provisions of the Agreement that are not affected by this Appendix remain unchanged and apply in full.

1.2. The provisions of this Appendix apply only if and insofar as EasyPost, within the framework of the Agreement, Processes Personal Data of Data Subjects for the benefit of and in accordance with the instructions of the Principal, whereby EasyPost qualifies as “processor” and the Principal as “controller” within the meaning of Article 4 GDPR.

1.3. This Appendix is entered into for a period equal to the term of the Agreement concluded between the Parties or as long as the Services are performed.

2. Definitions

2.1. In this Appendix, the following words or expressions, when capitalised, shall have the following meanings:

Appendix”: this appendix on data processing (as data processing agreement within the meaning of Article 28 GDPR) that forms an integral part of the Agreement;

GDPR”: Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation);

Data Protection Legislation”: the GDPR, together with other legislation arising from the GDPR and/or any other legislation of any other country regarding the protection of personal data or privacy.

2.2. Personal Data”, “Processing”, “Process” or “Processed”, “Controller”, “Processor” and “Data Subject(s) shall have the meaning as defined in Article 4 GDPR and as further defined in Article 3 below. “Data Breach” has the meaning of a “personal data breach” within the meaning of Article 4, 12) GDPR. 

2.3. The other capitalised words or phrases shall have the meanings defined in the Agreement.

3. Description of the Processing

3.1. Subject – nature: for the performance of the Agreement, EasyPost can Process certain Personal Data of Data Subjects in accordance with the instructions and for the benefit of the Principal. This is done in the context of the Services, in particular optimising the outgoing mail of the Principal, including mail collection and processing (weighing, sorting, labelling, enveloping and franking), internal courier services, the services of EasyPrint (if applicable) and the delivery to the Universal Postal Service Provider or other engaged Postal Service Providers, as further described in the Agreement. The Personal Data are Processed via the systems, tools and software of EasyPost (including the EasyPost portal).

3.2. Personal Data: the Personal Data Processed by EasyPost are the Personal Data of Data Subjects that are submitted by the Principal to EasyPost to enable or facilitate the performance of the relevant Services. In the first place these are the name and address details (name, address, place of residence), possibly telephone number and e-mail address of the Data Subjects, as stated on the Mail Items and/or acknowledgements of receipt, as well as mail ID barcodes that can be linked to a Mail Item and/or acknowledgement of receipt. The Mail Items themselves are Processed by EasyPost enveloped (in a closed envelope) so that it and/or its appointees do not have access to their contents, including any financial data, special categories of data (e.g. medical, judicial, criminal or sensitive data) or other Personal Data of Data Subjects not mentioned on or linked to the Mail Items or the acknowledgements of receipt themselves.

3.3. Data Subjects: the Data Subjects are the contact persons, addressees, senders and correspondents of the Principal. In principle, these are all persons with whom the Principal comes into contact during or as a result of its business operations or activities, who receive Mail Items from the Principal and whose Personal Data are Processed by EasyPost. These may also be persons to whom the contents of the Mail Items of the Principal relate (and not only the relevant addressees of the Mail Items), without prejudice to what is stipulated in this regard in Article 3.2.

3.4. Purposes: The purpose of the Processing of Personal Data by EasyPost is to (be able to) provide the relevant Services to the Principal. In particular, the name and address details on (enveloped) Mail Items are Processed for the following purposes: (i) the collection of outgoing Mail Items by EasyPost; (ii) optically reading the name and address details of the Mail Items and creating a digital mail ID barcode that is affixed to the Mail Items (the mail ID barcode is affixed to the Mail Item, then an optical file is registered and this optical file is processed by EasyPost OCR software to extract the address and link it to the mail ID barcode; finally, the name and address details and the mail ID barcode are forwarded to the Universal Postal Service Provider or other engaged Postal Service Providers via a secure protocol (web service); (iii) sorting and preparing the mail drop from the Universal Postal Service Provider or other engaged Postal Service Providers and (iv) storing acknowledgements of receipt for Registered Mail Items on the EasyPost portal.

3.5. Duration: as a rule, the Personal Data will only be Processed by EasyPost for the duration of the Agreement and/or this Appendix, and will not be kept longer than necessary for the purposes stated in Article 3.4, unless special legal provisions apply to its storage or Processing, or longer storage is necessary for the performance of the Agreement. In any case, the Personal Data will be stored no longer than ten (10) years after the termination of the Agreement with the Principal (being the limitation period for contractual claims).

4. Instructions from the Principal

4.1. EasyPost Processes the Personal Data exclusively in accordance with the (documented or written) instructions from the Principal, except in the case of deviating legal obligations, in which case the Principal shall inform EasyPost thereof prior to the Processing, unless such notification is prohibited by law. The Principal hereby authorises and instructs EasyPost to Process Personal Data in accordance with this Appendix and the Agreement. This Appendix and the Agreement together contain the full instructions from the Principal to EasyPost regarding the Processing of Personal Data. All additional or alternative instructions must be given separately in writing and agreed upon by the Parties.

4.2. The Principal represents and warrants that it is and remains authorised to give the aforementioned instructions on behalf of any affiliated company that, if applicable, is or may be responsible for the Processing of Personal Data of Data Subjects (whether or not jointly with the Principal).

5. Obligations of the Principal

5.1. The Principal shall comply with the Data Protection Legislation. It shall take all appropriate and organisational measures to ensure that the Processing of Personal Data of Data Subjects complies with the GDPR. In particular, the Principal will take the necessary measures with regard to components that the Principal provides, manages or controls, including workstations from which the Services of EasyPost are connected (such as the EasyPost portal), systems used for data transfer and for its personnel or appointees (including employees, subcontractors and self-employed workers).

5.2. The Principal is responsible for the legality of the (collection and/or Processing of the) Personal Data Processed by EasyPost in the context of the Agreement. The Principal will take all necessary measures to update the Personal Data and to erase and/or rectify incomplete or incorrect Personal Data.

5.3. The Principal represents and warrants that:

    • it has complied with applicable Data Protection Legislation when collecting and Processing Personal Data of Data Subjects;
    • it has adequately informed the Data Subjects about their rights and obligations (in accordance with Articles 13-14 GDPR), in particular about the Processing by EasyPost (or a category of service providers such as EasyPost) for and on the instructions of the Principal;
    • the Processing of Personal Data under the Agreement is lawful;
    • its personnel and appointees (including employees, subcontractors and the self-employed workers) know and will comply with the obligations under the Agreement and the Data Protection Legislation.

5.4. If compliance with Data Protection Legislation requires any action or measure on the part of EasyPost, in addition to the obligations under this Agreement, EasyPost will take such action or measure after prior consultation and agreement with the Principal. The latter will in any case inform EasyPost in advance of the required actions or measures, fully cooperate and provide assistance to EasyPost in this respect, and compensate EasyPost according to the rates applicable at that time, the Price List or prices agreed upon between Parties for services in this regard that require additional services, investments or modifications to the Services.

5.5. However, EasyPost is not responsible for compliance with any legislation applicable to the Principal or its activities that is not generally or specifically applicable to EasyPost.

6. Transfer of Personal Data outside the European Economic Area (EEA)

6.1. Any possible transfer of Personal Data to ((group) companies, third parties, service providers or servers in) countries outside the EEA will be done in accordance with the Data Protection Legislation.

6.2. EasyPost will Process the Personal Data it Processes for the benefit of the Principal in any country in which EasyPost, its affiliated companies and/or authorised sub-processors pursuant to Article 9 below have facilities. The Principal expressly authorises EasyPost to carry out any transfer of Personal Data to, and to perform any Processing in, such country under the Agreement.

6.3. EasyPost does not control and is not responsible for the location from which the Principal or its end users (can) Process Personal Data. In any case, the Principal will fully indemnify and hold EasyPost harmless against any damage suffered by third parties in this regard.

7. Transfer or disclosure of Personal Data

7.1. EasyPost will not pass on or transfer Personal Data to third parties, except:

    • on the instruction(s) of the Principal;
    • if required for the Processing of Personal Data by a sub-processor in accordance with Article 9 below;
    • if required by law.

7.2. In the case of passing on or transferring Personal Data to a third party on the instruction(s) of the Principal, only the latter is responsible for concluding written agreements with this third party regarding the protection and Processing of Personal Data. In any case, the Principal will fully indemnify EasyPost and hold it harmless against any damage resulting from such passing on or transfer by EasyPost to a third party, unless the aforementioned damage is due only to a proven shortcoming on the part of EasyPost.

7.3. EasyPost guarantees that its personnel acting under its authority, who are authorised to process Personal Data and have access to it, will observe the confidentiality of the Personal Data.

8. Security measures

8.1. EasyPost takes all appropriate technical and organisational measures regarding the security of the Processing required by Article 32 GDPR. These security measures will ensure a level of protection appropriate to the risks associated with the Processing and the nature of the Personal Data to be protected, taking into account the state of the art and the costs of its implementation.

8.2. At the request of the Principal, EasyPost can provide an updated description of the implemented security measures.

9. Use of sub-processors

9.1. The Principal acknowledges and expressly authorises EasyPost to engage sub-processors for the Processing of Personal Data and to pass on Personal Data to them.

9.2. EasyPost will inform the Principal about any change of sub-processor(s). If the Principal does not agree to the Processing of Personal Data by one or more sub-processors, the Principal will inform EasyPost in writing within fifteen (15) calendar days after receiving the aforementioned notification. If necessary, EasyPost will make reasonable efforts to propose changes to the Principal with a view to avoiding Processing of Personal Data by the sub-processor(s) in question.

9.3. EasyPost will enter into written agreements with any such sub-processor containing obligations no less protective than EasyPost’s obligations under this Agreement and in particular with regard to the obligation to take appropriate security measures to ensure that the Processing complies with Data Protection Legislation

9.4. In any case, EasyPost at all times remains the relevant point of contact for the Principal. In the event that the respective sub-processor fails to fulfil its data protection obligations, EasyPost remains responsible for this sub-processor’s compliance with the obligations under this Agreement.

10. Rights of the Data Subjects

10.1. Taking into account the nature of the Processing of Personal Data and insofar as possible, EasyPost will provide assistance and cooperation to the Principal in fulfilling its obligations under the Data Protection Legislation, in particular so that the Principal can comply with its obligation(s) to respond to requests from Data Subjects exercising their rights. The Principal shall make it possible for the Data Subjects to exercise their rights. The Principal shall provide all the necessary information about the Processing of Personal Data to the Data Subjects in accordance with Articles 13-14 GDPR.

10.2. If a Data Subject should contact EasyPost directly to access/copy, rectify, erase or limit the Processing of his/her Personal Data, EasyPost will refer the Data Subject in question to the Principal. EasyPost will not respond to the request itself. However, EasyPost can provide the Data Subject in question with the basic contact details of the Principal for support purposes. The Client shall inform the Data Subjects that they can only exercise their rights directly with the Principal. The Principal will respond to any such request from a Data Subject and fulfil its obligations under the Data Protection Legislation.

11. Notifications, inspections and audits

11.1. Unless prohibited by law, EasyPost will notify the Principal without unreasonable delay if EasyPost or any of its sub-processors receives a question, subpoena, or request for inspection or audit from a competent governmental or supervisory authority in connection with the Processing of Personal Data. EasyPost will also inform the Principal if EasyPost intends to provide Personal Data to a competent governmental or supervisory authority outside the scope of the Services. Finally, EasyPost will immediately notify the Principal if, in its opinion, an instruction or order from the Principal violates the Data Protection Legislation.

11.2. At the request of the Principal, EasyPost will provide the former with all information so that it can meet its obligations under Article 28 GDPR.

11.3. The Principal has the right to monitor compliance with the Data Protection Legislation. To this end, the Principal may, upon written request, once every twelve (12) months – unless (i) the audit is requested by a competent supervisory authority in accordance with Data Protection Legislation or (ii) after a Data Breach – and subject to prior written notification of thirty (30) calendar days, have an audit or inspection carried out at EasyPost by an expert.

11.4. Prior to such an audit or inspection, the Principal will inform EasyPost of its scope and duration, and coordinate its procedures in mutual consultation with EasyPost.

11.5. EasyPost will provide the necessary reasonable assistance and cooperation in such inspections or audits. All assistance in this regard will be reimbursed by the Principal according to the currently applicable rates, the Price List or prices agreed between the Parties.

11.6. The Parties agree that the performance of such inspections or audits may not unduly delay, disrupt or limit the business activities of EasyPost and/or the performance of the Services. In the event of such a delay, disruption or limitation, EasyPost will notify the Principal thereof and the Parties will try to mutually agree on a solution as soon as possible.

11.7. The Principal will immediately inform EasyPost in writing of any shortcomings identified during an inspection or audit. The Principal will provide a draft (audit) report to EasyPost free of charge. This report, as well as any other information to which the Principal or the designated expert has access in the context of an inspection or audit, is and remains strictly confidential.

11.8. The costs resulting from an inspection or audit by the Principal are fully for the expense of the Principal. The Principal may not request any compensation from EasyPost for these costs.

12. Data Breaches

12.1. EasyPost will inform the Principal without unreasonable delay as soon as it has become aware of a Data Breach, regardless of the cause.

12.2. The Principal will immediately notify EasyPost of any security incident or security issue, including a Data Breach, that is in any way related to the Services.

12.3. The Party responsible for the Data Breach will further investigate the Data Breach and keep the other Party informed of new developments as well as of the measures being taken and to be taken to limit and prevent the Data Breach from occurring.

12.4. Both Parties will cooperate in such an investigation and will provide mutual assistance in fulfilling their obligations under Data Protection Legislation, in particular the obligation to report a Data Breach to the Data Protection Authority pursuant to Article 33 GDPR.

12.5. A notification or announcement on the basis of current Article 12 and/or the Data Protection Legislation always takes place without (adverse) acknowledgement of any error or liability with regard to the Data Breach.

13. Data Protection Impact Assessments (DPIAs)

In the case that the Principal is obliged to provide a DPIA pursuant to Article 35 GDPR, EasyPost will provide the necessary cooperation and assistance to the Principal so that the Principal is able to fulfil its obligations in this regard. Such assistance is reimbursed to EasyPost at the rates currently applicable, the Price List or prices agreed between the Parties.

14. Erasure and return of Personal Data

14.1. In the event of termination of the Agreement and/or this Appendix, EasyPost will delete or anonymise all Personal Data on its systems (except in the case of any backup or archives) within sixty (60) days of the aforementioned termination, unless the Principal instructs otherwise or (further) storage or retention of the Personal Data is required by law, is necessary in the context of legal proceedings or is imposed by (judicial or supervisory) authorities. The aforementioned article applies without prejudice to Article 3.5 above.

14.2. If the Principal requests this in writing no later than thirty (30) days before termination of the Agreement and/or this Appendix, EasyPost will provide it with a copy of the Personal Data on its systems, with (all) expenses for the Principal.

15. Intellectual property rights

All intellectual property rights, including copyrights, database rights, trademark rights, trade names, domain names and software rights, on or in connection with the Services or processing activities (excluding the Personal Data themselves), as well as on or in connection with copies or adaptations thereof, at all times remain the property of EasyPost and/or its licensor(s). No provision of this Agreement can be construed as a full or partial transfer of the rights – ownership as well as (sub)license – to the Principal.

16. Liability

Without prejudice to Article 10 of the general terms and conditions of EasyPost, the Principal is liable and fully indemnifies EasyPost with respect to principal, interest and (lawyers) costs for all damage (including sanctions imposed by supervisory authorities (such as the Data Protection Authority) and administrative penalties) and damage suffered by Data Subjects or EasyPost) as a result of the Principal’s failure to comply with its obligations under this Agreement, internal policies, procedures and/or best practices of EasyPost regarding the processing of personal data and/or the Data Protection Legislation.