CARFAX Policy for the Processing of Data Governed by the GDPR

In connection with the services offered by CARFAX Europe GmbH (“CARFAX”), CARFAX may collect, process or handle Personal Data relating to individuals in the European Economic Area (the “Personal Data”) on behalf of its customers and its affiliates, where applicable (“customer”).

Although CARFAX’s relationship with its customers is typically governed by general terms and conditions and/or a master agreement, which includes order forms, schedules and addenda (the “Agreement”), CARFAX is also legally bound under the EU General Data Protection Regulation 2016/679 (the “GDPR”) concerning the manner in which it collects, uses, and processes Personal Data. This Policy describes CARFAX’s commitment to the processing of Personal Data under the GDPR.

If the European Economic Area (“EEA”) member state law applicable to a specific CARFAX customer requires that this Policy be appended to the Agreement, then CARFAX will execute a version of this Policy upon written request. Please contact your usual account representative or CARFAX at privacy@carfax.eu if you would like an executed version of this Policy.

1. Appropriate Technical and Organizational Measures. When CARFAX processes Personal Data on behalf of a customer, CARFAX implements appropriate technical and organizational measures to satisfy the requirements of the GDPR, to ensure the level of security of Personal Data is appropriate to the level of risk, and to help ensure the protection of the rights of the data subject.

2. Subprocessing. Customers hereby provide CARFAX with authorisation to utilize subprocessors. CARFAX requires that each of its subprocessors that may have access to Personal Data through CARFAX agrees to provide at least the same level of protection as is described in this Policy. To the extent required by law, CARFAX remains liable to its customers for any actions by its subprocessors that impact any rights guaranteed under the GDPR. If you would like further information about the service providers that we use from time to time to subprocess Personal Data, please contact CARFAX at privacy@carfax.eu.

3. Written Instructions. CARFAX only processes Personal Data in accordance with the terms (and to satisfy our obligations) set out in any Agreement, this Policy, the CARFAX Privacy Policy and any other written terms agreed with customer from time to time. The foregoing documents set out the subject-matter, duration, nature, purpose, types of Personal Data, categories of data subjects, and the obligations and rights of CARFAX’s customer relating to its processing of such Personal Data.

4. Transfers to non-EEA Countries. In connection with certain of its products and services, CARFAX confirms that Personal Data may be transmitted outside of the EEA. However, CARFAX will only transfer Personal Data provided it has a legal basis to do so under the GDPR, such as by offering to customers the Controller-Processor Standard Contractual Clauses or where it abides by the EU-U.S. Privacy Shield framework. CARFAX can provide customers a list of the countries to which Personal Data related to CARFAX’s relevant products or services may be transmitted, as well as the Controller-Processor Standard Contractual Clauses that govern such products or services, upon request to CARFAX at privacy@carfax.eu.

5. Confidentiality. CARFAX requires that the people it authorizes to process Personal Data are under appropriate obligations of confidentiality.

6. Cooperation Concerning Data Subjects. CARFAX cooperates with the reasonable requests of its customers (at the customer’s reasonable expense) to help them fulfill their obligations under the GDPR to respond to requests by data subjects to access, modify, rectify, or remove their Personal Data.

7. Cooperation Concerning Customer Documentation. CARFAX cooperates with the reasonable requests of its customers to provide information necessary to demonstrate compliance with this Policy and the GDPR or to conduct audits of the Personal Data held by CARFAX that was received from the customer. CARFAX will typically agree to such audits on the following basis: (a) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to CARFAX (not less than 30 business days); (b) audits will be conducted by customer or an appropriate independent auditor appointed by customer (not being a competitor of CARFAX), in a manner that does not have any adverse impact on CARFAX’s normal business operations; (c) customer and/or its representatives will comply with CARFAX’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data; (d) any records, data or information accessed by the Company and/or its representatives in the performance of any such audit will be deemed to be the confidential information of CARFAX, as applicable, and may be used for no other reason than to assess CARFAX’s compliance with the terms of this Policy (in connection with the foregoing, CARFAX may require Customer and/or its representatives to enter into a customary confidentiality agreement prior to any such audit); and (e) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of CARFAX personnel time, CARFAX shall be entitled to charge Customer USD 500 per hour for any such excess hours.

8. Personal Data Breach. In the event of a Personal Data breach under the GDPR, CARFAX will notify its applicable customers without undue delay after becoming aware of the breach. Such notification(s) may be delivered to an email address provided by Customer or, at CARFAX’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is responsible for ensuring that any email address provided by Customer is current and valid. CARFAX will take reasonable steps to provide its customers with information that they may reasonably require to comply with their obligations to notify impacted data subjects or supervisory authorities.

9. Deletion of Data; Termination and Variation. At the termination of a customer’s relationship with CARFAX, CARFAX will delete or return all Personal Data to our customer, unless CARFAX is permitted to retain it or is otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies. CARFAX reserves the right to charge a reasonable fee to comply with any customer’s request to return Personal Data. This Policy shall not be effective until 25 May, 2018 and will remain in effect until, and automatically expire upon, deletion of all Personal Data by CARFAX. CARFAX reserves the right to reasonably amend and update this Policy from time to time. CARFAX will give no less than 30 days’ notice of any such changes, which shall be included on the CARFAX website.

10. Governing Law. This Policy shall be governed by the governing law (and subject to the jurisdiction(s)) of the relevant Agreement and otherwise subject to the limitations and remedies expressly set out in the Agreement.

If you have any queries about this Policy, please contact your usual account representative or CARFAX at privacy@carfax.eu.