Data Protection Agreement

1. Introduction

HubBox needs to collect and use certain types of information about Customers and their parcels in order to provide the Service to the Retailer under the Terms. HubBox processes and stores this information in accordance with the GDPR and the Privacy Policy.

2. Data Protection

2.1 This Agreement shall apply only to the extent to which Personal Data (as defined in the GDPR) controlled by the Retailer is processed by HubBox for the purpose of providing the Service.

2.2 The parties acknowledge and agree that in respect of any Personal Data collected for the purpose of the Service, that each of HubBox and the Retailer will be acting as a separate controller for the purposes of the GDPR. Each party shall comply with its obligations under the GDPR, all applicable laws, enactments, regulations, orders, standards and other similar instruments.

2.3 HubBox shall process the Personal Data only to the extent, and in such a manner, as is necessary to perform its obligations under the Terms (the “Permitted Purpose”), except where otherwise required by any applicable law, and shall not process the Personal Data for any other purpose not set out in the Terms.

2.4 HubBox shall not perform its obligations under the Terms in such a way that causes (or is likely to cause) the Retailer to breach any of its obligations under the GDPR.

2.5 HubBox shall promptly comply with any request received from the Retailer requiring HubBox to amend, transfer or delete Personal Data.

2.6 HubBox shall not transfer Personal Data outside of the European Economic Area and/or the United Kingdom unless (i) it has first obtained the Retailer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with the GDPR.

2.7 HubBox shall provide reasonable and timely assistance to the Retailer to enable the Retailer to respond to: (i) any request from a Data Subject (as defined in the GDPR) to exercise any of its rights under the GDPR (including its rights of access, correction, objection, erasure, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Personal Data or to either party’s compliance with the GDPR. In the event that any such request, correspondence, enquiry or complaint is made directly to HubBox, HubBox shall promptly inform the Retailer providing full details of the same.

2.8 At the Retailer’s request, HubBox shall provide the Retailer with a copy of all Personal Data relating to the Retailer’s Customers held by HubBox in a format and on a media reasonably specified by the Retailer.

2.9 Upon termination or expiry of the Terms, HubBox shall, if requested by the Retailer, destroy or return to the Retailer all Personal Data relating to the Retailer (including all copies of Personal Data) in HubBox’s possession or control (including Personal Data subcontracted to a third party for processing), save in a situation where a Customer has independently registered with HubBox, in which case HubBox shall be entitled to retain the Personal Data relating to that Customer. This requirement shall not apply to the extent that HubBox is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event HubBox shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

2.10 HubBox shall ensure that access to the Personal Data is limited to:

(a) those employees, agents and subcontractors who need access to the Personal Data to meet HubBox’s obligations under the Terms; and
(b) in the case of any access by any employee, agent or subcontractor, such part or parts of the Personal Data as is strictly necessary for performance of that person’s duties.

2.11 Subject to Clause 2.1, HubBox shall ensure that any person that it authorises to process the Personal Data (including HubBox’s employees, agents and subcontractors):

(a) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty); and
(b) processes the Personal Data only as necessary for the Permitted Purpose.

2.12 HubBox shall take reasonable steps to ensure the reliability of any of HubBox’s employees, agents or subcontractors who have access to the Personal Data.

2.13 The Retailer is entitled, on giving at least 20 Business Days’ notice to HubBox, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Personal Data by HubBox. HubBox acknowledges that the Retailer (or its appointed representatives) may enter its premises for the purposes of conducting this inspection, providing that the Retailer gives notice in accordance with this Clause 2.13, conducts its inspection during Working Hours, and takes all reasonable measures to prevent unnecessary disruption to HubBox’s operations.

2.14 The Retailer will not exercise its inspection rights under Clause 2.13 more than once in any 12 calendar month period, except if and when required by instruction of a competent data protection authority.

2.15 Subject to Clause 2.1 HubBox warrants that it shall implement appropriate technical and organisational measures to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to Personal Data (a Security Incident). HubBox shall promptly inform the Retailer in the event of any Security Incident and will provide timely information and cooperation to the Retailer in order for the Retailer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) the GDPR.

3. Disclosure

HubBox may, in certain circumstances, be required under the GDPR to share Personal Data with other agencies (including governmental agencies) without the Customer’s consent. In such circumstances, HubBox will share no more information than is legally required.

4. HubBox’s Liability

HubBox’s liability is limited to the extent set out in the Terms.

5. Term and Termination

This Agreement shall be coterminous with the Terms save that HubBox’s obligations to protect and, if requested, delete Personal Data shall continue for as long as Retailer Customers’ Personal Data is processed by HubBox.

6. Variation

6.1 HubBox may amend this Agreement at any time by publishing revised wording on the HubBox Website and by giving 20 Business Days’ written notice of the same to the Retailer. The Retailer’s continued use of the Service after the notice period has expired will constitute acceptance of the revised Agreement.
6.2 Notice under this Clause 6 must be given to the Retailer in accordance with the notice provisions in the Terms.

7. Applicable law

7.1 This Agreement shall be construed in accordance with the laws of England and Wales.
7.2 The Courts of England and Wales shall have exclusive jurisdiction in relation to any matters arising out of this Agreement.

8. Third parties

A person who is not a party to this Agreement shall have no right to enforce any of its provisions under the Contracts (Rights of Third Parties) Act 1999.

9. Waiver

HubBox does not give up its rights by delaying or failing to exercise them at any time.

10. Severance

If any provisions of this Agreement are found by a court to be illegal or not enforceable, all other provisions will still be in effect.

Definitions

Business Day: means a day other than a Saturday, Sunday or bank or public holiday in England and Wales

Controller, Processor, Data Subject, Personal Data and Processing (and Process): shall have the meanings given in the GDPR

Customer: means a natural person purchasing goods from the Retailer’s website

GDPR: means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended, replaced or updated

HubBox: means Convenient Collect Limited (Company No. 9271441) t/a HubBox whose registered office is at 50 Liverpool Street, London EC2M 7PY, and includes HubBox’s servants, agents

HubBox Collect Point: means a dry cleaner, pharmacy, convenience store or other entity designated as a ‘Collect Point’ by HubBox

HubBox Website: means www.hub-box.com

Privacy Policy: means the HubBox customer privacy policy from time to time which can be found on the HubBox Website

Retailer: means the entity contracting with HubBox for provision of the Service as detailed in the Terms

Service: means

  1. in the case of Retailers whose Terms relate to HubBox Click & Collect, the provision of software and HubBox Collect Point network that enables the Retailer’s Customers to collect their deliveries from their local HubBox Collect Point; and/or
  2. in the case of Retailers whose Terms relate to HubBox Connect, the provision of software that enables the Retailer’s Customers to collect their deliveries from the Retailer’s own stores; and/or
  3. in the case of Retailers whose Terms relate to UPS Ship to Access Point ™, the provision of software that enables the Retailer’s Customers to collect their deliveries from their local UPS Access Point ™.

Terms: means the agreement between HubBox and the Retailer for the provision of the Service

UPS Access Point ™: means a location designated as a UPS Access Point ™ by UPS on www.ups.com.

Working Hours: means the opening hours displayed on the HubBox Website from time to time