Personal Data Processing Agreement
between
TaxiCaller Nordic AB, company registration no. +44 1527 868000, with address Teknikringen
1A, +44 1527 868000 Linköping, Sweden (Hereinafter referred to as the “Data Processor” or “Service Provider”)
and Bromsgrove Taxi Cabs LTD.
The client, who provides passenger transportation services to its customers.
(Hereinafter referred to as the “Data Controller” or “Customer”)
The Data Processor and the Data Controller being hereinafter referred to collectively as
“Parties” and individually as “Party”.
1. Purpose of this Data Processing Agreement
The Parties have entered into an agreement (the “Service Agreement”) under which the
Service Provider provides a cloud-based dispatch and booking solution for taxis and other
forms of transportation (the “Service”). The full Service Agreement can be found here:
https://admin.taxicaller.net/admin/billing/terms.php. The Service involves that the Service
Provider processes personal data on behalf of the Customer. The Service Agreement remains
in effect until terminated by either Party.
The purpose of this Data Processing Agreement is to regulate the rights and obligations of the
Parties with regards to the processing of personal data under the Service Agreement in order
to ensure that the personal data is processed in accordance with the provisions in the EU
General Data Protection Regulation (GDPR) and any subsequent legislation replacing or
supplementing the above.
In the event that the terms in this agreement and the Service Agreement should not be
consistent or are in conflict regarding personal data processing, these terms override the
conflicting personal data processing terms in the Service Agreement. The remainder of the
Service Agreement still applies.
2. The purpose and scope of the personal data processing
The purpose of the processing of personal data is to be able to handle taxi (and other
transportation) bookings, dispatch jobs, provide technical support, train staff, data analysis,
report generation, correspondence, payment processing and to improve the Service and
technical platform of the Service.
Categories of data subjects and personal data which may be covered by the processing of
personal data under the Service Agreement are specified in Appendix 1 to this Data
Processing Agreement.
3. Obligations of the Data Controller
The Data Controller shall notify the Data Processor without undue delay of any and all
circumstances that may arise which may involve the need to change the way in which the
Data Processor processes personal data under this Data Processing Agreement. The Data
Controller is responsible for all data entered into the system and may not enter data
categorized as sensitive personal data or data needing extra protection.
4. Obligations of the Data Processor
4.1 Security Measures
The Data Processor shall implement appropriate technical and organisational measures to
ensure that personal data is processed in accordance with the requirements in the
applicable data protection laws, the conditions in the Service Agreement and in this Data
Processing Agreement. All security measures must be at least equal to the level which the
competent supervisory authority typically requires for equivalent processing activities.
The measures must be documented and submitted to the Data Controller upon request
without undue delay.
4.2 Instructions
The Data Processor must process personal data only on behalf of and for the benefit of the
Data Controller, only for the purposes stated in item 2 above. The Data Processor must
follow the instructions given by the Data Controller per Appendix 2 to this Data
Processing Agreement.
The Data Processor shall ensure that each of its personnel who has access to the personal data
covered by this Data Processing Agreement complies with the terms and conditions of
this Data Processing Agreement including specifically only processing the personal data
in accordance with the instructions given by the Data Controller.
If the Data Processor is of the opinion that the instructions given by the Data Controller
are in conflict with the applicable data protection legislation, the Data Processor must
immediately inform the Data Controller of the same through email.
4.3 Transfer of personal data and use of sub-contractors
The Data Controller agrees that the Data Processor may engage subcontractors to process
Personal Data on the Data Controller's behalf. The subcontractors currently engaged by
the Data Processor and authorized by the Data Controller are specified in Appendix 3 to
this Data Processing Agreement.
The Data Processor must enter into an agreement with each of its subcontractors, binding
the subcontractors to have at least the same obligations as the Data Processor has under
the Service Agreement and this Data Processing Agreement. The Data Processor is fully
responsible to the Data Controller for how the subcontractors process personal data,
including their security measures.
The Data Processor shall provide the Data Controller reasonable advance notice (for
which email or a message in TaxiCaller's admin panel shall suffice) if it adds or removes
subcontractors. In the event that the change cannot be approved by the Data Controller,
the Data Controller has the right to terminate the Service Agreement with immediate
effect. This shall be done in writing by the Data Controller.
4.4 Requirements with regards to localisation and transfer of personal data to third
countries
The Data Processor ensures that the personal data related to the usage of the Service
within the EU is primarily stored and processed in an EU country. In the cases when
personal data is stored and processed outside of the EU, the Data Processor shall ensure that
this is done in accordance with the law, for example, but not limited to, by using 3rd party
services complying with Privacy Shield or requiring external contractors to comply with
GDPR.
4.5 Obligation of Confidentiality
The Data Processor must ensure that any person who will process personal data under this
Data Processing Agreement is either covered by a statutory obligation of confidentiality or
has undertaken the same in a binding agreement. Confidentiality shall apply with regards
to all information processed by the Data Processor under this Data Processing Agreement
and the information shall remain confidential also after this Data Processing Agreement
has terminated. Access to personal data may only be granted to such person who needs it
in order to carry out its duties.
4.6 Incident Reporting
The Data Processor must promptly notify the Data Controller of any security incidents
where such incidents have resulted in or are likely to result in accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of or access to the personal data
covered by this Data Processing Agreement.
Upon request from the Data Controller, the Data Processor must promptly provide the
Data Controller with all requested information about the incident such as the facts relating
to the incident, its effects and the remedial action taken and cooperate with the Data
Controller in communicating about the incident with the supervisory authority where
necessary.
4.7 Assistance with fulfilling obligations towards the data subjects
The Data Processor must assist the Data Controller in fulfilling its obligations towards
data subjects and help the Data Controller facilitate the exercise of data subjects' rights
such as the correction and removal of data, data portability etc. in accordance with the
data protection legislation. This assistance must be provided without undue delay and
without any demands from the Data Processor for additional financial compensation
unless the request requires time-consuming manual work by the Data Processor.
4.8 Removal of personal data
During the current term of the Data Processing Agreement, the Data Controller’s user
indicates when personal data is to be deleted. No later than May 25th 2018 the Data
Processor will make it possible for the Data Controller to delete or anonymize such data.
After the termination of the Service Agreement, the Data Processor undertakes to, at the
choice of the Data Controller, delete or anonymize all personal data covered by the
Service Agreement with the exception of data that the Data Processor is required by law
to keep. This must take place promptly after the completion of the data processing
activities under this Data Processing Agreement and after the Data Controller has notified
the Data Processor in writing to delete the Data Controller’s TaxiCaller account without
any requirement for additional financial compensation, unless the Parties agree otherwise.
4.9 Audits and inspections
The Data Processor must allow for and contribute to audits, including inspections
conducted by the Data Controller or another auditor mandated by the Data Controller.
Additional rules on how the audit must be carried out are found in the instructions in
Appendix 2 of this Data Processing Agreement. The costs for audits and inspections shall
be paid by the Data Controller. These payments shall be done in advance.
4.10 The Data Controller may suspend or terminate the Service Agreement and this Data
Processing Agreement at any time, with immediate effect by notice in writing and
without incurring any liability for compensation for termination if the Data Controller,
acting reasonably and in good faith, has reason to believe that the Data Processor is
unable or has failed to comply with its obligations under this clause 4.
5. Limitation of liability
The limitations of liability in the Service Agreement apply to this Personal Data
Processing Agreement. The Service Agreement can be found here:
https://admin.taxicaller.net/admin/billing/terms.php
6. Updates to this agreement
This Data Processing Agreement can be updated by TaxiCaller at any time. An
updated Data Processing Agreement will come into effect once the Data Controller
has confirmed receipt of the update. The Data Controller has the right to stop using the
Service and have all the data removed if the Data Controller doesn’t accept the
updated terms.
Any updates made to this Data Processing Agreement must comply with GDPR.
7. Applicable Law and Jurisdiction
7.1 This Data Processing Agreement shall be governed by and construed in accordance
with the laws of Sweden.
7.2 Any disputes arising out of or in connection with this Data Processing Agreement
shall be determined by Linköping district court in Sweden or optionally, if TaxiCaller in
its own discretion chooses so, by arbitration in accordance with the Rules for Expedited
Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce. The seat
of arbitration shall be Linköping. The language to be used in the arbitral proceedings shall
be English.
7.3 In the event that any of the terms of this Agreement are in conflict with any applicable
rule of law or statutory provision or otherwise unenforceable under applicable laws or
regulations of any government or subdivision thereof, such terms shall be deemed stricken
from this Agreement, but such invalidity or unenforceability shall not invalidate any of the
other terms of this Agreement and this Agreement shall continue in force.
8. Indemnification
TaxiCaller reserves the right to access, read, preserve, and disclose any information as
we believe is necessary to (i) satisfy any applicable law, regulation, legal process or
governmental request or requests from police departments, (ii) enforce TaxiCaller's
Terms and conditions, including investigation of potential violations hereof, (iii)
detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to
user support requests, or (v) protect the rights, property or safety of TaxiCaller, its
users and the public.
9. Term
This Data Processing Agreement shall remain in effect as long as the Data Processor is
processing personal data on behalf of the Data Controller.
_________________________
Appendix 1 to the Personal Data Processing Agreement
1. Categories of data subjects registered
The following categories of data subjects may be covered in relation to the processing under
this Personal Data Processing Agreement.
Taxi passengers and persons ordering transportation.
Employees and persons using the service on behalf of a transportation company.
Other users of TaxiCaller’s cloud-based dispatch system.
2. Categories of personal data
The following categories of personal data may be processed under this Personal Data
Processing Agreement.
Name
Contact information
Home, work and other addresses
Vehicle information
Licenses to carry out services related to transportation and dispatching
Written and spoken communications
Photos
Timestamped GPS coordinates
Appendix 2 to the Personal Data Processing Agreement
Instructions
The client, who provides passenger transportation services to its customers, in its capacity as
Personal Data Controller for the processing of personal data covered by the Agreement,
hereby provides TaxiCaller Nordic AB, in its capacity as Personal Data Processor, the
following instructions.
2. Audits
When the Personal Data Controller requests an audit the Personal Data Controller and
the Personal Data Processor will agree on how the audit shall be done and by whom.
The Personal Data Controller shall have paid for the audit costs before the audit starts.
3. Information security
1. The Personal Data Processor is responsible for, in accordance with industry
best practices, (a) establishing controls to ensure the confidentiality of the
personal data and to ensure that the personal data is not disclosed contrary to
the provisions of the Data Processing Agreement or any privacy laws and, (b)
developing, implementing and maintaining appropriate technical, physical,
administrative and organisational security measures, procedures and practices
designed to protect the personal data taking into account the risks that the
processing of personal data may result in for the data subject’s rights and
freedoms, and for the operations of the Personal Data Controller. The Personal
Data Processor shall particularly ensure that the personal data is protected
against any actual, suspected or anticipated threats to the security and integrity
of personal data such as accidental or unlawful destruction, loss or change,
unauthorised disclosure of or access to personal data and other data breaches.
2. The Personal Data Processor must ensure at least the following with regards to
encryption of personal data.
Passwords are encrypted or hashed, and internet communication is encrypted (in
specific circumstances, and at the Data Controller's discretion, some web pages
may be accessed without encrypted data transfer).
3. The Personal Data Processor must ensure at least the following when it comes
to authentication of users.
User access is granted by username and password authentication, key-based
authentication, or access tokens which either have expiry dates or can be
revoked by the Data Controller.
4. The Personal Data Processor must ensure that any person working under its
supervision who has access to personal data covered by this Data Processing
Agreement only processes such data to the extent necessary in order for this
person to carry out its work duties.
5. The Personal Data Processor shall provide training, as appropriate, regarding
the privacy, confidentiality and information security requirements in the Data
Processing Agreement to all of its personnel who have access to personal data.
6. The Personal Data Processor may store, display, analyze and generate reports
of personal data for the following:
- Customer relation management system for both personal and corporate
clients
- Vehicle tracking and driven routes.
- Correspond with transportation customers.
- System user handling and access control.
- Provide a communication service between system users and passengers.
- System improvements, problem and error resolution.
- Technical support and staff training
- Transportation booking, handling and dispatching.
- Processing payments.
March 19, 2020