FOD Rental Platform Data Processing Agreement
- DEFINITIONS
1.1 Words that are capitalised but have not been defined in this DPA have the meanings given to them in the Terms. In addition, in this DPA the following definitions have the meanings given below:
Adequacy Decision: means any valid adequacy decision as referred to in Article 45 of the EU GDPR.
Adequacy Regulation: means any valid adequacy regulation as referred to in Article 45 of the UK GDPR.
Applicable Law means the following to the extent forming part of the law of the United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Fleetondemand Rental Platform:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business.
Controller has the meaning given to that term in Data Protection Laws.
Data Protection Laws: means, as binding on either party or the Services or the Fleetondemand Rental Platform:
(a) the EU GDPR;
(b) the UK GDPR;
(c) any laws from time to time to the extent giving effect to Article 71 (Protection of personal data) of the agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community;
(d) the Data Protection Act 2018;
(e) any laws which implement any such laws; and
(f) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing.
Data Protection Losses means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority.
Data Subject has the meaning given to that term in Data Protection Laws.
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR.
EU GDPR: means the General Data Protection Regulation, Regulation (EU) 2016/679.
International Recipient means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited without your prior written authorisation.
Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
Onward Transfer: means a Transfer from one International Recipient to another International Recipient.
Personal Data: has the meaning given to that term in Data Protection Laws.
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.
processing has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings).
Processing Instructions has the meaning given to that term in paragraph 3.1.1.
Processing End Date: means the earlier of:
(a) the end of the provision of the relevant Services or the Fleetondemand Rental Platform related to processing of the Protected Data; or
(b) once processing by FOD of any Protected Data is no longer required for the purpose of FOD’s performance of its relevant obligations under our Agreement.
Processor has the meaning given to that term in Data Protection Laws.
Protected Data: means Personal Data received from or on behalf of you, or otherwise obtained or accessed by FOD in connection with the performance of the Services or the provision of the Fleetondemand Rental Platform.
Sub-Processor means a Processor engaged by us or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on your behalf.
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the UK GDPR and EU GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
UK GDPR: means the General Data Protection Regulation, Regulation (EU) 2016/679 as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
- PROCESSOR AND CONTROLLER
2.1 We each agree that, for the Protected Data, where you are the Controller and we are your Processor, this DPA shall apply. Nothing in this DPA or any other part of our Agreement relieves you of any responsibilities or liabilities under any Data Protection Laws.
2.2 To the extent you are not sole Controller of any Protected Data you warrant that you have full authority and authorisation of all relevant Controllers to instruct us to process the Protected Data in accordance with our Agreement.
2.3 We will process Protected Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of our obligations under our Agreement; and
2.3.2 the terms of our Agreement.
2.4 You will ensure that each Authorised User will at all times comply with:
2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Fleetondemand Rental Platform (and each part) and the exercise and performance of your respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2 the terms of our Agreement.
2.5 You warrant, represent and undertake, that at all times:
2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) will comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
2.5.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by us and our Sub-Processors in accordance with our Agreement;
2.5.3 the Protected Data is accurate and up to date;
2.5.4 you will establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to us (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by us or any other person;
2.5.5 all instructions given by you to us in respect of Personal Data will at all times be in accordance with Data Protection Laws; and
2.5.6 you have undertaken due diligence in relation to our processing operations and commitments and are satisfied (and at all times you continue to receive the benefit of any Services and/or use the Fleetondemand Rental Platform remain satisfied) that:
2.5.6.1 our processing operations are suitable for the purposes for which you propose to receive the benefit of any Services and use the Fleetondemand Rental Platform and engage us to process the Protected Data;
2.5.6.2 the technical and organisational measures set out in the Information Security Policy (as updated by us from time to time) will (if we comply with our obligations under the Information Security Policy) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and
2.5.6.3 we have sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
- INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 Insofar as we process Protected Data on your behalf, we:
3.1.1 unless required to do otherwise by Applicable Law, will (and will take steps to ensure each person acting under its authority will) process the Protected Data only on and in accordance with your documented instructions as set out in our Agreement (including with regard to Transfers of Protected Data to any International Recipient), as updated with both of our agreement from time to time (Processing Instructions);
3.1.2 if Applicable Law requires us to process Protected Data other than in accordance with the Processing Instructions, will notify you of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.1.3 will promptly inform you if we become aware of a Processing Instruction that, in our opinion, infringes Data Protection Laws, provided that:
3.1.3.1 this will be without prejudice to paragraphs 2.4 and 2.5; and
3.1.3.2 to the maximum extent permitted by Applicable Law, we will have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following your receipt of the information required by this paragraph 3.1.3.
3.2 You acknowledge and agree that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Fleetondemand Rental Platform by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). You will ensure that Authorised Users do not execute any such command unless authorised by you (and by all other relevant Controller(s)) and acknowledge and accept that if any Protected Data is deleted pursuant to any such command, we are under no obligation to seek to restore it.
3.3 The processing of the Protected Data by us under our Agreement will be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the Appendix.
- TECHNICAL AND ORGANISATIONAL MEASURES
4.1 We will implement and maintain technical and organisational measures:
4.1.1 which are appropriate, having regard to the nature of the processing, the nature of the Personal Data being processed, the measures available, the cost of implementing such measures and the risks to individuals of the unlawful or unauthorised processing of that Personal Data in relation to the processing of Protected Data by us, as set out in the Information Security Policy; and
4.1.2 to assist you insofar as is possible (taking into account the nature of the processing) in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data, in each case at your cost on a time and materials basis in accordance with our standard rates. We each have agreed that (taking into account the nature of the processing) our compliance with paragraph 6.1 will constitute our sole obligations under this paragraph 4.1.2.
- USING STAFF AND OTHER PROCESSORS
5.1 We have your general authorisation for the engagement (whether directly or via a Sub-Processor) of any Sub-Processors from time to time. As at the Effective Date, FOD engages the Sub-Processors made available at https://www.fleetondemand.com/legal/fleetondemand-sub-processors (the Sub-Processor List). FOD shall update the Sub-Processor List whenever it intends to make any changes concerning the addition or replacement of a Sub-Processor or any changes to the processing we will undertake. You shall be responsible for monitoring the Sub-Processor List and any changes made thereto by FOD at all times. If you wish to object (which you shall only do on reasonable grounds) to the appointment of any Sub-Processor or to any change to any processing undertaken by any Sub-Processor, you will notify FOD in writing to dataprotection@fodmobilitygroup.com within 5 days of the relevant change being published by FOD on https://www.fleetondemand.com/legal/fleetondemand-sub-processors (the Objection Period). FOD shall be permitted to engage such new or replacement Sub-Processor(s) following the end of the Objection Period if you do not object prior to the end of the Objection Period in the manner required by this paragraph.
5.2 If you reject any proposed addition or replacement of a Sub-Processor in accordance with paragraph 5.1:
5.2.1 we shall use commercially reasonable endeavours to find an alternative Sub-Processor to your reasonable satisfaction; and
5.2.2 where we are unable to meet the requirement in paragraph 5.2.1 above, we shall not be liable to you for any failure to perform or delay in the performance of our obligations under our Agreement directly arising as a result of such rejection by you of any proposed addition or replacement of a Sub-Processor.
5.3 FOD shall:
5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);
5.3.2 ensure each such Sub-Processor complies with all such obligations; and
5.3.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were our own.
5.4 We will ensure that all natural persons authorised by us (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case we will, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
- ASSISTANCE WITH COMPLIANCE AND DATA SUBJECT RIGHTS
6.1 We will refer all Data Subject Requests we receive to you without undue delay. You will pay us for all work, time, costs and expenses incurred by us or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at our then current rates.
6.2 We will provide such assistance as you reasonably require (taking into account the nature of processing and the information available to us) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by you in response to any Personal Data Breach,
provided you will pay us for all work, time, costs and expenses incurred by us or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at our then current rates.
- INTERNATIONAL DATA TRANSFERS
7.1 Subject to paragraph 7.2, FOD shall not Transfer (nor permit any Transfer or Onward Transfer of) any Protected Data outside the United Kingdom or the EEA without your prior written authorisation except where required by Applicable Law.
7.2 All Transfers of Protected Data by FOD to an International Recipient (including any Onward Transfer) shall:
7.2.1 to the extent required under Data Protection Laws, be effected by way of Lawful Safeguards and in accordance with paragraph 7.3 and Our Agreement; and
7.2.2 be made pursuant to a written contract that includes equivalent obligations on each Sub-Processor in respect of Transfers of Protected Data to International Recipients as apply to FOD under this paragraph 7.
The provisions of this DPA shall constitute your instructions with respect to Transfers of Protected Data for the purposes of this DPA.
7.3 The Lawful Safeguards employed by FOD in connection with Our Agreement shall be as follows:
7.3.1 any relevant Adequacy Decision or Adequacy Regulation (as applicable);
7.3.2 in the absence of an appropriate Adequacy Decision or Adequacy Regulation (as applicable), relevant standard contractual clauses approved by any applicable Supervisory Authority (the SCCs); and/or
7.3.3 an alternative Lawful Safeguard.
7.4 FOD and each Sub-Processor is not obliged to make any unlawful Transfer of Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under Our Agreement due to:
7.4.1 there being no available valid Lawful Safeguard agreed under paragraph 7.3 from time to time for any of the Transfers authorised by you; or
7.4.2 FOD or any Sub-Processor declining to permit any Transfer(s) on the basis it believes (acting reasonably) that the circumstances in paragraph 7.4.1 apply.
7.5 You acknowledge that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Fleetondemand Rental Platform further to access and/or computerised instructions initiated by Authorised Users. You acknowledge that we do not control such processing and you will ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
- INFORMATION AND AUDIT
8.1 We will maintain, in accordance with Data Protection Laws binding on us, written records of all categories of processing activities carried out on your behalf.
8.2 On request, we will provide you (or auditors mandated by you) with a copy of the third party certifications and audits to the extent made generally available to our customers. Such information will be confidential to us and will be our Confidential Information as defined in our Agreement, and will be treated in accordance with applicable terms.
8.3 In the event that you, acting reasonably, deem the information provided in accordance with paragraph 8.2 insufficient to satisfy your obligations under Data Protection Laws, we will, on request by you make available to you such information as is reasonably necessary to demonstrate our compliance with our obligations under this DPA and Article 28 of the UK GDPR and EU GDPR, and allow for and contribute to audits, including inspections, by you (or another auditor mandated by you) for this purpose provided:
8.3.1 such audit, inspection or information request is reasonable, limited to information in our possession or control and is subject to you giving us reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;
8.3.2 we each (each acting reasonably and consent not to be unreasonably withheld or delayed) will agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which you or a third party auditor will comply (including to protect the security and confidentiality of other customers, to ensure we are not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);
8.3.3 you will ensure that any such audit or inspection is undertaken during our normal business hours, with minimal disruption to our businesses;
8.3.4 the duration of any audit or inspection will be limited to one Business Day;
8.3.5 all costs of such audit or inspection or responding to such information request will be borne by you, and our costs, expenses, work and time incurred in connection with such audit or inspection will be reimbursed by you on a time and materials basis in accordance with our then current rates;
8.3.6 your rights under this paragraph 8.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if you (acting reasonably) believe we are in breach of this DPA;
8.3.7 you will promptly (and in any event within one Business Day) report any non-compliance identified by the audit, inspection or release of information to us;
8.3.8 you agree that all information obtained or generated by you or your auditor(s) in connection with such information requests, inspections and audits will be our Confidential Information as defined in our Agreement, and will be treated in accordance with applicable terms;
8.3.9 you will ensure that each person acting on your behalf in connection with such audit or inspection (including the personnel of any third party auditor) will not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in our control or possession while conducting any such audit or inspection; and
8.3.10 this paragraph 8.3 is subject to paragraph 8.4.
8.4 You acknowledge and accept that relevant contractual terms agreed with Sub-Processor(s) may mean that we or you may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:
8.4.1 your rights under paragraph 8.3 will not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);
8.4.2 to the extent any information request, audit or inspection of any Sub-Processor is permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on you to those in paragraphs 8.3.1 to 8.3.10 (inclusive) will apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
8.4.3 paragraphs 8.2 and 8.3 will be construed accordingly.
- BREACH NOTIFICATION
9.1 In respect of any Personal Data Breach, we will, without undue delay:
9.1.1 notify you of the Personal Data Breach; and
9.1.2 provide you with details of the Personal Data Breach.
- DELETION OF PROTECTED DATA AND COPIES
Following the end of the provision of the Services and the Fleetondemand Rental Platform (or any part) relating to the processing of Protected Data we will dispose of Protected Data in accordance with our obligations under our Agreement. We will have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement. FOD shall (and shall ensure that each of the Sub-Processors shall) delete the Protected Data (and all copies) within a reasonable time after the Processing End Date except to the extent that storage of any such data is required by Applicable Law (and, if so, FOD shall inform you of any such requirement and shall (and shall ensure any relevant Sub-Processor shall) securely delete such data promptly once it is permitted to do so under Applicable Law).
- COMPENSATION AND CLAIMS
11.1 You will indemnify and keep us indemnified in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, us and any Sub-Processor arising from or in connection with any: non-compliance by you with the Data Protection Laws; processing carried out by us or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or breach by you of any of your obligations under this DPA, except to the extent that we are liable under paragraph 11.2.
11.2 We will be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:
11.2.1 only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from our breach of our Agreement; and
11.2.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by you (including in accordance with paragraph 3.1.3).
11.3 If one of us receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement, the Services or the Fleetondemand Rental Platform, it will promptly provide the other one with notice and full details of such claim.
11.4 We each agree that you will not be entitled to claim back from us any part of any compensation paid by you in respect of such damage to the extent that you are liable to indemnify or otherwise compensate us in accordance with our Agreement.
11.5 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between us, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.5.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
11.5.2 that it does not affect the liability of either party to any Data Subject.
- SURVIVAL
This DPA will survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in our or any Sub-Processor’s possession or control, except that paragraphs 10 to 12 (inclusive) will continue indefinitely.
APPENDIX - DETAILS OF PROCESSING
Subject-matter of processing:
The supply of the Services and the provision of the Fleetondemand Rental Platform.
Duration of the processing:
Until the earlier of final termination or final expiry of our Agreement.
Nature and purpose of the processing:
Processing in accordance with the rights and obligations of the parties under our Agreement;
Processing as required to provide the Services and the Fleetondemand Rental Platform; and
Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, the Fleetondemand Rental Platform or by you, in each case in a manner consistent with our Agreement.
Type of Personal Data:
Customer CUI-using bookers: Contact details (name, email address, phone number), information about which reservations they have created / amended etc. Information about activity on the Fleetondemand Rental Platform including URLs visited, user account unique identifier, session identifier and IP address.
Customer CUI-using drivers: Contact details (name, email address, phone number), information about which reservations they have created / amended etc. Data collected as required to provide their rentals such as home address where a delivery/collection is to that address. Information about activity on the Fleetondemand Rental Platform including URLs visited, user account unique identifier, session identifier and IP address.
Customer Non-CUI-using bookers: Contact details (name, email address, phone number), information about which reservations have been created on their request to the operator.
Customer Non-CUI-using drivers: Contact details (name, email address, phone number), information about which reservations have been created for them. Data collected as required to provide their rentals such as home address where a delivery/collection is to that address.
Operator OUI-users: Contact details (name, email address, phone number), information about which reservations they have created / amended etc. Information about activity on the Fleetondemand Rental Platform including URLs visited, user account unique identifier, session identifier and IP address.
Supplier SUI-users: Contact details (name, email address, phone number), information about which new/amended reservations they have confirmed. Information about activity on the Fleetondemand Rental Platform including URLs visited, user account unique identifier, session identifier and IP address.
Categories of Data Subjects:
Authorised Users, employees and customers
Version: January 2024.