Privacy and Security Statement

Updated with effective on 25th May 2018 for compliance the General Data Protection Regulation 2016/679 (“GDPR”)

This Agreement is made as of 25th May, 2018 between Master Global Logistics Limited and his affiliates (herein after referred to as “Master Global”); and User (herein after referred to as “Data Controller”) whereas:

A. The User appointed Master Global pursuant to contract to provide Services (as defined below) to the User.

B. The User and Master Global agree to supplement and amend the terms of the Contract to address their mutual rights, duties and obligations arising as a result of the implementation of the Regulation (as defined below) and the Applicable Data Protection Laws (as defined below), to the extent applicable.

IT IS HEREBY AGREED as follows:
1 DEFINITIONS AND INTERPRETATION

1.1 Unless otherwise stated, this Agreement adopts the same definitions and interpretation in the Contract. The capitalised terms in this Agreement shall have the meanings set out in Schedule 1.

1.2 Reference to this Agreement includes the Schedules. If there is any inconsistency between the Clauses and the Schedules to this Agreement, the Clauses shall take precedence.

2 AMENDMENT TO THE CONTRACT

2.1 This Agreement amends the Contract in accordance with the provisions thereof. All existing provisions of the Contract shall continue in full force and effect saves as amended by this Agreement. The Contract and this Agreement shall be read and construed together and shall be deemed to constitute one and the same instrument.

3 DATA PROTECTION

3.1 As and from the Effective Date, the Contract shall be amended and supplemented by Clauses 3.2 to 3.11 below.

3.2 The User authorises Master Global to process Personal Data provided to Master Global or which is made available to it for the purposes of providing Services to the User pursuant to the Contract and for any other purposes set out in Schedule 2.

3.3 The User shall be the “Data Controller” and Master Global shall be a “Data Processor” for the purposes of the Regulation and/or the Applicable Data Protection Law. The Data Subjects, Categories of Personal Data, Processing Operations and Duration of Processing relevant to the provision of the Services are defined in Schedule 2.

3.4 The User represents and warrants that it complies with the Regulation and any Applicable Data Protection Laws regarding the collection, use and all other security measures of the Personal Data, in particular:

(a) all of the Personal Data that the User provides or makes available to Master Global has been lawfully and validly obtained or processed by the User, and can be lawfully disclosed to Master Global for the provision of Services and any other agreed purposes. The Processing of such Personal Data will be relevant, fair, lawful and proportionate to the respective uses of the User;

(b) all Data Subjects have been informed of Master Global’s Processing of their Personal Data for the agreed purposes and the User can demonstrate a lawful basis for such Processing; and

(c) the User has established a procedure for the exercise of the rights of individuals whose Personal Data are collected and are in its custody or under its control.

3.5 The User agrees that Master Global is permitted to, and instructs Master Global to:

(a) Process all Personal Data that Master Global collects from, or relating to, the User in order to provide the Services under the Contract, including but not limited to transferring Personal Data to competent bodies, courts or regulatory authorities in order to provide the Services, comply with Applicable Data Protection Laws or comply with requests from such bodies, courts or authorities;

(b) disclose or transfer the Personal Data to its Affiliates, and any of its employees, agents, delegates, Sub-Processors, or competent authorities (including customs and tax authorities) and bodies in order to provide the Services or services ancillary thereto;

(c) Process the Personal Data to carry out actions or investigations that Master Global considers appropriate to meet its obligations arising from applicable laws relating to fraud prevention, sanction, money laundering, terrorist, bribery, corruption, and the provision of other services to persons who may be subject to economic or trade sanctions (including disclosure to Sub-Processors);

(d) report regulatory related information to competent bodies or authorities in order to comply with its legal and regulatory obligations;

(e) retain the Personal Data for so long as it is required to provide the Services or perform investigations in relation to such, or otherwise required by Applicable Data Protection Law and/or justified under the relevant English or other statutory limitation periods (as applicable), whichever is the later; and

(f) Process, retrieve or track the Personal Data for the purpose of updating the User’s records for fees and billing, improving service, servicing the client relationship, developing, operating, maintaining and improving Master Global’s services, products, websites, software and/or other business tools, conducting system testing, troubleshooting and to advise the User of other products and services offered by Master Global and/or its Affiliates.

3.6 Unless otherwise prevented by Applicable Data Protection Laws, Master Global agrees that it will

(a) Process the Personal Data only on behalf of the User and in compliance with the written instructions of the User and this Agreement. If it is required by any applicable laws to process or disclose Personal Data for purposes other than those agreed, it shall promptly inform the User of that legal requirement before processing the Personal Data;

(b) as soon as practicable inform the User if in Master Global’s opinion, and without any obligation to perform any legal assessment, an instruction given to it breaches the Regulation, Applicable Data Protection Law and/or any applicable laws;

(c) take appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, the Personal Data, and ensure that all persons who have access to process Personal Data have committed themselves to appropriate obligations of confidentiality;

(d) provide reasonable assistance to the User to enable it to comply with (i) the rights of Data Subjects; (ii) the security requirements; and (iii) any privacy assessment procedure or consultation, as required under the Regulation and/or Applicable Data Protection Law;

(e) inform the User without delay of (i) any request for the disclosure of the Personal Data by a law enforcement authority; (ii) any incident which gives rise to a risk of unauthorised access, disclosure, loss, destruction, misuse or alternation of Personal Data; (iii) any notice, inquiry or investigation by a Supervisory Authority; and (iv) any complaint or request (in particular, requests for access to, rectification or blocking, erasure and destruction of Personal Data) received directly from the Data Subjects;

(f) Notify the User as soon as it becomes aware of a Reportable Breach and will provide the User with reasonable assistance in responding to and mitigating it. Where the Reportable Breach is connected to Master Global’s Processing of the Personal Data, the User shall provide Master Global with a copy of the intended notification (if any) to be made by the User to the affected Data Subjects and/or Supervisory Authority for Master Global’s prior written approval; and

(g) Upon termination of the Contract, the Personal Data shall, at the User’s option, be destroyed or returned to the User.

3.7 The User acknowledges and agrees that Master Global shall be permitted to perform any or all of its Personal Data processing obligations through its Affiliates, subcontractors, or continue to use sub-contractors engaged by Master Global, provided that (i) Master Global shall remain liable to the User for such performance of its Personal Data processing obligations by any Affiliate or subcontractor; and (ii) all Affiliates or subcontractors engaged by Master Global shall be bound by the terms of an agreement which contain the same or equivalent obligations with respect to Personal Data processing as are imposed on Master Global under this Agreement.

3.8 The User acknowledges and agrees that Master Global may transfer the Personal Data to a country outside of the European Economic Area (“EEA”) in accordance with the Model Clauses, Ad hoc Clauses or other available data transfer solutions under the Regulation and/or Applicable Data Protection Law. The User hereby consents to such transfers and agrees to be bound by the Model Clauses or Ad Hoc Clauses (as the case may be). The User represents and warrants to Master Global that disclosure of any transfer contemplated will be made in the User’s documentation.

3.9 The User shall remain solely and fully liable for any damage which a Data Subject may suffer as a result of the Processing of their Personal Data which is under the User’s control and which does not result from a breach by Master Global of its obligations under this Agreement and the Applicable Data Protection Law.

3.10 The User acknowledges and agrees that Master Global is reliant upon the User as the Data Controller for lawful direction and documented instructions as to the extent to which Master Global is entitled to process any Personal Data. The User agrees that Master Global will not be liable and it shall fully and effectively indemnify Master Global for any claim brought by a Data Subject and/or any competent authority or body arising from any action or omission of Master Global, to the extent that such action or omission resulted from the User’s instructions given to Master Global.

3.11 Both Parties acknowledge and agree that, whether Master Global or the User has paid full compensation for damages suffered by a Data Subject, where joint liability has been determined in the course of any legal proceeding or other decision, the Party that paid the compensation in full to the Data Subject is entitled to claim back from the other Party that portion of the compensation corresponding to the other Party’s responsibility for the damage to the fullest extent that such indemnification is permitted by the Applicable Data Protection Law.

4 PRECEDENCE

4.1 In the event of any conflict and/or inconsistency between any Data Protection Provisions contained in the Contract (if any) and the data protection provisions contained in this Agreement, the provisions on data protection only in this Agreement shall prevail.

5 COUNTERPARTS

5.1 This Agreement may be executed in any number of counterparts and by the different Parties hereto on separate counterparts each of which when executed and delivered shall constitute an original and all such counterparts together constituting but one and the same instrument.

6 VARIATION

6.1 No provisions of this Agreement may be amended, changed, waived, discharged or terminated except in writing signed by each of the Parties.

6.2 If any of the provisions of this Agreement is found by an arbitrator, court or other competent authority to be void, illegal or unenforceable, this will not affect the remaining provisions of this Agreement. The Parties shall negotiate in good faith in order to replace this void, illegal or unenforceable provision with such a valid, legal or enforceable provision which the parties would have agreed upon if they have been aware of the void, illegal or unenforceable provision. The same procedure to apply in case of a contractual gap.

7 GOVERNING LAW AND JURISDICTION

7.1 This Agreement (including any non-contractual obligations arising out of or in connection with the same) shall be governed by and construed, and any and all claims, suits, proceedings or disputes howsoever arising in connection with this Agreement or the rights and obligations in the Contract shall be determined in accordance with the laws of England.

7.2 The provisions of this Clause 7 shall continue to apply notwithstanding the termination of this Agreement.

Any notice or any communication under this Agreement shall be delivered to the other party in writing at the address mentioned below or by electronic means as advised by Master Global or the User from time to time.

Master Global (Data Processor)
Signed for and on behalf of Master Global Logistics Limited
Ivy Lau
Director and General Manager
Unit 7, 7th Floor, Fook Yip Building, 53-57 Kwai Fung Crescent, Kwai Chung, N.T. Hong Kong.
Date: 23rd May, 2018

User (Data Controller)
Signed for and on behalf of _____________________ (Company Name)
Name:
Title:
Address:
Date:

SCHEDULE 1

“Ad hoc Clauses” means the draft contractual clauses prepared by the Article 29 Working Party on data transfers from processors to sub-processors established in third countries according to Article 26(2) of Directive 95/46/EC of the European Parliament and of the Council, and as may be amended or replaced from time to time, a copy of which can be found at http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp214_en.pdf;

“Contract” means the contract entered into or will be entered into pursuant to which Master Global provides the Services (as defined below) to the User pursuant to the Terms of Use and Privacy and Security Statement, and including all schedules and appendices thereto (as may be amended from time to time);

“Affiliate” means any subsidiary or holding company of Master Global or the User, as the case may be, and any subsidiary of such holding company and for these purposes the terms “subsidiary” and “holding company” are defined as follows:

(i) a company is a “subsidiary” of another company only if—

(a) it is controlled by—

i. that other company; or

ii. that other company and one or more companies each of which is controlled by that other company; or

iii. two or more companies each of which is controlled by that other company; or

(b) it is a subsidiary of a subsidiary of that other company.

(ii) a company is the “holding company” of another only if that other company is its subsidiary.

“Applicable Data Protection Law(s)” means

(i) for the purposes of English law, all applicable national laws, regulations and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion and text messaging, email and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Information, in which Master Global or its Affiliate is subject to or which are otherwise applicable;

(ii) for the purposes of European Union law, the Data Protection Acts 1988 and 2003 (as amended), the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications Regulations 2011 and the Regulation (as defined below) (as amended or replaced from time to time), and any other EU regulations, directives, guidance, directions, determinations, codes of practice, circulars, orders, notices or demands issued by any Supervisory Authority in which Master Global or its Affiliate is subject to; and

(iii) any applicable national, international, regional, municipal or other data privacy authority or other data protection laws or regulations in any other territory in which Master Global or its Affiliate is subject to or which are otherwise applicable.

“Data Controller” has the meaning assigned to it in the Regulation and/or any Applicable Data Protection Law;

“Data Processor” has the meaning assigned to it in the Regulation and/or any Applicable Data Protection Law;

“Data Protection Provisions” mean any and all provisions in the Contract relating to the Parties’ rights, duties and obligations under any Applicable Data Protection Law;

“Data Subjects” means the identified or identifiable natural person to whom the Personal Data relates and includes the categories of data subjects listed in the Schedule 2;

“Effective Date” means the date on which the Regulation become applicable to the Services;

“Model Clauses” mean the standard contractual clauses annexed to the European Commission’s Decision 2010/87/EU for the Transfer of Personal Data to Processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, as amended, on the protection of individuals with regard to the Processing of the Personal Data and on the free movement of such data, and as may be amended or replaced from time to time, a copy of which can be found at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en;

“Personal Data”/“Personal Information” has the meaning assigned to it in Applicable Data Protection Laws and includes the categories of Personal Data processed (as defined below) by the Parties under the Contract, as set out in the Schedule 2; for the avoidance of doubt, Personal Data means any information about an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual, including Sensitive Personal Data and further includes:

(a) the categories of Personal Data set out in Schedule 2; and

(b) Personal Data collected as part of the monitoring and recording of calls and electronic communications by Master Global.

“Processing (and its derivatives)” means carrying out any operation on Personal Data, including collecting, obtaining, recording, holding, storing, organising, adapting, structuring, altering, retrieving, transferring, consulting, using, disclosing, disseminating or otherwise making available, aligning, combining, restricting, blocking, erasing or destroying it.

“Regulation” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) as and when it becomes applicable to the Services on and from 25 May 2018;

“Reportable Breach” means (i) any breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to Personal Information which is likely to adversely affect a Data Subject; and/or (ii) the unauthorised or unlawful Processing, and/or any accidental or unlawful destruction of, loss of, alteration to, or corruption to Personal Data;

“Sensitive Personal Data” means any Personal Data relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information;

“Services” have either (a) the same meaning as the term “Services” set out in the Contract, or (b) in the event that the Contract does not contain any such defined term, the services that Master Global has agreed to perform pursuant to the terms of the Contract;

“Sub-Processor” means a third party engaged by the Data Processor or by any Sub-Processor of the Data Processor who is not a Party to this Agreement and who agrees to receive from the Data Processor or from any other Sub-Processor of the Data Processor, Personal Data exclusively for processing activities to be carried out on behalf of the Data Controller;

“Supervisory Authority” means an authority established in accordance with Article 51 of the Regulation or any other equivalent authority established under the Applicable Data Protection Law, the Minister responsible for information and communication technologies policy and innovation or any other authority or official appointed and/or delegated with responsibility for the oversight or enforcement of the Applicable Data Protection Law.

SCHEDULE 2

This Schedule describes the categories of Personal Data, Data Subjects and the Processing operations to be carried out by Master Global.

1. Data Subjects

The Personal Data to be Processed by Master Global concerns but are not limited to the following categories of Data Subjects:

(1) the Users of Master Global; and

(2) all employees, representatives, contractors, Affiliates and agents of the Users.

2. Categories of Personal Data

The Personal Data to be Processed by Master Global includes but are not limited to:

(1) Name or user ID

(2) Business Card

(3) Number of identity card, passport or other personal identification documents

(4) Department

(5) Role/Job title

(6) Contact number (home, mobile or fax)

(7) Mail address

(8) Signature

(9) Email (office or private)

(10) Address

(11) Source of Funds

(12) Identity details of instant messaging or social networking applications

(13) Social media profile

3. Categories of Sensitive Personal Data

The Categories of Sensitive Personal Data are:

(1) Sex

(2) Age

(3) Date of Birth

(4) Images of identity cards, passports or other personal identification documents

(5) Bank account number

(6) Nationality

(7) Legal domicile

(8) Place of birth

(9) Photograph

(10) Health Issue

(11) Marital status

(12) Family member's name (spouse, minors, etc)

(13) Sanction screening and adverse media searches

4. Processing Operations

The Personal Data will be Processed for purposes including, but not limited to:

(1) Performance of the transportation contract

(2) Payment requests and settlement

(3) Communications

(4) Conducting Sanction, Anti-Money Laundering checks and other legal/regulatory obligations related to client processing

(5) Hosting

(6) Software development

(7) Business development

(8) Relationship improvement and development

(9) Service improvement and development

(10) System testing and troubleshooting

(11) Marketing

(12) Insurance and Claims

(13) Audit and compliance activities related to the above

5. Duration

Personal Data may be processed by Master Global for the duration during which it is to provide Services pursuant to the Contract or perform investigations in relation to such, unless otherwise required by applicable laws and/or justified under applicable statutory limitation periods, whichever is the later.

[End]