Page 1 of 3
Data Processing Agreement (DPA) under Art. 28 GDPR
KIR Group GmbH
Address:
Laurenzerberg 2/1/1
Postal Code:
1010 Wien
E-Mail:
Phone:
+43 1 9973016
Website:
VAT Number:
ATU75007378
GLN:
9110028222191
GISA:
34701393, 34100202, 34100196
Company Register:
523892f
Jurisdiction:
Handelsgericht Wien
Preamble
This DPA specifies the data protection obligations of the parties under the main contract (“smartmove Fleets GTC”). The controller is the respective fleet operator; the processor is smartmove (KIR Group GmbH).
§ 1 Subject & Duration
smartmove processes personal data solely for the operation of the smartmove
platform and the contractually agreed modules. The duration corresponds to the term
of the main contract.
§ 2 Type & Purpose of Processing
• Collection, transmission & storage of vehicle telemetry
• Provision of fleet management functions (reports, API)
• Support, maintenance, error analysis
• Billing & contract fulfillment
§ 3 Types of Data / Categories of Data Subjects
Data Types | Data Subjects
Identity, contact, contract, vehicle & telemetry data | Drivers, fleet admins, end customers
§ 4 Rights & Obligations of the Controller
The controller is responsible for lawfulness, obtaining consent, protecting data
subject rights, and fulfilling information obligations.
§ 5 Obligations of the Processor
1. Processing only on documented instructions of the controller.
2. Confidentiality: all employees are bound by data secrecy.
3. Security: implementation of the technical & organizational measures
described in Annex 1 (TOM).
4. Sub-processors: current list in Annex 2 (Smartcar, Invers, Geotab,
Caruso). Changes only with prior notification and right of veto (§5 para.
4).
5. Data subject requests & notifications: supporting the controller with
rights to information, erasure, DPIA, reporting, and audits.
6. Deletion/Return: After contract termination, all personal data will be
deleted or – on request – returned.
7. Proof: provision of all necessary information to comply with this
agreement and enable audits.
§ 6 Audit Rights of the Controller
The controller may, with reasonable notice (14 days) during normal business hours,
review compliance with this DPA at smartmove or have it reviewed by third parties.
§ 7 Confidentiality & Non-Disclosure
Both parties commit to confidentiality regarding all data & information obtained under
this agreement.
§ 8 Liability
Liability is governed by the provisions of the main contract and the statutory GDPR
provisions (esp. Art. 82).
§ 9 Term & Termination
This DPA comes into force upon signing and automatically ends with the termination
of the main contract. The right to extraordinary termination for good cause remains
unaffected.
Annex 1: Technical & Organizational Measures (TOM)
1. Access control to facilities (data centers ISO 27001, biometric access systems)
2. Access control to systems (SAML-SSO, MFA, role-based rights)
3. Access control to data (least-privilege principle, encrypted DB fields)
4. Transfer control (TLS 1.3, VPN, SCC for third-country transfers)
5. Input control (audit logs, immutable log storage for 12 months)
6. Contract control (sub-processor checks, DPAs, annual pen tests)
7. Availability control (multi-AZ deployment, 24/7 monitoring, hourly backups)
8. Separation control (tenant IDs, DB schemas)
9. Privacy by design & default (data protection built into system design and default settings)
Annex 2: Approved Sub-Processors
Sub-processor | Service | Registered Seat | Safeguard
Smartcar Inc. | Telematics cloud | USA | SCC + additional measures
Invers GmbH | Telematics cloud | DE | EU DPA
Geotab Inc. | Telematics cloud | Canada | Adequacy decision
Caruso GmbH | Telematics cloud | DE | EU DPA
Meta Platforms Ireland Ltd. | Ads, tracking | Ireland/USA | SCC + additional measures
Google Ireland Ltd. | Ads, analytics, tracking | Ireland/USA | SCC / adequacy decision
HubSpot Inc. | Marketing automation | USA | SCC + additional measures