Contents

Data Processing Agreement

Version 2 – April 2022

1. DEFINITIONS

“data controller” (or “controller”), “data processor” (or “processor”), “data subject”, “personal data”,

“processing” and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable Data Protection Legislation (as defined in the Agreement”).

“Children’s Data” means personal data relating to an individual under 18 years.

“Customer Personal Data”, “Service Data” and “Sub-processor” are as defined in Metapack’s Master Subscription Agreement (the “Agreement”).

“Extended EEA Country” means a country within the European Economic Area (including the EU), Switzerland and the UK.

“Extended EEA Personal Data” means personal data as defined in the Data Protection Legislation of the applicable Extended EEA Country, the processing of which in connection with the services provided under the Agreement, is governed by the Data Protection Legislation of the applicable Extended EEA Country.

“Security Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, or access to Customer Personal Data.

“Sensitive Personal Data” means the categories of personal data defined in Article 9 of the GDPR, and data relating to criminal convictions and offences.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en&uri=CELEX:32021D0914) as amended/updated from time to time.

Capitalized terms used but not defined herein shall have the meanings specified in the Agreement.

2. LAWFUL BASIS FOR PROCESSING

2.1 Customer will ensure that it and any other data controllers of the Customer Personal Data:

1. ave complied and will continue to comply with their obligations under the Data Protection Legislation, including ensuring that it is fair and lawful for Metapack, its staff and sub-contractors to process the Service Data;
2. have all necessary and appropriate consents and notices in place so that Metapack may lawfully receive, transfer, use and process the Service Data for the duration and purposes of the Agreement;

2.2 Customer warrants that it and any other data controllers of the Customer Personal Data shall not knowingly transmit Children’s Data or Sensitive Personal Data to Metapack.

2.3 Customer shall defend, indemnify and hold harmless Metapack against all claims, fines (including regulatory fines), actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with Customer’s breach of its obligations hereunder.

2.4 Metapack shall, in providing the Services, comply with its data protection and information security policies relating to the privacy and security of the Customer Personal Data, as such documents may be amended from time to time by Metapack in its sole discretion.

3. PROCESSING ON CUSTOMERS INSTRUCTIONS

3.1 When processing Customer Personal Data in connection with the performance of Metapack’s obligations under the Agreement, Metapack will act only in accordance with the lawful and documented instructions of the Customer as set out in this Data Processing Agreement or as provided in writing by Customer from time to time (subject to Metapack’s right to charge additional sums at its then-current rates should the scope of the agreed Services be exceeded), unless Metapack is required by law to process the Customer Personal Data. Where Metapack is relying on applicable law as the basis for processing Customer Personal Data, Metapack shall notify Customer before performing the processing required by law unless such laws prohibit Metapack from notifying Customer.

3.2 Customer hereby instructs Metapack to process the Customer Personal Data:

1. for the provision of the Services (and for each of these purposes Metapack may share such Customer Personal Data with such Carriers as are stipulated by Customer from time to time and with Metapack’s Sub-processors as necessary to provide the Services);
2. for the purpose of fulfilling its obligations and exercising its rights under the Agreement;
3. as may be required by law, court order or any governmental or regulatory authority; and
4. until the date that Metapack ceases to provide the Services to Customer.

3.3 Customer acknowledges that Metapack processes the Service Data on Customer’s instructions. Consequently, Metapack shall not be liable for any claim brought by a data subject arising from any action or omission by Metapack, to the extent that such action or omission resulted directly from Customer’s instructions.

3.4 Customer acknowledges that the Services support secure transmission of data. To the extent that Customer chooses to transfer data to or from Metapack by an insecure method or instructs Metapack to transmit data to or receive data from Carriers who do not support secure transmission of data, Customer accepts the risks related to such transmission. Metapack will work with Customer and relevant Carriers to facilitate migration of data transfer to secure methods upon request.

3.5 Metapack shall notify Customer if it considers that an instruction from Customer is in breach of Data Protection Legislation, and Metapack shall be entitled but not obliged to suspend execution of the instructions concerned, until Customer confirms such instructions in writing.

4. METAPACK OBLIGATIONS

4.1 In relation to any Customer Personal Data processed in connection with the performance of its obligations under the Agreement, Metapack shall:

1. Implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Customer Personal Data and against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access to Customer Personal Data;
2. At Customer’s written request, assist Customer in responding to any request from a data subject necessary for compliance with its obligations under the Data Protection Legislation;
3. Notify Customer without undue delay upon becoming aware of any Security Breach involving Customer Personal Data;
4. At Customer’s written request, taking into account the nature of processing and the information available to Metapack, assist Customer with its obligations under Articles 32 to 36 of the GDPR and the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
5. At Customer’s written request, taking into account the nature of processing and the information available to Metapack, assist Customer by making available to Customer all information which Customer reasonably requests to allow Customer to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of processors have been met;
6. Maintain complete and accurate records of all processing operations under its responsibility. Such records shall contain the information required by the Data Protection Legislation. Metapack shall make such information available to Customer and/or any competent supervisory authority on written request;
7. On Customer’s written request, allow Customer and its respective auditors or authorized agents to conduct audits or inspections of Metapack within business hours during the term of the Agreement, on ten (10) Business Days’ prior written notice from Customer. The purposes of any audit pursuant to this paragraph is to verify that Metapack is processing Customer Personal Data in accordance with its obligations under this Data Processing Agreement. Customer undertakes to treat the results of such audits and inspections as Confidential Information and to ensure that its agents do likewise;
8. At Customer’s written request, delete or return to Customer any Customer Personal Data after the end of the provision of the Services, unless applicable law requires longer storage of the Customer Personal Data;
9. Ensure that all Metapack personnel who have access to or process the Customer Personal Data are subject to a binding duty of confidentiality and have received appropriate training on the Data Protection Legislation.

4.2 Metapack will not generally charge for responding to Customer’s written requests (as set out above in this paragraph), but reserves the right, at its sole discretion, to charge reasonable fees based on the administrative costs of providing such assistance, if provision of such assistance requires excessive resources or occurs at an excessive frequency.

5. SUB-PROCESSORS AND DATA TRANSFERS

5.1 Customer agrees that Metapack may transfer the Customer Personal Data or give access to Customer Personal Data to third party suppliers as Sub-processors for the purpose of providing the Services, provided that Metapack complies with the provisions of this paragraph 5.

5.2 Metapack shall ensure that it enters into written agreements with its Sub-processors which incorporate terms which are materially equivalent to those in paragraph 4 and as are required by applicable Data Protection Legislation.

5.3 Metapack shall remain responsible for its Sub-processor’s compliance with the obligations of this Schedule.

5.4 Metapack can at any time appoint a new Sub-processor provided that Customer is given ten (10) Business Days’ prior notice and Customer does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor’s non-compliance with applicable Data Protection Legislation. If, in Metapack’s reasonable opinion, such objections are legitimate, Metapack shall refrain from using such Sub-processors to process Customer Personal Data. In such cases, Metapack may use commercially reasonable efforts to make available to Customer a change in the Services to avoid the processing of Customer Personal Data by the objected-to Sub-processor.

5.5 Metapack is established in the UK. The UK is deemed to be an adequate data protection jurisdiction by the European Commission. Under both UK and EU Data Protection Legislation where Metapack (as a data processor) transfers Extended EEA Personal Data to Sub-processors in countries not deemed adequate under UK or EU Data Protection Legislation (“Restricted Jurisdictions”) it is possible for Metapack to do so by putting in place a prescribed form of standard contractual clauses with such Sub-processors.

5.6 Customer agrees that Metapack may transfer Extended EEA Personal data to Restricted Jurisdictions provided that Metapack shall enter into a written agreement with any Sub-processor located in a Restricted Jurisdiction to whom Metapack transfers such Extended EEA Personal Data before making such transfer. Such an agreement shall incorporate terms which are required under applicable Data Protection Legislation (for example, the Standard Contractual Clauses).

5.7 In the event that any competent judicial or supervisory authority holds that a data transfer mechanism relied on by the Parties (including pursuant to paragraph 5.6 above) is invalid, or any competent judicial or supervisory authority requires transfers of personal data made pursuant to such mechanism to be suspended, then the parties will co-operate to facilitate use of an alternative transfer mechanism.

6. MISCELLANEOUS

6.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Data Processing Agreement, the provisions of these terms shall prevail. Save as specifically modified and amended in these terms, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern these terms.

6.2 Metapack will provide Analytics Data to Customer as required to provide the Services, including the provision of tracking information, profiling and analytics relating to Customer shipments, and such other activities as agreed between the parties. Metapack shall be entitled to retain and process Analytics Data for internal business purposes, anonymous profiling, benchmarking, trend evaluation, industry wide analytics, analysis of potential fraudulent customer activity and for developing and commercially exploiting products and services offered to third parties that incorporate Analytics Data including those made available in the Services. In all such cases Analytics Data will only be shared with third parties in a form that does not enable the third party to identify data subjects. Customer hereby authorizes and irrevocably licenses Metapack to use Analytics Data for the purposes specified above, subject always to Analytics Data being supplied to third parties on an anonymized and aggregated basis.

For the purpose of this clause “Analytics Data” means any shipment-related data that is not Customer Personal Data including but not limited to data relating to the carriage, storage, delivery, routing and product type of shipped items

7. PROCESSING ACTIVITIES

7.1 Subject matter and duration of the processing

1. The Customer Personal Data shall be provided to Metapack by Customer and processed in accordance with Customer’s instructions in order to allow Metapack to provide the Services.
2. The processing shall take place for the duration of the Agreement, unless otherwise directed by the Customer.
3. Metapack shall retain end-user Service Data for 90 days from the date the Services are completed in respect of such data, except where otherwise agreed with Customer.

7.2 Nature and purpose of the processing

1. Metapack will process personal data of the Customer’s staff in order to:
   • provide access to Metapack Services, such as accounts on the Metapack Customer portal, and access to the Metapack support team.
   • provide relevant information to Customer in connection with the Agreement.
   • manage the commercial relationship with Customer in line with the provisions of the Agreement.
2. Metapack will process personal data of Customer’s end users in order to:
   • fulfil the terms of the Agreement with the Customer by providing the Services.
   • facilitate, on Customer’s instructions, the transmission of such data to Carriers with whom the Customer has a contractual relationship, in order to fulfil Customer’s contractual obligations to its end users.
   • facilitate the transmission of tracking and delivery data from such Carriers back to the Customer

7.3 Categories of data subjects. The Customer Personal Data processed relates to the following categories of data subjects: (1) Customer’s end users (i.e. members of the public who place an order with the Customer); and (2) Customer’s staff (including employees, workers and contractors).

7.4 Types of Personal Data

1. The Customer Personal Data is provided to Metapack by the Customer, and depending on the Services selected, elements of it relating to deliveries may be provided by the Customer’s Carriers.
2. There may be variations in the data provided to Metapack by a specific Customer, but typically the following categories of data are processed:
   • Customer Staff Personal Data
     • Names
     • (Business) email addresses
     • (Business) telephone numbers
     • Usernames and passwords
     • Job Titles
     • Other data as set out in the Metapack website privacy policy, which is available on https://www.metapack.com/legal/privacy-policy
   • Customer’s End User Personal Data
     • Names
     • Delivery Addresses
     • Telephone Numbers
     • Email Addresses
   • And optionally, dependent on the configuration chosen by Customer:
     • Dates of birth (e.g. for Carrier verification of age-restricted products)
     • Job titles
     • Other personal data as provided to Metapack by Customer
   • Tracking and delivery data as received from Carriers with whom Customer has a contractual relationship. Customer acknowledges that as this data is provided by the Carrier, the Carrier has sole control of the content, timeliness and accuracy of such data.
3. Customer acknowledges that it has control over the content of the Service Data which it shares with Metapack.
4. Customer shall not knowingly provide special categories of data, nor Children’s Data.