Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Agreement between The Right Fuel Card Company Limited (“TRFC”) and the relevant provider (“Provider”).

The Parties agree that this DPA sets out the terms on which the Provider processes personal data on behalf of TRFC in connection with the Services, in accordance with applicable data protection law, including the UK GDPR, the Data Protection Act 2018 and, where relevant, the EU GDPR.

The Parties further agree that:

The provisions of this DPA form part of the Agreement and shall prevail over any conflicting provisions relating to personal data processing;

The remaining provisions of the Agreement shall continue in full force and effect except as amended by this DPA; and

References in this DPA to Data Protection Legislation include any amendment, replacement or re-enactment of such legislation.

ARTICLE 1 – DEFINITIONS

For the purposes of this DPA, the terms Personal Data, Controller, Processor, Processing, Data Subject and Personal Data Breach have the meanings given to them in applicable Data Protection Legislation.

In this DPA:

“Data Protection Legislation” means all laws and regulations applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018 and, where relevant, the EU GDPR.

“Driver Data” means the limited personal data relating to drivers processed by the Provider on behalf of TRFC under this DPA, namely:

  • full name; and

  • vehicle registration number.

“Services” means the fuel card and related services provided under the Agreement.

“Sub-processor” means any third party appointed by the Provider to process Personal Data on behalf of TRFC in connection with the Services.

ARTICLE 2 – SCOPE

2.1 The purpose of this DPA is to define the conditions under which the Provider undertakes to process Personal Data on behalf of TRFC in connection with the performance of the Services.

2.2 This DPA applies only where:

  • TRFC acts as Controller; and

  • the Provider acts as Processor or Sub-processor,

in relation to the Driver Data processing described in Appendix 2.

2.3 Driver Data processed under this DPA is restricted to:

  • the driver’s full name; and

  • the driver’s vehicle registration number.

2.4 Such Driver Data may be processed only for the following purposes:

  • embossing or otherwise personalising fuel cards for authorised drivers, where applicable;

  • receiving, recording and processing transaction information where the driver is asked to provide their name and vehicle registration number at the point of purchase;

  • supporting service administration connected with the fuel card service; and

  • supporting fraud prevention and misuse investigations linked to the fuel card service.

2.5 The Provider shall process Personal Data only on TRFC’s documented instructions, unless otherwise required by applicable law. Where the Provider considers that an instruction infringes Data Protection Legislation, it shall inform TRFC without undue delay.

2.6 Each Party shall comply with its obligations under applicable Data Protection Legislation in relation to the Personal Data processed under this DPA.

ARTICLE 3 – GENERAL OBLIGATIONS

3.1 The Provider shall:

  • process Personal Data solely for the purpose of performing the Services and only in accordance with this DPA and TRFC’s documented instructions;

  • immediately inform TRFC in writing if, in its opinion, an instruction infringes Data Protection Legislation;

  • implement and maintain appropriate technical and organisational measures for the duration of the Agreement to protect Personal Data and support compliance with Data Protection Legislation;

  • ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;

  • not use any Artificial Intelligence system or model when processing Personal Data without TRFC’s prior written consent;

  • not use or re-use Personal Data for its own purposes relating to AI, including training, testing, improving or fine-tuning any AI model;

  • comply with the principles of privacy by design and privacy by default to the extent applicable to the Services; and

  • make available to TRFC the information reasonably necessary to demonstrate compliance with this DPA.

3.2 TRFC shall:

  • provide or make available the Personal Data described in Appendix 2;

  • provide documented instructions to the Provider; and

  • remain responsible for supervising the processing carried out on its behalf, including through audits or reviews where appropriate.

ARTICLE 4 – COOPERATION AND ASSISTANCE

4.1 The Provider shall cooperate with and provide reasonable assistance to TRFC, taking into account the nature of the processing and the information available to the Provider, to enable TRFC to comply with its obligations under Data Protection Legislation.

4.2 In particular, the Provider shall provide reasonable assistance to TRFC:

  • in responding to requests from Data Subjects exercising their rights under Data Protection Legislation;

  • in meeting obligations relating to security of processing;

  • in assessing, investigating and responding to Personal Data Breaches;

  • in carrying out data protection impact assessments where required; and

  • in cooperating with the Information Commissioner’s Office or other competent authority where required.

4.3 If the Provider receives a request directly from a Data Subject or competent authority relating to Personal Data processed under this DPA, it shall promptly notify TRFC and shall not respond substantively unless legally required to do so.

For the purposes of this Article, TRFC may be contacted at: dpo@rightfuelcard.co.uk

ARTICLE 5 – SECURITY

5.1 The Provider acknowledges that security is a fundamental requirement of the Services and shall implement appropriate technical and organisational measures to protect Personal Data.

5.2 The Provider shall comply with its obligations under Data Protection Legislation and shall take into account the nature, scope, context and purposes of the processing, the risks to Data Subjects, the sensitivity of the Personal Data, and the state of the art.

5.3 The Provider shall implement and maintain appropriate security measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services used in connection with the Personal Data.

5.4 The technical and organisational measures implemented by the Provider shall, where appropriate, include:

  • access controls and authentication measures;

  • role-based access restrictions;

  • secure storage and transmission controls;

  • backup and recovery arrangements;

  • logging and monitoring;

  • regular testing and review of security controls; and

  • staff confidentiality and awareness measures.

5.5 The Provider shall ensure that Personal Data is disclosed only to those of its employees, agents and authorised personnel who need access to it for the performance of the Services and who are bound by appropriate confidentiality obligations.

ARTICLE 6 – DATA BREACH

6.1 The Provider shall notify TRFC without undue delay and, where feasible, no later than twenty-four (24) hours after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

6.2 Such notification shall include, where available:

  • a description of the nature of the breach;

  • the categories and approximate number of Data Subjects affected;

  • the categories and approximate number of Personal Data records concerned;

  • the likely consequences of the breach;

  • the measures taken or proposed to address the breach and mitigate its adverse effects; and

  • the name and contact details of the relevant contact point for further information.

6.3 Where all information is not available at the same time, the Provider may provide the information in phases without undue further delay.

6.4 TRFC shall determine whether notification to a supervisory authority or affected Data Subjects is required, unless the Provider is legally required to notify directly.

6.5 The Provider shall provide reasonable assistance to TRFC in investigating, mitigating and remediating any Personal Data Breach affecting Personal Data processed under this DPA.

ARTICLE 7 – AUDIT

7.1 The Provider shall make available to TRFC, upon reasonable request, the information necessary to demonstrate compliance with this DPA and Data Protection Legislation.

7.2 TRFC or an auditor mandated by TRFC may, on reasonable prior notice, carry out an audit or review of the Provider’s compliance with this DPA, provided that such audit is limited to matters relevant to the Services and does not unreasonably disrupt the Provider’s business operations.

7.3 The Provider shall cooperate reasonably with any such audit and shall provide access to relevant documentation, records and systems to the extent necessary to verify compliance.

7.4 If an audit identifies a material non-compliance, the Provider shall promptly take appropriate remedial action at its own cost.

ARTICLE 8 – SUBCONTRACTING

8.1 The Provider shall not appoint a Sub-processor without TRFC’s prior specific written consent.

8.2 The Provider shall notify TRFC in writing of any intended addition or replacement of a Sub-processor sufficiently in advance to allow TRFC to assess the proposed change.

8.3 The Provider shall ensure that each authorised Sub-processor is bound by written contractual terms imposing data protection obligations no less protective than those set out in this DPA.

8.4 The Provider shall remain fully liable to TRFC for the performance of each authorised Sub-processor’s obligations in relation to the processing of Personal Data.

ARTICLE 9 – RECORDS OF PROCESSING

The Provider shall maintain a written record of the categories of processing activities carried out on behalf of TRFC, in accordance with Article 30 UK GDPR and any other applicable Data Protection Legislation.

Such record shall include, where applicable:

  • the name and contact details of the Provider, TRFC, any authorised Sub-processor, and the Provider’s data protection contact;

  • the categories of processing carried out on behalf of TRFC;

  • any applicable international transfers and the safeguard relied upon; and

  • a general description of the technical and organisational security measures in place.

ARTICLE 10 – INTERNATIONAL TRANSFERS

10.1 The Provider shall not transfer, host, disclose or permit access to Personal Data outside the United Kingdom or the European Economic Area unless:

  • the transfer is permitted under Data Protection Legislation; and

  • appropriate safeguards are in place.

10.2 Where required, such safeguards may include:

  • an adequacy decision or adequacy regulation;

  • approved standard contractual clauses or other recognised transfer mechanism; or

  • another lawful safeguard under Data Protection Legislation.

10.3 The Provider shall provide TRFC with reasonable prior notice of any proposed international transfer and shall provide reasonable information regarding the safeguard relied upon.

ARTICLE 11 – PERSONAL DATA AT THE END OF THE AGREEMENT

11.1 On expiry or termination of the Services, and at TRFC’s choice, the Provider shall:

  • Delete the Personal Data together with any copies; or

  • Return the Personal Data to TRFC in a reasonable and usable format and delete any remaining copies.

11.2 This obligation shall apply unless applicable law requires the Provider to retain some or all of the Personal Data, in which case the Provider shall continue to protect that Personal Data in accordance with this DPA for as long as it is retained.

11.3 On request, the Provider shall provide TRFC with written confirmation of deletion.

APPENDIX 1 – ARTIFICIAL INTELLIGENCE

The Provider undertakes to comply with the applicable laws and regulations relating to Artificial Intelligence (AI) (“AI Laws”), including but not limited to Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on Artificial Intelligence ("EU AI Act").

In the event that the Provider uses, deploys or creates any system, model, program, solution or software related to the use of AI (without limitation), the Provider commits to comply with the obligations under the applicable AI Laws, prior to the signature of the Agreement or prior to the implementation of AI for the Services provided under the Agreement. Furthermore, the Provider warrants that any AI classified as generating or causing unacceptable risk under the AI Act will be prohibited.

In any case, the Provider shall not incorporate, use, or make AI features available in the performance of the Services or in any deliverables provided to TRFC without obtaining TRFC's prior written consent. The Provider shall not use any AI system or model when processing TRFC Personal Data, without the prior written consent of TRFC, and shall not use or reuse TRFC Personal Data for its own purposes related to AI uses (i.e. training of an AI model). The Provider shall not use any TRFC data to train, improve, or modify its AI models or to benefit third parties. The Provider must regularly monitor and assess the AI features for accuracy and reliability, ensuring compliance with all applicable laws and adherence to industry practices.

The Provider shall implement and maintain policies for the ethical and responsible use of AI features. These policies must promote transparency, mitigate bias, and ensure fairness and accountability in all applications of AI features under this Agreement.

All data provided by TRFC to the Provider (“Customer Data”) and all outputs generated by the AI system based on Customer Data (“Output Data”) are TRFC’s Confidential Information. The Provider shall have no rights to use, disclose, or distribute Customer Data or Output Data except as necessary to provide the Services under this Agreement.

In case of unauthorised use of AI by the Provider, the latter will indemnify and hold harmless TRFC against all claims brought by third parties, notably in respect of any breach of their intellectual property rights, data breaches, data protection rights or equivalent claims.

Both Parties acknowledge that, prior to the deployment and use of any AI related to the Services, they will reconvene and agree on a specific addendum, implementing a dedicated framework for the use of said AI.

APPENDIX 2 – TRFC PERSONAL DATA PROCESSING DETAILS

At the signature date of the Agreement, the Parties agree that the Personal Data processing covered by this DPA consists of the following.

Subject-matter of the Processing

The processing of limited driver personal data in connection with the provision of fuel card services.

Nature of the Processing

Collection

The employer, card issuer or point of sale collects the driver’s full name and vehicle registration number.

Receipt and recording

The driver’s full name and vehicle registration number may be received and recorded by the Provider for transaction processing, card administration and associated record keeping.

Card embossing / personalisation

Where applicable, the driver’s full name may be used to emboss or personalise a fuel card.

Storage

The driver’s full name and vehicle registration number may be stored for service administration, fraud prevention and related record keeping.

Purpose(s) of the Processing

  • identification of the authorised driver or vehicle linked to a fuel card;

  • embossing or personalisation of a fuel card, where applicable;

  • receiving, recording and processing transaction information where the driver provides their name and vehicle registration number at the point of purchase;

  • service administration connected with the fuel card service; and

  • fraud prevention, misuse investigation and related accountability.

Duration of the Processing

The duration of the Agreement and any limited period afterwards where retention is required by law, dispute handling, fraud prevention or secure deletion processes.

Categories of Personal Data

  • Full name

  • Vehicle registration number

Categories of Data Subjects

Drivers authorised to use fuel cards by TRFC customers

Authorised Sub-processors

B2Mobility GmbH (BP)

Wittener Straße 45

Bochum 44789

Germany

CH Jones Walsall Limited (Keyfuels)

Premier Business Park

Queen Street

Walsall

WS2 9PB

Corpay – AllStar/KeyFuels/RightPay

4th floor

8 - 10 Moorgate

London

EC2R 6DA

FastFuels – Valero Energy Ltd (Texaco)

27th Floor

1 Canada Square

London

E14 5AA

Fuelgenie

Mid City Place

71 High Holborn

London

WC1V 6EA

Radius – (Fast Fuels/UK Fuels)

Eurocard Centre Herald Park

Herald Drive

Crewe

CW1 6EG

RightCharge Limited

86-90 Paul Street 3rd Floor

Paul Street

London

EC2A 4NE

Shell UK Oil Products Ltd

Shell Centre

London

SE1 7NA

WEX Europe Services Limited

7th Floor Hyphen Building

75 Mosley Street

Manchester

M2 3HR

UNION TANK Eckstein GmbH & Co.KG

Heinrich-Eckstein-Straße 1

63801 Kleinostheim

Germany

Description of the Sub-processed Activities

Fuel card embossing or personalisation, transaction processing, service administration, and related fraud prevention activity, only to the extent necessary for the Services.

Personal Data Transfer Outside the UK / EEA

N/A unless otherwise agreed in writing and subject to Article 10.

Contact of the Data Protection Officer

dpo@rightfuelcard.co.uk

Other Specific Point of Contact in the Event of a Major Security Incident

support@rightfuelcard.co.uk