
Privacy Terms

Last updated March 31, 2022 - terminology clarified and unnecessary content removed.

Parties and Background

This Data Processing Agreement (DPA) is between Shipit Oy Ab 2705721-8 (hereinafter also service provider, personal data and register data processor, and Shipit) and the customer who is making a shipment, potentially making a shipment, registering as a Shipit customer, intending to register as a Shipit customer, or inquiring about other matters that may lead to customer relationship with Shipit. Except for marketing, this also applies to prepayment customers. Shipit acts as a data processor and processes the controller's (hereinafter also customer's) data to ensure delivery of shipments and service development. The purpose of this agreement is to ensure data protection, data security, and processing standards for personal data. This agreement appendix is an essential and inseparable part of Shipit Oy Ab's terms of service.

Shipit Oy Ab Askonkatu 9 A, 15100, Lahti Finland. Postal address PB 60, 22101 Mariehamn, Åland Finland.

This data processing agreement is defined according to (EU) 679/2016 (GDPR) and enters into force on May 25, 2018. If there is a conflict between the general terms of service and the data processing agreement, the data processing agreement takes precedence.

Definitions

The terms used in this agreement appendix have the meaning given to them in the European Union regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("Data Protection Regulation").

Such terms include specifically:

  • Legislation. European Union General Data Protection Regulation (2016/679, "GDPR") from its application date (May 25, 2018) and possible future, applicable legislation

  • Controller. Customer who determines the purposes and means of Personal Data Processing. Excluding natural persons who process shipments through Shipit

  • Data Subject. Natural person as defined by the Legislation

  • Personal Data. Any information relating to an identified or identifiable natural person

  • Processor. Service provider who Processes Personal Data on behalf of the Customer

  • Processing. Any operation or set of operations performed on Personal Data

  • Subcontractor/sub-processor. Performs Processing under this appendix on behalf of the Service Provider and Customer by Service Provider's assignment

  • Standard Contractual Clauses. Standard contractual clauses approved by the European Commission for transferring personal data from EU controllers to processors in third countries (Decision 2002/16 EC)

Purpose

With this appendix, the parties agree that the Service Provider as a personal data processor Processes personal data on behalf of the Customer, the controller, during the validity of the agreement.


Shipit may process personal data on behalf of the customer that may refer to the identification of a natural person (hereinafter also data subject). This includes direct and indirect information, e.g. a person's name, address information, IP address, location data, online identifier, phone number, email, transmission data and messages. Shipit does not process personal identity numbers on its pages but can, if necessary, help the customer provide this to the shipping company, e.g. for export or import clearance.

Unless otherwise defined by customer's written instruction, Shipit may process all information related to direct or indirect parties involved in the shipment.

Customer's Obligations

The Customer acts as the Controller as defined in applicable legislation regarding personal data of their customers, employees or other persons that the Service Provider processes in the Service for its implementation ("Customer's Personal Data").

The Customer defines how personal data is used, exchanged or otherwise processed. It is the Customer's responsibility to ensure that all data subjects have been properly notified and given necessary information about the processing of their Personal Data, and that the Customer has necessary rights and consents for processing Personal Data. As a controller, the Customer is also responsible for preparing the processing record.

The Customer transfers to the service and systems only such information that it has the right to process according to applicable data protection legislation.

The Customer is obligated to inform the Service Provider of any circumstances (including special risks or categories of personal data) that may require additional technical or organizational security measures.

The Customer is also responsible for their employees using the Service and persons to whom the Customer has granted access or usage rights to the Services. The Customer is responsible for processing acknowledged in this data processing agreement if a third party gains unauthorized access to its Personal Data or Service.

Processor's Obligations

Shipit and its personnel process Personal Data on behalf of the Customer only according to the agreement and appendices and possible separately agreed written instructions, unless otherwise required by applicable legislation.

Shipit keeps Customer's personal data confidential and ensures that persons authorized to process personal data have committed to maintaining confidentiality.

  • Personal data processing is based on legitimate interest of the controller or third party

  • The individual party has received appropriate information about personal data processing

  • The controller has the right to transfer and manage personal data in the case in question

  • The controller processes data according to applicable data protection legislation.

Data Processing and Actions

Shipit implements appropriate measures so that processing meets the requirements of applicable legislation and safeguards aimed at preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to data. These measures take into account ensuring a security level corresponding to the risk.

  • Viewing personal data always leaves a trace in Shipit's system

  • Information provided by the controller is stored within legal requirements

  • Shipit's employees are bound by confidentiality regarding personal data

  • Pseudonymization and encryption of personal data

  • Access rights management

  • System security testing and password solutions for encrypting data transfer

  • Risk management

  • Personnel security clearances

Shipping information may also be processed to the extent necessary by shipping companies used as Shipit's subcontractors.

Final acceptance of these terms always occurs when the customer creates a shipment through Shipit or when the customer provides information for Shipit to process e.g. in transport inquiries.

Within its possibilities, Shipit helps the controller with appropriate technical and organizational measures to respond to requests concerning the exercise of the data subject's rights. The Customer is obligated to compensate Shipit for costs incurred from this work according to Shipit's current price list.

Shipit helps the controller ensure compliance with obligations related to personal data security and data protection impact assessment and prior consultation. The Customer is obligated to compensate Shipit for costs incurred from this work according to Shipit's current price list.

Depending on customer's request, Shipit deletes or returns all personal data to the customer within 60 days after processing service is completed unless EU or EU member state laws specify otherwise. If returning data is not possible or would require disproportionate measures, the data must be deleted within the same schedule.

Use of Subcontractors

The Customer gives Shipit permission to also use subcontracting to perform functions. Shipit and the subcontractor have an agreement that obligates the subcontractor to act according to this data processing agreement. Shipit is also responsible for ensuring that the subcontractor acts according to the agreement.

If the customer finds a gap in the subcontractor's operations, or the subcontractor otherwise does not comply with the specifications set for the subcontractor, the customer has the right, for a justified reason, to demand in writing that said subcontractor not be used to process said customer's data. In such a situation the subcontractor must either delete or return the customer's data.

For clarity, it is noted that Shipit is the customer's only contracting partner and that the Customer can, through Shipit, order services from Shipit's subcontractors (shipping companies), in connection with which data is transferred to a third party who processes the Customer's personal data on behalf of Shipit.

Personal Data Security Breaches

Both parties give notice without undue delay of any security incident and breach that comes to their knowledge and that has or may have an impact on personal data processing.

Shipit assists the controller if operations are subject to an authority investigation. In these cases the customer is obligated to compensate Shipit according to the current price list. Shipit informs the customer in these matters unless the law otherwise requires, e.g. due to a criminal investigation.

Shipit is obligated to notify the customer of requests concerning personal data processing from third parties.

If Shipit becomes aware of a personal data security breach, Shipit informs the customer of this without delay - with the information required for making an authority notification - however at the latest within 36 hours of receiving the information. Shipit also helps within reasonable limits with measures to finalize the matter with authorities and mitigate adverse effects.

Shipit provides at least the following information to the customer in case of a breach:

  • Description of personal data security breach

  • Contact person from whom to get additional information in matter

  • Likely consequences resulting from breach

  • Measures taken or planned by Shipit that processor would suggest controller to take.

Each party investigates a security breach in its area of responsibility and takes appropriate measures to stop breaches, mitigate their effects and prevent other similar security breaches. The parties must document the results of their investigation and the implemented measures and notify the other party of them. The parties cooperate reasonably to fulfill their obligations under the data protection appendix and legislation.

Audits

The customer has permission to investigate, at its own cost or with the help of a third party, that Shipit complies with this data processing agreement. Said investigations must be done in a way that does not disturb Shipit's other operations more than necessary. Shipit has the right to require that investigations are done by a professional party who can make such an inspection if the actions can lead to compromising sensitive information or if the third party is found incompetent in handling said matter. If the customer finds major deficiencies in personal data processing that cannot be fixed within 30 days of the finding, the customer has the right to terminate the agreement without delay. If only minor errors are found, Shipit has the right to reasonable compensation due to the inspection.

Limitation of Liability

The service provider, as a personal data processor, is liable for damage caused by processing only if it has not complied with obligations specifically directed to personal data processors in data protection legislation or if it has acted contrary to the controller's lawful instructions. The service provider is not liable for indirect or consequential damages, such as loss of earnings or revenue.

Location and Data Transfer

Shipit's data centers where all personal data is stored and processed are located in Finland. However, Shipit may transfer personal data to any data centers or sub-processors located in the EU/EEA area or in countries decided by the European Commission to have an adequate level of data protection.

Data Transfer to Third Countries

If a transaction obligates Shipit to transfer personal data to a company operating outside the EU or a national organization operating outside the EU / EEA, the customer is responsible for checking that the necessary protections are in place according to GDPR article 46. Shipit is not obligated to complete a personal data transfer if security measures are not in place. Shipit may also use standard contractual clauses and appropriate data protection measures for data transfer outside the EU/EEA area.

Confidentiality

All personal data that Shipit processes on behalf of the controller is considered the controller's confidential information and is not to be disclosed or revealed to any third party or used for other than the agreed purpose. Shipit also commits not to disclose or reveal personal data within its own organization to anyone other than such employees or other persons (incl. possible subcontractors) who need to know said information for the agreed purpose and who are obligated to keep the information confidential based on their service or other agreements or by law.

Entry into Force of Agreement Appendix and Effects of Agreement Termination

This appendix enters into force on May 25, 2018 and remains in force according to the terms concerning validity of the agreement until a party terminates the service agreement observing the notice period or the agreement ends for another reason. The Customer has an obligation to present a request to Shipit if data should be returned to it before contractual obligations cease.

When the agreement ends, the data processor deletes the Customer's personal data according to its practices. However, the personal data processor has the right to retain the Customer's personal data even after the agreement ends as long as necessary for the Service provider's own statutory obligations, ensuring security of services or investigating misuse, without otherwise continuing processing of personal data and still complying with the confidentiality obligations described in this appendix.