1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service agreement between Sell Any Car 247 (the "Data Processor" or "Processor") and the user (the "Data Controller" or "Controller") (together, the "Parties").

This DPA reflects the parties' agreement with respect to the processing of personal data by the Processor on behalf of the Controller in connection with the services provided by Sell Any Car 247.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

• "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the UK GDPR as incorporated into UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.
• "Data Protection Laws" means all applicable laws relating to data protection and privacy including the GDPR, the UK Data Protection Act 2018, and any other applicable regulations.
• "Personal Data" means any information relating to an identified or identifiable natural person ('data subject') as defined in Article 4(1) of the GDPR.
• "Processing" means any operation or set of operations which is performed on personal data, as defined in Article 4(2) of the GDPR.
• "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3. Data Processing

3.1 Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the services as described in the Terms of Service, which includes:

• Processing vehicle information for the purpose of providing quotations
• Arranging vehicle collection and payment services
• Communicating with the data subject regarding their inquiry or transaction
• Complying with legal requirements for vehicle purchases, including DVLA regulations
• Marketing communications where specific consent has been provided

3.2 Types of Personal Data

The Processor will process the following categories of Personal Data:

• Identity Data: name, title
• Contact Data: email address, telephone number, address
• Vehicle Data: registration number, make, model, year, condition
• Payment Data: bank account details (where applicable)

3.3 Duration of Processing

The Processor will process Personal Data for the duration of the service provision and as necessary to comply with legal obligations or until instructed by the Controller to delete or return the data.

4. Obligations of the Processor

The Processor shall:

1. Process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization.
2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4. Not engage another processor without prior specific or general written authorization of the Controller.
5. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
6. At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless storage is required by law.
7. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Obligations of the Controller

The Controller shall:

1. Ensure that the processing of Personal Data, including the transfer itself, will be carried out in accordance with the relevant provisions of the applicable Data Protection Laws.
2. Ensure that it has the legal right to transfer the Personal Data to the Processor for the purposes described in this DPA.
3. Provide documented instructions to the Processor regarding the processing of Personal Data.
4. Comply with its obligations as a Controller under the applicable Data Protection Laws.

6. Data Subject Rights

The Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under the applicable Data Protection Laws.

If the Processor receives a request from a data subject in relation to their Personal Data, the Processor shall redirect the data subject to the Controller without undue delay.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall:

• Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Sub-Processors

The Processor may engage sub-processors to fulfill specific processing activities. Any such sub-processor shall be bound by the same data protection obligations as set out in this DPA.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

9. International Data Transfers

The Processor shall not transfer Personal Data to a third country or an international organization unless such transfer is necessary for the performance of the services. In such a case, the Processor shall ensure that the transfer complies with the requirements of Chapter V of the GDPR.

10. Liability

Each party shall be liable to the other party for damages it causes by any breach of this DPA. The Processor shall be liable to the Controller for the damage caused by processing only where it has not complied with obligations of this DPA or where it has acted outside or contrary to lawful instructions of the Controller.

11. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, unless retention is required by law.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the United Kingdom, without giving effect to any choice of law principles. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the United Kingdom.

13. Contact Information

For any questions regarding this Data Processing Agreement, please visit our website.