Last updated: 1 June 2025
PCNTrack — Automated PCN Management
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PCNTrack ("Processor") and the business customer ("Controller") and governs the processing of personal data in connection with the PCNTrack service.
This DPA is entered into in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Controller means the business customer who determines the purposes and means of processing personal data.
Processor means PCNTrack, which processes personal data on behalf of the Controller.
Personal Data means any information relating to an identified or identifiable natural person, as defined in the UK GDPR.
Processing has the meaning given in the UK GDPR and includes any operation performed on personal data.
Sub-processor means any third party engaged by PCNTrack to process personal data on behalf of the Controller.
| Subject matter | PCN (Penalty Charge Notice) management and fleet compliance automation |
| Duration | For the term of the Controller's subscription to PCNTrack, plus any retention period required by law |
| Nature and purpose | Processing driver personal data to automate the transfer of liability for Penalty Charge Notices issued to vehicles operated by the Controller's fleet |
Type of personal data processed:
Categories of data subjects:Employees, contractors, and authorised drivers of the Controller's fleet vehicles.
The Controller warrants and represents that:
4.1 It has a lawful basis for processing the personal data it provides to PCNTrack under this agreement.
4.2 It has provided all required privacy notices to data subjects (drivers) informing them that their personal data may be shared with PCNTrack for the purpose of PCN liability management.
4.3 It will ensure that personal data provided to PCNTrack is accurate, adequate, and limited to what is necessary for the purposes described in this DPA.
4.4 It will promptly notify PCNTrack of any changes to personal data that affect the accuracy of data held within the PCNTrack platform.
PCNTrack agrees to:
5.1 Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation.
5.2 Ensure that persons authorised to process personal data have committed themselves to confidentiality.
5.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
5.4 Not engage any sub-processor without prior written authorisation from the Controller, except as listed in Schedule 1 of this DPA.
5.5Assist the Controller in ensuring compliance with obligations under Articles 32–36 of the UK GDPR (security, breach notification, DPIAs, prior consultation).
5.6 At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law.
5.7 Make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 UK GDPR.
The Controller provides general authorisation for PCNTrack to engage the following sub-processors. PCNTrack will notify the Controller of any intended changes and provide the opportunity to object.
Current approved sub-processors:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc | Database hosting and authentication | EU (Ireland) | Within UK adequacy zone |
| Vercel Inc | Application hosting and deployment | EU / Global | Standard contractual clauses |
| Anthropic PBC | AI-powered PCN data extraction | United States | Standard contractual clauses |
| Stripe Inc | Payment processing | United States / EU | Standard contractual clauses |
| SendGrid (Twilio) | Transactional email delivery | United States | Standard contractual clauses |
Where sub-processors are located outside the UK, PCNTrack ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent UK transfer mechanisms.
PCNTrack will assist the Controller in responding to requests from data subjects exercising their rights under the UK GDPR, including:
PCNTrack will notify the Controller of any data subject request received directly within 5 working days.
8.1 PCNTrack will implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
8.2PCNTrack will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data.
8.3 Notifications will include, to the extent available: the nature of the breach, categories and approximate number of data subjects concerned, likely consequences, and measures taken or proposed.
9.1PCNTrack retains personal data for the duration of the Controller's active subscription.
9.2 Upon termination of the subscription, PCNTrack will retain data for a further 30 days to allow the Controller to export their data.
9.3 After the 30-day period, personal data will be permanently deleted from PCNTrack systems, except where retention is required by applicable law.
9.4 The Controller may request earlier deletion by contacting hello@pcntrack.co.uk.
The Controller may audit PCNTrack's compliance with this DPA on 30 days' written notice, no more than once per year. PCNTrack may satisfy audit requirements by providing relevant third-party certifications or audit reports where available.
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For all data protection queries:
Email: hello@pcntrack.co.uk
Subject line: Data Protection Query
ICO Registration: [add number once registered]
Full details of sub-processors, their privacy policies, and applicable data transfer mechanisms are available on request by emailing hello@pcntrack.co.uk.