Data Processing Addendum (UAE)
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and UDB Logistics FZCO (DIEZ) (“Processor”, “UDB”) and applies where UDB processes personal data on behalf of the Controller in connection with the Services.
1. Definitions
- Personal Data, Processing, Controller, Processor: as defined under applicable data protection laws.
- Sub-processor: a third party appointed by UDB to process personal data on behalf of the Controller.
2. Scope and roles
2.1. Controller determines the purposes and means of processing personal data.
2.2. UDB processes personal data only:
- to provide the Services; and
- on documented instructions from the Controller (including booking instructions and shipment documentation), unless otherwise required by law.
3. Controller obligations
Controller is responsible for:
- ensuring it has a lawful basis to provide personal data to UDB;
- ensuring instructions are lawful and do not violate applicable laws;
- ensuring shipment documents and declarations are accurate and complete.
4. Confidentiality
UDB ensures persons authorized to process personal data are bound by confidentiality obligations.
5. Security measures
UDB implements reasonable technical and organizational measures appropriate to the risk, designed to protect personal data. High-level measures may include, as appropriate:
- access controls and least-privilege;
- authentication and logging for key systems;
- secure storage and transmission practices;
- operational controls for document handling and retention.
(Additional details may be provided on request where appropriate for customer due diligence.)
6. Sub-processing
6.1. Controller authorizes UDB to use Sub-processors where reasonably necessary for the Services (e.g., carriers, handlers, trucking, IT providers).
6.2. Sub-processor list: due to frequent operational changes (routing, handling, trucking), UDB provides the current list of relevant Sub-processors on request.
6.3. UDB remains responsible for Sub-processors’ performance of their processing obligations to the extent required by applicable law and relevant contracts.
7. Assistance to Controller
UDB will provide reasonable assistance to Controller (taking into account the nature of processing) with:
- responding to data subject requests (where UDB is a Processor and the request relates to UDB’s processing);
- providing information reasonably needed for compliance assessments, security due diligence, or regulatory inquiries (subject to confidentiality and operational constraints).
8. Personal data breach
If UDB becomes aware of a personal data breach affecting Controller’s personal data, UDB will notify Controller without undue delay (and in any event within a reasonable time) and provide available information reasonably required for Controller to assess and respond, subject to ongoing investigation and the information available at the time.
9. Audit and compliance information
Upon reasonable written request, UDB will provide information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is requested:
- it must be agreed in advance (scope, timing, confidentiality);
- it must not unreasonably disrupt operations; and
- it may be subject to reasonable fees.
10. Return or deletion
Upon termination of the Services, UDB will, at Controller’s choice and where feasible:
- return personal data; or
- delete personal data,
unless retention is required by law or necessary for legitimate operational/legal purposes (e.g., accounting, dispute defense, compliance recordkeeping).
11. Cross-border transfers
Controller acknowledges that logistics operations may involve cross-border processing depending on routing and operational partners. UDB applies reasonable safeguards and contractual controls where applicable.
12. Liability
This DPA does not expand either party’s liability beyond what is set out in the governing commercial agreement and the applicable Terms & Conditions for the contracting entity.
Annex 1 — Processing details
Subject matter: logistics and related services (booking, documentation, coordination, exception handling).
Duration: for the term of Services + applicable retention.
Nature of processing: collection, storage, access, use, disclosure to operational partners, and deletion.
Categories of data subjects: customer personnel, shipper/consignee contacts, notify parties, agents/intermediaries (as applicable).
Categories of personal data: business contact details, shipment documentation data, identifiers, communications, and compliance-related records (as applicable).
Annex 2 — Security (summary)
- Access controls, role-based permissions
- Operational document-handling controls
- System monitoring/logging where applicable
- Staff confidentiality obligations
Annex 3 — Sub-processors
Available on request (operationally dependent on routing, carriers, handlers, trucking, and IT providers).