
Data processing agreement
GENERAL DATA PROCESSING AGREEMENT THE DIGITAL PO BOX
1. Parties
-
The Digital Address Hub - Registered Company of DIGITAL PLANET, office at The Dubai Internet City, building 17, Dubai, U.A.E, registered under number CN-8435632. Hereinafter referred to as: "Processor".
-
Controller - The natural or legal person who enters into an agreement with the Processor for (among other things) mail processing and makes use of the scanning service for this purpose. Hereinafter referred to as: "Controller".
-
The Controller and Processor are hereinafter collectively referred to as the "Parties".
This Agreement applies regardless of whether the Customer (Controller) acts in a personal or business capacity.
This Data Processing Agreement applies exclusively to the scanning and digitisation of mail items containing personal data. For all other categories of personal data processed by TBH (including account data, billing data and communication data), TBH acts as an independent data controller as described in its Privacy Statement.
2. Definitions
-
GDPR: The General Data Protection Regulation (EU) 2016/679.
-
Personal data: Any data that can be traced, directly or indirectly, to an identified or identifiable natural person and that may be in the Controller's mail when it is scanned.
-
Processing (or "Processing"): Any operation or set of operations which is performed on personal data, such as storage, transmission, making available, etc.
-
Data Breach / Security Incident: A breach of security that (potentially) leads to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, forwarded, stored or otherwise processed personal data.
-
Where this agreement refers to definitions from the GDPR, those terms have the same meaning as in Article 4 of the GDPR.
-
Customer / Controller: In this Agreement, the Customer acts as the Controller within the meaning of Article 4(7) GDPR, and The Digital PO Box acts as the Processor within the meaning of Article 4(8) GDPR.
3. Purpose and scope
-
This Data Processing Agreement only applies when the Controller makes use of the Processor's scanning service.
-
As a controller, the Controller has personal data. The Processor processes these personal data only on behalf of the Controller, by scanning (digitizing) and, if necessary, forwarding mail items that may contain personal data.
4. Roles and responsibilities
-
Responsible:
-
determines the purposes and means of the processing of personal data in the postal service;
-
is and remains ultimately responsible for the lawfulness of the processing and compliance with the GDPR;
-
only instructs the Processor to scan personal data and make it available via the agreed systems.
-
Processor:
-
only carries out processing on behalf of and under the responsibility of the Controller, as stipulated in this Agreement and the underlying Service-Specific Agreement;
-
has no independent control over the purpose and means of the processing.
5. Obligations of the processor
The Processor guarantees the following obligations in accordance with Article 28 GDPR:
5.1 Confidentiality
-
The Processor and its affiliated employees (and any sub-processors) shall treat the personal data of which they become aware confidentially.
-
This duty of confidentiality will also continue to apply after termination of this Data Processing Agreement.
5.2 Appropriate security measures
-
The Processor shall take appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
-
Technical measures include, for example, firewalls, virus scanners, strong passwords and (where relevant) encryption according to the ISO 27001 and ISO 27701 standards. Organizational measures include access restrictions, screening of staff and closure of areas where data is processed.
-
The security measures are at least in accordance with the requirements of Article 32 of the GDPR and appropriate to the nature of the data processed (this may vary per postal item).
5.3 Processing within the EU/EEA
-
The Processor will not allow the processing of personal data to take place outside the European Economic Area (EEA) unless such transfer is covered by appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) or equivalent mechanisms ensuring an adequate level of protection, or where required by law.
-
For transfers to the United Kingdom or the United Arab Emirates, the Processor applies the same contractual, technical, and organisational safeguards as described in TDPB’s Privacy Statement.
5.4 No Further Processing
-
The Processor shall only process the personal data in accordance with the instructions of the Controller. Use for other purposes (e.g. own marketing) is not permitted.
5.5 Assistance in the fulfilment of obligations
-
To the extent reasonably possible, the Processor will assist the Controller in complying with obligations under the GDPR, such as handling requests from data subjects or conducting data protection impact assessments (DPIA).
5.6 Provision of information and audit
-
Providing information
The Processor shall, upon first request and to the extent reasonably necessary, provide the Controller with all information necessary to demonstrate compliance with the Obligations under this Data Processing Agreement and the GDPR.
-
Compliance support
If the Controller has well-founded reasons to do so (e.g. periodic check or suspicion of irregularities), the Processor will cooperate with audits or inspections, including (where appropriate) the provision of technical documentation or reports.
-
Audit conditions
-
The Controller shall announce an intended audit or inspection in writing at least 30 working days in advance, with a clear description of the scope and purpose, so that the Processor can prepare and the continuity of the service is not unnecessarily compromised.
-
Audits will not affect the confidentiality of other Controllers or the security of systems that also contain third-party data. The Controller agrees that the audit may be carried out by an independent third party, under confidentiality, in order to protect the privacy of other Controllers.
-
The costs of an audit, including man-hours of the Processor, shall be borne by the Controller, unless it is established that the Processor is acting in violation of this Data Processing Agreement or the GDPR, in which case the Processor shall bear the reasonable audit costs.
-
Outcomes and improvements
The Processor shall inform the Controller of relevant findings from an audit or inspection and, if applicable, propose or implement improvement measures to continue to ensure compliance with this Data Processing Agreement and the GDPR.
5.7 Processing by AI Systems
-
Scope of AI use: The Processor may use AI systems (including OpenAI) solely for supporting customer communication and internal service improvement. AI tools are not used in the processing of mail items or any Controller-provided personal data.
-
No processing of Controller data: AI systems do not receive or process personal data originating from the Controller’s mail items, scans, forwarding instructions or any other data processed under this Agreement.
-
Anonymisation: Only anonymised or pseudonymised conversation data—unrelated to identified or identifiable natural persons—may be processed using AI systems. Such data cannot be attributed to the Controller or any data subjects.
-
Sub-processor obligations: OpenAI acts as a technical sub-processor. The Processor ensures that OpenAI is contractually bound to confidentiality, data-security requirements and the restrictions set out in this Agreement.
-
No automated decision-making: AI systems are not used to make decisions that produce legal effects or similarly significant impacts on data subjects within the meaning of Article 22 GDPR, UK GDPR or UAE PDPL.
-
Technical safeguards: The Processor shall maintain measures preventing any identifiable personal data from being transmitted to AI systems, and shall ensure that all AI processing remains strictly separate from Controller data.
This Article applies to all AI-assisted operations carried out by the Processor and forms part of the technical and organisational measures required under Article 28 GDPR.
Appropriate safeguards, including but not limited to the EU Standard Contractual Clauses and equivalent UK and UAE transfer mechanisms, apply to any processing performed by OpenAI.
6. Sub-processors
6.1 No Activation Without Permission
-
The Processor shall not engage any additional third parties (sub-processors) for the actual processing of personal data without the (specific or general) consent of the Controller.
-
If the Processor has a general permission from the Controller, the Processor shall inform the Controller at least fourteen (14) days before the addition or replacement of a sub-processor, by notification through the Controller Portal or by e-mail, so that the Controller can object to this.
6.2 Current Sub-processor for Scanning
-
The Controller acknowledges and agrees that the Processor already engages a sub-processor for the scanning and digitization of mail items. This sub-processor is bound by the same (privacy) obligations as included in this Data Processing Agreement, so that it also complies with the GDPR.
-
The Controller may request information from the Processor about the identity and location of this sub-processor, as well as the way in which appropriate safeguards are ensured.
6.3 Agreements with sub-processors
-
If the Processor engages a sub-processor, the Processor will provide a written agreement with that sub-processor, which includes at least the same (privacy) obligations as in this Processing Agreement, so that the sub-processor complies with the GDPR.
-
The Processor remains the primary point of contact for the Controller at all times and retains (contractual) responsibility for the processing by the sub-processor.
7. Data Breaches (Security Incidents)
7.1 Obligation to report
-
In the event of an established or suspected security incident (possible data breach) that relates to the personal data processed by the Processor, the Processor will report this to the Controller without undue delay.
-
The Processor shall provide as much relevant information as possible, so that the Controller can comply with its own obligation to report to the supervisor (and any data subjects).
7.2 Support
-
The Processor will support the Controller in any investigations or measures that need to be taken as a result of the data breach (such as forensic investigations, remedial measures).
8. Data Subject Requests
8.1 Handling by the Controller
-
If the Processor receives a request (e.g. inspection, correction, deletion) directly from a data subject, the Processor will forward this request to the Controller without unreasonable delay.
-
The Controller is responsible for the further processing of these requests.
8.2 Cooperation
-
The Processor shall, to the extent reasonably possible, cooperate to enable the Controller to fulfil its obligations (Articles 12–22 GDPR).
9. Term and Termination
9.1 Duration
-
This Data Processing Agreement enters into force upon the commencement of the main agreement (Controller - Processor) and remains valid as long as the Processor processes personal data in the context of the scan service.
9.2 Termination
-
All scans and related personal data will be deleted or destroyed within ninety (90) days from the original upload date, or thirty (30) days after termination of the scanning service, whichever occurs later, unless a statutory retention obligation applies or the Controller instructs a transfer in writing.
-
Where a digital archive has been maintained, the Processor will keep the scans for the same maximum period of ninety (90) days before final deletion or destruction.
-
Exceptions and legal retention: If the Controller and Processor are obliged by law (e.g. tax or administrative) to retain certain data for a longer period of time, the Processor may, after consultation with the Controller, continue to retain the data for that specific (legal) period.
-
Transfer request: The Controller may request the transfer of the scans in a digital file or other agreed form within the period referred to in paragraph 2. The Processor will cooperate with this, to the extent reasonably possible. Costs associated with this may be charged to the Controller, unless otherwise agreed.
-
Guarantee of removal: After the periods referred to in this article, the Processor will ensure that the personal data (scans) are completely deleted or destroyed, so that they are no longer accessible or recoverable. The Processor can provide a confirmation of destruction upon request.
10. Liability
-
The liability provisions from the Processor’s General Terms & Conditions apply equally to this Data Processing Agreement. In all cases, the Processor’s total cumulative liability, whether in contract, tort or otherwise, shall not exceed the total amount paid by the Controller to the Processor for the relevant scanning services during the twelve (12) months preceding the event giving rise to the claim.
-
The Processor shall not be liable for any indirect, consequential, or special damages, including but not limited to loss of profit, data, or goodwill, except in cases of gross negligence or wilful misconduct by the Processor.
-
The Controller remains solely responsible for the lawfulness of the processing of personal data and for ensuring that its instructions comply with applicable data-protection legislation.
11. Miscellaneous
-
Any changes to this Agreement must be in writing (including electronic form) and accepted by both Parties (e.g., via electronic acceptance mechanisms).
-
The parties make joint efforts to comply with the GDPR and other applicable privacy legislation.
-
This Data Processing Agreement shall be governed by and construed in accordance with the laws of England and Wales. The Parties shall make all reasonable efforts to resolve any dispute amicably. If the Parties cannot reach an amicable settlement within thirty (30) days, the dispute shall be finally resolved by arbitration under the Rules of the London Court of International Arbitration (LCIA), which rules are deemed to be incorporated by reference. The seat of arbitration shall be London, United Kingdom, and the language of arbitration shall be English. The award rendered by the arbitrator shall be final and binding on both Parties.
Nothing in this clause shall deprive a consumer of the protection afforded by the mandatory laws of their country of residence.
-
Notices and Updates: Any notices or communications under this Data Processing Agreement, including updates or amendments, shall be provided electronically via the Customer Portal or by e-mail to the contact address registered by the Controller. Continued use of the scanning service after notification constitutes acceptance of the updated terms, unless the Controller objects in writing within fourteen (14) days.
-
In the event of any contradictions or differences between this English version and any translations, the English version shall prevail. Translations are provided for convenience only and do not create any legal obligations or rights.
This document forms part of The Digital Address Hub Legal Framework.
Date: 01-11-2025