1. Parties
-
The Digital PO Box - Registered trademark of The Bizz Hub LLC-FZ, office at The Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E, registered under number 2536783.01. Hereinafter referred to as: "Processor".
- Controller - The natural or legal person who enters into an agreement with the Processor for (among other things) mail processing and makes use of the scanning service for this purpose. Hereinafter referred to as: "Controller".
- The Controller and Processor are hereinafter collectively referred to as the "Parties".
This Agreement applies regardless of whether the Customer (Controller) acts in a personal or business capacity.
This Data Processing Agreement applies exclusively to the scanning and digitisation of mail items containing personal data. For all other categories of personal data processed by TBH (including account data, billing data and communication data), TBH acts as an independent data controller as described in its Privacy Statement.
5. Obligations of the processor
The Processor guarantees the following obligations in accordance with Article 28 GDPR:
5.1 Confidentiality
- The Processor and its affiliated employees (and any sub-processors) shall treat the personal data of which they become aware confidentially.
- This duty of confidentiality will also continue to apply after termination of this Data Processing Agreement.
5.2 Appropriate security measures
- The Processor shall take appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Technical measures include, for example, firewalls, virus scanners, strong passwords and (where relevant) encryption according to the ISO 27001 and ISO 27701 standards. Organizational measures include access restrictions, screening of staff and closure of areas where data is processed.
- The security measures are at least in accordance with the requirements of Article 32 of the GDPR and appropriate to the nature of the data processed (this may vary per postal item).
5.3 Processing within the EU/EEA
- The Processor will not allow the processing of personal data to take place outside the European Economic Area (EEA) unless such transfer is covered by appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) or equivalent mechanisms ensuring an adequate level of protection, or where required by law.
- For transfers to the United Kingdom or the United Arab Emirates, the Processor applies the same contractual, technical, and organisational safeguards as described in TDPB’s Privacy Statement.
5.4 No Further Processing
- The Processor shall only process the personal data in accordance with the instructions of the Controller. Use for other purposes (e.g. own marketing) is not permitted.
5.5 Assistance in the fulfilment of obligations
- To the extent reasonably possible, the Processor will assist the Controller in complying with obligations under the GDPR, such as handling requests from data subjects or conducting data protection impact assessments (DPIA).
5.6 Provision of information and audit
- Providing information
The Processor shall, upon first request and to the extent reasonably necessary, provide the Controller with all information necessary to demonstrate compliance with the Obligations under this Data Processing Agreement and the GDPR.
- Compliance support
If the Controller has well-founded reasons to do so (e.g. periodic check or suspicion of irregularities), the Processor will cooperate with audits or inspections, including (where appropriate) the provision of technical documentation or reports.
- Audit conditions
The Controller shall announce an intended audit or inspection in writing at least 30 working days in advance, with a clear description of the scope and purpose, so that the Processor can prepare and the continuity of the service is not unnecessarily compromised.
- Audits will not affect the confidentiality of other Controllers or the security of systems that also contain third-party data. The Controller agrees that the audit may be carried out by an independent third party, under confidentiality, in order to protect the privacy of other Controllers.
- The costs of an audit, including man-hours of the Processor, shall be borne by the Controller, unless it is established that the Processor is acting in violation of this Data Processing Agreement or the GDPR, in which case the Processor shall bear the reasonable audit costs.
- Outcomes and improvements
The Processor shall inform the Controller of relevant findings from an audit or inspection and, if applicable, propose or implement improvement measures to continue to ensure compliance with this Data Processing Agreement and the GDPR.
5.7 Processing by AI Systems
- Scope of AI use: The Processor may use AI systems (including OpenAI) solely for supporting customer communication and internal service improvement. AI tools are not used in the processing of mail items or any Controller-provided personal data.
- No processing of Controller data: AI systems do not receive or process personal data originating from the Controller’s mail items, scans, forwarding instructions or any other data processed under this Agreement.
- Anonymisation: Only anonymised or pseudonymised conversation data—unrelated to identified or identifiable natural persons—may be processed using AI systems. Such data cannot be attributed to the Controller or any data subjects.
- Sub-processor obligations: OpenAI acts as a technical sub-processor. The Processor ensures that OpenAI is contractually bound to confidentiality, data-security requirements and the restrictions set out in this Agreement.
- No automated decision-making: AI systems are not used to make decisions that produce legal effects or similarly significant impacts on data subjects within the meaning of Article 22 GDPR, UK GDPR or UAE PDPL.
- Technical safeguards: The Processor shall maintain measures preventing any identifiable personal data from being transmitted to AI systems, and shall ensure that all AI processing remains strictly separate from Controller data.
This Article applies to all AI-assisted operations carried out by the Processor and forms part of the technical and organisational measures required under Article 28 GDPR.
Appropriate safeguards, including but not limited to the EU Standard Contractual Clauses and equivalent UK and UAE transfer mechanisms, apply to any processing performed by OpenAI.