1 Scope
This Data Processing Agreement (DPA) forms part of and is incorporated into any services, supplies, or other commercial agreements between the Parties. It applies solely where one Party processes Personal Data as Processor on behalf of the other Party as Controller in connection with the Services. This DPA becomes binding on the Effective Date of the underlying agreement or upon the Parties’ execution or acceptance of an Order Form that references this DPA.
2 Parties
This Data Processing Agreement (“Agreement”) is entered into by and between:
- Customs Support Group B.V. and its affiliates (“CSG”), with principal place of business at Willem Barentszstraat 11, 3165 AA Rotterdam–Albrandswaard, The Netherlands, and
- Any legal entity or individual, customer or supplier, that enters into a commercial relationship with CSG involving the Processing of Personal Data (“Counterparty”).
The Agreement applies whenever one party acts as Controller and the other acts as Processor (as defined in Article 4 GDPR).
Where both parties act as independent Controllers for certain processing, this Agreement does not create joint controllership but complements their respective obligations.
3 Role Allocation
- Customer scenario – The customer acts as Controller, CSG acts as Processor when CSG processes customer Personal Data to deliver services.
- Supplier scenario – CSG acts as Controller, the supplier acts as Processor when the supplier processes CSG Personal Data to provide goods or services.
- Where the Parties jointly determine purposes and means of specific processing, they are Joint Controllers within the meaning of Article 26 GDPR and will conclude a separate written arrangement describing respective duties.
4 Purpose
Processing of Personal Data under this Agreement shall be strictly limited to what is necessary to perform and administer the underlying commercial agreement between the parties.
- Business Need Only: Personal Data may be used solely to deliver the specific services or products set out in the contract.
- No Other Use: The Processor shall not use the data for any additional purpose, such as marketing or analytics, without the Controller’s prior written consent and a valid legal basis.
- Data Minimisation: Only the minimum amount of Personal Data required to achieve the agreed purpose may be collected and retained.
- Changes to Purpose: Any expansion or change of processing purpose requires the Controller’s advance written approval.
5 Processor Obligations
Whenever a Party acts as Processor, it shall:
- Processing Scope and Lawful Instructions
The Processor shall handle Personal Data only to the extent and in the manner necessary to fulfil the agreed business purposes, and strictly in line with the Controller’s written instructions provided by authorised representatives. The Processor will not use the Personal Data for any other purpose or in any way that contravenes this Agreement or applicable Data Protection Legislation. If the Processor believes that a Controller instruction would breach Data Protection Legislation, it will promptly notify the Controller.
- Acting on Controller Requests
The Processor agrees to act on any reasonable request or authorised instruction from the Controller to amend, transfer, delete, or otherwise process Personal Data, or to stop, mitigate, or remedy any unauthorised processing.
- Confidentiality and Lawful Disclosure
The Processor shall keep all Personal Data confidential and shall not disclose it to third parties except where expressly authorised by the Controller, permitted by this Agreement, or required by law. If disclosure is mandated by law, a court, a regulator, or a supervisory authority, the Processor will inform the Controller of the requirement and provide an opportunity to object or challenge it, unless the law prohibits such notice.
- Assistance with Compliance Obligations
The Processor will provide reasonable assistance to the Controller in fulfilling the Controller’s obligations under Data Protection Legislation, taking into account the nature of the processing and the information available to the Processor. This includes support with data-subject rights requests, data-protection impact assessments, and any required reporting to or consultation with supervisory authorities.
- Personal Data Breach Notification and Cooperation
The Processor shall notify the Controller without undue delay, ideally within 24 hours of becoming aware of a Personal Data Breach and shall provide all information reasonably required for the Controller to meet its own reporting obligations. Such information includes:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate possible adverse effects.
The Processor shall cooperate fully with any follow-up investigation or remedial action required by the Controller.
- Data Deletion or Return at Contract End
At the Controller’s written instruction and choice, the Processor will securely delete or return all Personal Data at the end of the contract and will ensure that any remaining copies are erased, unless retention is required by applicable law. If retention is required, the Processor shall continue to protect the data in accordance with this Agreement and notify the Controller of the legal basis for retention.
- Records of Processing Activities and Audit Rights
The Processor will maintain complete and accurate records of all processing activities carried out on behalf of the Controller and make these records available upon request to demonstrate compliance with Data Protection Legislation. Subject to reasonable prior notice, the Processor shall permit audits or inspections by the Controller or an auditor mandated by the Controller, and will provide all information necessary to verify compliance. Subject to confidentiality obligations, the Controller may audit the Processor’s compliance with this DPA no more than once in any 12‑month period (or additionally following a Personal Data Breach or a material change in processing), during normal business hours and on at least five (5) days’ prior written notice. Before conducting an on‑site audit, the Controller will first review the third‑party attestations and reports made available by the Processor, and on‑site audits will be limited to what is reasonably necessary.
5.1 Security Measures
The Processor shall implement appropriate technical and organisational measures to safeguard Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. The level of security applied shall be proportionate to the potential harm that could result from such events and shall take into account the sensitivity and nature of the Personal Data being protected.
These measures shall include, where relevant:
- Encryption and/or pseudonymisation of Personal Data to reduce exposure in the event of a breach.
- Systems and controls designed to maintain confidentiality, availability, and resilience of processing services and related infrastructure.
- Access management, including strong authentication, role-based permissions, and regular review of user rights.
- Physical safeguards such as secure facilities and restricted access to locations where Personal Data is stored or processed.
- Regular testing, assessment, and evaluation of the effectiveness of security measures, including vulnerability scans and penetration testing.
- Incident-response planning to ensure prompt detection, containment, and remediation of security events.
5.2 Sub-contractors
The Processor shall not delegate or subcontract any of its processing activities under this Agreement without the Controller’s prior written authorisation, which may be granted for specific sub-processors or through a general written consent.
- Conditions for Approved Subcontractors
– Any authorised subcontractor (“sub-processor”) must be bound by a written contract imposing data-protection obligations that are no less protective than those set out in this Agreement and applicable Data Protection Legislation.
– The Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations and for any acts or omissions that result in a breach of this Agreement or Data Protection Legislation.
- Notification and Changes
– The Processor shall provide the Controller with reasonable prior notice of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on legitimate data-protection grounds.
– If the Controller objects, the parties will work in good faith to find a suitable alternative; if no solution is reached, the Controller may suspend or terminate the affected processing activities.
- Ongoing Oversight
– The Processor shall monitor the sub-processor’s compliance, conduct appropriate due diligence, and, upon request, provide evidence of such oversight to the Controller.
5.3 Cross-border Data Transfer
The Processor shall not transfer, access, or otherwise make Personal Data available outside the European Economic Area (EEA) or the United Kingdom (UK) without the Controller’s prior written authorisation. Any approved transfer must ensure a level of protection essentially equivalent to that provided under the GDPR and UK GDPR, and may take place only where one of the following safeguards is in place:
- Adequacy Decision: The destination country or territory has been formally recognised by the European Commission or the UK Government as providing an adequate level of protection. The Processor shall monitor the status of any adequacy decision relied upon and inform the Controller of any changes.
- Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, the parties have executed the applicable Standard Contractual Clauses adopted by the European Commission, and have implemented any supplementary technical or organisational measures required to maintain equivalent protection.
- Other Approved Mechanism: Another legally recognised safeguard, such as Binding Corporate Rules or an approved certification scheme, has been validly implemented and documented.
The Processor shall keep written records of the chosen transfer mechanism, provide them to the Controller on request, and promptly notify the Controller if it believes the safeguard can no longer be met or if legal changes in the destination country could affect compliance.
6 Controller Obligations
The Controller shall:
- Lawful Instructions and Legal Basis
– Provide the Processor with clear, lawful, and documented instructions for all processing of Personal Data carried out under this Agreement.
– Ensure that a valid legal basis (such as consent, contract performance, legal obligation, vital interests, public task, or legitimate interest) exists for each processing activity and is properly documented.
- Data Subject Rights
– Inform the Processor without undue delay of any Data Subject request or complaint that relates to the Processor’s processing activities.
– Cooperate with the Processor to enable the timely handling of such requests, including rights of access, rectification, erasure, restriction, portability, and objection, as well as rights related to automated decision-making.
- Records and Documentation
– Maintain and update records of processing activities in accordance with Article 30 GDPR, including details of processing purposes, categories of data subjects and personal data, recipients, international transfers, retention periods, and security measures.
– Make such records available to supervisory authorities upon request.
- Data Quality and Accuracy
– Ensure that all Personal Data provided to the Processor is accurate, complete, and kept up to date, and notify the Processor promptly of any required correction or deletion.
- Cooperation and Information Sharing
– Provide the Processor with all information reasonably necessary for the Processor to meet its obligations under this Agreement and applicable Data Protection Legislation, including information needed for security assessments, breach notifications, or Data Protection Impact Assessments (DPIAs).
- Compliance with International Transfer Requirements
– Where the Controller instructs or authorises any transfer of Personal Data outside the EEA or the United Kingdom, ensure that an appropriate safeguard or transfer mechanism is in place and documented before such transfer occurs.
- Security Responsibilities
– Implement and maintain appropriate technical and organisational measures within the Controller’s own environment to protect Personal Data before it is transferred to, or processed by, the Processor.
7 International Data Transfers
Personal Data may not be transferred outside the European Economic Area (EEA) or to any third country or international organisation that is not subject to an adequacy decision under the GDPR unless a valid safeguard is in place, including:
- an adequacy decision by the European Commission;
- execution and application of the European Commission’s Standard Contractual Clauses, Module 2 (controller to processor) and/or Module 3 (processor to processor) as applicable; or
- another legally recognised mechanism (e.g. Binding Corporate Rules or an approved certification scheme) ensuring an essentially equivalent level of protection.
The Parties will conduct and document any required transfer impact assessments and implement supplementary measures where necessary.
To the extent that any processing under this Agreement involves a transfer of Personal Data to a third country or international organisation not subject to an adequacy decision under the GDPR, the EU Standard Contractual Clauses adopted by the European Commission, Module 2 and/or Module 3 as applicable, are hereby incorporated by reference and shall apply to that transfer.
The Data Exporter shall be responsible for:
- identifying any transfer of Personal Data requiring such safeguards;
- selecting the appropriate transfer module or agreement;
- conducting and documenting a transfer-risk assessment in accordance with EDPB Recommendations 01/2020; and
- implementing any necessary supplementary technical and organisational measures to ensure an essentially equivalent level of protection.
The Data Importer shall comply with and assist the Data Exporter in fulfilling its obligations under the applicable transfer mechanism.
8 Term and Effect
a) Duration
This Agreement will remain valid and enforceable for as long as:
- the underlying Terms and Conditions continue in effect, or
- the Processor retains any Personal Data connected to the Terms and Conditions in its possession or under its control (the “Term”).
b) Survival of Provisions
Any clause of this Agreement that, by its nature or explicit wording, must continue to operate after the termination or expiry of the Terms and Conditions in order to safeguard Personal Data shall remain fully effective and binding.
9 Indemnity and Liability
Each Party is liable for damages it causes by processing in breach of the GDPR.
a) Indemnification by the Processor
The Processor shall indemnify and hold harmless the Controller from any losses, damages, fines, or reasonable costs (including legal fees) arising from:
- a breach of this Agreement or applicable Data Protection Legislation by the Processor or its approved sub-processors; or
- unauthorised or unlawful processing, loss, destruction, or disclosure of Personal Data caused by the Processor or its sub-processors.
b) Indemnification by the Controller
The Controller shall indemnify the Processor for losses, damages, fines, or reasonable costs resulting from:
- the Controller’s breach of this Agreement or applicable Data Protection Legislation; or
- the Controller’s failure to provide a lawful basis or accurate instructions for the processing of Personal Data.
c) Limitations of Liability
Neither party limits or excludes liability for death or personal injury caused by negligence, for fraud, or for any liability that cannot be excluded under Data Protection Legislation (including liability to data subjects).