Data Processing Addendum (“Addendum”)

According to applicable personal data legislation (“Applicable Legislation”) including, but not limited to, Federal Decree Law No. 45 of 2021 (“UAE Data Law”) and the EU's General Data Protection Regulation 2016/679 (“GDPR”), the following data processor agreement is made:

Purpose

The purpose of the Addendum is to regulate rights and obligations in relation to the applicable Federal Decree Law No. 45 of 2021 (“UAE Data Law”) and the EU's General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”).

The Addendum governs the processing of personal data by sub-processors on behalf of data processors, including the collection, registration, compilation, storage or disclosure of personal data, or combinations thereof, in connection with the provision of aviation services in accordance with Agreement for Aviation Services between the parties entered into simultaneously (“Main Agreement”).

Vendor (hereafter “Sub-processor”) understands that UAS (hereafter the “Data Processor”) acts on behalf of a Data Controller for the personal data covered by the Main Agreement, and that Sub-processor is subject to obligations similar to those required of the Data Processor by the Data Controller in accordance with GDPR and UAE Data Law.

The agreement shall ensure that personal data is not used illegally or unlawfully, and that the information is not processed in ways that lead to unauthorized access, alteration, deletion, damage, loss or inaccessibility.

In the event of a conflict, the terms of this agreement shall take precedence over the privacy statement of the Sub-processor, or the terms of other agreements entered into between the Data Processor and the Sub-processor in connection with the Main Agreement.

The purpose of the processing and the types of processing activities carried out shall be solely for the purposes of the execution of the obligations as outlined within the Main Agreement. These conditions cannot be changed by either party without a new agreement or an amendment to the agreement being signed.

Instructions

Sub-processors shall follow the written and documented instructions for the processing of personal data that the Data Processor has decided to apply.

Sub-processors undertake to comply with all obligations under the personal data law applicable to the processing of personal data.

Sub-processor undertakes to notify Data Processor if Sub-processor receives instructions from Data Processor that violate the privacy regulations.

The rights of registered subjects

The Sub-processor is obliged to assist the Data Processor in ensuring compliance with the data subject’s rights in accordance with applicable personal data legislation.

The data subject’s rights include the right to information on how his or her personal data is processed, the right to demand access to his own personal data, the right to demand rectification or deletion of his personal data and the right to demand the processing of his personal data.

To the extent applicable, the Sub-processor shall assist the Data Processor in connection with the Data Controller’s protection of data subjects’ right to data portability and the right to oppose automatic decisions, including profiling.

Sub-processor is liable to the data subject if errors or negligence of Sub-processor cause the data subject financial or non-financial losses due to their rights or privacy being violated.

Satisfactory information security

Sub-processor shall ensure appropriate technical, physical and organizational security measures to protect personal data covered by this Agreement against unauthorized or unlawful access, alteration, deletion, damage, loss or inaccessibility.

Sub-processor must document their own security organization, guidelines and procedures for security work, risk assessments and established technical, physical or organizational security measures. Further, Sub-processor will establish continuity and contingency plans for effective management of serious security incidents. All such documentation should be available to the Data Processor. Data Processor can provide the Data Controller with access to the documentation so that the Data Controller can fulfill his/her duties under applicable personal data legislation.

Sub-processors shall provide sufficient information and training to their own employees in order to safeguard the security of personal data processed on behalf of the Data Processor. Sub-processor must document the training of their own employees in information security. The documentation should be available to the Data Processor. The Data Processor can provide the Data Controller with access to the documentation so that the Data Controller can fulfill his/her duties under the current personal data legislation.

Confidentiality

Only employees of Sub-processor who have a service need for access to personal data managed on behalf of a Data Processor can be granted such access. The Sub-processor is required to document access control policies and procedures. The documentation should be available to the Data Processor. The Data Processor can provide the Data Controller with access to the documentation so that the Data Controller can fulfill their duties under the applicable personal data legislation.

Sub-processors shall ensure that employees of Sub-processors are subject to a duty of confidentiality regarding documentation and personal data that they may have access to in accordance with this Agreement. This provision also applies after termination of the agreement.

Access to documentation

The Sub-processor is obliged to provide the Data Processor with access to all documentation that is necessary for the Data Processor to assist the Data Controller to fulfill his/her duties under the applicable personal data legislation.

Sub-processor is obliged to provide Data Processor with access to any documentation that enables the Data Processor to assess whether the Sub-processor complies with the terms of this Agreement.

The Data Processor may provide the Data Controller with access to documentation to enable the controller to fulfill their obligations under applicable personal data legislation but retains a duty of confidentiality regarding confidential documentation that the Sub-processor makes available to them.

Duty to notify in case of security breach

Sub-processor shall notify the Data Processor without undue delay if personal data processed on behalf of the Data Processor is exposed to security breaches which entail a risk of violations of the data subjects’ privacy.

The notification to the Data Processor shall include, as a minimum, information describing the breach, which data subjects are affected by the breach, what personal information is affected by the breach, what immediate action has been taken to deal with the breach, and any preventive measures that may have been taken to avoid similar events in the future.

The Data Processor is responsible for ensuring that notifications of security breaches from the Sub-processor are passed on to the Data Controller.

Subcontractors

Sub-processor is obliged to enter into separate agreements with any subcontractors that regulate the subcontractor’s processing of personal data on behalf of Sub-processor. In those agreements, subcontractors shall be required to fulfill all obligations that the Sub-processor itself is subject to under this Agreement. The Sub-processor is required to submit the agreements to Data Processor, on request, who may submit the agreements to the Data Controller.

Sub-processor shall verify that all subcontractors comply with their contractual obligations, that information security is satisfactory and that subcontractor employees are aware of, and fulfill, their obligations. Sub-processor is liable for damages in accordance with Clause 13 for financial losses of the Data Processor due to illegal or unlawful processing of personal data or insufficient information security of subcontractors.

Security audits and impact assessments

Sub-processors shall regularly carry out security audits of their own work to secure personal data against unauthorized or illegal access, alteration, deletion, damage, loss or unavailability.

Sub-processors will conduct security audits of the information security in the business. Security audits shall include the Sub-processor’s security objectives and security strategy, security organization, guidelines and procedures for security work, established technical, physical and organizational security measures and work on information security with subcontractors. It shall also include procedures for alerting Data Processor in case of security breaches and testing contingency and continuity plans.

Sub-processors must document the security audits. The Data Processor shall be given access to the audit reports. The Data Processor can provide the Data Controller with access to the documentation so that the Data Controller can fulfill their duties under the applicable personal data legislation. If an independent third-party conducts security audits at the Sub-processor, the Data Processor shall be informed of which auditor is used and have access to summaries of the audit reports.

Return and deletion

Upon termination of this Agreement, the Sub-processor is obliged to delete and/or return all personal data processed by the Sub-processor on behalf of the Data Processor in connection with the Main Agreement. The Data Processor decides how the return of personal data should take place, including the format to be used.

Sub-processors shall delete personal data from all storage media containing personal data processed by the Sub-processor on behalf of the Data Processor. Deletion must occur by sub-processor using a deletion tool approved by the Data Processor or by overwriting. This also applies to backups of personal data.

Sub-processors shall document that deletion of personal data has been carried out in accordance with this Agreement. The documentation shall be made available to the Data Processor. The Data Processor can provide the Data Controller with access to the documentation so that the Data Controller can fulfill his/her duties under the applicable personal data legislation.

Sub-processor covers all costs associated with the return and deletion of all such personal data.

Breach

In the event of any material breach of the terms of this Agreement due to errors or negligence on the part of the Sub-processor, the Data Processor may terminate the Agreement with immediate effect. Sub-processors will continue to be obliged to return and/or delete personal data processed on behalf of the Data Processor in accordance with the provisions of clause 10 above.

Compensation

The Data Processor may claim compensation for financial losses that errors or neglect on the part of the Sub-processor, including breach of the terms of this agreement, have caused the Data Processor.

Duration

This Agreement applies as long as Sub-processor processes personal data on behalf of Data Processor originating in the Main Agreement.

Notification

All notifications shall be made in accordance with the terms stipulated in the Main Agreement. Otherwise, to immediately notify or contact the Sub-processor with questions related to this Addendum, email: legal@uas.aero.

Choice of Law and Venue

The Addendum is governed by English law. The parties adopt the Courts of the home jurisdiction of the Sub-processor as venue for any dispute arising out of this Addendum.