Top Express Privacy Policy – Data Processing Agreement
Effective date: 03 January 2022
Last amended:
This Data Processing Agreement (“Agreement”) governs the processing of personal data carried out by Top Express Ltd (the “Processor”) on behalf of its client acting as the “Controller”. This Agreement is binding on the Processor and the Controller in accordance with the General Data Protection Regulation (GDPR).
AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 Unless the context requires otherwise, capitalised terms in this Agreement (including its Preamble and Annexes) shall have the following meanings:
- “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Controller” means the entity which determines the purposes and means of processing personal data.
- “Processor” means the entity processing personal data on behalf of the Controller.
- “Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- “Automated means” refers to operations performed with automated tools.
- “Data subject” means the person to whom the personal data relates.
- “Third party” means any person or entity other than the Data Subject, Controller, or Processor.
- “Technical and organisational measures” means measures designed to safeguard data against accidental or unlawful loss, alteration, or disclosure.
1.2 In this Agreement:
(a) Plural words shall include the singular and vice versa;
(b) Gender references shall be interpreted as applicable to any gender;
(c) “Including” shall mean “including without limitation”;
(d) Clause headings are for convenience only and do not affect interpretation;
(e) References to clauses, annexes, or provisions are to this Agreement.
1.3 This Agreement reflects the mutual negotiations and cannot be interpreted against either party as the drafter.
1.4 Terms not defined herein shall be interpreted in accordance with applicable law.
2. SUBJECT AND PURPOSE
2.1 This Agreement regulates the processing of personal data carried out by the Processor on behalf of the Controller in accordance with the GDPR.
2.2 The scope, type, and purpose of processing, as well as categories of data subjects and types of personal data, are set out in Annex 1.
3. TERM
3.1 This Agreement applies as long as the Processor processes personal data on behalf of the Controller.
3.2 On request, after termination, the Processor shall cease processing and, unless otherwise required by law, delete or return all personal data to the Controller and erase all copies.
4. PROCESSOR OBLIGATIONS
4.1 The Processor shall implement appropriate technical and organisational measures to ensure compliance with GDPR.
4.2 The Processor shall process data only based on documented instructions from the Controller, unless required by law, in which case the Processor shall notify the Controller before processing, if possible.
4.3 Taking into account the nature of processing, the Processor will assist the Controller in responding to data subject requests.
4.4 The Processor shall assist the Controller with obligations relating to data security, breach notification, impact assessments, and consultations under GDPR Articles 32–36.
4.5 The Processor shall provide all necessary information and assistance for the Controller to demonstrate compliance and allow audits.
5. SUB‑PROCESSORS
5.1 The Controller authorises the engagement of sub‑processors listed in Annex 1. The Processor shall inform the Controller of changes and the Controller may object.
5.2 The Processor ensures sub‑processors are bound by written agreements mirroring obligations and remains fully responsible for their performance.
5.3 The Controller may require the Processor to audit sub‑processors or provide audit results.
6. TRANSFERS TO THIRD COUNTRIES
6.1 Processing shall occur within the EU/EEA. Transfer to third countries requires prior written consent and GDPR Article 46 safeguards.
6.2 The Controller may revoke consent at any time; the Processor shall cease transfers and confirm in writing.
7. CONFIDENTIALITY AND SECURITY
7.1 The Processor guarantees appropriate protection of personal data against destruction, alteration, unlawful disclosure, or access.
7.2 The Processor shall maintain up‑to‑date records of technical, organisational, and physical security measures.
7.3 The Processor shall not disclose personal data without the Controller’s prior written consent, except to authorised sub‑processors.
7.4 Persons involved in processing shall commit to confidentiality or be bound by statutory confidentiality duties.
8. APPLICABLE LAW AND DISPUTE RESOLUTION
8.1 This Agreement is governed by Latvian law, excluding conflict‑of‑law provisions.
8.2 Disputes shall be resolved exclusively in the courts of the Republic of Latvia with jurisdiction.
9. LIABILITY AND INDEMNIFICATION
9.1 Unless otherwise agreed, liability is subject to general applicable laws. Neither party is liable for indirect losses, including lost profits, reputation damage, or other indirect damages. Loss of data is considered indirect.
9.2 The Processor’s total liability is capped at EUR 3,000. By agreement, there is no liability for indirect losses, even in case of data loss.
10. MISCELLANEOUS
10.1 Severability – Invalid or unenforceable provisions shall be replaced with lawful, enforceable provisions closest in intent. Remaining provisions continue in force.
10.2 Entire Agreement – This Agreement supersedes all prior agreements on its subject matter, except in case of fraud.
10.3 Incompatibility – Parties shall not enter conflicting agreements post‑execution.
10.4 Amendments – Any amendments require written form signed by both parties.
10.5 Costs – Each party bears its own costs related to negotiation, preparation, execution, and performance.
Annex 1 – Details of Data Processing
Subject & Purpose
Provision of services or tasks, including: processing and administering service purchases/orders, identification of data subjects in Processor’s systems; account login; issue resolution; communication about purchased services; contract fulfilment; direct marketing; business analytics; audits; and general research to improve service quality.
Categories of Data
Contact information such as name, surname, phone/mobile number, email address, home or work address.
Categories of Data Subjects
Controller’s representatives and end users—employees, job applicants, contractors, colleagues, partners, customers, and other individuals entered into the Processor’s system.
Processing Activities
Entering, correcting, deleting personal data; backing up and protecting servers containing personal data.
Processor details:
Top Express SIA
Reg. No.: 40103923851
VAT No.: LV40103923851
Legal address: Brīvības gatve 300‑3, Rīga, LV‑1006
Bank: Swedbank
IBAN: LV06HABA0551040768233
Email: info@topexpress.lv