GENERAL DATA PROCESSING AGREEMENT PRIPARCEL B.V.

1. Parties

  1. PriParcel B.V. - Established at Weteringweg 18, 2641KM Pijnacker, the Netherlands, registered with the Chamber of Commerce under number 88426882. Hereinafter referred to as: "Processor".
  2. Customer or Webshop - The natural or legal person who has entered into an agreement with PriParcel for the processing of returns, including any scanning of return forms and the (digital) processing of shipping labels. Hereinafter referred to as: "Controller".
  3. The Controller and Processor are hereinafter collectively referred to as the "Parties".

2. Definitions

  1. GDPR: The General Data Protection Regulation (EU) 2016/679.
  2. Personal data: Any data that can be traced, directly or indirectly, to an identified or identifiable natural person. In this case, this can be customer data (e.g. name, address, telephone number, email address) on return labels, return forms or in packaging.
  3. Processing: Any processing of personal data, such as scanning, digitizing, storing, forwarding or otherwise editing return forms, labels, etc.
  4. Data Breach / Security Incident: A breach of security that (potentially) leads to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, forwarded, stored or otherwise processed personal data.
  5. Where this agreement refers to definitions from the GDPR, those terms have the same meaning as in Article 4 of the GDPR.

3. Purpose and scope

  1. This Data Processing Agreement applies when the Controller engages the Processor to process returns (including opening, processing, scanning and/or digitizing return forms, shipping labels and other documents).
  2. The Customer acts as Controller, because it determines that returns are handled by the Processor and that personal data of (end) customers may be included in the return shipment. PriParcel acts as Processor, because it only processes the data on behalf of the Controller.

4. Roles and responsibilities

  1. Controller:
    • Determines the purpose and means of processing personal data in the returns process (e.g., "we want to process returns in order to be able to credit customers or replace a product").
    • Is and remains ultimately responsible for the lawfulness of the processing and communication with end customers, e.g. access or deletion requests.
  2. Processor:
    • Processes the personal data exclusively on behalf of the Controller, in accordance with this agreement and the main agreement (return service).
    • Has no independent control over the processing and will not use personal data for its own purposes.

5. Obligations of the processor

The Processor guarantees the following obligations in accordance with Article 28 GDPR:

5.1 Confidentiality

  1. The Processor and its affiliated employees (and any sub-processors) shall treat the personal data of which they become aware confidentially.
  2. This duty of confidentiality will also continue to apply after termination of this Data Processing Agreement.

5.2 Appropriate security measures

  1. The Processor shall take appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  2. Technical measures include, for example, firewalls, virus scanners, strong passwords and (where relevant) encryption according to the ISO 27001 and ISO 27701 standards. Organizational measures include access restrictions, screening of staff and closure of areas where data is processed.
  3. The security measures are at least in accordance with the requirements of Article 32 of the GDPR and appropriate to the nature of the data processed (this may vary per postal item).

5.3 Processing within the EU/EEA

  1. The Processor will not allow the processing of personal data to take place outside the European Economic Area (EEA), unless otherwise agreed in writing with the Controller or a legal obligation requires this.
  2. For transfer outside the EEA, the Processor will first request permission from the Controller and arrange any additional safeguards (such as SCCs).

5.4 No Further Processing

  1. The Processor does not use the personal data obtained for other purposes (such as marketing or its own analyses), unless there is an explicit instruction from the Controller for this.

5.5 Assistance in the fulfilment of obligations

  1. To the extent reasonably possible, the Processor will assist the Controller in complying with obligations under the GDPR, such as handling requests from data subjects or conducting data protection impact assessments (DPIA).

5.6 Provision of information and audit

  1. Providing information
    The Processor shall, upon first request and to the extent reasonably necessary, provide the Controller with all information necessary to demonstrate compliance with the obligations under this Data Processing Agreement and the GDPR.
  2. Compliance support
    If the Controller has well-founded reasons to do so (e.g. periodic check or suspicion of irregularities), the Processor will cooperate with audits or inspections, including (where appropriate) the provision of technical documentation or reports.
  3. Audit conditions
    • The Controller shall announce an intended audit or inspection in writing at least 30 working days in advance, with a clear description of the scope and purpose, so that the Processor can prepare and the continuity of the service is not unnecessarily compromised.
    • Audits will not affect the confidentiality of other customers or the security of systems that also contain third-party data. The Controller agrees that the audit may be carried out by an independent third party, under confidentiality, in order to protect the privacy of other customers.
    • The costs of an audit, including man-hours of the Processor, shall be borne by the Controller, unless it is established that the Processor is acting in violation of this Data Processing Agreement or the GDPR, in which case the Processor shall bear the reasonable audit costs.
  4. Outcomes and improvements
    The Processor shall inform the Controller of relevant findings from an audit or inspection and, if applicable, propose or implement improvement measures to continue to ensure compliance with this Data Processing Agreement and the GDPR.

6. Sub-processors

6.1 No Engagement Without Consent

  1. The Processor shall not engage any additional third parties (sub-processors) for the actual processing of personal data without the (specific or general) consent of the Controller.
  2. If the Processor has a general permission from the Controller, the Processor shall inform the Controller at least 14 days before the addition or replacement of a sub-processor, so that the Controller can object to this. If the Controller does not object within this period, the Controller will be deemed to have agreed to the new sub-processor.

6.2 Current Sub-processor for Scanning

  1. The Controller acknowledges and agrees that the Processor already engages a sub-processor for the scanning and digitization of mail items. This sub-processor is bound by the same (privacy) obligations as included in this Data Processing Agreement, so that it also complies with the GDPR.
  2. The Controller may request information from the Processor about the identity and location of this sub-processor, as well as the way in which appropriate safeguards are ensured.

6.3 Agreements with sub-processors

  1. If the Processor engages a sub-processor, the Processor will enter into a written agreement with that sub-processor, which includes at least the same (privacy) obligations as in this Data Processing Agreement, so that the sub-processor complies with the GDPR.
  2. The Processor remains the primary point of contact for the Controller at all times and retains (contractual) responsibility for the processing by the sub-processor.

7. Data Breaches (Security Incidents)

7.1 Obligation to report

  1. In the event of an established or suspected security incident (possible data breach) that relates to the personal data processed by the Processor, the Processor will report this to the Controller without undue delay.
  2. The Processor shall provide as much relevant information as possible, so that the Controller can comply with its own obligation to report to the supervisory authority (and any data subjects).

7.2 Support

  1. The Processor will support the Controller in any investigations or measures that need to be taken as a result of the data breach (such as forensic investigations, remedial measures).

8. Data Subject Requests

8.1 Handling by the Controller

  1. If the Processor receives a request (e.g. inspection, correction, deletion) directly from a data subject, the Processor will forward this request to the Controller without unreasonable delay.
  2. The Controller is responsible for the further processing of these requests.

8.2 Cooperation

  1. The Processor shall, to the extent reasonably possible, cooperate to enable the Controller to fulfil its obligations (Articles 12–22 GDPR).

9. Term and Termination

9.1 Duration

  1. This Data Processing Agreement commences at the time the Controller enters into the return agreement with the Processor and remains valid as long as the Processor processes personal data from returns.

9.2 Termination

  1. End of main agreement
    As soon as the main agreement ends and the Controller no longer uses the return service, the Processor will handle the relevant personal data (such as labels, mail and scans) in accordance with the Processor's internal procedures.
  2. Retention period upon termination
    • If the Controller does not have an active digital archive with the Processor, all scans will be deleted or destroyed within four (4) weeks after termination of the scanning service at the latest, unless a statutory retention obligation applies or the Controller instructs the transfer in writing.
    • If the Controller does have a digital archive at the Processor, the Processor will keep the scans for a maximum of three (3) months from the date of termination. Thereafter, the personal data will be deleted or destroyed, unless there is a legal basis for further storage or the Controller expressly orders the transfer.
  3. Exceptions and legal retention
    If the Controller and Processor are obliged by law (e.g. tax or administrative) to retain certain data for a longer period of time, the Processor may – after consultation with the Controller – continue to retain the data for that specific (legal) period.
  4. Transfer request
    The Controller may request the transfer of the scans in a digital file or other agreed form within the period referred to in this article. The Processor will cooperate with this – to the extent reasonably possible. Costs associated with this may be charged to the Controller, unless otherwise agreed.
  5. Guarantee of removal
    After the periods referred to in paragraphs 2 and/or 3 of this article, the Processor will ensure the complete removal or destruction of the personal data, so that they are no longer accessible or recoverable. The Processor can provide a confirmation of destruction upon request.

10. Liability

  1. The liability provisions from the main or general terms and conditions of the Processor apply, insofar as they are not in conflict with this Data Processing Agreement and the GDPR.
  2. The Controller remains ultimately responsible for the personal data and the assessment of whether processing is lawful.

11. Miscellaneous

  1. Any changes to this Agreement must be in writing (including electronic form) and accepted by both Parties (e.g., via electronic acceptance mechanisms).
  2. The parties make joint efforts to comply with the GDPR and other applicable privacy legislation.
  3. This Data Processing Agreement is governed by Dutch law. Disputes will be submitted to the competent court in The Hague, unless the Parties agree otherwise.
  4. In the event of any contradictions or differences between the Dutch version of these terms and conditions and the translations into other languages, the Dutch version shall prevail.

End GENERAL DATA PROCESSING AGREEMENT PRIPARCEL B.V.

Version: 2.0

Date: 18-01-2025