Customer Data Processing Addendum Controller to Processor
Data Processing Addendum (“Addendum”)
According to applicable personal data legislation (“Applicable Legislation”) including, but not limited to, Federal Decree Law No. 45 of 2021 (“UAE Data Law”) and the EU’s General Data Protection Regulation 2016/679 (“GDPR”), the following data processing agreement is made:
Purpose
The purpose of the Addendum is to regulate rights and obligations in relation to the applicable Federal Decree Law No. 45 of 2021 (“UAE Data Law”) and the EU’s General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”).
The Addendum governs the processing of personal data by the Processor on behalf of the Controller, including the collection, registration, compilation, storage or disclosure of personal data, or combinations thereof, in connection with the provision of aviation services in accordance with Agreement for Aviation Services between the parties entered into simultaneously (“Main Agreement”).
Client (hereafter “Controller”) understands that UAS (hereafter the “Processor”) acts on behalf of the Controller for the personal data covered by the Main Agreement, and the Processor is required by the Controller to act in accordance with GDPR and UAE Data Law.
The Controller and Processor shall ensure that personal data is not used illegally, unlawfully or that the information is not processed in ways that could lead to unauthorized access, alteration, deletion, damage, loss or inaccessibility.
In the event of a conflict, the terms of this Addendum shall precede the privacy statement of the Controller, or the terms of other agreements entered into between the Controller and Processor, or any other entity, in connection with the Main Agreement, or the provision of aviation services in accordance with it.
The purpose of the processing and the types of processing activities shall be solely for the purposes of the execution of the obligations as outlined within the Main Agreement. These conditions cannot be changed by either party without a new agreement or an amendment to the agreement being signed.
Obligations of the Parties
The Processor shall process the personal data for the purpose of providing aviation services in accordance with the Main Agreement or as lawfully instructed by the Controller. Where instructed by the Controller, or where necessary to deliver the aviation services, the Processor may transfer or process the data outside of the UAE, in accordance with the accepted principles of cross-border transfer under the applicable data processing law.
Processor undertakes to comply with all obligations in accordance with the applicable personal data law applicable to the processing of personal data.
Processor undertakes to notify Controller if Processor receives instructions from Controller that violate the UAE Data Law and/or the GDPR.
Processor shall assist Controller in ensuring compliance with the Controller’s obligations under the UAE Data Law and the GDPR, taking into account the nature of the processing and the information available to the Processor.
The Controller shall:
ensure that it has a valid legal basis under the UAE Data Law and the GDPR to make the transfer to the Processor for the purpose of rendering aviation services;
take all reasonable steps appropriate to ensure that the data it shares with the Processor is accurate and up-to-date;
provide a fair processing notice to those data subject(s) whose personal data are to be disclosed to a Processor under the Main Agreement, informing them that their personal data will be disclosed to the Processor for the purpose of rendering aviation services;
implement appropriate technical and organizational measures to ensure the security of the personal data whilst in transit to the Processor;
guarantee that the data was obtained in a lawful manner in accordance with the UAE Data Law and the GDPR, including but not limited to, the consent of the data subject to the proposed data processing activities.
The rights of registered subjects
The Processor is obliged to assist the Controller in compliance with the data subject’s rights in accordance with applicable personal data legislation.
The data subject’s rights include the right to information on how his or her personal data is processed, the right to demand access to his own personal data, the right to demand rectification or deletion of his personal data and the right to restrict the processing of his personal data.
Satisfactory information security
Processor shall ensure appropriate technical, physical and organizational security measures to protect personal data covered by this Addendum against unauthorized or unlawful access, alteration, deletion, damage, loss or inaccessibility.
Processor will provide sufficient information and training to its own employees in order to safeguard the security of personal data processed on behalf of the Controller.
Confidentiality
Only employees of the Processor who have a service need for access to personal data managed on behalf of a Controller can be granted such access. The Processor is required to document access control policies and procedures.
Processor shall ensure that employees of Processor are subject to a duty of confidentiality regarding documentation and personal data that they may have access to in accordance with this Addendum. This provision also applies after termination of the agreement.
Duty to notify in case of security breach
Processor shall notify the Controller without undue delay if personal data processed on behalf of the Controller is exposed to security breaches which entail a risk of violations of the data subjects’ rights.
Any notification to the Controller shall include, as a minimum, information describing the breach, which data subjects are affected by the breach, what personal information is affected by the breach, what immediate action has been taken to deal with the breach, and any preventive measures that may have been taken to avoid similar events in the future.
Access to Documentation
The Controller is obliged to provide the Processor with data-subject approved access to all documentation that is necessary for the fulfillment of the Main Agreement.
The Controller shall provide the Processor with access to documentation to enable the Processor to fulfill their obligations under applicable law but retains a duty of confidentiality regarding confidential information that the Controller makes available to the Processor.
Sub-processors
Processor is obliged to enter into separate agreements with any Sub-processors that regulate the sub-processors’ processing of personal data. In those agreements, sub-processors shall be required to fulfill all obligations that the Processor itself is subject to, under this Addendum. The Processor is required to submit the agreements to the Controller, on request by the Controller.
Security audits and impact assessments
Processor shall make available to the Controller on request all information necessary to demonstrate compliance with the obligations that are set out in this Addendum and shall also permit and contribute to audits of the processing activities covered by this Addendum, at reasonable intervals or if there are indications of non-compliance.
Processor shall regularly carry out security audits of their own work to secure personal data against unauthorized or illegal access, alteration, deletion, damage, loss or unavailability.
Processor must document the security audits. The Controller shall be given access to the audit reports upon reasonable request of the Controller.
Liability and Indemnity
The Controller shall indemnify, defend and/or settle and hold harmless Processor against any loss or damage which Processor may sustain or incur, in relation to any third-party claim, to the extent such claim is based upon Processor’s processing of personal data on behalf of the Controller in accordance with the terms of the Main Agreement or this Data Processing Addendum or upon the breach by the Controller of this Addendum. For avoidance of doubt, and to the extent permitted by applicable law, this indemnification shall include any fines or penalties imposed by the regulator.
Return and deletion
Upon termination of the Main Agreement or this Addendum, the Processor is obliged to delete and/or return all personal data processed by the Processor on behalf of the Controller in connection with the Main Agreement.
Processor shall delete personal data from all storage media containing personal data processed by the Processor on behalf of the Controller unless the Processor is required to keep the data in compliance with the applicable laws.
Processor shall provide written confirmation that deletion of personal data has been carried out in accordance with this Addendum. The documentation shall be made available to the Controller, upon reasonable request.
Duration
This Addendum applies as long as Processor processes personal data on behalf of Controller originating in the Main Agreement.
Notification
All notifications shall be made in accordance with the terms stipulated in the Main Agreement. Otherwise, to immediately notify or contact the Processor for questions related to this Addendum, email: legal@uas.aero.
Choice of Law and Venue
The Addendum is governed by English law. The parties adopt the Courts of the home jurisdiction of the Controller as venue for any dispute arising out of this Addendum.