Rechtliches

Partner-Auftragsverarbeitungsvertrag

Zuletzt aktualisiert: 27. März 2026

This Data Processing Agreement (“DPA”) forms part of the Partnership Terms & Conditions available at oleaoffice.com/partner-terms (the “Terms”) between Olea Office Ltd (“Olea”, the “Controller”) and the location partner identified in the Partner Agreement (the “Partner”, the “Processor”).

This DPA sets out the terms on which the Partner processes personal data on behalf of Olea in connection with the services provided under the Partner Agreement and the Terms.

This DPA is entered into pursuant to Article 28 of the UK GDPR / EU GDPR (as applicable) and supplements (but does not replace) the Terms. In the event of any conflict between this DPA and the Terms, this DPA shall prevail in respect of data protection matters.

1. Definitions

Capitalised terms not defined in this DPA have the meanings given in the Terms. In addition:

“Applicable Data Protection Law” means: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR (Regulation (EU) 2016/679); and (c) any other applicable data protection or privacy legislation, in each case as amended or replaced from time to time.

“Customer Data” means personal data relating to Customers that is processed by the Partner on behalf of Olea in connection with the services.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.

“Sub-processor” means any third party appointed by the Partner to process Customer Data on behalf of Olea.

2. Scope of Processing

2.1 Roles

The parties acknowledge that for the purposes of Applicable Data Protection Law:

  • Olea is the Controller of Customer Data.
  • The Partner is a Processor acting on Olea’s documented instructions.

2.2 Subject matter and duration

The Partner processes Customer Data for the purpose of providing the services described in the Partner Agreement and the Terms at each Location. Processing begins on the effective date of the Partner Agreement and continues for the duration of the partnership, plus any applicable retention period set out in this DPA.

2.3 Categories of data subjects

  • Customers of Olea
  • Employees, directors, and legal representatives of Customer businesses
  • Authorised persons (individuals nominated by Customers to collect mail or access services)
  • Visitors to the Location who interact with Olea services

2.4 Categories of personal data

  • Full names and company names
  • Contact details (email addresses, telephone numbers)
  • Mail sender information (names and addresses visible on envelopes and parcels)
  • Visitor records and reception logs
  • Workspace booking records
  • Authorised pickup person lists (names and identification details)
  • Any other personal data incidentally received in the course of providing services at the Location

2.5 Nature of processing

The Partner processes Customer Data in order to:

  • Receive, sort, and securely store mail and parcels on behalf of Customers
  • Verify the identity of Customers and Authorised Persons collecting mail
  • Facilitate workspace bookings (meeting rooms, coworking, offices)
  • Manage reception services and visitor access
  • Forward mail to Olea’s scanning hub or to Customer-specified addresses
  • Maintain records necessary for service delivery

3. Partner’s Obligations as Processor

The Partner shall:

3.1 Documented instructions. Process Customer Data only on Olea’s documented instructions as set out in this DPA, the Terms, and the Partner Agreement, unless required to do so by Applicable Law. If the Partner believes an instruction infringes Applicable Data Protection Law, it shall promptly notify Olea.

3.2 Confidentiality. Ensure that all personnel authorised to process Customer Data are bound by appropriate obligations of confidentiality (whether contractual or statutory).

3.3 Security measures. Implement and maintain appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures shall include, as a minimum:

  • Secure physical storage for mail and parcels (locked facilities with restricted access)
  • Access controls limiting Customer Data access to authorised personnel only
  • Staff training on data protection and confidentiality
  • Secure destruction of documents when required

3.4 Sub-processors. Not engage any Sub-processor without Olea’s prior written consent. Where consent is given, the Partner shall impose data protection obligations on the Sub-processor that are no less protective than those in this DPA. The Partner remains fully liable to Olea for the acts and omissions of any Sub-processor.

3.5 Data subject requests. Promptly assist Olea in responding to requests from data subjects exercising their rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection), taking into account the nature of the processing.

3.6 Data Breach notification. Notify Olea without undue delay and in any event within 24 hours of becoming aware of any Data Breach. The notification shall include:

  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
  • The name and contact details of the Partner’s contact point
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach

The Partner shall cooperate fully with Olea in investigating, mitigating, and remediating any Data Breach.

3.7 Data protection impact assessments. Provide reasonable assistance to Olea with any data protection impact assessment (DPIA) or prior consultation with a supervisory authority, where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to the Partner.

3.8 Audit and inspection. Make available to Olea all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and allow for and contribute to audits, including inspections, conducted by Olea or an auditor mandated by Olea, on reasonable notice.

4. International Data Transfers

4.1 The Partner shall not transfer Customer Data outside the United Kingdom or the European Economic Area without Olea’s prior written consent.

4.2 Where Olea consents to an international transfer, the Partner shall ensure that an appropriate transfer mechanism is in place in accordance with Applicable Data Protection Law (such as Standard Contractual Clauses, UK International Data Transfer Agreement, or an adequacy decision).

5. Return and Deletion of Data

5.1 On termination or expiry of the Partner Agreement, the Partner shall, at Olea’s election, either return or securely destroy all Customer Data within 14 days and provide written certification of destruction.

5.2 The Partner may retain Customer Data only to the extent required by Applicable Law, and shall isolate and protect such data and refrain from any further processing except as required by law.

6. Term

This DPA takes effect on the effective date of the Partner Agreement and remains in force for the duration of the partnership. Clauses that by their nature should survive (including clauses 3.6, 4, 5, and 6) shall survive termination.

7. Governing Law

This DPA is governed by the laws of England and Wales, subject to the mandatory provisions of Applicable Data Protection Law in the Partner’s jurisdiction.

8. Contact

For data protection enquiries relating to this DPA:

Olea Office Ltd

Email: operations@oleaoffice.com

Post: Data Protection, Olea Office Ltd, 66 Paul Street, London, EC2A 4NA

Partner-Auftragsverarbeitungsvertrag | Olea