Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Customer Terms and Conditions available at oleaoffice.com/customer-terms (the “Terms”) between Olea Office Ltd (“Olea”, the “Processor”) and the customer identified in the Order Confirmation (the “Customer”, the “Controller”).

This DPA applies where the Customer uses the Digital Mailbox service and Olea processes personal data contained in the Customer’s mail on the Customer’s behalf.

This DPA is entered into pursuant to Article 28 of the UK GDPR / EU GDPR (as applicable) and supplements (but does not replace) the Terms. In the event of any conflict between this DPA and the Terms, this DPA shall prevail in respect of data protection matters.

1. Definitions

Capitalised terms not defined in this DPA have the meanings given in the Terms. In addition:

“Applicable Data Protection Law” means: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR (Regulation (EU) 2016/679); (c) the Bundesdatenschutzgesetz (BDSG); and (d) any other applicable data protection or privacy legislation, in each case as amended or replaced from time to time.

“Customer Mail Data” means personal data contained within the Customer’s mail that is processed by Olea through the Digital Mailbox service, including scanned images, extracted text, and metadata.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Mail Data.

“Scanning Hub” means the third-party mail scanning and digitisation provider engaged by Olea as a Sub-processor to operate the Digital Mailbox service.

“Sub-processor” means any third party appointed by Olea to process Customer Mail Data on behalf of the Customer.

2. Scope of Processing

2.1 Roles

The parties acknowledge that for the purposes of Applicable Data Protection Law:

• The Customer is the Controller of Customer Mail Data.
• Olea is a Processor acting on the Customer’s documented instructions.

2.2 Subject matter and duration

Olea processes Customer Mail Data for the purpose of providing the Digital Mailbox service as described in the Terms. Processing begins on activation of the Digital Mailbox service and continues for the duration of the Customer’s subscription, plus any applicable retention period.

2.3 Categories of data subjects

Data subjects are those individuals whose personal data appears in the Customer’s mail, which may include:

• The Customer’s own clients, customers, and business contacts
• Employees and officers of the Customer
• Suppliers, counterparties, and correspondents of the Customer
• Government officials and regulatory bodies corresponding with the Customer
• Any other individuals whose data is incidentally contained in postal items

2.4 Categories of personal data

Customer Mail Data may include any personal data contained in postal items, such as:

• Names, addresses, and contact details
• Financial information (invoices, bank statements, payment notices)
• Government and regulatory correspondence (tax notices, registration documents)
• Legal correspondence
• Business records and contracts
• Any other personal data incidentally contained in mail items

The exact categories depend on the nature of the Customer’s mail and are determined by the Customer, not by Olea.

2.5 Nature of processing

Olea processes Customer Mail Data in order to:

• Receive mail at the Business Address on the Customer’s behalf
• Open and scan mail items (under the postal power of attorney granted in the Terms)
• Digitise and upload scanned images to the Customer’s Digital Mailbox portal
• Store digital copies in accordance with the Customer’s settings and the Scanning Hub’s terms
• Forward physical mail to the Scanning Hub for processing
• Destroy physical originals in accordance with the Terms and Scanning Hub’s retention policy

3. Customer’s Obligations as Controller

3.1 The Customer is responsible for ensuring that its use of the Digital Mailbox service complies with Applicable Data Protection Law, including having a lawful basis for Olea’s processing of Customer Mail Data.

3.2 The Customer acknowledges that by activating the Digital Mailbox service and granting the postal power of attorney under the Terms, the Customer instructs Olea to process Customer Mail Data as described in Section 2.5.

3.3 The Customer shall inform Olea promptly if any of the Customer’s instructions would, in the Customer’s view, require a data protection impact assessment.

4. Olea’s Obligations as Processor

Olea shall:

4.1 Documented instructions. Process Customer Mail Data only on the Customer’s documented instructions as set out in this DPA and the Terms, unless required to do so by Applicable Law. If Olea believes an instruction infringes Applicable Data Protection Law, it shall promptly notify the Customer before processing (unless prohibited by law from doing so).

4.2 Confidentiality. Ensure that all personnel authorised to process Customer Mail Data are bound by appropriate obligations of confidentiality (whether contractual or statutory). Olea complies with postal secrecy obligations under §39 PostG and §206 StGB where applicable.

4.3 Security measures. Implement and maintain appropriate technical and organisational measures to protect Customer Mail Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and role-based permissions on the Digital Mailbox portal
• Secure handling and transportation of physical mail to the Scanning Hub
• Regular security assessments
• Staff training on data protection, confidentiality, and postal secrecy
• Incident response procedures

4.4 Sub-processors. Olea engages the following Sub-processor(s) for the Digital Mailbox service:

Olea shall notify the Customer of any intended changes to its Sub-processors by email at least 30 days before the change takes effect. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may terminate the affected service without penalty by giving notice within the 30-day period.

Olea shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Olea remains liable to the Customer for the acts and omissions of its Sub-processors.

4.5 Data subject requests. Promptly assist the Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Law, taking into account the nature of the processing.

4.6 Data Breach notification. Notify the Customer without undue delay and in any event within 72 hours of becoming aware of any Data Breach affecting Customer Mail Data. The notification shall include:

• A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
• A description of the likely consequences
• A description of the measures taken or proposed to address the Data Breach

Olea shall cooperate fully with the Customer in investigating, mitigating, and remediating any Data Breach.

4.7 Data protection impact assessments. Provide reasonable assistance to the Customer with any data protection impact assessment or prior consultation with a supervisory authority, where required under Applicable Data Protection Law.

4.8 Audit and inspection. Make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. Olea shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to:

• Reasonable advance notice (at least 30 days)
• Audits limited to once per year (unless a Data Breach has occurred or a supervisory authority requires an audit)
• Olea may charge reasonable costs for audit assistance beyond standard scope

5. International Data Transfers

5.1 Olea processes Customer Mail Data within the United Kingdom and the European Economic Area. The Scanning Hub is located in Germany.

5.2 Olea shall not transfer Customer Mail Data outside the UK/EEA without the Customer’s prior written consent. Where such transfer is necessary, Olea shall ensure an appropriate transfer mechanism is in place (such as Standard Contractual Clauses, UK IDTA, or an adequacy decision).

6. Return and Deletion of Data

6.1 The Customer may delete scanned mail from the Digital Mailbox portal at any time.

6.2 On termination or expiry of the Agreement:

• Digital copies: The Customer may download their data before account closure. Olea shall delete all Customer Mail Data from its systems within 30 days of termination, unless required by Applicable Law to retain it.
• Physical originals: Handled in accordance with the Scanning Hub’s terms and the Terms (Section 6.13).

6.3 Olea shall provide written confirmation of deletion on request.

6.4 Olea may retain Customer Mail Data only to the extent required by Applicable Law, and shall isolate and protect such data and refrain from any further processing except as required by law.

7. Term

This DPA takes effect on activation of the Digital Mailbox service and remains in force for the duration of the Customer’s subscription. Clauses that by their nature should survive (including clauses 4.6, 5, 6, and 7) shall survive termination.

8. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms.

9. Governing Law

This DPA is governed by the laws of England and Wales, subject to the mandatory provisions of Applicable Data Protection Law in the Customer’s jurisdiction. The Jurisdiction-Specific Provisions in the Terms (Section 18) apply to this DPA as applicable.

10. Contact

For data protection enquiries relating to this DPA:

Olea Office Ltd

Email: support@oleaoffice.com

Post: Data Protection, Olea Office Ltd, 66 Paul Street, London, EC2A 4NA