These terms apply in cases where Aphaia Ltd (hereinafter referred to as PROCESSOR) or another company in its group is considered to be the data processor for CONTROLLER in accordance with EU General Data Protection Regulation (GDPR). They form part of the contract for outsourced Data Protection Officer (DPO) service provision between the PROCESSOR and CONTROLLER (hereinafter referred to as Contract). These Terms constitute part of documented processing instructions from CONTROLLER to PROCESSOR. The same Terms apply mutatis mutanis, where appropriate, for any processing of the data where the CONTROLLER acts as the processor for other controllers. In these cases, it is CONTROLLER’s responsibility to ensure it is permitted to process the data of such other controllers.


When used in these Terms, the following terms shall have the same meaning as in the GDPR: personal data; data controller; data processor; processing; and supervisory authority.

Subject matter and nature of processing

These Terms apply to any services to be supplied by PROCESSOR under the Contract that may involve the processing by PROCESSOR of personal data on behalf of CONTROLLER. These services are The PROCESSOR shall perform for CONTROLLER the following services: the tasks of the DPO for the CONTROLLER under GDPR, which may include but are not limited to: monitoring, support, training and interaction with data subjects and supervisory authorities regarding data protection issues.

Purpose of processing

The purpose of the processing is to enable PROCESSOR to perform the relevant services under the Contract.

Categories of data

The personal data comprises any data that is required in order to enable or facilitate the provision of the services by PROCESSOR under the Contract and these Terms.

Data subjects

Data subjects include the individuals about whom personal data is provided to PROCESSOR by the Controller or the data subjects whose data is processed by CONTROLLER and which may include but is not limited to personal data relating to the following categories of data subjects:
1. Prospects, customers, business partners and vendors of CONTROLLER (who are natural persons)
2. Employees or contact persons of CONTROLLER’s prospects, customers, business partners and vendors (who are natural persons)
3. Employees, agents, advisors, freelancers of CONTROLLER (who are natural persons).

Duration and end of processing

The processing shall take place until the end of the Contract term and may be subject to extension by mutual agreement. After the end of the processing, PROCESSOR shall, at the choice of CONTROLLER, delete or return all the personal data to CONTROLLER, and delete existing copies.


PROCESSOR shall engage in actual processing of personal data only persons who have committed themselves to confidentiality of data in their contracts with PROCESSOR. The PROCESSOR shall at all times adhere the principles of confidentiality and data minimisation when accessing and/or using the data of CONTROLLER users.

Additional obligations of Processor

In addition, PROCESSOR shall:
– process the personal data (including when making an international transfer of the personal data) only to the extent necessary in order to provide the services and then only in accordance with:
o these Terms and the Contract;
o CONTROLLER’s written instructions from time to time;
unless otherwise required by law. Where PROCESSOR is required by law to process the personal data otherwise than as provided by this agreement, PROCESSOR will notify CONTROLLER before carrying out the processing concerned (unless the law also prevents PROCESSOR from doing so for reasons of important public interest);
– ensure security of processing in accordance with Article 32 GDPR;
– assist CONTROLLER by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of CONTROLLER’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR;
– assist CONTROLLER in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Processor.

Engaging another processor

CONTROLLER authorises PROCESSOR to use other processors to store, communicate and analyse information in order to perform the services according to the Contract These processors would typically include standard cloud tools.

PROCESSOR shall inform CONTROLLER of any intended changes concerning the addition or replacement of other processors, thereby giving CONTROLLER the opportunity to object to such changes.

Equivalent data protection obligations as set out in these Terms shall be imposed on other processors by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of GDPR.

Inspection and audits

Processor shall make available to CONTROLLER all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by CONTROLLER or another auditor mandated by CONTROLLER.

Transfers outside the EEA and to third parties

CONTROLLER authorises PROCESSOR to transfer the data outside the UK/EU/EEA subject to other processors’ compliance with GDPR and the lawful guarantees given, typically by means of an adequacy decision or EU-US Privacy Shield.

Effect of these Terms

Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these terms and the remaining terms of the Contract, the Contract shall prevail.

Change of these Terms

These Terms may be changed from time to time by means of their publication on Aphaia website.