DP World Data Processing Agreement
Effective from: 18.03.2025
This Data Processing Addendum (“DPA”) has been incorporated by reference into an agreement (the “Agreement”) between DP World FZE (and/or any of its affiliates worldwide) (“DP World”) and the counterparty specified in that Agreement (the “Supplier” and together with DP World, the “Parties”) to reflect the Parties’ agreement with respect to the processing of Personal Data.
1 Roles and relationship of the Parties
1.1 The Parties acknowledge and agree that:
1.1.1 where the Agreement specifies that the Parties act as independent controllers in relation to Personal Data processed under the Agreement, the terms of Annex 2 shall apply to the processing of Personal Data; and
1.1.2 in all other circumstances, the Supplier acts as a processor, acting on behalf of DP World, and DP World acts as a controller, and Clauses 2 to 7 of this DPA shall apply to the processing of Personal Data.
1.1.3 to ensure the accuracy and completeness of the DPA, DP World reserves the right to amend the DPA from time to time so as to comply with regulatory data protection requirements, without requiring the prior consent from the Supplier. Such amendments shall not affect the binding nature or validity of the DPA. DP World shall update the "Effective from:" date to reflect the last date the DPA was amended.
2 Data Protection
2.1 The Supplier will comply with Data Protection Legislation when processing Personal Data under this Agreement.
2.2 The processing carried out by the Supplier will be for the term of the Agreement and for the purpose of performing its obligations under the Agreement.
2.3 The Supplier confirms that, when acting as a processor for DP World in relation to Personal Data, the Supplier shall:
2.3.1 only process Personal Data on the documented instructions of DP World (which shall include the processing of Personal Data in accordance with the terms of this Agreement) unless required to process the Personal Data for other purposes in accordance with Applicable Law. Where such a requirement is placed on the Supplier, it shall provide prior notice to DP World unless Applicable Law prohibits the giving of notice on important grounds of public interest. This notice must be sent to [email protected];
2.3.2 immediately inform DP World if, in its opinion, DP World’s instructions would be in breach of Data Protection Legislation;
2.3.3 provide reasonable assistance to DP World and, at DP World’s request, any other service provider that assists DP World in complying with Data Protection Legislation, to respond to requests from individuals exercising their rights under Data Protection Legislation;
2.3.4 promptly notify DP World if it receives a request from an individual attempting to exercise their rights under Data Protection Legislation. This notice must be sent to [email protected]. The Supplier shall act in accordance with DP World’s instructions when dealing with that request; and
2.3.5 provide assistance to DP World and, at DP World’s request, any other service provider that assists DP World in complying with Data Protection Legislation, to conduct a privacy impact assessment (and any related consultations) where required or desirable under Data Protection Legislation.
3 Data Security
3.1 The Supplier shall implement appropriate technical and organisational measures to protect DP World Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. This shall include:
3.1.1 ensuring any of its employees or agents or other persons to whom it provides access to DP World Data are obliged to keep it confidential;
3.1.2 the use of pseudonymisation and encryption of DP World Data, where appropriate;
3.1.3 measures to ensure the ongoing confidentiality, integrity, availability and resilience of the Supplier’s systems and services;
3.1.4 the ability to restore the availability and access to DP World Data in a timely manner in the event of a physical or technical incident;
3.1.5 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of DP World Data; and
3.1.6 assisting DP World to comply with its own data security obligations under Data Protection Legislation.
3.2 Reflecting DP World’s obligations as an operator of major or critical infrastructure and facilities as well as its role as a controller of personal data, the Supplier shall notify DP World immediately (and in any event within 24 hours) should it become aware of an actual security breach or of grounds to suspect that a security breach may have taken place, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, DP World Data (a “Security Breach”). This notice must be sent to [email protected]. As part of that notification, the Supplier shall:
3.2.1 provide any information needed or requested by DP World including a description of the nature of the Security Breach, the volume and type of DP World Data affected, the categories and approximate number of individuals concerned;
3.2.2 provide details of the likely consequences of the Security Breach; and
3.2.3 take all measures necessary to address the Security Breach, mitigate its effects and prevent further breaches, and provide details of those measures to DP World.
4 Use of sub-processors
4.1 Subject to Clause 4.2, the Supplier shall not engage any other processors to process DP World Data without DP World’s prior written consent.
4.2 DP World provides the Supplier with a general authorisation to engage other processors to process DP World Data where such other processors are either (i) in the same group of companies as the Supplier; and/or (ii) not engaged solely for the purpose of this Agreement and the products and/or services provided by such other processors do not constitute a material component of the products and/or services provided under this Agreement (each of (i) and (ii) being “Non-Material Sub-processors”). Other processors not falling within the Non-Material Sub-processor category are defined in this DPA as “Material Sub-processors”.
4.3 The Supplier has set out in the Agreement the Non-Material Sub-processors and Material Sub-processors as at the date of this Agreement, together with their jurisdiction of establishment. The list of Non-Material Sub-processors is hereby approved under Clause 4.2 and the Material Sub-processors under Clause 4.1.
4.4 The Supplier shall give DP World prior notice of any intended addition to, or replacement of, those Non-Material Sub-processors or Material Sub-Processors (together with the relevant jurisdiction of establishment). If DP World reasonably objects to the change of Non-Material Sub-processor in writing, the Supplier shall refrain from making that addition or replacement. Changes to Material Sub-processors shall be dealt with in accordance with Clause 4.1.
4.5 The Supplier shall ensure it has a written contract with any processors (including Non-Material Sub-processors) it engages to process DP World Data in accordance with this Agreement. That contract must impose obligations on the processor equivalent to those set out in Clauses 2 to 7 of this DPA and the Supplier shall ensure the other processor complies with those obligations. Where the other processor fails to comply with those obligations, the Supplier shall remain liable to DP World for such failure.
5 Audit
At the request of DP World, the Supplier shall provide all information necessary to demonstrate its compliance with Clauses 2 to 7 of this DPA and allow DP World to audit that compliance, including via inspection (either itself or by using an auditor nominated by DP World).
6 Return or deletion of data
On termination or expiry of the Agreement, and at the option of DP World, the Supplier shall promptly return or delete DP World Data and certify in writing that it has done so. The Supplier may retain a copy of the DP World Data where required by Applicable Law but must delete the DP World Data when that obligation ceases to apply.
7 Restricted International Transfers of Personal Data
7.1 If the Parties’ performance of their respective obligations under this Agreement results in a Restricted International Transfer of Personal Data, then the Parties shall be deemed to have entered into, and shall comply with, the Controller-Processor Clauses, which shall be incorporated herein, in order to adduce adequate safeguards for the relevant Restricted Transfer of Personal Data.
7.2 Upon the effective date of any adoption for any revised Controller-Processor Clauses by a relevant authority, all references to “Controller-Processor Clauses” shall refer to that latest version and DP World may prepare such amendments to this DPA as may be required to take into account and give effect to the revised Controller-Processor Clauses.
Annex 1: Definitions
“Applicable Law” means a mandatory requirement of statute, rules, regulations, regulator guidance, regulatory notice, common law or similar, which applies to the relevant activity or processing, in the jurisdiction in which DP World is established (or where DP World is established in a member state of the EEA, in any member state of the EEA);
“Applicable Non-EEA Laws” shall mean, to the extent applicable to the Data Exporter from time to time, any and/or all domestic and foreign laws, rules, directives and regulations, or any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data outside the European Economic Area, including any and all amendments, successor legislation or regulations thereto of any and/or all such privacy/data protection laws;
“Australia SCC Amendments” means, where relevant, amendments made to the Standard Contractual Clauses in relation to an Australia SCC Export, as set out in Section 1 of Annex 4;
“Australia SCC Export” means a Restricted International Transfer of Personal Data by the Data Exporter Established in Australia;
“Canada SCC Amendments” means, where relevant, amendments made to the Standard Contractual Clauses in relation to a Canada SCC Export, as set out in Section 2 of Annex 4;
“Canada SCC Export” means a Restricted International Transfer of Personal Data by the Data Exporter Established in Canada;
“China SCCs” means the Standard Contract Measures for the Export of Personal Information issued by the Cyberspace Administration of China on 24 February 2023;
“China SCC Export” means a Restricted International Transfer of Personal Data by the Data Exporter Established in China;
“Controller-Controller Clauses” means:
(i) with respect to an Australia SCC Export, Module One of the Standard Contractual Clauses, incorporating and as amended by the Australia SCC Amendments incorporating the Relevant SCC Details in Section 1 of Annex 3;
(ii) with respect to a Canada SCC Export, Module One of the Standard Contractual Clauses, incorporating and as amended by the Canada SCC Amendments incorporating the Relevant SCC Details in Section 1 of Annex 3;
(iii) with respect to a China SCC Export, the China SCCs incorporating the Relevant China SCC Details;
(iv) with respect to a DIFC SCC Export, the DIFC SCCs, incorporating the Relevant DIFC SCC Details;
(v) with respect to an India SCC Export, Module One of the Standard Contractual Clauses, incorporating and as amended by the India SCC Amendments incorporating the Relevant SCC Details in Section 1 of Annex 3;
(vi) with respect to an SCC Export, Module One of the Standard Contractual Clauses, incorporating the Relevant SCC Details in Section 1 of Annex 3; and
(vii) with respect to a UK SCC Export, Module One of the Standard Contractual Clauses, incorporating and as amended by the UK Addendum and incorporating the Relevant UK Addendum Details;
“controller, data subject, processor and processing” have the meanings given to them in the Data Protection Legislation;
“Controller-Processor Clauses” means:
(i) with respect to an Australia SCC Export, Module Two of the Standard Contractual Clauses, incorporating and as amended by the Australia SCC Amendments incorporating the Relevant SCC Details in Section 2 of Annex 3;
(ii) with respect to a Canada SCC Export, Module Two of the Standard Contractual Clauses incorporating the Relevant SCC Details in Section 2 of Annex 3;
(iii) with respect to a China SCC Export, the China SCCs incorporating the Relevant China SCC Details;
(iv) with respect to a DIFC SCC Export, the DIFC SCCs, incorporating the Relevant DIFC SCC Details;
(v) with respect to an India SCC Export, Module Two of the Standard Contractual Clauses, incorporating and as amended by the India SCC Amendments incorporating the Relevant SCC Details in Section 1 of Annex 3;
(vi) with respect to an SCC Export, Module Two of the Standard Contractual Clauses, incorporating the Relevant SCC Details in Section 2 of Annex 3; and
(vii) with respect to a UK SCC Export, Module Two of the Standard Contractual Clauses, incorporating and as amended by the UK Addendum and incorporating the Relevant UK Addendum Details;
“Data Exporter” means DP World;
“Data Importer” means the Supplier;
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the General Data Protection Regulation (2016/679) and any national law issued under that Regulation; and (c) the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003; and (d) any other Applicable Non-EEA Laws;
“DIFC” means Dubai International Financial Centre;
“DIFC Data Protection Laws” means the DIFC Law No. 5 of 2020 and the associated Data Protection Regulations 2020, and any other related, then current, laws, regulations, rules, guidelines or standards relating to data protection, banking secrecy, confidentiality, data security, data privacy or similar matters;
“DIFC SCC” means the Standard Data Protection Contractual Clauses issued by the DIFC Commissioner of Data Protection for the transfer of personal data from a DIFC exporter to a non-DIFC importer established in jurisdictions other than the DIFC, whether in UAE or elsewhere with no or unrecognised data protection laws, pursuant to the DIFC Law No. 5 of 2020 and the Data Protection Regulations 2020;
“DIFC SCC Export” means a Restricted International Transfer of Personal Data in relation to which the data protection or privacy laws or regulations applicable in the jurisdiction in which the Data Exporter is Established are the DIFC Data Protection Laws;
“DP World Data” means all information, data or records of whatever nature and in whatever form (including Personal Data) relating to the business, employees or other activities of DP World and its group companies, whether subsisting before the date of this Agreement or as created or processed as part of, or in connection with, the Agreement;
“Established” in a jurisdiction in relation to an entity or person, means in relation to an entity or person which is:
(i) a body corporate, being incorporated under the law of that jurisdiction;
(ii) a partnership or other unincorporated association, being formed under the law of, or any part of, that jurisdiction; or
(iii) any other person or legal entity who does not fall within paragraphs (i) or (ii) above, maintaining in that jurisdiction an office, branch or agency through which it carries on any business activity, or a regular practice;
“GDPR” means the General Data Protection Regulation, being Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended or replaced from time to time;
“India SCC Export” means a Restricted International Transfer of Personal Data by the Data Exporter Established in India;
“India SCC Amendments” means, where relevant, amendments made to the Standard Contractual Clauses in relation to an India SCC Export, as set out in Section 4 of Annex 4;
“Personal Data” means any personal data (as such term is defined in Data Protection Legislation) processed as part of the Agreement;
“Relevant China SCC Details” means the details set out in paragraph 2 of Annex 5;
“Relevant DIFC SCC Details” where (i) the Controller-Controller Clauses apply, has the meaning given in Section 1.1 of Annex 5; and (ii) the Controller-Processor Clauses apply, has the meaning given in Section 1.2 of Annex 5;
“Relevant SCC Details” where (i) the Controller-Controller Clauses apply, has the meaning given in Section 1.1 of Annex 3; and (ii) the Controller-Processor Clauses apply, has the meaning given in Section 2.1 of Annex 3;
“Relevant UK Addendum Details” has the meaning given in Section 5 of Annex 4;
“Restricted International Transfer of Personal Data” means a transfer of Personal Data: (a) from a Party which is subject to Data Protection Legislation which imposes restrictions on extra-territorial transfers of Personal Data; (b) to a Party in a territory that does not provide an adequate level of protection for Personal Data as required by the Data Protection Legislation of the country of export;
“SCC Export” means a Restricted International Transfer of Personal Data in relation to which the data protection or privacy laws or regulations applicable in the jurisdiction in which the Data Exporter is established are: (a) the GDPR; (b) the Swiss Federal Act on Data Protection; or (c) Applicable Non-EEA Laws (other than the UK GDPR) for which the Standard Contractual Clauses are recognised by the competent supervisory or governmental authority as (or otherwise are, even where not so recognised) an appropriate safeguard for the extra-territorial transfer of personal data;
“Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission for the transfer of personal data under Commission Implementing Decision (EU) 2021/914/EC of 4 June 2021, as amended or replaced from time to time;
“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses, version B1.0, issued under Section 119A of the Data Protection Act 2018, as amended or replaced from time to time;
“UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended or replaced from time to time; and
“UK SCC Export” means a Restricted International Transfer of Personal Data by the Data Exporter Established in the United Kingdom.
Annex 2: Independent Controller Terms
The terms of this Annex 2 apply to the processing of Personal Data where the Parties act as independent controllers pursuant to the terms of the Agreement.
1 Data Protection and Data Security
1.1 General
1.1.1 The Supplier and DP World each act as independent controllers for the purposes of Data Protection Legislation in relation to DP World Data (and not as joint controllers).
1.1.2 The Supplier shall comply with Data Protection Legislation when processing any Personal Data in DP World Data.
1.1.3 DP World shall ensure that its disclosure of DP World Data to the Supplier under the terms of this Agreement complies with Data Protection Legislation.
1.1.4 Unless prohibited from doing so by applicable law, the Supplier shall promptly notify DP World of any requests or enquiries from a regulator appointed under Data Protection Legislation in relation to the DP World Data and shall consult with DP World before responding to that regulator.
1.1.5 The Supplier shall delete, or at DP World’s request return, the DP World Data when it no longer needs it for the purposes of this Agreement. The Supplier may keep one copy of the DP World Data to the extent required by Applicable Law.
1.2 Data security
1.2.1 The Supplier shall implement appropriate technical and organisational measures to protect DP World Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. That shall include the use of pseudonymisation and encryption where appropriate and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of DP World Data.
1.2.2 The Supplier shall notify DP World promptly should it become aware of, or reasonably suspect there has been, a security breach or breach of Data Protection Legislation affecting DP World Data (a “Security Breach”). The Supplier shall promptly:
(i) provide any information needed or requested by DP World including a description of the nature of the Security Breach, the volume and type of DP World Data affected, the categories and approximate number of individuals concerned and the likely consequences of the Security Breach; and
(ii) take all measures necessary to address the Security Breach, mitigate its effects and prevent further breaches, and provide details of those measures to DP World.
1.2.3 The Supplier shall, so far as is practical, notify and consult DP World prior to notifying a Security Breach to a regulator or to data subjects.
1.3 Restricted International Transfers of Personal Data
1.3.1 If the Parties’ performance of their respective obligations under this Agreement results in a Restricted International Transfer of Personal Data, then the Parties shall be deemed to have entered into, and shall comply with, the Controller-Controller Clauses, which shall be incorporated herein, in order to adduce adequate safeguards for the relevant Restricted Transfer of Personal Data.
1.3.2 Upon the effective date of any adoption for any revised Controller-Controller Clauses by a relevant authority, all references to “Controller-Controller Clauses” shall refer to that latest version and DP World may prepare such amendments to these terms as may be required to take into account and give effect to the revised Controller-Controller Clauses.
1.4 Liability
1.4.1 DP World does not intend the Supplier to rely on the DP World Data, makes no representations or warranties as to the accuracy or completeness of the DP World Data disclosed and does not undertake any duty to update or correct the DP World Data.
1.4.2 DP World shall not be liable to the Supplier or to any third party, whether in contract (including under any indemnity or warranty), in tort (including negligence) under any statute or otherwise for or in respect of provision or content of the DP World Data, save in the case of fraud.
Annex 3: Completion of the Standard Contractual Clauses
1 Completion of Standard Contractual Clauses for Controller-Controller transfers
1.1 In relation to an SCC Export where the Controller-Controller Clauses apply, the Standard Contractual Clauses will be deemed to be completed as follows (the “Relevant SCC Details”):
1.1.1 Part A of Annex I (List of Parties) shall be completed by inserting the names and addresses of the Parties set out in the Agreement. The contact persons shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal;
1.1.2 Part B of Annex I (Description of Transfer) shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s);
1.1.3 Part C of Annex I (Competent Supervisory Authority) shall be completed by inserting the relevant details of the relevant competent supervisory authority for the place of Establishment of the Data Exporter (based on the address referred to in 1.1.1 above);
1.1.4 Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of Data) shall be completed by inserting the relevant details of the technical and organisational measures as identified in Annex 6 of this DPA;
1.1.5 Clause 7 of the Standard Contractual Clauses shall not apply;
1.1.6 the optional drafting in Clause 11(a) of the Standard Contractual Clauses shall not apply;
1.1.7 where the GDPR applies to the Restricted International Transfer of Personal Data:
(i) the applicable wording for Clause 13(a) (as determined by the instructions in square brackets in that Clause) listed first is retained and the two remaining alternatives deleted;
(ii) in Clause 17, Option 2 is deleted, and Option 1 completed with details of the laws of the country or territory in which the Data Exporter is Established; and
(iii) Clause 18(b) is completed with details of the courts of the country or territory in which the Data Exporter is Established;
1.1.8 where the GDPR does not apply to the Restricted International Transfer of Personal Data:
(i) Clause 13(a) shall be completed with details of the country of Establishment and supervisory authority of the Data Exporter;
(ii) in Clause 17, Option 2 is deleted and Option 1 is completed with details of English law (unless another governing law of the Standard Contractual Clauses is required as a mandatory requirement of the Applicable Non-EEA Law, in which case Clause 17 shall be completed with details of the law which the Applicable Non-EEA Law requires must be applied to such Standard Contractual Clauses);
(iii) Clause 18(b) is completed with details of the courts of England and Wales (unless another country, state or territory must have jurisdiction over the Standard Contractual Clauses as a mandatory requirement of Applicable Non-EEA Law, in which case Clause 18(b) of such Standard Contractual Clauses shall be completed with details of the country, state or territory which the Applicable Non-EEA Law requires must have jurisdiction over the Standard Contractual Clauses);
(iv) all references to the GDPR in such Standard Contractual Clauses are replaced by references to Applicable Non-EEA Law and references to provisions or concepts of the GDPR are replaced by references to the provisions or concepts of Applicable Non-EEA Law most closely related to the relevant term as understood in the GDPR;
(v) all references to Member States of the European Union or to the European Union are replaced by references to the country of Establishment of the Data Exporter;
(vi) save where required as a mandatory requirement of Applicable Non-EEA Law, all references in the Standard Contractual Clauses to (i) third party beneficiary rights and (ii) regulatory oversight by any regulator established outside the jurisdiction of Establishment of a Party, shall be deleted and ignored; and
(vii) where applicable, incorporating the amendments specified in Annex 4 to this DPA,
and to the extent any part of the Standard Contractual Clauses referred to in this definition is replaced in any amended, replacement or subsequently approved Standard Contractual Clauses, then the relevant parts of this definition shall include any similar provisions or clauses in such amended, replacement or subsequently approved Standard Contractual Clauses.
2 Completion of Standard Contractual Clauses for Controller-Processor transfer
2.1 In relation to an SCC Export where the Controller-Controller Clauses apply, the Standard Contractual Clauses will be deemed to be completed as follows (the “Relevant SCC Details”):
2.1.1 Part A of Annex I (List of Parties) shall be completed by inserting the names and addresses of the Parties set out in the Agreement. The contact persons shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal;
2.1.2 Part B of Annex I (Description of Transfer) shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s);
2.1.3 Part C of Annex I (Competent Supervisory Authority) shall be completed by inserting the relevant details of the relevant competent supervisory authority for the place of Establishment of the Data Exporter (based on the address referred to in 2.1.1 above);
2.1.4 Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of Data) shall be completed by inserting the relevant details of the technical and organisational measures as identified in Annex 6 of this DPA;
2.1.5 Annex III (List of Sub-Processors) shall be completed by inserting the details of the Material Sub-processors and Non-Material Sub-Processors the Supplier intends to engage, using the relevant details from the Agreement;
2.1.6 in Clause 9 of the Standard Contractual Clauses, Option 2 shall apply and the relevant time period shall be seven days;
2.1.7 the optional drafting in Clause 11(a) of the Standard Contractual Clauses shall not apply;
2.1.8 where the GDPR applies to the Restricted International Transfer of Personal Data:
(i) the applicable wording for Clause 13(a) (as determined by the instructions in square brackets in that Clause) listed first is retained and the two remaining alternatives deleted;
(ii) in Clause 17, Option 2 is deleted, and Option 1 completed with details of the laws of the country or territory in which the Data Exporter is Established; and
(iii) Clause 18(b) is completed with details of the courts of the country or territory in which the Data Exporter is Established;
2.1.9 where the GDPR does not apply to the Restricted International Transfer of Personal Data:
(i) Clause 13(a) shall be completed with details of the country of Establishment and supervisory authority of the Data Exporter;
(ii) in Clause 17, Option 2 is deleted and Option 1 is completed with details of English law (unless another governing law of the Standard Contractual Clauses is required as a mandatory requirement of the Applicable Non-EEA Law, in which case Clause 17 shall be completed with details of the law which the Applicable Non-EEA Law requires must be applied to such Standard Contractual Clauses);
(iii) Clause 18(b) is completed with details of the courts of England and Wales (unless another country, state or territory must have jurisdiction over the Standard Contractual Clauses as a mandatory requirement of Applicable Non-EEA Law, in which case Clause 18(b) of such Standard Contractual Clauses shall be completed with details of the country, state or territory which the Applicable Non-EEA Law requires must have jurisdiction over the Standard Contractual Clauses);
(iv) all references to the GDPR in such Standard Contractual Clauses are replaced by references to Applicable Non-EEA Law and references to provisions or concepts of the GDPR are replaced by references to the provisions or concepts of Applicable Non-EEA Law most closely related to the relevant term as understood in the GDPR;
(v) all references to Member States of the European Union or to the European Union are replaced by references to the country of Establishment of the Data Exporter;
(vi) save where required as a mandatory requirement of Applicable Non-EEA Law, all references in the Standard Contractual Clauses to (i) third party beneficiary rights and (ii) regulatory oversight by any regulator established outside the jurisdiction of Establishment of a Party, shall be deleted and ignored; and
(vii) where applicable, incorporating the amendments specified in Annex 4 to this DPA,
and to the extent any part of the Standard Contractual Clauses referred to in this definition is replaced in any amended, replacement or subsequently approved Standard Contractual Clauses, then the relevant parts of this definition shall include any similar provisions or clauses in such amended, replacement or subsequently approved Standard Contractual Clauses.
Annex 4: Amendments to the Standard Contractual Clauses in specific jurisdictions
In relation to Restricted International Transfers of Personal Data made by a Data Exporter Established in the jurisdictions set out below, the Standard Contractual Clauses will be amended as follows, and notwithstanding Clause 5 of the Standard Contractual Clauses, in the event of any inconsistency between the amendments set out below and the remaining terms of the Standard Contractual Clauses, the amendments set out below shall take priority.
1 Australia
1.1 With respect to an Australia SCC Export, the following amendments are made to the Standard Contractual Clauses:
1.1.1 Clause 4(a) shall be amended as follows:
“Where these Clauses use terms that are defined in the Australian Privacy Act or where a similar term is defined in the Australian Privacy Act, those terms shall have the same meaning as in the Australian Privacy Act. In particular, "personal data" will have the meaning given to "personal information" in the Australian Privacy Act, "personal data breach" will have the meaning given to "eligible data breach" in the Australian Privacy Act and "transfer" will include a disclosure of personal data by an entity that makes personal data accessible or visible to others outside the entity and releases the personal data from the effective control of that entity.”
1.1.2 Clause 11 shall be amended as follows:
"(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the Office of the Australian Information Commissioner; or
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The data importer shall abide by a decision that is binding under the laws of New South Wales, Australia.
(e) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws."
1.1.3 Clause 14(a) shall be amended as follows:
“The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses."
1.1.4 New Clause 15A shall be inserted in between Clause 15 and Clause 16 as follows:
15A.1 Data collection
(a) The data importer warrants and agrees that:
i. it will not adopt a government related identifier (as that term is defined in the Australian Privacy Act) of a data subject as its own identifier of a data subject unless the adoption of the government related identifier is required or authorised by or under an Australian law or court / tribunal order. The data importer must not use or disclose a government related identifier of a data subject unless that use or disclosure is reasonably necessary for the data importer to verify the identity of the data subject for the purposes of its activities or functions or is otherwise permitted by Australian law; and
ii. where practicable, it will ensure that data subjects are provided with the option of not identifying themselves, or of using a pseudonym, when dealing with the data importer.
(b) The data exporter warrants that it has provided data subjects with collection notices as required by and, if so required, then in compliance with the Australian Privacy Act and that such collection notices include notice of disclosure of personal data to the data importer such that the data importer is not required to provide additional collection notices to the relevant data subjects.”
1.1.5 Clause 16(e) shall be deleted.
1.2 With respect to an Australia SCC Export where the Controller-Controller Clauses apply, the following additional amendments are made to the Standard Contractual Clauses:
1.2.1 Clause 8.2(a)(iv) shall be amended as follows:
"where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer, the country in which the third party/ies are located and the ground therefore pursuant to Clause 8.7."
1.2.2 Clause 8.5(e) shall be amended as follows:
"In case of a personal data breach, the data importer shall without undue delay notify the data exporter and, if required, the Office of the Australian Information Commissioner pursuant to Clause 13. Such notification shall contain any information required to be included under the Australian Privacy Act and i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained."
1.2.3 Clause 8.5(f) shall be amended as follows:
"In case of a personal data breach, the data importer shall, to the extent permitted by law, also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), including points i) to iv). If the provision of individual notification to data subjects would involve disproportionate efforts, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach."
1.2.4 Clause 8.7 shall be amended as follows:
"The data importer shall not disclose the personal data to a third party located outside Australia (hereinafter “onward transfer”) unless:
(i) the third party is or agrees to be bound by these Clauses, under the appropriate Module;
(ii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter; or
(iii) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject."
1.2.5 Clause 10(c) shall be amended as follows:
“Where the data importer processes the personal data for direct marketing purposes, it shall:
(i) have in place effective procedures allowing the data subject at any time to “opt-out” from having his or her personal data used for such purposes; and
(ii) cease processing for such purposes if the data subject "opts-out".”
1.2.6 Clause 10(f) shall be amended as follows:
"The data importer may refuse a data subject’s request if such refusal is allowed under the Australian Privacy Act."
1.3 With respect to an Australia SCC Export where the Controller-Processor Clauses apply, the following additional amendments are made to the Standard Contractual Clauses:
1.3.1 Clause 8.8 shall be amended as follows:
"The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data importer shall not disclose the personal data to a third party located outside Australia (hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation."
2 Canada
2.1 With respect to a Canada SCC Export where the Controller-Controller Clauses apply, the following amendments are made to the Standard Contractual Clauses:
2.1.1 For data transfers involving the province of Québec, a new Clause 10(b)(iv) shall be inserted as follows:
“Cease the dissemination of a data subject’s personal data, or de-index or re-index any hyperlink attached to that data subject’s personal data if the dissemination of that information contravenes a law or a court order. Data subjects may also require that the data importer cease dissemination of their personal data, or require such de-indexing or re-indexing, if:
- the dissemination of the information causes the data subject any serious injury in relation to his or her reputation or privacy,
- the injury is clearly greater than the data importer’s interest or free expression, and
- the cessation of the dissemination, re-indexation, or de-indexation does not exceed what is necessary for preventing the perpetuation of the injury.”
2.1.2 For data transfers involving the province of Québec, new Clause 10(b)(v) shall be inserted as follows:
“Provide the personal data about the data subject that the data importer has in its possession, in a structured, commonly used technological format and communicate this personal data to any person or body authorized by law to collect such information, unless doing so raises serious practical difficulties.”
2.1.3 For data transfers involving the province of Québec, Clause 10(d) shall be amended as follows:
“The data importer shall not make a decision based exclusively on the automated processing of the personal data transferred (hereinafter “automated decision”) without having previously informed the data subject concerned accordingly. The data importer shall, where necessary in cooperation with the data exporter and at the request of the data subject concerned, inform the latter of:
(i) the personal data used to render the decision;
(ii) the reasons and the principal factors and parameters that led to the decision; and
(iii) their right to have the personal information used to render the decision corrected.
The data subject concerned must be given an opportunity to submit observations to a representative of the data importer who is in a position to review the decision.”
3 India
3.1 With respect to an India SCC Export, the following amendments are made to the Standard Contractual Clauses:
3.1.1 Clause 11(a) shall be amended as follows:
“The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject but within one month from the date of receipt of the complaint.”
3.1.2 Clause 16(e) shall be deleted.
3.2 With respect to an India SCC Export where the Controller-Controller Clauses apply, the following additional amendments are made to the Standard Contractual Clauses:
3.2.1 A new Clause 8.1A shall be inserted after Clause 8.1 as follows:
“The data importer may only process sensitive personal data and information for another purpose where the data subject’s prior consent has been obtained for such purpose.”
3.2.2 Clause 8.2(b) shall be amended as follows:
“Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter.”
3.2.3 A new Clause 8.5(a)A shall be inserted after Clause 8.5(a) as follows:
“The data importer and, during transmission, also the data exporter shall implement and comply with reasonable security practices and procedures commensurate with ensuring the protection of the sensitive personal data or information being transferred. A Party will be considered to have complied with reasonable security practices and procedures if it has implemented security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures. The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard.”
3.2.4 The following text shall be added at the end of Clause 8.6:
“Sensitive personal data or information” means passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information and any information relating to the above.”
3.2.5 A new Clause 8.7A shall be inserted after Clause 8.7 as follows:
“The data importer shall not disclose sensitive personal data or information to a third party (hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
(i) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter; or
(ii) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s) and the identity of the recipient.”
3.3 With respect to an India SCC Export where the Controller-Processor Clauses apply, the following additional amendments are made to the Standard Contractual Clauses:
3.3.1 A new Clause 8.6(a)A shall be inserted after Clause 8.6(a) as follows:
“The data importer and, during transmission, also the data exporter shall implement and comply with reasonable security practices and procedures commensurate with ensuring the protection of the sensitive personal data or information being transferred. A Party will be considered to have complied with reasonable security practices and procedures if it has implemented security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures. The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard.”
3.3.2 The following text shall be added at the end of Clause 8.7:
“Sensitive personal data or information” means passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information and any information relating to the above.”
3.3.3 A new Clause 8.8A shall be inserted after Clause 8.8 as follows:
“The data importer shall not disclose any sensitive personal data or information to a third party (hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.”
4 United Kingdom
4.1 With respect to a UK SCC Export, the Standard Contractual Clauses shall be amended by the UK Addendum, which is deemed completed as follows (the “Relevant UK Addendum Details”):
4.1.1 The signatures of each party are deemed to be inserted;
4.1.2 Table 1 of the UK Addendum shall be completed by inserting the start date as the date of this Agreement, and the details of the relevant Data Exporter and Data Importer shall be completed by inserting the names and addresses of the Parties set out in the Agreement. The contact persons shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal;
4.1.3 Table 2 of the UK Addendum is deemed completed by selecting the second option and shall be completed by inserting the information about the Standard Contractual Clauses set out in Annex 3 of this DPA;
4.1.4 Table 3 of the UK Addendum shall be completed by inserting the information about the Standard Contractual Clauses set out in Annex 3 of this DPA; and
4.1.5 In Table 4 of the UK Addendum, the Party that may end the UK Addendum shall be DP World.
Annex 5: Standard contractual clauses in other jurisdictions
1 DIFC SCCs
1.1 In relation to a DIFC SCC Export where the Controller-Controller Clauses apply, the DIFC SCCs shall be deemed completed as follows (the “Relevant DIFC SCC Details”):
1.1.1 Clause 9 of the DIFC SCCs shall not apply;
1.1.2 the signatures of each Party are deemed to be inserted;
1.1.3 the details of the relevant Data Exporter and Data Importer in Appendix 1 shall be completed by inserting the names and addresses of the Parties set out in the Agreement. The contact persons shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal;
1.1.4 the activities relevant to the data transferred in Appendix 1 and the role of the Data Exporter and Data Importer shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s);
1.1.5 the descriptions of the categories of Personal Data and the nature of the processing activities in Appendix 1 shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s); and
1.1.6 Appendix 2 shall be completed by inserting the relevant details of the technical and organisational measures as identified in Annex 6 of this DPA.
1.2 In relation to a DIFC SCC Export where the Controller-Processor Clauses apply, the DIFC SCCs shall be deemed completed as follows (the “Relevant DIFC SCC Details”):
1.2.1 the signatures of each Party are deemed to be inserted;
1.2.2 the details of the relevant Data Exporter and Data Importer in Appendix 1 shall be completed by inserting the names and addresses of the Parties set out in the Agreement. The contact persons shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal;
1.2.3 the activities relevant to the data transferred in Appendix 1 and the role of the Data Exporter and Data Importer shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s);
1.2.4 the descriptions of the categories of Personal Data and the nature of the processing activities in Appendix 1 shall be completed by inserting the relevant details from the Agreement to which the transfer relate(s);
1.2.5 Appendix 2 shall be completed by inserting the relevant details of the technical and organisational measures as identified in Annex 6 of this DPA; and
1.2.6 Appendix 3 shall be completed by inserting the details of the Sub-processors the Supplier intends to engage, using the relevant details from the Agreement.
2 China SCCs
In relation to a China SCC Export the China SCCs shall be deemed completed as follows (the “Relevant China SCC Details”):
2.1.1 The details of the Personal Information Handler shall be completed by inserting the names and address of the DP World entity Established in the PRC set out in the Agreement (and the contact information and contact person details for that Party shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal);
2.1.2 The details of the Overseas Recipient shall be completed by inserting the names and address of the Supplier entity Established in the PRC set out in the Agreement (and the contact information and contact person details for that Party shall be, where individuals are identified in any notice provision in the Agreement, those individuals and where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (where none of the above exist) both the company secretary and head of legal);
2.1.3 The date of the China SCCs shall be the date of the Agreement;
2.1.4 The technical and management measures to be inserted in Article 2(5) China SCCs shall be those set out in Annex 6 of this DPA;
2.1.5 The address for notices in Article 9(3) China SCCs shall be the address for notifications set out in the Agreement for the attention of either (i) where individuals are identified in any notice provision in the Agreement, those individuals or (ii) where no such individuals are identified, the Party’s respective head of privacy, data protection officer or head of privacy legal or (iii) (where none of the above exist) both the company secretary and head of legal;
2.1.6 In Article 9(4)(a) China SCCs, the Parties elect the Shanghai International Arbitration Centre, with the place of Arbitration to be London;
2.1.7 For the purposes of Article 9(6) China SCCs, the China SCCs are executed, with parties holding copies, in the same manner as the Agreement;
2.1.8 The signatures of the Parties are deemed inserted;
2.1.9 In the Appendix to the China SCCs:
(i) Under para 1, purposes of processing shall be for the purpose of providing the services set out in the Agreement;
(ii) Under para 2, method of processing shall be as described in the Agreement;
(iii) Under paras 3-5 and 7, Scale of Personal Information, Types of Personal Information, Types of Sensitive Personal Information and Transfer Method shall in each case be as necessary to achieve the purposes of the Agreement (unless specified particularly in the Agreement in which case that specification shall apply);
(iv) Under para 8, Storage period shall be the term of the Agreement;
(v) Under para 9, storage place shall be the place of establishment of the Supplier and the places of Establishment of any Material Sub-processors and Non-material Sub-processors.
(vi) Under para 6, insert details of the Material Sub-Processors and Non-Material Sub-processors set out in the Agreement, as amended from time to time pursuant to paragraph 4 of this DPA.
Annex 6: Technical and Organisational Measures
The Supplier must implement a security and governance program that is based on industry-standard security frameworks such as NIST 800-53 or ISO 27001 (the “Information Security Management System”). Pursuant to the information security program, the Supplier must implement and maintain commercially reasonable technical, physical, administrative, and organizational safeguards to protect the security, confidentiality, integrity, and availability of all Personal Data.
The Supplier must also adhere to the DP World Cyber Security Schedule, covering but not limited to the safeguards below:
1. Information Security Policies: The Supplier must define, implement, and review information security policies annually or after significant changes while maintaining and improving the Information Security Management System.
2. Human Resources Security: The Supplier must implement policies for employee background screening, ensure confidentiality agreements are signed, conduct security awareness training, and define a disciplinary process.
3. IT Acceptable Use and Access Control: The Supplier must establish acceptable usage policies, define and enforce access control measures based on least privilege principles, and conduct periodic access reviews.
4. Encryption and Key Management: The Supplier must implement cryptographic controls aligned with industry standards, encrypt personal data in transit (TLS 1.2+) and at rest (with AES 256), and define policies for encryption and key management.
5. Network and Communication Security: The Supplier must define policies to protect networks, systems, and information using controls such as firewalls, network segmentation, intrusion detection systems, and web application firewalls.
6. System Development and Maintenance: The Supplier must integrate security & privacy into the application development lifecycle, ensure applications undergo user acceptance and security testing, and protect and control test data.
7. Physical and Environmental Security: The Supplier must secure premises processing controller data using ISO 27001 or equivalent standards and regularly review hosting provider compliance through attestation records.
8. Data Backup and Availability: The Supplier must implement and test backup procedures to ensure data integrity and availability while maintaining redundancy and system availability as per agreements.
9. Change Management: The Supplier must apply change management controls for system and application updates relevant to the services.
10. Security Incident Management: The Supplier must define policies for incident response and communication, monitor networks and systems for threats, analyze security incidents, and collaborate with the Controller to ensure compliance.
11. Risk Management: The Supplier must implement a risk management framework, conduct risk assessments annually or after significant changes, and remediate identified vulnerabilities.
12. Logging and Monitoring: The Processor must maintain policies for logging and monitoring system activities, protect audit logs from unauthorized access, and review them periodically.
13. Third-Party Risk Management: The Supplier must manage third-party risks, conduct due diligence for Sub-processors during onboarding and at intervals, and ensure the protection of information assets.
14. Audits and Compliance: The Supplier must conduct annual internal or external audits by independent assessors to demonstrate compliance with the security, governance and privacy controls as per industry-standard security frameworks such as NIST 800-53 or ISO 27001.