1) Parties and role allocation
This Data Processing Agreement (“DPA”) forms part of the service-layer relationship between:
- the Client, acting as Controller to the extent it determines the purposes and means of the personal data processing covered by the service relationship; and
- EU Returns Hub — Dzianis Vislavus, acting as Processor to the extent it processes personal data on behalf of the Client in connection with the agreed returns-operations service layer.
This DPA becomes relevant where the parties enter into an actual service relationship involving processing on behalf of the Client. It is not intended to govern ordinary website browsing or standalone digital product purchases.
2) Subject matter and duration
The subject matter of the processing is the performance of agreed returns-operations services, such as intake, registration, inspection support, evidence handling, decision-routing support, export-related workflow handling, billing-related operational logging, and associated client communications, to the extent these activities involve personal data processed on behalf of the Client.
The duration of the processing is limited to the duration of the underlying service relationship, together with any legally required retention, incident handling, recordkeeping, and orderly offboarding period.
3) Processing on documented instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers, unless otherwise required by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement unless prohibited by law.
Documented instructions may arise from the applicable service agreement, onboarding materials, service workflow accepted by the parties, operational tickets, decision records, client instructions submitted through approved workflow channels, or other written or system-documented directions reasonably connected to the service relationship.
If the Processor believes an instruction infringes applicable data protection law, the Processor may notify the Controller and suspend the affected instruction until clarified.
4) Confidentiality
The Processor shall ensure that persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
Access to personal data shall be limited to personnel, operators, and support providers who need such access for the performance, maintenance, or protection of the service relationship.
5) Security measures
The Processor shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing, as well as the likelihood and severity of the risks to natural persons.
These measures may include, as appropriate:
- role-based access restriction;
- password protection and account hygiene;
- controlled access to operational systems and records;
- segregation of internal workspaces and service records where appropriate;
- security monitoring, logging, and incident review where proportionate;
- backup, restoration, and continuity measures where relevant;
- reasonable physical and organisational controls for environments handling service-layer records.
More detail is provided in Annex 2.
6) Sub-processors
The Controller grants the Processor a general authorization to use sub-processors where reasonably necessary to support the service relationship, including hosting providers, infrastructure providers, communication tools, storage providers, workflow tools, document systems, and similar support providers.
The Processor shall remain responsible for ensuring that sub-processors are bound by appropriate data protection obligations relevant to the services they support.
Where commercially and operationally appropriate, the Processor shall provide information about material categories of sub-processors upon reasonable request in the context of an active service relationship.
7) Assistance to the Controller
Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in relation to:
- data subject requests;
- security and breach-related obligations;
- data protection impact assessments where relevant to the processing performed by the Processor;
- consultation with supervisory authorities where applicable and reasonably necessary.
Such assistance shall be limited to what is reasonable and proportionate in light of the actual service relationship and the Processor’s role.
8) Personal data breach handling
If the Processor becomes aware of a personal data breach affecting personal data processed under this DPA, the Processor shall notify the Controller without undue delay after becoming sufficiently aware of the incident.
The Processor’s notification shall, where reasonably possible at the time, describe:
- the nature of the incident;
- the categories of affected data where known;
- the likely impact where known;
- the measures taken or proposed to address the incident.
Initial notice may be supplemented as further information becomes available.
9) Return and deletion
Upon termination or expiry of the relevant service relationship, the Processor shall, at the Controller’s choice where applicable and reasonably operational, delete or return personal data processed on behalf of the Controller, unless retention is required by law or reasonably necessary for the establishment, exercise, or defence of legal claims, incident handling, billing reconciliation, fraud prevention, or regulatory recordkeeping.
Deletion may occur through scheduled retention controls, secured archival expiry, account decommissioning, or other reasonable internal procedures appropriate to the service environment.
10) Information and audit rights
The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and allow for reasonable verification measures, including document-based review, where appropriate.
Any audit or verification activity shall be subject to reasonable notice, proportionality, confidentiality, security controls, operational feasibility, and protection of other clients, systems, and confidential information.
On-site inspections, if any, must be exceptional, justified, and coordinated in advance.
11) International transfers
Where personal data subject to this DPA is transferred outside the EEA/UK/other relevant protected jurisdiction, the Processor shall ensure that such transfer is supported by an appropriate transfer mechanism where required by law.
The parties acknowledge that some operational or support providers may process data in multiple jurisdictions depending on the technology stack in use at the time.
12) Liability and precedence
This DPA forms part of the service-layer documentation governing the relevant client relationship. To the extent of conflict between this DPA and the general website terms applicable to ordinary site use or digital product sales, this DPA shall prevail only with respect to the service-layer processing relationship to which it applies.
Nothing in this DPA creates a broader live service commitment than what is actually agreed between the parties in the underlying service relationship.
Annex 1 — Description of processing
| Item | Description |
|---|---|
| Subject matter | Returns-operations service-layer support, including intake-related administration, evidence handling, inspection support, client-decision routing, export workflow support, and related operational records. |
| Duration | For the duration of the applicable service relationship plus any reasonable or legally required retention period. |
| Categories of data subjects | Client contacts, end customers where relevant to the service layer, carrier-related contacts, warehouse or operational contacts, and other persons whose data appears in service-related records. |
| Categories of personal data | Names, contact details, return identifiers, shipment-related information, parcel records, decision records, evidence records, communications data, billing-related records, and operational metadata. |
| Nature of processing | Collection, recording, organisation, structuring, storage, consultation, limited sharing within workflow, retrieval, alignment, transmission where instructed, and deletion or retention control. |
| Purpose | To deliver the returns-operations service layer requested by the Controller and support the agreed workflow, control, execution, and service administration. |
Annex 2 — Technical and organisational measures
The Processor maintains measures appropriate to the service environment, which may include:
- access controls and account restrictions based on role;
- credential protection and administrative access limitation;
- logical separation of systems, documents, and operational records where appropriate;
- reasonable device, browser, and session hygiene practices;
- secure hosting or managed infrastructure for website and workflow components;
- controlled sharing practices for service-related records;
- reasonable retention and deletion routines;
- incident identification, escalation, and breach-response coordination.
This page describes the service-layer DPA framework used by EU Returns Hub. It becomes applicable within a real service relationship requiring such terms, whether through service onboarding, accepted client workflow, separate written agreement, or other documented commercial acceptance.
For service-related questions, contact denis@eureturnshub.eu.
