Personal Data Processing Agreement concluded between the Contractor/Carrier acting as “the Controller” and the Employer/Freight Forwarder acting as “the Processor”, hereinafter individually and collectively referred to as “Parties”.

1.     Preamble (the aim of the Agreement). The Parties shall aim to regulate the principles of Personal Data Processing so that the principles are fully compliant with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016 O.J. (L119)1), hereinafter GDPR.

2.     Controller’s statement. The Controller declares that he is the Controller of the entrusted data and that he is authorised to process the data within the scope in which the data was entrusted to the Processor.

3.     Type of data [Art. 28, section 3 GDPR]. Under the provisions of this Agreement and the Main Agreement, i.e. the Freight Forwarding Order in International Road Transport, the Controller entrusts to the Processor (within the meaning of GDPR) the processing of Personal Data that may include common data of the Contractor or of his employees (drivers and other associates performing the contract): names and surnames, company’s data, e-mail addresses, IP addresses, telephone numbers, home addresses, dates of birth, VAT numbers, passport or ID numbers and series, parents’ names, bank account numbers.

4.     Storage limitation [Art. 28, section 3 GDPR]. Processing of the data will be carried out for the period of the Main Agreement and until the expiry of the time-barring periods of any claims arising from the Agreement.

5.     Aim and character [Art. 28, section 3 GDPR]. The aim and the character of data processing arise from the Main Agreement: in particular, the character of the processing is defined by the specific role of the Processor acting as a Freight Forwarder, and the purpose of processing data is the appropriate performance of the contract (the Main Agreement) and the forwarding of goods according to the freight forwarding order.

6.     Non-processing outside EEA [Art. 28, section 3a GDPR]. The Processor declares that he shall not transfer the data to third parties or international organisations and bodies, i.e. outside the EEA (European Economic Area). The Processor also declares that he does not use subcontractors that submit data outside the EEA.

7.     Notification of an intention to process data outside EEA [Art. 28, section 3a GDPR]. If the Processor intends or is obliged to transfer personal data outside the EEA, he will inform the Controller, so that the Controller will take the necessary decisions and actions in order to ensure that data processing is compliant with the law, or he will terminate the entrustment of personal data.

8.     Confidentiality [Art. 28, section 3b GDPR]. The Controller shall obtain written consents from all persons authorised to process data for the purposes of the Agreement or he shall verify whether the authorised persons are under a legal obligation of confidentiality.

9.     Security [Art. 28, section 3c GDPR]. The Controller will ensure the security and take any necessary security measures mentioned in Article 32 GDPR, in accordance with further provisions of the Agreement.


10.   Assisting in security duties [Art. 28, section 3f GDPR]. The Processor will assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (data protection, complaints to a supervisory authority, notifications of persons affected by a data breach, an assessment of the potential consequences of a data breach and prior consultations with a supervisory authority).

11.   Data minimisation [Art. 25, section 2 GDPR]. The Processor will ensure personal data will be transferred solely to authorised persons whose access to his personal data is necessary to complete the Agreement.

12.   Controller’s responsibilities. The Controller shall assist the Processor in completing the Agreement, explain and respond to any of the Processor’s concerns regarding the lawfulness of his instructions, and perform his duties in a timely manner.

13.   Security measures. The Parties agreed on the level of security of personal data on the Processor’s part. The Processor presented to the Controller information confirming that appropriate and sufficient technical and organisational measures have been taken by the Processor. Both Parties shall keep a copy of this Agreement and all documents confirming the given information for accountability purposes.

14.   Notification of a personal data breach. The Processor shall notify the Controller of any alleged personal data breach not later than 24 hours from the first report. The Processor shall enable the Controller to assist in explanatory actions and shall notify him in due time about the arrangements, in particular about the infringement of personal data. The notification sent to the Controller shall include all necessary documentation of the breach to enable him to report the infringement to a supervisory authority.

Information clause

1.  The Processor of your personal data mentioned above is FIDE-TRANS Ożóg Spółka Jawna, hereinafter “the Controller”. You may contact the Controller using the contact details included in this agreement.

2.  The legal basis for your data processing is the performance of the Main Agreement between You and the Controller, hereinafter “the Agreement”. For its purposes, processing your data is necessary.

3.  Your personal data will be processed solely for the performance of this agreement and to take necessary steps prior to entering into the Agreement.

4.  Submitting your personal data is not compulsory; however, refusal to provide your data will result in failure to conclude and perform the Agreement.

5.  Your data will be stored no longer than is necessary, i.e. for the period of the Main Agreement and until the expiry of the time-barring periods of any claims arising from this Agreement.

6.  The Controller will not aim to transfer your data to any third parties or international organisations.

7.  You have a right to access, rectify, obtain and reuse, erase and to restrict processing of your personal data.

8.  In relation to processing your personal data you have a right to lodge a complaint to a supervisory authority.

9.  On the basis of your data, the Controller will not take any automated individual decisions, including decisions resulting from profiling.