Book a demo
Legal

Information Clause on Data Protection for Signatories and Data Processing Agreement

Version dated 1 April 2026

Download: Data Processing Agreement

Information Clause on Data Protection for Signatories and Data Processing Agreement

Version dated 1 April 2026

1. Information clause for signatories

In compliance with Regulation (EU) 2016/679 ("GDPR") and Organic Law 3/2018 on Personal Data Protection ("LOPDGDD"), the signatories acting in the name and on behalf of each of the Parties to the Accession Agreement (the "Agreement") are informed that their personal data included in the Agreement will be processed independently by each of the Parties identified in the heading of the Agreement, each acting as an independent data controller. Any defined term used in this clause or in the following clause which is not expressly defined in either of them shall have the meaning given to it in the Agreement.

Amphora does not have a data protection officer. For any query regarding data protection or to exercise your rights, in the case of Amphora you may contact: privacy@amphoralogistics.com. The details and contact address of the Client's data protection officer, where the Client has appointed one, are those indicated in the Agreement.

The personal data of the signatories will be processed for the purposes of managing and performing the Agreement, verifying the authority of the signatories, maintaining a register of executed contracts and complying with applicable legal obligations. The legal bases are performance of the contract (Article 6.1(b) GDPR), compliance with legal obligations (Article 6.1(c) GDPR) and legitimate interest in maintaining records of contractual relationships (Article 6.1(f) GDPR). No automated decisions will be made and no profiles will be created using the personal data of the signatories.

Personal data may be communicated where necessary for contractual management, legal compliance or internal coordination within the corporate group of each Party, in the case of Amphora expressly including, without limitation, "AMPHORA OPERATIONS, S.L.U." (tax identification number B-22961916) and "AMPHORA DEVELOPMENT, S.L.U." (tax identification number B-22961759). No international data transfers will be carried out.

The data will be retained for the duration of the contractual relationship and, thereafter, for the legally established periods required to address any potential liabilities, with a minimum retention period of six years.

The signatories may exercise their rights of access, rectification, erasure, restriction of processing, portability and objection before the relevant controller through the contact details indicated. They may also lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

2. Data processing agreement

The Client acts as data controller of the personal data of its customers (recipients of the shipments), and Amphora acts as data processor in respect of such personal data, pursuant to Article 28 GDPR and Article 33 LOPDGDD. Therefore, by signing the Agreement, as provided therein, the parties also expressly accept the content of this data processing agreement (the "Data Processing Agreement").

2.2.1. Subject matter and purpose of the processing

Amphora will process the personal data provided by the Client exclusively for the provision of the Services. The duration of the processing will coincide with the term of the Agreement.

2.2.2. Categories of data and data subjects

The personal data processed will include, without limitation, the following identification and contact data: first name and surname, postal address, telephone number and email address of the recipients of the shipments and, only where legally required for the management, dispatch, transport, delivery or customs clearance of the shipment at destination, the data contained in the recipient's national identity document. Due to the nature of the Services, no processing of special categories of data is envisaged.

2.2.3. Obligations of Amphora as data processor

Amphora undertakes to:

a) Process the personal data only in accordance with the Client's documented instructions, unless required otherwise by law, in which case it will inform the Client in advance, unless legally prohibited, and notify the Client where Amphora has reasonable grounds to consider that any of the Client's documented instructions infringes the GDPR, the LOPDGDD or any other applicable data protection legislation. Amphora shall not be liable for any processing of personal data carried out before such notification and in strict compliance with the Client's documented instructions. If, after receiving the notification, the Client insists on the instruction and such instruction subsequently proves to be unlawful, this shall constitute a breach of the Client's representations and warranties and shall trigger the indemnification obligation under clause 2.2.9.

b) Ensure that the persons authorised to process personal data have undertaken to observe confidentiality or are subject to a statutory duty of confidentiality.

c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Amphora shall prepare and maintain a record of processing activities in its capacity as data processor, in accordance with Article 30 GDPR, which shall be made available to the Client exclusively within the framework of the audit and information right provided for in paragraph g) of this clause.

d) Assist the Client in complying with its obligations to respond to the exercise of rights by data subjects.

e) Assist the Client in complying with the obligations set out in Articles 32 to 36 GDPR.

f) Erase or return the personal data to the Client, at the Client's choice, once the provision of services has ended, and erase existing copies unless there is a legal obligation to retain them.

g) Make available to the Client all information necessary to demonstrate compliance with the obligations under this agreement and allow for and contribute to audits.

2.2.4. Communication of data to carriers

The Client expressly requests Amphora, as part of the contracted Services, to communicate the personal data of the recipients of the shipments to the necessary carriers determined by Amphora for the performance of the shipping service. Such communication constitutes a disclosure of data to independent data controllers within the meaning of Article 4.7 GDPR, since the carriers independently determine the purposes and means of their processing for the provision of the transport service.

The authorised carriers include, by way of example and without limitation: UPS, FedEx, DHL, SEUR, Correos, MRW, GLS and other transport operators that Amphora may use for the provision of the Services. The Client may request the updated list of carriers at any time.

Amphora shall select carriers that offer appropriate guarantees of regulatory compliance in data protection matters. However, the Client acknowledges that, as they are independent data controllers, the processing carried out by the carriers will be governed by their own privacy policies and Amphora shall not be liable for the processing that they carry out independently. Likewise, the Client, in its capacity as data controller, has the exclusive obligation to ensure that the recipients of the shipments have been duly informed, in accordance with Articles 13 and 14 GDPR and the applicable provisions of the LOPDGDD, of the communication of their personal data to Amphora and the subsequent disclosure to the carriers as independent data controllers. Amphora shall not assume any liability for any claims, penalties or damages arising from the Client's failure to comply with its information and transparency obligations towards data subjects in relation to such communications.

2.2.5. Sub-processors

The Client hereby expressly authorises Amphora to engage other sub-processors for the provision of the Services. Amphora shall impose on the sub-processors, by contract, the same data protection obligations as those set out in this Data Processing Agreement. Amphora shall notify the Client in writing of any intended change relating to the addition or replacement of sub-processors at least ten (10) calendar days in advance. If the Client does not object in writing within that period, the authorisation shall be deemed extended to the new sub-processor. Any objection by the Client must be based on objective and demonstrable grounds relating to data protection. If the Parties do not reach an agreement, Amphora may terminate the Agreement by giving reasonable written notice.

2.2.6. International transfers

No transfers of personal data to third countries outside the European Economic Area are envisaged. If any international transfer becomes necessary for the provision of the service, Amphora shall inform the Client in advance and ensure that appropriate safeguards are in place in accordance with the GDPR.

2.2.7. Notification of security breaches

Amphora shall notify the Client, without undue delay and in any event within a maximum period of 48 hours, of any personal data breach of which it becomes aware, providing all available information so that the Client can comply with its notification obligations to the supervisory authority and, where applicable, to the data subjects.

2.2.8. Representations and warranties of the Data Controller

The Client represents and warrants to Amphora, both at the time of signing the Agreement and, consequently, this Data Processing Agreement, and on an ongoing basis throughout its term, as follows:

a) Prior to and during any transmission of personal data to Amphora, the Client has complied and will continue to comply with all information and transparency obligations set out in Articles 13 and 14 GDPR in respect of its customers (recipients of the shipments), including specifically informing them of: (i) the communication of their personal data to Amphora as data processor; (ii) the subsequent disclosure of their data to the carriers as independent data controllers for the performance of the delivery service; (iii) the purpose and legal basis of such processing activities and disclosures; and (iv) the categories of data recipients.

b) The Client has obtained and maintains an adequate and sufficient legal basis under Article 6 GDPR for the processing of the personal data of its customers and for the communication of such data to Amphora and, where applicable, to the carriers.

c) The Client's privacy policy and legal notices addressed to its customers are truthful, complete, up to date and compliant with the applicable data protection legislation.

d) The Client shall keep the information provided to its customers up to date if there are changes to the purposes, legal bases, categories of recipients or any other relevant element of the processing described in this Agreement.

The breach of any of the representations and warranties contained in this clause constitutes a material breach of the Data Processing Agreement and entitles Amphora, without prejudice to any indemnification rights under clause 2.2.9, to terminate the Data Processing Agreement with immediate effect without prior notice or court order.

The indemnification consequences arising from breach of these representations and warranties shall be governed by clause 2.2.9.

2.2.9. Indemnification in favour of the Data Processor

The Client undertakes to indemnify and hold harmless Amphora, as well as its group companies, directors, employees and representatives, from and against any claims, actions, penalties, costs, damages, losses and expenses (including reasonable lawyers' and Spanish procedural representatives' fees) arising directly or indirectly from:

a) Any breach by the Client of its obligations as data controller under the GDPR, the LOPDGDD or any other applicable data protection legislation;

b) Any failure, omission or insufficiency in the information provided by the Client to the data subjects in accordance with Articles 13 and 14 GDPR, including in relation to the communications of data to Amphora as data processor and to the carriers as independent data controllers pursuant to clause 2.2.4;

c) The processing by Amphora of personal data in strict compliance with the Client's documented instructions, where such processing proves to be unlawful or contrary to the applicable legislation;

d) Any claim brought by data subjects or by the Spanish Data Protection Agency (AEPD) or any other competent supervisory authority, to the extent caused by the Client's breach of its obligations as data controller;

e) The inaccuracy or falsity of any representation or warranty given by the Client in this Data Processing Agreement.

Amphora shall notify the Client without undue delay of any claim or proceeding that may give rise to the indemnification obligation. Amphora may, at its option, allow the Client to assume control of the defence, in which case: (i) Amphora shall provide reasonable cooperation; (ii) the Client may not settle, compromise or agree to any resolution that implies an admission of liability by Amphora without Amphora's prior written consent; and (iii) Amphora shall retain the right to participate in the defence through its own counsel at its own cost.

This indemnification obligation is independent and cumulative with respect to all other liability provisions set out in the Agreement and in the applicable law, and shall not be subject to any general liability limits or exclusions established in the Agreement, unless expressly agreed otherwise in writing.

2.2.10. Amendments to the Data Processing Agreement

Any amendment to this Data Processing Agreement must be signed or accepted in writing by both parties.