Privacy policy

Cargobus Privacy Policy - Data Processing Agreement

Valid from 2019.05.01.

Last updated -

This data processing agreement (hereinafter - the Agreement) governs the data processing performed by Cargobus acting as the "Data processor" on behalf of its customer who is acting as the "Data controller". This Agreement is binding on the Data processor and the Data controller under the General Data Protection Regulation.



1.1. Unless the context of the Agreement requires otherwise, in this Agreement, including its Preamble, and its annexes, the capitalized terms shall have the following meaning:

General Data Protection Regulation:  Regulation of the European Parliament and the Council No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. 

Data controller: a party to this Agreement, a natural or legal person, public authority, agency or another body that jointly or separately determines the purposes and means of the data processing. 

Data processor: a party to this Agreement, a natural or legal person, public authority, agency or another body that processes the personal data on behalf of the Data controller. 

Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Automated: any actions that are wholly or partly performed by automatic means.

Data subject: a natural person whose Data are processed in accordance with this Agreement.

Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Technical and organizational measures: measures used to protect Data from accidental or unlawful destruction, alteration, disclosure or any other unauthorized processing. These measures must ensure the level of security that is appropriate for the type of Stored Data and the risks of their processing.

1.2. In this Agreement:

(a) words in plural shall have the same meaning as these words in singular and vice versa;

(b) the use of a specific gender (male or female) in the text of the Agreement shall be interpreted as the use of any of these genders;

(c) the word “including” shall mean “including but not limited to”;

(d) the section titles in this Agreement shall be used for convenience only and shall not affect the interpretation of the Agreement;

(e) references to paragraphs, annexes, and other provisions shall be references to paragraphs, annexes and other provisions of this Agreement.

1.3. The Agreement is the general result of the negotiations and agreements between the Parties; therefore, the Agreement may not be interpreted to the benefit or detriment of either Party because either of the Parties was or could have been responsible for preparing the Agreement draft or any part thereof.

1.4. The terms not defined in the Agreement shall be interpreted according to the framework of the regulatory enactments.


2.1. This Agreement shall govern the personal data processing performed by the Data processor on behalf of the Data controller. This Agreement shall become binding to the Data processor and the Data controller pursuant to the General Data Protection Regulation.

2.2. The type, subject, and purpose of the personal data processing - performed by the Data processor on behalf of the Data controller - as well as the information associated with the type of the processed personal data and data subject categories are laid down in the Annexe to this Agreement.


3.1. This Agreement shall be applicable as long as the Data processor processes personal data on behalf of the Data controller.

3.2. At the request of the Data controller, after the termination or expiry of this Agreement, the Data processor shall terminate the data processing activity and - if so requested by the Data controller and the applicable data protection legal enactments do not provide otherwise - the Data processor shall delete or return all personal data to the Data controller and delete all existing copies of this data.


4.1. The Data processor has implemented the appropriate technical and organizational measures to ensure that the personal data processing under the provisions of this Agreement meets the applicable requirements of the data protection law, specifically - the requirements of the General Data Protection Regulation, and guarantees the protection of the rights of the data subject.

4.2. The Data processor undertakes to process the personal data only in accordance with the written, documented instructions provided by the Data controller, except in the case where the applicable law provides otherwise. In such a case, before the start of the personal data processing the Data processor shall notify the Data controller about such legal requirements to the extent permissible by the law. If the Data processor has no instructions on how to process personal data in a specific situation or any of the instructions violates the applicable data protection law, the Data processor shall notify the Data controller immediately.

4.3. Taking into consideration the type of data processing and applying the appropriate Technical and organizational measures to the extent possible, the Data processor shall assist the Data controller in performing the Data controller's obligation to respond to the requests regarding the use of the Data subject rights. Under this Agreement, the Data subject rights shall include the right to request information and - at the data subject's discretion - to correct, destroy personal data or stop the data processing activity.

4.4. Taking into consideration the type of data processing and the current information, the Data processor shall assist the Data controller in performing specific obligations under the applicable data protection law. The specific obligations shall include data processing security (Article 32 of the General Data Protection Regulation), communication of personal data breach (Article 33-34 of the General Data Protection Regulation) and data protection impact assessment, as well as prior consultation (Article 35-36 of the General Data Protection Regulation).

4.5. The Data processor undertakes to provide the Data controller with all information and provide all necessary assistance to demonstrate the performance of the obligations under this Agreement, as well as to create conditions that allow the Data controller or another authorized auditor to perform an audit, including on-site inspections.


5.1. The Data controller declares that the Data processor may recruit other companies indicated in the Annexe to the Agreement as other data processors. The Data processor shall inform the Data controller about all planned changes related to recruiting or changing other data processors, but the Data controller is entitled to reject such changes.

5.2. The Data processor guarantees and at the request of the Data controller declares that other data processors have undertaken obligations under written contracts pursuant to which - in addition to the obligations laid down in this Agreement - they must perform the relevant data processing obligations. The Data processor is fully liable to the Data controller regarding the obligations performed by other data processors.

5.3. The Data controller may request the Data processor to check another data processor or submit a certification of such check or, if possible, to obtain or help the Data controller to obtain a conclusion from an external auditor regarding the activity of other data processors to ensure compliance with the requirements of the applicable data protection laws.


6.1. The obligation to process personal data under the Agreement may be performed only in a European Union (EU) member state or a European Economic Area (EEA) member state. Any transfer of personal data to a country that is not an EU or EEA member state shall take place only with a prior written agreement of the Data controller and only if the special conditions are complied with as laid down in the applicable data protection laws, Chapter V of the General Data Protection Regulation.

6.2. The Data controller may revoke its agreement to data transfer to third parties pursuant to Paragraph 6.1 of this Agreement at any time. In such a case, the Data processor shall discontinue the data transfer immediately and, upon the Data controller's request, provide written proof of such discontinuation.


7.1. The Data processor guarantees adequate personal data protection in accordance with this Agreement for the purpose of protecting the personal data from destruction, alteration, and unauthorized disclosure or access. The personal data shall also be protected from other types of unauthorized processing.

7.2. The Data processor shall prepare and continuously update the description of its technical, organizational and physical measures to meet the requirements of the applicable data protection laws.

7.3. The Data processor undertakes not to disclose, without a prior written agreement of the Data controller, the personal data processed under this Agreement and otherwise to prevent their disclosure to any Third party, except other data processors recruited under this Agreement.

7.4. The Data processor guarantees that all persons involved in the data processing have undertaken a confidentiality obligation or are subject to the relevant confidentiality requirements laid down in the applicable law.


8.1. This Agreement is drawn and shall be interpreted according to the laws and regulations of the Republic of Estonia, excluding conflict-of-law principles, when other provisions of law may be applicable.

8.2. The Parties agree that the courts of the Republic of Estonia have the sole and exclusive jurisdiction over the settlement of all disputes arising in connection with this Agreement.


9.1. Unless otherwise agreed, the Parties are liable under the generally applicable law set out in Section 8 of the Agreement. Regardless of the above, the Parties shall not be liable for loss of operation, loss of revenue, loss of goodwill, any indirect damages and their consequences. Data loss shall be deemed as indirect damages.

9.2. The general liability of the Data processor under this Agreement and all obligations provided therein, in any case, shall be limited to 3000 EUR. In any case, the Data processor shall not be liable for loss of operation, loss of revenue, loss of goodwill, any indirect damages and their consequences. The Parties agree that data loss shall be deemed indirect damages.


Severability clause

10.1. If any provision of this Agreement is found by the court or the court of arbitration to be unlawful, invalid or unenforceable, other provisions of this Agreement shall remain valid and in full force. Any provision of this Agreement that is found unlawful, invalid or unenforceable only in part or to a certain extent, shall remain valid to the extent it is not found unlawful, invalid or unenforceable. The Parties shall replace such unlawful, invalid or unenforceable provisions of this Agreement with lawful, valid and enforceable provisions that in their essence are as close as possible to the intent of the Parties at the time of the drawing of this Agreement. The Parties shall make all reasonable efforts to ensure the implementation of all provisions of this Agreement.

No contradictory agreements 

10.2. This Agreement is a document that has been discussed and prepared by the Parties. This Agreement shall replace all previous agreements of the Parties regarding the subject of the Agreement and shall be the full and only declaration of the provisions of the Agreement by the Parties. This Paragraph shall not restrict the right to hold the Party liable for defrauding the other Party.

10.3. After the execution of the Agreement, each Party undertakes not to conclude any agreements that may be incompatible with the obligations of the Party under this Agreement.

Amendments and supplements of the Agreement

10.4. Any Annexes, amendments, and supplements to this Agreement (including the modifications and supplements to this Paragraph) shall be valid only if they are drawn as a written document signed by all Parties.


10.5. Each Party shall cover its expenses associated with the negotiations of this Agreement, the preparation, signing, entry into force and implementation of this Agreement.

Annex 1 to the Data Processing Agreement

The subject and purpose of data processing

The provision of Data processor’s services or tasks to the Data controller:

Service provision - processing, administration of the services purchased (ordered) by the Data subject; identification of the Data subject in the Data processor’s information systems;

Identification of the Data subject when logging in to its account on the Data processor’s website (if the Data processor provides this feature); resolving issues associated with the service implementation, provision, use; communication with the Data subject, when the provisions of the services purchased by the Data subject change; performance of other contractual obligations;

direct marketing purposes; business analysis and statistical analysis, general research that allows improving services and their quality; audit.

Types of processed personal data

The processed personal data include:

Personal contact information, for example, name, surname, telephone number or mobile phone number, electronic mail address, residence address; place of work.

Categories of Data subject

Data controller’s representatives and end users such as employees, candidates, contractors, colleagues, partners, as well as the clients of the Data controller and other persons who must be entered in the Data processor’s central data controller system.

Data processing operations

Entry, correction, and deletion of personal data, as well as the creation of backup copies and protection of servers that may contain personal data.