Effective Date: May 13, 2025
Parties:

• Data Controller: The client, customer, or user of ODAS OIL’s services (“Controller”, “you”)

• Data Processor: ODAS GLOBAL UNLIMITED OIL PRODUCTS TRADING L.L.C (“ODAS OIL”, “we”, “our”, “us”)

Registered Office: S1-28 PROPERTY INVESTMENT OFFICE 4, Dubai Investment Park First, DUBAI, 111485
Email: office@odasoil.com | Phone: +971 503 956 811

---

1. Purpose and Scope

This DPA governs the processing of personal data carried out by ODAS OIL on behalf of the Controller in connection with the provision of services and is part of any existing agreement or engagement with the Controller.

---

2. Definitions

• “Personal Data”: Any information relating to an identified or identifiable natural person.

• “Processing”: Any operation performed on personal data (collection, storage, use, disclosure, etc.).

• “Data Subject”: The individual to whom the personal data relates.

• “Applicable Law”: Includes the General Data Protection Regulation (EU) 2016/679 (GDPR), UAE Federal Decree Law No. 45 of 2021, and any other relevant data protection laws.

---

3. Roles and Responsibilities

• The Controller determines the purposes and means of processing personal data.

• ODAS OIL acts as a Processor and shall process personal data only on documented instructions from the Controller.

---

4. Categories of Data Processed

• Data Subjects: Clients, partners, employees, suppliers, prospects

• Data Types: Names, email addresses, phone numbers, IP addresses, business contact information, job titles, transactional records

---

5. Processor’s Obligations

ODAS OIL agrees to:

• Process data solely based on documented instructions from the Controller;

• Ensure that persons authorized to process data are bound by confidentiality;

• Implement appropriate technical and organizational measures to protect data (e.g., encryption, access controls);

• Provide assistance in ensuring compliance with the Controller’s obligations (e.g., rights requests, impact assessments);

• Notify the Controller without undue delay of any personal data breach;

• Assist with audits and inspections as per Clause 11 below.

---

6. Sub-Processing

ODAS OIL may engage sub-processors for specific tasks. We shall:

• Notify the Controller in advance of any changes;

• Ensure sub-processors are bound by equivalent contractual obligations;

• Remain fully liable for the acts and omissions of all sub-processors.

Current Sub-processors may include:

• Secure hosting providers (UAE/EU-based)

• Email communication platforms (e.g., Microsoft 365)

• CRM or customer platforms

---

7. International Transfers

Where personal data is transferred outside the UAE or European Economic Area (EEA), ODAS OIL shall ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs)

• Data Transfer Agreements

• Transfers to jurisdictions with adequacy decisions

---

8. Data Subject Rights

ODAS OIL shall assist the Controller, to the extent possible, with responding to data subjects’ requests including:

• Right of access

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to object or restrict processing

• Right to data portability

---

9. Security Measures

ODAS OIL has implemented the following technical and organizational security measures:

• Encrypted data transmission (SSL/TLS)

• Access restricted by roles and policies

• Multi-factor authentication for internal systems

• Regular backups and system monitoring

• Staff training in data protection and confidentiality

---

10. Personal Data Breach

In the event of a data breach, ODAS OIL shall:

• Notify the Controller within 48 hours after becoming aware;

• Provide sufficient information to allow the Controller to meet legal obligations;

• Cooperate fully in breach containment and mitigation.

---

11. Audit and Inspection Rights

The Controller has the right to conduct reasonable audits or inspections. ODAS OIL shall:

• Provide necessary information and access;

• Cooperate fully with audit processes;

• Allow independent third-party audits under confidentiality and with prior written notice.

---

12. Data Retention and Deletion

Upon termination of services, ODAS OIL shall, at the Controller’s choice:

• Return all personal data; or

• Delete all personal data unless otherwise required by law.

Proof of deletion or destruction can be provided upon request.

---

13. Duration

This DPA shall remain in effect for the duration of the main service contract or agreement and for as long as ODAS OIL processes personal data on behalf of the Controller.

---

14. Liability and Indemnification

Each party is responsible for its own compliance with applicable data protection laws. ODAS OIL shall indemnify the Controller only for damages arising from willful misconduct or gross negligence in breach of this DPA.

---

15. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the United Arab Emirates. Any disputes shall be settled under the exclusive jurisdiction of the courts of Dubai, UAE.

---

16. Contact Information

For all data protection matters, please contact:
ODAS GLOBAL UNLIMITED OIL PRODUCTS TRADING L.L.C
S1-28 PROPERTY INVESTMENT OFFICE 4, Dubai Investment Park First, DUBAI, 111485
+971 503 956 811
office@odasoil.com