Data Processing Agreement
How GoGoo Fleet processes personal data on behalf of fleet-owner customers — designed to comply with both the GDPR and Ghana's Act 843.
- Effective: 9 June 2026
- Last updated: 9 June 2026
- Version: 1.0 — working draft, pending legal review
Working draft — pending legal review. Highlighted items like this are placeholders still to be confirmed by counsel before go-live. This document is not legal advice.
1. Definitions
- "Applicable Data Protection Law" means the GDPR, Act 843, and any other data protection or privacy law applicable to the processing.
- "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" have the meanings given in the GDPR; equivalent terms in Act 843 (including "data controller" and "data processor") are read consistently.
- "Customer Personal Data" means Personal Data processed by the Processor on behalf of the Controller under the Principal Agreement, as described in Annex 1.
- "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data.
- Capitalised terms not defined here have the meaning given in the Principal Agreement.
2. Roles and scope of processing
- The Controller is the controller and the Processor is the processor in respect of the Customer Personal Data. The Controller determines the purposes and means of processing.
- The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Annex 1.
- The Processor shall process Customer Personal Data only for the purpose of providing the Service and only as set out in this DPA, the Principal Agreement, and the Controller's documented instructions.
- This DPA does not apply to Personal Data for which GoGoo is itself the controller (for example, the Controller's account, billing and contact data), which is governed by the GoGoo Fleet Privacy Policy.
3. Processor obligations
The Processor shall:
- (a) process Customer Personal Data only on the Controller's documented instructions (including as to international transfers), unless required to do otherwise by law, in which case it will inform the Controller (unless legally prohibited);
- (b) ensure that persons authorised to process the data are bound by confidentiality;
- (c) implement the technical and organisational measures set out in Annex 2 (clause 7);
- (d) respect the conditions for engaging Sub-processors (clause 5);
- (e) taking into account the nature of the processing, assist the Controller, by appropriate measures, to respond to Data Subject requests (clause 6);
- (f) assist the Controller in ensuring compliance with its security, breach-notification, data-protection-impact-assessment and prior-consultation obligations (Articles 32–36 GDPR and the equivalent Act 843 duties), taking into account the information available to the Processor;
- (g) at the Controller's choice, delete or return the Customer Personal Data at the end of the Service (clause 11);
- (h) make available to the Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (clause 10);
- (i) immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
The Processor shall not sell Customer Personal Data and shall not use it for its own purposes, except that it may create and use aggregated and de-identified data that does not identify the Controller or any Data Subject.
4. Controller obligations
The Controller:
- (a) is responsible for the lawfulness of the Personal Data and of its instructions, and warrants that it has a valid lawful basis to have the Customer Personal Data processed as contemplated by the Service;
- (b) is responsible, in particular, for monitoring of vehicles and Drivers: for having a lawful basis, for informing Drivers transparently, and for obtaining any consents or fulfilling any consultation/notice obligations required by law (consistent with the Principal Agreement);
- (c) warrants that it is entitled to disclose the Customer Personal Data to the Processor and to the Sub-processors listed in Annex 3;
- (d) shall issue instructions that comply with Applicable Data Protection Law.
5. Sub-processors
- The Controller grants the Processor general written authorisation to engage Sub-processors. The current Sub-processors are listed in Annex 3.
- The Processor shall impose on each Sub-processor, by written contract, data-protection obligations equivalent to those in this DPA (Article 28(4) GDPR), and shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
- The Processor shall give the Controller prior notice of the addition or replacement of any Sub-processor (by email or via the Service), giving the Controller the opportunity to object on reasonable data-protection grounds within 14 days. If the parties cannot resolve a reasonable objection, the Controller may terminate the affected part of the Service.
6. Data Subject rights and assistance
- The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests by Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decisions) under the GDPR and the data-subject participation rights under Act 843.
- If the Processor receives a request directly from a Data Subject relating to Customer Personal Data, it shall not respond itself (except to confirm it acts as a processor) but shall forward the request to the Controller without undue delay.
7. Security
- The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex 2, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
- Given that the Service involves the systematic monitoring of vehicle and Driver location on a potentially large scale, the parties acknowledge this is higher-risk processing that may require a Data Protection Impact Assessment (DPIA) by the Controller; the Processor will provide reasonable assistance.
8. Personal data breaches
- The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information reasonably available to enable the Controller to meet its own notification duties (including the GDPR 72-hour obligation to the supervisory authority and the Act 843 duty to notify the Ghana Data Protection Commission and affected individuals).
- The Processor shall take reasonable steps to mitigate and remediate the breach and shall not make any public statement attributing the breach to the Controller without the Controller's consent, unless required by law.
9. International data transfers
- The Customer Personal Data originates in Ghana and, in the course of the Service, is processed in Ghana, the European Economic Area (Germany) and — through Sub-processors — in other countries including the United States.
- For transfers from the EEA to countries without a European Commission adequacy decision (including Ghana), the parties rely on the EU Standard Contractual Clauses (SCCs) and any additional measures required. Transfers to the United States rely on the recipients' certification under the EU–US Data Privacy Framework and/or the SCCs.
- The Processor shall ensure that transfers of Ghana-originating data comply with Act 843, including ensuring an adequate level of protection where required.
- The SCCs, where applicable, are incorporated by reference and prevail over this DPA in case of conflict on transfer matters.
10. Audits and records
- The Processor shall maintain records of its processing of Customer Personal Data and make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
- The Controller may audit the Processor's compliance no more than once per year (or following a Personal Data Breach), on 30 days' prior written notice, during business hours, subject to confidentiality and without unreasonable disruption. The Processor may satisfy audit requests by providing existing reports or third-party attestations where available.
11. Return and deletion
On termination of the Service, the Processor shall, at the Controller's choice, return or delete all Customer Personal Data and delete existing copies, unless retention is required by law, within 30 days of a written request. The Processor shall confirm deletion in writing on request. Aggregated and de-identified data may be retained.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Principal Agreement. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law, including for breaches of Data Subjects' rights.
13. Term
This DPA takes effect on the date of the Principal Agreement and continues for as long as the Processor processes Customer Personal Data, after which clauses intended to survive (including confidentiality, return/deletion and liability) continue.
14. General
- This DPA is governed by the law of the Republic of Ghana, without prejudice to mandatory provisions of Applicable Data Protection Law and (where applicable) the governing law of the SCCs.
- In case of conflict, the order of priority is: the SCCs (on transfer matters), then this DPA, then the Principal Agreement, then the Privacy Policy.
- If any provision is unenforceable, the remainder remains in effect.
Annex 1: Details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the GoGoo Fleet intelligence Service to the Controller |
| Duration | The term of the Principal Agreement, plus any return/deletion period |
| Nature and purpose | Collection, storage, organisation, analysis, transmission and display of vehicle telematics and related data to provide fleet monitoring, insights, alerts and reporting |
| Types of Personal Data | Driver identifiers (name, phone/WhatsApp number, driver/employee ID); vehicle identifiers linkable to individuals; GPS/location data; trip, route and journey data; speed and mileage; driving-behaviour events (e.g. harsh braking/acceleration); timestamps; ignition/engine and device status; authorised-user account and contact data |
| Special categories | None intended or required |
| Categories of Data Subjects | The Controller's drivers and vehicle operators; the Controller's authorised users and staff |
| Frequency | Continuous / ongoing during the term |
Annex 2: Technical and organisational measures (security)
The Processor maintains measures appropriate to the risk, including [confirm and tailor to actual implementation — do not overstate]:
- Role-based access controls and the principle of least privilege; token-based authentication for platform access.
- Encryption in transit (TLS) for data transmitted to and from the Service.
- Logical separation and controlled access to Customer Personal Data.
- Logging and audit trails of access to and changes within the Service. [confirm scope]
- Secure handling and prompt revocation of credentials for staff and partners on personnel changes or termination.
- Confidentiality obligations on personnel and partners; data-protection awareness for staff.
- Sub-processor due diligence and written data-protection terms with each Sub-processor.
- Use of reputable infrastructure providers (e.g. Google) with their own physical and platform security controls.
- Pseudonymisation / aggregation where feasible for analytics.
- A documented incident-response and breach-notification process.
- Backup and recovery measures. [confirm]
The parties acknowledge these measures may evolve; the Processor will not materially reduce the overall level of security during the term.
Annex 3: Approved sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| [Local operating partner name] | Ghana | Local hardware installation/servicing, software deployment and support, local operations and payment collection on GoGoo's behalf |
| Google Ireland Ltd / Google LLC | EEA / United States | Cloud hosting, Google Workspace, Apps Script and Sheets infrastructure |
| Meta Platforms Ireland Ltd / Meta Platforms, Inc. | EEA / United States | WhatsApp messaging interface |
| Payment / SMS provider(s) | [location] | Payment processing / messaging |