Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of any Service Agreement (“Service Agreement”) concluded between:

Relovate OÜ (registry code 17370391), Riia mnt 59-6, 80019 Pärnu, Estonia (“Relovate”, “Processor”)
and
the Client, a legal entity receiving relocation or immigration support services (“Client”, “Controller”).

This DPA applies only when Relovate processes personal data on behalf of the Client in connection with business-to-business relocation services. Private clients are not subject to this DPA.

If there is a conflict between this DPA and the Service Agreement regarding data processing, this DPA shall prevail.

1. Definitions and Roles

1.1
Terms used in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1.2
The Client is the Controller of the personal data.
Relovate OÜ is the Processor and processes personal data solely on behalf of the Client.

1.3
This DPA applies only when the Client is a legal entity and Relovate processes employee or contractor data as part of the relocation process.

2. Obligations of Relovate OÜ (Processor)

2.1 Compliance

Relovate shall process personal data only in accordance with:
• applicable law,
• the Service Agreement, and
• this DPA.

2.2 Purpose Limitation

Processor shall process personal data only for the purposes described in Section 11 (“Description of Processing”).

2.3 Documented Instructions

Processor shall process personal data solely on documented instructions from the Client. If the Client provides instructions that violate applicable law, Relovate will inform the Client and may decline to follow such instructions.

2.4 Records of Processing

Processor maintains internal records as required by GDPR Article 30(2).

2.5 Personnel

As a sole operator, Relovate OÜ processes all personal data personally. No other individuals have access. Processor ensures that confidentiality obligations are met and that internal security is maintained.

2.6 Assistance

Processor shall provide reasonable assistance to the Client in:
• responding to data subject requests,
• fulfilling obligations under GDPR Articles 32 and 33 relating to security and breaches, to the extent that Processor’s activities are relevant.

2.7 No Automated Decision-Making

Processor does not use automated decision-making or profiling.

2.8 Right to Decline Instructions

Processor may refuse instructions that are unlawful, unethical, outside the scope of the Service Agreement, or would compromise data security.

3. Obligations of the Client (Controller)

3.1 Lawful Basis

The Client warrants that it has a valid legal basis for transferring employee and family member data to Relovate.

3.2 Accuracy and Minimisation

The Client ensures that personal data submitted is accurate, relevant and limited to what is necessary.

3.3 Documented Instructions

All instructions must be documented, including instructions delivered through:
• email,
• Trello boards,
• Google Drive folders,
• official HR platforms,
• or other agreed channels.

3.4 Client-Side Security

The Client is responsible for securing its own systems, devices and communication tools. Processor is not responsible for breaches occurring due to insecure Client systems.

4. Confidentiality

Processor ensures that:
• personal data processed on behalf of the Client is kept confidential,
• no unauthorised persons gain access,
• confidentiality obligations remain in force after termination of services.

5. Security Measures

Processor applies appropriate technical and organisational measures as required by GDPR Article 32, considering the nature, scope and risks of processing.

Security measures include:
• encrypted laptop and smartphone,
• strong passwords and two-factor authentication,
• secure private Wi-Fi and 5G network,
• use of Google Workspace, Trello and DigiDoc secure systems,
• no document printing,
• secure deletion practices.

Processor’s full security measures are described in the Information & Security Policy, which forms part of this DPA by reference.

6. Audit and Compliance Requests

6.1
The Client may request documentation demonstrating Processor’s compliance with this DPA once per year.

6.2
Audits are limited to document-based verification. No access to devices, systems, laptops or physical inspections is permitted.

6.3
Processor may decline requests that are excessive, disruptive or not legally required.

7. Personal Data Breach

7.1 Notification
Processor shall notify the Client without undue delay and no later than 72 hours after becoming aware of a personal data breach affecting data processed under this DPA.

Notification shall include:
• nature of the breach,
• categories and approximate number of data subjects,
• likely consequences,
• measures taken or planned.

7.2 Cooperation
Processor will cooperate with the Client to investigate and mitigate the breach.

7.3 Documentation
Processor maintains internal breach records as required by GDPR.

8. Return, Deletion and Retention of Data

8.1 On Termination
Upon termination of the Service Agreement, Processor will return personal data to the Client upon request.

8.2 Deletion
Processor deletes personal data used for relocation services at the end of the retention period.

8.3 Retention Periods
Processor may retain personal data:
• for up to 3 years for legal defence and audit purposes, and
• for 7 years for accounting and invoicing records.

8.4 Backups
Deletion from automated cloud backups occurs according to system backup cycles.

9. Sub-Processors and International Transfers

9.1 Sub-Processors
Processor may use standard cloud service providers as sub-processors.

9.2 Current Sub-Processors
• Google Workspace (Gmail, Google Drive, Google Meet)
• Atlassian Trello
• SK ID Solutions (DigiDoc)
• LHV Bank (payments)
• Squarespace (website hosting)

9.3 Sub-Processor Obligations
All sub-processors are bound by contracts providing GDPR-equivalent protections.

9.4 Liability
Processor remains fully liable for the performance of sub-processors.

9.5 International Transfers
When data is transferred outside the EEA, Processor relies on:
• Standard Contractual Clauses, or
• other legally valid safeguards.

10. Liability

Processor’s liability under this DPA is limited to the total amount paid by the Client under the applicable Service Agreement.

Processor is not liable for:
• errors in data provided by the Client,
• insecure communication systems used by the Client,
• unlawful instructions provided by the Client.

11. Description of Processing

11.1 Purpose

To provide relocation and immigration support services to the Client.

11.2 Data Subjects

• Client’s employees
• Client’s contractors (if applicable)
• Employees’ family members

11.3 Categories of Personal Data

• Identification data (name, date of birth, nationality)
• Contact details (email, phone)
• Passport and ID information
• Employment details needed for immigration
• Application-related supporting documents
• Family relationship documents
• Communication records
• Consultation notes
• Special category data contained in official documents

11.4 Processing Operations

• Receiving documents from Client
• Organising information in Trello / Gmail / Google Drive
• Storage and case management
• Communication with Client and authorities
• Preparing immigration documentation
• Submitting applications to PBGB and embassies on Client’s behalf under Power of Attorney
• Returning or deleting data
• Retention for legal defence and accounting

11.5 Processing Period

Duration of the Service Agreement, plus retention periods described in Section 8.

12. Governing Law and Validity

This DPA is governed by the laws of the Republic of Estonia.
Disputes shall be resolved in Estonian courts.

This DPA remains valid as long as Processor processes personal data on behalf of the Client.

Last updated: 22.12.2025