International Data Transfer Agreement — Fallback Provision
Preamble
This International Data Transfer Agreement Fallback Provision ("Fallback Provision") forms part of the framework contract between The Despatch Company Ltd ("We", "Us", "Our", "Provider", or "The Despatch Company Ltd") and the Client ("You", "Your"), which comprises:
The Statement of Work(s);
The Extended Terms and Conditions; and
The Data Processing Agreement.
This Fallback Provision is activated automatically where the transfer of Client Personal Data from the Client (as Data Controller) to The Despatch Company Ltd (as Data Processor) in the United Kingdom constitutes a restricted transfer under the EU GDPR or the UK GDPR, and where no adequacy decision or other appropriate safeguard already applies to that transfer.
Where the transfer is not a restricted transfer (for example, where the Client is based in the United States and the data subjects are US nationals), this Fallback Provision does not apply, and the Data Processing Agreement governs the relationship in full. This Fallback Provision is published on Our website and forms part of each Client agreement to ensure that, wherever a restricted transfer does arise, the appropriate legal mechanism is already in place without the need for separate negotiation.
Definitions
The following definitions apply throughout this Fallback Provision. Where a term is already defined in the Extended Terms and Conditions or the Data Processing Agreement, it carries the same meaning here, ensuring consistency across all documents that form part of the framework contract.
"Addendum" means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the Information Commissioner's Office (ICO) and laid before Parliament on 2 February 2022 pursuant to section 119A of the Data Protection Act 2018 (template Addendum B.1.0), as revised from time to time in accordance with Section 18 of the Mandatory Clauses.
"Agreement" has the meaning given to it in clause 1.6 of the Extended Terms and Conditions, being the framework contract comprising the Statement of Work(s), the Extended Terms and Conditions, and the Data Processing Agreement.
"Client" has the meaning given to it in clause 1.53 of the Extended Terms and Conditions, being the entity entering into a Statement of Work or Order Form as the "Client". In the context of this Fallback Provision, the Client is the Data Exporter and the Data Controller.
"Client Data Subject(s)" has the meaning given to it in clause 1.17 of the Extended Terms and Conditions, being the entities whose data is processed by The Despatch Company Ltd on behalf of the Client.
"Client Personal Data" has the meaning given to it in clause 1.20 of the Extended Terms and Conditions, being any Personal Data that is processed by The Despatch Company Ltd on behalf of the Client in relation to the Agreement, but excluding Personal Data with respect to which The Despatch Company Ltd is a Data Controller.
"Data Controller" or "Controller" has the meaning given to it in the Data Processing Agreement, being the natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. This is the Client (You).
"Data Exporter" means the Data Controller transferring Personal Data to the Data Importer. In the context of this Fallback Provision, this is the Client.
"Data Importer" means the Data Processor receiving Personal Data from the Data Exporter. In the context of this Fallback Provision, this is The Despatch Company Ltd.
"Data Processing" has the meaning given to it in clause 1.23 of the Extended Terms and Conditions, being the meaning given to it by UK GDPR and the Data Protection Act 2018.
"Data Processing Agreement" or "DPA" means the data processing agreement published at https://thedespatchcompany.com/data-processing-agreement, which forms part of the framework contract.
"Data Processor" or "Processor" has the meaning given to it in the Data Processing Agreement, being a natural or legal person, agency or other body which processes Personal Data on behalf of the Controller. This is The Despatch Company Ltd (Us).
"Data Protection Laws" has the meaning given to it in clause 1.24 of the Extended Terms and Conditions, being all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Client Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679) or UK equivalent.
"EU GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679).
"EU SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the EU GDPR, as adopted by the European Commission on 4 June 2021 under Commission Implementing Decision 2021/914.
"Extended Terms and Conditions" means the extended terms and conditions published at https://thedespatchcompany.com/extended-terms, which form part of the framework contract.
"Fallback Provision" means this International Data Transfer Agreement Fallback Provision.
"Label" has the meaning given to it in clause 1.13 of the Extended Terms and Conditions, being a single API request sent to a courier to generate a label for the dispatch of a letter or packet.
"Order" has the meaning given to it in clause 1.12 of the Extended Terms and Conditions, being the addition of a record in a The Despatch Company Ltd system that has data (in full or in part) that would enable goods to be shipped to a recipient.
"Personal Data" has the meaning given to it in clause 1.38 of the Extended Terms and Conditions, being the meaning given to it in the Data Protection Laws applicable in the United Kingdom.
"Restricted Transfer" means a transfer of Personal Data from the United Kingdom or the European Economic Area to a country or territory that is not subject to an adequacy decision, or from the EEA to a country that is not subject to an EU adequacy decision, in each case where such transfer is subject to the UK GDPR or EU GDPR respectively.
"Security Incident" has the meaning given to it in clause 1.42 of the Extended Terms and Conditions, being an unauthorised access or breach of data security.
"Statement of Work" or "Statement of Works" has the meaning given to it in clause 1.60 of the Extended Terms and Conditions, being one or more documents titled as such that describe the specific Hosted Services, Support Services or Development Services to be delivered under the Agreement.
"Sub-processor" means any Data Processor engaged by The Despatch Company Ltd to carry out processing activities on behalf of the Client, as referred to in clause 4.5 of the Data Processing Agreement.
"UK GDPR" means the retained EU law version of the General Data Protection Regulation (Regulation (EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
PART 1: UK INTERNATIONAL DATA TRANSFER ADDENDUM
This Part 1 sets out the tables required to complete the UK Addendum, as issued by the ICO. The Mandatory Clauses of Part 2 of the Addendum are incorporated into this Fallback Provision by reference, being template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
PART 2: MANDATORY CLAUSES OF THE UK ADDENDUM
The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, are incorporated into this Fallback Provision by reference in their entirety.
The full text of the Mandatory Clauses is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
PART 3: EU STANDARD CONTRACTUAL CLAUSES — MODULE 2 (CONTROLLER TO PROCESSOR)
The EU Standard Contractual Clauses (Module 2: Controller to Processor), as adopted by the European Commission on 4 June 2021 under Commission Implementing Decision 2021/914, are incorporated into this Fallback Provision by reference in their entirety.
The full text of the EU SCCs is available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
The Annexes to the EU SCCs are set out below and are populated to reflect the specific nature of the services provided by The Despatch Company Ltd.
ANNEX I: DESCRIPTION OF THE TRANSFER
A. List of Parties
Data Exporter:
The Data Exporter is the Client, as identified in the Statement of Work or Order Form. The Client is the Data Controller who determines the purposes and means of the processing of Client Personal Data. The Client transfers Client Personal Data to The Despatch Company Ltd for the purpose of receiving despatch and logistics services.
Data Importer:
The Data Importer is The Despatch Company Ltd, registered in England & Wales under company number 09615192. The Despatch Company Ltd is the Data Processor which processes Client Personal Data on behalf of the Client in connection with the provision of Hosted Services as described in the Statement of Works. The Despatch Company Ltd processes Client Personal Data solely in the United Kingdom, in UK-based data centres.
B. Description of Transfer
Categories of Data Subjects whose Personal Data is transferred:
The Client Personal Data transferred concerns the following categories of Data Subjects, as defined in the Data Processing Agreement and referred to as "Client Data Subjects" in the Extended Terms and Conditions:
Customers of the Client who have placed Orders for the delivery of physical goods.
End Users of the Client, being entities to which the Client resells the service or otherwise enters into a contract with.
Employees or representatives of the Client where their contact details are provided in connection with the management of the account.
Categories of Personal Data transferred:
The Client Personal Data transferred falls within the following categories, as described in clause 2.1 of the Data Processing Agreement:
Full name.
Delivery address and, where applicable, billing address.
Email address.
Telephone number.
Individual tax number, where required for export Orders to certain countries.
Order reference numbers and associated order information.
Any other information provided by the Client that is necessary for a courier to deliver an Order.
Sensitive Data transferred (if applicable):
No special categories of Personal Data (as defined under Article 9 of the UK GDPR or EU GDPR) are intended to be transferred under this Fallback Provision. The Client must not transfer special category data to The Despatch Company Ltd without prior written consent and a separate agreement addressing the additional safeguards required.
Frequency of the transfer:
The transfer is continuous and occurs on a per-Order basis throughout the duration of the Agreement.
Nature of the processing:
The Despatch Company Ltd, as Data Processor, will carry out the following processing activities on the Client Personal Data, as described in clauses 2.1.1 and 2.1.2 of the Data Processing Agreement:
Receiving and ingesting Client Personal Data via the Hosted Services Platform.
Storing Client Personal Data securely in UK-based data centres.
Processing Orders for physical items which require delivery through a post or courier network.
Generating postage Labels (physical or digital images) containing the relevant Client Personal Data.
Transmitting the necessary Client Personal Data to authorised Sub-processors, including courier and postal services, for the purpose of fulfilling delivery.
Providing order management and warehouse management services through the Hosted Services.
Purpose(s) of the data transfer and further processing:
The sole purpose of the transfer is to enable The Despatch Company Ltd to provide despatch and logistics services to the Client as described in the Statement of Works. The Despatch Company Ltd is not permitted to use Client Personal Data for any other purpose, in accordance with clause 4.2 of the Data Processing Agreement.
Retention period:
Client Personal Data will be retained for the duration of the processing of an Order and for a subsequent period as specified in clause 6.2 of the Extended Terms and Conditions. Where no specific retention period is stated in the Statement of Works, Client Personal Data will be securely deleted or anonymised within 90 days of the completion of the service to which it relates, in accordance with clause 4.11 of the Data Processing Agreement. The Despatch Company Ltd will retain data for longer periods only where required to do so by applicable law.
For transfers to Sub-processors:
Where Client Personal Data is transferred to Sub-processors, the subject matter, nature and duration of the processing are as set out in Annex III of this Fallback Provision.
ANNEX II: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
This Annex sets out the technical and organisational measures implemented by The Despatch Company Ltd to ensure a level of security appropriate to the risk to the rights and freedoms of Client Data Subjects, as required by Article 32 of the UK GDPR and EU GDPR, and as referenced in clause 4.4 of the Data Processing Agreement.
1. Data Encryption
The Despatch Company Ltd implements encryption as a core security control across all stages of data processing. All Client Personal Data transmitted between the Client and The Despatch Company Ltd, and between The Despatch Company Ltd and its Sub-processors, is encrypted in transit using Transport Layer Security (TLS) version 1.2 or higher. All databases, storage volumes and backup systems containing Client Personal Data are encrypted at rest using AES-256 encryption or an equivalent industry-standard algorithm. Encryption keys are managed through a formal key management process, with access to keys restricted to authorised personnel only.
2. Access Control and Authentication
Access to Client Personal Data is governed by the principle of least privilege. Role-Based Access Control (RBAC) is implemented across all systems, ensuring that personnel are granted only the level of access necessary to perform their specific job functions. All access to systems containing Client Personal Data requires multi-factor authentication (MFA). User access rights are reviewed on a regular basis and are promptly revoked upon any change in role, employment status, or business need. A formal access request and approval process is maintained.
3. Physical and Environmental Security
The Despatch Company Ltd processes all Client Personal Data in UK-based data centres. These facilities are operated with 24/7 physical security monitoring, biometric and card-based access controls, CCTV surveillance, and environmental controls including fire suppression and climate management systems. Access to data centre facilities is restricted to authorised personnel only. The Despatch Company Ltd's offices are secured with appropriate physical access controls.
4. Network and System Security
The Despatch Company Ltd maintains a layered network security architecture. Firewalls and network segmentation are used to protect systems containing Client Personal Data from unauthorised access. Intrusion Detection and Prevention Systems (IDPS) are deployed to monitor network traffic for malicious activity and to block potential threats. Regular vulnerability assessments and penetration testing are conducted on systems and applications that process Client Personal Data. Security patches and updates are applied in a timely manner in accordance with The Despatch Company Ltd's patch management policy.
5. Data Minimisation and Secure Deletion
In accordance with clause 4.2 of the Data Processing Agreement, The Despatch Company Ltd processes only the Client Personal Data that is strictly necessary to provide the Hosted Services described in the Statement of Works. Client Personal Data is securely deleted in accordance with the retention periods set out in Annex I, Section B of this Fallback Provision and clause 4.11 of the Data Processing Agreement. Secure deletion procedures ensure that data cannot be recovered or reconstructed following deletion.
6. Security Incident Management and Breach Notification
The Despatch Company Ltd maintains a Security Incident Response Plan, as required by clause 4.10 of the Data Processing Agreement. This plan details the procedures for identifying, containing, investigating and remediating Security Incidents, including those involving Client Personal Data. In the event of a Personal Data breach or suspected breach, The Despatch Company Ltd will notify the Client as soon as possible and in any event within 24 hours of becoming aware of the incident, in accordance with clause 4.10 of the Data Processing Agreement. Breach notifications will include the information required to allow the Client to meet its own notification obligations under applicable Data Protection Laws.
7. Personnel Security and Confidentiality
All personnel employed or engaged by The Despatch Company Ltd who have access to Client Personal Data are subject to contractual confidentiality obligations, in accordance with clause 4.3 of the Data Processing Agreement. The Despatch Company Ltd provides regular data protection and information security training to all relevant personnel. Background checks are conducted on personnel in accordance with applicable law and The Despatch Company Ltd's HR policies.
8. Sub-processor Management
The Despatch Company Ltd engages Sub-processors only in accordance with clause 4.5 of the Data Processing Agreement and the requirements of Article 28 of the UK GDPR. All Sub-processors are subject to written contracts that impose data protection obligations equivalent to those set out in the Data Processing Agreement and this Fallback Provision. The Despatch Company Ltd remains fully liable to the Client for the performance of Sub-processors' obligations.
9. Business Continuity and Disaster Recovery
The Despatch Company Ltd maintains documented business continuity and disaster recovery plans. Regular backups of Client Personal Data are performed and stored securely. Recovery procedures are tested periodically to ensure that data can be restored within acceptable timeframes. The Despatch Company Ltd guarantees a 99.8% uptime for the Hosted Services, as set out in clause 3.3 of the Extended Terms and Conditions.
10. Data Protection by Design and by Default
The Despatch Company Ltd integrates data protection considerations into the design and operation of its Hosted Services. Privacy-enhancing technologies and data minimisation techniques are applied by default. Data protection impact assessments are carried out where processing activities are likely to result in a high risk to the rights and freedoms of Data Subjects.
ANNEX III: LIST OF SUB-PROCESSORS
The Client, as Data Controller, provides general written authorisation for The Despatch Company Ltd to engage Sub-processors for the purpose of providing the Hosted Services, subject to the conditions set out in clause 4.5 of the Data Processing Agreement and this Annex.
A current list of Sub-processors engaged by The Despatch Company Ltd will be provided to the Client in the Statement of Works. The Despatch Company Ltd will notify the Client in writing of any intended changes to the list of Sub-processors, including the addition or replacement of Sub-processors, giving the Client sufficient opportunity to object to such changes before the new Sub-processor begins processing Client Personal Data.
All Sub-processors are bound by written agreements that impose data protection obligations no less protective than those set out in the Data Processing Agreement and this Fallback Provision. Where a Sub-processor is located outside the United Kingdom or the European Economic Area, The Despatch Company Ltd will ensure that an appropriate transfer mechanism is in place for that onward transfer, in accordance with clause 4.9 of the Data Processing Agreement.
General Provisions
Relationship to Other Documents
This Fallback Provision supplements and forms part of the framework contract. In the event of any conflict or inconsistency between this Fallback Provision and the Extended Terms and Conditions or the Data Processing Agreement, the provisions of this Fallback Provision shall prevail to the extent necessary to ensure compliance with the EU SCCs and the UK Addendum. In all other respects, the Extended Terms and Conditions shall prevail in accordance with clause 2.4 of those terms.
Updates to this Fallback Provision
The Despatch Company Ltd reserves the right to update this Fallback Provision in accordance with clause 2.6 of the Extended Terms and Conditions, and specifically to reflect changes in applicable Data Protection Laws, regulatory guidance, or the requirements of the EU SCCs or UK Addendum. In accordance with clause 2.6.3 of the Extended Terms and Conditions, any changes to this Fallback Provision may only be made to reflect changes in law or regulatory guidance and not to reduce data protection safeguards.
Governing Law and Jurisdiction
This Fallback Provision, to the extent it constitutes the UK Addendum, is governed by the laws of England and Wales. The courts of England and Wales shall have jurisdiction over any disputes arising under the UK Addendum component of this Fallback Provision. The EU SCCs component of this Fallback Provision is governed by the law of the Republic of Ireland, as selected in Table 2 above.
Acceptance
By entering into a Statement of Work or Order Form with The Despatch Company Ltd, the Client confirms that it has read, understood and agrees to be bound by this Fallback Provision as part of the framework contract.
This document is published by The Despatch Company Ltd and forms part of its standard framework contract. It is intended for informational and contractual purposes. Clients are advised to seek independent legal advice to confirm that this Fallback Provision meets their specific legal requirements.
Last reviewed: March 2026