Data Processing Agreement
Version: 1.0
Dated: 23 October 2025
- Introduction
- This data processing agreement (the “DPA”) is incorporated and forms part of the agreement, including its relevant terms and conditions (the “Agreement”), between you (the “Controller”, or “you”), as user of ParkBee’s parking space management system (the “Portal”) and, depending on your location, either ParkBee B.V., a Dutch private limited company with its registered office at Mr. Treublaan 7, 1097 DP Amsterdam, the Netherlands, registered with the Dutch Chamber of Commerce under number 58811001 (for EU), or ParkBee Limited, a company registered in England and Wales with its registered office at Fora - Borough, 180 Borough High Street, London, England, SE1 1LB, United Kingdom under number 10130303 (for the UK) (“Processor”, “we” or “ParkBee”). Controller and Processor may also jointly be referred to as the “Parties” and each as a “Party”.
- This DPA governs the Processing of Personal Data performed by ParkBee on behalf of the Controller in connection with the use of the Portal, in compliance with the General Data Protection Regulation (EU) 2016/679 and/or the UK General Data Protection Regulation (UK GDPR).
- You agree that ParkBee may modify this DPA at any time in its sole discretion and without prior notice to you. Any changes will be published online and will be effective upon such publishing. We will notify you directly in case of any material changes to this DPA. We encourage you to review this DPA periodically to ensure familiarity with its then-current terms and conditions. Your continued use of the Portal constitutes your acceptance of the DPA, as amended.
- If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
- Definitions
- The definitions used in this DPA shall have the meaning ascribed to them in the Agreement or in this clause 2.1:
“Agreement” has the meaning given to it in clause 1.1;
“Business Days” means any day other than a Saturday, Sunday, or public holiday in the Netherlands and/or the United Kingdom on which banks are open for general business;
“Controller” has the meaning given to it in clause 1.1;
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the Portal. A Data Breach will not include mitigated or unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, DDoS, and other network attacks on firewalls or networked systems;
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including without limitation European Data Protection Laws, the UK General Data Protection Regulation, and other applicable privacy laws, in each case as amended, repealed, consolidated, or replaced from time to time;
“DPA” has the meaning given to it in clause 1.1;
“ParkBee” has the meaning given to it in clause 1.1;
“Party” or “Parties” has the meaning given to it in clause 1.1;
“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws;
“Portal” has the meaning given to it in clause 1.1;
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process”, “Processes”, and “Processed” will be construed accordingly; and
“Processor” has the meaning given to it in clause 1.1.
- The headings in this DPA do not affect its interpretation.
- References to the word ‘including’ shall be construed so as to be followed by the words ‘but not limited to’. In this DPA, a reference to a clause, subclause, paragraph, or schedule is a reference to a clause, subclause, paragraph, or schedule of this DPA. The schedules form part of this DPA.
- Roles
- The Controller determines the purposes and means of Processing Personal Data and is responsible for compliance with applicable Data Protection Laws. The Processor shall process Personal Data solely on behalf of the Controller and only in accordance with the Controller’s documented instructions, unless required to do so by law.
- In particular but without prejudice to clause 3.1, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data provided in the Portal and the means by which you acquired such Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Personal Data, including providing adequate notices, and obtaining any necessary consents and authorizations; (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to ParkBee for Processing in accordance with the terms of the Agreement (including this DPA); (iv) complying with all laws applicable to any emails or other content created, sent, or managed through the Subscription Services (including those relating to obtaining consents to send emails, the content of emails, and email deployment practices); and (v) ensuring that your use of Personal Data complies with Data Protection Laws and is strictly limited to the purposes set out in the Agreement (including this DPA). You will inform us without undue delay if you are not able to comply with your responsibilities under this clause or Data Protection Laws.
- Subject of this DPA
- The Controller will be granted access to the Portal. The use of the Portal may involve the Processing of Personal Data, which will be subject to this DPA. The Processor is authorised to process Personal Data on behalf of the Controller on the terms and conditions set out in this DPA.
- The following data is Processed by the Processor: name, contact information, license plate number, reservation data, access data, role data, transaction details, subscription information, location, and usage statistics. Additional data may be Processed when it is collected via the Portal. The Personal Data Processed by the Processor may vary depending on the products and/or functions used by the Controller in the Portal. The Processor only Processes Personal Data which is entered by the Controller into the Portal or is generated by the Controller’s use of the Portal.
- The categories of data subjects include garage owners, their employees, users, guests, and other individuals for whom reservations are made. Special categories of personal data are not intended to be Processed.
- The duration of the Processing corresponds to the duration of the Controller’s use of the Portal. The subject matter of Processing is the provision of access to and use of the Portal. The nature and purpose of the Processing include management of parking spaces, user bookings, and revenue reporting.
- The Processor shall use its reasonable efforts to ensure that it only Processes Personal Data where necessary (data minimization).
- Obligations of the Processor
- The Processor shall process Personal Data in accordance with the documented instructions of the Controller, unless otherwise required by Data Protection Laws. In such cases, the Processor shall, where legally permissible, inform the Controller without undue delay and refer the competent authority to the Controller.
- The Processor confirms that all persons authorized to process Personal Data are subject to an appropriate statutory or contractual confidentiality obligation.
- The Processor confirms that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with section 32 of the (UK) GDPR. These measures are further detailed in clause 6.
- To the extent reasonably possible and upon written request, the Processor shall assist the Controller in fulfilling its obligations under Chapter III of the (UK) GDPR, including responding to data subject requests. Should the Processor receive a request directly from a data subject and reasonably determine that the request concerns Processing under the Controller’s responsibility, it shall forward the request to the Controller without undue delay.
- The Processor shall, upon reasonable request and to the extent it is necessary and proportionate, support the Controller in meeting its obligations under sections 32 up to and including 36 of the (UK) GDPR, including Data Breach notifications, data protection impact assessments, and prior consultations. Support shall be limited to what is reasonably practicable, considering the nature of the Processing and the information available to the Processor.
- We will notify you without undue delay, but within 48 hours, after we become aware of any Data Breach and will provide the relevant information relating to the Data Breach as it becomes known to us. At your request, we will provide you with such reasonable assistance as necessary to enable you to notify the Data Breach to competent authorities and/or affected data subjects, if you are required to do so under Data Protection Laws.
- The Controller is entitled to verify compliance with the obligations set out in this Agreement, including through audits by an independent third party, which costs shall be borne by the Controller. The Processor shall reasonably cooperate and make available information necessary for such verification, provided that (i) reasonable prior written notice is given, (ii) audits are conducted during normal business hours, and (iii) such audits do not unreasonably interfere with the Processor’s business operations. Such an audit may be requested once per year, unless the Controller has reasonable suspicion that Processor is in breach of its obligations, in which event such limitation does not apply.
- If the Processor considers that an instruction from the Controller violates applicable Data Protection Laws, it shall inform the Controller without undue delay. The Processor shall be entitled to suspend the execution of the instruction until it is confirmed or amended by the Controller.
- Security of Processing
- The Processor has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including pseudonymisation, encryption, confidentiality, integrity, availability, and resilience of processing systems. Processor makes use of access control mechanisms (role-based access and multi-factor authentication), audit logging and monitoring procedures. Processor maintains an information security program including access controls, encryption (minimum TLS 1.2 for data in transit, AES-128 or equivalent for data at rest), vulnerability management, system monitoring, and physical security measures. These are regularly reviewed, tested, and updated to ensure continued protection of Personal Data.
- Sub-processors
- The Controller hereby authorises the use of sub-processors by the Processor. A current list of sub-processors can be found at https://business.parkbee.com/en/legal/privacy-policy. The Processor shall ensure that any sub-processor is bound by the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for any failure by a sub-processor to fulfil its obligations.
- In the event of new sub-processors, Processor shall update the list of sub-processors as included at https://business.parkbee.com/en/legal/privacy-policy.
- For sub-processors handling significant volumes of Personal Data or involved in high-risk Processing activities, the Processor shall conduct and document a risk assessment before engagement and notify the Processor via e-mail.
- The Controller shall have the right to object to any new sub-processor on reasonable and documented data protection grounds, within 20 Business Days of receiving the notification. Such objections must be submitted in writing and must clearly state the specific data protection concerns involved. Upon receipt of a valid objection, the Parties shall promptly enter into good-faith discussions to address the Controller’s concerns. The Processor will use reasonable efforts to propose a commercially reasonable alternative, including delaying the engagement of the proposed sub-processor, offering a modified service configuration, or addressing the concern through additional safeguards satisfactory to the Controller. If no mutually acceptable solution is reached within 20 Business Days of the Controller’s objection, the Processor shall not engage the proposed sub-processor in relation to the Controller’s Personal Data. If the inability to appoint the sub-processor materially prevents the Processor from performing its services based on the Agreement, the Parties shall discuss in good faith whether a termination or partial suspension of the affected services is appropriate, in accordance with the Agreement.
- International transfers
- Personal Data may only be transferred outside the EEA or UK where appropriate safeguards are in place pursuant to Chapter V of the GDPR and/or UK GDPR. Such safeguards include transfers to countries with adequacy decisions, or where the Processor has implemented:
- For EEA transfers: Standard Contractual Clauses (SCC) per Commission Implementing Decision (EU) 2021/914, or other transfer mechanisms approved under section 46 GDPR; or
- For UK transfers: UK adequacy regulations (including for EEA transfers), the UK IDTA or UK Addendum to the EU SCCs, or other UK-approved transfer mechanisms approved under section 46 UK GDPR and section 17C of the Data Protection Act 2018.
The Processor shall conduct transfer impact assessments where required and maintain documentation of all international transfers and applicable safeguards. In the event of the SCC being required, Processor shall ensure that they are executed separately.
- Where transfer impact assessments identify risks that cannot be adequately mitigated, the Processor shall: (a) notify the Controller promptly; (b) suspend the transfer until adequate measures are implemented; and (c) document all supplementary measures applied.
- Liability
- Each Party shall be liable in accordance with the applicable provisions of the (UK) GDPR for any damage suffered by a data subject resulting from unlawful or incorrect Processing or use of Personal Data in the context of this DPA. The Parties shall indemnify each other from liability to the extent that one Party can legally demonstrate it is not responsible for the event that caused the damage to the data subject.
- Any liability for damages shall be limited to the amount covered by the Processor’s business liability insurance, and in any event, shall not exceed twelve (12) times the monthly License Fee (Licentiekosten) payable under the Agreement.
- For the avoidance of doubt, nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable Data Protection Laws, including but not limited to liability under section 82 (UK) GDPR. The limitations in clause 9.2 apply only to contractual damages between the Parties and do not affect any statutory right to compensation under Data Protection Laws.
- Notices
- All notices and communication from Controller to Processor with regard to this DPA may be addressed to privacy@parkbee.com. Any notices and communication from Processor to Controller shall be communicated via the Portal and/or e-mail.
- Duration of the DPA
This DPA shall remain in effect for the duration of the Agreement or for the period the Controller has access to the Portal, whichever is longer. This DPA cannot be terminated separately from the Agreement. Upon termination, the Processor shall, at the Controller’s choice, delete or return all Personal Data and delete existing copies unless required by law to retain such data, in accordance with its privacy policy available at https://business.parkbee.com/en/legal/privacy-policy.
- Governing Law and jurisdiction
- For Controllers located in the EEA, this DPA shall be governed by Dutch law and any dispute shall be submitted to the competent court in Amsterdam.
- For Controllers located in the UK, this DPA shall be governed by the laws of England and Wales and disputes shall be submitted to the courts of England and Wales.



