Data Processing Agreement


This agreement ("Agreement") comes into effect when registering on after May 25th 2018. It is automatically valid and protects all users registered before that date.

This agreement is made between:

Registered Users of (hereinafter called “CLIENT”, or “Controller” and together with VMGLTD, the “Parties”),


Velocity Made Good Ltd., having its principal office at 1002 Unicorn Trade Center, 127-131 Des Voeux Road, Central, Hong Kong (hereinafter called “VMGLTD”).


A. The Parties have entered into an HLR Lookup Services Agreement under the Terms of Service of, hereinafter: (“Main Agreement”);

B. In the course of providing the Services as defined in the Main Agreement it is necessary for VMGLTD to process certain personal data on behalf of the CLIENT, who may act as a controller or as a processor of personal data as defined under the Applicable Data Protection Law;

the Parties have entered into this Data Processing Agreement (hereinafter: “DP Agreement”) according to the Article 28 of the EU General Data Protection Regulation (GDPR) and agree as follows:


(a) GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(b) “Applicable Data Protection Law” means all applicable laws, regulations, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data, including all the provisions of the GDPR, and any other relevant laws, regulations or instruments, as amended or superseded from time to time and together with any regulations or instruments made thereunder, that are applicable to a controller or processor.

(c) “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.

(d) “Controller” is the natural or legal person, authority, organization or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.

(e) “Processor” is a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.

(f) “Sub-processor” is the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Controller.

(g) “Third Party” means a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, Processor, Sub-processor, and persons who, under the direct authority of the Controller, Processor or Sub- processor, are authorized to process Personal Data.

(h) The terms used in this DP Agreement such as “processing” (and “process”), “transfer of data”, “categories of data”, “personal data breach” and “technical and organizational measures” shall have the meaning ascribed to them in the Applicable Data Protection Laws.

(i) The term “Services” shall have the meaning ascribed to it in the Main Agreement.


2.1. This DP Agreement governs the processing of Personal Data by VMGLTD as a Processor for and on behalf of the CLIENT as a Controller, according to the Controller’s instructions, in connection with the provision of the Services defined in the Main Agreement.

2.2. This DP Agreement serves to supplement the Main Agreement and forms its integral part. If there is a conflict between this DP Agreement and the Main Agreement, the provisions of this DP Agreement will prevail.


3.1. If and to the extent that the Processor will be processing Personal Data on behalf of the Controller in the course of the performance of the Services, an overview of the nature, purposes and duration of the processing, categories of Personal Data, and categories of Data Subjects, insofar this is not already described in the Main Agreement or in separate written, including e-mail, communication between the Parties.


4.1. The Controller shall be solely responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Controller shall ensure in its area of responsibility that the necessary legal requirements are met (for example by collecting declarations of consent) so that the Processor can provide the agreed Services in a way that does not violate any legal regulations.

4.2. The Processor shall process Personal Data only upon the documented instructions of the Controller, and the Controller shall ensure that its instructions are lawful and that Processor’s processing of Personal Data will not cause the Processor to violate any applicable law, regulation or rule, including Applicable Data Protection Laws.


5.1. Permitted purposes

5.1.1. Processor shall process Personal Data exclusively in the context of the concluded Main Agreement and only to the extent and in the appropriate way necessary in order to provide its Services to the Controller under the Main Agreement (permitted purposes).

5.2. Instructions

5.2.1. The Processor shall process Personal Data in accordance with this DP Agreement and Applicable Data Protection Laws and only upon the documented instructions of the Controller, including the transfer of Personal Data to a non-EU country or an international organisation, unless the Processor is required to process the Personal Data under mandatory law.

5.2.2. In the event that a mandatory law prevents the Processor from complying with such instructions or requires Processor to process and/or disclose the Personal Data to a Third Party, Processor shall inform Controller in writing of such legal requirement before carrying out the relevant processing activities and/or disclosing the Personal Data to a Third Party, unless the Processor is prohibited under that law from informing the Controller of such processing.

5.2.3. The Processor shall inform the Controller in writing if, in the Processor's opinion, an instruction infringes any applicable legal provisions. The Processor shall be entitled to suspend performance of such an instruction until it is confirmed or changed by the Controller.

5.3. Confidentiality

5.3.1. All Personal Data that the Processor receives from the Controller in the course of providing its Services pursuant to the Main Agreement or on the basis of the Main Agreement is confidential and the Processor shall not provide or make the Personal Data in any other way available to any Third Party without the Controller’s prior written consent.

5.3.2. The Processor shall ensure that only those of its employees and other persons operating on behalf of the Processor who have a need to know and are under confidentiality obligations with respect to the Personal Data, have access to the Personal Data.

5.4. Technical and Organisational Measures

5.4.1. The Processor warrants that it maintains and shall continue to maintain appropriate and sufficient technical and organisational measures to protect Personal Data against accidental loss, destruction, damage, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

5.4.2. Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor warrants that appropriate technical and organisational measures have been implemented in order to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of an incident.

5.4.3. Processor commits that it has implemented the procedure to control and identify unauthorized or illegal access or use of Personal Data. This includes regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing on an ongoing basis. The Processor shall continuously enhance and improve such data protection measures.

5.4.4. At the Controller’s request, the Processor shall provide the Controller with full details of the technical and organisational measures employed by it.

5.5. Responding to Data Subject and Third Party requests

5.5.1. In the event that Processor receives a complaint, request, enquiry or communication from either a Data Subject, supervisory authority or Third Party which relates to the processing of Personal Data or to either Party's compliance with Applicable Data Protection Laws or this DP Agreement, Processor shall immediately, and in any case no later than within five (5) working days, inform the Controller providing details of the same, to the extent legally permitted.

5.5.2. Unless obliged to do so by mandatory laws, Processor shall not respond to any such request, complaint, enquiry or communication without the Controller’s prior written consent, except to confirm that such request relates to the Controller, and shall provide the Controller with full co-operation, information and assistance in relation to it, including but not limited to the correction, deletion and blocking of Personal Data.

5.6. Assistance with the Controller’s compliance

5.6.1. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights. Insofar as a Data Subject consults the Processor directly with regard to the assertion of a Data Subject right, the Processor shall forward the requests of the Data Subject promptly to the Controller.

5.6.2. Taking into account the nature of processing and the information available to the Processor, Processor shall provide the Controller at the Controller’s cost any further assistance required to ensure compliance with the Controller’s obligations under Applicable Data Protection Laws, including assisting the Controller with the performance of any relevant data protection impact assessments and prior consultations with data protection supervisory authorities regarding high risk processing.

5.7. Personal Data breach notification

5.7.1. In respect of any Personal Data breach, the Processor shall notify the Controller of such a breach immediately, but in no event later than 48 h (forty-eight hours) after becoming aware of the Personal Data breach and provide reasonable details pertaining the subject Personal Data breach.

5.7.2. Personal Data breach notification shall be sent to the Controller’s registered e-mail addresses, and shall include, at the time of notification or as soon as possible after notification:

  • the description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned as well as the categories and an estimated number of Personal Data records concerned;
  • the name and contact details of the data protection officer or other contact point for further relevant inquiries;
  • the description of the likely consequences of the Personal Data breach;
  • the description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.7.3. The Processor shall provide all necessary information and assistance to the Controller in relation to any action taken in response to such Personal Data breaches under Applicable Data Protection Laws.

5.7.4. Unless required by mandatory law, the Processor shall not disclose nor publish any statement, communication, notice, press release or report regarding a Personal Data breach, nor notify Data Subjects or data protection authorities, without the Controller’s prior written consent.

5.8. Records of processing activities

5.8.1. If is required so by Applicable Data Protection Laws, the Processor shall maintain complete, accurate and up to date records of processing activities carried out on behalf of the Controller according to Applicable Data Protection Laws and Art. 32 (2) GDPR and provide those records upon request to the Controller.

5.8.2. The Processor shall cooperate with the Controller and shall provide the Controller with any details necessary for maintaining its records of processing activities when requested to do so.


6.1. The Controller consents to the Processor to engage further processors (sub-processors) for carrying out specific processing activities on behalf of the Controller, under the condition that the Processor impose the same data protection obligations as set out in this DP Agreement on that other processors, to the extent applicable to the nature of the services provided by such Sub-Processor, by way of a written contract or other legal act according to the Applicable Data Protection Laws. The Processor shall provide the Controller with all necessary information regarding such contracts with sub-processors upon request.


7.1. Unless otherwise agreed with the Controller in writing (including e-mail), the Processor shall ensure that Personal Data are stored and processed at the processing systems located in its data centres within European Economic Area (EEA), and any transfer of Personal Data to the Processor’s data centres located outside the European Union or European Economic Area (EEA) can be made only upon such a instruction of the Controller.

7.2. Where the performance of the Services involves a transfer of Personal Data outside the European Economic Area (EEA), the Processor will take such steps as may be required to ensure there is adequate protection for such Personal Data in accordance with the Applicable Data Protection Laws (especially Articles 44 to 49 of the GDPR), which may include entering into the Standard Contractual Clauses set out in the European Commission’s Decision 2010/87/EU.

7.3. The Controller hereby grants its consent to the Processor to enter into any agreement or take any measures, including on behalf of the Controller, to establish and ensure an adequate level of data protection in the transfer of Personal Data to a sub-processing party outside the EEA. In the event of an application of the EU standard contractual clauses, the Processor is entitled to conclude such clauses on behalf of the Controller. The power of authority for this purpose is hereby granted by the Controller.


8.1. This DP Agreement shall come into effect on May 25, 2018 or upon signature of both Parties, whichever occurs later, and shall be valid for the duration of the actual provision of Services by the Processor. The Processor’s confidentiality obligations shall survive any termination of this DP Agreement.

8.2. In case Processor is in material breach of any provision of this DP Agreement, Controller has the right to terminate both this DP Agreement as well as the Main Agreement for cause, in whole or in part, under the conditions defined in the Main Agreement.

8.3. Following the termination of this DP Agreement and/or of the Main Agreement for any reason Processor shall, at the instruction of the Controller

  • comply with any other agreement made between the Parties concerning the return or deletion of Personal Data; and/or
  • return or delete, at the Controller’s choice, all Personal Data passed to Processor by VMGLTD for processing.

When Personal data shall have to be returned, that should be in a format with can be easily read and used by Controller. Personal Data will be returned in accordance with a schedule agreed by the Parties, within a time frame of ten (10) working days from termination of this DP Agreement or the Man Agreement. Processor shall not retain any copies of the Personal Data in any form what so ever, with the only exception being as expressly required as per mandatory laws, and even then solely for the duration and the purposes required by the same; and/or on receipt of instructions from the Controller, delete all such data unless prohibited from doing so by mandatory law, in which case the Processor shall inform the Controller of any such requirement unless prohibited by that applicable law.

8.4. Where applicable, Processor shall ensure that all of its own sub-contractors comply with obligation set out in the Article 8.3. of this DP Agreement.

8.5. Upon request by the Controller, Processor shall automatically delete processed MSISDNs twelve months after submission.


9.1. In case of any conflict, the provisions of this DP Agreement shall take precedence over the provisions of the Main Agreement. Where individual provisions of this DP Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this DP Agreement shall not be affected.

Effective: May, 20th 2018