PROCESSING AGREEMENT UNDER THE GENERAL DATA PROTECTION REGULATION
ARTICLE 1. PRELIMINARY PROVISIONS
The terms in this Processor Agreement that are defined in the GDPR have the meaning as described therein.
Where reference is made in this Processor Agreement to a provision of the Wbp, as of May 25, 2018, we are referencing the corresponding provision of the General Data Protection Regulation (the “GDPR”).
ARTICLE 2. PURPOSES OF PROCESSING
The Processor undertakes to process personal data on behalf of the Controller under the conditions of this Processor Agreement. Processing will only take place in the context of executing the Agreement and for purposes to be determined with further consent.
The Controller himself determines which (types of) personal data he will have processed by the Processor and to which (categories of) data subjects these personal data relate. The Processor does not influence this.
The Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in the Processor Agreement.
The personal data to be processed on behalf of the Controller remain the property of the Controller or the relevant person(s).
The Controller guarantees that the content, use, and instructions to process personal data as referred to in the Processor Agreement are not unlawful and do not infringe any rights of third parties. In addition, the Controller is responsible for ensuring that the processing of personal data falls under one of the exemptions under the GDPR, or if this is not the case, that a notification will be sent to the Dutch Data Protection Authority; and that from 25 May 2018 it will keep a register of the processing operations regulated under this Processor Agreement.
The Controller indemnifies the Processor against all claims related to non-compliance or incorrect compliance with the obligations from Article 2.5.
ARTICLE 3. OBLIGATIONS OF THE PROCESSOR
With regard to the processing operations referred to in Article 2, the Processor will ensure compliance with the conditions set for the processing of personal data by the Processor based on the GDPR.
The Processor will inform the Controller, at its first request, about the measures it has taken with regard to its obligations under this Processor Agreement and the Wbp and GDPR.
The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor.
ARTICLE 4. TRANSFER OF PERSONAL DATA
The Processor may process the personal data in countries within the European Union.
Transfer to countries outside the European Union is only permitted with due observance of the applicable regulations under the GDPR.
The Processor will notify the Controller on request which country or countries it concerns.
ARTICLE 5. ALLOCATION OF RESPONSIBILITIES
The permitted processing will be performed by the Processor within a (semi) automated environment under the control of the Processor.
The Processor is only responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the explicit (final) responsibility of the Controller.
The Processor is not responsible for any other processing of personal data, including the collection of personal data by the Controller, processing for purposes that have not been reported to the Processor by the Controller, processing by third parties, or for any other purpose.
ARTICLE 6. ENGAGE THIRD PARTIES OR SUBCONTRACTORS
The Controller gives the Processor permission to use third parties when processing personal data on the basis of this Processor Agreement, with due observance of the applicable privacy laws and regulations.
The Processor will inform the Controller, if the Controller so requests, as soon as possible about the third parties it has engaged. The Controller has the right to object to any third parties engaged by the Processor.
The Processor will not object on unreasonable grounds and must sufficiently substantiate the objection. If the Controller objects to third parties engaged by the Processor, the Parties will enter into consultation to reach a solution.
The Processor ensures that third parties engaged by it assume written obligations that are at least as strict as the obligations that rest on the Processor under the Processor Agreement.
The Processor guarantees correct compliance with the obligations referred to in Article 6.4 by these third parties and is liable towards the Controller in the event of errors as if it had committed the error(s) itself.
Processor’s maximum liability for damage as referred to in Article 6.5 is limited to the amount agreed in the Agreement (including Processor’s general terms and conditions).
ARTICLE 7. SECURITY
The Processor will take appropriate technical and organizational measures with regard to the processing of personal data to be carried out, against loss, or any form of unlawful processing (such as unauthorized access, impairment, modification, or provision of the personal data).
Despite the fact that the Processor must take appropriate security measures in accordance with the first paragraph of this article, the Processor cannot fully guarantee that the security is effective under all circumstances. In the event of a threat of – or actual breach of – these security measures, the Processor will do everything it can to limit the loss of personal data as much as possible.
If an explicitly described security is missing in the Processor Agreement, the Processor will ensure that the security meets a level that is not unreasonable given the state of the art, the sensitivity of the personal data, and the costs associated with taking the security.
The Controller will only make personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken.
ARTICLE 8. REPORTING OBLIGATION
In the event of a data breach (which is understood to mean: a breach of the security of personal data that leads to a significant chance of adverse consequences, or has adverse consequences, for the protection of personal data, within the meaning of Article 34a Wbp) Processor makes every effort to inform the Controller about this as soon as possible, but in any case within 48 hours after the data breach has become known to the Processor.
The reporting obligation only applies if the leak has actually taken place and in any case includes reporting the fact that there has been a data leak, as well as, insofar as this information is available at the Processor:
what the (alleged) cause of the leak is;
what the (as yet known or expected) consequence is;
what is the (proposed) solution;
contact details for the follow-up of the report;
the number of persons whose data has been leaked, or the minimum and maximum number of persons whose data has been leaked if no exact number is known;
a description of the group of persons whose data has been leaked;
the type or types of personal data that have been leaked;
the date on which the leak occurred, or the period within which the leak occurred if no exact date is known;
the date and time at which the leak became known to the Processor, or a third party or subcontractor engaged by it;
whether the data has been encrypted, hashed, or otherwise made incomprehensible or inaccessible to unauthorized persons;
and what the intended and already taken measures are to close the leak and to limit the consequences of the leak.
The Controller assesses whether it will inform the relevant authorities and/or the person(s) involved and is responsible for compliance with (statutory) reporting obligations. If required by privacy laws and regulations, the Processor will cooperate in informing the relevant authorities or data subjects.
ARTICLE 9. HANDLING OF REQUESTS FROM DATA SUBJECTS
If a data subject wishes to exercise one of its legal rights and addresses the request to this effect to the Processor, the Processor will forward this request to the Controller. The Controller will then take care of handling the request. The Processor may inform the data subject thereof.
In the event that a data subject submits a request to the Controller to exercise one of his legal rights, the Processor will, if the Controller so desires, cooperate insofar as possible and insofar as this is reasonable. The Processor may charge reasonable costs to the Controller for this.
ARTICLE 10. DUTY OF CONFIDENTIALITY
All personal data that the Processor receives from the Controller or that the Processor collects itself in the context of this Processor Agreement is subject to a duty of confidentiality towards third parties.
This duty of confidentiality does not apply insofar as the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary for the execution of the Processor Agreement, or if there is a legal obligation to provide the information to third parties.
If the Processor is legally obliged to provide information to a third party, the Processor will inform the Controller about this as soon as possible to the extent permitted by law.
ARTICLE 11. AUDIT
The Controller has the right to have audits performed by an independent expert third party who is bound by confidentiality to check the security requirements as agreed in Article 7 of the Processor Agreement.
The audit referred to in Article 11.1 will only take place in the event of a concrete suspicion of abuse that has been demonstrated by the Controller. The audit initiated by the Controller takes place two weeks after the Controller’s prior announcement.
The Processor will cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable period of time, whereby a maximum period of two weeks is reasonable.
The findings as a result of the audit performed will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by one of the Parties or by both Parties jointly.
The costs of the audit are borne by the Controller.
ARTICLE 12. LIABILITY
For the liability of the Parties for damage as a result of an attributable shortcoming in the fulfilment of the Processor Agreement, or tort or otherwise, the liability scheme agreed in the Agreement (including the Processor’s general terms and conditions) is declared applicable.
ARTICLE 13. DURATION AND TERMINATION
This Processor Agreement is entered into for the duration as stipulated in the Agreement and in the absence thereof in any case for the duration of the cooperation between the Parties. This Processor Agreement cannot be terminated prematurely.
Parties may only change this Processor Agreement with mutual consent but will provide their full cooperation to adapt the Processor Agreement to any new or amended privacy laws and regulations.
After termination of the Processor Agreement, the Processor will destroy all personal data in possession, unless the Parties agree otherwise.