Data Processing Agreement

This Data Processing Agreement is intended as part of the agreement entered into between the Licensee and the Processor for the provision of services, and specifically concerns the processing of personal data in the execution of the Agreement.  

Whereas:

  1. The Controller (Licensee) wishes to have personal data processed by the Processor (Service Provider) for the purpose of executing the agreement concluded with the Processor (hereinafter: the “Agreement”);
  2. “Personal data” means any data as defined in Article 4(1) of Regulation (EU) 2016/679, General Data Protection Regulation (hereinafter “GDPR”);
  3. The Processor, who processes personal data on behalf of the Controller within the context of the Agreement, qualifies as a Processor under Article 4(8) of the GDPR, while the Controller qualifies as a Controller within the meaning of Article 4(7) of the GDPR;
  4. The Processor and the Controller (hereinafter individually: a “Party” and jointly: the “Parties”), in accordance with the requirement under Article 28(3) of the GDPR, wish to set out their rights and obligations in writing through this Data Processing Agreement (hereinafter: “DPA”);
  5. The general provisions of this DPA apply to all processing activities performed in the context of the Agreement;
  6. As of 25 May 2018, the provisions of the GDPR apply, and until that date, reference shall be made to the corresponding provisions of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, hereinafter “Wbp”).

ARTICLE 1. GENERAL PROVISIONS

1.1 The Processor undertakes, under the conditions of this DPA and on behalf of the Controller, to process personal data. The Processor shall process the personal data properly, carefully, and in accordance with the GDPR.

1.2 The Processor shall only process personal data to the extent necessary to provide the service as described in the Agreement to the Controller (hereinafter: the “Service”).

1.3 The Processor shall not retain the personal data made available to it under the Agreement longer than is necessary (i) for the performance of this Agreement; or (ii) to comply with a legal obligation to which it is subject.

1.4 The Processor shall only process the personal data on instruction and in accordance with the instructions of the Controller. The Processor shall not process the personal data for its own purposes, for the benefit of third parties, or for any other purposes, unless it is required to do so by binding legal provisions. Control over the personal data provided to the Processor under the Agreement or other agreements between the Parties, as well as over the data processed by the Processor in that context, shall remain with the Controller.

1.5 The Processor is responsible for the processing of personal data under this DPA in accordance with the Controller’s instructions. The Controller remains responsible for its own processing of personal data, in which the Processor is not involved.

1.6 The Processor shall immediately inform the Controller of any future changes in the execution of the Agreement, to allow the Controller to monitor compliance with the terms agreed with the Processor. This includes, but is not limited to, the engagement of (new) sub-processors, without prejudice to the provisions of Article 3 (Use of Sub-processors) and Article 12 (Amendments).

1.7 Processing of data by the Processor, including personal data, shall never result in enrichment of the Processor’s own databases using data originating from the Controller’s datasets. Combining data originating from the Controller without written consent is not permitted.

1.8 The definitions used in this DPA shall have the same meaning as the corresponding definitions in the GDPR.

ARTICLE 2. OBLIGATIONS OF THE PROCESSOR

2.1 The Processor guarantees compliance with the applicable laws and regulations, including but not limited to data protection legislation such as the GDPR.

2.2 Upon first request by the Controller, the Processor shall provide information about the measures it has taken regarding its obligations under this DPA and the GDPR.

2.3 The obligations of the Processor under this DPA also apply to any person processing personal data under the authority of the Processor, including but not limited to individuals affiliated with the Processor, such as staff and/or third parties. The Processor shall ensure proper authorisation for such individuals regarding access to the Controller’s personal data.

2.4 The Processor shall support the Controller in conducting a Data Protection Impact Assessment (hereinafter: “DPIA”) when required under the GDPR, or when such support is requested by the Controller. This support may include the provision of relevant information by the Processor necessary for the DPIA. Only after prior consultation and approval by the Controller may the Processor charge the Controller reasonable costs incurred for supporting the DPIA.

ARTICLE 3. USE OF SUB-PROCESSORS

3.1 The Processor is permitted to engage sub-processors.

3.2 When engaging sub-processors, the Processor shall impose at least the same obligations on the sub-processor in writing as are imposed on the Processor under this DPA. The Controller has the right to review the relevant agreements.

3.3 The Processor remains responsible for compliance with these obligations by the sub-processors.

ARTICLE 4. SECURITY MEASURES

4.1 The Processor shall implement appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing (such as unauthorised access, alteration, or disclosure of the data). Taking into account the state of the art and the cost of implementation, these measures shall ensure a level of security appropriate to the risks involved in the processing and the nature of the personal data to be protected. These measures shall also aim to prevent unnecessary collection and further processing, and shall meet the security requirements as laid down in Article 32 of the GDPR.

4.2 The Processor shall at all times maintain an appropriate and up-to-date security policy detailing the technical and organisational measures implemented. Upon request, the Processor shall provide the Controller access to this policy.

ARTICLE 5. CONFIDENTIALITY

5.1 The Parties shall keep confidential all data of which they know or could reasonably suspect the confidential nature and which comes to their knowledge or is made available to them in the context of the execution of the Agreement or this Data Processing Agreement. They shall not disclose such data (even if anonymized or pseudonymized) internally or externally, nor provide it to third parties, except where:

  • Disclosure or provision is necessary for the performance of the Agreement;

  • A mandatory legal provision or court order requires the Parties to disclose or provide such data or information, in which case the Parties shall first inform the other Party;

  • Disclosure or provision is made with the prior written consent of the Controller.

5.2 The Parties shall impose a contractual confidentiality obligation on all persons engaged by them (whether or not directly employed) who are involved in the processing of confidential data.

ARTICLE 6. DATA BREACH NOTIFICATION AND SECURITY INCIDENTS

6.1 In the event of a (suspected) Data Breach (a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored or otherwise processed data), the Processor shall inform the Controller immediately, but no later than twelve (12) hours after first discovery of the incident. The Controller shall then assess whether to notify the data subject(s) and/or the relevant supervisory authority. This notification obligation applies regardless of the severity or impact of the breach.

6.2 The notification shall at least include the fact that a breach has occurred, as well as, where known to the Processor:

  • The (suspected) cause of the breach;

  • The (known or expected) consequence;

  • The (proposed) solution;

  • Contact details for follow-up;

  • The number of individuals affected (if the exact number is unknown, the minimum and maximum estimates);

  • A description of the category of individuals affected;

  • The type(s) of personal data involved;

  • The date on which the breach occurred (or the time period, if the exact date is unknown);

  • The date and time the breach was discovered by the Processor or any sub-processor;

  • Whether the data has been encrypted, hashed, or otherwise rendered unintelligible or inaccessible to unauthorized parties;

  • The intended and/or already taken measures to close the breach and to mitigate its consequences.

6.3 The Processor guarantees that the information provided under Article 6.2 is complete, accurate, and correct.

6.4 The Processor shall, at its own expense, take all reasonably necessary measures to prevent or limit unauthorized access, alteration, disclosure, or other unlawful processing, and to stop and prevent any future breaches of security or confidentiality, or further loss of confidential data.

6.5 Upon request by the Controller, or if required by law or regulation, the Processor shall cooperate in informing the competent authorities and data subject(s).

ARTICLE 7. AUDIT

7.1 The Controller has the right to have audits conducted by an independent third party bound by confidentiality, to verify compliance with all provisions of this Data Processing Agreement. The Controller may conduct such an audit once per year, or more frequently in case of a specific suspicion of misuse of personal data. The audit shall be announced at least two weeks in advance.

7.2 The Processor shall fully cooperate with the audit and provide all reasonably relevant information, including supporting data such as system logs, and make employees available as soon as possible.

7.3 In addition to the audit right of the Controller, the Processor shall proactively share relevant audit reports in its possession. These may include reports resulting from ISO27001 or equivalent certifications.

7.4 The costs of the audit conducted at the Controller’s request shall be borne by the Controller, unless the audit reveals that the Processor has failed to comply with the provisions of this Data Processing Agreement. In that case, the costs shall be borne by the Processor.

7.5 If the audit reveals that the Processor is not compliant with the Agreement or the Data Processing Agreement, the Processor shall take all reasonably necessary measures to ensure compliance.

ARTICLE 8. INTERNATIONAL DATA TRANSFERS

8.1 The Processor guarantees that all processing of personal data carried out by or on behalf of the Processor, including by its sub-processors, in connection with the performance of the Agreement, will take place within the European Economic Area (EEA). Processing outside the EEA is only permitted if the legal requirements under the GDPR for such transfers are fulfilled.

8.2 If personal data is processed outside the EEA, such transfer shall be encrypted using advanced encryption techniques.

8.3 Prior to entering into this Data Processing Agreement, the Processor shall inform the Controller of the location(s) where processing under the Agreement will take place.

ARTICLE 9. REQUESTS FROM AUTHORITIES

9.1 If the Processor receives a request or order from a supervisory authority, government agency, or law enforcement authority to disclose personal data, the Processor shall immediately inform the Controller, unless prohibited by law.

ARTICLE 10. DATA SUBJECT RIGHTS

10.1 The Processor shall provide full cooperation to enable the Controller to comply with its legal obligations in the event a data subject wishes to exercise one of their rights under the GDPR.

10.2 If a data subject contacts the Processor directly regarding their rights under the GDPR, the Processor shall forward the request to the Controller without delay.

ARTICLE 11. AMENDMENTS

11.1 The Parties may amend this Data Processing Agreement only in writing and by mutual consent.

ARTICLE 12. TERM AND TERMINATION

12.1 The duration of this Data Processing Agreement shall be equal to the duration of the Agreement.

12.2 Upon termination, the Processor shall delete all data or, at the request of the Controller, transfer it to a successor service provider.

ARTICLE 13. GOVERNING LAW

13.1 This Data Processing Agreement shall be governed by Dutch law.

13.2 Disputes shall be submitted to the competent court in the jurisdiction where the Processor is established.