PROCESSING AGREEMENT
THE UNDERSIGNED:
(1) <Company>, established in <Place>, duly represented in this matter by <name> hereinafter referred to as: ‘Controller’;
and
(2) Digital Marketing & Publishing International BV, established in Heino, duly represented in this matter by Mr. Joost J. Hoogstrate, Chamber of Commerce 65988256, hereinafter referred to as: ‘Processor’;
Controller (Client) and Processor (Contractor) are also referred to herein collectively as “Parties” or individually as “Party”;
TAKE INTO ACCOUNT THE FOLLOWING:
(A) Controller has entered into a service agreement with Processor, hereinafter referred to as: Agreement. Based on this Agreement, the Processor carries out <complete activities> with the aim of <describe purpose>. In order to implement the Agreement, the Processor will process personal data for and on behalf of the Controller;
(B) Parties wish to record in this Processor Agreement their agreements about the processing of the personal data by the Processor on behalf of the Controller in accordance with the Applicable Law;
AND DECLARE TO HAVE AGREED AS FOLLOWS:
1 Definitions
1.1 Annex: appendix to this Processor Agreement which, after being signed by both Parties, forms part of this Processor Agreement;
1.2 Data breach(es): any incident resulting in the (possible) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data transmitted, stored or otherwise processed, regardless of whether the incident took place in relation to the processing facilities or elsewhere;
1.3 Processor Agreement: this Processor Agreement, which forms an integral part of the general terms and conditions and forms part of the Agreement, including the considerations and Annex(es), as well as any change, replacement, update or other later version thereof;
1.4 Employees: the employees and other persons or auxiliary persons engaged by the Processor for the implementation of this Processor Agreement, who fall under its responsibility;
1.5 Applicable Law: the applicable law or regulation, the General Data Protection Regulation (EU) 2016/679 applicable as of 25 May 2018, or any (other) guidelines, policies, instructions or recommendations from any competent governmental authority applicable to the processing of the personal data, including any changes, replacements, updates or other later versions thereof.
2 Agreement
2.1 In the context of the performance of the Agreement and the Appendices thereto, Party 1 can be regarded as the Controller for the processing of the personal data under Applicable Law, and Party 2 as the Processor of the personal data for the benefit of Party 1.
2.2 This Processor Agreement forms part of the general terms and conditions and replaces any previously made (oral or written) agreements between Controller and Processor regarding the processing of personal data.
2.3 In the event of any contradiction between the provisions of this Processor Agreement, the general terms and conditions and the Agreement, the provisions of the general terms and conditions prevail, unless expressly provided otherwise in this Processor Agreement.
2.4 The Processor will only process the personal data on behalf of the Controller. The Processor does not have independent control over the personal data that it processes. The Processor will not process the personal data for its own benefit, for the benefit of third parties or for other purposes, except where deviating legal obligations under Applicable Law require this.
2.5 The Processor guarantees that it will process the personal data in accordance with Applicable Law. The Processor will immediately notify the Controller if, in its opinion, an instruction violates Applicable Law.
2.6 If the Processor determines the purposes and means of the processing of the personal data in violation of this Processor Agreement and/or Applicable Law, the Processor will be regarded as the Controller within the meaning of Applicable Law for those processing operations.
3 Processing of the personal data
3.1 For the implementation of the Agreement and the Appendices, the Processor processes the personal data as described in more detail in Appendix 1.
3.2 Taking into account the nature of the processing and the information available to the Processor, the Processor will provide the Controller with all necessary assistance in order to fulfil the obligations incumbent on the Parties under Applicable Law, in particular the obligations with regard to the security of personal data, the reporting obligations for Data Breaches, the obligations with regard to the performance of a data protection impact assessment (DPIA), and prior consultation with the competent public authority(ies).
3.3 The Processor will only disclose the personal data to those Employees who need the personal data for the performance of their work or who must necessarily have knowledge of the personal data for the implementation of the Agreement and the Appendices, and will keep it secret from all others, except where deviating legal obligations under Applicable Law require otherwise.
3.4 Appendix 1 lists which (groups of) Employees may have access to which personal data. The Processor is expressly prohibited from giving (groups of) persons other than those described in Annex 1 access to the personal data.
3.5 The Processor will impose the obligations laid down in this Processor Agreement and in the Agreement, including the security and confidentiality obligations, on the Employees it engages. The Processor will ensure that these Employees comply with the relevant obligations under this Processor Agreement, the Agreement and the Appendices.
4 Sub-processors
4.1 The Processor states in Appendix 1 which third parties (sub-processors) are used for the processing of the Personal Data.
4.2 The Client gives the Processor permission to engage other sub-processors for the performance of its obligations arising from the Agreement.
4.3 The Processor will inform the Client of a change in the third parties engaged by the Processor. The Client has the right to object to such a change. The Processor will ensure that the third parties engaged by it commit to the same security level with regard to the protection of the Personal Data as the security level to which the Processor is bound towards the Client on the basis of this Processor Agreement.
5 Reliability requirements and security
5.1 The Processor will at least observe the reliability requirements from Appendix 2 and implement the technical and organizational security measures also detailed in Appendix 2.
5.2 The technical and organizational security measures to be implemented by the Processor must ensure an adequate level of protection, among other things with a view to the obligation of the Controller to deal with requests from data subjects who exercise their rights, in accordance with Applicable Law and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying risks, in terms of likelihood and severity, for the rights and freedoms of persons. These measures shall include, where appropriate, at least:
a. the ability to ensure the confidentiality, integrity, availability and resilience of processing services on an ongoing basis;
b. appropriate preventive measures that enable the Processor to immediately recognize a Data Breach and to inform the Controller of it in a timely manner, such as intrusion detection, future-proof encryption and the possibility to restore the availability of the personal data in a timely manner;
c. a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational security measures to ensure the security of the processing of personal data.
5.3 The Processor will regularly evaluate and, if necessary, update the technical and organizational security measures taken.
6 Reporting Data Breaches
6.1 The Processor will maintain adequate procedures aimed at detecting and acting on any Data Breaches, including procedures for corrective actions and for preventing the repetition of Data Breaches. These procedures have been set up by the Processor in such a way that both the Controller and the Processor are able to comply with the reporting obligations regarding Data Breaches under Applicable Law.
6.2 As soon as the Processor detects a Data Breach or reasonably suspects that a Data Breach has occurred or may occur, the Processor will inform the Controller immediately, and in any case within 24 hours after detection or suspicion of the Data Breach. Such a report will be made via the website and by telephone as stated in Appendix 3.
6.3 In the event of a Data Breach, the Processor will take adequate remedial measures as soon as possible. In addition, the Processor will provide the Controller with all relevant information requested by the Controller with regard to the Data Breach. This information will in any case include:
a. a description of the nature and size of the Data Breach, an estimate of the number of data subjects (possibly) affected, and an indication of the nature of the personal data affected and whether these personal data were encrypted, otherwise secured or made inaccessible;
b. a description of the corrective measures taken and to be taken, the planned measures and the recommended measures to limit the damage, including an emergency plan and the expected time to resolution and work-around;
c. information about which third parties, such as government agencies and the (social) media, are or may be aware of the Data Breach;
d. the contact details of the authorized representative(s) of the Processor from whom the Controller can obtain immediate and regular updates on the status of the Data Breach.
6.4 The Processor will provide all reasonably expected assistance to the Controller and share all necessary information, or information requested by the Controller, with the Controller, so that the Controller can inform the data subject(s) who may or may not be affected and/or the relevant government authorities or supervisors who are authorized to judge the processing of the personal data about the Data Breach in a timely manner, and is enabled to demonstrate compliance with the data breach reporting obligations under Applicable Law.
7 The Controller's audit right
7.1 The Controller is entitled, at its own expense, to check the measures and compliance with the obligations incumbent on the Processor, provided that the Controller notifies the Processor ten (10) working days in advance, and on the condition that the Controller follows the reasonable instructions of the Processor during the inspection and the inspection does not unreasonably disrupt the business operations of the Processor.
7.2 The Processor makes all information available to the Controller that is necessary to demonstrate compliance with Applicable Law.
7.3 The Controller can engage third parties (experts) to exercise its audit rights. An audit conducted by or on behalf of the Controller will not lead to a delay in the activities of the Processor or one of its Subcontractors. If such a delay nevertheless threatens, the Parties will enter into consultation.
8 Transfer of personal data
8.1 The Processor will not transfer personal data, other than as described in Annex 1, to, make it accessible from, or otherwise process it in a country outside the European Economic Area (EEA), other than a country with which there are agreements that offer an adequate level of protection.
9 Data subjects
9.1 The Processor will cooperate fully so that the Controller can comply with its legal obligations if a data subject exercises his or her rights under Applicable Law.
9.2 As soon as the Processor receives a request from a data subject as referred to in the previous paragraph, the Processor will immediately inform the Controller of this and hand over a copy of all correspondence received to the Controller.
10 Requests from government agency(ies)
10.1 If the Processor receives a request from a government agency to provide (access to) personal data, the Processor will immediately inform the Controller of this in writing before (access to) personal data is provided, and hand over a copy of all available information and correspondence received to the Controller. The Processor will only cooperate with such a request if it is obliged to do so by virtue of Applicable Law.
11 Costs
11.1 The costs of the implementation of this Processor Agreement are not included in the prices and fees as agreed in the Agreement.
11.2 Appendix 4 lists the prices charged for any activities that fall under the provision of support in the context of this Processor Agreement.
12 Liability and indemnification
12.1 The liability of the Processor for damage arising from or in connection with non-compliance with this Processor Agreement, or acting in violation of Applicable Law, is limited in accordance with the provisions of Article 14 of the general terms and conditions, unless there is intent or deliberate recklessness.
13 Term and termination
13.1 This Processor Agreement has a term equal to that of the Agreement and cannot be terminated prematurely. Articles that by their nature, including in the context of the settlement of the Processor Agreement, are intended to continue to apply after the end of the Processor Agreement will remain in full force after termination of the Processor Agreement.
13.2 Changes to the Processor Agreement are only possible by written agreement of the Parties.
13.3 Unless otherwise ensues from Applicable Law, if this Processor Agreement ends, the Processor will ensure (i) that the personal data are immediately returned and/or provided to the Controller, or to a replacement service provider designated by the Controller, in a manner deemed suitable by the Controller, and thereafter (ii) that the personal data are immediately destroyed if the Controller requests this in writing.
14 Applicable law
14.1 This Processor Agreement is governed by Dutch law.
14.2 Issues of interpretation caused by the translation will be resolved according to the original Dutch version.
Agreed and signed:
Controller                              Processor
Name:                                   Name: Joost Hoogstrate
Position:                               Position: CEO DMPI
Date:                                   Date:
ANNEX 1 Processor Agreement: Overview of services and related processing activities
A. General information
Name of product and/or service:
Name of Processor and establishment data:
Link to supplier and/or product page:
Brief explanation and operation of product and service:
B. Description of specific services
1. Description of the specifically provided services and associated Processing of Personal Data:
a.
b.
c.
2. Description of the optional Processing Operations that the Processor offers:
a.
b.
C. Purposes for processing data:
D1. Categories of Data Subjects (tick which categories of Data Subjects apply)
1: Employees
2: Relationships
3: Other, namely:
D2. Categories of Personal Data (tick which categories of Personal Data apply)
Contact data, limited (name, e-mail address and organizational unit)
Contact data, other (name, address and place of residence (NAW), date of birth, title, etc.)
etc.
Enter what personal data is processed to be used by the Processor:
E. Specific retention period of Personal Data (or assessment criteria to determine this) and the agreements about this:
F. Storage of Processing of Personal Data
Place/country of storage and Processing of the Personal Data:
G. Sub-processors
The Processor uses the following Sub-processors at the time of concluding the Processing Agreement:
Party name | Statutory place of business of Sub-processor | Brief description of task/service showing which information is Processed by this Sub-processor | Place/country of storage and Processing of Personal Data
 | | |
 | | |
Note: if the Personal Data are processed outside the EEA, a separate statement is made of the countries where the Personal Data are processed and of how it is guaranteed that the data can be transferred lawfully.
H. Contact details for substantive contacts about the processing of Personal Data
Party | Name | Function | E-mail address | Telephone number
Controller | | | |
Processor | | | |
I. Version
Version number | Date of (last) adjustment | Description of change(s)
1.0 | |
APPENDIX 2 Processor Agreement: Reliability requirements and security measures
DMPI BV has taken the following technical and organizational security measures to protect the personal data:
Policy document for information security:
1. There is a policy document that explicitly describes the measures that the controller takes to protect the processed personal data.
2. This policy document has been approved at the administrative or managerial level and has been sufficiently communicated to all Employees involved in the data processing.
Assignment of responsibilities for information security:
1. All responsibilities necessary for adequate information security are clearly defined at both the management and the executive level. These responsibilities are vested in those responsible persons who are allowed and able to take the security measures.
Security awareness:
1. All Employees of DMPI are informed and regularly updated regarding the information security policy and information security procedures.
2. During this information process, explicit attention is paid to the handling of (special or otherwise sensitive) Personal Data.
Physical security and protection of equipment:
1. IT facilities and equipment are physically protected against unauthorized access, damage and malfunction. The protection provided is in accordance with the identified risks and the level of security that would be appropriate according to legislation and regulations.
Access security:
1. Procedures are in place to provide authorized users with access to the information systems and services they require for the performance of their duties and to prevent unauthorized access to information systems.
2. The procedures cover all stages in the user access lifecycle, from the initial registration of new users to the eventual deregistration of users who no longer require access to information systems and services.
Correct processing in application systems:
1. Security measures are built into all application systems (privacy by design).
2. These security measures include checking that imports, internal processing and exports meet predetermined requirements (validation).
3. System components in which sensitive personal data are processed, or that affect the processing of sensitive personal data, are equipped with additional security measures.
Management of technical vulnerabilities:
1. Software on DMPI servers, such as virus scanners and operating systems, is kept up to date.
2. DMPI evaluates the extent to which its systems are exposed to technical vulnerabilities.
Incident management:
1. DMPI handles information security incidents and security vulnerabilities in a timely and effective manner as soon as they are reported. In the event that an information security incident occurs, the Controller, in consultation with DMPI, assesses the risks for the data subjects and effectively informs the data subjects and, if necessary, also the supervisory authority.
2. DMPI uses the lessons learned from the incidents handled to structurally improve security where possible.
3. If follow-up proceedings after an information security incident involve legal action (civil or criminal), the evidence shall be collected, retained and presented in accordance with the rules of evidence established for the relevant jurisdiction.
Handling of data leaks and security incidents:
1. DMPI immediately reports data leaks to the Controller. The Controller will report the leak to the relevant supervisory authority as soon as possible.
2. DMPI will, if required or obliged to do so, also inform the data subjects about the security incident or data breach.
APPENDIX 3 Processor Agreement: Procedure for data leaks
Contact details in the event of a breach in connection with Personal Data
Party | Name | Function | E-mail address | Telephone number
Controller | | | |
Processor | | | |
Informing about data leaks and/or security incidents
There is a procedure for informing in case of data breaches and/or security incidents, which contains at least the following points:
1. The way in which monitoring and identification of incidents takes place;
2. The way in which information is shared:
  a. in which way (via e-mail, telephone);
  b. to whom (contact persons and contact details);
  c. who can be contacted (for follow-up actions);
3. Information that must in any case be shared about an incident:
  a. the characteristics of the incident, such as: date and time of detection, summary of the incident, characteristic and nature of the incident (which part of the security does it concern, how did it occur, did it relate to reading, copying, changing, deleting/destroying and/or theft of personal data);
  b. the cause of the security incident;
  c. the measures taken to prevent any/further damage;
  d. naming those involved who may be affected by the incident, and to what extent;
  e. the size of the group of stakeholders;
  f. the type of data affected by the incident (particularly special data, or data of a sensitive nature, including access or identification data or financial data);
4. Any agreements as to whether, and if so how, the Processor can report to the Dutch Data Protection Authority.
Version
Version number | Date of last adjustment
 |
APPENDIX 4 Processor Agreement: Support costs
In the event that DMPI provides support that serves to implement the Applicable Law and is not laid down in the Agreement, it will charge costs for this.