Article 2. Purposes of the processing
Processor undertakes to process personal data on behalf of the Responsible Party under the conditions of this Processor Agreement. Processing will only take place within the framework of the execution of the Agreement and for purposes that are determined with further approval.
The controller determines for himself which (types of) personal data he has processed by the Processor and to which (categories of) data subjects these personal data relate. Processor has no influence on this.
Processor will not process the personal data for any purpose other than as determined by the Controller. The controller will inform the Processor of the processing purposes insofar as these have not already been mentioned in the Processor Agreement.
The personal data to be processed on the instructions of the Responsible Person remain the property of the Responsible Person or the person(s) concerned.
The controller guarantees that the content, use and instruction to process personal data as referred to in the Processor Agreement is not unlawful and does not infringe any rights of third parties. In addition, the Controller is responsible for ensuring that the processing of personal data falls under one of the exemptions under the AVG, or if this is not the case, that a report has been made to the Dutch Data Protection Authority; and that from 25 May 2018 it will keep a register of the processing operations regulated under this Processor Agreement.
The responsible party indemnifies the Processor against all claims that are related to non-compliance or incorrect compliance with the obligations under Article 2.5.
Article 3. Obligations of Processor
With regard to the processing operations referred to in Article 2, Processor will ensure compliance with the conditions that are imposed on Processor to process personal data on the basis of the AVG.
Processor will, at its first request, inform the Controller of the measures it has taken regarding its obligations under this Processor Agreement and the Wbp and AVG.
The Processor’s obligations arising from this Processor Agreement also apply to those who process personal data under the Processor’s authority.
Article 4. Transfer of personal data
Processor may process the personal data in countries within the European Union.
Transfer to countries outside the European Union is only permitted with due observance of the applicable AVG regulations.
At the request of the Processor, the Controller will report which country or countries it concerns.
Article 5. Division of responsibility
The permitted processing will be carried out by Processor within a (semi) automated environment under the control of Processor.
Processor is only responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the express (final) responsibility of the Controller.
For all other processing of personal data, including in any case the collection of personal data by the Controller, processing for purposes not reported by the Controller to the Processor, processing by third parties or for other purposes, the Processor is not responsible.
Article 6. Engaging third parties or subcontractors
The controller gives the Processor permission to make use of third parties when processing personal data on the basis of this Processor Agreement, with due observance of the applicable privacy laws and regulations.
The Processor will, if the Controller requests this, inform the Controller as soon as possible about the third parties it has engaged. The controller has the right to object to any third parties engaged by the Processor.
Processor will not object on unreasonable grounds and must provide sufficient reasons for the objection. If the Controller raises an objection against third parties engaged by the Processor, the Parties will consult to reach a solution.
Processor ensures that third parties engaged by it assume written obligations that are at least as strict as those imposed on the Processor pursuant to the Processor Agreement.
Processor guarantees correct compliance with the obligations referred to in Article 6.4 by these third parties and is liable in the event of errors by itself towards the Controller as if it had committed the error(s) itself.
The maximum liability of Processor for damage as referred to in Article 6.5 is limited to the amount agreed in the Agreement (including the General Terms and Conditions of Processor).
Article 7. Security
Processor shall take appropriate technical and organizational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, encroachment, alteration or provision of personal data).
Although Processor must take appropriate security measures in accordance with paragraph 1 of this article, Processor cannot fully guarantee that security is effective under all circumstances. However, in the event of a threat of – or actual breach of – these security measures, the processor will do everything possible to limit the loss of personal data as much as possible.
If an explicitly described security is not included in the Processor Agreement, Processor shall ensure that the security meets a level that, in view of the state of the art, the sensitivity of the personal data and the costs associated with taking the security, is not unreasonable.
The controller only makes personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken.
Article 8. Reporting obligation
In the case of a data leak (which is understood to mean: a breach of the security of personal data that leads to a considerable chance of adverse consequences, or has adverse consequences, for the protection of personal data, within the meaning of Article 34a Wbp), Processor makes every effort to inform the Controller of this as quickly as possible, but in any case within 48 hours after the data leak has become known to Processor.
The reporting obligation only applies if the leak has actually occurred and in any case includes reporting that a data leak has occurred, and, insofar as this information is available to Processor:
what the (alleged) cause of the leak is;
what the (as yet known or expected) consequence is;
what the (proposed) solution is;
contact details for following up the report;
the number of people whose data has been leaked, or the minimum and maximum number of people whose data has been leaked if no exact number is known;
a description of the group of people whose data has been leaked;
the type or types of personal data that have been leaked;
the date on which the leak occurred, or the period within which the leak occurred if no exact date is known;
the date and time at which the leak became known to the Processor or to a third party or subcontractor engaged by him;
whether the data is encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorized persons;
and what the planned and already taken measures are to close the leak and to limit the consequences of the leak.
The responsible party assesses itself whether it will inform the relevant authorities and/or person(s) involved and is itself responsible for compliance with (legal) reporting obligations. If privacy laws and regulations require this, Processor will cooperate in informing the relevant authorities or parties involved.
Article 9. Processing requests from involved parties
If a data subject wishes to exercise one of his legal rights and the request for this is addressed to Processor, Processor will forward this request to Controller. The person responsible will then take care of the handling of the request. Processor may inform the data subject thereof.
In the event that a data subject submits a request to the Controller to exercise one of his legal rights, the Processor will, if the Controller requires this, cooperate as far as possible and insofar as this is reasonable. Processor may charge the responsible party reasonable costs for this.
Article 10. Confidentiality
All personal data that Processor receives from the Controller or that Processor collects itself in the context of this Processor Agreement is subject to a confidentiality obligation towards third parties.
This confidentiality obligation does not apply to the extent that the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary for the execution of the Processor Agreement, or if there is a legal obligation to provide the information to a third party.
If Processor is legally obliged to provide information to a third party, Processor will inform the Controller of this as soon as possible to the extent permitted by law.
Article 11. Audit
The controller has the right to have audits carried out by an independent third party expert who is bound by confidentiality to check the security requirements as agreed in Article 7 of the Processor Agreement.
The audit referred to in Article 11.1 only takes place if there is a concrete suspicion of abuse that has been demonstrated by the Controller. The audit initiated by the Responsible Party takes place two weeks after prior announcement by the Responsible Party.
Processor shall cooperate with the audit and make all information reasonably relevant to the audit, including supporting data such as system logs, and staff available as soon as possible and within a reasonable period, whereby a maximum period of two weeks is reasonable.
The findings arising from the audit will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by one of the Parties or by both Parties jointly.
The costs of the audit are borne by the Controller.
Article 12. Liability
For the liability of the Parties for damage as a result of an attributable shortcoming in the fulfillment of the Processor Agreement, or as a result of an unlawful act or otherwise, the liability arrangement agreed in the Agreement (including the General Terms and Conditions of Processor) is declared applicable.
Article 13. Duration and termination
This Processor Agreement is entered into for the duration as stipulated in the Agreement and, in the absence thereof, in any case for the duration of the cooperation between the Parties. This Processor Agreement cannot be canceled in the interim.
Parties may only amend this Processor Agreement with mutual consent, but will fully cooperate in adapting the Processor Agreement to any new or amended privacy laws and regulations.
After termination of the Processor Agreement, Processor will destroy all personal data that is present with it, unless the Parties agree otherwise.