This Processor Agreement is an integral part of the agreements agreed between the Parties on [CONTRACT START DATE]* (hereinafter: “the Agreement”).
SPOT MARKETING SOLUTIONS B.V., with its registered office at Gedempte Zuiderdiep 124 in Groningen, registered with the Chamber of Commerce under number 65394178 and legally represented by Mr N. Giavedoni (hereinafter: “Processor”);
[CUSTOMER]*, located at [ADDRESS]*, registered with the Chamber of Commerce under number [NUMBER]* and legally represented by Mr/Ms [NAME]* hereinafter: “Responsible Person”);
· The Controller has concluded an agreement with its customers and the Controller wishes to engage the Processor for the execution of that agreement;
· The Controller and the Processor have concluded an Agreement for the foregoing on [CONTRACT START DATE]* (hereinafter: "the Agreement"), in order to [CONTRACT END DATE]*;
· Processor in the execution of the Agreement can be regarded as Processor within the meaning of Article 4, paragraph 8 of the General Data Protection Regulation (hereinafter: “GDPR”);
· Responsible person is regarded as Responsible within the meaning of Article 4, paragraph 7 of the GDPR;
· Where this Processor Agreement refers to personal data, this refers to personal data within the meaning of Article 4, paragraph 1 of the GDPR;
· The controller designates the purposes and means for the processing and to which the conditions stated herein apply;
· Processor is willing to do so and is also willing to comply with the obligations regarding security and other aspects of the GDPR, insofar as this is within its power;
· The GDPR imposes an obligation on the Controller to ensure that the Processor offers sufficient guarantees with regard to the technical and organizational security measures with regard to the processing to be carried out;
· The GDPR also imposes the obligation on the Controller to monitor compliance with those measures;
· Parties, also in view of the requirement from Article 28 paragraph 3 of the GDPR, wish to record their rights and obligations in writing by means of this processor agreement (hereinafter: “Processing Agreement”);
· Where in this Processor Agreement reference is made to provisions from the GDPR, until May 25, 2018, the corresponding provisions from the Personal Data Protection Act (hereinafter: “Wbp”) are meant.
have agreed as follows
Article 1. Purposes of processing
1.1 Processor undertakes to process personal data on behalf of Controller under the conditions of this Processor Agreement. Processing will only take place in the context of the Processor Agreement in order to achieve [CONTRACT END DATE]* and those purposes that have been laid down in the Agreement with further consent.
1.2 The personal data that are or will be processed by the Processor in the context of the Agreement, and the categories of data subjects from whom they originate, are included in Appendix 1. The Processor will not process the personal data for any other purpose than as determined by the Controller. . The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in this Processor Agreement.
1.3 The Processor has no control over the purpose and means of the processing of personal data. Processor does not make independent decisions about the receipt and use of the personal data, the provision to third parties and the duration of the storage of personal data.
Article 2. Obligations of the Processor
2.1 With regard to the processing operations referred to in Article 1, the Processor will ensure compliance with the conditions imposed on the processing of personal data by the Processor in its role under the Wbp and the AVG.
2.2 The Processor will inform the Controller, at its request and within a reasonable period of time, about the measures it has taken with regard to its obligations under this Processor Agreement.
2.3 The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor.
2.4 The processing of personal data by the Processor will never entail that the Processor's databases are enriched with the data from the datasets of the Controller, unless the data is in aggregated, non-traceable form. In that case, the Processor is allowed to use this data for its own other purposes.
2.5 Processor will immediately inform the Controller if, in its opinion, an instruction from the Controller is contrary to the legislation referred to in paragraph 1.
Article 3. Transfer of personal data
3.1 Processor may process the personal data in countries within the European Economic Area (hereinafter: “EEA”). Transfer to countries outside the EEA is only permitted if this takes place on the basis of the Controller's prior written order/consent, or if there is one of the appropriate safeguards within the meaning of the GDPR.
Article 4. Division of responsibility
4.1 The permitted processing will be carried out by the Processor within a (semi-)automated environment.
4.2 The Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the explicit (final) responsibility of the Controller. For all other processing of personal data, including but not limited to the collection of personal data by the Controller, processing for purposes that have not been reported by the Controller to the Processor, processing by third parties and/or for other purposes, the Processor is not responsible. The responsibility for these processing operations rests solely with the Controller.
4.3 The Controller guarantees that the content, the use and the assignment to process the personal data as referred to in this Processor Agreement are not unlawful and do not infringe any rights of third parties.
4.4 From the moment the GDPR becomes applicable on 25 May 2018, the Parties will keep a register of the processing operations regulated under this Processor Agreement.
Article 5. Engaging third parties or subcontractors
5.1 The Controller hereby grants the Processor permission to use a third party for the processing of personal data, on the basis of this Processor Agreement, with due observance of the applicable privacy legislation.
5.2 At the request of the Controller, the Processor will inform the Controller as soon as possible about the third parties it has engaged. The Controller has the right to object to any third parties engaged by the Processor. If the Controller objects to third parties engaged by the Processor, the Parties will consult each other to find a solution.
5.3 Processor will in any case ensure that these third parties assume the same obligations in writing as agreed between Controller and Processor. The Processor guarantees correct compliance with these obligations by these third parties and is liable to the Controller in the event of errors by these third parties for all damage as if he himself committed the error(s).
Article 6. Security
6.1 The Processor will endeavor to take appropriate technical and organizational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or provision of the personal data).
6.2 The Processor will make every effort to ensure that the security meets a level that is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs associated with taking the security.
6.3 If it appears that a necessary security measure is missing, the Processor will ensure that the security meets a level that is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs associated with taking the security.
Article 7. Notification obligation
7.1 In the event of a data breach (which is understood to mean: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, transmitted, stored or otherwise processed data) the Processor will inform the Controller about this without delay or at the latest within forty-eight (48) hours, on the basis of which the Controller assesses whether it will inform the supervisory authorities and/or data subjects or not. Processor makes every effort to ensure that the information provided is complete, correct and accurate.
7.2 The responsible party will ensure compliance with any (legal) reporting obligations. If required by law and/or regulations, the Processor will cooperate in informing the relevant authorities and any involved parties.
7.3 The reporting obligation in any case includes reporting the fact that there has been a leak, as well as, insofar as Processor is aware:
· the date on which the leak occurred (if no exact date is known: the period within which the leak occurred);
· what is the (alleged) cause of the leak;
· the date and time on which the leak became known to the Processor or to a third party or subcontractor engaged by it;
· the number of persons whose data has been leaked (if no exact number is known: the minimum and maximum number of persons whose data has been leaked);
· a description of the group of individuals whose data has been leaked, including the type or types of personal data that have been leaked;
· whether the data has been encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorized persons;
· what the intended and/or already taken measures are to close the leak and to limit the consequences of the leak;
· contact details for the follow-up of the report.
Article 8. Rights of data subjects
8.1 In the event that a data subject submits a request to the Processor to exercise his/her legal rights, the Processor will forward the request to the Controller and inform the data subject thereof. The controller will then further handle the request independently. If it appears that the Controller needs help from the Processor for the execution of a request from a data subject, the Processor may charge costs for this.
Article 9. Confidentiality
9.1 All personal data that the Processor receives from the Controller and/or collects itself in the context of this Processor Agreement is subject to a duty of confidentiality towards third parties. Processor will not use this information for a purpose other than that for which it obtained it, unless it has been put in such a form that it cannot be traced back to data subjects.
9.2 This duty of confidentiality does not apply insofar as the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the assignment and the execution of this Processor Agreement, or if there are there is a legal obligation to provide the information to a third party.
Article 10. Audit
10.1 The Controller has the right to have audits carried out by an independent ICT expert who is bound by confidentiality to check compliance with all points from this Processor Agreement.
10.2 This audit will only take place after the Controller has requested and assessed the similar audit reports present at the Processor and puts forward reasonable arguments that still justify an audit initiated by the Controller. Such an audit is justified when the similar audit reports present at the Processor provide no or insufficient information about compliance with this Processor Agreement by the Processor. The audit initiated by the Controller takes place two weeks after prior announcement by the Controller, and at most once a year.
10.3 The Processor will cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable period of time, whereby a maximum period of two weeks is reasonable unless an urgent interest opposes this, providing. The Controller will ensure that the audit causes the least possible disruptive effect on the Processor's other activities.
10.4 The findings as a result of the audit performed will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by one of the Parties or by both Parties jointly.
10.5 The reasonable costs for the audit are borne by the Responsible Party, on the understanding that the costs for the third party to be hired will always be borne by the Responsible Party.
10.6 The Processor will support the Controller in the performance of a Privacy Impact Assessment (hereinafter: 'PIA') if the Processor is required to do so under the GDPR. This support can be expressed, among other things, in the provision of the necessary information by the Processor to the Controller for the correct execution of the PIA.
Article 11. Duration and termination
11.1 This Processor Agreement has been entered into for the duration as stipulated in the Agreement between the Parties and in the absence thereof in any case for the duration of the cooperation.
11.2 The Processor Agreement cannot be terminated prematurely.
11.3 Parties may only change this Processor Agreement by mutual agreement
11.4 After termination of the Processor Agreement, the Processor will immediately destroy the personal data received from the Controller, unless the parties agree otherwise.
Article 12. Other provisions
12.1 The Processor Agreement and its implementation are governed by Dutch law.
12.2 All disputes that may arise between the Parties in connection with the Processor Agreement will be submitted to the competent court in the district of the court that is also competent to judge within the framework of the Agreement.
12.3 If one or more provisions of the Processor Agreement prove to be invalid, the remainder of the Processor Agreement will remain in force. In that case, the parties will consult about the provisions that are not legally valid, in order to make a replacement arrangement that is legally valid and which corresponds as much as possible with the purport of the arrangement to be replaced.
12.4 If the privacy legislation changes, the parties will cooperate in adjusting this Processor Agreement in order to be able to (continue to) comply with this legislation.
12.5 In the event of conflict between different documents or their appendices, the following order of precedence applies:
· the agreement;
· this Processor Agreement;
· the General Terms and Conditions of the Processor;
· any additional conditions.
** Data as in the agreement (contract)