The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Because Gorilla is a global company, we are committed to working with this policy.

  Article 1: Definitions
  • The terms ‘Personal Data’, ‘Processing’, ‘Controller’, ‘Processor’, ‘Party Concerned’ and ‘Third Party’ as set out in article 4 of the GDPR have the same meaning as in the GDPR. These terms are written with a capital letter in the Processor’s Policy. Other terms written with a capital letter have the same meaning as set out in the Processor’s Policy.
  • Personal Data of Employees is defined as all information about a specific or identifiable employee as referred to in article 4 sub 1 GDPR.
  Article 2: Relation between Client and Users
  • Client enables its Employees and/or Partners/Clients, by means of the Purchase Order with Processor, to use the software platform of Processor.
  • The platform can only be accessed by Clients who agree to comply with the user conditions, which set out that User is aware that he/she shall be regarded, in the context of the Agreement, as Controller within the meaning of the GDPR and that he/she agrees to be part of this Agreement in this capacity.
  Article 3: Following assignment and instructions by Processor
  • Processor processes Personal Data only on behalf of User and/or Client, unless deviating legal obligations apply.
  • Processor processes data on behalf of User and/or Client in accordance with the instructions of Client and under Client’s responsibility.
  • Processor has no authority over the purpose and means of the processing of Personal Data. Consequently, it does not make decisions about the receipt and use of data, distribution to Third Parties or the duration of data storage. Control over Personal Data supplied under this agreement will never rest with Processor.
  Article 4: Requirement of Confidentiality
  • Any person involved in the implementation of this agreement who acquires data of which the confidential nature is known or suspected, and who is not already bound by a requirement of confidentiality on account of his duties, profession or a legal provision, shall be obliged to treat such information as confidential, unless legally obliged to disclose it or when the necessity to disclose it arises during the execution of his duties.
  • Processor shall, with regard to Personal Data processed as part of the contract by Controller, exercise absolute confidentiality towards Third Parties. This obligation also applies to any other person who processes Personal Data under the authority of Processor.
  Article 5: Security measures
  • Processor will take all appropriate technical and organizational measures to secure Personal Data against loss or any form of unlawful processing. These measures will guarantee an appropriate level of security given the nature of the Personal Data processed by Processor.
  • Processor works according to ISO 27001 standards. The organizational and security measures mentioned under article 5.1 are included in the Statement of Applicability. The following measures are included:
    a) A back-up of Personal Data will be made on a daily basis, in order to prevent loss of Personal Data of Employees;
    b) The back-ups mentioned under sub a) shall be stored in a secure and separate location;
    c) The software platform is located in a twin datacenter concept, so that high availability can be guaranteed;
    d) Processor shall provide adequate security so that Personal Data of Employees can only be accessed by authorized personnel;
    e) Processor runs an adequate and up-to-date mechanism to detect and divert malicious software, including, but not limited to, computer viruses;
    f) External parties will carry out penetration tests on a regular basis to check systems for potential vulnerabilities;
    g) Processor uses secure network connections.
  Article 6: Collaboration with sub-Processors
  • If Processor uses sub-Processors, Client will be informed. Processor will remain fully responsible for the processing of Personal Data of Employees by sub-Processors.
  • If sub-Processors are called upon, Processor will conclude an agreement with the sub-Processor stating that the sub-Processor has responsibilities and obligations with regard to data processing and protection similar to those included in the Processor’s Agreement.
  Article 7: Procedure Data Breach
  • Despite the technical and organizational measures taken by Processor, it remains possible that an unforeseen breach arises with regard to Personal Data and that this Personal Data is destroyed, lost, altered or made available or accessible in an unlawful manner (hereinafter: ‘Data Breach’).
  • A Data Breach will be reported in writing to Client as soon as possible, and within 24 hours after discovering the breach.
  • Client assesses as Controller, after prior consultation with Processor, whether the Data Breach has to be reported to the GDPR and any other person(s) affected by the breach. The responsibility for reporting (accurately, timely and fully) to the GDPR and any other person(s) affected within the legal time limit rests with Client. If Client intends to report a Data Breach to the GDPR and/or other person(s) affected, Processor will be informed.
  • Processor has the right, at all times, to consider whether a Data Breach has to be reported to the GDPR and/or other person(s) affected.
  • Processor will provide all information regarding the Data Breach that Client needs to comply with reporting requirements, including:
    • The nature of the Data Breach, where possible stating the categories of Persons Involved and personal data registers, and the approximate number of Persons Involved and the relevant personal data registers;
    • If known to Processor, the potential consequences of the Data Breach, such as loss of control over Personal Data of Persons Involved and the inability to exercise their rights;
    • Measures taken by Processor to limit the harmful consequences of the Data Breach;
    • Processor shall inform Client of any new developments regarding the Data Breach and of the measures taken to limit its consequences and to avoid any recurrence.
  Article 8: Audits
  • Client has the right to check compliance with the Processor’s Agreement through an audit by an independent authority. The costs of this audit shall be borne by Client.
  • Processor shall, in fairness, cooperate with an audit and provide all relevant information for the audit in a timely manner and at the location where the audit takes place, provided that the audit does not inordinately interrupt the operating activities of Processor in terms of time and scope.
  • The authority that carries out the audit shall comply with the security procedures in force at Processor.
  Article 9: Rights of Person(s) Involved
  • If a Person Involved makes a request to Processor in pursuit of the privacy rights set out in articles 15 up to and including 20 of the GDPR, then this request shall be dealt with by Processor within the applicable time limit. If a Person Involved makes the request to Controller, then Processor shall cooperate with Controller on this request within a reasonable time.
  Article 10: Liability
  • If a party fails to fulfil its obligations under this Processor’s Agreement, the GDPR and/or other laws and regulations concerning the processing of Personal Data, that party shall be liable for any damages the other party suffers in consequence.
  • The liability of Parties is limited to direct damages and to the maximum amount that the insurer will pay out to the liable party.
  Article 11: General
  • This agreement shall take effect as soon as Parties have signed it.
  • The agreement shall remain in force for as long as Processor carries out any processing on behalf of the Users and/or Client.
  • This agreement can be amended only with the approval of Parties, and any amendment must be agreed upon in writing by Parties.
  • As soon as the collaboration is terminated, Processor shall destroy all Personal Data of Users and/or Client, unless the Parties agree. The obligation of confidentiality as described in this agreement shall remain in force indefinitely.
  • Delaware law applies to this agreement.
  • All legal disputes between Parties related to this agreement shall be referred to the competent court.