Omniful Data Processing Agreement

Data Processing Agreement (Clients)

DATA PROCESSING AGREEMENT

BETWEEN:

Omniful, Inc. (“Omniful”), an exempted company registered in the Cayman Islands (under registration number WC-371244) having its registered office at 190 Elgin Avenue, George Town, Grand Cayman KY1-9008, Cayman Islands, with operating entities in the Kingdom of Saudi Arabia (Omniful Saudi for Information Technology) having its registered office at 2395 Jabal Abhar, Nakheel Dist., Riyadh, 12395, Riyadh (registered under 101074899), the United Arab Emirates (Omniful Middle East Ltd) having its registered office at Al Khatem Tower, Al Maryah Island, ADGM, Abu Dhabi, UAE (registration number 000009029), and India (Omniful Technologies Pvt Ltd) having its registered office at Sector 43, Gurgaon, Haryana 122018, India (CIN: U72900HR2022PTC107389), and its respective affiliates (hereinafter to be referred to as: the “Data Processor”)

AND

The Client (hereinafter to be referred to as: the “Data Controller”).

HEREBY AGREE AS FOLLOWS:

1. Subject matter of this Data Processing Agreement

1.1. This Data Processing Agreement applies exclusively to the processing of personal data in the scope of the Contract between the parties for services rendered (hereinafter to be referred to as: the “Service Agreement”).

1.2. Terms such as “processing”, “personal data”, “data controller” and “processor” shall have the meaning ascribed to them in the General Data Protection Regulation (hereinafter: the “GDPR”) or any successor legislation.

1.3. It is possible that the Data Processor will be processing personal data (hereinafter to be referred to as: the “Personal Data”) on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller. An overview of the categories of Personal Data and purposes for which the Personal Data are being processed is provided in Annex 1.

2. The Data Controller and the Data Processor

2.1. The Data Processor will act as the data processor and the Data Controller will act as the data controller.

2.2. The Data Processor warrants that it will only process the Personal Data in such manner as, and to the extent that, this is necessary for the provision of the services under the Service Agreement, except as required to comply with a legal obligation to which the Data Processor is subject, or to follow instructions of the Data Controller. The Data Processor shall never process the Personal Data for its own purposes.

2.3. The Parties conclude the Service Agreement in order to benefit from the expertise of the Processor in securing and processing the Personal Data for the purposes set out in Annex 1. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to comply with the Service Agreement and the instructions of the Data Controller.

3. Security

3.1. Without prejudice to any other security standards agreed upon by the Parties, the Data Processor shall take appropriate technical and organizational measures to ensure the security of the processing of Personal Data. These measures shall include in any case:

(a) measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes of the Service Agreement;

(b) measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure, in particular to use encryption for data in transit and at rest (where possible);

(c) measures to identify breaches of and vulnerabilities in the security of those systems used to provide services to the Data Controller and mitigate and repair those breaches and vulnerabilities;

(d) the Data Processor undertakes to commit all staff and personnel that process personal data to confidentiality. The commitment shall survive a termination or expiration of the staff member's employment relationship with the Data Processor;

(e) the measures in Annex 2.

3.2. The Data Processor shall at all times have in place a suitable, written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Article 3.1. At the request of the Data Controller, the Data Processor shall provide a copy of such security policy, shall demonstrate the measures it has taken pursuant to this Article 3, shall allow the Data Controller to audit and test such measures, and shall amend its security policy in accordance with the Data Controller's further written instructions. The Data Controller will bear the cost of such an audit.

3.3. If a data subject contacts the Data Processor for the purpose of exercising their rights as a data subject (e.g. regarding access to, erasure or rectification of personal data), the Data Processor shall promptly forward this request to the Data Controller. The Data Processor will, upon request, reasonably assist the customer to comply with its obligations with respect to the rights laid down in Chapter III of the GDPR.
Upon request, the Data Processor shall support the Data Controller by providing information for the performance of Data Protection Impact Assessments pursuant to Art. 35, 36 GDPR.

4. Improvements to Security

4.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 3 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 3.

4.2. The Data Controller has the right to instruct the Data Processor to take additional security measures. Where an amendment to the Service Agreement is necessary in order to execute such an instruction, the Parties shall negotiate an amendment to the Service Agreement in good faith.

5. Audit

5.1. The Data Controller has the right to perform an audit of the Data Controller in order to determine to what extent the Data Processor complies with the provisions of the Data Processing Agreement. Such an audit will be performed by an independent third party and will take place at a time defined by both parties together. The Data Processor shall provide the auditor access – on request of the auditor – to the facilities, personnel, policies and documents that are reasonably necessary for the purpose of the audit.

5.2. The Data Controller will bear the costs for the audit, unless the audit shows that the Data Processor does not comply with the Data Processing Agreement. In such case, the Data Processor bears the costs of the audit.

6. International Data Transfer

6.1. The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining the consent of the Data Controller.

6.2. The Data Controller may impose conditions on the consent as meant in Article 6.1, such as the condition that a transfer only takes place if the relevant parties conclude model contract clauses, such as described in Article 46, second paragraph, under c, GDPR.

7. Information Obligations and Incident Management

7.1. The Data Processor shall immediately notify the Data Controller of any incident with regard to the processing of the Personal Data, shall at all times cooperate with the Data Controller and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response and to take suitable further steps in respect of the incident. Specifically, the Data Processor warrants that it provides the Data Controller with all information necessary to fulfil its legal obligations, such as the obligation to notify incidents under Article 33 GDPR. The Data Controller alone may notify any public authority.

7.2. The term “incident” used in Article 7.1 shall be understood to mean in any case any breach of the security and/or confidentiality as set out in Article 4, paragraph 12 GDPR and Article 3 of this Data Processing Agreement leading to the loss or any form of unlawful processing, including destruction, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.

7.3. The Data Processor shall notify the Data Controller within 24 hours after discovery of the incident. Such notification shall include at least the following information: (i) the nature of the incident; (ii) the date and time upon which the incident took place and was discovered; (iii) the (amount of) data subjects affected by the incident; (iv) which categories of Personal Data were involved with the incident; and (v) whether and, if so, which security measures – such as encryption – were taken to render the Personal Data incomprehensible or inaccessible to anyone without the authorization to access these data.

7.4. The Data Processor shall at all times have in place written procedures which enable it to provide an immediate response to the Data Controller about an incident, and to cooperate effectively with the Data Controller in addressing the incident, and shall provide the Data Controller with a copy of such procedures upon the Data Controller’s written request.

8. Contracting with Sub-Processors

8.1. The Data Processor shall not subcontract any of its activities described in the Service Agreement to any third party without the prior written consent of the Data Controller.

8.2. The consent of the Data Controller as described in the previous paragraph shall be without the liability of the Data Processor vis-à-vis the Data Controller for any consequences of subcontracting – including any potential damages – with such third party in accordance with Article 10.

8.3. The consent of the Data Controller pursuant to Article 8.1 shall not alter the fact that consent is required under Article 7 GDPR for the engagement of sub-processors in a country outside the European Economic Area without an adequate level of protection. If the Processing carried out by the Data Processor includes the transfer of Personal Data to a country outside of the EEA which is not recognized by the European Commission to have an adequate level of protection in accordance with Data Protection Law, the Data Controller and the Data Processor shall enter into a supplementary agreement containing the Standard Contractual Clauses ("SCC").

8.4. If Processing of Personal Data under this DPA includes the transfer of Personal Data to a Sub-processor located in a country outside of the EEA which is not recognised by the European Commission to have an adequate level of protection in accordance with Data Protection Law, the Data Processor shall ensure that the data transfer to such sub-processor is lawful in accordance with Art. 44 et seq. GDPR.

8.5. The Data Processor shall ensure that the sub-processor is bound by the same or equivalent obligations as the Data Processor under this Data Processing Agreement, and shall supervise compliance thereof.

9. Returning or Destruction of Personal Data

9.1. Upon termination of this Data Processing Agreement, or upon the Data Controller’s written request, the Data Processor shall, at the discretion of the Data Controller, either destroy or return the Personal Data to the Data Controller.

9.2. The Data Processor shall notify all third parties involved with the processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.

10. Liability and Indemnity

10.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller and arising directly or indirectly out of or in connection with a breach of this Data Processing Agreement by the Data Processor.

11. Duration and Termination

11.1. This Data Processing Agreement shall come into effect on the same date as the Service Agreement and shall end automatically either: when the Service Agreement is terminated or expires; or at such time as the Data Processor has deleted or returned all Personal Data in accordance with Article 9, whichever is later.

11.2. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its obligations meant to survive the termination or expiration of the Data Processing Agreement, including but not limited to the obligations deriving from Articles 5, 9 and 10 of this Data Processing Agreement.

12. Miscellaneous

12.1. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.

12.2. This Data Processing Agreement is governed by the laws of the Netherlands. Any disputes arising out of or in connection with this Data Processing Agreement shall be brought exclusively before the competent Court of Amsterdam.

12.3. Any reference to provisions of law which are repealed during the term of this Data Processing Agreement is also intended to include a reference to any successor provision with a similar subject matter.

Annex 1:

Personal data that will be processed in the scope of the Service Agreement:

  • Invoice Name
  • Invoice Address
  • Invoice Phone number
  • Delivery Name
  • Delivery address
  • Email address
  • Order details (product, price, quantity, VAT, etc.)

The above data will be processed only for the purpose of the Service Agreement (E-Commerce integration between Marketplace and ERP / Order management system).

Annex 2:

Security

The Data Processor shall take the appropriate technical and organizational measures to ensure the security of the processing of Personal Data as set out in Article 3.

The additional security measures taken by Data Processor are:

  • An IT security management system is in place which defines the Data Processor's policies and processes regarding information security. These policies include but are not limited to:

    • Change management policies
    • Continuous improvement policies
    • Asset management policies
    • Access policies
    • Cryptographic control policies
    • Password policies
    • Mobile device management policies
    • Data storage and exchange policies
    • Backup and restore policies
    • Patch management policies
    • Contract and vendor management policies
  • Recurring audits are performed by third parties on:

    • Automated security scans
    • Manual penetration testing
    • The up-to-dateness of the Security Systems in place