Data processing agreement

This Data Processing Agreement is an integral part of the agreements between the Customer and is the Processor of the personal data and the Customer is the Controller with regard to the personal data.

1. Purposes of data processing operations

1.1 The Processor commits to processing personal data on the instructions of the Controller, subject to the conditions of this Data Processing Agreement. The data will only be processed for the purpose of storing data of the Controller in the 'cloud', the related online services, colocation and those purposes that can be reasonably associated with it or will be determined by mutual agreement.

1.2 The Controller will decide which types of personal data it requires the Processor to process and therefore also to which (categories of) data subjects the personal data relate. The Processor exerts no influence on this decision. This relates in any case to personal data of customers of the Controller, and staff of the Controller, that are stored by the Customer at the Processor. The Processor will refrain from using the personal data for any purpose other than that determined by the Controller. The Controller will inform the Processor of the purposes of the processing where these are not already stated in this Data Processing Agreement.

1.3 The personal data to be processed on the instruction of the Controller will remain the property of the Controller and/or the data subjects concerned.

2. Obligations of the Processor

2.1 In respect of the processing referred to in Article 1, the Processor will ensure compliance with applicable legislation and regulations, including in any event the legislation and regulations in the field of the protection of personal data, such as the General Data Protection Regulation.

2.2 The Processor will inform the Controller, upon the latter’s first request, of the measures it has taken to meet its obligations under this Data Processing Agreement.

2.3 The Processor’s obligations arising from this Data Processing Agreement also apply to any party processing personal data under the authority of the Processor, including, but not confined to, employees, in the broadest sense.

2.4 The Processor will notify the Controller if it feels that an instruction provided by the Controller violates the legislation referred to in paragraph 1.

3. Transfer of personal data

3.1 The Processor is allowed to process the personal data in European Union member states. In addition, the Processor is allowed to transfer the personal data to a country outside the European Union, provided the Processor ensures an adequate level of protection and it complies with the other obligations to which it is subject pursuant to this Data Processing Agreement and the General Data Protection Regulation.

3.2 Upon request, the Processor will inform the Controller of the country or countries involved.

3.3 In particular, the Processor will, in determining an adequate level of protection, take account of the duration of the intended processing, the country of origin and the country of final destination, the general and sectoral rules of law that apply in the country concerned, as well as the professional rules and the security measures complied with in those countries.

4. Division of responsibility

It is preferable that a report is only made once it is likely that the notifier and the content provider will be unable to reach an agreement. The notifier is responsible for ensuring reports are correct and complete.

4.1 The Processor will make ICT means available for the processing that can be used by the Controller for the purposes stated above. The Processor will itself only perform processing on the basis of separate agreements.

4.2 The Processor is solely responsible for the processing of the personal data under this Data Processing Agreement, in accordance with the instructions of the Controller and under the express (ultimate) responsibility of the Controller. The Processor is expressly not responsible for any other processing operations involving personal data, including in any event, but not confined to, the collection of personal data by the Controller, processing for purposes that the Controller has not notified to the Processor and processing by third parties and/or for other purposes.:

4.3 The Controller warrants that the content, the use and the instructions for the processing of personal data as referred to in the Agreement are not unlawful and do not infringe any third-party right.

5. Engagement of third parties or sub-contractors (sub-processors)

5.1 The Processor engages third parties, which are available on request and for which the Controller hereby provides authorisation. In the case of new third parties, the Processor will inform the Controller thereof. If the Controller has well-founded objections to the engagement of the third party, a suitable solution must be sought in consultation. If the parties are unable to reach a suitable solution, the Controller may give notice to terminate the Agreement if the use of a specific third party of which it has been notified is unacceptable to it.

5.2 The Processor will in any case ensure that these third parties assume similar obligations in writing as those agreed between the Controller and Processor.

5.3 The Processor warrants correct compliance with the obligations in this Data Processing Agreement by such third parties and, in the event of errors committed by such third parties, is liable itself for any and all damage or loss as if it had committed the error(s) itself.

6. Security

6.1 The Processor will endeavour to take sufficient technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, interference, alteration or provision of personal data) in connection with the processing of personal data to be performed.

6.2 The Processor does not guarantee that the security is effective in all circumstances. If the Agreement does not include explicitly defined security, the Processor will endeavour to ensure that the security provided shall meet a standard that is not unreasonable, taking into account the state of the art, the sensitivity of the personal data and the costs associated with implementing the security measures.

7. Notification obligation

7.1 The Controller is at all times responsible for reporting data leaks (which includes a breach of the security of personal data that leads to a risk of negative consequences, or has negative consequences, for the protection of personal data) to the supervisory authority and/or data subjects. In order to enable the Controller to meet this legal obligation, the Processor must inform the Controller without delay of a data leak after it has detected one and if the leak relates to the personal data that are processed by the Processor on behalf of the Controller.

7.2 The notification obligation shall in any case include reporting that a leak has occurred, as well as:

the supposed or known cause of the leak;
the consequences (that are currently known and/or are to be expected);
the solution or proposed solution.

8. Handling requests from data subjects

In the event that a data subject submits a request to exercise their statutory right of inspection or their statutory right to improvement, addition, amendment, blocking, erasure of data or data portability to the Processor, the Processor shall forward the request to the Controller and the Controller will handle the request. The Processor may inform the data subject about this.

9. Privacy and confidentiality

9.1 All personal data the Processor receives from the Controller and/or collects itself within the framework of this Data Processing Agreement is subject to a duty of confidentiality towards third parties. The Processor will not use this information for any purpose other than that for which it was provided.

9.2 This duty of confidentiality does not apply insofar as the Controller has expressly granted permission to provide the information to third parties, if providing the information to third parties is logically required in view of the nature of the work assigned and the performance of this Data Processing Agreement or if there is a statutory obligation to provide the information to a third party.

10. Audit

10.1 The Controller may have an audit conducted at the Processor by an independent ‘Register EDP Auditor’ who is bound by a duty of confidentiality in order to verify compliance with the agreements under this Data Processing Agreement concerning the protection of the personal data processed by the Processor on behalf of the Controller.

10.2 This audit will only take place where there is a specific and well-founded suspicion of misuse of personal data, and only after the Controller has requested and assessed similar existing reports from the Processor, and has made reasonable arguments to justify an audit being initiated by the Controller. Such an audit is justified if the similar reports that the Processor has available provide an insufficient or inconclusive answer regarding compliance with this Data Processing Agreement by the Processor. The Controller will notify the Processor of the audit in advance, giving at least two weeks’ notice.

10.3 The Parties will jointly assess the findings of the audit that has been conducted and will determine on that basis whether or not those findings will be implemented by one of the Parties or by both Parties jointly.

10.4 Insofar as possible and reasonable, the Processor will cooperate with the Controller in carrying out a data protection impact assessment.

10.5 The costs of the audit described in paragraphs 1 and 4 above will be borne by the Controller.

11. Duration and termination

11.1 This Data Processing Agreement will enter into effect once it has been signed by the Parties, on the date of the second signature.

11.2 This Data Processing Agreement has been entered into for the term specified in the Agreement between the Parties, in the absence of which it will at least apply for the duration of the collaboration.

11.3 Upon termination of the services by the Processor, the Controller is itself responsible for making copies of, exporting or otherwise returning, in good time, the personal data that the Processor processes on behalf of the Controller. After the end of the term of the Agreement, the Processor will remove or destroy the (personal) data of the Controller.

11.4 The Processor is entitled to revise this agreement from time to time. It will inform the Controller of the changes at least three (3) months in advance. The Controller may lodge a notice of objection by the end of these three (3) months if it does not agree to the changes. If the Processor does not receive a notice of objection within this period, the changes will be deemed to have been accepted by the Controller.

12. Applicable law and settlement of disputes

12.1 The Data Processing Agreement and its execution are governed by Dutch law.

12.2 Any disputes that may arise between the Parties in connection with the Data Processing Agreement will be submitted to the competent court in Rotterdam.

Please note that the Dutch version of the data processing agreement is binding. The english data processing agreement is a free translation of the Dutch "Verwerkersovereenkomst".

Download Data processing agreement