Privacy policy


1. General

In this data processing agreement, the following definitions apply:

1.1 General Terms and Conditions:

the General Terms and Conditions of Processor, which apply in full to every agreement between Processor and Controller and of which this processing agreement is an integral part. 

1.2 Processor:

ALLETS Network, with its registered office and place of business at Alkmaar with chamber of commerce number 80536263 and all entities affiliated to, including but not limited to. 

1.3 Data: the personal data as described in Annex 1.

1.4 Agreement: every agreement between Controller and Processor for Processor to perform Work for the benefit of Controller, in accordance with the provisions of the order confirmation.

1.5 Controller: the natural person or legal entity who has instructed Processor to perform Work. 

1.6 Work: all work commissioned by Controller or carried out by Processor. The above applies in the broadest sense of the word and in any case includes the activities as stated in the order confirmation. 

2. Applicability of data processing agreement 

2.1 This data processing agreement applies to all data collected by Processor for Controller in the context of the execution of the Agreement with Controller, as well as all the Work arising from the Agreement. 

2.2 Controller is responsible for processing the Data concerning certain categories of data subjects, as described in Annex 1.

2.3 In the execution of the Agreement, Processor processes certain personal data for Controller.

2.4 This is a data processing agreement within the meaning of article 28 paragraph 3 General Data Protection Regulation (GDPR), in which the rights and obligations of Controller and Processor with regard to the processing of the personal data are regulated in writing, including with regard to security. This data processing agreement binds Processor with respect to Controller.

2.5 This data processing agreement, like the General Terms and Conditions of Processor, is part of the Agreement and all future agreements between the parties. 

3. Scope of data processing agreement

3.1 By giving the instruction to perform Work, Controller has instructed Processor to process the Data on behalf of Controller in the manner described in Annex 1 and in accordance with the provisions of this data processing agreement. 

3.2 Processor processes the Data exclusively in accordance with this data processing agreement, in particular as is included in Annex 1. Processor confirms not to process the Data for other purposes. 

3.3 Processor will never have control over the Data. 

3.4 Controller may give additional reasonable written instructions to Processor due to modifications or changes to the applicable regulations regarding the protection of personal data. 

3.5 Processor only processes the Data in the European Economic Area.

Version September 2018 DATA PROCESSING AGREEMENT

4. Confidentiality

 4.1 Processor and the persons employed by Processor or carrying out work for him, insofar as these persons have access to personal data, process the Data only on instruction of Controller, subject to deviating legal obligations. 

4.2 Processor and the persons employed by Processor or carrying out work for him, insofar as these persons have access to personal data, are obliged to maintain confidentiality of the personal data of which they take notice, except insofar as any statutory regulation obliges them to disclose or a task results in the need for disclosure. 

5. No further sharing 

5.1 Processor will not share Data with or provide it to third parties, unless Processor has obtained prior written consent or instruction from Controller or is obliged to do so by mandatory law. If Processor is obliged to share Data with or to provide it to third parties pursuant to mandatory law, Processor will inform Controller in writing, unless this is not permitted. 

6. Security measures 

6.1 Taking into account the state of the art, the implementation costs, as well as the nature, the size, the context and the processing objectives and the various risks to the rights and freedoms of persons in terms of probability and seriousness, Processor will take appropriate technical and organizational measures to ensure a level of security tailored to the risk. The security measures that have already been taken are defined in Annex 2.

6.2 Processor shall also take measures that serve to prevent unnecessary collection and further processing of personal data.

6.3 The Data will only be stored and processed within the European Economic Area.

7. Supervision of compliance 

7.1 Processor shall, at request and expense of Controller, provide Controller with information about the processing of the Data by Processor or its sub processors. Processor will provide the requested information as quickly as possible, but no later than five working days. 

7.2 Controller has, at its own expense, the right to have an independent third party, jointly designated by Controller and Processor, carry out an inspection once per year to verify whether Processor fulfils the obligations under the GDPR and this data processing agreement. Processor will provide all reasonably necessary cooperation. Processor has the right to charge the costs associated with the inspection to Controller. 

7.3 In the context of its obligation under paragraph 1 of this article, Processor will provide Controller, or a third party engaged by Controller:

7.3.1 all relevant information and documents; 

7.3.2 access to all relevant buildings, information systems and Data. 

7.4 Controller and Processor will consult each other as soon as possible after the report has been completed in order to address the possible risks and shortcomings. At the expense of Controller, Processor will take measures to bring the identified risks and shortcomings to an acceptable level for Controller, unless the parties have agreed otherwise in writing.

8. Data breach 

8.1 As soon as possible after Processor becomes aware of an incident or data breach that (also) has or may have a connection with the Data, Processor will inform Controller of this via the contact details of Controller that are known to Processor and will provide Controller with information about: the nature of the incident or the data breach, the affected data, the determined and expected consequences of the incident or data breach on the Data and the measures that Processor has taken and will take.

 8.2 Processor will assist Controller in notifying the parties involved and / or authorities. 

9. Sub-processors 

9.1 Controller grants Processor prior general permission to subcontract its obligations to third parties. Processor will inform Controller of the intention to engage the sub-processor. Processor grants Controller a period of 7 working days to object on reasonable grounds to the engagement of the sub-processor. Processor will not engage the sub-processor until the 7-day period has expired without Controller having objected, or if Controller has indicated that he / she does not object to the sub-processor being engaged.

 9.2 Controller grants Processor permission for engaging the sub-processors as listed in Annex 3.

 9.3 Processor shall ensure that the sub-processor is subject to this data processing agreement or to a sub-data processing agreement containing the same obligations as this data processing agreement.

 10. Participation duties and rights of data subjects

 10.1 Processor will co-operate with Controller on request of Controller in the event of a complaint, question or request from a data subject, or investigations or inspections by the Dutch Authority for Personal Data (Autoriteit Persoonsgegevens). 

10.2 Processor will assist Controller at its request and expense in performing a data protection impact assessment. 

10.3 If Processor receives a direct request from a data subject for access to, correction or deletion of his or her Data, Processor will inform Controller of the receipt of the request. Without undue delay, Processor will carry out all written instructions issued by Controller to Processor as a result of such a request from the data subject. Processor shall take the necessary technical and organizational measures necessary to comply with such instructions from Controller. 

10.4 If instructions from Controller to Processor conflict with any legal provisions regarding data protection, Processor will report this to Controller if Processor is aware of the conflict. 

11. Duration and termination 

11.1 This data processing agreement is valid as long as Processor has the instruction of Controller to process Data on the basis of the Agreement between Controller and Processor. As long as Work is performed for Controller, this data processing agreement applies.

11.2 If, after termination of the Agreement, Processor is obliged on the basis of a statutory obligation to retain data, data processing and / or documents, computer disks or other data carriers on which or in which Data is stored, Processor shall ensure the destruction of this data or these documents, computer disks or other data carriers within 4 weeks after the termination of the statutory retention.

11.3 Upon termination of the Agreement between Controller and Processor, Controller may, at its own expense and within two months after termination of the Agreement, request Processor to return all Data that is stored with Processor. In the event Controller requests return of the Data, Processor will provide the Data in the form as present at Processor. If the Data is stored in a computer system or in another form due to which the Data cannot reasonably be provided to Controller, Processor will provide Controller with an accessible, readable copy of the Data. After the expiry of this period, Processor will proceed to the final destruction of the Data, unless Processor is obliged to store Data on the basis of a statutory obligation.

 11.4 Without prejudice to the other provisions of this article, Processor will not keep or use any Data after termination of the Agreement. 

11.5 The method of destruction is determined in consultation with Controller. After cancellation, Processor will provide written confirmation to Controller. 

12. Invalidity 

12.1 If one or more provisions of this data processing agreement are null and void or are otherwise invalidated, the other conditions remain in full force. If any provision of this data processing agreement is not legally valid, parties will negotiate the content of a new provision, which provision will approach the content of the original provision as closely as possible. 

13. Applicable law and choice of forum 

13.1 Dutch law applies to this data processing agreement. 

13.2 All disputes in connection with the data processing agreement or its execution shall be submitted to the competent court at the district of North Holland.




Controller will have Processor process the following Data within the framework of the assignment, including but not limited to personnel administration, payroll, financial reporting: 

(1) Name (initials, last name) 

(2) Telephone number 

(3) E-mail address 

(4) Date of birth 

(5) Domicile 

(6) Data of identification document (related to the Anti-Money Laundering and Anti Terrorist Financing Act (Wwft)) 

(7) Financial data, both business and private  

(8) Name and address details and citizen service number (BSN) of the personnel of Controller 


The activities for which the above-mentioned Data may be processed, only if necessary, are in any case: 

(1) the work, to be regarded as the primary service, in the context of which Controller has issued an order to Processor; 

(2) the maintenance, including updates and releases of the system made available by Processor or sub-processor to Controller; 

(3) data and technical management, also by a sub-processor; 

(4) the hosting, also by a sub-processor.




Processor has taken at least the following security measures:

 • Backup and recovery procedures 

• Security of network connections 

• Powers are assigned to a limited number of persons who are charged with carrying out the processing (including a periodic check on this).

• Implemented code of conduct

• Non-disclosure agreements in employment contracts 

• Logical access control by means of passwords and / or personal access codes

• Logging and control of access to personal data 

• Sub-worker agreements with third parties