Processor Agreement
Parties
Cadexpress B.V., located at Europalaan 18, 5232 BC in ‘s-Hertogenbosch, Chamber of Commerce number: 17141119, hereinafter referred to as “processor”;
and
Principal, hereinafter referred to as “responsible party”;
Consider as follows
- the parties have entered into an agreement pursuant to which the processor processes (personal) data of the responsible party as referred to in article 4, paragraphs 1 and 2 of the AVG, hereinafter referred to as: ‘the main agreement
- the parties are obliged, pursuant to Article 28 (3) of the AVG, to make arrangements concerning the safeguarding of the privacy of personal data and to lay these down in a processing agreement, hereinafter referred to as: ‘the Agreement
- parties will provide each other with all necessary information in a timely manner to enable proper compliance with applicable privacy laws and regulations
- the provisions of this Agreement shall prevail over any other arrangements in place between the parties with respect to the processing of personal data, if and to the extent that they differ from those set forth in this Agreement
Have agreed
Article 1 – Duration of the agreement
- This Agreement shall take effect upon signature by the parties and shall terminate after Processor has deleted and/or returned all personal data to which this Agreement relates in accordance with the provisions of Article 13.
- This Agreement may not be terminated in the interim.
- The provisions described in Article 4 shall remain in effect after the expiration of this Agreement.
Article 2 – Object of the agreement
- For the execution of the Master Agreement, the Controller provided the Processor with a statement of:
- The nature and purpose of the agreed processing
- the categories of personal data processed
- the categories of data subjects
- the categories of recipients/users of personal data
- Statements of the information referred to in paragraph 1 shall be attached as an appendix to this Agreement.
Article 3 – Processing and use of the personal data
- The controller determines the purpose of the processing and what personal data it allows to be processed for this purpose.
- To this end, the responsible party shall provide written instructions to the processor.
- The Processor shall use the personal data obtained only for the purposes for which they were provided and only in accordance with the written instructions of the Controller.
- If the Controller orders the processing of personal data in a way that the Processor believes is contrary to the legal obligations, the Processor shall inform the Controller of this and consult with the Processor to find a solution that does not violate the legal obligations.
- The processor has its own responsibility not to process the data in violation of applicable laws and regulations.
- The Processor will not provide personal data to third parties, unless this is done on behalf of the Controller or when it is necessary to comply with a legal obligation.
- The Processor shall ensure that personal data is not processed outside the European Economic Area, unless prior written consent has been obtained from the Controller.
Article 4 – Confidentiality
- The Processor shall take all necessary measures to ensure the confidentiality of the Personal Data of the Controller.
- The obligation set forth in paragraph 1 shall not apply if the Controller has given prior written consent to disclose the personal data to a third party or if the Processor is required to do so by law.
- The processor shall impose the same duty of confidentiality on its staff or any persons or sub-processors engaged for that purpose.
- If this article is violated, the processor forfeits an immediately payable fine of € 5,000 per violation to the responsible party, without prejudice to the right of the responsible party to claim full compensation.
Article 5 – Security
- The Controller and the Processor will both take appropriate technical and organizational measures, as referred to in Article 32 of the AVG, to ensure a level of security appropriate to the risk.
- The Controller shall inform the Processor of the legal reliability requirements applicable to the processing according to the possible consequences for the Data Subjects, such as in the event of loss, corruption or unlawful processing, and shall provide all necessary information to this end to enable the Processor to comply.
- If the Controller desires a higher level of security than required by law, the Processor may charge the reasonable costs separately to the Controller for this purpose.
- When implementing security measures, the processor shall take into account the state of the art, the implementation costs, as well as the nature, scope, context, processing purposes, likelihood and severity of the various risks to the rights and freedoms of persons all in accordance with the provisions of Article 28 (3) (f) of the AVG.
- If the Controller wishes to conduct an assessment of an intended processing activity, the Processor shall provide all reasonable cooperation to conduct such assessment in accordance with applicable laws and regulations.
- The Processor shall also provide all reasonable cooperation to any prior consultation of the Personal Data Authority.
- The parties have made concrete agreements regarding the technical and organizational security measures necessary for the execution of this agreement, which the responsible party currently considers appropriate.
- These agreements shall include at least the following topics:
- reliability requirements
- The agreed security level (if any)
- the measures taken by the processor to ensure that only authorized personnel have access to the personal data
- measures of protection such as against loss, alteration, unauthorized or unlawful processing, access or disclosure
- the measures to be taken for vulnerability detection and incident management
- The parties will periodically evaluate and, if necessary, adjust the agreements referred to in paragraphs 7 and 8.
- These agreements are attached as an appendix to this Agreement.
Article 6 – Audit
- The Responsible Party shall have the right to have an annual audit conducted at its own expense to verify compliance with this Agreement.
- The Processor shall provide all reasonable cooperation to the audit referred to in paragraph 1, such as providing access to the databases and making all relevant information available.
- The processor, in consultation with the responsible party, shall implement the recommendations resulting from the audit as soon as possible.
- If the adjustments as a result of paragraph 3 arise from changed insights or legislation, the reasonable costs for these adjustments are for the responsible party.
- If the adjustments resulting from paragraph 3 arise from a failure to comply with the agreed security requirements, then these costs shall be borne by the processor.
- If the Personal Data Authority or any other competent authority wishes to conduct an investigation, the Processor shall provide all reasonable cooperation in this regard and shall inform the Controller as soon as possible.
Article 7 – Data breach
- If a data breach as referred to in Article 4(12) of the AVG occurs, the processor will inform the responsible party in the manner further described in Article 8.
- In the event of a data breach, the Processor shall take all reasonable measures necessary to mitigate the consequences and prevent another leak.
- The processor will provide the responsible party with all the cooperation that is necessary to be able to assess the scope and consequences of the data leak and to be able to comply with the possible duty to report data leaks to the Authority for the Protection of Personal Data as well as the duty to inform those involved.
- The parties have laid down their agreements about the procedure to be followed in the event of a data leak in a procedure for reporting data leaks, as described in Article 8. This procedure can be adapted if the state of the art requires it or if the regulations concerning the mandatory data breach change.
- If the processor fails to report the data breach in good time in accordance with the procedure for reporting data breaches referred to in Article 8, it will owe the responsible party an immediately payable penalty of €2,500, plus 2% of this amount for each hour that the report is late.
Article 8 – Procedure for reporting data breaches
If a data breach occurs, the following procedure applies:
- the processor records all security incidents in a manner that is transparent to the responsible party
- this record shall include at least the following information: a description of the incident; the approximate number of persons affected by the incident; the group or groups of persons affected by the incident; the date and time of the incident; the nature of the breach; the type of data affected; the possible consequences for those affected; the technical and organisational measures taken in response to the incident; how the leaked data have been secured; whether the data have been hashed, rendered inaccessible or can be remotely erased c.q. have been erased; and whether, and if so what data of persons in other EU countries have been affected by the data breach
- the processor informs the responsible party within 8 hours of becoming aware of the incident under simultaneous handover of its record, as described above
- the processor will remain permanently available for consultation with the processor or any experts designated by the processor for the first 24 hours after informing the responsible party about a data breach
- the controller consults with the processor in order to assess whether the incident should be reported to the Authority for the Protection of Personal Data
- the responsible party informs the processor in advance, when it decides to report the leak to the Authority for the Protection of Personal Data
- the processor shall render all necessary cooperation to the responsible party so that the latter can submit a data breach notification to the Personal Data Authority in compliance with the statutory requirements
- the processor shall provide all cooperation to the responsible party in order to be able to inform the affected persons in accordance with Article 34 of the AVG about the data breach
Article 9 – Requests from data subjects
- Any request for inspection, rectification, deletion of data, restriction of processing, data portability or objection as referred to in Articles 15 to 21 AVG that reaches the Processor shall be forwarded to the Controller without delay.
- The Processor shall provide all reasonable cooperation to the Controller so that the latter may comply with a request as referred to in paragraph 1 within the statutory time limits.
- The Controller will reimburse the Processor for the reasonable costs of such cooperation.
Article 10 – Sub-processors
- The Processor shall not be entitled to engage sub-processors to process the personal data under this Agreement unless it has received prior written consent to do so.
- The Processor shall be responsible and liable for the actions of sub-processors engaged by it.
- If a Processor engages a Sub-Processor, the Processor shall be obligated to stipulate that such Sub-Processor performs all of the obligations imposed on the Processor by this Agreement and shall enter into an agreement with such Sub-Processor for that purpose that is consistent with this Agreement.
- If the Processor engages sub-processors without consent as referred to in paragraph 1, the Processor shall be liable for a penalty of €500 without prejudice to the right of the Controller to full compensation.
Article 11 – Access to personal data
The processor shall ensure that the controller maintains access to the personal data in question at all times, even in the event of its bankruptcy or suspension of payments.
Article 12 – Liability and indemnity
- The Processor is not responsible for damages resulting from violations of any laws or regulations by the Controller.
- The Controller shall indemnify the Processor against claims by third parties and costs incurred by the Processor as a result of a breach referred to in paragraph 1.
- The responsible party is not responsible for damages resulting from violations of any laws or regulations by the processor.
- The Processor shall indemnify the Controller against claims by third parties and costs incurred by the Controller as a result of a breach as referred to in paragraph 3.
- The other party, in a case as referred to in paragraph 1 or 3, is entitled to terminate the main agreement with immediate effect.
Article 13 – Termination and Consequences of Termination
- This agreement will only end after the underlying assignment has ended and the Processor has transferred all personal data provided to it to the Controller or to a third party designated in writing by the Controller in advance, as well as all data left behind at the Processor and its sub-processors, if any.
- At the request of the Controller, the Processor shall make available the personal data provided to it in a format other than that in which they were provided upon reimbursement of the reasonable costs thereof.
- Instead of transferring the data, the controller may also request the processor to destroy the data.
- Destruction of the data referred to in paragraph 3 can only take place after prior written consent has been given by the responsible party.
- However, the provisions of Article 4 shall remain in full force and effect.
Article 14 – Consequences of nullity or voidability
If any part of the Agreement is void or voidable, this shall not affect the remaining provisions of the Agreement. A provision that is void or voidable shall in that case be replaced by a provision that comes closest to what the parties had in mind on that point at the conclusion of the contract.
Article 15 – Applicable law and competent court
- This agreement is governed by Dutch law.
- Any disputes arising as a result of this Agreement that cannot be resolved amicably shall be submitted to the competent court in the district of the Processor’s place of business.