IN ACCORDANCE WITH THE GENERAL DATA PROTECTION REGULATION
ARTICLE 1. INTRODUCTORY PROVISIONS
The terms used in this processing agreement and which are defined in the GDPR shall be understood to have the same significance as in the GDPR.
As of May 25, 2018, any reference in this processing agreement to a provision in the Wet bescherming persoonsgegevens (Personal Data Protection Act) shall refer to the corresponding provision in the Algemene Verordening Gegevensbescherming (the General Data Protection Regulation).
Under this agreement, Flowcomm Nederland B.V. shall be the processor, while the client shall be the responsible party.
ARTICLE 2. OBJECTIVES OF THE AGREEMENT
The processor agrees to process personal information on behalf of the responsible party in accordance with the conditions contained in this processing agreement. The processing shall take place exclusively in connection with the implementation of the agreement and for purposes yet to be determined further.
The responsible party shall itself determine what (types of) personal information shall be processed on its behalf by the processor as well as the (categories of) parties to which this personal information shall refer. The processor shall have no influence in this regard.
The processor shall only process the personal information for the objective or purpose determined by the responsible party, and not for any other purpose whatsoever. The responsible party shall inform the processor with regard to the objective or purpose of the processing, unless this has already been described or indicated in the processing agreement.
The personal information to be processed on behalf of the responsible party shall remain the property of the responsible party or of the party or parties concerned.
The responsible party shall guarantee the lawfulness of the content and use of the personal information, as well as of the order for its processing, and shall ensure that no infringement occurs of the rights of third parties. In addition, the responsible party shall ensure: that the processing of personal information falls within one of the exemptions of the GDPR or, if this is not the case, notification is provided to the Autoriteit Persoonsgegevens (Personal Information Authority); that as of May 25, 2018, the responsible party shall maintain a register of the personal information compiled under this processing agreement.
The responsible party shall release the processor from any and all claims that may arise in connection with compliance or non-compliance with the obligations contained in Article 2.5.
ARTICLE 3. OBLIGATIONS OF THE PROCESSOR
With respect to the processing referred to in Article 2, the processor shall exercise due care in regard to compliance with the conditions applicable, on the basis of the GDPR, to the processing of personal information by the processor.
The processor shall notify the responsible party upon request regarding the measures undertaken by the processor in accordance with the processor’s obligations under this processing agreement as well as under the Personal Data Protection Act and the General Data Protection Regulation.
The obligations of the processor under this processing agreement shall also apply to any persons processing personal information on behalf of the processor.
ARTICLE 4. TRANSMISSION OF PERSONAL INFORMATION
The processor shall be entitled to process the personal information in countries located within the European Union.
Transmission to countries outside the European Union shall be permitted exclusively in compliance with the applicable provisions of the GDPR.
The processor shall inform the responsible party regarding the identity of the country in question upon request.
ARTICLE 5. APPORTIONMENT OF LIABILITY
The approved processing shall be carried out by the processor in a (semi)automated environment under the control of the processor.
The processor shall only be responsible for the processing of the personal information under this processing agreement in accordance with the instructions provided by the responsible party and under the express (ultimate) responsibility of the responsible party.
The processor shall not be responsible or liable with regard to any additional or other processing of personal information including, in any event, the collection of personal information by the responsible party, processing for objectives and/or purposes of which the processor has not been informed by the responsible party, or processing by third parties or for other purposes.
ARTICLE 6. INTRODUCING THIRD PARTIES OR SUBCONTRACTORS
The responsible party shall consent to the use of third parties by the processor in order to process the personal information in accordance with this processing agreement, provided this is done in compliance with the applicable legislation and regulations regarding privacy.
Upon the request of the responsible party, the processor shall inform the responsible party as soon as possible with regard to any third parties introduced by the processor. The responsible party shall be entitled to object to any third party or parties introduced by the processor.
The processor shall not object based on unreasonable grounds, and any objection shall be accompanied by full reasons. Should the responsible party object to a third party introduced by the processor, the parties shall consult with one another in order to reach a solution.
The processor shall ensure that any third parties it introduces undertake obligations, in writing, that are at least as stringent as the obligations of the processor in accordance with the processing agreement.
The processor shall ensure proper compliance by third parties with the obligations referred to in Article 6.4 and, if an error occurs, the processor shall be liable to the responsible party as though the error had been committed by the processor.
The maximum liability of the processor for damages as referred to in Article 6.5 shall be limited to the amount agreed in the agreement (inclusive of the general conditions of the processor).
ARTICLE 7. SECURITY
The processor shall take appropriate technical and organisational measures with regard to the processing of personal information to be undertaken, against loss as well as against any form of unlawful processing (including access by unauthorised persons, degradation or deterioration, modification or transmission of the personal information).
Despite the obligation of the processor to adopt appropriate security measures in accordance with the first section in this article, the processor cannot absolutely guarantee that the security will be effective under all circumstances. Should a threat to – or actual breach of – these security measures occur, the processor shall nevertheless do everything it possibly can to limit, as far as possible, loss of personal information.
Should a particular security measure which has been described in the processing agreement be lacking, then the processor shall nevertheless ensure that the security actually provided is sufficient in accordance with a level of security that is not unreasonable, taking into consideration the current state of technology, the sensitivity of the personal information and the costs required to implement the security.
The responsible party shall only make personal information available to the processor for processing if the responsible party is satisfied that the required security measures have been adopted.
ARTICLE 8. OBLIGATION TO NOTIFY
In the event of a data leak (which shall be understood to include: a breach of the security of the personal information leading to a significant possibility of harmful consequences, or indeed actual harmful consequences with regard to the protection of personal information, within the meaning of Article 34a of the Personal Data Protection Act), the processor shall endeavour to notify the responsible party as soon as possible in this regard, in any case within forty-eight (48) hours after the processor becomes aware of the data leak.
The obligation to notify shall only apply if the data leak has actually taken place and shall in any case comprise notification of the fact that a data leak has occurred, together with the following information, as far as this information is available to the processor:
- the (suspected) cause of the leak;
- the consequences (thus far known) of the leak;
- the (proposed) solution;
- contact information for following up on the notification;
- the number of persons whose data has been leaked, or the minimum and maximum number of persons whose data has been leaked in the event an exact number is not known;
- a description of the group of persons whose data has been leaked;
- the type or types of personal data that has been leaked;
- the date when the leak took place, or the period during which the leak took place in the event the exact date is not known;
- the date and time when the processor became aware of the leak, or the date and time when the third party or subcontractor introduced by the processor became aware of the leak;
- whether the data have been encrypted, hashed or otherwise rendered unreadable or inaccessible to unauthorised parties;
- as well as the measures, both undertaken and contemplated, for plugging the leak and limiting the effects of the leak.
The responsible party shall determine itself whether to notify the relevant authorities and/or concerned party or parties, and the responsible party shall assume responsibility for compliance with (legal) notification requirements. If required in accordance with the laws and regulations regarding privacy, the processor shall cooperate with regard to notification of the relevant authorities or concerned parties.
ARTICLE 9. PROCESSING OF PARTIES’ REQUESTS
If a concerned party desires to exercise one of its legal rights and accordingly directs a request in this regard to the processor, then the processor shall transmit this request to the responsible party. The responsible party shall accordingly exercise due care in processing the request. The processor may provide the concerned party with notification in this regard.
Should a concerned party direct a request to exercise one of its legal rights to the responsible party, then, if the responsible party so requests, the processor shall cooperate as far as possible and as far as cooperation is reasonable. The processor shall be entitled to recover reasonable costs in this regard from the responsible party.
ARTICLE 10. OBLIGATION TO MAINTAIN CONFIDENTIALITY
The processor shall cause third parties to maintain confidentiality with respect to all personal information received from the responsible party or collected by the processor in connection with this processing agreement.
This obligation to maintain confidentiality shall not apply if the responsible party has provided its express consent to the transmission of the information to third parties if such transmission to third parties is reasonably necessary in order for the processing agreement to be implemented, or if there is a legal obligation to transmit this information to third parties.
If the processor is legally obliged to transmit information to third parties, the processor shall provide notification in this regard as soon as possible to the responsible party, as far as this may be permissible in accordance with law.
ARTICLE 11. AUDIT
The responsible party shall be entitled to have one or more audits performed by an independent expert third party bound to maintain confidentiality for supervisory review of the security requirements in accordance with Article 7 of the processing agreement.
The audit referred to in Article 11.1 shall only take place if a well-founded suspicion of misuse or abuse arises, and this can be demonstrated by the responsible party. The audit initiated by the responsible party shall take place two weeks after the responsible party has provided the notification described above.
The processor shall cooperate with respect to the audit and shall make available, in as timely a fashion as possible and within as reasonable a time as possible (whereby a period of two weeks shall be regarded as reasonable) all employees and all information reasonably required for the audit, including supporting information such as system logs.
The results of the audit shall be evaluated by the parties together and, in response thereto, either be implemented or not be implemented, as the case may be, by one of the parties alone or by both parties together.
The costs of the audit shall be borne by the responsible party.
ARTICLE 12. LIABILITY
As regards the parties’ liability for damage resulting from a culpable deficiency in compliance with the processing agreement or unlawful act or otherwise, the provisions regarding liability agreed upon in the agreement (inclusive of the general conditions of the processor) shall apply.
ARTICLE 13. DURATION AND TERMINATION
This processing agreement shall be effective for the period set out in the agreement or, if no such period is set out in the agreement, for the duration of the cooperation between the parties. There shall be no early cancellation of this processing agreement.
The parties shall only be permitted to modify or amend this processing agreement upon provision of mutual consent, but they shall cooperate fully in order to effect any modifications or amendments required in the event of any amended legislation or regulations regarding privacy.
Unless otherwise agreed by the parties, the processor shall destroy or delete all personal information in its possession following termination of the processing agreement.