Processor Agreement – Expivi B.V.
Last update: December 10, 2018
Article 1: Purposes of processing
1.1 The Processor undertakes to process personal data on assignment from the Processing Officer, pursuant to the conditions of this Processor Agreement. Processing shall only take place in the framework of the hosting of parts of the Processing Officer’s website, and associated online services, storage of the Processing Officer’s data in the ‘cloud’, and associated online services, plus those purposes which are reasonably related thereto, or that are determined in further consent.
1.2 The Processor shall only process (special) personal data on assignment from the Processing Officer which has been provided by the Processing Officer to the Processor in the framework of this Processing Agreement and which shall be hosted by Processor.
1.3 The Processor shall not make any independent decisions about the processing of the personal data for other purposes, including the provision thereof to third parties and the duration of the storage of data. The control over personal data provided to the Processor in the framework of this Processor Agreement or other agreements between the parties, as well as the data processed by the Processor within that framework, is vested with the Processing Officer.
1.4 The personal data to be processed on assignment from the Processing Officer remains the property of the Officer and/or the data subjects concerned.
1.5 The Processing Officer guarantees to keep a register of the processing operations regulated under this Processor Agreement. The Processing Officer indemnifies the Processor against all legal claims and claims relating to the non-compliance or incorrect compliance with the registration obligation.
Article 2: Processor’s obligations
2.1 With regard to the processing operations referred to in article 1, the Processor shall ensure compliance with applicable laws and regulations, including, in any case, the laws and regulations relating to the protection of personal data, such as the General Data Protection Regulation.
2.2 The Processor shall inform the Processing Officer, on first request, of the measures it has taken with regard to its obligations pursuant to this Processor Agreement.
2.3 The Processor’s obligations arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
2.4 The Processing Officer shall extend the necessary cooperation to the Processing Officer, if, in the context of processing, a Data Protection Impact Assessment (DPIA) or prior consultation of the supervisory authority is necessary.
Article 3: Transfer of personal data
3.1 The Processor may process the personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited, without the prior written consent of the Processing Officer.
Article 4: Distribution of responsibility
4.1 The Processor shall make ICT resources available for the processing operations that can be used by the Processing Officer for the aforementioned purposes. The Processor only carries out processing on the basis of separate agreements.
4.2 The Processor is solely responsible for the processing of the personal data pursuant to this Processing Agreement, in accordance with the assignment from the Processing Officer and under the explicit (final) responsibility of the Processing Officer. The Processor is explicitly not responsible for the other processing of personal data, including, in any case, but not limited to the collection of the personal data by the Processing Officer, processing for purposes not reported to Processor by the Processing Officer, processing by third parties and/or for other purposes.
4.3 The Processing Officer guarantees that the content, the use and the assignment for the processing of the personal data as referred to in this Agreement are not unlawful and do not infringe any rights of third parties.
Article 5: Engaging third parties or subcontractors
5.1 The Processing Officer hereby gives the Processor permission to engage a third party in the processing of personal data, based on this Processor Agreement, with due observance of the applicable privacy legislation.
5.2 The Processor shall make every effort to ensure that these third parties undertake the same obligations, in writing, as those agreed between the Processing Officer and the Processor regarding the processing of personal data.
Article 6: Security
6.1 The Processor shall take the appropriate technical and organisational measures with regard to the processing of personal data, against loss or against any form of unlawful processing (such as unauthorised inspection, violation, modification or provision of the personal data).
6.2 In any case, the Processor has taken the following measures:
- Logical access control, using passwords or keys.
- Physical measures for access security.
6.3 The Processor does not guarantee that the security is effective under all circumstances. If an explicitly described security measure is missing from the Processor Agreement, the Processor shall make every effort to ensure that the security shall fulfil a level that, as regards the state-of-the-art, the sensitivity of the personal data and the costs associated with providing the security, are not unreasonable.
6.4 The Processing Officer shall only make personal data available to the Processor for processing, if it has been ensured that the required security measures have been taken. The Processing Officer is responsible for compliance with the measures agreed by the Parties.
Article 7: Reporting obligation
7.1 In the case of a data leak concerning the personal details from the Processing Officer, the Processor shall inform the Processing Officer of this immediately, or within 24 hours of the discovery of the leak, as a result of which the Processing Officer shall assess whether it shall inform the data subjects and/or the relevant regulator(s) or not. The Processor shall make every effort to ensure the information provided is complete, correct and accurate. The reporting obligation applies regardless of the impact of the leak.
7.2 If the laws and/or regulations so require, the Processor shall cooperate in informing the relevant authorities and/or the data subjects.
7.3 The reporting obligation, in any case, includes reporting the fact that there has been a leak, as well as:
- The date on which the leak occurred (if no exact date is known: the period within which the leak occurred);
- What is the (alleged) cause of the leak;
- The date and time at which the leak became known to the Processor or to a third party or subcontractor engaged by it;
- Whether the data is encrypted, hashed, or is otherwise incomprehensible or inaccessible to unauthorised persons;
- What are the intended measures and/or measures already taken to plug the leak and to limit its consequences;
- Contact details for the follow-up of the report.
Article 8: Data subjects’ rights
8.1 In the case that a data subject submits a request to the Processor to exercise his/her legal rights, the Processor shall forward the request to the Processing Officer and inform the data subject of this. The Processing Officer shall then continue to process the request independently.
8.2 In the case that a data subject submits a request to the Processing Officer to exercise one of his/her legal rights, the Processor shall, if this is required by the Processing Party, cooperate insofar as this is possible and reasonable. The Processor may charge to the Processing Officer the reasonable costs incurred for this.
Article 9: Secrecy and confidentiality
9.1 All personal data received by the Processor from the Processing Officer and/or which is collected by it in the framework of this Processor Agreement is subject to a confidentiality obligation with regard to third parties. The Processor shall not use this information for any purpose other than the purpose for which it has obtained this information; even if the information has been put in such a form that it cannot be traced back to the data subjects.
9.2 This confidentiality obligation does not apply insofar as the Processing Officer has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the assignment and the execution of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.
Article 10: Audit
10.1 The Processing Officer has the right to have audits carried out by an independent ICT expert, who is bound by a confidentiality obligation, in order to check compliance with all the points in this Processor Agreement.
10.2 This audit shall only take place after the Processing Officer has requested and assessed similar audit reports from the Processor, and presented reasonable arguments which justify an audit initiated by the Processing Officer. Such an audit is justified when the similar audit reports from the Processor give no information or insufficient information regarding the compliance with this Processor Agreement by the Processor. The audit initiated by the Processing Officer shall take place two weeks after prior notification by the Processing Officer, and, at most, once a year.
10.3 In the case that an audit takes place, all reasonably relevant information, including supporting data, such as system logs and employees, shall be made available in as timely a manner as possible and within a reasonable period of time; with a maximum period of two weeks being reasonable. The Processing Officer shall ensure that the audit causes the least possible operational disruption to the Processor’s other work.
10.4 The findings resulting from the audit shall be assessed by the Parties in mutual consultation and, in response thereto, shall be implemented by one of the Parties or jointly by both Parties.
10.5 The costs of the audit are borne by the Processing Officer.
Article 11: Liability
11.1 The Processor’s liability for damage as a result of a culpable shortcoming in compliance with the Processor Agreement, whether from an unlawful deed or otherwise, is excluded. Insofar as the aforementioned liability cannot be excluded, per event (a series of consecutive events counts as one event) it is limited to the compensation of direct damage, to a maximum of the amount of the fees received by the Processor for the work pursuant to this Processor Agreement for the month preceding the event which caused the damage. The Processor’s liability for direct damage, in total, shall never be more than the amount of compensation received for the work pursuant to Processor Agreement over the three months prior to the event causing the damage.
11.2 Direct damage is exclusively understood to mean all damage consisting of:
- Damage directly inflicted on material property (“property damage”);
- Reasonable and demonstrable costs to remind the Processor to perform the Processor Agreement (again) properly;
- Reasonable costs to determine the cause and extent of the damage, insofar as this concerns the direct damage as referred to here; and
- Reasonable and demonstrable costs incurred by the Processing Officer to prevent or limit the direct damage as referred to in this article.
11.3 The liability of the Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and, therefore, in any case, but not limited to, consequential loss, lost profit, missed savings, reduced goodwill, loss due to business stagnation, damage due to non-determination of marketing objectives, damage related to the use of data or data files prescribed by the Processing Officer, or loss, malformation or destruction of data or data files.
11.4 The exclusions and limitations referred to in this article shall lapse, if and insofar as the damage is the result of intent or deliberate recklessness on the part of the Processor or its Management.
11.5 Unless compliance by the Processor is permanently impossible, the liability of Processor due to a culpable shortcoming in the fulfilment of the Agreement only arises if Processing Officer immediately informs the Processor in writing, establishing a reasonable term for remedying the shortcoming; and after that term, the Processor remains in culpable non-compliance with the fulfilment of its obligations. The notice of default must contain as complete and detailed a description of the shortcoming as possible, so that the Processor is given the opportunity to adequately remedy it.
11.6 Any claim for compensation by Processing Officer against Processor, which has not been specified and explicitly reported, shall expire with the passage of twelve (12) months after the time at which the claim arose.
Article 12: Duration and termination
12.1 This Processor Agreement is entered into at the moment that acceptance by the Processing Officer is communicated to the Processor and shall continue for the duration of the Agreement and, in the absence of such term, for the duration of the (further) cooperation.
12.2 As soon as the Processor Agreement has been terminated, for whatever reason and in whatever way, the Processor shall return all personal data which it has in its possession to the Processing Officer or delete and/or destroy this data.
12.3 The Processing Officer may be charged the reasonable costs for the return of the personal data and/or any copies thereof by the Processor.
12.4 The parties may only amend this agreement by mutual consent.
Article 13: Applicable law and dispute resolution
13.1 The Processor Agreement and its execution are governed by Dutch law.
13.2 All disputes that may arise between the Parties in connection with the Processor Agreement shall be submitted to the competent court of the district in which the Processor is established.
13.3 Logs and measurements made by the Processor apply as compelling evidence, subject to proof to be provided by the Processing Officer.