Processing Agreement

This document describes how handles your data

This GDPR data processing agreement - like the general terms and conditions - forms an integral part of every agreement regarding services between BV, located in Zwolle, NL and registered with the Chamber of Commerce under number: 69588686 (hereinafter: “”), and her client.

This document has been translated from Dutch and may contain errors. In any case of doubt, the Dutch text is leading. Dutch law applies to this agreement and wherever GDPR is mentioned, the Dutch AVG legislation is meant.

In the context of this Data Processing Agreement, is regarded as “Processor” and the client (or other party) as “Controller”.

Considering that:

The Controller has concluded an agreement with its customers and the Controller wishes to engage the Processor for the implementation of that agreement;

Controller and Processor have concluded an Agreement for the purpose of the foregoing;

In the performance of the Agreement, the Processor can in some cases be regarded as a Processor within the meaning of Article 1 sub e of the General Data Protection Regulation (hereinafter: “GDPR”);

Controller is regarded as Controller within the meaning of Article 4.7 of the GDPR;

Where this Processing Agreement refers to personal data, this means personal data within the meaning of Article 4.7 of the GDPR (AVG);

The Processor is prepared to comply with obligations regarding security and other aspects of the GDPR, insofar as this is within its power;

The GDPR imposes the obligation on the Controller to ensure that the Processor offers sufficient guarantees with regard to the technical and organizational security measures with regard to the processing operations to be carried out;

The GDPR also imposes an obligation on the Controller to monitor compliance with those measures;

Partly in view of the requirement of Article 28.3 of the AVG, the parties wish to record their rights and obligations in writing by means of this Processor Agreement (hereinafter: “Processor Agreement”), where terms from the AVG or General Data Protection Regulation (AVG) are mentioned in this Processor Agreement , this refers to the corresponding terms from the AVG or AVG;

Where this Processor Agreement refers to the AVG, from 25 May 2018 this refers to (the corresponding provisions from) the AVG.

Have agreed as follows:

Article 1.1 Purposes of processing

1. Processor undertakes to process personal data under the terms of this Processor Agreement on behalf of the Controller. Processing will only take place within the framework of the Processor Agreement – on the basis of which, among other things, data from the controller is hosted and services are provided to the controller – and those purposes that are reasonably related thereto or are set out with further consent in the Agreement.

2. The Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in this Processor Agreement.

3. Processor has no control over the purpose and means of processing personal data. Processor does not make any decisions about the receipt and use of the personal data, the provision to third parties and the duration of the storage of personal data.

4. The controller guarantees that, from 25 May 2018, when the GDPR becomes applicable, it will keep a register of the processing operations regulated under this Processor Agreement. The Controller indemnifies the Processor against all claims and claims related to failure to properly comply with this registration obligation.

Article 1.2. Obligations Processor

1. With regard to the processing operations referred to in Article 1, the Processor will ensure compliance with the conditions that, pursuant to the GDPR, are set for the processing of personal data.

2. The Processor will inform the Controller, at its request and within a reasonable period of time, about the measures it has taken regarding its obligations under this Processor Agreement.

3. The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor.

4. The Processor will inform the Controller if, in its opinion, an instruction from the Controller is in conflict with relevant privacy laws and regulations.

5. The Processor will provide the necessary cooperation to the Controller if a data protection impact assessment, or prior consultation of the supervisory authority, is necessary in the context of the processing.

Article 1.3. Transfer of personal data

1. Processor may process the personal data in countries within the European Union. In addition, if applicable, the Controller hereby grants the Processor permission for the processing of personal data in countries outside the European Union, with due observance of the relevant laws and regulations.

2. The Processor will inform the Controller, at its request, of the country or countries involved.

Article 1.4. Division of responsibility

1. Parties will ensure compliance with applicable privacy laws and regulations.

2. The permitted processing will be carried out by the Processor within an automated environment.

3. The Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Processing Officer and under the explicit (final) responsibility of the Processing Manager. The Processor is not responsible for all other processing of personal data, including in any case but not limited to the collection of the personal data by the Controller, processing for purposes that have not been reported to the Processor by the Controller, processing by third parties and/or for other purposes. . The responsibility for these processing operations rests exclusively with the Controller.

4. The controller guarantees that the content, the use and the order to process personal data, as referred to in this Processor Agreement, is not unlawful and does not infringe any right of third parties and indemnifies the processor against all claims and claims related to this.

Article 1.5. Engaging third parties or subcontractors

1. Controller hereby grants Processor permission to engage third parties (sub-processors) for the processing.

2. At the request of the Controller, the Processor will inform the Controller as soon as possible about the sub-processors it has engaged. The controller has the right to object to the engagement of a sub-processor. This objection must be submitted in writing, within two weeks and supported by arguments.

3. The Processor unconditionally ensures that these third parties assume the same obligations in writing as agreed between the Controller and the Processor. Processor guarantees correct compliance with these obligations by these third parties.

Article 1.6. Security

1. Processor will make every effort to take appropriate technical and organizational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, damage, alteration or provision of the personal data). At the request of the Controller, the processor will provide information about the security measures taken.

2. Processor does not guarantee that the security is effective under all circumstances. The Processor will make every effort to ensure that the security meets a level that is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs associated with taking the security into account.

3. The Controller will only make personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken.

4. The Controller is responsible for compliance with the measures agreed upon by the Parties.

Article 1.7. Duty to report

1. In the event of a security breach and/or a data breach (which is understood to mean: a breach of the security of personal data that leads to a significant chance of adverse consequences, or has adverse consequences, for the protection of personal data, as referred to in Article 33.1 of the GDPR), the Processor will make every effort to inform the Controller within 48 hours, on the basis of which the Controller will assess whether or not it will inform the supervisory authorities and/or data subjects. Processor makes every effort to make the information provided complete, correct and accurate.

2. If required by law and/or regulations, the Processor will cooperate in informing the relevant authorities and any parties involved. Controller is responsible for reporting to the relevant authorities.

3. The duty to report in any case includes reporting the fact that there has been a leak, as well as:

What is the (alleged) cause of the leak;

What is the (as yet known and/or expected) consequence;

What is the (proposed) solution;

What are the measures already taken;

Contact details for following up the report;

Who has been informed (such as the person concerned, Controller, supervisor).

Article 1.8. Handling requests from data subjects

1. In the event that a data subject sends a request about his personal data to the Processor, the Processor will forward the request to the Controller and inform the data subject thereof.

The controller will then handle the request independently. If it appears that the Controller needs help from the Processor for the implementation of a request from a data subject, the Processor will cooperate and the Processor may charge costs for this.

Article 1.9. Secrecy and Confidentiality

1. All personal data that the Processor receives from the Controller and/or collects itself in the context of this Processor Agreement is subject to a duty of confidentiality towards third parties. Processor will not use this information for any other purpose than for which it was obtained, unless it has been brought into such a form that it cannot be traced back to those involved.

2. This duty of confidentiality does not apply:

insofar as the Controller has given explicit permission to provide the information to third parties;


if the provision of the information to third parties is logically necessary for the implementation of the Main Agreement or this Processor Agreement;


if there is a legal obligation to provide the information to a third party.

Article 1.10. Audit

1. The controller has the right to have audits carried out by an independent ICT expert who is bound by confidentiality to verify compliance with all points of this Processor Agreement.

2. This audit will only take place after the Controller has inquired with the Processor whether similar audit reports are available and, if this is the case, has requested and assessed the available audit reports and has provided reasonable arguments that still justify an audit initiated by the Controller. Such an audit is justified if the similar audit reports available at the Processor provide no or insufficient information about the Processor's compliance with this Processor Agreement. The audit initiated by the Controller takes place once a year two weeks after prior announcement by the Controller.

3. Processor will cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as soon as possible and within a reasonable period of time, whereby a maximum period of two weeks is reasonable, unless an urgent interest opposes this. , providing.

4. The findings resulting from the audit performed will be assessed by the Parties in mutual consultation and, as a result thereof, will or will not be implemented by one of the Parties or by both Parties jointly.

5. The reasonable costs for the audit are borne by the Controller, on the understanding that the costs for the ICT expert to be hired will always be borne by the Controller.

Article 1.11. Duration and Termination

1. The Processor Agreement has been entered into for the duration as stipulated in the Agreement between the Parties and, in the absence thereof, in any case for the duration of the collaboration.

2. The Processor Agreement cannot be terminated prematurely.

3. Parties may only change this Processing Agreement with mutual consent.

4. After termination of the Processor Agreement, the Processor will destroy the personal data received from the Controller after one (1) calendar month, unless the parties agree otherwise.

Article 1.12. Other provisions

1. The Processor Agreement and its implementation are governed by Dutch law.

2. All disputes that may arise between the Parties in connection with the Processor Agreement will be submitted to the competent court in the district where the Processor is located.

3. If privacy legislation changes, the parties will cooperate in amending this Processor Agreement in order to (continue to) comply with this legislation.

4. Logs and measurements made by the Processor count as compelling evidence, unless evidence to the contrary is provided by the Processing Officer.

5. In the event of conflict between different documents or their annexes, the following order of precedence applies:

• the agreement;

• this Data Processing Agreement;

• the terms and conditions;

• any additional conditions.

We use cookies uses cookies to make sure the website works as expected. In addition to functional cookies, we also use analytical and cookies from third parties. These cookies are used to measure website visits.

Choose ”Agree” to accept the cookies. Choose ”Set preferences” to decide which specific cookies you accept.

Do you need more information? Please read our cookie statement.