Processor Agreement

According to the General Data Protection Regulation

Article 1. Introductory provisions

Article 1.1.

The terms in this Processing Agreement that are defined in the GDPR have the meaning as described therein.

Article 1.2.

Where this Processing Agreement refers to a provision from the Wbp, as of May 25, 2018, the corresponding provision from the General Data Protection Regulation (the ‘GDPR’) is meant.

NB:

The Processor is Happy to Host You; the responsible party is the customer.

 

Article 2. Purposes of the processing

Article 2.1.

The Processor undertakes to process personal data on behalf of the Controller under the conditions of this Processing Agreement. Processing will only take place in the context of the execution of the Agreement and for purposes determined with further consent.

Article 2.2.

The Controller himself determines which (types of) personal data he has processed by the Processor and to which (categories of) data subjects these personal data relate. The processor has no influence on this.

Article 2.3.

The Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as these have not already been mentioned in the Processing Agreement.

Article 2.4.

The personal data to be processed on behalf of the Controller remains the property of the Controller or the relevant data subject(s).

Article 2.5.

The Controller guarantees that the content, use and order to process personal data as referred to in the Processing Agreement is not unlawful and does not infringe any right of third parties. In addition, the Controller ensures:

  • that the processing of personal data falls under one of the exemptions under the GDPR, or, if this is not the case, that a notification has been made to the Dutch Data Protection Authority; and
  • that it will keep a register of the processing operations regulated under this Processing Agreement from 25 May 2018.

Article 2.6.

The Controller indemnifies the Processor against all claims relating to a failure to comply, or to comply correctly, with the obligations set out in Article 2.5.

 

Article 3. Processor obligations

Article 3.1.

With regard to the processing referred to in Article 2, the Processor will ensure compliance with the conditions that, on the basis of the GDPR, are imposed on the processing of personal data by the Processor.

Article 3.2.

The Processor will inform the Controller, at its first request, about the measures it has taken regarding its obligations under this Processing Agreement and the Wbp and GDPR.

Article 3.3.

The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Processor.

 

Article 4. Transfer of personal data

Article 4.1.

The processor may process the personal data in countries within the European Union.
Transfer to countries outside the European Union is only permitted in compliance with the applicable regulations of the GDPR.

Article 4.2.

The Processor will inform the Controller at his request which country or countries are involved.

 

Article 5. Division of responsibility

Article 5.1.

The permitted processing will be carried out by the Processor within a (semi) automated environment under the control of the Processor.

Article 5.2.

The Processor is only responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of the Controller and under the explicit (ultimate) responsibility of the Controller.

Article 5.3.

The Processor is not responsible for all other processing of personal data, including in any case the collection of personal data by the Controller, processing for purposes that have not been reported to the Processor by the Controller, processing by third parties or for other purposes.

 

Article 6. Engaging third parties or subcontractors

Article 6.1.

The Controller gives the Processor permission to use third parties when processing personal data on the basis of this Processing Agreement, in accordance with the applicable privacy laws and regulations.

Article 6.2.

If the Controller so requests, the Processor will inform the Controller as soon as possible about the third parties it has engaged. The Controller has the right to object to any third parties engaged by the Processor.

Article 6.3.

The processor will not object on unreasonable grounds and must provide sufficient motivation for the objection. If the Controller objects to third parties engaged by the Processor, the Parties will enter into consultation to reach a solution.

Article 6.4.

The Processor ensures that third parties engaged by it undertake written obligations that are at least as strict as the obligations incumbent on the Processor under the Processing Agreement.

Article 6.5.

The Processor guarantees correct compliance with the obligations referred to in Article 6.4 by these third parties and is liable to the Controller in the event of errors as if it had committed the error(s) itself.

Article 6.6.

The maximum liability of the Processor for damage as referred to in Article 6.5 is limited to the amount agreed in the Agreement (including the General Terms and Conditions of the Processor).

 

Article 7. Security

Article 7.1.

The processor will take appropriate technical and organizational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or provision of the personal data).

Article 7.2.

Although the Processor must take appropriate security measures in accordance with the first paragraph of this article, the Processor cannot fully guarantee that the security is effective under all circumstances. However, in the event of a threat of – or actual breach of – these security measures, the processor will do everything possible to limit the loss of personal data as much as possible.

Article 7.3.

If explicitly described security is missing in the Processing Agreement, the Processor will ensure that the security meets a level that is not unreasonable, taking into account the state of the art, the sensitivity of the personal data and the costs associated with providing security.

Article 7.4.

The Controller only makes personal data available to the Processor for processing if the Controller has ensured that the required security measures have been taken.

 

Article 8. Reporting obligation

Article 8.1.

In the event of a data leak (which is understood to mean: a breach of the security of personal data that leads to a significant risk of adverse consequences, or has adverse consequences, for the protection of personal data, within the meaning of Article 34a Wbp), the Processor makes every effort to inform the Controller of this as soon as possible, but in any case within 48 hours after the data breach has become known to the Processor.

Article 8.2.

The reporting obligation only applies if the leak has actually occurred and in any case includes reporting the fact that there has been a data leak, as well as, insofar as this information is available from the Processor:

  • what the (alleged) cause of the leak is;
  • what the (as yet known or expected) consequence is;
  • what the (proposed) solution is;
  • contact details for following up on the report;
  • the number of persons whose data has been leaked, or the minimum and maximum number of persons whose data has been leaked if no exact number is known;
  • a description of the group of persons whose data has been leaked;
  • the type or types of personal data that have been leaked;
  • the date on which the leak occurred, or the period within which the leak occurred if no exact date is known;
  • the date and time at which the leak became known to the Processor or a third party or subcontractor engaged by it;
  • whether the data has been encrypted, hashed or otherwise made unintelligible or inaccessible to unauthorized persons;
  • and what the proposed and already taken measures are to close the leak and to limit the consequences of the leak.

Article 8.3.

The controller itself assesses whether it will inform the relevant authorities and/or data subject(s) and is responsible for compliance with (legal) reporting obligations. If privacy laws and regulations require this, the Processor will cooperate in informing the relevant authorities or data subjects.

 

Article 9. Handling requests from data subjects

Article 9.1.

If a data subject wishes to exercise one of his legal rights and submits a request to that effect to the Processor, the Processor will forward this request to the Controller. The person responsible will then take care of handling the request. The Processor may inform the data subject of this.

Article 9.2.

In the event that a data subject submits a request to the Controller to exercise one of his legal rights, the Processor will, if the Controller so requests, cooperate to the extent possible and to the extent that this is reasonable. The Processor may charge the Controller reasonable costs for this.

 

Article 10. Duty of confidentiality

Article 10.1.

All personal data that the Processor receives from the Controller or that the Processor itself collects in the context of this Processing Agreement is subject to an obligation of confidentiality towards third parties.

Article 10.2.

This confidentiality obligation does not apply to the extent that the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary for the execution of the Processing Agreement, or if there is a legal obligation to provide the information to third parties.

Article 10.3.

If the Processor is legally obliged to provide information to a third party, the Processor will inform the Controller of this as soon as possible to the extent permitted by law.

 

Article 11. Audit

Article 11.1.

The controller has the right to have audits carried out by an independent expert third party who is bound by confidentiality to check the security requirements as agreed in Article 7 of the Processing Agreement.

Article 11.2.

The audit referred to in Article 11.1 will only take place if there is a concrete suspicion of abuse that has been demonstrated by the Controller. The audit initiated by the Controller will take place two weeks after prior announcement by the Controller.

Article 11.3.

The Processor will cooperate with the audit and will make available all information reasonably relevant to the audit, including supporting data such as system logs, as well as employees, as promptly as possible and within a reasonable period, with a maximum period of two weeks being reasonable.

Article 11.4.

The findings resulting from the audit carried out will be assessed by the Parties in mutual consultation and, based on this, may or may not be implemented by one of the Parties or by both Parties jointly.

Article 11.5.

The costs of the audit are borne by the Controller.

 

Article 12. Liability

Article 12.1.

The liability arrangement agreed in the Agreement (including the general terms and conditions of the Processor) is declared applicable to the liability of the Parties for damage resulting from an attributable shortcoming in the fulfillment of the Processing Agreement, or from an unlawful act or otherwise.

 

Article 13. Duration and Termination

Article 13.1.

This Processing Agreement is entered into for the duration as determined in the Agreement and, failing that, in any case for the duration of the cooperation between the Parties. This Processing Agreement cannot be terminated prematurely.

Article 13.2.

The parties may only change this Processing Agreement with mutual consent, but will provide their full cooperation in adapting the Processing Agreement to any new or amended privacy laws and regulations.

Article 13.3.

After termination of the Processing Agreement, the Processor will destroy all personal data in its possession, unless the Parties agree otherwise.
