Processing agreement
In accordance with the General Data Protection Regulation
1. Introductory provisions
2. Processing objectives
3. Obligations of the processor
4. Transmission of personal information/data
5. Allocation of responsibility
6. Commission of third parties or subcontractors
7. Security
8. Obligation to report
9. Processing of concerned parties’ requests
10. Obligation to maintain confidentiality
11. Audit
12. Liability
13. Duration and termination/cancelation
Article 1. Introductory provisions
Article 1.1
The terms contained in this Processing Agreement, and which are defined in the General Data Protection Regulation, shall be interpreted in accordance with their meaning as described in the General Data Protection Regulation.
Article 1.2
Where reference is made in this Processing Agreement to a provision of the WBP (Personal Data Protection Act of the Netherlands), as of 25 May 2018, this shall be deemed to be a reference to the corresponding provision in the General Data Protection Regulation (‘GDPR’).
NB: IntoMachines shall be the processor and the client shall be the responsible party.
Article 2. Processing objectives
Article 2.1
The terms contained in this Processing Agreement, and which are defined in the General Data Protection Regulation, shall be interpreted in accordance with their meaning as described in the General Data Protection Regulation.
Article 2.2
The responsible party shall make its own determinations with regard to which (types of) personal information/data are to be processed by the processor on his or her behalf, as well as the (categories of) persons to whom this personal information/data is to relate. The processor shall have no influence with regard to this determination.
Article 2.3
The processor shall not process the personal information/data for any purpose other than as agreed with the responsible party. The responsible party shall inform the processor regarding the processing objectives, provided these have not already been described in the Processing Agreement.
Article 2.4
Personal information/data to be processed on behalf of the responsible party shall remain the property of the responsible party or of the persons concerned.
Article 2.5
The responsible party shall ensure that the contents, use as well as the order for processing of personal information are lawful in accordance with the provisions of the Processing Agreement and that the rights of third parties are not breached or infringed upon thereby. Furthermore, the responsible party shall ensure that the processing of the personal information/data falls within only one of the exemptions provided for in the General Data Protection Regulation or, if this is not the case, that notification in this regard has been provided to the competent authority for personal information/data; and that, as of 25 May 2018, they shall maintain an index of the items processed in accordance with the provisions of this Processing Agreement.
Article 2.6
The responsible party shall indemnify the processor and hold the processor harmless as against any and all claims which may arise in connection with the failure to comply, or indeed improperly comply, with the requirements contained in article 2.5.
Article 3. Obligations of the processor
Article 3.1
With respect to the processing mentioned in article 2, the processor shall ensure compliance with the conditions of the General Data Protection Regulation as they apply to the processing of personal information/data by the processor.
Article 3.2
Upon request of the responsible party, the processor shall inform the responsible party regarding the measures adopted by the processor in order to meet the processor’s objectives under this Processing Agreement, as well as under the Personal Data Protection Act of the Netherlands and the General Data Protection Regulation.
Article 3.3
The objectives of the processor under this Processing Agreement are of continuing application and shall also apply with respect to persons processing the personal information/data under the authority of the processor.
Article 4. Transmission of personal information/data
Article 4.1
The processor shall be entitled to process the personal information/data in member countries of the European Union.
Article 4.2
Upon request, the processor shall provide the responsible party with information regarding the particular country or countries to which information/data is to be transferred.
Article 5. Allocation of responsibility
Article 5.1
The approved processing shall be performed by the processor in a (semi)automated environment under the control of the processor.
Article 5.2
The processor shall only be responsible for the processing of the personal information/data in accordance with this Processing Agreement, and in accordance with the instructions provided by the responsible party and under the express (ultimate) responsibility of the responsible party.
Article 5.3
The processor shall bear no responsibility for any other or additional processing of personal information/data, including but not limited to, in any case, the collection of personal information/data by the responsible party, processing for objectives concerning which the responsible party has not informed the processor, processing by third parties or for other or additional purposes.
Article 6. Commission of third parties or subcontractors
Article 6.1
The responsible party shall consent to the processor’s commission of third parties for the processing of personal information/data under this Processing Agreement in accordance with the applicable laws and regulations regarding privacy.
Article 6.2
Upon request, the processor shall inform the responsible party as soon as possible with regard to the third parties commissioned by the processor. The responsible party shall be entitled to object to any third party or parties commissioned by the processor.
Article 6.3
The processor shall not object on unreasonable grounds and shall be required to provide reasons for its objection. If the responsible party objects to a third party commissioned by the processor, then the parties shall come together and endeavour to reach a solution.
Article 6.4
The processor shall ensure that any third party or parties it commissions agree(s) in writing to undertake an obligation regarding protection of personal information/data which is at least as strict, on its face, as the obligation of the processor under the Processing Agreement.
Article 6.5
The processor shall ensure proper compliance by the third party or parties with the obligations contained in article 6.4, and shall bear liability for errors and omissions committed by the third party or parties in the same fashion as if the processor had committed these errors or omissions itself.
Article 6.6
The maximum liability of the processor for damages as described in article 6.5 shall be limited to the amount agreed in the Agreement (with incorporation by reference of the General Conditions of the processor).
Article 7. Security
Article 7.1
The processor shall adopt suitable technical and organisational measures with regard to the anticipated processing of personal information/data, against loss as well as against any form of illegal or unlawful processing (including access by unauthorised persons, deterioration, modification as well as unauthorised disclosure).
Article 7.2
Irrespective of the fact that, in accordance with the first paragraph of this article, the processor is required to adopt suitable security measures, the processor cannot guarantee with absolute certainty that the security will be effective in all circumstances. In the event of a threat to – or actual breach of – these security measures, the processor shall adopt all measures available to limit, as far as possible, any loss of personal information/data.
Article 7.3
If security of a kind clearly described in the Processing Agreement is lacking, then the processor shall ensure that the security conforms with a level of security that is not unreasonable given the current state of technology, the sensitivity/vulnerability of the personal information/data and the costs associated with adoption of the security measures.
Article 7.4
The responsible party shall make individual personal information/data available to the processor for processing, if the responsible party has assured himself/herself that the requested security measures have been adopted.
Article 8. Obligation to report
Article 8.1
If a data leak/leak of information (which is understood to include, among other things: a breach of the security of personal information/data resulting in significant likelihood of damage, or which indeed results in damage with regard to the protection of personal information/data within the meaning of article 34a of the Personal Data Protection Act of the Netherlands) occurs, the processor shall endeavour to inform the responsible party of this fact as soon as possible, in any case within forty-eight (48) hours after the processor becomes aware of the data leak/leak of information.
Article 8.2
The obligation to report shall only apply if the leak has indeed taken place, and in any case shall include notification of the fact that a data leak has indeed occurred, along with, as far as this information is available to the processor:
- The (suspected) cause of the leak; the result of the leak (whether anticipated or still unknown)
- The (proposed) solution
- Contact information needed to follow up on the report
- The number of persons whose information has been leaked, or the minimum and maximum number of persons whose information has been leaked in the event the precise number is unknown
- A description of the group of persons whose information has been leaked
- The type or types of personal information/data that has/have been leaked
- The date the leak occurred, or the period during which the leak occurred, if the exact date is unknown
- The date and time at which the processor first became aware of the leak in the processor’s system as well as the date and time at which any sub-contractor commissioned by the processor first became aware of the leak in the sub-contractor’s system
- Whether the data has been encrypted, hashed or otherwise rendered unreadable or inaccessible to unauthorised parties
- As well as the measures adopted and already implemented to plug the leak and to limit the effects of the leak
Article 8.3
The responsible party shall make its own decision as to whether the relevant authorities and/or parties concerned need be contacted, and the responsible party shall be liable with respect to compliance with (legal and statutory) obligations regarding reporting. If required in accordance with the laws and regulations regarding privacy, the processor shall cooperate with regard to notification of the relevant authorities or concerned parties, under the circumstances.
Article 9. Processing of concerned parties’ requests
Article 9.1
If a concerned party wishes to exercise one of his or her rights and submits this request to the processor, the processor shall forward this request to the responsible party. The responsible party shall subsequently use reasonable care in the processing of the request. The processor may inform the concerned party in this regard.
Article 9.2
If one of the concerned parties directs his or her request for exercise of one of his or her legal or statutory rights to the responsible party, the processor shall, at the request of the responsible party, provide cooperation as far as this is reasonably possible. The processor shall be entitled to recover reasonable costs associated herewith from the responsible party.
Article 10. Obligation to maintain confidentiality
Article 10.1
An obligation to maintain confidentiality in favour of third parties exists with regard to all personal information/data received from the responsible party by the processor in connection with this Processing Agreement.
Article 10.2
This obligation to maintain confidentiality shall not apply if the responsible party has provided his or her express consent to the transmission of information/data to third parties, if transmission of the information to third parties is understandably necessary in connection with the execution of the Processing Agreement, or if a legal or statutory obligation exists to transmit the information/data to third parties.
Article 10.3
If the processor is under a legal or statutory obligation to transmit the information/data to third parties, the processor shall notify the responsible party of this fact as soon as possible, as far as this is required by law.
Article 11. Audit
Article 11.1
The responsible party shall be entitled to have audits performed by an independent, qualified third party who is obliged to maintain confidentiality in order to monitor compliance with the security requirements as agreed in article 7 of the Processing Agreement.
Article 11.2
The audit referred to in article 11.1 shall take place exclusively in circumstances in which the responsible party can demonstrate a reasonable and concrete suspicion that misuse has occurred. The audit initiated by the responsible party shall take place three (3) weeks following the above-mentioned declaration of the responsible party.
Article 11.3
The processor shall cooperate with regard to the audit, and, in order that the audit may be performed, shall make available all information reasonably relevant to the audit, including supporting data such as system logs as well as individual employees, as seasonably as possible and within a reasonable period of time, whereby a period of three (3) weeks shall be considered reasonable.
Article 11.4
The conclusions of the audit shall be evaluated in accordance with mutual consultation between the parties and a determination shall subsequently be made as to whether these should be transmitted to one of the parties only or to both parties concurrently.
Article 11.5
The costs of the audit shall be borne by the responsible party.
Article 12. Liability
Article 12.1
With respect to the liability to be assumed by the parties in the event of damage resulting from breach of an obligation under the Processing Agreement, or resulting from an unlawful act or otherwise, the provision governing liability contained in the Agreement (which is understood to incorporate by reference the General Conditions of the processor) shall apply.
Article 13. Duration and termination/cancelation
Article 13.1
This Processing Agreement shall become effective for the period of time indicated in the Agreement, or, failing that, in any case for the duration of the cooperation between the parties. There shall be no cancellation of this Processing Agreement while it remains executory.
Article 13.2
The parties shall only be entitled to amend this Processing Agreement in accordance with the mutual consent of both parties, and they shall cooperate fully in order to adjust or modify this Processing Agreement to accommodate any new or amended provisions or regulations under privacy law.
Article 13.3
Following termination of this Processing Agreement, the processor shall destroy all personal information/data in his or her possession, unless otherwise agreed by the parties.