This Processing Agreement - like the General Terms and Conditions - forms an integral part of any contract for services between MijnPartnerGroep, located in Vianen and registered with the Chamber of Commerce under number: 09188646 (hereinafter: "MPG") and its counterparty.
For the purposes of this Processing Agreement, MPG shall be designated as "Processor" and the other party (Customer) as "Processor".
taking into account that
- Processor has entered into an agreement with its customers and Processor wishes to engage Processor to perform that agreement;
- Processor and Processor have entered into an Agreement for the purposes of the foregoing;
- When performing the Agreement, the Processor may in some cases be considered a Processor in the sense of article 1(e) of the Personal Data Protection Act ("WBP");
- Processor is considered a Processing Agent in the sense of Section 1(d) of the Wbp;
- where this Processing Agreement refers to personal data, this means personal data in the sense of Article 1(a) of the Wbp;
- the Processor is prepared to fulfil obligations in respect of security and other aspects of the Wbp to the extent that this is within its power;
- The Wbp imposes a duty on the Controller to ensure that the Processor provides sufficient guarantees in respect of the technical and organizational security measures relating to the processing to be carried out;
- in addition, the Wbp imposes a duty on the Processor to ensure compliance with those measures;
- Partly in view of the requirement of Article 14(5) of the Wbp, the parties wish to lay down their rights and obligations in writing by means of this Processor Agreement (hereinafter "Processor Agreement").
- Wherever terms in the Wbp or the General Data Protection Regulation (AVG) are mentioned in this Processing Agreement, the corresponding terms in the Wbp or AVG are meant;
- Where reference is made in this Processor Agreement to the Wbp, as of May 25, 2018, this refers to (the corresponding provisions from) the AVG.Have agreed as follows
Article 1. Purposes of Processing
- 1.1 - The Processor undertakes to process personal data under the terms of this Processing Agreement on the instructions of the Processing Responsible Party. Processing will only take place in the context of the Processor Agreement - under which, among other things, data of the Processor is hosted and services are provided to the Processor - and those purposes that are reasonably related to it or are set out in the Agreement with further consent.
- 1.2 - Processor will not process the Personal Data for any purpose other than as established by Processor. Processor shall inform Processor of the processing purposes insofar as they are not already mentioned in this Processing Agreement.
- 1.3 - Processor has no control over the purpose and means of processing personal data. Processor does not make decisions on the receipt and use of the personal data, the disclosure to third parties and the duration of storage of personal data.
- 1.4 - Processor warrants that, as of May 25, 2018 at the time the AVG becomes applicable, it will maintain a register of the processing operations regulated under this Processing Agreement. Processor shall indemnify Processor against all claims and demands related to the failure to properly comply with this register obligation.
Article 2. Obligations of Processor
- 2.1 - With respect to the processing referred to in Article 1, the Processor shall ensure compliance with the conditions imposed on the processing of personal data under the Personal Data Protection Act (Wbp).
- 2.2 - The Processor will inform the Processing Party, at the latter's request and within a reasonable period, of the measures it has taken regarding its obligations under this Processor Agreement.
- 2.3 - The obligations of Processor arising from this Processing Agreement shall also apply to those who process personal data under the authority of Processor.
- 2.4 - Processor shall notify Processor if, in its opinion, an instruction from Processor is in breach of relevant privacy laws and regulations.
- 2.5 - Processor will provide Processor with the necessary cooperation if a data protection impact assessment, or prior consultation of the supervisory authority, should be required in connection with the processing.
Article 3. Transfer of personal data
- 3.1 - Processor may process the personal data in countries within the European Union. In addition, if applicable, Processor hereby authorizes Processor to process personal data in countries outside the European Union, in compliance with the relevant laws and regulations.
- 3.2 - The Processor will inform the Accountable Party, at its request, of which country or countries are involved.
Article 4. Division of responsibility
- 4.1 - The parties will ensure compliance with applicable privacy laws and regulations.
- 4.2 - The permitted processing will be carried out by Processor within an automated environment.
- 4.3 - Processor is solely responsible for processing the personal data under this Processing Agreement, in accordance with the instructions of Processor and under the express (final) responsibility of Processor. For all other processing of personal data, including in any case but not limited to the collection of the personal data by Processor, processing for purposes not notified by Processor to Processor, processing by third parties and/or for other purposes, Processor is not responsible. The responsibility for these processing operations rests exclusively with Processor.
- 4.4 - The Processor warrants that the content, use and assignment of personal data processing, as referred to in this Processing Agreement, is not unlawful and does not infringe any rights of third parties and indemnifies the Processor against all claims and demands relating thereto.
Article 5. Engagement of third parties or subcontractors
- 5.1 - Processor hereby grants Processor permission to engage third parties (sub-processors) in the processing.
- 5.2 - At the request of Processor, Processor shall inform Processor as soon as possible about the sub-processors it has engaged. Processor has the right to object to the inchoate use of a subprocessor. This objection must be made in writing, within two weeks and supported by arguments.
- 5.3 - Processor shall unconditionally ensure that these third parties assume in writing the same duties as agreed between Processor and Processor. The Processor guarantees that these third parties will correctly comply with these duties and, in the event of errors made by these third parties, will itself be liable to the Processing Responsible for all damage as if it had made the error(s) itself.
Article 6. Security
- 6.1 - The Processor will make every effort to take appropriate technical and organizational measures with respect to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or disclosure of the personal data). At the request of the Processing Controller, Processor will provide the information on the security measures taken.
- 6.2 - Processor does not guarantee that the security is effective in all circumstances. Processor will make every effort to ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs involved in implementing the security.
- 6.3 - Processor will only make personal data available to Processor for processing if Processor has ensured that the required security measures have been taken. The Processing Responsible Party is responsible for compliance with the measures agreed by the Parties.
Article 7. Duty to report
- 7.1 - In the event of a security breach and/or a data leak (which is understood to mean: a breach of the security of personal data that leads to a significant risk of adverse effects, or has adverse effects, on the protection of personal data, as referred to in Article 34a of the Personal Data Protection Act), the Processor will make every effort to inform the Processing Responsible Party as soon as possible, following which the Processing Responsible Party will decide whether or not to inform the supervisory authorities and/or those involved. Processor shall make a best effort to make the information provided complete, correct and accurate. The obligation to report shall only apply if the leak has actually occurred.
- 7.2 - If required by law and/or regulations, Processor shall cooperate in informing the relevant authorities and any parties concerned. Controller is responsible for reporting to the relevant authorities.
- 7.3 - The duty to report shall in any case include reporting that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What is the (currently known and/or expected) consequence;
- What is the (proposed) solution;
- What the actions already taken are;
- Contact details for following up the report;
- Who has been informed (such as the person involved, the Processor, the supervisory authority).
Article 8. Handling of requests from data subjects
- 8.1 - In the event that a data subject makes a request about their personal data to Processor, Processor will forward the request to Processor and inform the data subject accordingly. Processor will then further handle the request independently. If it appears that the Processing Responsible requires assistance from Processor in order to implement a data subject's request, Processor will cooperate and may charge Processor for this.
Article 9. Secrecy and confidentiality
- 9.1 - All personal data that Processor receives from the Processing Party and/or collects itself in the context of this Processing Agreement is subject to a duty of confidentiality to third parties. Processor will not use this information for any purpose other than that for which it was obtained, unless it is put in such a form that it cannot be traced back to data subjects.
- 9.2 - This duty of confidentiality does not apply:
- -to the extent that Processor has given express permission to provide the information to third parties; or
- -if providing the information to third parties is logically necessary for the performance of the Master Agreement or this Processing Agreement; and
- -if there is a legal obligation to provide the information to a third party.
Article 10. Audit
- 10.1 - Processing Controller has the right to have audits carried out by an independent ICT expert who is bound by confidentiality to verify compliance with all points in this Processing Agreement.
- 10.2 - Such an audit will only take place after Processor has checked with Processor whether similar audit reports are present and if so, has requested the audit reports present, assessed them and provided reasonable arguments justifying an audit initiated by Processor. Such an audit will be justified if the similar audit reports present at Processor's premises do not provide any or sufficient evidence of Processor's compliance with this Processing Agreement. The audit initiated by Processor shall take place once a year, two weeks after prior announcement by Processor.
- 10.3 - Processor shall cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable time period, a time period of up to two weeks being reasonable unless an urgent interest dictates otherwise.
- 10.4 - The findings as a result of the audit carried out will be assessed by the Parties in mutual consultation and, as a result, will or will not be implemented by one of the Parties or by both Parties jointly.
- 10.5 - The reasonable costs of the audit will be borne by the Processor, on the understanding that the costs of the ICT expert to be hired will always be borne by the Processor.
Article 11. Duration and termination
- 11.1 - The Processing Agreement is entered into for the term specified in the Agreement between the Parties and, in the absence thereof, in any event for the duration of the collaboration.
- 11.2 - The Processing Agreement cannot be terminated in the interim.
- 11.3 - The Parties may amend this Processing Agreement only by mutual consent.
- 11.4 - After termination of the Processing Agreement, Processor shall destroy the personal data received from Processor after one (1) calendar month unless parties agree otherwise.
Article 12. Other provisions
- 12.1 - The Processor Agreement and its implementation are governed by Dutch law.
- 12.2 - All disputes that may arise between the Parties in connection with the Processing Agreement will be submitted to the competent court in the district where the Processor is located.
- 12.3 - If the privacy legislation changes, the parties will cooperate in amending this Processor Agreement in order to comply or continue to comply with this legislation.
- 12.4 - Logs and measurements made by the Processor are binding evidence, subject to evidence to the contrary to be provided by the Processing Responsible Party.
- 12.5 - In case of conflict between different documents or their annexes, the following order of precedence shall apply:
- 1. the Agreement;
- 2. this Processor Agreement;
- 3. the Service Level Agreement and any annexes;
- 4. the General Terms and Conditions;
- 5.any additional terms and conditions.