Processor agreement

INNOVATIONSOFT B.V. AND INNOVATIONSOFT INTERNATIONAL B.V.

This Processor Agreement applies where Innovationsoft qualifies as a processor within the meaning of the General Data Protection Regulation (GDPR). Innovationsoft is hereinafter also referred to as Processor and the other party or client as Controller. This processor agreement (the Processor Agreement) forms an integral part of the arrangements between the Parties as agreed in the agreement between the two parties (the Agreement).

This Processor Agreement only applies to personal data of organisations based within the EEA.

1. Purposes of processing

1.1. Processor undertakes to process personal data on behalf of the Controller under the terms of this Processor Agreement. Processing will only take place as agreed in the contract between the Processor and the Controller, plus those purposes reasonably related thereto or determined by further agreement.

1.2. The personal data processed by Processor in the context of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are set out in Annex I.

1.3. Processor shall not process the personal data for any purpose other than as determined by Controller. Controller shall inform Processor of the processing purposes to the extent they are not already mentioned in this Processor Agreement.

1.4. The personal data to be processed on behalf of Controller shall remain the property of the Controller and/or the relevant data subjects.

2. Obligations of processor

2.1. In respect of the processing mentioned in Article 1, Processor shall ensure compliance with the GDPR.

2.2. Processor shall inform Controller, upon its first request to do so, about the measures taken by it regarding its obligations under this Processor Agreement.

2.3. The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of Processor, including but not limited to employees, in the broadest sense.

2.4. The Processor shall immediately notify the Controller if, in its opinion, an instruction of the Controller violates the legislation referred to in paragraph 1.

2.5. Processor shall, to the extent within its power, reasonably assist Controller regarding data protection impact assessments (DPIAs) within the scope of the Agreement. The time spent in this regard shall be at the expense and risk of Controller and shall be charged by Processor to Controller.

3. Transfer of personal data

3.1. Processor may process personal data in countries within the EEA. Transfers to countries outside the EEA are not permitted, subject to Controller’s consent.

3.2. Processor shall notify Controller of the country or countries concerned.

3.3. This article 3 does not apply to organisations with branches outside the EEA.

4. Division of responsibility

4.1. The authorised processing operations will be carried out by employees of Processor within an automated environment.

4.2. Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the Controller’s instructions and under the express (ultimate) responsibility of the Controller. For other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Controller, processing for purposes not notified to the Processor by the Controller, processing by third parties and/or for other purposes, the Processor is explicitly not responsible.

4.3. Controller warrants that the content, use and commissioning of the personal data processing operations (including but not limited to the personal data itself) referred to in this Processor Agreement are not unlawful and do not infringe any rights of third parties.

5. Engagement of third parties or subcontractors

5.1. Processor is entitled to contract third parties in the context and for the execution of this Processor Agreement and will provide a list of third parties (sub-processors) to Controller upon request.

5.2. Processor shall in any case ensure that these third parties assume in writing at least the same duties as agreed between Processor and Controller.

5.3. Processor guarantees correct compliance with the obligations under this Processor Agreement by these third parties and, in case of errors by these third parties, is itself liable for all damages as if it had committed the error(s) itself.

5.4. In case of changes of sub-processors, the Processor offers the Controller the opportunity to object. If the Controller ultimately does not consent to the change, the Processor has the right to terminate the Agreement with immediate effect and without having to pay any compensation.

6. Security

6.1. Processor shall take appropriate technical and organisational measures in relation to the processing of personal data to be performed, against loss or against any form of unlawful processing (such as unauthorised access, deterioration, modification or disclosure of the personal data).

6.2. In any case, Processor has taken the measures mentioned in the security protocol attached as Annex II to this Processor Agreement (the Security Protocol). Processor may unilaterally amend the Security Protocol at any time. It shall inform Controller of any adjustments.

6.3. In the absence of explicitly defined security measures in the Processor Agreement, Processor shall make every effort to ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.

6.4. Controller shall only make personal data available to Processor for processing if it has satisfied itself that the required security measures are in place.

7. Duty to report

7.1. Controller is responsible at all times for reporting a security breach and/or data leak (which is understood to mean: a breach of personal data security that leads to a risk of adverse consequences, or has adverse consequences, for the protection of personal data as referred to in the GDPR) to the national authority and/or data subjects. To enable Controller to comply with this legal obligation, Processor shall notify the Controller of the security breach and/or data leak within 48 hours after the leak has become known to it.

7.2. The obligation of the Processor to notify the Controller shall in any case include the notification of the fact that a data breach has occurred. In addition, the notification will include the following:

  1. the nature of the personal data breach, specifying where possible the categories of data subjects and personal data records concerned and, approximately, the number of data subjects and personal data records concerned;
  2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. the likely consequences of the personal data breach;
  4. the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects thereof.

8. Handling requests from data subjects

In case a data subject makes a request to Processor to exercise his/her legal rights, Processor shall forward the request to Controller, and Controller shall further process the request. Processor may notify the data subject accordingly. Processor will provide its reasonable assistance to Controller in relation to the request.

9. Secrecy and confidentiality

9.1. Processor shall keep confidential all personal data it processes under this Processor Agreement. Processor shall not use this information for any purpose other than the purpose for which it obtained it, nor share it with third parties.

9.2. This duty of confidentiality does not apply to the extent that Controller has given its consent to provide the information to third parties, if the provision of the information to third parties is logically necessary given the nature of the assignment provided and the performance of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.

9.3. The persons having access to the personal data have undertaken to maintain confidentiality or are bound to confidentiality by an appropriate legal obligation.

10. Audit

10.1. Processor hereby grants Controller the right to have an audit performed by an independent third party bound by confidentiality to verify compliance with the provisions of this Processor Agreement or Processor shall provide Controller with a third-party communication that can be used to assume that Processor is acting in accordance with the provisions of this Processor Agreement.

10.2. A request for an audit must be made in writing, including substantiation of what Controller wishes to have investigated.

10.3. This audit may take place once a year as well as in case of a concrete suspicion of misuse of personal data.

10.4. Processor shall cooperate with the audit and make available, as promptly as possible, all information reasonably relevant to the audit, including supporting data such as system logs, as well as the relevant employees.

10.5. The findings resulting from the audit conducted will be reviewed by Processor and may, at Processor’s discretion and in the manner determined by Processor, be implemented by Processor.

10.6. The cost of the audit shall be borne by Controller.

11. Liability

11.1. Processor’s liability provision from the Agreement shall also apply to the Processor Agreement.

11.2. Any claim for damages by Controller against Processor that is not specified and explicitly reported shall expire by the mere lapse of twelve (12) months after the claim arose.

12. Duration and termination

12.1. This Processor Agreement shall apply until such time as the Processor ceases to process personal data on behalf of the Controller.

12.2. Once the Processor Agreement has been terminated, for whatever reason and in whatever manner, Processor shall – at Processor’s option – return to Controller all personal data held by it in original or copy form, and/or remove and/or destroy such personal data and any copies thereof. This does not apply to personal data that Processor must retain in order to comply with statutory (retention) obligations.

12.3. Processor is entitled to revise this Processor Agreement from time to time. It shall give at least three months’ notice of the amendments to Controller. Controller may terminate by the end of these three months if it cannot agree to the changes. Otherwise, the changes shall be deemed to be approved by Controller.

13. Applicable law and dispute resolution

13.1. The Processor Agreement, including but not limited to the choice of forum in article 13.2, shall be governed by Dutch law. Terms used in these terms and conditions and/or other agreements may refer to Dutch legal concepts, in which case the explanation and interpretation of those concepts shall be in line with such Dutch legal concepts.

13.2. All disputes that may arise between the Parties in connection with the Processor Agreement shall be submitted to the competent court for the district in which Processor has its registered office.

Annex 1 - Personal Data

1. Specification of personal data and data subjects

1.1. Processor may process the following personal data, depending on the information stored by the Controller. This includes the following personal data: name, address, email address, gender, language, date of birth, place of birth, country of birth, phone number, mobile number, measurements, spouse (if applicable), department, location, employment details, and employee number. The Controller will not provide any other personal data to the Processor.

1.2. The Controller is solely responsible for which personal data is processed on its behalf by the Processor.

1.3. The Processor does not verify which (personal) data is being processed within client environments. Therefore, the Processor assumes by default that it acts as a processor of the category of standard personal data as outlined in Article 1.1 above and has implemented control measures accordingly.

1.4. The Controller guarantees that only personal data lawfully obtained by the Controller and authorized to be shared with the Processor will be processed. For all processing activities where required, the Processor has conducted a data protection impact assessment (DPIA).

1.5. If the Controller instructs the Processor to process citizen service numbers or special categories of personal data (such as race/ethnic origin, health data, religious/philosophical beliefs, non-conforming sexual orientation, political opinions/preferences, sexual orientation/behaviour, trade union membership, legal data, or genetic/biometric data), and requires specific control measures for such data, this must be explicitly communicated to the Processor in writing by the Controller. In such cases, the Processor must also provide the legal basis on which the personal data is processed, along with a justification for that legal basis.

1.6. The Controller must provide any special categories of personal data, along with any applicable specific control measures, in a “Personal Data Register” that complies with the requirements set out in the GDPR.

1.7. The Controller is also responsible for keeping the submitted “Personal Data Register” up to date.

1.8. If the Processor does not receive a “Personal Data Register” with any applicable additional control measures from the Controller, it will be assumed that no special categories of personal data are being processed, only standard personal data, and that the standard control measures are sufficient for the purpose of the Agreement.

1.9. The Controller guarantees that the categories of data subjects described in this Annex 1 are complete and accurate, and indemnifies the Processor against any defects or claims resulting from an incorrect representation by the Controller.