This Processor Agreement applies to all forms of processing of personal data that XITENS, registered with the Chamber of Commerce under number 61228893 (hereinafter: Controller), has carried out by a party it engages for that purpose (hereinafter: Processor) on the basis of the agreement concluded between the parties (hereinafter: the General Terms and Conditions).
Article 1. Purposes of processing
- 1.1. Processor undertakes to process personal data on behalf of Controller under the terms of this Processing Agreement. Processing will only take place in the context of handling orders and payments for products or services of Controller, managing the accounting and financial administration of Controller, managing the HR administration of Controller, maintaining telephone contact with customers of Controller for the purpose of handling complaints and providing service, sending newsletters on behalf of Controller, managing the customer administration of Controller, plus those purposes that are reasonably related thereto or that are determined with further consent.
- 1.2. The personal data processed by the Processor in the context of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are included in Appendix 1. The Processor will not process the personal data for any other purpose than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as these are not already mentioned in this Processor Agreement. However, the Processor may use the personal data for quality purposes, such as surveying data subjects or conducting scientific or statistical research into the quality of its services.
- 1.3. The personal data to be processed on behalf of the Controller remain the property of the Controller and/or the relevant data subjects.
Article 2. Processor Obligations
- 2.1. With regard to the processing referred to in Article 1, the Processor shall ensure compliance with the applicable laws and regulations, including in any case the laws and regulations in the field of the protection of personal data, such as the General Data Protection Regulation.
- 2.2. Processor shall inform Controller, upon first request, of the measures taken by it with regard to its obligations under this Processor Agreement.
- 2.3. The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
- 2.4. The Processor shall immediately notify the Controller if, in its opinion, an instruction from the Controller conflicts with the legislation referred to in paragraph 1.
- 2.5. Processor shall, to the extent within its power, assist Controller in carrying out Data Protection Impact Assessments (DPIAs).
- 2.6. The Processor shall, in accordance with Article 30 GDPR, maintain a register of all categories of processing activities that it carries out on behalf of the Controller under this Processor Agreement. Upon request, the Processor shall provide the Controller with access to this register.
Article 3. Transfer of personal data
- 3.1. Processor may process the personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited.
Article 4. Division of responsibility
- 4.1. The permitted processing will be carried out by employees of the Processor within an automated environment.
- 4.2. Processor is responsible only for the processing of the personal data under this Processor Agreement, in accordance with the instructions of Controller and under the express (final) responsibility of Controller. Processor is expressly not responsible for other processing of personal data, including but not limited to the collection of personal data by Controller, processing for purposes not reported to Processor by Controller, processing by third parties and/or processing for other purposes.
- 4.3. The Controller guarantees that the content, use and order for the processing of the personal data as referred to in this processing agreement are not unlawful and do not infringe any rights of third parties.
Article 5. Engaging third parties or subcontractors
- 5.1. Processor may not use a third party in the context of this processing agreement without the prior written consent of Controller, which consent may be subject to further conditions.
- 5.2. Processor shall in any case ensure that these third parties assume in writing at least the same obligations as agreed between Controller and Processor. Controller has the right to inspect any agreements involved in this.
- 5.3. Processor is responsible for the correct compliance with the obligations under this Processor Agreement by these third parties and is itself liable for all damage in the event of errors by these third parties as if it had committed the error(s) itself.
Article 6. Security
- 6.1. Processor shall endeavor to take sufficient technical and organizational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorized access, corruption, modification or provision of the personal data).
- 6.2. Processor does not guarantee that the security is effective under all circumstances. If an explicitly described security is missing in the Processor Agreement, Processor will make an effort to ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.
- 6.3. The Controller shall only make personal data available to the Processor for processing if it has ensured that the required security measures have been taken. The Controller shall be responsible for compliance with the measures agreed upon by the Parties.
Article 7. Reporting obligation
- 7.1. The Controller is at all times responsible for reporting a security breach and/or data leak (meaning: a breach of the security of personal data that leads to a risk of adverse consequences, or has adverse consequences, for the protection of personal data) to the supervisory authority and/or data subjects. In order to enable the Controller to comply with this legal obligation, the Processor shall immediately inform the Controller of the security breach and/or data leak.
- 7.2. A notification must always be made, but only where the event has actually occurred.
- 7.3. The notification obligation shall in any event include reporting the fact that a breach has occurred. In addition, the notification obligation shall include: the nature of the personal data breach, specifying, where possible, the categories and approximate number of data subjects and personal data records concerned; the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the personal data breach; the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- 7.4. The Processor shall, in accordance with Article 33 paragraph 5 GDPR, document all data breaches, including the facts surrounding the personal data breach, its consequences and the corrective measures taken. Upon request, the Processor shall provide the Controller with access to this information.
Article 8. Handling of requests from data subjects
- 8.1. In the event that a data subject submits a request to exercise his/her legal rights (Articles 15-22 GDPR) to Processor, Processor will forward the request to Controller, and Controller will further handle the request. Processor may inform the data subject thereof.
Article 9. Confidentiality and secrecy
- 9.1. All personal data that Processor receives from Controller and/or collects itself in the context of this Processor Agreement is subject to a duty of confidentiality towards third parties. Processor will not use this information for any purpose other than that for which it obtained it, even if it is in such a form that it cannot be traced back to data subjects.
- 9.2. This confidentiality obligation does not apply to the extent that the Controller has given express permission to provide the information to third parties, if providing the information to third parties is logically necessary given the nature of the assignment given and the performance of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.
Article 10. Audit
- 10.1. The Controller shall have the right to have audits carried out by an independent third party bound by confidentiality to verify compliance with the security requirements, and anything directly related thereto.
- 10.2. This audit may take place in the event of a concrete suspicion of misuse of personal data.
- 10.3. Processor shall cooperate with the audit, provide all information reasonably relevant to the audit, including supporting data such as system logs, and make employees available as promptly as possible.
- 10.4. The findings resulting from the audit performed will be implemented by the Processor as soon as possible.
- 10.5. The costs of the audit shall be borne by the Controller.
Article 11. Liability and penalty provisions
- 11.1. Processor’s liability for damage resulting from an attributable failure to comply with the Processor Agreement, or from unlawful act or otherwise, is excluded. To the extent that the aforementioned liability cannot be excluded, it is limited per event (a series of consecutive events is considered one event) to compensation for direct damage, up to a maximum of the amount of the compensation received by Processor for the work under this Processor Agreement over the month preceding the event causing the damage. Processor’s liability for direct damage will never exceed € 100,000.00 in total.
- 11.2. Direct damage is understood to mean exclusively all damage consisting of: damage directly caused to tangible property (“property damage”); reasonable and demonstrable costs to urge the Processor to (re)perform the Processor Agreement properly; reasonable costs to determine the cause and extent of the damage insofar as it relates to direct damage as referred to herein; and reasonable and demonstrable costs incurred by the Controller to prevent or limit direct damage as referred to in this article.
- 11.3. Processor’s liability for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and therefore in any case, but not limited to, consequential damage, lost profit, lost savings, reduced goodwill, damage due to business stagnation, damage due to the failure to determine marketing objectives, damage related to the use of data or data files prescribed by the Controller, or loss, mutilation or destruction of data or data files.
- 11.4. The exclusions and limitations referred to in this article shall lapse if and to the extent that the damage is the result of intent or deliberate recklessness on the part of the Processor or its management.
- 11.5. Unless performance by Processor is permanently impossible, Processor shall only be liable for attributable failure to perform the Agreement if Controller immediately notifies Processor in writing of default, setting a reasonable period for remedying the failure, and Processor continues to fail to perform its obligations after that period. The notice of default must contain a description of the failure that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.
- 11.6. Any claim for damages by the Controller against the Processor that has not been specifically and explicitly reported shall lapse by the mere passage of twelve (12) months after the claim arose.
- 11.7. Processor shall have and maintain adequate insurance for liability in accordance with this article during the Processor Agreement. The insurance conditions for this purpose can be viewed upon request.
- 11.8. In the event of a breach of the Processing Agreement, Processor shall forfeit to Controller an immediately due fine of €100,000.00 per breach and €10,000.00 per day that the breach continues.
Article 12. Duration and termination
- 12.1. This Processor Agreement is concluded by signature of the Parties and enters into force on the date of the last signature.
- 12.2. This Processor Agreement has been entered into for the duration as determined in the General Terms and Conditions between the Parties and, in the absence thereof, in any case for the duration of the collaboration.
- 12.3. As soon as the Processor Agreement is terminated for whatever reason and in whatever manner, Processor shall — at the Controller’s option — return all personal data in its possession in original or copy form to Controller, and/or delete and/or destroy such original personal data and any copies thereof.
- 12.4. Controller is entitled to revise this Processor Agreement from time to time. It will notify Processor of the changes at least three months in advance. Processor may terminate at the end of these three months if it cannot agree to the changes.
Article 13. Applicable law and dispute resolution
- 13.1. The Processor Agreement and its implementation are governed by Dutch law.
- 13.2. All disputes that may arise between the Parties in connection with the Processor Agreement will be submitted to the competent court for the district in which the Controller is established.
Appendix 1: Specification of personal data and data subjects
Personal data
Processor will, in the context of Article 1.1 of the Processor Agreement, process the following (special) personal data on behalf of the Controller:
- Phone number
- Email address
- IP address
- Visiting behavior
- Name and address details
- Social media accounts
- Financial data
Of the following categories of data subjects:
- Customers
- Staff
- Suppliers
- Account holders
- Website visitors
- Patients
- Potential customers
- Members
- Tenants
The Controller warrants that the personal data and categories of data subjects described in this Appendix 1 are complete and correct, and indemnifies the Processor against any defects and claims resulting from an incorrect representation by the Controller.