Data processing agreement
Parties:
- The private company with limited liability SkillReflect B.V., having its official place of business under the articles of association in Eindhoven, the Netherlands, and its principal place of business in Aarle-Rixtel, at Dorpsstraat 1 (5735 EA), hereinafter referred to as the ‘Processor’; and
- The legal entity that approved the offer, hereinafter referred to as the ‘Data Controller’.
Considerations:
A The Data Controller and the Processor have entered into an agreement for the performance of the following service: providing a training and analysis module for various skill development disciplines. This agreement results in the Processor processing Personal Data ordered by the Data Controller.
B The Data Controller and the Processor wish to document the mutual rights and obligations for Processing Personal Data by the Processor in this agreement, in accordance with the applicable Privacy Legislation.
Declare to have agreed as follows:
1. Definitions:
1.1. The terms or phrases used in this agreement have the following meanings:
(a) Data Subject: the person Personal Details relate to;
(b) Underlying Agreement: the agreement with which the Data Controller has ordered the Processor to perform Processing;
(c) Agreement: this data processing agreement including its appendices;
(d) Personal Data: all information regarding an identified or identifiable individual, that the Processor Processes or needs to Process based on the Underlying Agreement;
(e) Privacy Legislation: all applicable legislation concerning the Processing and protection of personal data, including, but not limited to the GDPR and the GDPR Implementation Act;
(f) Process/Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2. Applicability
2.1. Unless the Parties have agreed otherwise in writing, the provisions of this Agreement apply to any Processing by the Processor pursuant to the Underlying Agreement.
3. Processing by the Processor
3.1. The Processor Processes Personal Data for the Data Controller, in accordance with its written instructions and under its responsibility and in the manner laid down in the Underlying Agreement.
3.2. The Processor Processes the Personal Data only on behalf of the Data Controller, unless there are deviating legal obligations.
3.3. The Processor has no control over the purpose and means for the Processing of Personal Data and does not make any decisions about the use of the Personal Data, the provision to third parties and the duration of the storage of Personal Data.
3.4. The Processor must ensure compliance with the conditions that are imposed on the Processing of Personal Data on the basis of the applicable Privacy Legislation.
3.5. The Processor only provides access to the Personal Data to its employees insofar as this is necessary for the performance of the services under the Underlying Agreement.
3.6. The Processor may only Process Personal Data outside the Netherlands with the prior written consent of the Data Controller.
3.7. The Processor will not process the Personal Data for longer than 24 months, unless the Data Controller has explicitly instructed this in writing.
4. Provision of Personal Data to third parties
4.1. The Processor will not provide or make Personal Data available to a third party, unless on the basis of an express written order from the Data Controller or on the order of a judicial or administrative authority, provided that the Processor in that case informs the Data Controller of this within 24 hours of receiving such an order to enable the Data Controller to exercise a remedy available to it.
4.2. If the Processor is of the opinion that it must make Personal Data available to a competent authority on the basis of a legal obligation, it will only proceed to do so after consultation with and approval of the Data Controller.
5. Requests from Data Subjects
5.1. The Processor must inform the Data Controller of all requests received directly from Data Subjects in relation to Data Subject rights under applicable Privacy Legislation, including, but not limited to requests for access, rectification, erasure, limitation of processing or transfer of the Personal Data. The Processor will only respond to such a request if the Data Controller has instructed the Processor to do so in writing.
5.2. The Processor handles all requests for information from the Data Controller with regard to the Processing of the Personal Data promptly and properly.
6. Processor cooperation
6.1. The Processor will lend its assistance to the Data Controller in complying with the obligations to: (i) respond to requests from Data Subjects regarding the exercise of Data Subject rights under applicable Privacy Legislation; (ii) take appropriate technical and organisational measures to ensure a risk-adjusted security level; (iii) report data breaches to the supervisory body and the parties involved; (iv) perform a data protection impact assessment; (v) consult the supervisory body prior to Processing that entails a high risk.
7. Engaging third parties by Processor
7.1. The Processor may only engage a third party for the execution of this Agreement after prior written permission from the Data Controller, under the conditions that the Data Controller places thereby. When entering into the Agreement, the Processor has received permission to engage the third parties as listed in Appendix 1.
8. Confidentiality
8.1. The Processor will keep the Personal Data and other information obtained from the Data Controller strictly confidential, whereby it will exercise at least the same level of care as that which it takes into account with regard to the protection of its own information of a highly confidential nature.
9. Notification of data breaches
9.1. The Processor must immediately inform the Data Controller and in any case no later than within 24 hours after the Processor has become aware of any breach of security (of any nature whatsoever) that (also) relates to or could relate to the Processing of Personal Data.
9.2. The Processor must in any case provide the Data Controller with information about the following: (i) the nature of the breach, including where possible, the categories and approximate number of Data Subjects concerned; (ii) the (possibly) affected Personal Data and, approximately, the amount of affected Personal Data in question; (iii) the identified and anticipated consequences of the breach for the Processing of Personal Data and the persons involved; and (iv) the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3. The Processor will take all measures that can reasonably be expected of it to limit the (possible) damage of a security breach and will support the Data Controller with reports to Data Subjects and/or authorities.
10. Security measures and inspection
10.1. The Processor will take all appropriate technical and organisational measures to protect Personal Data against loss or any form of illegitimate processing, in accordance with Article 32 of the GDPR.
10.2. The Processor submits an overview of the security measures taken, whereby the Data Controller has indicated that the Processor has complied with the legal requirements (Appendix 2).
11. Data Controller obligations
11.1. The Data Controller agrees and guarantees (indemnification) that the Processing of the Personal Data pursuant to this Agreement complies with the applicable Privacy Legislation, and that it has a valid basis for each Processing that it orders the Processor to perform.
12. Termination
12.1. The Agreement is entered into for an indefinite period of time and ends at the time that the Underlying Agreement ends.
12.2. In the event of termination of the Agreement, the Processor will, without prejudice to a written instruction from the Data Controller, immediately return all Personal Data made available to it to the Data Controller and will destroy all digital copies of Personal Data and declare to the Data Controller that it has done so.
13. Transfer of rights and obligations
13.1. This Agreement and the rights and obligations arising from this Agreement cannot be transferred by the Processor to third parties without the prior written consent of the Data Controller.
14. Divisibility
14.1. If one or more provisions of this Agreement prove to be invalid, the Agreement will remain in effect for the remainder. The Parties will consult on the provisions that are not legally valid in order to make a replacement arrangement that is legally valid and as far as possible in line with the scope of the regulation to be replaced.
15. Applicable law and disputes
15.1. Dutch law applies to this Agreement.
15.2. All disputes arising from or with regard to this Agreement will be brought exclusively to the competent court of the Zeeland-West-Brabant district court.