Data Processing Agreement
Company Name ……………………………………………………………
having its registered office and located at …………………………………….
Street Name + House Number …………………………………………..
Postal Code …………………………………………
Represented by ……………………………….. (authorized signatory)
(hereinafter referred to as “Controller”), and,
The private limited company Collection Company B.V. and/or C.M. Business B.V., established and with its registered office at (2514 AA) The Hague, Koninginnegracht 14 C, registered in the Trade Register under number 56170394 and hereby legally represented by (name) (hereinafter referred to as “Processor”)
Jointly hereinafter referred to as the “Parties”,
- Processor offers the Service to Controller and, in this capacity, stores personal data of Controller’s customers;
- Processor, in the context of its service provision, collects (special) personal data of Controller’s customers and processes them using the application;
- To the extent that Processor processes personal data on behalf of Controller in the context of the Agreement, Controller qualifies as the data controller for the Processing of personal data under Article 4, parts 7 and 8, of the Regulation, and Processor as the data processor;
- The Parties wish to record their agreements regarding the Processing of Personal Data by the Counterparty in this Data Processing Agreement, as referred to in Article 28, paragraph 3, of the Regulation, which are applicable to their relationship in connection with the (Processing of personal data in the context of the) aforementioned activities commissioned by and for the benefit of Controller.
Declare the following agreement:
Article 1 Definitions
1.1 In this Data Processing Agreement, the following terms, always capitalized, have the following meanings regardless of whether they are used in the plural or singular:
- General Terms and Conditions: the general terms and conditions of the Processor, which are an integral part of the Agreement;
- Agreement: the agreement concluded between Controller and Processor regarding the use of the Service of the Processor by the Controller;
- Data Processing Agreement: this agreement, including its appendices, which is part of the Agreement;
- Appendix: attachment to the Data Processing Agreement, which is an integral part of the Data Processing Agreement;
- Personal Data: all data directly or indirectly attributable to a natural person as referred to in Article 4, paragraph 1, of the GDPR;
- Processing: an operation or set of operations as part of the Agreement related to Personal Data, or a set of Personal Data, whether or not performed by automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of transmission, distribution or making available by other means, aligning or combining, protecting, erasing or destroying; in short, Processing of Personal Data as referred to in Article 4, paragraph 2, of the GDPR;
- Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.2 To the extent that capitalized terms above are not defined, the relevant definitions are included in the Agreement and/or General Terms and Conditions.
1.3 The provisions of the Agreement are fully applicable to the Data Processing Agreement. To the extent that the General Terms and Conditions contain provisions regarding the processing of personal data, the provisions of this Data Processing Agreement take precedence.
Article 2 Subject of this Data Processing Agreement
2.1 This Data Processing Agreement regulates the Processing of Personal Data by Processor in the context of the Agreement.
2.2 As part of this Data Processing Agreement, Processor undertakes to process personal data on behalf of Controller. Controller and Processor have entered into this Data Processing Agreement with respect to the execution of the Agreement. An overview of the type of Personal Data, categories of data subjects, and purposes for which the Processing of Personal Data takes place is included in Appendix 1.
2.3 Controller guarantees that the instruction for the Processing of such personal data is in compliance with all applicable laws and regulations. Controller indemnifies Processor against all claims by third parties arising from any failure to comply with this guarantee.
2.4 Controller is responsible for the Processing of personal data in the context of the Agreement, as well as for Personal Data resulting from further data processing.
2.5 Processor undertakes to process personal data exclusively for the purposes mentioned in this Data Processing Agreement and/or the Agreement. Processor may use the personal data in anonymized form for statistical purposes. Processor guarantees that, without express and written consent from Controller, it will not use the personal data processed under this Data Processing Agreement and/or the Agreement in any way, unless a legal provision applicable to Processor obliges it to process. In that case, Processor shall inform Controller, prior to the Processing, of the relevant legal provision, unless such legislation prohibits such notification for weighty reasons of public interest.
Article 3 Technical and Organizational Measures
3.1 Processor shall implement appropriate technical and organizational measures to secure Personal Data against loss or any form of unlawful Processing, ensuring a security level appropriate to the risk. These measures, taking into account the state of the art and the cost of implementation, shall guarantee an appropriate security level, considering the risks associated with the Processing and the nature of the data to be protected. Processor shall take measures to secure personal data against destruction, whether accidental or unlawful, accidental and intentional loss, tampering, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 The technical and organizational measures taken by Processor are described in Appendix 2. Controller acknowledges that it is aware of these measures, and by signing this Data Processing Agreement, Controller agrees to the measures taken by Processor.
3.3 If and to the extent that Controller expressly requests so in writing, Processor shall take additional measures to ensure the security of Personal Data.
3.4 Processor shall not process Personal Data outside the European Union, unless it has obtained explicit written consent from Controller and subject to deviating legal obligations and in compliance with applicable legal obligations. Processor shall inform Controller in advance about any such transfer, or following Controller’s prior written consent. Such consent shall not be unreasonably denied.
3.5 Processor shall provide assistance to Controller, as far as reasonably possible, in fulfilling its obligations under the GDPR to implement appropriate technical and organizational measures to ensure an appropriate level of security.
Article 4 Confidentiality – Confidentiality by Processor’s Personnel
4.1 Processor shall have all its employees involved in the execution of the Agreement sign a confidentiality declaration, whether or not included in the employment contract with those employees, stipulating, among other things, that these employees must maintain confidentiality with respect to the Personal Data. Processor shall take such measures, including securing data carriers, as are necessary to ensure compliance with this duty of confidentiality.
Article 5 Engagement of Third Parties (Sub-Processors)
5.1 Processor is permitted, within the scope of this Data Processing Agreement and the Agreement, to engage third parties and/or subcontractors (“Sub-Processors”), as listed in the Appendix. If Processor intends to engage another Sub-Processor, Processor shall inform Controller about the intended changes and provide Controller with the opportunity to object to these changes.
5.2 Processor shall contractually impose on each Sub-Processor, at a minimum, the same data protection obligations as specified in this Data Processing Agreement, including but not limited to confidentiality obligations, notification requirements, and security measures.
Article 6 Liability
6.1 Article 14 of the General Terms and Conditions regarding limitation of liability applies correspondingly.
6.2 Notwithstanding Article 6.1 of this Data Processing Agreement, Processor shall only be liable for damage caused by Processing when such Processing does not comply with specific obligations of the GDPR directed at Processor, or when Processor has acted contrary to the lawful instructions of Controller, or when Processor has demonstrably failed to meet its obligations under this Data Processing Agreement.
Article 7 Personal Data Breach
7.1 If Processor becomes aware of a Personal Data breach as defined in the GDPR and/or any other incident related to the security of Personal Data, Processor shall i) notify Controller thereof within 1 week, unless it is unlikely that the breach poses a risk to the rights and freedoms of natural persons, and ii) take all reasonable measures to prevent or limit any further violation of the GDPR. Controller acknowledges that Processor may involve third parties in this context without prior notification to Controller.
7.2 Processor shall, to the extent reasonable, provide assistance to Controller and support Controller in fulfilling its legal obligations with regard to the detected incident. Processor shall, to the extent reasonable, support Controller in fulfilling its reporting obligation regarding the Personal Data breach to the Supervisory Authority and/or the data subject, as referred to in Articles 33(3) and 34(1) of the GDPR. Processor shall not be obliged to report a Personal Data breach to the Supervisory Authority and/or the data subject.
7.3 Processor shall document all breaches of Personal Data as referred to in Article 7.1 of this Data Processing Agreement, including the facts surrounding the breach, its consequences, and the corrective measures taken. Processor shall only provide this documentation to Controller in the event of a request from the supervisory authority to Controller, as referred to in Article 33(5) of the GDPR.
Article 8 Assistance to Controller
8.1 Processor shall, as far as reasonably possible, assist Controller in fulfilling its obligations under the GDPR to respond to requests to exercise the rights of a data subject, especially the right of access (Article 15 of the GDPR), rectification (Article 16 of the GDPR), erasure (Article 17 of the GDPR), restriction of Processing (Article 18 of the GDPR), data portability (Article 20 of the GDPR), and the right to object (Articles 21 and 22 of the GDPR). Processor shall forward a complaint or request from a data subject related to the Processing of Personal Data to Controller within 1 month, who is responsible for handling the request. Processor may charge Controller for any costs associated with such assistance.
8.2 Processor shall, as far as reasonably possible, assist Controller in fulfilling its obligations under the GDPR to carry out a data protection impact assessment (Articles 35 and 36 of the GDPR). Processor may charge Controller for any costs associated with this assistance.
8.3 Processor shall make available to Controller all information necessary to demonstrate that Processor complies with its obligations under the GDPR. Furthermore, Processor shall, at the request of Controller, enable audits, including inspections, by Controller or an auditor authorized by Controller, and contribute to them. Processor may charge Controller for any costs associated with such audits, unless such audit reveals demonstrable gross negligence on the part of Processor with regard to the implementation of the security measures agreed upon in Appendix 2 of this Data Processing Agreement.
Article 9 Termination
9.1 This Data Processing Agreement ends when the Agreement ends, unless after termination of the Agreement, for any reason whatsoever, Processor still Processes or has Personal Data, in which case the Data Processing Agreement will remain in force as long as Processor Processes Personal Data. Without prejudice to the specific provisions of the Agreement, upon Controller’s first request, Processor shall erase all Personal Data or return it to Controller and delete existing copies, unless Processor is legally obligated to store the Personal Data. Processor shall provide Controller with written confirmation once the Personal Data has been destroyed at Controller’s request.
Article 10 Changes and Retention Periods
10.1 Processor is at all times entitled to amend and/or supplement this Data Processing Agreement if necessary to comply with current or future laws and regulations. Minor changes, such as obvious typos, evident omissions, and similar changes, may be made at any time without requiring Controller’s consent and without Controller being entitled to terminate the Agreement/Data Processing Agreement. The most current version of the Data Processing Agreement will be available on Processor’s website, both on the website and after logging in.
10.2 Controller shall adequately inform Processor about (legal) retention periods that apply to the Processing of Personal Data by Processor. Processor shall not Process the Personal Data for longer than in accordance with these retention periods.
10.3 The obligations arising from this Data Processing Agreement, which by their nature are intended to survive termination, will continue to apply after the termination of this Data Processing Agreement.
Signature by authorized signatory,
Appendix 1 Services of Processor:
Processor provides online services to Controller, consisting of the online portal of Processor. The services provided by Processor are described in the Agreement and the General Terms and Conditions.
The data processing agreement applies for the following purposes:
To provide the online total solution, consisting of:
- Relationship management
- Sales
- Other commercial purposes
- Financial administration
- Project administration
- Time registration
- File management
- Judicial procedures
- Recovery activities
The processing also takes place to implement and maintain the software systems.
The processing pertains to the following categories of data subjects:
- Contact details per user (name, email address, password, role, address details, phone number)
- Data provided by Controller to Processor for processing purposes (“Customer Data”)
Processor will process the following types of Personal Data:
- Data relating to Controller
- Data provided by Controller for the recovery activities
Appendix 2 Specification of Security
To maintain high-level security standards, Processor uses the following measures. Processor shall inform Controller if the described security measures are changed:
Physical security measures
- All personal data is stored on servers of Processor’s suppliers, which are certified.
- Only selected employees of Processor have access codes.
- Employee-signed confidentiality statements.
Technical security measures
- Access to the databases is restricted to a specific IP range and can only be accessed by employees of Processor.
- The server of Processor containing personal data cannot be accessed externally, except by the aforementioned employees.
- All information managed by Processor is secured with a secure modem.
- All web services of Processor are secured with SSL certificates.
- The Back Office web services are secured with the EV SSL certificate (which provides the highest level of security for authentication).
Appendix Suppliers and Sub-Processors
- Software suppliers