Home PageProcessor Agreement

Data Processing Agreement in the context of the GDPR law

The undersigned:

  1. Company Name ……………………………………………………………
    Having its registered office and principal place of business at …………………………………….
    Street name + house number …………………………………………..
    Postal code …………………………………………..
    Represented by ………………………………………….. (authorized signatory)

    (hereinafter referred to as “Client”), and,

  2. The private limited company Legalwork B.V., operating under the name ‘Collection Company’ and ‘Invorderingsbedrijf’, based on an issued license, established and having its registered office at (2514 AA) The Hague, Koninginnegracht 14C, registered in the Dutch Commercial Register under number 73065137, and duly represented by Joost Konings (hereinafter referred to as “Contractor”).

    (together hereinafter referred to as “Parties”)

Considering that:

  • The Contractor offers the Service to the Client and, in that capacity, stores personal data of the Client’s customers;
  • The Contractor collects (special) personal data of the Client’s customers in the context of its services and processes these using the application;
  • Insofar as the Contractor processes personal data on behalf of the Client under the Agreement, the Client qualifies as the data controller for the processing of personal data under Article 4, sections 7 and 8, of the Regulation, and the Contractor qualifies as the data processor;
  • The Parties wish to record their agreements regarding the processing of personal data by the Contractor in this Data Processing Agreement, as referred to in Article 28, paragraph 3, of the Regulation, which applies to their relationship in connection with the (processing of personal data within the framework of) the aforementioned activities on behalf of and for the benefit of the Client.

Declare to have agreed as follows:

Article 1: Definitions

1.1 In this Data Processing Agreement, the following terms, always written with a capital letter, shall have the following meanings whether they are used in singular or plural form:

  • General Terms and Conditions: The Contractor’s general terms and conditions, which form an integral part of the Agreement.
  • Agreement: The agreement entered into between the Client and the Contractor for the purpose of the Client’s use of the Contractor’s Service.
  • Data Processing Agreement: This Agreement, including its Appendices, which forms part of the Agreement.
  • Appendix: An annex to the Data Processing Agreement, which forms an integral part thereof.
  • Personal Data: Any data that is directly or indirectly traceable to a natural person as referred to in Article 4(1) of the GDPR.
  • Processing: Any operation or set of operations carried out on Personal Data within the scope of the Agreement, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, updating, or modifying, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, blocking, erasing, or destroying, as defined in Article 4(2) of the GDPR.
  • Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

1.2 To the extent that terms written with a capital letter are not defined above, the relevant definitions in the Agreement and/or General Terms and Conditions shall apply.

1.3 The provisions of the Agreement shall apply in full to this Data Processing Agreement. Where provisions concerning the processing of personal data are included in the General Terms and Conditions, the provisions of this Data Processing Agreement shall prevail.

Article 2: Subject of this Data Processing Agreement

2.1 This Data Processing Agreement governs the processing of Personal Data by the Contractor under the Agreement.

2.2 The Contractor undertakes under this Data Processing Agreement to process Personal Data on behalf of the Client. A summary of the type of Personal Data, the categories of data subjects, and the purposes for which the Processing takes place is included in Appendix 1.

2.3 The Client warrants that the order to process such Personal Data is in compliance with all applicable laws and regulations. The Client indemnifies the Contractor against all claims from third parties arising in any way from a failure to comply with this warranty.

2.4 The Client is responsible for the processing of Personal Data under the Agreement, as well as for Personal Data generated through further processing of data.

2.5 The Contractor undertakes to process Personal Data solely for the purposes outlined in this Data Processing Agreement and/or the Agreement. The Contractor may, however, use Personal Data in anonymized form for statistical purposes. The Contractor guarantees that, without the Client’s explicit and written consent, Personal Data processed under this Data Processing Agreement and/or the Agreement will not be used in any other manner unless a legal provision requires such processing. In such a case, the Contractor shall inform the Client in advance, unless prohibited by law for reasons of public interest.

Article 3: Technical and Organizational Measures

3.1 The Contractor shall implement (or have implemented) appropriate technical and organizational measures to secure Personal Data against loss or any form of unlawful Processing and thus provide a risk-appropriate level of security safeguards. These measures will, taking into account the state of the art and the cost of implementation, ensure an appropriate level of security, given the risks posed by the processing and the nature of the data to be protected. The Contractor shall, in any case, take measures to secure Personal Data against destruction, whether accidental or unlawful, against accidental and intentional loss, forgery, unauthorized distribution or access, or any other form of unlawful processing.

3.2 The technical and organizational measures taken by the Contractor are described in Appendix 2. The Client acknowledges having taken note of the relevant measures and agrees with the measures taken by the Contractor by signing this Data Processing Agreement.

3.3 If and to the extent that the Client expressly requests it in writing, the Contractor shall take additional measures to ensure the security of Personal Data.

3.4 The Contractor shall not process Personal Data outside the European Union unless it has obtained the express written consent of the Client and subject to applicable legal obligations, whereby the Contractor will inform the Client in advance.

3.5 Contractor will assist Client, to the extent reasonably possible, in enforcing its duty under the GDPR to provide appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Article 4: Confidentiality – Secrecy of Contractor’s Staff

4.1 The Contractor shall ensure that all employees involved in the execution of the Agreement sign a confidentiality agreement. This may be included in the employment contract and must include, at a minimum, the obligation to maintain confidentiality with respect to Personal Data. The Contractor shall implement appropriate measures, such as securing data carriers, to guarantee compliance with this confidentiality obligation.

Article 5: Engagement of Third Parties (Sub-processors)

5.1 The Contractor is permitted, within the scope of this Data Processing Agreement and the Agreement, to engage third parties and/or subcontractors (“Sub-processors”), as specified in the Schedule. If the Contractor intends to engage additional Sub-processors, it will inform the Client of the intended changes and provide the Client with the opportunity to object.

5.2 The Contractor shall ensure that any Sub-processor it engages is contractually obligated to meet at least the same data protection obligations as those outlined in this Data Processing Agreement. This includes confidentiality obligations, reporting requirements, and security measures.

Article 6: Liability

6.1 Article 14 of the General Terms and Conditions, concerning the limitation of liability, applies correspondingly to this Data Processing Agreement.

6.2 Notwithstanding Article 6.1, the Contractor shall only be liable for damage caused by Processing where it has failed to comply with specific obligations under the GDPR addressed to data processors, acted outside the lawful instructions of the Client, or failed in its obligations under this Data Processing Agreement.

Article 7: Personal Data Breach

7.1 If the Contractor becomes aware of a personal data breach as defined by the GDPR, or any other incident affecting the security of Personal Data, it will:

  • Notify the Client within 1 week, unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons;
  • Take all reasonable measures to prevent or mitigate further violations of the GDPR.

The Client acknowledges that the Contractor may involve third parties without prior notice to the Client to address the breach.

7.2 The Contractor will, to the extent reasonably possible, assist the Client in meeting its legal obligations, including reporting the breach to the Data Protection Authority and/or affected data subjects as required under Articles 33 and 34 of the GDPR. The Contractor is not responsible for making such notifications itself.

7.3 The Contractor shall not be liable for the Client’s failure to comply with its reporting obligations under Articles 33 and 34 of the GDPR.

7.4 The Contractor shall document all breaches, including their causes, consequences, and remedial actions. This documentation will only be provided to the Client in the event of a request from a supervisory authority.

Article 8: Assistance to the Client

8.1 The Contractor will, to the extent reasonably possible, assist the Client in responding to data subject requests under the GDPR, including requests for access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21 and 22). Complaints or requests received from data subjects will be forwarded to the Client within 1 month. The Contractor reserves the right to charge the Client for reasonable costs incurred.

8.2 The Contractor will also assist the Client, where reasonably possible, in conducting data protection impact assessments (Art. 35 and 36 GDPR). The Contractor may charge the Client for the associated costs.

8.3 The Contractor will provide the Client with all necessary information to demonstrate compliance with its obligations under the GDPR. At the Client’s request, the Contractor will allow audits or inspections by the Client or an authorized auditor, provided reasonable notice is given. The Contractor may charge the Client for associated costs, unless serious negligence is demonstrated during the audit.

Article 9: Termination

9.1 This Data Processing Agreement terminates when the Agreement ends, unless the Contractor continues to process or hold Personal Data for any reason. In such a case, the terms of this Agreement will remain applicable for as long as the Contractor processes Personal Data. Upon the Client’s request, the Contractor will delete or return all Personal Data and confirm in writing once this has been completed, unless retention is required by law.

Article 10: Changes and Retention Periods

10.1 The Contractor may amend this Data Processing Agreement at any time to comply with current or future legal requirements. Minor changes, such as corrections to typographical errors, may be made without prior Client approval. The latest version of the Agreement will be made available on the Contractor’s website.

10.2 The Client will inform the Contractor of applicable retention periods for the Personal Data being processed. The Contractor will not retain Personal Data for longer than specified by the Client or required by law.

10.3 Obligations under this Agreement that are intended to survive termination shall remain in effect.

Signatures

Signature by authorized signatory:

………………………………………………………
Name: ………………………………………………………

Appendix 1: Contractor’s Services

Contractor makes available to Client online services consisting of Contractor’s online portal. The services provided by Contractor are described in the Agreement and the General Terms and Conditions.
The Processing Agreement takes place for the following purposes:

  • Relationship management
  • Sales management
  • Other commercial purposes
  • Financial administration
  • Project administration
  • Calendar of events
  • Tasks
  • Correspondence
  • Time registration
  • Dossier management
  • Invoicing
  • Bookkeeping
  • Legal proceedings
  • Collection activities

Processing also takes place to implement and maintain the software systems.

The processing relates to the following categories of data subjects:

  • Contact details per user (name, email address, password, role, address details, telephone number)
  • Data provided by the Client to the Contractor for the processing purposes (“Client Data”)

Contractor will process the following type of Personal Data:

  • Data relating to the Client
  • Data provided by the Client for the purpose of collection activities

Appendix 2: Specification of Security

In order to maintain high-level security standards, the Contractor shall use the following measures. The Contractor will inform the Client if the security measures described below are changed:

Physical security measures

  • All personal data is stored on servers of the Contractor’s suppliers, which are certified.
  • Only selected employees of the Contractor have access codes.
  • Non-disclosure statements signed by employees.

Technical security measures

  • Access to the databases is limited to a specific IP range and can only be accessed by employees of the Contractor.
  • The Contractor’s server containing the personal data cannot be accessed from the outside, except for the aforementioned employees.
  • All information managed by the Contractor is secured with a secure modem.
  • All web services of the Contractor are secured with SSL certificates.
  • The Back Office web services are secured with the EV SSL certificate (this provides the highest level of security for authentication).

Appendix 3: Suppliers and Subcontractors

  • Software Suppliers
  • Bailiffs
  • Lawyers