Data processing agreement
Article 1 – Definitions
|GDPR||General Data Protection Regulation.|
|Data Subjects||The persons of which personal data is collected on the basis of this data processing agreement; data subjects within the meaning of what is specified in the GDPR.|
|Agreement||The underlying Data Processing Agreement, applicable between Parties.|
|Parties||Processor and Controller referred to jointly.|
|personal data||Data which can be used either directly or indirectly to identify a natural person, as intended in the GDPR.|
|Controller||You, who as a user makes use of our services and therefore you supply us with personal data of Data subjects. As such, you are the Controller in the sense of the GDPR.|
|Processor||We, Cookie First by Digital Data Solutions with the following address: Plantage Middenlaan 42a, 1018 DH Amsterdam, registered with the Chamber of Commmerce under the following number: 75762277, operating as a processor of personal data with which Controller supplies us.|
|Sub Processors||Third parties, employed by Processor for the processing of personal data for the benefit of Controller.|
Article 2 – Background
- Controller acts as a controller (also called a ‘data controller’), in the sense of the GDPR. This means that the purpose and the means of the processing of personal data are determined by Controller, and that Controller uses this data for its own personal purposes.
- Processor acts as a ‘processor’ in the sense of the GDPR. This means that Processor only processes the personal data supplied by Controller in accordance with Controller’s written instructions, as described in this Data Processing Agreement. Processor shall not process the data for its own personal purposes.
Article 3 – Execution of the processing
- In the execution of the assignment, Data Processor will handle the personal data in a careful manner and only process the personal data based on the assignment of Data Controller, in accordance with its written instructions and in accordance with this Agreement and the GDPR.
- Data Processor will not process the personal data for any other purpose than as determined by Data Controller. Data Processor has no control over the purpose and means of the processing of the personal data.
- Data Processor further guarantees that every person acting under its authority will process the personal data lawfully and in accordance with this Agreement and the GDPR.
- At the request of Data Controller, Data Processor will provide Data Controller with information about the (security) measures taken in order to comply with the obligations under the GDPR, this Agreement and other instructions from Data Controller.
Article 4 – Warranty Data Controller
Data Controller guarantees the processing of the personal data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. Data Controller indemnifies Data Processor against all claims relating to this.
Article 5 – Transfer of personal data
- In principle, Processor only processes the personal data within the confines of the European Union and the countries that have been designated by the European Commission as countries offering an adequate level of protection.
- Processor shall only pass along personal data to countries for which no adequacy decision has been taken, if this is in accordance with the requirements of the GDPR. In case the consent of Data Subjects is required, Controller shall bear the responsibility for acquiring it.
- Processor shall notify Controller in advance of any processing in another country that is not included in paragraph 1 of this article, unless such processing is legally prohibited.
Article 6 – Security measures
- Data Processor implements all appropriate technical and organisational measures to prevent loss of personal data or any form of unlawful processing. These measures shall guarantee an adequate level of protection of the personal data being processed.
- Data Processor will at least take the following security measures:
- Encryption of digital files containing personal data
- Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology
- Restriction of access to the personal data to authorised employees
- Back-ups of the personal data to restore them in time in case of physical or technical incidents
- Data Processor shall provide Data Controller with all available information to provide Data Controller assistance in carrying out security measures, conducting audits and inspections and carrying out data protection impact assessments.
- The Controller can contribute or request audits and inspections but may not conduct an audit more than once per calendar year. The audit shall be proceeded by an independent company, which is not a competitor of the Processor or related. The Controller shall reimburse the Processor for any cost or expenses incurred as a result of the audit.
Article 7 – Security incidents
- Data Processor will report any theft, loss, misuse or other form of data breach to Data Controller as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories and scope of the personal data concerned, the likely consequences of the data breach, the measures Data Processor has taken and the contact details for Data Controller to obtain more information.
- If needed, Data Processor will fully cooperate to inform the authorities and Data Subjects about such security incidents or data breaches. In addition, Data Processor will fully cooperate in carrying out risk assessments, analysing the cause of the incident or breach, identifying required corrective measures and implementing those measures.
Article 8 – Duration and termination
- Parties enter into this Agreement for an indefinite period.
- This Agreement may be terminated by the end of each month, subject to a six months notice.
- If this Agreement is terminated or dissolved, Parties must continue to comply with the provisions of this Agreement regarding confidentiality, liability, indemnification and all other provisions that are intended by nature to remain applicable between the parties after terminations or dissolution of this Agreement.
- If this Agreement is terminated or dissolved, Data Processor will return all data, including personal data, which are processed by Data Processor based on this Agreement, to Data Controller at his request. Data Controller must submit this request to Data Processor within four weeks. After this period, Data Processor will safely remove or destroy all personal data, including any copies of it, unless Data Processor is legally obliged to store the (personal) data for a longer period.
Article 9 – Confidentiality and non-disclosure
- Data Processor will treat all personal data and other data received by Data Controller as confidential. Data Processor will limit the access to this data to persons working for Data Processor, who need access to correctly process the data on behalf of Data Controller.
- All (personal) data, Data Processor receives based on this Agreement are subject to a non-disclosure obligation towards third parties. All persons employed by or working for Data Processor, as well as Data Processor itself, are required to remain secrecy regarding the personal data.
- Data Processor will not provide third parties with the (personal)data or copy, multiply or otherwise make the personal data public, without permission of Data Controller.
Article 10 – Rights of Data Subjects
- Data Processor will assist Data Controller with all requests which may be received from Data Subjects, such as the right to access, rectification or erasure.
- If Data Processor receives a request from a third party to provide access to the personal data based on an alleged (legal) obligation, data Processor will inform Data Controller in writing before he provides the third party access, so Data Controller can assess whether the request is legitimate.
Article 11 – People working under the authority of Data Processor
The obligations for Data Processor arising from this Agreement also apply to those who process personal data under the authority of Data Processor, including but not limited to employees.
Article 12 – Sub Processors
- Data Processor may sub-contract the processing of the personal data to external parties. Data Processor has sub-contracted (part of) the processing of the personal data to the following “Sub Processors”: Digital Ocean, Inc (USA), Cloudflare, Inc (USA), TransIP, BV (NL), Stripe Payments Europe, Ltd (Ireland), PayPal (Europe) S.à r.l. & Cie, S.C.A (Luxembourg).
- Data Processor may appoint new Sub Processors for the processing of the personal data. Data Processor will notify Data Controller of the addition or replacement of any Sub Processors. Data Processor is then also offered the possibility to object to this. In addition, Data Controller may request an overview of all appointed Sub Processors.
Article 13 – Indemnification
- Data Processor is responsible for all all personal data (or other data) that Data Controller has shared with Data Processor. Data Processor indemnifies Data Controller against all claims by third parties or fines by the Autoriteit Persoonsgegevens because of the transfer of this Data.
- Data Processor is only liable for direct damage suffered by Data Controller, that is unequivocally caused by a shortcoming of Data Processor.
- The limitations of liability included in this article do not apply if the damage is caused as a consequence of the wilful intent or gross negligence of Processor.
- The Data Processor is not liable for damages or fines that incur from wrong use of the software the Data Processor provides to the Data Controller.
Article 14 – Nullity
If a part of this Agreement is deemed void or voidable, this does not change the validity of the rest of this Agreement. Any invalid provision shall be replaced by a provision that is valid and which interpretation shall be as close as possible to the intent of the invalid provision.
Article 15 – Final provision
- This Agreement can only be amended in writing.
- This Agreement replaces all prior agreements between parties.
Article 16 – Applicable law
Article 17 – Competent court
The court in Amsterdam.