Data Processing Agreement

Version 2.0 | 12 January 2021

The Undersigned

Full company name:

 

Address + house number:

 

Place:

 

Postal code:

 

Duly represented by:

 

Hereinafter referred to as:

the “Client”

AND

The private company with limited liability “Drawbridge54 B.V.”, trading under the trade name “Drawbridge54” and “DB54”, having its registered office at Zaagmolen 2, 3962GA, Wijk bij Duurstede, represented in this matter by Mr G.J.C. de Steur, hereinafter referred to as: “DB54”.

hereinafter referred to individually as “Party” and collectively referred to as “Parties”

Taking into account that:

  1. DB54 delivers the DB54 Tool set to the Client as laid down in the Processor Agreement;
  2. When delivering the DB54 Tool set, DB54 processes personal data of the Client;
  3. Parties are obliged under the General Data Protection Regulation to conclude a processing agreement if personal data is processed by Parties;
  4. Under the aforementioned legislation, the Client is regarded as a Controller and DB54 as a Processor;
  5. The parties therefore conclude this processor agreement (hereinafter referred to as: “processor agreement”).

Agree to the following:

  • Scope and purpose limitation
    • The subject of this Processor Agreement is making agreements about the processing of personal data as referred to in Article 28 paragraph 3 of the General Data Protection Regulation (GDPR).
      On the basis of the applicable laws and regulations and in the context of the processing of personal data, the Parties respectively distinguish and acknowledge the following roles (including the associated responsibilities): the Client is the Controller, DB54 is regarded as the Processor, and a third party possibly engaged by DB54 that processes personal data is the Sub-Processor.
      DB54 processes the personal data in the context of the performance of the agreed work and services as laid down in the Agreement, only on behalf of and on the instructions of the Client and in accordance with the processing goals as determined and described by the Client in Appendix 1.
    • If the instructions cannot be followed within the framework of the activities and services agreed in the Agreement, the Parties will consult about the (financial) consequences of the performance and follow the desired instructions. DB54 will notify the Client if, according to DB54, an instruction given by the Client is in conflict with the prevailing laws and regulations regarding the processing of personal data. If the Agreement is expanded in such a way that Annex 1 requires amendment, the Parties agree to an addendum to update Annex 1.

    • In the context of the performance of the agreed activities and services as laid down in the Agreement, DB54 will only process the personal data for the benefit of the Client, whereby DB54 is not permitted to process the Client’s personal data for its own purposes, other than agreed, and / or to provide it to third parties.
    • DB54 provides the Client with the agreed ICT resources and / or software for the processing of personal data, which resources and / or software can be used by the Client for the purposes set by it. DB54 is therefore a passive processor, in the sense that DB54 does not determine the processing goals and means at all. The purposes for processing are indicated in Appendix 1. It is the responsibility of the Client to ensure that it deploys or uses the aforementioned ICT resources in such a way that the personal data are processed in accordance with the applicable privacy legislation and pre-established legitimate purposes.
    • If and insofar as the Client is obliged by law or an (internal) regulation to involve a participation body in the implementation of the service, it will ensure that the relevant bodies or persons are informed about the purpose and means of the SaaS service and are consulted insofar as relevant in this context.
  • Confidentiality
    • Each of the Parties will take all reasonable measures to guarantee the secrecy of confidential information insofar as this is possible in connection with the performance of the Agreement.
    • The data obtained from the Client and personal data to be processed by DB54 will not be provided by DB54 to third parties, unless written permission has been granted by the Client, or unless the performance of the agreed work and services requires compliance with a legal obligation, a request from an authority, or a court decision.
    • DB54 ensures that the data is only provided to personnel of the Parties on a need-to-know basis, and that only the personnel charged with carrying out the agreed work or services have access to the (processing of) personal data.
  • Technical and organizational measures
    • The parties will ensure correct compliance with the applicable laws and regulations, including in any case laws and regulations in the field of the protection of personal data, such as the General Data Protection Regulation and the Personal Data Protection Act.
    • DB54 implements appropriate technical and organizational measures to protect personal data against loss or any form of unlawful processing. These measures guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security in relation to the risks associated with the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data. These measures include:
      a. two-factor authentication for User;
      b. SSL connection with User (encryption in transit);
      c. deployment of ISO 27001 certified hosting company;
      d. logical separation of the Client’s stored data;
      e. one-way encrypted User passwords.
    • The Client shall implement appropriate technical and organizational measures for the part for which it is responsible to protect personal data against loss or any form of unlawful processing. Taking into account the state of the art and the costs of implementation, these measures guarantee an appropriate level of security in relation to the risks associated with the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data. This concerns, for example: (i) business processes that comply with the relevant legislation regarding the processing of personal data; (ii) authorization models in which personnel who have nothing to do with, or only limited involvement with, certain data have no or regulated access to that data; (iii) workstation security; (iv) an adequate password and access policy. The Client must also ensure that it has an adequate policy regarding the (private) use of its own systems, internet and e-mail, stipulating that personal data can be logged when using applications.
    • Before commencing the agreed work, the Client informs DB54 about the technical and organizational measures it has taken as referred to in the aforementioned paragraph. It is the responsibility of the Client to notify DB54 in a timely manner of new or amended policy with regard to the technical and organizational measures that it is required to take pursuant to laws, regulations and generally accepted standards.
    • The Client itself assesses to what extent a data protection impact assessment (PIA) as referred to in Article 35 GDPR is necessary. If DB54 believes in its sole discretion that a PIA should be performed in a specific case, DB54 will inform the Client of this and request the Client to perform a PIA.
    • If the Client has carried out a data protection impact assessment (PIA) in the context of the processing of personal data, the Client will provide DB54 with a copy of the results and any measures to be taken or taken before the commencement of agreed work or delivery of agreed services.
    • During the term of the Processor Agreement, the Client is entitled to have the aforementioned measures tested by an independent expert by means of an audit, under the conditions that: (i) the audit is announced by the Client in time; (ii) the costs for the audit (including independent third party costs as referred to above and the costs for freeing one or more employees of DB54 who support the auditor, at the hourly rate for the relevant employee(s)) are borne by the Client; and (iii) the outcome of the audit is discussed with DB54.
    • Before the Client proceeds to an audit, the Client first consults and assesses the reports available at DB54 and if the Client subsequently believes that the consulted reports are insufficient, then he must state the reasons and arguments in the request that still warrant an audit. An audit as referred to here can only be carried out under the cumulative conditions as mentioned in the aforementioned paragraph.
  • Third parties
    • DB54 may use a Sub-Processor in the context of the Agreement. The Client hereby gives general permission in advance for the engagement of Sub-Processors. The list of Sub-Processors is attached to this Processor Agreement in Appendix 2. This list can be expanded by DB54 at its own discretion and judgment. Should DB54 expand the list with new Sub-Processors, the Client will be informed of this in a timely manner, whereby the Client will be given the opportunity to object to the intended new Sub-Processors.
    • If and insofar as the objection referred to in the previous paragraph is reasonable and well-founded, DB54 and the Client will look for reasonable solutions to remove the objections and to meet the wishes. If the Client and DB54 are unable to arrive at a workable solution, the Client is entitled to terminate the Processor Agreement and the agreements associated with it and / or related (such as the Agreement) with due observance of a notice period of 30 (thirty) days.
    • DB54 is not allowed to transfer the personal data to a country outside the E.U. / E.E.A. without the consent of the Client. This does not apply to transfers to the Sub-Processors as laid down in Appendix 2.
    • DB54 concludes sub-processor agreements with the aforementioned Sub-Processors if and as far as possible.
    • DB54 cannot guarantee for every Sub-Processor that DB54 will be notified by the Sub-Processor about changes to sub-sub-processors.
  • Data leaks and data subjects’ rights
    • If DB54 suspects or has come to know that the personal data of the Client has been compromised (security breach or a data breach), DB54 will immediately report this to the Client. Based on this, the Client will assess whether it will inform those involved and / or report the incident to the supervisory authority designated by law. The Client is and always remains responsible for any legal obligation to do so. Nevertheless, DB54 will cooperate insofar as necessary to be able to comply with the legal obligations resting on the Client.
    • In the event that a data subject submits a request for access, correction or deletion to DB54, or wishes to exercise any other right that is due to him, DB54 will forward the request to the Client, and the Client will further process the request. DB54 informs the data subject of this. Insofar as not contrary to any legal provision, DB54 will, upon request, cooperate with the Client in handling the request.
    • At the first request of the Client: (i) DB54 will provide information requested by the Client regarding the processing of the Client’s personal data; and (ii) DB54 will cooperate with the Client if and insofar as this is necessary to fulfill the obligations of the Client under the applicable laws and regulations with regard to the processing of personal data. The second sentence of article 3 applies mutatis mutandis.
  • Other provisions
    • The Client guarantees that the content, the use and the order to process the personal data as referred to in this Processor Agreement is not unlawful and does not infringe any right of third parties. The Client indemnifies DB54 against all claims related to this.
    • This Processor Agreement continues as long as DB54 performs activities and / or services for the Client. Afterwards, DB54 will destroy the personal data of the Client, or if the Client so requests, it will supply the personal data to the Client, before destroying the personal data. DB54 provides a statement at the Client’s first request that the personal data have been destroyed.
    • The Client is responsible for the way in which he supplies the data to DB54. It is therefore his responsibility to check whether the way in which the data is supplied to DB54 complies with the relevant legislation and / or (internal compliance) regulations. In doing so, the Client takes into account the applicable guidelines of DB54 for the supply of data. If the delivery by the Client does not fit within the guidelines that DB54 uses for this, DB54 has the right to refuse the desired method of delivery and / or to request a delivery that is in accordance with the guidelines of DB54. The Client indemnifies DB54 against all claims and / or damage if and insofar as the data has not been supplied to DB54 in accordance with the relevant regulations and / or (internal compliance) regulations.
    • Dutch law applies to this Processor Agreement. Disputes arising from this Processor Agreement will be submitted to the competent court.
    • This Processor Agreement serves as an addendum to the Agreement. Therefore, this Processor Agreement cannot be viewed separately from the Agreement. In the event of a conflict between the provisions of this Processor Agreement and the Agreement, the provisions of this Processor Agreement will prevail.

Agreed and recorded in duplicate.

DrawBridge54 B.V.

Wijk bij Duurstede

Date: ________

Mr. G.J.C. de Steur

Date: ________

Annex 1 | Personal data to be processed and purpose of processing

| Category | Data | Purpose |
|---|---|---|
| Users | User name | For identification within DB54 Tool set, so that other Users recognize the relevant User. |
| | Email address User | Login |
| | Password | Login |

Annex 2 | Sub-processors

| Company | Activity | Inside or outside E.U. / E.E.A. | Instrument underlying transfer if outside E.U. / E.E.A. |
|---|---|---|---|
| Strato B.V. | Hosting | Within E.U. | n/a |