This Data Processing Agreement applies to the processing of personal data by VobeSoft B.V., based in 's-Hertogenbosch and registered with the Dutch Chamber of Commerce under 76416429 (hereinafter: "Processor"), for the benefit of its customer, specifically the User of the cloud platform as provided by Processor (hereinafter: "Controller") to whom Processor provides services based on the contract concluded between these Parties.
1 Definitions and applicability
1.1 'GDPR' in this Data Processing Agreement means the General Data Protection Regulation, which is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.2 The terms used above and below, which are also defined in the GDPR, such as "personal data" and "processing" in any conjugation, have the same meaning as in the GDPR.
1.3 'Agreement' refers to the agreement, including the general terms and conditions of Processor, which the Data Subject and Processor have agreed upon, whether or not digitally via the website of Processor, regarding access to and use of the cloud platform of Processor.
1.4 This Data Processing Agreement forms an integral part of the Agreement. Provisions in the Agreement, for example, on applicable law, also apply to this Data Processing Agreement. This Data Processing Agreement is entered into for the duration of the Agreement and automatically terminates when the Agreement is terminated. This Data Processing Agreement cannot be terminated separately from the Agreement in the interim by either Processor or Controller. In case of conflict between terms in the Agreement and this Data Processing Agreement, the terms in this Data Processing Agreement take precedence over the Agreement.
2.1 Processor shall process personal data only on behalf of the Controller and based on the reasonable instructions of the Controller. The purpose of the processing consists of the provision by Processor of the services as agreed between Processor and Controller and may be further defined by the Parties in Appendix 1.
2.2 The categories of personal data and the categories of data subjects from whom this personal data originates are listed in Appendix 1.
2.3 Processor does not acquire control over the personal data. The personal data remain the property of Controller or the relevant data subjects.
2.4 The Parties shall comply with the GDPR and other applicable laws and regulations regarding personal data protection. The Controller warrants to the Processor that the Controller may process the personal data and have it processed by the Processor, as per the Agreement. If Processor reasonably believes that an instruction of Controller violates laws and regulations, Processor shall notify the Controller.
2.5 At the request of the Controller, the Processor shall provide the Controller with all reasonable cooperation in the performance of the obligations arising from Articles 32 to 36 of the GDPR. Such cooperation shall, in any case, include sharing the information required by the Controller. If support is requested that cannot be expected from Processor free of charge, the Parties will consult on a fee based on the standard hourly rate as applied by Processor.
3 Confidentiality and security of personal data
3.1 Unless otherwise instructed by the Controller or required by law, Processor shall keep the personal data confidential, and Processor shall ensure that Processor's employees are also required to maintain confidentiality.
3.2 Considering the state of technology and the cost of implementation, Processor shall implement appropriate technical and organizational security measures to protect personal data against loss or against any other form of unlawful processing.
3.3 At the request of the Controller, Processor will inform the Controller in more detail about the security measures taken. Given the general nature of Processor's services, the Controller guarantees that the security measures taken are appropriate to the nature of the personal data to be processed and the risk of the processing operations that the Controller wishes to perform within Processor's services.
3.4 Processor will periodically review and update the security measures in place to keep the security measures in line with the state of technology and to protect personal data from new threats.
3.5 If Controller is of the opinion that additional security measures must be implemented, the Parties will enter into proper consultation on this matter.
4 Data breaches
4.1 In the event of a personal data breach, also referred to as a "Data Breach," Processor shall inform the Controller about it without unreasonable delay, but at the latest within 48 hours after its discovery. Only the Controller shall assess whether notification to the supervisory authority is necessary and whether data subjects must be informed.
4.2 When reporting a Data Breach to the Controller, Processor shall provide all relevant information available at that time. Also, Processor will conduct further investigation to provide the Controller with the information necessary to report the Data Breach to the supervisory authority in the near future or to determine that such a report to the supervisory authority is not necessary.
4.3 Upon discovery of a Data Breach, Processor shall endeavor to take measures to minimize the impact of the Data Breach and to remedy the Data Breach as soon as possible. If possible, Processor will also take measures to prevent similar Data Breaches in the future.
5 Rights of data subjects
5.1 Controller shall handle requests from data subjects. Processor will provide its reasonable cooperation for this purpose so that Controller can handle the data subject's request in a timely manner.
5.2 If Processor receives a request from a data subject, Processor shall forward the request to Controller, and Controller shall further process the request. Processor may notify the data subject.
6.1 In the context of providing services to Controller and the resulting processing of personal data, Processor may engage subprocessors as listed on Processor's website.
6.2 The subprocessors engaged by Processor may change from time to time. When Processor intends to engage a new subprocessor, Processor will notify Controller by email. Following such notification, Controller shall have 14 days to object to the proposed new subprocessor. Controller agrees to the new subprocessor if Controller does not object within the aforementioned 14-day period. If Controller does object within the said period, the Parties shall enter into proper consultation to reach a solution. If no solution is found and Processor continues the engagement of the subprocessor, Controller is entitled to terminate the contract.
6.3 Subprocessors engaged by Processor, upon the written consent of Controller, shall be subject to the same data protection obligations as also contained in this Data Processing Agreement for Controller.
7 Transfer of personal data
7.1 The processing of personal data by Processor will take place within the European Economic Area (EEA). The processing of personal data outside the EEA is only permitted if an appropriate transfer mechanism in accordance with the GDPR is used, such as an adequacy decision or the conclusion of the so-called Standard Contractual Clauses.
7.2 In the event Processor or a subprocessor processes personal data outside the EEA, Processor shall provide the Controller with information about this transfer on Processor's website. Here, Processor will, in any case, indicate to which country the transfer takes place and which transfer mechanism applies.
8.1 Controller shall be entitled to periodically audit compliance with privacy laws and regulations. If Controller wishes to conduct such an audit, Controller shall first request and review existing documentation and audit reports from Processor.
8.2 If the existing documentation and/or audit reports do not address any concerns of Controller, Controller may request a (further) audit of Processor. Controller will substantiate this request, and then the Parties will agree on when such an audit can be performed and what scope this audit will have. In doing so, the Parties shall observe the following: (i) such an audit at the request of the Controller may take place once a year, (ii) the audit must be carried out by an independent expert, engaged by the Controller and bound by strict confidentiality, (iii) the Controller shall bear the costs of the audit, and (iv) the audit shall be planned and organized in a manner that causes as little disruption as possible to the normal business operations of Processor.
8.3 Processor will cooperate with the audit and provide all reasonably relevant information for the audit. The results of the audit will be discussed by Processor and Controller. If the audit reveals that Processor does not comply with this Data Processing Agreement or the privacy laws, Processor shall take measures to ensure that Processor does comply with this Data Processing Agreement and the privacy laws. Processor shall bear the cost of such measures. Information shared as part of the audit, as well as any results, is confidential and will be treated as such by Parties.
9.1 If Processor is liable to Controller for damages resulting from failure to comply with this Data Processing Agreement or applicable laws and regulations, then Processor's liability shall be limited to the amount paid out by Processor's insurer in that case. If the insurer makes no payment, then Processor's liability shall be limited to the amount paid by Controller to Processor under the Agreement in the twelve (12) months preceding the occurrence of the damage.
9.2 This limitation of liability shall not apply to the extent that the damage results from intentional or knowingly reckless acts by Processor, or in other cases where Processor's liability cannot be limited by mandatory law.
10 Return of personal data
10.1 Once this Data Processing Agreement terminates for any reason and manner, Processor shall delete the data processed by Processor on behalf of Controller after the expiration of 30 days. This applies unless a legal or state law obligation applies to Processor that shows the need to retain the personal data. During this 30-day period, the Controller may export the data. By mutual agreement, Processor is willing to make further arrangements with Controller to provide any support in migrating Controller's data on Processor's systems.
10.2 At the request of Controller, Processor will send a confirmation that the data has been deleted.
11 Closing provisions
11.1 Processor shall be entitled to amend this Data Processing Agreement by giving 30 days' advance notice of the intended amendments by email to the Controller. Controller may object to the amendments during this period, after which the Parties will enter into proper consultation regarding the proposed amendments. If the Parties fail to reach a mutual agreement and Processor implements the proposed amendments, Controller is entitled to terminate the Agreement and this Data Processing Agreement by the date the amendments take effect.
11.2 Dutch law applies to this Data Processing Agreement and its implementation. If the parties have a dispute, the Controller and Processor will do their best to resolve it jointly and in good consultation. If the Parties cannot resolve the dispute mutually, the dispute may be submitted exclusively to the competent court of the district in which Processor is located.
Appendix 1: Specification of personal data processed
The nature of the cloud platform VobeSoft entails that Controller is in control of which data of which categories of data subjects are processed. This may also change from time to time in the event that Controller modifies its environment and use of VobeSoft. Processor is not aware of this.
Categories of data subjects:
Controller, upon signing the Data Processing Agreement, anticipates that data of the following categories of data subjects will be processed:
- Employees of Controller and other persons using VobeSoft under the responsibility of Controller.
- Any clients of Controller whose data is processed by Controller in VobeSoft.
Categories of personal data:
Controller, upon signing the Data Processing Agreement, provides that the following data will be processed:
- Contact information (name, address, city, phone number, email address, etc.)
- Analytical data or metadata (IP address, log data, etc.)
The retention period of data in the cloud platform VobeSoft is controlled by Controller. At the end of the Agreement, the data will be deleted after 30 days.