Data Processing Agreement
Version 1.0 | DSD Europe B.V. | May 2018
- The reseller as registered in DSD Europe’s platform as the Data Controller, (hereinafter referred to as “Controller”):
- DSD Europe B.V. based in [5245 NH] Rosmalen, at the Burgemeester Burgerslaan 40B, duly represented by Mr Thijs van de Moosdijk (hereinafter referred to as “Processor”).
- The Controller has access to personal data of various data subjects.
- The Controller wishes to have certain forms of processing carried out by the Processor.
- In this agreement, “personal data” refers to personal data within the meaning of Article 4(1) of the General Data Protection Regulation (hereinafter referred to as “GDPR”).
- The Controller designates the purposes and means for the processing to which the conditions set out herein apply.
- The Processor is prepared to do this and is also prepared to fulfil obligations with regard to security and other aspects of the GDPR, insofar as this falls under its statutory responsibility.
- The Controller may be regarded as a Data Controller within the meaning of Article 4(7) of the GDPR, but is referred to as “Controller” throughout this agreement.
- The Processor may be regarded as Processor within the meaning of Article 4(8) of the GDPR.
- In view of the requirements of Article 28(3) of the GDPR, the Parties wish to lay down their rights and obligations in writing by means of this Data Processing Agreement (hereinafter referred to as “Data Processing Agreement”).
The Parties agree as follows:
ARTICLE 1. THE PURPOSE OF THE PROCESSING
1.1. Under the terms of this Data Processing Agreement, the Processor undertakes to process personal data on the instructions of the Controller. Processing will only take place in connection with the processing of transaction data for orders placed with the Controller and with customers of the Controller, as laid down in the General Terms and Conditions of the Processor.
1.2. The Processor will not process the personal data for any purpose other than as determined by the Controller, with the exception of statistical and analytical purposes for the Processor’s own benefit.
1.3. The following types of personal data will be processed during processing by the Processor: Name and address details, email addresses, telephone numbers. In addition, the following categories of data subjects can be distinguished: reseller customers, which can be subdivided into corporate and private customers.
1.4. The Processor will not make any independent decisions about the processing of personal data. Control over personal data provided to the Processor under this Data Processing Agreement or other agreements between the Parties, as well as over data processed by the Processor thereunder rests with the Controller.
1.5. The personal data to be processed on the instructions of the Controller remains the property or possession of the Controller and/or the relevant data subjects.
ARTICLE 2. OBLIGATIONS OF PROCESSOR
2.1. The Processor guarantees compliance with the applicable legislation, which in any case includes the legislation on the protection of personal data, such as the GDPR, insofar as those obligations fall under its statutory responsibility.
2.2. Upon request, the Processor will inform the Controller of the measures it has taken with respect to its obligations under this Data Processing Agreement and the relevant legislation.
2.3. The obligations of the Processor under this Data Processing Agreement will also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
2.4. The Processor will give the Controller the opportunity to audit compliance with regard to the protection of personal data, or to have this audited, at least once a year. The Controller may make a request to this effect to the Processor. The Processor will make arrangements to this effect with the Controller. The Controller will bear the costs of an audit. The Controller will provide the Processor with a copy of the results of the audit.
ARTICLE 3. TRANSFER OF PERSONAL DATA
3.1. The Processor is permitted to process the personal data in countries within the European Union. Transfer to countries outside the European Union is only permitted after approval by the Controller and subject to the applicable legislation.
ARTICLE 4. RESPONSIBILITY AND LIABILITY
4.1. The permitted processing operations are carried out within an automated environment under the control of the Processor.
4.2. The Processor is responsible for processing the personal data under this Data Processing Agreement, in accordance with the written instructions of the Controller and solely in accordance with its statutory responsibility.
4.3. The Controller is responsible for its own processing of personal data, in which the Processor is not involved.
4.4. The Processor will be liable to the Controller if the Processor fails to fulfil its obligations under this agreement or the law due to any circumstances attributable to the Processor. The liability of the Processor towards the Controller will be limited in the manner provided for in the General Terms and Conditions of the Processor.
ARTICLE 5. ENGAGING THIRD PARTIES
5.1. Under this Data Processing Agreement, the Processor is permitted to make use of a third party and will immediately inform the Controller thereof.
5.2. In any event, the Processor will ensure that such a third party assumes in writing the same obligations as agreed between the Processor and the Controller. The Processor guarantees the correct fulfilment of these obligations by these third parties and, in the event of errors of these third parties, will be liable for damage as if it had committed the error(s) itself, except in cases of wilful intent or wilful recklessness on the part of the third party.
ARTICLE 6. DUTY TO REPORT AND DATA LEAKS
6.1. In the event of a data leak (i.e. a personal data breach) relating to the personal data of the Controller processed by the Processor, the Processor will inform the Controller thereof within 24 hours of discovery of the data leak, on the basis of which the Controller will assess whether or not to inform the data subject(s) and/or the relevant regulatory authority or authorities. The Processor warrants that the information provided is complete, correct and accurate. The Processor’s duty to report to the Controller applies regardless of the impact of the leak.
6.2. The Controller is at all times responsible for the decision on whether or not to report and will file the report itself. Only if required by law will the Processor cooperate in informing the relevant authorities and/or data subjects, as well as in other obligations under the GDPR.
6.3. The duty to report to the Controller will in any case include reporting the fact that there has been a leak, as well as:
- the (alleged) cause of the leak;
- the (as yet known and/or expected) consequence;
- the (proposed) solution;
- the rights the data subject has;
- contact details for following up on the report;
- the measures that have already been taken.
ARTICLE 7. SECURITY MEASURES
7.1. The Processor guarantees that its own security is satisfactory under all reasonably foreseeable circumstances, considering the type of data and the associated risk. The Processor guarantees that it will take sufficient technical and organisational measures within its own organisation with regard to the processing of personal data, against loss or against any form of unlawful processing (such as unauthorised access, corruption, alteration or disclosure of the personal data).
7.2. The Processor has at a minimum taken the following measures:
- logical access control using passwords;
- physical measures for access security;
- encryption of digital files containing personal data in backups and at workstations;
- organisational measures for access security;
- security of network connections using Secure Sockets Layer (SSL) technology;
- target-specific access restrictions;
- control of the rights granted;
- patch management;
- multi-layer antivirus security;
- next generation firewall in which a high level of protection can be activated (e.g. SSL inspection).
ARTICLE 8. CATEGORIES OF DATA SUBJECTS
8.1. In the event that a data subject makes a request for inspection, correction, supplementation, modification or blocking to the Processor, the Processor will immediately forward this request to the Controller, without complying with the request itself or contacting the data subject.
8.2. In the event that a data subject submits a request as referred to in the previous paragraph to the Controller, the Processor will, if the Controller so requests, provide cooperation to the extent that is necessary and reasonable.
ARTICLE 9. CONFIDENTIALITY
9.1. All personal data that the Processor receives from the Controller and vice versa and/or collects itself under this Data Processing Agreement is subject to an obligation of confidentiality towards third parties.
9.2. This obligation of confidentiality does not apply insofar as the Controller has given its express consent to the provision of the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the order given and the performance of this Data Processing Agreement, or if there is a statutory obligation to provide the information to a third party.
ARTICLE 10. TERM AND TERMINATION
10.1. This Data Processing Agreement is entered into for the duration as stipulated in the separate Agreement between the Parties, and in the absence thereof, for the duration of the cooperation.
10.2. The Data Processing Agreement may be terminated prematurely following the parties’ mutual written consent.
10.3. Upon termination of the cooperation, the Controller will have the option of having the Processor destroy all personal data processed on behalf of the Controller or having it returned to the Controller. In either case, the Processor will cease to have any personal data of the Controller in its possession as soon as possible, unless otherwise required by law.
10.4. The Parties may only amend this Data Processing Agreement by mutual consent.
10.5. The Parties will cooperate fully in amending this Data Processing Agreement and bringing it in line with any new privacy legislation or changes to existing privacy legislation.
ARTICLE 11. APPLICABLE LAW AND DISPUTES
11.1. The Data Processing Agreement and its fulfilment are governed by Dutch law.
11.2. Any disputes that may arise between the Parties in connection with the Data Processing Agreement will be brought before the competent court in the district in which the Controller has its office.