Processing agreement

Parties:

  1. Clients of Webshoptiger BV, hereinafter referred to as "responsible"; and
  2. Webshoptiger BV located at 't Zwaantje 23, 5056 ED Berkel-Enschot, Chamber of Commerce number: 18058599, hereinafter referred to as "processor"

Whereas:

  • The parties have entered into an agreement under which the processor processes (personal) data of the controller as referred to in Article 4 paragraphs 1 and 2 of the GDPR, hereinafter referred to as: 'the main agreement'.
  • Pursuant to Article 28(3) of the GDPR, the parties are obliged to make agreements regarding guaranteeing the privacy of personal data and to record them in a processing agreement, hereinafter referred to as: 'the agreement'.
  • Parties will provide each other with all necessary information in a timely manner to enable proper compliance with the applicable privacy laws and regulations.
  • The provisions of this agreement take precedence over all other agreements that apply between the parties with regard to the processing of personal data, if and insofar as they deviate from what is stated in this agreement.

Agree as follows:

Article 1 – Duration of the agreement

  1. This agreement takes effect from the date of signature by the parties and ends after the processor has deleted and/or returned all personal data to which this agreement relates in accordance with the provisions of Article 13.
  2. This agreement cannot be terminated prematurely.
  3. The provisions as described in Article 4 will remain in force even after the expiry of this agreement.

Article 2 – Object of the agreement

  1. For the execution of the main agreement, the controller has provided the processor with a statement of:
    • the nature and purpose of the agreed processing
    • the categories of personal data that are processed
    • the categories of data subjects
    • the categories of recipients/users of personal data
  2. A statement of the information referred to in paragraph 1 is attached as an appendix to this agreement.

Article 3 – Processing and use of personal data

  1. The controller determines the purpose of the processing and which personal data he has processed for this purpose.
  2. The controller will provide written instructions to the processor to this end.
  3. The processor uses the personal data obtained only for the purposes for which they were provided and exclusively in accordance with the written instructions of the controller.
  4. If the controller orders the processing of personal data in a manner that, according to the processor, is contrary to legal obligations, the latter will inform the controller of this and consult with the processor to arrive at a solution that does not conflict with the legal requirements.
  5. The processor has its own responsibility not to process the data in violation of applicable laws and regulations.
  6. The processor will not provide personal data to third parties, unless this is done on behalf of the controller or when this is necessary to comply with a legal obligation.
  7. The processor processes the personal data within the European Economic Area and in the following countries: United States of America.

Article 4 – Confidentiality

  1. The processor takes all necessary measures to ensure the confidentiality of the personal data of the controller.
  2. The obligation set out in paragraph 1 does not apply if the controller has given prior written consent to provide the personal data to a third party or if the processor is legally obliged to do so.
  3. The processor will impose the same confidentiality obligation on its staff or persons or sub-processors engaged for this purpose.
  4. In the event of a violation of this article, the processor will forfeit an immediately payable fine of €0 per violation to the controller, without prejudice to the controller's right to claim full compensation.

Article 5 – Security

  1. The controller and the processor will both take appropriate technical and organizational measures, as referred to in Article 32 GDPR, so that they can ensure a level of security appropriate to the risk.
  2. The controller informs the processor about the legal reliability requirements that apply to the processing based on the possible consequences for the data subjects, such as in the event of loss, corruption or unlawful processing, and provides all necessary information so that the processor can comply with them.
  3. If the controller requires a higher level of security than legally required, the processor can separately charge the controller for the reasonable costs for this.
  4. When taking security measures, the processor takes into account the state of the art, the implementation costs, as well as the nature, scope, context, processing purposes, likelihood and severity of the various risks to the rights and freedoms of persons, in accordance with the provisions in Article 28(3)(f) GDPR.
  5. If the controller wishes to carry out an assessment of an intended processing activity, the processor shall provide all reasonable cooperation to carry out this assessment in accordance with applicable laws and regulations.
  6. The processor also provides all reasonable cooperation with a prior consultation of the Dutch Data Protection Authority.
  7. The parties have made concrete agreements regarding the technical and organizational security measures necessary for the implementation of this agreement, which the controller currently deems appropriate.
  8. These agreements include at least the following topics:
    1. the reliability requirements
    2. the agreed security level (if applicable)
    3. the measures taken by the processor so that only authorized personnel have access to the personal data
    4. measures to protect against loss, alteration, unauthorized or unlawful processing, access or disclosure
    5. the measures to be taken for detecting weaknesses and incident management
  9. The parties will periodically evaluate the agreements referred to in paragraphs 7 and 8 and adjust them if necessary.
  10. These agreements are attached as an appendix to this agreement.

Article 6 – Audit

  1. The controller has the right to have an annual audit carried out at his own expense to verify compliance with this agreement.
  2. The processor will provide all reasonable cooperation with the audit referred to in paragraph 1, such as granting access to the databases and making all relevant information available.
  3. The processor implements the recommendations resulting from the audit as quickly as possible in consultation with the person responsible.
  4. If the adjustments as a result of paragraph 3 arise from changed insights or legislation, the reasonable costs for these adjustments are borne by the controller.
  5. If the adjustments as a result of paragraph 3 arise from a failure to comply with the agreed security requirements, these costs will be borne by the processor.
  6. If the Dutch Data Protection Authority or another competent authority wishes to conduct an investigation, the processor will provide all reasonable cooperation and inform the controller as soon as possible.

Article 7 – Data breach

  1. If a data breach as referred to in Article 4 sub 12 GDPR occurs, the processor will inform the controller in the manner further described in Article 8.
  2. In the event of a data leak, the processor will take all reasonable necessary measures to limit the consequences and prevent a new leak.
  3. The processor shall provide the controller with all cooperation necessary to assess the extent and consequences of the data breach and to comply with any obligation to report data breaches to the Dutch Data Protection Authority as well as the obligation to provide information to data subjects.
  4. The parties have recorded their agreements on the procedure to be followed in the event of a data breach in a data leak reporting obligation procedure, as described in Article 8. This procedure can be adjusted if the state of technology so requires or the regulations regarding the data leak reporting obligation change.
  5. If the processor fails to report the data breach in a timely manner in accordance with the data breach reporting obligation procedure as referred to in Article 8, he will owe an immediately payable fine of €0 to the controller plus 2% of this amount per hour that the notification is made too late.

Article 8 – Procedure for reporting data leaks

If a data breach occurs, the following procedure applies:

  • the processor records all security incidents in a way that is transparent to the controller
  • this registration includes at least the following information: a description of the incident; the approximate number of people affected by the incident; the group(s) of people affected by the incident; the date and time of the incident; the nature of the infringement; the type of data affected; the possible consequences for those involved; the technical and organizational measures taken as a result of the incident; how the leaked data is secured; whether the data has been hashed, made inaccessible or can be deleted remotely; and whether and, if so, which data of persons in other EU countries has been affected by the data breach
  • the processor informs the controller within 72 hours after becoming aware of the incident, simultaneously handing over its registration, as described above
  • the processor is continuously available for consultation with the processor or any experts appointed by the processor for the first 24 hours after informing the controller about a data breach
  • the controller consults with the processor to assess whether the incident should be reported to the Dutch Data Protection Authority
  • the controller informs the processor in advance when he decides to report the leak to the Dutch Data Protection Authority
  • the processor provides the controller with all necessary cooperation so that the latter can report a data breach to the Dutch Data Protection Authority in accordance with the legal requirements
  • the processor provides all cooperation to the controller in order to inform the affected persons in accordance with Article 34 GDPR about the data breach

Article 9 – Requests from data subjects

  1. Any request for access, rectification, erasure, restriction of processing, portability of data or objection as referred to in Articles 15 to 21 GDPR that reaches the processor will be forwarded to the controller without delay.
  2. The processor shall provide the controller with all reasonable cooperation so that the latter can comply with a request as referred to in paragraph 1 within the legal periods.
  3. The controller will reimburse the processor for the reasonable costs entailed by such cooperation.

Article 10 – Sub-processors

  1. The processor uses the following sub-processor(s) to process the personal data: Transip BV in Amsterdam, The Rocket Science Group in Atlanta, Reeleezee B.V. in Breukelen, Google LLC in Mountain View, Apple Inc. in Cupertino and De Cijfer Company BV in Tilburg; and will not engage other sub-processors unless he has received prior permission to do so.
  2. The processor is responsible and liable for the actions of sub-processors engaged by him.
  3. If a processor engages a sub-processor, he is obliged to stipulate that this sub-processor fulfills all obligations imposed on the processor under this agreement and will conclude an agreement with the relevant sub-processors that is in accordance with this agreement.
  4. If the processor engages sub-processors without permission as referred to in paragraph 1, the processor is liable to pay a fine of €0 without prejudice to the controller's right to full compensation.

Article 11 – Access to personal data

The processor ensures that the controller maintains access to the relevant personal data at all times, even in the event of bankruptcy or suspension of payments.

Article 12 – Liability and indemnity

  1. The processor is not responsible for damage resulting from violations of any laws or regulations by the controller.
  2. The controller indemnifies the processor against claims from third parties and costs incurred by the processor as a result of a violation as referred to in paragraph 1.
  3. The controller is not responsible for damages resulting from violations of any laws or regulations by the processor.
  4. The processor indemnifies the controller against claims from third parties and costs incurred by the controller as a result of a violation as referred to in paragraph 3.
  5. In a case as referred to in paragraph 1 or 3, the other party is entitled to terminate the main agreement with immediate effect.

Article 13 – Termination and consequences of termination

  1. This agreement only ends after the underlying assignment has been terminated and the processor has transferred all personal data provided to him to the controller or to a third party designated in writing in advance by the controller, and all data remaining with the processor and any sub-processors have been destroyed.
  2. At the request of the controller, the processor will make the personal data provided to him available in a different format than the one in which they were supplied in return for compensation for the reasonable costs involved.
  3. Instead of transferring the data, the controller can also request the processor to destroy the data.
  4. Destruction of the data as referred to in paragraph 3 can only take place after the controller has given prior written permission for this.
  5. However, the provisions of Article 4 remain in full force.

Article 14 – Consequences of nullity or voidability

If part of the agreement is void or voidable, this will not affect the other provisions in the agreement. A provision that is void or voidable will in that case be replaced by a provision that comes closest to what the parties had in mind on that point when concluding the agreement.

Article 15 – Applicable law and competent court

  1. Dutch law applies to this agreement.
  2. Any disputes that arise as a result of this agreement and that cannot be resolved amicably will be submitted to the competent court in the district of the processor's place of business.

Signed in duplicate:

City:
Client, on behalf of the person responsible
Date:

Place Berkel-Enschot
E.S.N.M. van de Wouw, on behalf of the processor
Date: 11-11-20211