• NederlandsNederlands
  • PolskiPolski
  • Processing Agreement – UDEB Administratiekantoor

    Processing Agreement UDEB Administratiekantoor BV

    This Processing Agreement applies to all forms of processing of personal data carried out by (hereinafter referred to as Processor) out for the benefit
    of a counterparty to whom it provides services (hereinafter referred to as Controller) on the basis of the agreement concluded between the parties
    (hereinafter referred to as the Main Agreement).

    Article 1. Processing purposes

    1.1. The Processor undertakes to process personal data on the instruction of the Controller, subject to the conditions of this
    Processing Agreement. Processing will only take place in the context of storing data of the Controller in the Cloud, and
    associated online services, management of the accounting and financial administration of the Controller, plus the purposes
    that are reasonably related thereto or that are determined with further consent.
    1.2. The personal data processed by the Processor within the framework of the activities referred to in the previous sentence
    and the categories of data subjects who the data originates from, are included in Appendix 1. The Processor will not process
    the personal data for any purpose other than the purpose stipulated by the Controller. The Controller will notify the Processor
    of the processing purposes, insofar as not already stated in this Processing Agreement.
    1.3. The personal data to be processed on the instructions of the Controller remain the property of the Controller and/or the
    data subjects in question.

    Article 2. Obligations of the Processor

    2.1. With regard to the processing referred to in Article 1, the Processor will ensure the applicable legislation and regulations
    are complied with which, in any case, includes legislation in the field of protection of personal data, such as the General
    Data Protection Regulation.
    2.2. The Processor will notify the Controller, on demand of the latter, of any of the measures taken by the Processor in respect
    of his obligations under this Processing Agreement.
    2.3. The Processor’s obligations under this Processing Agreement also apply to any parties processing personal data on the
    Processor’s behalf, including, but not restricted to, employees in the broadest sense of the word.
    2.4. The Processor will immediately notify the Controller if he is of the opinion that an instruction issued by the Controller
    violates the legislation referred to in paragraph 1.
    2.5. Insofar as it lies within his powers, the Processor will cooperate with the Controller in order to conduct data protection
    impact assessments (DPIAs).
    2.6. The Processor will keep a register of all categories of processing activities in accordance with Article 30 of the GDPR,
    which it performs on behalf of the Controller under this Processing Agreement. The Processor will provide the Controller with
    access to this upon request

    Article 3. Transfer of personal data

    3.1. The Processor is permitted to process the personal data in countries within the European Union. Transfer to countries
    outside the European Union is prohibited.

    Article 4. Distribution of responsibility

    4.1. Permitted processing operations will be performed by the Processor’s employees within an automated environment.
    4.2. The Processor is only responsible for the processing of the personal data under this Processing Agreement in accordance
    with the instructions of the Controller and under the explicit (ultimate) responsibility of the Controller. The Processor is explicitly
    not responsible for other processing of personal data which, in any case, includes but is not limited to the compiling of
    personal data by the Controller, the processing for purposes which the Processor has not been notified of by the Controller
    and processing by third parties and/or for other purposes.
    4.3. The Controller guarantees that the contents, the use and the instruction to process the personal data as referred to in this
    Processing Agreement are not unlawful and do not infringe any third-party rights.

    Article 5. Engagement of third parties or subcontractors

    5.1. Within the framework of this processing agreement, the Processor may hire third parties, provided that they are reported
    to the Controller in advance. The Controller may object if the use of a specific reported third party is unacceptable to it.
    5.2. The Processor will, in any case, ensure that these third parties assume in writing the same obligations as agreed between
    the Controller and the Processor.
    5.3. The Processor guarantees full compliance of the obligations under this Processing Agreement by these third parties and
    in the event of errors by these third parties, he will be personally liable towards the Controller for any damage, as if they
    themselves made the error or errors.

    Article 6. Security

    6.1. The Processor will endeavour to take adequate technical and organisational measures with respect to the processing of
    personal data to protect personal data against loss or any form of illegitimate processing (such as unauthorised access,
    corruption, modification, or disclosure of personal data).
    6.2. The Processor does not guarantee that the security is effective under all circumstances. If no security is explicitly set out in
    the Processing Agreement, the Processor will make every effort to ensure that the security complies with a level which, given
    the prior art, the sensitivity of the personal data and the security costs involved, is not unreasonable.
    6.3. The Controller makes personal data available to the Processor only for processing, provided the Controller is satisfied that
    the required security measures have been taken. The Controller is responsible for compliance with the measures agreed on
    by the Parties.

    Article 7. Duty to report

    7.1. The Controller is at all times responsible for reporting a security breach and/or data breach (which is understood to mean
    a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorised disclosure of or
    unauthorised access to data transmitted, stored or otherwise processed) to the supervisor and/or data subjects. To enable
    the Controller to fulfil this statutory duty, the Processor will notify the Controller of the security breach and/or the data breach
    within a reasonable term.
    7.2. The Processor only needs to notify the Controller in the case of strong impact events and only if the event did in fact
    7.3. The duty to report does, in any case, include reporting the fact that a breach took place. The duty to report also
    • the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and
    the categories and approximate number of personal data records concerned;
    • the name and contact details of the data protection officer or another contact point where more information can be obtained;
    • the likely consequences of the personal data breach;
    • the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures
    to mitigate its possible adverse effects.
    7.4. The Processor will document all data breaches in accordance with Article 33, paragraph 5 of the GDPR, including the facts regarding the
    personal data breach, the consequences thereof and the corrective measures taken. The Processor will provide the Controller with access to this
    upon request

    Article 8. Handling requests from data subjects

    8.1. If a data subject submits a request to the Processor to exercise his/her legal rights (Article 15-22 of the GDPR), the Parties
    will handle the data subject’s request in mutual consultation. In that case, the Controller remains ultimately responsible for
    the processing.

    Article 9. Secrecy and confidentiality

    9.1. All personal data which the Processor receives from the Controller and/or which the Processor collates himself within the
    framework of this Processing Agreement is subject to a duty of confidentiality towards third parties. The Processor will not use
    this information for any purpose other than for which he obtained it, even if it is presented in such a way that it cannot be
    traced back to the data subjects.
    9.2. This duty of confidentiality does not apply insofar as the Controller has given explicit approval to disclose the information
    to third parties, if the provision of information to third parties is logically required with a view to the nature of the instruction
    given and the execution of this Processing Agreement, or if there is a statutory obligation to disclose the information to a third party.

    Article 10. Liability

    10.1. The parties explicitly agree that the provisions of the Main Agreement apply with regard to liability.

    Article 11. Term and termination

    11.1. This Processing Agreement is formed when it is signed by the Parties and it starts on the date on which the final signature
    is placed.
    11.2. This Processing Agreement is concluded for the term stipulated in the Main Agreement between the Parties and failing
    that, for the term of the collaboration, at least.
    11.3. As soon as the Processing Agreement is terminated, regardless of the reason and method, the Processor – at the
    discretion of the Controller – will return all original and copied personal data held by him to the Controller and/or he will
    remove and/or destroy this original personal data and any copies thereof.
    11.4. The Processor is entitled to review this agreement from time to time. He will notify the Controller of any changes at least
    three months in advance. The Controller can cancel the agreement with effect from the end of these three months if he
    does not agree with the changes.

    Article 12. Applicable law and dispute resolution

    12.1. The Processing Agreement and the performance thereof are governed by Dutch law.
    12.2. All disputes arising between the Parties in connection with the Processing Agreement will be submitted to the
    competent court in the district where the Processor has his registered office.

    Appendix 1: Specification of personal data and data subjects

    Personal data

    Within the framework of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data on the instruction of the Controller:
    • Dates of birth
    • Social security number
    • E-mail address
    • Marital status
    • Telephone number
    • Financial details
    • Name and address details
    • Other data necessary for the performance of the agreement