Processing Agreement UDEB Administratiekantoor BV

This Processing Agreement applies to all forms of processing of personal data carried out by (hereinafter referred to as Processor) for the benefit
of a counterparty to whom it provides services (hereinafter referred to as Controller) on the basis of the agreement concluded between the parties
(hereinafter referred to as the Main Agreement).

Article 1. Processing purposes

1.1. The Processor undertakes to process personal data on the instruction of the Controller, subject to the conditions of this
Processing Agreement. Processing will only take place in the context of storing data of the Controller in the Cloud, and
associated online services, management of the accounting and financial administration of the Controller, plus the purposes
that are reasonably related thereto or that are determined with further consent.
1.2. The personal data processed by the Processor within the framework of the activities referred to in the previous sentence
and the categories of data subjects from whom the data originates are included in Appendix 1. The Processor will not process
the personal data for any purpose other than the purpose stipulated by the Controller. The Controller will notify the Processor
of the processing purposes, insofar as not already stated in this Processing Agreement.
1.3. The personal data to be processed on the instructions of the Controller remain the property of the Controller and/or the
data subjects in question.

Article 2. Obligations of the Processor

2.1. With regard to the processing referred to in Article 1, the Processor will ensure compliance with the applicable legislation
and regulations, which in any case include legislation in the field of protection of personal data, such as the General
Data Protection Regulation.
2.2. The Processor will notify the Controller, on demand of the latter, of any of the measures taken by the Processor in respect
of his obligations under this Processing Agreement.
2.3. The Processor’s obligations under this Processing Agreement also apply to any parties processing personal data on the
Processor’s behalf, including, but not restricted to, employees in the broadest sense of the word.
2.4. The Processor will immediately notify the Controller if he is of the opinion that an instruction issued by the Controller
violates the legislation referred to in paragraph 1.
2.5. Insofar as it lies within his powers, the Processor will cooperate with the Controller in order to conduct data protection
impact assessments (DPIAs).
2.6. The Processor will keep a register of all categories of processing activities in accordance with Article 30 of the GDPR,
which it performs on behalf of the Controller under this Processing Agreement. The Processor will provide the Controller with
access to this upon request.

Article 3. Transfer of personal data

3.1. The Processor is permitted to process the personal data in countries within the European Union. Transfer to countries
outside the European Union is prohibited.

Article 4. Distribution of responsibility

4.1. Permitted processing operations will be performed by the Processor’s employees within an automated environment.
4.2. The Processor is only responsible for the processing of the personal data under this Processing Agreement in accordance
with the instructions of the Controller and under the explicit (ultimate) responsibility of the Controller. The Processor is explicitly
not responsible for other processing of personal data which, in any case, includes but is not limited to the compiling of
personal data by the Controller, the processing for purposes which the Processor has not been notified of by the Controller
and processing by third parties and/or for other purposes.
4.3. The Controller guarantees that the contents, the use and the instruction to process the personal data as referred to in this
Processing Agreement are not unlawful and do not infringe any third-party rights.

Article 5. Engagement of third parties or subcontractors

5.1. Within the framework of this processing agreement, the Processor may hire third parties, provided that they are reported
to the Controller in advance. The Controller may object if the use of a specific reported third party is unacceptable to it.
5.2. The Processor will, in any case, ensure that these third parties assume in writing the same obligations as agreed between
the Controller and the Processor.
5.3. The Processor guarantees full compliance with the obligations under this Processing Agreement by these third parties and
in the event of errors by these third parties, he will be personally liable towards the Controller for any damage, as if they
themselves made the error or errors.

Article 6. Security

6.1. The Processor will endeavour to take adequate technical and organisational measures with respect to the processing of
personal data to protect personal data against loss or any form of illegitimate processing (such as unauthorised access,
corruption, modification, or disclosure of personal data).
6.2. The Processor does not guarantee that the security is effective under all circumstances. If no security is explicitly set out in
the Processing Agreement, the Processor will make every effort to ensure that the security complies with a level which, given
the state of the art, the sensitivity of the personal data and the security costs involved, is not unreasonable.
6.3. The Controller makes personal data available to the Processor only for processing, provided the Controller is satisfied that
the required security measures have been taken. The Controller is responsible for compliance with the measures agreed on
by the Parties.

Article 7. Duty to report

7.1. The Controller is at all times responsible for reporting a security breach and/or data breach (which is understood to mean
a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorised disclosure of or
unauthorised access to data transmitted, stored or otherwise processed) to the supervisor and/or data subjects. To enable
the Controller to fulfil this statutory duty, the Processor will notify the Controller of the security breach and/or the data breach
within a reasonable term.
7.2. The Processor only needs to notify the Controller in the case of strong impact events and only if the event did in fact
occur.
7.3. The duty to report does, in any case, include reporting the fact that a breach took place. The duty to report also
involves:
• the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and
the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer or another contact point where more information can be obtained;
• the likely consequences of the personal data breach;
• the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures
to mitigate its possible adverse effects.
7.4. The Processor will document all data breaches in accordance with Article 33, paragraph 5 of the GDPR, including the facts regarding the
personal data breach, the consequences thereof and the corrective measures taken. The Processor will provide the Controller with access to this
upon request.

Article 8. Handling requests from data subjects

8.1. If a data subject submits a request to the Processor to exercise his/her legal rights (Articles 15-22 of the GDPR), the Parties
will handle the data subject’s request in mutual consultation. In that case, the Controller remains ultimately responsible for
the processing.

Article 9. Secrecy and confidentiality

9.1. All personal data which the Processor receives from the Controller and/or which the Processor collates himself within the
framework of this Processing Agreement is subject to a duty of confidentiality towards third parties. The Processor will not use
this information for any purpose other than for which he obtained it, even if it is presented in such a way that it cannot be
traced back to the data subjects.
9.2. This duty of confidentiality does not apply insofar as the Controller has given explicit approval to disclose the information
to third parties, if the provision of information to third parties is logically required with a view to the nature of the instruction
given and the execution of this Processing Agreement, or if there is a statutory obligation to disclose the information to a third party.

Article 10. Liability

10.1. The parties explicitly agree that the provisions of the Main Agreement apply with regard to liability.

Article 11. Term and termination

11.1. This Processing Agreement is formed when it is signed by the Parties and it starts on the date on which the final signature
is placed.
11.2. This Processing Agreement is concluded for the term stipulated in the Main Agreement between the Parties and failing
that, for the term of the collaboration, at least.
11.3. As soon as the Processing Agreement is terminated, regardless of the reason and method, the Processor – at the
discretion of the Controller – will return all original and copied personal data held by him to the Controller and/or he will
remove and/or destroy this original personal data and any copies thereof.
11.4. The Processor is entitled to review this agreement from time to time. He will notify the Controller of any changes at least
three months in advance. The Controller can cancel the agreement with effect from the end of these three months if he
does not agree with the changes.

Article 12. Applicable law and dispute resolution

12.1. The Processing Agreement and the performance thereof are governed by Dutch law.
12.2. All disputes arising between the Parties in connection with the Processing Agreement will be submitted to the
competent court in the district where the Processor has his registered office.

Appendix 1: Specification of personal data and data subjects

Personal data

Within the framework of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data on the instruction of the Controller:
• Dates of birth
• Social security number
• E-mail address
• Marital status
• Telephone number
• Financial details
• Name and address details
• Other data necessary for the performance of the agreement