Processor Agreement The web design (part of Printbazar)
This Processor Agreement – like the general terms and conditions – forms an integral part of every agreement in respect of services between The web design, established in Amsterdam and registered with the Chamber of Commerce under number: 57557667 (hereinafter: “Printbazar”) and its counterparty. In the context of this Processor Agreement, Printbazar is designated as “Processor” and the other party (customer) as “Processing Officer”.
Considerations
Processing Officer (you) and Processor (Printbazar) have entered into an agreement for building a website (with a contact form).
Where a website has a form, visitors of the website of the Processing Officer can use this form to leave data behind. The accountability officer determines which fields the form contains and which information the visitor leaves behind on its website. This data is sent to the e-mail address of the Processing Officer as set up in the website management system and stored in the website management system (CMS).
The Processing Officer determines whether or not its website has an SSL certificate. An SSL certificate can be installed for the Processing Officer by the Processor against payment.
The Processing Officer and the Processor wish in this agreement to record the mutual rights and obligations for the Processing of Personal Data by the Processor in accordance with the General Data Protection Regulation (hereinafter: GDPR).
The processor will process the personal data for the purposes determined by the Processing Officer and with the agreed means. Under Article 24 of the GDPR, the Processing Officer is obliged to implement appropriate technical and organizational security measures against loss or against any form of unlawful processing of the Personal Data;
In accordance with Article 28 paragraph 1 GDPR, the Processing Officer is obliged, when engaging the Processor to process the Personal Data on its behalf, to ensure that the Processor offers sufficient guarantees regarding technical and organizational security measures to protect the Personal Data against loss or against any form of unlawful processing;
According to Articles 33 and 34 of the GDPR, the Processing Officer has an obligation to report breaches of security as referred to in Article 4 sub 12 GDPR (hereafter: Data Leaks) to the Dutch Data Protection Authority (hereafter: the AP) and to the ‘data subject’ in the sense of the GDPR (hereinafter: Subject).
In accordance with Article 28, paragraph 3 GDPR, the Parties wish to record all their agreements regarding the processing of Personal Data by the Processor and the reporting of Data Leaks in this Agreement.
Article 1 Definitions:
1.1 The words or phrases used in this agreement have the following meanings:
a) The person concerned: the person to whom Personal Data relates;
b) Data leak: a breach of security, as referred to in article 4 sub 12 GDPR, which leads to a considerable chance of serious adverse consequences, or has serious adverse consequences, for the protection of personal data;
c) Underlying Agreement: the agreement whereby the Processing Officer has instructed the Processor to perform Processing;
d) Agreement: this Processor Agreement;
e) Personal data: any information concerning an identified or identifiable natural person;
f) Processing / processing: all actions or series of actions performed on Personal Data, whether or not by automated means, such as collecting, recording, structuring, storing, adjusting or modifying, retrieving, consulting, using, publishing by transfer, distribution or otherwise making available, tuning or combining, blocking, erasing or destroying.
Article 2 General
2.1 The Processor processes the Personal Data for the Processing Controller in accordance with the written instructions of the Processor and under the explicit responsibility of the Processing Officer and in the manner laid down in the Underlying Agreement.
2.2 With regard to the Personal Data, the Processing Officer is the ‘Processing Manager’ and the Processor is the ‘Processor’ within the meaning of the GDPR. The Processing Manager agrees and guarantees that the processing of the Personal Data in accordance with the Processor Agreement is in accordance with the GDPR.
2.3 Processing Controller has control over the processing of the Personal Data and has determined the purpose and means for the processing of the Personal Data.
2.4 The Processor has no control over the purpose and the means for the processing of the Personal Data and therefore makes no decisions about, among other things, the use of the Personal Data, the provision to third parties and the duration of the storage of the Personal Data. The control of the Personal Data never comes to rest with the Processor.
2.5 Parties commit themselves to act in accordance with the GDPR.
2.6 If the Processor is of the opinion that, on the basis of a legal obligation, it must make Personal Data available to a competent authority, it will not proceed to do so except after consultation with and approval of the Processing Officer. It will inform the Processing Officer in writing of the legal obligation as soon as possible, thereby providing all relevant information that the Processing Officer reasonably needs to take the necessary measures to determine whether provision can take place and, if so, under which conditions.
2.7 The Processor must inform the Processing Officer of all requests regarding access to the Personal Data received directly from a Data Subject. The processor will only respond to such a request if the Processing Officer has instructed the Processor to do so in writing.
2.8 The Processor may not have the processing performed by a subprocessor without written permission. If the Processor engages a subprocessor, the Processor is responsible for the actions of this third party.
2.9 Processing Officer instructs Processor to use the following service providers (hereinafter: Subprocessors), and to process the following data for the following purposes:
Aniwebdesigns: For sending managing projects (websites), hosting data, domain name, login data CMS
Sisow: For handling payments within our web shops. E-mail address, name, payment details such as amount, payment method and posting date, name and address, company name, telephone number, e-mail address, account number, Chamber of Commerce number, VAT number.
Protagonist: For the domains and hosted e-mail. Name and address, company name, phone number, e-mail address, registration username, registration and expiry date, removal code, DNS settings, registered e-mail addresses, mailbox statistics on logins, number of messages sent and data usage, mailbox forward e-mail address, change history or settings.
Version: For the domains and hosted e-mail. Name and address, company name, phone number, e-mail address, registration username, registration and expiry date, removal code, DNS settings, registered e-mail addresses, mailbox statistics on logins, number of messages sent and data usage, mailbox forward e-mail address, change history or settings
KPN: For telephony. Phone number, call date, call duration, call recording.
Quick start: For accounting and invoicing. Name and address, name, company name, telephone number, e-mail address, account number, Chamber of Commerce number, VAT number, mandate number for direct debit.
Twilio: For SMS communication. Telephone number, SMS history.
Google Docs: For documents, spreadsheets, presentations and forms in cloud storage. Name and address details, telephone number, e-mail address, company name, Chamber of Commerce number, hosting details, domain name, contract duration, CMS login details.
Twak chat: For smooth chat communication via the website on all devices. Name, e-mail address, IP address and location, visit history, site reached via URL, chat history, operating system / device type, browser information, derived statistics such as chat ratings, duration of calls and chat conversion.
Debit port: For the management of collection trajectories. Name and address, company name, telephone number, e-mail address, account number, payment status, Chamber of Commerce number, VAT number, correspondence
2.10 The Processor shall process the data in accordance with Article 28 GDPR and the measures required in accordance with Article 32 GDPR.
2.11 The Processor will agree with Subprocessors that they take appropriate technical and organizational measures in accordance with Article 28, paragraph 3, and Article 32, paragraph 3, of the GDPR.
2.12 The Processor will not process the personal data for any other purpose than as determined by the Processing Officer. Processing Manager will inform the Processor of the processing objectives to the extent that these have not already been mentioned in the Processor Agreement.
2.13 Processing controller guarantees that an adequate legal basis is available for the processing.
2.14 Processing Controller guarantees that the content, use and assignment to the processing as referred to in this Agreement is not unlawful and does not infringe any right of third parties. The processing manager indemnifies the Processor against all claims related to this.
Article 3 Security
3.1 The processor shall take appropriate technical and organizational security measures to protect the Personal Data against loss or against any form of unlawful processing. These measures ensure, taking into account the state of the art and the costs of implementation, an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing.
3.2 If unauthorized processing of personal data takes place in spite of the security measures, the burden of proof lies with the Processing Officer that the Processor has not acted adequately.
3.3 The security measures offer, taking into account the state of the art and the costs of implementing the security measures, an appropriate level of security in view of the risks involved in the processing and the nature of the Personal Data.
3.4 The processor shall endeavor to ensure that the security measures comply with a level which, at least with regard to the state of the technology and the costs of implementing the security measures, is customary in the industry in view of the services provided by Processor.
3.5 The processor is responsible for the effectiveness of the security measures.
3.6 If the Processing Officer or the Processor is of the opinion that a change in the security measures to be taken by the Processor is necessary to provide an adequate level of security, the Processing Officer and the Processor will enter into consultation about the change required by the Processing Officer in the security measures.
Article 4 Security Incidents and Data Leaks
4.1 With regard to the Processing of Personal Data pursuant to this Agreement, the Processing Manager is the ‘Processing Officer’ as described in Article 4 sub 7 GDPR.
4.2 The Processing Officer has the obligation to report Data Leaks to the AP, and in certain cases, the Data Subject pursuant to Article 34 and Article 34 of the GDPR.
4.3 In the event of a security breach and/or a Data Leak, the Processing Agent will inform the Processing Officer of this within the period set by law, as a result of which the Processing Officer assesses whether it will inform the data subjects or not. Processing Manager is and remains responsible for any legal obligation to do so.
4.4 The Processing Party must immediately inform the Processing Officer after it has become aware of any breach of security (of any nature whatsoever) that (also) relates to the processing of Personal Data, and in any event the Processor shall provide information on the following: (i) the nature of the infringement; (ii) the (possibly) affected Personal Data; (iii) the determined and expected consequences of the breach for the processing of the Personal Data and the persons involved; and (iv) the measures that the Contractor has taken and will take to limit the negative consequences of the infringement.
4.5 Notification of Data Leaks, as referred to in Article 33 of the GDPR, is the responsibility of the Processing Officer.
4.6 The Processor will fully cooperate with the necessary information provision to the Processing Officer in the context of the Security Incidents reported by the Processor to the Processing Officer.
4.7 The controller shall indemnify Processor against any legal claim by a third party, on any grounds whatsoever, in connection with the Personal Data and the performance of the Agreement.
Article 5 Confidentiality
5.1 All employees of the Controller and all employees of the Processor are obliged to keep confidential the Personal Data of which they take note.
5.2 The provisions of the first paragraph of this article do not apply if and insofar as provision of the relevant Personal Data to a third party is necessary following a court decision, a statutory provision or on the basis of a competent order issued by a governmental authority.
5.3 All access and/or identification codes, certificates, access and/or password policy information provided by the Processor to the Processing Officer and all information provided by the Processor to the Processing Officer that provides technical and organizational security measures are confidential. The parties ensure that employees comply with the obligations in this article.
Article 6 Duration and termination
6.1 This Agreement shall enter into force on the date of the last signature of this Agreement by the Parties and shall be concluded for an indefinite period.
6.2 This Agreement ends by operation of law upon termination of the Underlying Agreement and cannot be terminated separately from the Underlying Agreement.
6.3 In the event of termination of this Agreement, the Processor will return all Personal Data received from the Processing Officer to the Processing Officer or, if agreed by the Parties, destroy it within the specified retention period. If, in the reasonable opinion of the Processor, an independent legal obligation of the Processor prohibits or restricts the complete or partial return or destruction of the Personal Data by the Processor, it will notify the Processing Officer as soon as possible in writing of the legal obligation and thereby provide all relevant information that the Processing Officer reasonably needs to determine whether destruction can take place and, if so, under which conditions. If, in the reasonable opinion of the Processing Officer, the legal obligation permits (partial) destruction of the Personal Data by the Processor, the Processor will proceed to do so without delay at the request of the Processing Officer. If the Processing Manager is of the opinion that the destruction may not take place, then it will inform the Processor thereof in writing. In that case, the Processor guarantees the confidentiality of the Personal Data towards the Processing Officer and will not Process the Personal Data except for the fulfillment of its aforementioned legal obligation or after written instructions from the Processing Officer.
Article 7 Other
7.1 In the event that a data subject sends a request regarding the inspection, correction, data portability or removal to the Processing Officer, the Processor will assist the Processing Officer in fulfilling those requests if the Processing Party so requests.
7.2 If the Processing Officer requests the Processing Party's assistance with obligations other than those mentioned in Article 7.1, such as (without limitation) reporting a data breach (within the meaning of Article 34 GDPR) or a data protection impact assessment (within the meaning of Article 35 of the GDPR), the Processing Party will assist the Processing Officer if the Processing Officer requests this.
7.3 This Agreement forms an integral part of the Underlying Agreement. All rights and obligations under the Underlying Agreement, including liability, are therefore also applicable to this Agreement.
7.4 This Agreement and the rights and obligations arising from this Agreement cannot be transferred by the Contractor to third parties without the prior written consent of the Processing Officer.
7.5 The Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in article 28 of the General Terms and Conditions and make audits possible, including inspections by the Processing Officer or an inspector authorized by the Processing Officer and, if so desired, contribute to it.
7.6 If one or more provisions of this Agreement proves not to be legally valid, the Agreement will remain in force for the remainder. The parties will consult on the provisions that are not legally valid, in order to make a replacement arrangement that is legally valid and as far as possible in line with the scope of the regulation to be replaced.
7.7 Dutch law applies to this Agreement. All disputes arising from or in connection with this Agreement will only be submitted to the competent court in Amsterdam.
If changes in legislation or other circumstances give cause to do so, the Parties shall, in joint consultation, amend this Agreement in accordance with the then current applicable legislation.