Dataverwerkingsovereenkomst

Global version – November 2019

This Data Processing Agreement is an integral part of the agreements between the Customer(hereinafter ‘the Controller’) and Smartdc (hereinafter ‘the Processor’).

Article 1. Definitions

1.1 In this Data Processing Agreement, the following definitions are used, both singular and plural.
Controller: a natural or legal person, public authority, agency or other body that, alone or together with others, determines the purposes and means of the processing of Personal Data.
Personal Data: Personal Data (as defined by the GDPR) relating to the Controller or its staff, clients and/or other contacts.
Processor: the legal entity that processes Personal Data on behalf of the Controller.
Subprocessor: a legal entity or person, not being a member of the Processor’s staff, who is or will been gaged by the Processor for the purpose of providing products or services to the Controller on the Processor’s behalf, for which purpose the engaged person or entity may receive or have access to Personal Data.

Article 2. Purposes of data processing operations

2.1. The Processor commits to the processing of Personal Data on the instructions of the Controller, subject to the conditions of this Data Processing Agreement. The data will only be processed for the purpose of storing data of the Controller in the ‘cloud’, the related online services, network services, colocation and those purposes that can be reasonably associated with it or will be determined by mutual agreement.
2.2. The Controller will decide which types of Personal Data it requires the Processor to process and therefore also to which (categories of) data subjects the Personal Data relate. The Processor exerts no influence on this decision. This relates in any case to Personal Data of customers of the Controller, and staff of the Controller, that are stored by the Controller at the Processor. The Processor will refrain from using the Personal Data for any purpose other than that determined by the Controller. The Controller will inform the Processor of the purposes of the processing where these are not already stated in this Data Processing Agreement.
2.3. The Personal Data to be processed on the instruction of the Controller will remain the property of the Controller and/or the data subjects concerned.

3. Obligations of the Processor

3.1. In respect of the processing referred to in article 2, the Processor will ensure compliance with applicable legislation and regulations, including in any event the legislation and regulations in the field of the protection of Personal Data, such as the General Data Protection Regulation.
3.2. All subsidiaries, sister companies and parent companies in the Processor’s Group have the same right sand associated obligations under this Data Processing Agreement as the Processor.
3.3. The Processors obligations arising from this Data Processing Agreement also apply to any party processing Personal Data under the authority of the Processor, including, but not confined to, employees, in the broadest sense.

Article 4. Transfer of Personal Data

4.1. The Processor is allowed to process the Personal Data inside of the European Economic Area. In addition, the Processor is allowed to transfer the Personal Data to a country outside the European Economic Area, provided the Processor ensures an adequate level of protection and it complies with the other obligations to which it is subject pursuant to this Data Processing Agreement and the General Data Protection Regulation.
4.2. Upon request, the Processor will inform the Controller of the country or countries involved.
4.3. In particular, the Processor will, in determining an adequate level of protection, take account of the duration of the intended processing, the country of origin and the country of destination, the general and sectoral rules of law that apply in the country concerned, as well as the professional rules and the security measures complied with in those countries.

Article 5. Division of responsibility

5.1. The Processor will make IT means available for the processing that can be used by the Controller for the purposes stated in article 2. The Processor will itself only perform processing based on agreements with the Controller.
5.2. With respect to all Personal Data and instructions issued by the Controller to the Processor, the Controller guarantees that it has the necessary authority. The Controller will indemnify the Processor against any form of harm and/or third-party claims that may arise from, or be related to or based on, an assertion that the Controller was not authorized to issue certain Personal Data or a certain instruction to the Processor.

Article 6. Subprocessors

6.1. The Processor engages Subprocessors, which are available on request and for which the Controller hereby provides authorization. In the case of new Subprocessors, the Processor will inform the Controller thereof. If the Controller has well-founded objections to the engagement of the Subprocessors, a suitable solution must be sought in consultation. If the parties are unable to reach a suitable solution, the Controller may give notice to terminate the Agreement if the use of a specific Subprocessor of which it has been notified is unacceptable to it.
6.2. All the companies within the Processor’s Group, are part of the Subprocessors which the Processor engages.
6.3. The Processor will in any case ensure that these Subprocessors assume similar obligations in writing as those agreed between the Controller and Processor.
6.4. The Processor warrants correct compliance with the obligations in this Data Processing Agreement by such Subprocessors and, in the event of errors committed by such Subprocessors, is liable itself for any and all damage or loss as if it had committed the error(s) itself.

Article 7. Security

7.1. The Processor will put in place appropriate technical and organizational measures to secure the Personal Data against loss or any form of unlawful processing, including unnecessary collection or further processing.
7.2. The Processor will ensure that the security measures as described in Annex A or otherwise agreed in writing are always in place.

Article 8. Notification obligation

8.1. The Processor will inform the Controller, without unreasonable delay and if possible, within twenty-four(24) hours, if the Processor discovers or has reasonable grounds to suspect that unauthorized access to or unauthorized obtaining, use, loss, theft, destruction or disclosure of the Personal Data (‘a data breach’) is occurring or has occurred.
8.2. In case of a data breach the Processor will complete the form in Annex B as complete and accurate as possible and send it to the Controller.

Article 9. Handling requests and complaints from data subjects

9.1 If a data subject sends the Processor a request to access, improve, supplement, change or block their data, or submits a complaint to the Processor, the Processor will forward the request or complaint to the Controller and the Controller will follow up on the request or complaint. The Processor may inform the data subject that it has done so.

Article 10. Confidentiality

10.1. The Processor will keep secret all Personal Data which it receives from the Controller, or to which it is given access by the Controller, and the Processor will not disclose or make this data accessible to third parties (other than permitted Subprocessors) without prior written permission from the Controller, unless the Personal Data must be disclosed to a party authorized to receive such data (such as a supervisory authority, investigating officer or court) pursuant to a written obligation.

Article 11. Compliance check (audit)

11.1. The Controller is entitled to arrange that a suitable external party who is accepted by the Processor performs an audit in order to determine whether the Processor complies fully and correctly with this Data Processing Agreement. This party will be bound by confidentiality towards third parties.
11.2. In conducting the audit, an attempt will be made to minimize any impact on the Processor’s business operations. Audits will be performed once per year at most and will be announced at least fourteen (14) days in advance.
11.3. The Processor will cooperate in the audit and will make available any information and employees that may reasonably be relevant to the audit (including supporting information such as system logs) as soon as possible.
11.4. If the audit shows that the Processor has materially failed to comply with this Data Processing Agreement, the Processor will put in place at its own expense all measures necessary to remedy any observed breach as quickly as possible. The Controller will bear the costs of the external party who performs the audit.
11.5 If the audit shows that the Processor has not failed to comply with this Data Processing Agreement, the Controller will bear the costs of the audit (including the reasonable costs incurred by the Processor through cooperating in the audit).

Article 12. Duration and termination

12.1. This Data Processing Agreement will remain in effect for the term specified in the agreement between the Parties, in the absence of which it will at least apply for the duration of the collaboration.
12.2. Upon termination of the services by the Processor, the Controller is itself responsible for making copies of, exporting or otherwise returning, in good time, the Personal Data that the Processor processes on behalf of the Controller. After termination of the Data Processing Agreement, the Processor will remove or destroy the (Personal Data) data of the Controller.
12.3. The Processor is entitled to revise this Data Processing Agreement and any of its annexes from time to time. It will inform the Controller of the changes at least one (1) month in advance. The Controller may lodge a notice of objection by the end of this one (1) month if it does not agree to the changes. If the Processor does not receive a notice of objection within this period, the changes will be deemed to have been accepted by the Controller.

Article 13. Applicable law and settlement of disputes

13.1. The Data Processing Agreement and its execution are governed by Dutch law.

13.2. Any disputes that may arise between the Controller and the Processor in connection with this Data Processing Agreement will be submitted to the competent court in Rotterdam.

Annex A. Security measures

# Subject
1 Information security policy An information security policy is in place which complies with the GDPR and any guidelines from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and which is aligned with the ISO/IEC 27001 standard. This policy has been communicated internally and implemented in practice through documented procedures.
2 Access management The principles of ‘least privilege’ and ‘need-to-know’ are applied to staff and permitted Subprocessors. User access will be revoked or amended in a timely manner if there is any change to the status of staff members, suppliers, clients, business partners or third parties. Up-to-date forms of encoding and encryption that are generally regarded as safe will be used for identification, authentication and authorization.
3 Staff Employees have been informed of their responsibilities regarding information security and there is a procedure for verifying that employees comply with their obligations.
4 Subprocessor contract management A Data Processing Agreement for Subprocessors will be signed with every permitted Subprocessor, which will contractually oblige the Subprocessor to comply with the same obligations to the processing as are contained in this Data Processing.
5 Security incident response A documented security incident response plan is in place that is suitable for detecting, resolving and reporting data breaches, in accordance with the requirements of Article 8.
6 Vulnerability / patch management Periodic scans are conducted to detect vulnerabilities in the systems and network equipment used. Security patches are installed or implemented immediately or promptly after they become available.
7 Network and system security Measures have been put in place to combat and detect malware as well as misuse of the network and systems (such as firewalls and antivirus software).
8 Physical access security Suitable measures (such as locks, cameras and alarm systems) have been put in place to secure against unauthorized access the rooms where the Personal Data may be processed.
9 Logging Through logging, it can be shown that only legitimate users are using or processing the Personal Data. When non-legitimate users are detected, suitable action is taken.
10 Business continuity and disaster recovery Policy, processes and procedures have been implemented to ensure that the products or services provided, and the processed Personal Data remain available in case of unforeseen circumstances and disasters or can be recovered as quickly as possible.
11 Independent audits Independent external audits are periodically performed to uncover non-compliances with defined security measures.

Annex B. Data breach notification form

  1. What kind of incident occurred?
  2. What kind of data were involved?
  3. In what way were the data compromised?
  4. When did the incident occur?
  5. What kind of consequences might the incident have for the Controller?
  6. What measures have been taken to end the incident and/or limit the consequences?
  7. What measures will be taken to end the incident and/or limit the consequences?
  8. On what date are these measures expected to be implemented?