Processor Agreement impression® | creative design agency

Version 1.2
18 November 2022

Parties:

This Processor Agreement applies to all forms of processing of personal data that impression® | creative design agency, located at Dyksterbuorren 33, 9036MR Menaam, registered with the Chamber of Commerce under number 75258900 (hereinafter: "Processor"), performs for the benefit of the other party to whom it provides services (hereinafter: "Controller").

Considering that:

  • the Processor Agreement has been concluded in the context of the delivery of the service from Processor to Controller, for the execution of the service of Processor;
  • the Processor's service consists of sending newsletters, which the Data Controller has set up via the online platform of Processor, to the relations of the Data Controller, managing the database of the Data Controller for the purpose of sending these newsletters, and collecting information about the actions performed in relation to the newsletter received;
  • Processor is hereby deemed to be a Processor within the meaning of Article 4, paragraph 8 of the General Data Protection Regulation (hereinafter: “AVG”);
  • Processing controller is hereby designated as Processing Controller within the meaning of Article 4, paragraph 7 of the AVG;
  • Processor for the execution of its services will process personal data within the meaning of Article 4, paragraph 1 of the GDPR, on behalf of Processing Controller;
  • Processor is prepared to comply with the obligations regarding security and other aspects of the AVG and, until 25 May 2018, the Personal Data Protection Act (hereinafter: “Wbp”), insofar as this is within its power;
  • the Wbp and the AVG impose an obligation on the Processing Controller to ensure that the Processor offers sufficient guarantees with regard to the technical and organizational security measures with regard to the processing to be performed;
  • additionally, the Wbp and the AVG impose on the Data Controller the duty to monitor compliance with those measures;
  • Parties, partly in view of the requirement in Article 28, paragraph 3 of the AVG, wish to record their rights and obligations in writing through this Processor Agreement (hereafter: "Processor Agreement");
  • where in this Processor Agreement reference is made to provisions from the AVG, until 25 May 2018 the corresponding provisions from the Wbp are meant.

Have agreed as follows:

ARTICLE 1. PURPOSES OF PROCESSING

1.1 Processor undertakes to process personal data under the conditions of this Processor Agreement on behalf of Data Controller. Processing will only take place in the context of the Processor Agreement in order to send newsletters, which the Controller has prepared via the Processor's online platform, to the relations of the Controller and to thereby also be able to manage the Controller's relationship file for this activity, including collecting data relating to the receipt of the newsletters by the relations, for the benefit of the Data Controller (including but not limited to data about opening the newsletters and clicking on hyperlinks included in the newsletters), and to achieve those purposes recorded with further approval.

1.2 The personal data that are processed by Processor in the context of its services, and the categories of data subjects from whom they originate, are included in Appendix 1. Processor will not process the personal data for any purpose other than as determined by the Controller. The controller will inform the Processor of the processing purposes insofar as these have not already been mentioned in this Processor Agreement.

1.3 Processing controller guarantees that it will keep a register of the processing operations regulated under this Processing Agreement. Processing controller indemnifies Processor against all claims related to non-compliance or incorrect compliance with the obligation to register.

ARTICLE 2. OBLIGATIONS OF THE PROCESSOR

2.1 With regard to the processing operations referred to in Article 1, Processor will ensure compliance with the conditions that, pursuant to the Wbp and the AVG, are set for the processing of personal data by Processor from his role.

2.2 The Processor will, at its request and within a reasonable time, inform the Data Controller of the measures it has taken with regard to its obligations under this Processor Agreement.

2.3 The obligations of the Processor that arise from this Processor Agreement also apply to those who process personal data under the authority of the Processor.

2.4 The processing of personal data by Processor will never result in the Processor's databases being enriched with the data from the data sets of Processor, unless it concerns the data in aggregated, non-traceable form. In that case, the Processor is permitted to use this data for its own other purposes.

ARTICLE 3. TRANSFER OF PERSONAL DATA

3.1 Processor will only process the personal data in countries within the European Economic Area (EEA).

ARTICLE 4. BREAKDOWN OF RESPONSIBILITY

4.1 The permitted processing will be carried out by Processor within a semi-automated environment.

4.2 Processor is solely responsible for the processing of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the express (final) responsibility of the Controller. For all other processing of personal data, including in any case but not limited to the collection of the personal data by the Controller, processing for purposes that have not been reported by the Controller to the Processor, processing by third parties and / or for other purposes, the Processor is not responsible. The responsibility for these processing operations lies exclusively with the controller.

4.3 Processing controller guarantees that the personal data as described in 'Appendix 1' under 'CATEGORY B: Relationships (involved parties) of Processing controller' may be supplied by Processing controller and that Processor may process it in its order.

4.4 Processing controller guarantees that the required legal basis such as consent, as referred to in, but not limited to, the AVG and the Telecommunications Act, is present for the purposes specified in Article 1.1.

4.5 Processing controller guarantees that the content, use and instruction to process the personal data as referred to in this Processing Agreement is not unlawful and does not infringe any rights of third parties, and that all additional guarantees that have been met apply to the processing of special personal data, as laid down in the relevant laws and regulations. Processing controller indemnifies Processor against all claims related to this.

ARTICLE 5. INVOLVEMENT OF THIRD PARTIES OR SUB-CONTRACTORS

5.1 Processing controller hereby gives Processor permission to use a third party to process personal data, based on this Processor Agreement, with due observance of applicable privacy legislation.

5.2 At the request of the Controller, the Processor will inform the Controller as soon as possible about the third parties it has engaged. Processing controller has the right to object to any third parties engaged by the Processor. If the Processing Controller has an objection against third parties engaged by the Processor, the Parties will consult each other to find a solution for this.

5.3 Processor shall in any case ensure that these third parties assume the same obligations in writing as agreed between the Controller and Processor with regard to the processing of personal data. Processor is responsible for correct compliance with these obligations by these third parties and, in the event of errors by these third parties, is itself liable towards the person responsible for processing for the damage as if it had committed the error(s) itself.

ARTICLE 6. SECURITY

6.1 Processor shall endeavor to take appropriate technical and organizational measures with regard to the processing of personal data, against loss or against any form of unlawful processing (such as unauthorized access, encroachment, alteration or provision of personal data). Processor mainly works in accordance with ISO 27001 and works towards achieving certification.

6.2 The processor shall endeavor to ensure that the security meets a level that is not unreasonable in view of the state of technology, the sensitivity of the personal data and the costs associated with taking the security measures.

6.3 Despite the fact that Processor must take appropriate security measures in accordance with the first paragraph of this article, Processor cannot fully guarantee that security is effective under all circumstances. However, in the event of a threat or actual breach of these security measures, the processor will do everything that is reasonably possible to limit the loss of personal data as much as possible.

6.4 The controller only makes personal data available to the Processor for processing if he has ensured that the required security measures have been taken. The controller is responsible for compliance with the measures agreed by the Parties.

ARTICLE 7. REPORT DUTY

7.1 In the case of a security breach and / or a data breach (which is understood to mean: a security breach that accidentally or unlawfully leads to the destruction, loss, alteration, or unauthorized provision of or unauthorized access to forwarded, stored or otherwise processed data), Processor, to the best of its ability, shall endeavor to inform the Controller immediately or at the latest within forty-eight (48) hours, on the basis of which the Controller assesses whether it will inform the supervisory authorities and / or data subjects or not. Processor makes every effort to make the information provided complete, correct and accurate. The reporting obligation applies regardless of the impact of the leak.

7.2 The duty to report includes at least the reporting of a leak, as well as:

  • the date on which the leak occurred (if no exact date is known: the period within which the leak occurred);
  • what the (alleged) cause of the leak is;
  • the date and time at which the leak became known to the Processor or to a third party or subcontractor engaged by him;
  • the number of people whose data has been leaked (if no exact number is known: the minimum and maximum number of people whose data has been leaked);
  • a description of the group of persons whose data has been leaked, including the type or types of personal data that have been leaked;
  • whether the data is encrypted, hashed or otherwise made incomprehensible or inaccessible to unauthorized persons;
  • what the intended and / or already taken measures are to close the leak and to limit the consequences of the leak;
  • contact details for following up the report.

7.3 The controller will ensure that any (legal) reporting obligations are met. If required by law and / or regulations, Processor will cooperate in informing the relevant authorities and / or parties involved.

ARTICLE 8. RIGHTS OF INTERESTED PARTIES

8.1 In the event that a data subject submits a request to Processor to exercise his / her legal rights, Processor will forward the request to the Controller and inform the data subject thereof. The controller will then further process the request independently.

8.2 In the event that a data subject submits a request for the exercise of one of his legal rights to the Processing Controller, the Processor will, if the Processing Controller requires this, cooperate to the extent that this is possible and reasonable. Processor may charge reasonable costs for this to the controller.

ARTICLE 9. OBLIGATION OF CONFIDENTIALITY

9.1 All personal data that Processor receives from the Controller and / or collects itself in the context of this Processor Agreement is subject to a confidentiality obligation towards third parties. Processor shall not use this information for a purpose other than that for which it was obtained, unless it has been presented in such a form that it cannot be traced back to data subjects.

9.2 This duty of confidentiality does not apply to the extent that the Controller has given explicit permission to provide the information to third parties, if the provision of the information to third parties is logically necessary in view of the nature of the assignment given and the implementation of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.

ARTICLE 10. AUDIT

10.1 The controller has the right to have audits carried out by an independent IT expert who is bound by confidentiality to check compliance with all points in this Processor Agreement.

10.2 This audit only takes place after the Controller has requested and assessed the similar audit reports present at the Processor and provides reasonable arguments that justify an audit initiated by the Controller. Such an audit is justified if the similar audit reports present at Processor do not provide sufficient or conclusive information about the Processor's compliance with this Processor Agreement. The audit initiated by the Controller is carried out two weeks after prior announcement by the Controller, and no more than once a year.

10.3 Processor shall cooperate with the audit and make all information reasonably relevant to the audit, including supporting data such as system logs, and employees available as soon as possible and within a reasonable period, whereby a period of no more than two weeks is reasonable. Processing controller will ensure that the audit causes the least possible disruptive effect on the other activities of Processor.

10.4 The findings as a result of the audit will be assessed by the Parties in mutual consultation and, as a result thereof, may or may not be implemented by one of the Parties or by both Parties jointly.

10.5 The reasonable costs for the audit are borne by the Controller, on the understanding that the costs for the third party to be hired will always be borne by the Controller.

ARTICLE 11. LIABILITY

11.1 The liability of the Processor for damage as a result of an attributable failure to comply with the Processor Agreement is limited per event (a series of consecutive events counting as one event) to the compensation of direct damage, to a maximum of the amount received by the Processor for the work under this Processor Agreement for the month prior to the event giving rise to the damage.

11.2 Direct damage is exclusively understood to mean all damage consisting of:

  • damage directly caused to material things ("property damage");
  • reasonable and demonstrable costs to urge the Processor to (properly) comply with the Processor Agreement;
  • reasonable costs to determine the cause and extent of the damage insofar as it relates to direct damage as referred to here;
  • reasonable and demonstrable costs incurred by the Data Controller to prevent or limit the direct damage as referred to in this article.

11.3 The liability of the Processor for indirect damage is excluded. Indirect damage means all damage that is not direct damage.

11.4 The exclusions and limitations referred to in this article will lapse if and insofar as the damage is the result of intent or willful recklessness on the part of the Processor or its management.

11.5 Unless fulfillment by the Processor is permanently impossible, the Processor's liability for imputable shortcomings in the fulfillment only arises if the Processing Controller immediately gives the Processor written notice of default, whereby a reasonable period for remedying the shortcoming is set, and the Processor also after that period imputably fails to meet its obligations. The notice of default must contain a description of the shortcoming that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.

11.6 Any claim for compensation by the Processing Controller against the Processor that has not been specified and explicitly reported will lapse by the mere lapse of twelve (12) months after the claim arose.

11.7 Processor is expressly not liable for damage to the Data Controller as a result of a fine imposed by one of the national supervisors, including the Dutch Data Protection Authority, including in the context of legal reporting obligations. This, unless the fine has been imposed on the Controller as a result of an attributable shortcoming in the processor's compliance with the Processor Agreement, and the Controller and Processor have done everything within their power to prevent or reduce the penalty.

ARTICLE 12. DURATION AND TERMINATION

12.1 This Processor Agreement has been entered into for the duration of the collaboration.

12.2 The Processor Agreement cannot be terminated in the interim.

12.3 Parties may only amend this Processor Agreement with mutual written consent.

12.4 After termination of the Processor Agreement, Processor will immediately destroy the personal data received from the Controller, unless the parties agree otherwise.

ARTICLE 13. OTHER PROVISIONS

13.1 The Processing Agreement and its implementation are governed by Dutch law.

13.2 All disputes that may arise between the Parties in connection with the Processor Agreement, will be submitted to the competent court in the district of the court where Processor is established.

13.3 If one or more provisions of the Processor Agreement prove not to be legally valid, the Processor Agreement will remain in force for the rest. The parties then consult on the provisions that are not legally valid, in order to make a replacement arrangement that is legally valid and as far as possible in line with the scope of the regulation to be replaced.

13.4 If the privacy legislation changes, the parties will cooperate in adjusting this Processor Agreement in order to be able to (continue to) comply with this legislation.

13.5 In the event of conflict between various documents or their appendices, the following order of priority applies:

        1. this Processor Agreement;
        2. the General Terms and Conditions of Processor;
        3. any additional conditions.

Appendix 1: Specification of personal data and data subjects

Personal data

In order to deliver its services on behalf of Processing Controller, Processor will process the following personal data of Processing Controller himself, and of relationships (parties involved) to be determined by Processing Controller:

CATEGORY A: Processing controller (customer service):

  • Company name;
  • Name and address data;
  • e-mail address;
  • sex;
  • credentials.

CATEGORY B: Relationships (involved parties) of the Controller:

  • Company name;
  • e-mail address;
  • Name and address data;
  • sex;
  • data relating to the receipt of the newsletters by the business partners (including, but not limited to, data about opening the newsletters and clicking on hyperlinks included in the newsletters).

Processing controller guarantees that only the personal data necessary for the Processor will be provided.