Definitions
| Term | Definition |
| --- | --- |
| Offer / Special Offer | each offer of Intercept to conclude an Agreement |
| Agreement | any agreement between the Parties under which Intercept provides Services to the Client |
| Client | the natural person(s) and/or legal entit(y)(ies) to whom Intercept makes a Special Offer to deliver Products, perform Services and/or with whom Intercept concludes an Agreement |
| Part(y)(ies) | Intercept and Client |
| Intercept | the private limited company Intercept B.V. (registered with the Commercial Register of the Dutch Chamber of Commerce under number: 58096973), this being the user of the Conditions |
| Services | all (additional) services and/or (technical) work activities, of any kind, which are performed by Intercept pursuant to the Agreement, including the rendering of consultancy services and the development of Software and/or making Software available |
| Software | all software, whether or not on the basis of user licence(s), made available or delivered to Client and/or developed for Client and/or other software related means including software interfaces, (mobile) applications, web applications and/or (other) control and/or user environments made available by or through Intercept to Client, including but not limited to Microsoft Azure, including instruction documentation material and other information belonging to the software |
| Personal Information | all information about an identified or identifiable natural person |
| Controller | the Client |
| Processor | Intercept |
| Sub-Processor | the natural person(s) and/or legal entit(y)(ies) engaged by the Processor to carry out (part of) the processing of personal data on behalf of the Data Controller as defined in the General Data Protection Regulation (GDPR) |
| Processing Agreement | this Processor Agreement of Intercept |
This Processing Agreement constitutes an integral part of the arrangements made between the Parties in an Agreement as set out in the Intercept General Terms and Conditions.
Whereas:
- Controller has entered into an agreement with Processor and wishes to engage Processor for the performance of said agreement;
- For the purpose of the foregoing, Controller and Processor entered into an Agreement for the purpose of performing the services agreed in the Agreement;
- In the performance of the Agreement, Processor is to be considered a Processor within the meaning of Article 4, paragraph 8 of the General Data Protection Regulation (hereinafter: "GDPR");
- Controller is to be considered a processor within the meaning of Article 4, paragraph 7 of the GDPR;
- Where this Processing Agreement mentions personal data, this means personal data in the sense of article 4, paragraph 1 of the GDPR;
- Controller designates the purposes and means of processing, which are subject to the terms and conditions set forth herein;
- Processor is thereto prepared and is also prepared to fulfil the obligations regarding security and other aspects of the GDPR, where this is within its power;
- The GDPR imposes a duty on the Controller to ensure that Processor provides sufficient protection in respect of the technical and organisational security measures relating to the processing to be carried out;
- The GDPR moreover imposes a duty on the Processor to monitor compliance with these measures;
- Also in view of the requirement of article 28, paragraph 3 of the GDPR, the parties wish to lay down their rights and obligations in writing through this processing agreement (hereinafter: "Processing Agreement");
- Where this Processing Agreement refers to provisions in the GDPR, until 25 May 2018, the corresponding provisions of the Personal Data Protection Act (hereinafter: "Wbp") are referred to.
Article 1. Processing purposes
- Processor undertakes to process personal data on behalf of the Controller under the terms of this Processing Agreement. Processing shall take place solely under the Processing Agreement in order to achieve the provision of services which are laid down in the Agreement with further consent.
- The personal data that are or will be processed by the Processor under the Agreement, and the categories of data subjects from whom they originate, are included in Appendix 1. Processor shall not process the personal data for any purpose other than the purposes determined by Controller. Controller shall inform Processor of the processing purposes where not already mentioned in this Processing Agreement.
- The Processor has no control of the purpose and means of processing personal data. Processor shall not make independent decisions about the receipt and use of the personal data, the disclosure to third parties and the duration of storage of personal data.
Article 2. Controller obligations
- With regard to the processing referred to in Article 1, Processor shall ensure compliance with the conditions imposed on the processing of personal data by Processor pursuant to the Dutch Data Protection Act (Dutch: Wbp) and the General Data Protection Regulation (GDPR).
- Processor shall inform Controller, upon request and within a reasonable time, about the measures taken by it regarding its obligations under this Processing Agreement.
- The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Controller.
- The processing of personal data by Processor shall never result in the databases of Processor being enriched with data from the datasets of Controller, unless it concerns data in aggregated, non-traceable form. In that case, Processor is allowed to use this data for its own other purposes.
- Processor shall immediately notify the Controller if, in its opinion, any instruction of the Controller is in breach of the legislation referred to in paragraph 1.
Article 3. Transfer of personal data
- Processor may process the personal data in countries within the European Economic Area ("EEA"). Transfer to countries outside the EEA is not permitted.
Article 4. Distribution of responsibility
- The permitted processing will be conducted by Processor within a (semi-)automated environment.
- Processor is solely responsible for processing the personal data under this Processing Agreement, in accordance with the instructions of Controller and under the express (final) responsibility of Controller. Processor is not responsible for any other processing of personal data, including in any case but not limited to the collection of the personal data by the Controller, processing for purposes not reported by Controller to Processor, processing by third parties and/or for other purposes. The responsibility for these processing operations is solely vested with Controller.
- Controller guarantees that the content, use and order of the processing of the personal data referred to in this Processing Agreement is not unlawful and does not infringe any rights of third parties.
- From the moment the GDPR becomes applicable on 25 May 2018, the Parties will keep a register of the processing operations regulated under this Processing Agreement.
Article 5. Engaging third parties or subcontractors
- Processor shall not sub-contract its activities consisting of processing Personal Data or requiring Personal Data to be processed to any Sub-Processor without prior notice from Controller. The foregoing shall not apply to the Sub-processors listed in Appendix 2. During the term of this Agreement, Processor may add to and/or change the Sub-Processors listed in Appendix 2. Controller may object to the engagement of another Sub-Processor, but will not unreasonably withhold its consent to the engagement of other Sub-Processors.
- To the extent that Controller agrees to engaging a Sub-Processor, Processor shall impose the same or more stringent obligations on such Sub-Processor as arise for itself under this Processing Agreement and the Act. Processor will record these agreements in writing and will monitor compliance by the Sub-Processor. Processor shall provide Controller with a copy of the agreement(s) entered into with the Sub-processor upon request.
- Notwithstanding Controller’s consent to the engagement of a Sub-processor who processes (part of) data on behalf of the Processor, Processor remains fully liable in respect of Controller for the consequences of outsourcing work to a Sub-processor. Controller’s consent to the outsourcing of work to a Sub-processor does not affect the consent required for the deployment of Sub-processors in a country outside the European Economic Area.
Article 6. Security
- Processor shall endeavour to take appropriate technical and organisational measures with regard to the processing of personal data to be performed, against loss or against any form of unlawful processing (such as unauthorised access, impairment, alteration or transmission of the personal data).
- Processor will make every effort to ensure that the security meets a level which is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs involved in making the security arrangements.
- If a required security measure appears absent, Processor will ensure that the security meets a level that is not unreasonable in view of the state of the art, the sensitivity of the personal data and the costs involved in implementing the security.
- Processor evidently operates in accordance with ISO 27001.
Article 7. Duty of notification
- In the event of a data breach (which means: a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed), Processor shall notify Controller without delay or at the latest within forty-eight (48) hours, following which Controller shall decide whether or not to inform the supervisory authorities and/or data subjects. Processor shall make every effort to ensure that the information provided is complete, appropriate and accurate.
- Controller shall ensure compliance with any (legal) notification requirements. If required by law and/or regulations, Processor shall cooperate in informing the relevant authorities and any data subjects concerned.
- The duty of notification shall in any case include notifying the fact that there has been a leak, as well as, to the extent known to Processor:
  - the date when the leak occurred (if no exact date is known: the period in which the leak occurred);
  - the (alleged) cause of the leak;
  - the date and time when the leak became known to Processor or to a third party or subcontractor engaged by the Processor;
  - the number of people whose data has been leaked (if an exact number is not known: the minimum and maximum number of people whose data has been leaked);
  - a description of the group of persons whose data has been leaked, including the type or types of personal data leaked;
  - whether the data has been encrypted, hashed or otherwise made unintelligible or inaccessible to unauthorised persons;
  - the measures planned and/or already taken to seal the leak and to limit the consequences of the leak;
  - contact details for follow-up of the notification.
Article 8. Right of data subjects
- In the event that a data subject makes a request to exercise his/her legal rights to Controller, Processor shall forward the request to Controller and notify the data subject. Controller will then further handle the request independently. If the Controller should require assistance from the Processor in order to carry out a data subject's request, the Processor may charge a fee for this.
Article 9. Duty of confidentiality
- All personal data received by the Processor from Controller and/or collected by itself under this Processing Agreement, is subject to a duty of confidentiality in respect of third parties. Processor shall not use this information for any purpose other than the purpose for which it was obtained, unless it is in such a form that it is not traceable to those involved.
- This duty of confidentiality does not apply where Controller has given its express consent to provide the information to third parties, if providing the information to third parties is logically necessary in view of the nature of the order given and the performance of this Processing Agreement, or in case of a legal obligation to provide the information to a third party.
Article 10. Audit
- Controller has the right to have audits conducted by an independent ICT expert who is bound by confidentiality to verify compliance with all provisions of this Processor Agreement.
- This audit shall only take place after the Controller has requested the similar audit reports present at the Processor, assessed them and provided reasonable arguments that still justify an audit initiated by the Controller. Such an audit will be justified if the similar audit reports present at the Processor do not provide any or not sufficient evidence of compliance with this Processor Agreement by Processor. The audit initiated by the Controller shall take place within two weeks after prior notice by the Controller, and only pursuant to any reasons caused with respect to this on the basis of deviations and incidents.
- Processor shall cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees, as promptly as possible and within a reasonable period, a period of up to two weeks being considered reasonable unless a compelling interest dictates otherwise. Controller shall ensure that the audit causes as little disruption as possible to the other activities of the Processor.
- The findings of the audit will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one or both Parties jointly.
- The reasonable costs of the audit shall be borne by the Controller, provided that the costs of the third party to be hired shall always be borne by the Controller.
- Processor will support Controller in the performance of a Data Protection Impact Assessment (hereinafter: "DPIA") if Processor is required to do so under the GDPR. This support may include the provision of any required information by Processor to Controller, for the proper performance of the DPIA.
Article 11. Liability
- Controller bears full responsibility and is therefore fully liable for the stated purpose of processing, the use and content of personal data, the disclosure to third parties, the duration of storage of personal data, the manner of processing and the means used for that purpose.
- Controller shall indemnify Processor against any (damage) claim, on any grounds whatsoever, from data subjects or third parties for breach of the General Data Protection Regulation or other legal obligations as well as the obligations included in this processing agreement, unless and insofar as the (damage) claim is based on any failure by Processor of compliance with its obligations under this processing agreement.
- Processor is liable in respect of Controller as stipulated in the Agreement. The liability of the Processor is at all times limited to three times the value of the order as stated in the Agreement, or, if it concerns a continuing performance contract with a term longer than one year, limited to a maximum of the insured amount, on the proviso that in Article 13.1 of the General Terms and Conditions of Processor "the amount that the insurer pays, if any" also means any own risk of Processor.
Article 12. Duration and termination
- This Processing Agreement is entered into for the term specified in the Agreement between the Parties and, in the absence thereof, in any event for the term of the collaboration.
- The Processing Agreement cannot be terminated prematurely.
- The Parties may amend this Processing Agreement only by mutual written consent.
- After termination of the Processing Agreement, Processor shall destroy the personal data received from Controller without delay, unless the parties agree otherwise.
- Any obligations which by their nature are intended to continue after the termination of this Processing Agreement will continue after the termination of this Processing Agreement. These include, for example, those arising from the provisions on confidentiality, liability, dispute resolution and applicable law.
Article 13. Other provisions
- The Processing Agreement and its implementation are governed by Dutch law.
- Any disputes that may arise between the Parties with respect to the Processing Agreement will be brought before the competent court in the district of the court that is also competent to issue a ruling with regard to the Agreement.
- If one or more provisions of the Processing Agreement prove to be invalid, the remaining provisions of the Processing Agreement will remain effective. The parties will in that case discuss the provisions that are not legally valid in order to agree on a replacement provision that is legally valid and, where possible, corresponds with the purport of the provision to be replaced.
- If privacy legislation changes, the parties will cooperate on an amendment of this Processing Agreement in such a way that it will comply or continue to comply with this legislation.
- In the event of a conflict between different documents or their appendices, the following order of precedence shall apply:
  - this Processing Agreement;
  - the Agreement;
  - the General Terms and Conditions of the (sub-)Processor;
  - any additional conditions.