Processing Agreement CodeImpact BV

Processing Agreement CodeImpact BV

The undersigned:

1. Private company with regular structure Code Impact BV is registered at the Chamber of Commerce under number 73,872,083 and is located at 140 Teggert (6367XR) Voerendaal represented by Jan-Jaap Arends, hereinafter referred to as “Processing Responsible”;

and

2. [Processor/Business Form] [Processor/Company Name], is registered with the Chamber of Commerce under number [Processor/KVK], legally represented by [Processor/Contact Person], hereinafter referred to as “Processor“

Controller and Processor hereinafter jointly referred to as: “Parties“

Considering that:

●        The Controller has instructed the Processor to process the personal data of its company in the context of the main agreement, which is an integral part of this processor agreement;

●        Controller designates the purposes and means to which the conditions stated herein apply;

●        Processor is willing to perform the processing and is also willing to comply with obligations regarding security and other aspects of the General Data Protection Regulation (“GDPR”), insofar as this is within its power;

●        Processor does not process the personal data for its own purposes;

●        The controller can be regarded as a controller within the meaning of Article 4(7) of the GDPR;

●        Processor can be regarded as a processor within the meaning of Article 4(8) of the GDPR;

●        Where this agreement refers to personal data, this refers to personal data within the meaning of Article 4, paragraph 1 of the GDPR;

●        The parties wish to record their rights and obligations in writing by means of this Processor Agreement (hereinafter (“, also in view of the requirement from Article 28(3) of the GDPRProcessor Agreement”).

The parties have agreed as follows:

Article 1 – Purpose of the processing

1. Processor undertakes to process personal data under the conditions of this Processor Agreement on behalf of Controller. Processing will only take place in the context of the execution of the assignment agreement and this Processor Agreement within the meaning of Article 28 paragraph 3 GDPR.

2. The Processor is prohibited from processing the personal data for a purpose other than the purpose established by the Controller. The purpose of the processing is to provide the services requested by the Controller as described and recorded in the Main Agreement. To this end, the following activities are performed: [execution of processing activities; what exactly will the self-employed person do?] and all other common tasks that the Controller explicitly outsources to the Processor.

3. The category of data subjects whose personal data is collected is: customers, employees and/or other persons or relations of the Controller with whom the Processor comes into contact if he processes personal data on behalf of the Controller.

4. The category of personal data that is processed are: contact and name and address data, financial data and other data for which the Controller has given explicit permission. (which data does the self-employed person see?).

5. Processor will not process the personal data for any purpose other than as determined by the Controller. The Controller will inform the Processor of the processing purposes insofar as they have not already been mentioned in this Processor Agreement.

6. Processor has control over the means for processing and storing the personal data. The controller is responsible for determining the purpose of the processing and must clearly record this.

7. Processing will take place manually as well as (semi)automatically.

8. The personal data to be processed on behalf of the Controller remain the property of the Controller and/or the relevant data subjects.

Article 2 – Term of the agreement

1. This agreement commences after signing the agreement and has been entered into for the duration of the main agreement.

2. This agreement cannot be terminated prematurely.

3. Changes to this agreement as a result of changes in any underlying agreement for services, legislation or regulations or other relevant circumstances are only legally valid if they are added to the Processor Agreement after consultation and with the explicit permission of the parties.

4. This agreement ends by operation of law if the Main Agreement ends.

5. As soon as the agreement has been terminated for any reason and in any way whatsoever, the Processor – at the discretion of the Controller – will return all personal data that are present with it in original or copy form to the Processing Manager and/or this original personal data and any copies remove and/or destroy it within a maximum period of 28 days. Any costs associated with this will be borne by the Processor.

6. Confidentiality, liability and dispute resolution provisions shall remain in full force and effect after termination of this Agreement.

Article 3 – Obligations of the Processor

1. The Processor is obliged to comply with the conditions imposed on the processing of personal data on the basis of applicable laws and regulations, in particular the AVG and the AVG Implementation Act.

2. The Processor is prohibited from enriching its own database(s) and/or files with any (personal) data from the database(s) of the Controller, except in the event that the Processor provides temporary database(s) and/or files. for the proper processing of personal data. The temporary files are immediately deleted from the moment that these temporary files are no longer needed for processing.

3. The Processor will inform the Controller at its first request about the measures it has taken with regard to its obligations under this Processor Agreement.

4. If the Controller gives instructions to the Processor with regard to the processing of personal data, the Processor must follow these instructions insofar as this is necessary for correct processing, except in the event that these instructions are contrary to laws and regulations and any applicable being professional and behavioral rules. Only the Controller is authorized to give its exclusive opinion in this regard.

5. All obligations resting on the Processor also apply to persons who process personal data under the authority of the Processor (after explicit permission from the Controller), including the employees of the Processor and the third parties engaged by it.

6. Processor is responsible for ensuring that only employees and/or third parties have access to the personal data for which access is necessary for the execution of the agreement. The employees and/or third parties work under the responsibility of the Processor.

7. The Controller only has limited access to the personal data at the Processor. The Processor is obliged to cooperate at the first request of the Controller with regard to inspection, audits and/or inspections.

8. This agreement is not transferable, unless expressly agreed otherwise.

Article 4 – Transfer of personal data

1. Subject to the written permission of the Controller, the Processor will not have any personal data processed by or on behalf of the Processor or a sub-processor engaged by it, in connection with the performance of the Agreement, transferred to or accessible ( ) from countries or international organizations that the European Commission has not yet decided to ensure an adequate level of protection in accordance with applicable privacy regulations. Articles 44 to 50 of the GDPR are complied with at all times. The Processor provides insight into the location(s) where the processing takes place at the first request of the Controller.

2. If the Processor intends to process personal data by a country or international organization for which the European Commission has not yet given permission, the Processor will inform the Controller in writing of this intention. Transfer of personal data to another country also includes making the personal data accessible from (an entity in) such other country.

Article 5 – Responsibility of the Processor Controller

1. The Processor will perform the activities for thein the context of this agreement as referred to in Article 1.2 of this agreement, as well as the other activities as laid down in the Main Agreement.

2. Processor is responsible for the processing of the personal data under this Processor Agreement in accordance with the instructions of the Controller. For the other processing of personal data, including in any case, but not limited to: the collection of the personal data by the Processing Manager, processing for purposes that have not been reported to the Processor by the Controller and processing by third parties and/or for other purposes, the Processor is also responsible.

Article 6 – Third parties

Processor’s activities can only be outsourced to third parties after explicit prior permission from Controller. The Processor is responsible for these third parties and is responsible and liable for damages for all damage caused to the Controller by the actions of third parties. All obligations under this agreement also apply to this third party(ies), the (sub-processor).

Article 7 – Security measures for personal data

1. Processor makes every effort to take sufficient and appropriate organizational and technical measures against any form of unlawful processing with regard to the processing of personal data to be carried out by it.

2. The security level of the measures must at least meet a level that is not unreasonable in the context of the associated costs, sensitivity of the personal data concerned, as well as the state of the art and risks. The Processor guarantees that the security measures it has taken are effective at all times, under all circumstances. In consultation, the parties can take other additional or further security measures.

3. The Processor has its own responsibility to inform itself and/or its employees and third parties engaged by it of all protocols, the (security) policy and other instructions that enable and promote safe processing.

4. Processor is responsible and liable for its part of the processing.

5. If there is a breach in the security of the personal data, which can cause damage or have adverse consequences for the protection of the personal data, the Processor, the Controller must inform the Processor about this immediately, at least without undue delay, but within 24 hours after the Processor has notified this reasonably could have been informed. The controller will then inform the Dutch Data Protection Authority and any data subjects as soon as possible about the infringement within 48 hours.

6. The above notification to the Controller must contain the necessary information so that the Controller can send the notification to the Personal Data Authority more quickly or have it checked whether the breach is subject to notification.

7. Pursuant to the Processor’s notification obligation, the notification of an infringement must consist of at least the following components:

●        the nature of the personal data breach, specifying where possible the categories of data subjects and personal data concerned and, approximately, the number of data subjects and personal data registries concerned;

●        the name and contact details of the data protection officer or other contact point where more information can be obtained;

●        the likely consequences of the personal data breach;

●        the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to limit any adverse consequences thereof.

8. Controller and Processor must each keep a register of all infringements in accordance with Article 33(5) of the GDPR. Processor must document all breaches, including the facts about the breach in connection with personal data, the consequences thereof and the corrective measures taken. At the first request of the Controller, the Processor will provide the Controller with access to this.

9. If a breach of the security of the personal data has occurred at the Processor, the Processor is obliged to take appropriate measures at its own expense to prevent future incidents and/or breaches.

Article 8 – Confidentiality

Processor and its employees, as well as third parties engaged by Processor, are obliged to maintain the confidentiality of all personal data, sensitive information and/or company data obtained through this agreement. The duty of confidentiality does not apply if the Controller has given explicit and written permission to the Processor to share this data and information with third parties, or if there is a legal obligation to provide the data and information to a third party. After the expiry of this agreement, the parties remain obliged to adhere to this confidentiality obligation.

Article 9 – Rights of data

subjects 1. If the Processor receives a request for inspection from a data subject or an authorized body, the Processor will process this request as soon as possible, but at the latest within 5 working days. If it is not possible to handle the request yourself, the request will be forwarded to the Controller within 4 days. If requested, the processor must cooperate in the execution of the request. The costs that the Processor must incur for the benefit of the cooperation will be for the Processor’s own account.

2. The provisions of Article 9.1 apply mutatis mutandis if a data subject wishes to assert other rights, such as her right to rectification, erasure, right to restriction of processing, right to data portability, right to object and rights in case of automated individual decision-making, as laid down in sections 3 and 4 of the General Data Protection Regulation.

Article 10 – Audit

1. The Controller can have an expert check compliance with this Processor Agreement after it has become apparent that the reports of the Controller’s audit have been found to be insufficient (no or insufficient clarity about the Processor’s compliance with the Processor Agreement) and the content of these reports justify such an audit.

2. The Controller may have an inspection carried out at the Processor once a year. The Processor will be informed of this at least one month in advance, so that it can inform its suppliers about this and further agreements can be made regarding the audit.

3. Processor is obliged to cooperate with the inspection and will make all relevant information available as soon as possible, but at the latest within 14 calendar days after the request for information has been received by Processor. The processor can be granted a maximum of one month’s delay to still supply the information. If such circumstances arise, the Processor must provide the requested information within such a period that it is received in time and in full in the context of any (interim proceedings) procedure.

4. The findings of the audit are discussed by the parties and, if desired, implemented by one or both parties jointly.

5. The controller bears the costs for the check. If, after checking, it appears that some adjustments are necessary in the security measures of the Processor, the full costs of the security measures (to be taken) will be borne by the Processor. By initialing and signing this Processor Agreement, the Processor declares to agree to this.

Article 11 – Liability

1. The processor is responsible for the processing of the personal data and guarantees that the processing is lawful and does not infringe the rights of the data subjects. The Processor is liable for all damage as a result of the Processor’s actions and/or omissions or non-compliance with laws and regulations.

2. The Processor is liable for both direct and indirect damage, consequential damage, lost profit, lost savings, reduced goodwill, business interruption of the Controller and/or damage as a result of claims from data subjects and/or third parties.

3. Without prejudice to the provisions of this article, the Processor is liable for damage caused by the processing if the obligations of the GDPR specifically addressed to the Processor have not been complied with during this processing or if the lawful instructions of the Controller have been acted upon. .

4. The Processor is not liable for the damage if it can demonstrate that it is in no way responsible for the event causing the damage.

Article 12 – Indemnification

1. Processor indemnifies Controller against claims, fines and/or periodic penalty payments from or on behalf of the Dutch Data Protection Authority and/or other authorities, where it has been established that the violations fall under the responsibility of Processor.

2. The Controller can recover the fines and/or periodic penalty payments imposed from the Processor if it can be held responsible for the violations.

Article 13 – Dispute resolution

1. This agreement is governed by Dutch law.

2. All disputes arising between parties arising from or related to or relating to this Processor Agreement will be settled by the competent court of the Limburg District Court (location Maastricht).

Thus agreed and signed in duplicate:

Controller	Processor
————————————————– ———————-	————————————————– ———————-
Jan-Jaap Arends CodeImpact BV Place: Date:	[Processor/Contact person] [Processor/Company name] Place: Date: