Processing agreement
How Filer processes your data
If Filer processes personal data for the benefit of the Client in the performance of the agreement, the following conditions apply in addition to the General Conditions. The applicability of the Client's processing agreements is expressly rejected
Filer offers the Client the option of purchasing a subscription whereby Filer processes Personal Data for the performance of the services for and on behalf of the Client. In the Processing of Personal Data, the Client is designated as the Controller and the Filer, depending on the capacity of the Client, is designated as the Processor or Sub-processor
Considering that:
- Controller has instructed the Processor to process the personal data in the context of the assignment agreement (main agreement)
- Processor accepts the order to process this personal data and does not process this data for its own purposes
- Controller is responsible for the processing of the data by Processor within the meaning of the General Data Protection Regulation
- The parties wish to record the agreements made in writing
Have agreed:
-
Article 1 - Definitions
- GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679) elaborated in the UAVG
- Data subject: the person to whom the Personal Data relate, as referred to in Article 4 paragraph 1 GDPR
- Main agreement: the main agreement (s), including attachments, concluded between the Controller and the Processor, to which this Processor Agreement relates
- Breach of Personal Data: a breach of security that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to transmitted, stored, or otherwise processed personal data as referred to in Article 4 paragraph 12 GDPR
- Employees: Persons who work at the Controller or at the Processor
- Recipient: a natural or legal person, a government agency, a service or another body, whether or not a third party, to whom/to which the Personal Data are provided as referred to in Article 4 paragraph 9 GDPR
- Parties: Controller and Processor
- Personal data: all information in the broadest sense of the word about an identified or identifiable natural person (the Data Subject) that is processed in the context of the Main Agreement as referred to in Article 4 paragraph 1 GDPR; is considered identifiable by means of which a natural person can be directly or indirectly identified, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person
- Company data: all information in the broadest sense of the word about the company that is processed under the agreement
- UAVG: the implementing law of the General Data Protection Regulation (Regulation (EU) 2016/679) of 16 May 2018
- Processor: the natural person or legal person, a government organization, a service or other body that processes Personal Data for the purposes of the Processing Manager as referred to in Article 4 (8) GDPR
- Sub-processor: another processor that is used by the Processor to Process Personal Data on behalf of a Controller
- Controller: the natural or legal person who alone or together with others determines the purpose and means for the Processing of Personal Data as referred to in Article 4 paragraph 7 GDPR
- Processor Agreement: this Processor Agreement for recording the agreements as referred to in Article 28 paragraph 3 GDPR
- Processing: an operation or set of operations relating to Personal Data, whether or not carried out via automated processes, such as recording, organizing, collecting, structuring, storing, changing, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise make available, align or combine, protect, delete or destroy data as referred to in Article 4 paragraph 2 GDPR
-
Article 2 - Purpose of the processing
- The Processor undertakes to process personal data on the instructions of the Controller, under the conditions of this Processor Agreement. Processing will only take place in the context of the execution of the assignment agreement and this processing agreement within the meaning of Article 28 paragraph 3 GDPR
- The Processor is prohibited from processing the personal data for a purpose other than that established by the Controller. The purpose of the processing is to store the data of the Client and to offer a search system in order to search the data of the Client as described and laid down in the Main Agreement. For this purpose, the Processor offers its Service
- The category of data subjects whose personal data is collected concerns: the Client and its customers and/or other involved persons that the Client is dealing with, including but not limited to: its (potential) customers, cooperation partners, relations, employees, as well as company data
- The category of personal data that is processed is data, including in any case, but not limited to contact and name and address data, the e-mail address, the location and login data, search terms used, file names, (sensitive) company data, IP addresses, and other categories of Personal Data, which also includes both non-special and special personal data
- The Processor will not process the personal data for any purpose other than as determined by the Controller. Controller will inform Processor of the processing purposes insofar as these are not already mentioned in this Processor Agreement
- Processor has no control over the processing and use of the personal data. The controller is responsible for the means and determining the purpose of the processing and must clearly record this in writing
- Most of the processing will be automated, but can be done manually on request, and if Processor assesses it as necessary for the implementation of the Main Agreement
- The personal data to be processed on behalf of the Controller will remain the property of the Controller (insofar as this data has not previously belonged to third parties)
-
Article 3 - Duration of the agreement
- This agreement starts after registration of the account and has been entered into for the duration of the assignment as agreed in the main agreement
- This agreement cannot be canceled prematurely
- Changes to this agreement as a result of changes in any underlying agreement of assignment, legislation or regulations or other relevant circumstances are only legally valid if they are added to the processing agreement after consultation and with the express consent of the parties
- This agreement ends by operation of law if the Main Agreement ends
- As soon as the agreement has been terminated, for whatever reason and in whatever way, the Controller is responsible for removing his data from the Processor's system in a timely and correct manner. All consequences of the deletion of this data are fully for the account and risk of the Controller
- The provisions regarding confidentiality, liability and dispute resolution remain in full force after termination of this agreement
-
Article 4 - Processor's obligations
- Processor is obliged to comply with the conditions that are imposed on the processing of personal data on the basis of applicable laws and regulations, in particular the GDPR and the GDPR Implementation Act
- The Processor is prohibited from enriching its database (s) and/or files with any (personal) data from the Database (s) of the Controller, unless the Processor must create temporary database (s) and/or files for for the proper processing of personal data. The temporary files are deleted immediately when these temporary files are no longer needed for processing
- The Processor will inform the Controller at its request about the measures it has taken with regard to its obligations under this processor agreement
- Processor is not obliged to follow any instructions and/or directions from Controller
- All obligations that rest on the Processor also apply to the persons who process personal data under the authority of the Processor, including employees and engaged third parties of the Processor
- Controller has access at all times to the (personal) data stored by him by logging into the application and/or dashboard that is part of the Services offered
- Processor has access to the stored (personal) data
- This agreement is not transferable unless expressly agreed otherwise
-
Article 5 - Transfer of personal data
- The Processor will notify the Controller of the country or countries involved in the transfer of personal data. Processor guarantees that, in view of the circumstances that affect the transfer of personal data or a category of data transfers, countries outside the European Union have an adequate level of protection
- In particular, in determining an appropriate level of protection, the Processor will take into account the duration of the intended processing, the country of origin and the country of final destination, the general and sectoral legal rules applicable in the country concerned, as well as the rules of professional life and the security measures observed in those countries
-
Article 6 - Processor Responsibility
- The Processor will carry out the activities for the Controller under this agreement as referred to in Article 2.2 of this agreement
- The Processor is only responsible for the storage of the personal data under this Processor Agreement, in accordance with the instructions of the Controller and under the express (final) responsibility of the Controller. For the other processing of personal data, including in any case including, but not limited to, the collection of the personal data by the Controller, processing for purposes that have not been reported to the Processor by the Controller, processing by third parties and/or for other purposes, Processor explicitly not responsible
- Controller guarantees that the content, use and the order for the processing of the personal data as referred to in this processor agreement are not unlawful and do not infringe any right of third parties
-
Article 7 - Third parties
- The activities of Processor can be outsourced to third party (ies), the Sub-processor. All obligations under this agreement also apply to these third parties
-
Article 8 - Security measures
- Processor makes every effort to take sufficient and appropriate organizational and technical measures against any form of unlawful processing with regard to the processing of the personal data to be carried out by it, all this within the reasonable possibilities that the (software) suppliers of Processor offer
- The security level of the measures must at least meet a level that is not unreasonable in terms of the associated costs, sensitivity of the personal data concerned, as well as the state of the art and risks, which include, where appropriate, the following: encryption, pseudonymisation and encryption of personal data. Processor does not guarantee that the security measures taken are effective at all times, under all circumstances
- Controller is responsible for compliance with the agreements made by the parties
- The Controller must take all (security) measures to ensure that every natural person who acts under the authority of the Controller and has access to the Services of the Processor only processes the relevant stored (personal) data on behalf of the Controller
- If there is a leak in the security or data, which can cause damage or may have adverse consequences for the protection of the personal data, the Processor shall immediately inform the Processing Controller, at least without unreasonable delay, but within 24 hours after the Processor reasonably informs could have been to inform. The controller will then inform the Dutch Data Protection Authority and the data subjects as soon as possible about the breach
- Pursuant to the processor's obligation to report, the notification of a leak must consist of at least the following components:
- the nature of the personal data breach, where possible specifying the categories of data subjects and personal data concerned and, approximately, the number of data subjects and personal data registers concerned
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- the likely consequences of the personal data breach
- the measures proposed or taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
- Controller and Processor must each keep a register of Data Leaks in accordance with article 33 paragraph 5 GDPR. Processor must document all data breaches, including the facts regarding the personal data breach, its consequences and corrective action taken. On request, the Processor will provide the Controller with access to this
- If a breach of the security of the personal data has taken place at the Processor, the Processor is obliged to take appropriate measures at its own expense to prevent future incidents and/or breaches
-
Article 9 - Confidentiality
- The Processor and its employees, as well as the third party or parties engaged by the Processor, are obliged to maintain the confidentiality of all personal data, sensitive information and/or company data obtained by this agreement. The duty of confidentiality does not apply if the Controller has given explicit and written permission to the Processor to share this data and information with a third party, or if there is a legal obligation to provide the data and information to a third party. After this agreement has ended, the parties remain obliged to comply with this confidentiality obligation
-
Article 10 - Rights of stakeholders
- If the Processor receives a request for inspection from a data subject or a competent authority and/or supervisory authority, the Processor will forward this request as soon as possible, but no later than within 7 working days, to the Controller who will further process the request. If requested, the processor must cooperate in the execution of the request. The reasonable costs that the Processor must incur for the benefit of the cooperation are for the account of the Controller
- The provisions of Article 9.1 apply mutatis mutandis if a data subject wishes to assert other rights such as his right to rectification, data erasure, right to restriction of processing, right to data portability, right to object and rights in the case of automated individual decision-making, such as laid down in sections 3 and 4 of the General Data Protection Regulation
-
Article 11 - Audit
- The controller may have an expert check compliance with this processor agreement, only after it has been found that the reports of the processor's control by the controller have been found to be insufficient (no or insufficient clarity regarding the processor's compliance with the processor agreement) and the content of these reports such. justifies control
- The Processor is obliged to cooperate with the inspection and will make all relevant information available as soon as possible, but no later than 14 calendar days after the request for information has been received by the Processor. Processor can be granted a maximum delay of one month to still provide the information
- The findings of the audit are discussed by the parties and, if desired, implemented by one or both parties jointly
- The costs of the audit are entirely for the account of the Controller. If after inspection it appears that adjustments are needed in the security measures of Processor in the broadest sense of the word, the costs of the (measures to be taken) security measures will be borne by Processor, unless agreed otherwise
-
Article 12 - Liability
- The controller is ultimately responsible for the processing of the personal data and guarantees that the processing is lawful and does not infringe the rights of data subjects. Processor is not liable for damage as a result of actions and/or omissions or non-compliance with laws and regulations by the Controller
- Processor is not liable for indirect damage, consequential damage, loss of profit, missed savings, reduced goodwill, business stagnation and/or damage as a result of claims from the Controller, data subjects and third parties
- Without prejudice to the provisions of this article, the Processor is only liable for the damage caused by the processing if this processing has not complied with the obligations of the GDPR specifically addressed to the Processor or if the contrary action has been taken by the Controller. If and insofar as any damage has arisen, the Processor's liability is limited to the invoice value excluding VAT from the past 12 months
- Controller guarantees that the order to process the personal data is in accordance with applicable laws and regulations
-
Article 13 - Indemnification
- Controller will indemnify Processor against claims, fines and/or periodic penalty payments from or on behalf of the Dutch Data Protection Authority and/or other authorities, whereby it has been established that the violations fall under the responsibility of Controller and/or Processor. The Processor can recover the imposed fines and/or periodic penalty payments from the Controller if it cannot be held responsible for the violations
- Controller will indemnify Processor against all claims from third parties, including the supervisor (s) and/or other authorities, that arise from non-compliance with applicable laws and regulations
-
Article 14 - Dispute resolution
- Dutch law applies to this agreement
- All disputes that arise between parties arising from, related to or relating to this processor agreement will be settled by the competent court where the Processor is established