Data Processing Agreement

Within the meaning of the General Data Protection Regulation

Version January 2020

This Processor Agreement is part of the general terms and conditions of eConnect International B.V. and applies to the relationship between eConnect International B.V. and the Client if eConnect International B.V. processes personal data for the benefit of the Client (hereinafter: Processor) within the framework of the execution of the Agreement as Processor (hereinafter also so named).

Taking into consideration:

1. that a Contract has been concluded between Processor and Processor concerning the provision of electronic invoice processing services by Processor for Processor;

2. that, pursuant to and in connection with the services of the Processing Responsible Party included in the Contract, the Processor acquires knowledge of Personal Data, which Personal Data are processed by the Processor in connection with the performance of the Contract mentioned under A., for the benefit of the Processing Responsible Party, without the Processor being under the direct authority of the Processing Responsible Party;

3. Both parties wish - also in implementation of the provisions of Article 28(3) of the General Data Protection Regulation (hereinafter: GDPR) - to establish in the present supplementary agreement a number of conditions applicable to their relationship in connection with the work to be performed by Processor for the benefit of Processor and its members.

4. that Processor is to be considered as Processor within the meaning of the GDPR and Processor is to be considered as Processor within the meaning of the GDPR.

Article 1 Definitions

In this agreement, a number of terms are used. The meaning of those terms is clarified below. The terms referred to are capitalised in this agreement.

• GDPR: General Data Protection Regulation, including its implementing law. The GDPR replaces the Personal Data Protection Act as of 25 May 2018.
• Data Subject: The person to whom a Personal Data relates.
• Third Parties: Persons other than both parties and their employees.
• EEA: European Economic Area.
• Underlying assignment: The assignment as referred to above in recitals under A.
• Agreement: The agreement concluded between both parties regarding the performance of services by Processor for Processor in the field of electronic invoice processing.
• Personal Data: Any information about an identified or identifiable natural person (the Data Subject) processed in the context of the "Underlying Assignment"; an identifiable natural person is considered to be one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characterising the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
• Sub-processor: Another processor engaged by the Processor to perform specific processing activities on behalf of the Controller.
• Processing / Processing: An operation or set of operations involving personal data or a set of personal data, whether or not carried out by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
• Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller, without being subject to its direct authority.
• Processor/Responsible Party: A natural or legal person, a public authority, an agency or another body who/which, alone or jointly with others, determines the purposes and means of processing personal data.

Article 2 Duration and transfer of Personal Data

2.1 This Processor Agreement shall run for as long as the Agreement between the parties is in force.

2.2 Obligations under this Processor Agreement that by their nature are intended to continue after the end of this Processor Agreement shall continue after the end of this Processor Agreement.

2.3 Within 1 month after the end or (interim) termination of the Agreement, Processor shall transfer to Processor or destroy all Personal Data processed by it, related to the provision of services to Processor, upon request of Processor, and confirm in writing to Processor that all Personal Data have been transferred or destroyed.

Article 3 Processing

3.1 Processor processes the Personal Data only in the context of the performance of the Agreement, on the instructions of, based on the written instructions and under the explicit responsibility of Processor and in accordance with the Agreement and this Processor Agreement. Processor has no control over the purposes and means of processing Personal Data.

3.2 The Controller retains control over the Personal Data at all times and this control shall never become the responsibility of the Processor.

3.3 The Processing of Personal Data by Processor shall comply with all applicable laws and regulations regarding the protection of Personal Data.

3.4 Processor guarantees to Processor that the content, use and/or processing of the Personal Data is not unlawful and does not infringe any right of a third party.

3.5 Processor shall inform Processor on its processing activities regarding which Personal Data, which Data Subjects and retention periods via the Processor's website: https://eConnect.eu/en/gdpr.

3.6 Processor shall provide Processor with the necessary assistance in fulfilling obligations concerning requests to exercise rights of Data Subjects. Examples include: deletion, amendment, inspection or disclosure in a common format of Personal Data. Processor shall also assist Processor in fulfilling obligations under Art. 35 and 36 of the GDPR.2.3 Processor shall, within 1 month after expiry or (interim) termination of the Agreement, transfer to Processor or destroy all Personal Data processed by it, which are related to the provision of services to Processor, upon request of Processor and confirm in writing to Processor that all Personal Data have been transferred or destroyed.

Article 4 Security measures

4.1 Processor undertakes to take all appropriate technical and organisational security measures prescribed within the legal framework to protect the Personal Data against loss or against any form of unlawful Processing. Taking into account the state of the art and the costs of implementation, these measures guarantee an appropriate level of security in view of the risks involved in the processing and the nature of Personal Data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of Personal Data.

4.2 The measures taken by Processor are laid down in an ISMS (Information Security Management System) certified in accordance with the ISO 27001 standard. The certificate can be found on Processor's website.

Article 5 Monitoring

5.1 The Information Security Management System (ISMS) of Processor is subject to an annual audit by an external auditor in the context of its ISO 27001 certification. In the context of inspection and control in respect of the performance of processing activities in accordance with the GDPR, the result of this control audit is available to Processor on request.

Article 6 Confidentiality

6.1 Processor undertakes to maintain confidentiality, without prejudice to any other contractual agreements between the two parties, regarding the Personal Data of which it becomes aware in the context of the performance of the Contract, except insofar as any statutory regulation requires disclosure and/or release.

6.2 Processor shall not disclose the Personal Data to third parties, in any manner whatsoever, except with the prior written approval of Processor, or except insofar as any legal requirement to disclose and/or surrender so requires.

6.3 Processor warrants that it will inform all its employees and Third Parties engaged in processing Personal Data of the confidential nature of the Personal Data and information. In addition, Processor warrants that all such persons or parties are bound to the Processor by the same confidentiality obligations as the Processor under this Processor Agreement.

6.4 Processor shall adequately secure its systems and infrastructure at all times.

Article 7 Disclosure/incident management

7.1 Processor shall inform Processed Party immediately and prior to disclosure if a competent (governmental) authority has made a law-based request for the disclosure of Personal Data.

7.2 The Processor shall at all times inform the Controller adequately and without disproportionate delay if an incident occurs regarding the processing of Personal Data that affects data subjects and/or the Controller. Processor shall inform Processed Party about the nature of the breach, the consequences of the breach and to which Data Subjects these consequences apply.

7.3 Processor shall keep Processor Accountable informed of any new developments concerning the incident and of the measures taken by Processor to mitigate on its side the consequences of the incident and prevent recurrence.

7.4 The term 'incident' as used in this Article 7 includes any unauthorised or unlawful processing, or any security incident where Personal Data has been lost or unlawful processing cannot reasonably be ruled out.

7.5 Any notification of the incident to the Personal Data Authority shall be made by Processor.

7.6 The Processor shall assist the Processed Party in complying with its obligations concerning the mandatory data breach notification.

Article 8 Liability

8.1 Processor is liable vis-à-vis Processor for direct damage as a result of a shortcoming attributable to it and demonstrable in the fulfilment of its obligations as incumbent on it as Processor pursuant to the GDPR with due observance of what the parties have agreed in the Contract about liability.

8.2 Processor shall indemnify Processor against any legal claim by a Data Subject or Third Party, on any grounds whatsoever, in connection with the Personal Data and the performance of this Processor Agreement.

Article 9 Outsourcing activities

9.1 Processor shall enter into an agreement with Sub-processors imposing on the Sub-processors at least the same obligations that Processor must comply with under this Processor Agreement.

9.2 Processor shall not engage any new Sub-processors without the prior specific or general written consent of Processor. In the case of general written consent, Processor shall inform Processor of any intended changes regarding the addition or replacement of Sub-Processors, giving Processor the opportunity to object to such changes.

9.3 Where a Sub-Processor fails to comply with its GDPR obligations, the Processor shall remain liable to the Controller for compliance with the Sub-Processor's obligations.

Article 10 Employees Processor

10.1 Processor may only provide the Personal Data to those employees within its organisation who need the Personal Data for the performance of their work in the context of the performance of the Agreement.

10.2 The obligations of Processor arising from this Processor Agreement shall apply without prejudice to its employees who obtain knowledge of the Personal Data under the authority of Processor.

Article 11 Processing outside the EEA

11.1. The Personal Data shall in principle only be processed within the EEA. With regard to the processing of Personal Data outside the EEA, Processor guarantees that the transfer is and remains fully in line with the applicable legal requirements.

Article 12 Final Provisions

12.1 This Processor Agreement prevails over previously concluded agreements. The general terms and conditions of Processor are also not applicable to this Processor Agreement.

12.2 If one or more provisions in this Processor Agreement are found to be invalid, this shall not affect the validity of the other provisions in this Processor Agreement.