Data processing agreement within the meaning of the General Data Protection Regulation
Version January 2020
This data processing agreement is part of the general terms and conditions of eConnect International B.V. and applies to the relationship between eConnect International B.V. and the Customer if eConnect International B.V. processes personal data for the benefit of the Customer (hereinafter: Controller) in the context of the performance of the Agreement as a Processor (hereinafter referred to as Processor).
A. that an Agreement has been concluded between the Controller and Processor regarding the provision of services by Processor to Controller concerning the electronic processing of invoices;
B. that Processor receives, or might receive, Personal Data on the basis of and in connection with the services provided by the Controller included in the Agreement referred to under A., which Personal Data is processed by the Processor without being under the direct authority of the Controller.
C. that both parties wish – partly in implementation of the provisions of Article 28, paragraph 3 of the General Data Protection Regulation (hereinafter: GDPR) – to lay down a number of conditions in this additional agreement that apply to their relationship in connection with the activities that Processor will perform for the benefit of Controller and its members.
D. that Controller is to be regarded as Controller within the meaning of the GDPR and Processor is to be regarded as Processor within the meaning of the GDPR.
Article 1 Definitions
A number of recurring terms are used in this agreement. The meaning of these terms is explained below. The terms mentioned are written with a capital letter in this agreement.
Agreement: The agreement concluded between both parties with regard to the provision of services by the Processor to the Controller concerning the electronic processing of invoices.
Controller: A natural or legal person, a public authority, a service or other body that determines, solely or together with others, the purpose of and the means for the processing of personal data.
Data Subject: The person to whom the Personal Data relates.
EEA: European Economic Area.
GDPR: General Data Protection Regulation, including the implementing law of this regulation.
Personal data: Any information about an identified or identifiable natural person (the Data Subject) that is processed in the context of the “Underlying Assignment”; an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Processing: An operation or a set of operations relating to personal data or a set of personal data, whether or not performed by automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, deleting or destroying data.
Processor: A natural or legal person, a public authority, a service or other body that processes personal data on behalf of the Controller, without being subject to his direct authority.
Sub-processor: Another processor deployed by the Processor to perform specific processing activities on behalf of the Controller.
Third parties: Other than both parties and their employees.
Underlying assignment: The assignment as referred to above in the considerations under A.
Article 2 Duration and transfer of Personal data
2.1 This Processor Agreement is valid for as long as the Agreement is in force between the parties.
2.2 Obligations under this Processor Agreement that by their nature are intended to continue after the end of this Processor Agreement will continue to exist after the end of this Processor Agreement.
2.3 The Processor will transfer or destroy all Personal Data processed by it, which are related to the provision of services to the Controller, at the request of the Controller, within 1 month after the expiry or (early) termination of the Agreement, and confirm in writing to the Controller that all Personal Data have been transferred or destroyed.
Article 3 Processing of Personal Data
3.1 The Processor only processes the Personal Data in the context of the performance of the Agreement, on behalf of, on the basis of the written instructions and under the express responsibility of the Controller and in accordance with the Agreement and this Processor Agreement. Processor has no control over the purpose of and the means for the processing of the Personal Data.
3.2 The Controller at all times retains control over the Personal Data and this control never rests with the Processor.
3.3 The Processing of Personal Data by the Processor will comply with all applicable laws and regulations regarding the protection of Personal Data.
3.4 Controller guarantees to Processor that the content, use and / or processing of the Personal Data are not unlawful and do not infringe any right of a third party.
3.5 The Processor informs the Controller of its processing activities with regard to which Personal Data, which Data Subjects and retention periods via the Processor’s website: https://econnect.eu/nl/avg/.
3.6 The Processor provides the Data Controller with the necessary assistance in fulfilling obligations regarding requests to exercise the rights of the Data Subjects. Examples include: deletion, modification, inspection or provision of personal data in a common format. The Processor also provides the Controller with assistance in fulfilling obligations under art. 35 and 36 of the GDPR.
Article 4 Security measures
4.1 The Processor undertakes to take all appropriate technical and organizational security measures prescribed within the legal framework to protect the Personal Data against loss or any form of unlawful Processing. Taking into account the state of the art and the costs of implementation, these measures guarantee an appropriate security level in view of the risks associated with the processing and the nature of the Personal Data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
4.2 The measures taken by the Processor are included in an ISMS (Information Security Management System) that is certified in accordance with the ISO 27001 standard. The certificate can be found on the Processor’s website: https://econnect.eu/nl/blog/everbinding-is-iso27001-gecertificeerd/.
Article 5 Control
5.1 The Processor’s information security system (ISMS) is subject to an annual audit by an external auditor as part of its ISO 27001 certification. In the context of inspection and control with regard to the performance of the processing activities in accordance with the GDPR, a result of this control audit is available on request to the Controller.
Article 6 Confidentiality
6.1 The Processor undertakes to maintain confidentiality, without prejudice to any other contractual agreements between both parties, of the Personal Data of which it becomes aware in the context of the performance of the Agreement, except insofar as any statutory regulation requires disclosure and / or delivery to do so.
6.2 The Processor will not provide the Personal Data to third parties in any way whatsoever, unless with the prior written approval of the Controller, or except insofar as any legal regulation requires disclosure and / or delivery to do so.
6.3 Processor guarantees that it will notify all its employees and Third Parties engaged in the processing of Personal Data of the confidential nature of the Personal Data and information. In addition, Processor guarantees that all these persons or parties are bound by the same confidentiality obligations towards Processor as Processor under this Processor Agreement.
6.4 The Controller secures its systems and infrastructure adequately at all times.
Article 7 Provision of information / incident management
7.1 The Processor will inform the Controller immediately and prior to the provision if a competent (government) body has made a request based on the law for the provision of Personal Data.
7.2 The Processor will at all times inform the Controller adequately and without disproportionate delay if an incident occurs with regard to the processing of the Personal Data that has consequences for data subjects and / or for the Controller. Processor informs Controller of the nature of the infringement, the consequences of the infringement and to which Data Subjects these consequences apply.
7.3 The Processor will keep the Controller informed of any new developments surrounding the incident and of the measures that the Processor is taking to limit the consequences of the incident and prevent recurrence.
7.4 The term “incident” as used in this Article 7 includes any unauthorized or unlawful processing, or a security incident in which Personal Data has been lost or unlawful processing cannot reasonably be ruled out.
7.5 Any report of the incident to the Dutch Data Protection Authority will be made by the Controller.
7.6 The Processor provides the Controller with assistance in fulfilling its obligations regarding the obligation to report data leaks (‘Meldplicht Datalekken’).
Article 8 Liability
8.1 The Processor is liable to the Controller for direct damage as a result of a demonstrable and attributable shortcoming in the fulfillment of its obligations as a Processor under the GDPR, with due observance of what the parties have agreed on liability in the Agreement.
8.2 The Controller indemnifies the Processor against any legal claim of a Data Subject or Third Party, on whatever grounds, in connection with the Personal Data and the implementation of this Processor Agreement.
Article 9 Outsourcing activities
9.1 The Processor enters into an agreement with Sub-processors whereby at least the same obligations are imposed on the Sub-processors as those that the Processor must comply with under this Processor Agreement.
9.2 The Processor does not employ new Sub-processors without the prior specific or general written consent of the Controller. In the case of general written consent, the Processor will inform the Controller of envisaged changes regarding the addition or replacement of Sub-processors, whereby the Controller will be given the opportunity to object to these changes.
9.3 If a Sub-processor fails to fulfill its obligations under the GDPR, the Processor remains liable to the Controller for the fulfillment of the Sub-processor’s obligations.
Article 10 Employees of the Processor
10.1 The Processor may only provide the Personal Data to those employees within its organization who need the Personal Data to perform their work in the context of the performance of the Agreement.
10.2 The obligations of the Processor arising from this Processor Agreement apply in full to its employees, who become aware of the Personal Data under the authority of the Processor.
Article 11 Processing outside the EEA
11.1 In principle, the Personal Data is only processed within the EEA. With regard to the processing of Personal Data outside the EEA, the Processor guarantees that the transfer is and remains fully in line with the applicable legal requirements.
Article 12 Final provisions
12.1 This Processor Agreement prevails over previously concluded agreements. The general terms and conditions of the Controller also do not apply to this Processor Agreement.
12.2 If one or more provisions in this Processor Agreement prove to be invalid, this will not affect the validity of the other provisions in this Processor Agreement.