THE PARTIES TO THE AGREEMENT:
In the following also jointly referred to as: “Parties” and individually as “Party”.
DECLARE TO HAVE AGREED AS FOLLOWS:
Article 1. Definitions
1.1. In this Processor agreement, by the concepts below with a capital letter is intended as follows:
1.2. The aforementioned and other concepts are interpreted in accordance with AVG/GDPR. Until 25 May 2018, concepts are interpreted in accordance with the comparable provision from Wbp.
1.3. Wherever reference is made in this Processor agreement to certain standards (such as NEN7510) always intended is its most recent version. To the extent the relevant standard is no longer maintained, in its stead must be read the most recent version of the logical successor of the standard in case.
1.4. Any possible deviations from the text are only effective to the extent they have been specified in appendix 4. What is stipulated in appendix 4 prevails over what is otherwise stipulated in this processor agreement.
2.1.This Processor agreement regards the processing of Personal data by Processor by order of the Data controller in the context of the implementation of the Agreement(s).
2.2.Parties conclude the Agreement(s) to use the expertise which Processor has in the matter of the processing and protecting of Personal data, for the purposes resulting from the Agreement(s) which are further described in this Processor agreement. Processor guarantees that he is qualified to that effect.
2.3.This Processor agreement is an integral part of the Agreement(s). To the extent what is stipulated in this Processor agreement is in conflict with the provisions in the Agreement(s), what is stipulated in the Processor agreement prevails.
3.1.Processor guarantees that he will exclusively process personal data for Data controller to the extent:
3.2.In the context of what is stipulated in the first section of article 3 under a) Processor will exclusively process the Personal data specified in Appendix 1 in the context of the nature and purposes of the processing described in that appendix.
3.3.Processor will follow all reasonable instructions of Data controller in connection with the processing of the Personal data. Processor immediately informs Data controller if in his opinion instructions violate the applicable legislation regarding the processing of Personal data.
3.4.Without prejudice to what is stipulated in the first section of this article 3, it is permitted to Processor to process Personal data if a legal requirement (also including court or administrative orders based on it) obliges him to process. In that case, the Processor informs Data controller prior to the processing of the intended processing and the legal requirement, unless that legislation prohibits this notification on weighty grounds of public interest. Processor will enable Data controller, wherever possible, to defend themselves against this mandatory processing and will also otherwise limit the mandatory processing to
3.5.Processor will process the Personal data demonstrably in an adequate and diligent manner, and in accordance with the obligations he is subject to as a Processor pursuant to AVG/GDPR, to the extent still applicable Wbp, and other legislation and regulations. In that context, Processor will at least maintain a register of processing as intended in article 30 AVG/GDPR and provide Data controller upon first request with a copy of that register.
3.6.If the provision of services by Processor implies the processing of health-related data or other special Personal data, Processor guarantees that he will not act in violation of health-related legislation.
3.7.Processor will not, unless he has obtained emphatic prior written permission from Data controller, process Personal data nor have it processed either by himself or by third parties located outside the European Economic Area (“EEA”).
3.8.Processor assures that the involved Collaborators have signed a non-disclosure agreement and on request lets Data controller peruse this non-disclosure agreement.
4.1.Processor will demonstrably take appropriate and effective technical and organisational security measures which, in view of the current state of the art and the associated costs, correspond with the nature (as specified in Appendix 1) of the Personal data to be processed, to protect the Personal data against loss, unauthorised cognisance, maiming or any form of illegitimate processing, as well as to guarantee the (temporary) availability of the data. Included in these security measures are such measures as may have been stipulated in the Agreement. The measures comprise in any case:
4.2.Processor demonstrably works in accordance with ISO27001 and/or NEN 7510 and has implemented an appropriate, written security policy for the processing of Personal data, in which the measures mentioned in the first section of this article 4 have at least been stipulated.
4.3.Processor is demonstrably compliant with the security measures for network connections as described in NEN7512.
4.4.Processor is demonstrably compliant with the requirements regarding logging as described in NEN7513.
4.5.Processor is demonstrably compliant with the requirements of other NEN-standards, to the extent they have been declared applicable to healthcare.
4.6.Upon first request of Data controller, Processor will present a valid certificate issued by an independent third party with expertise in the matter, if he has such at his disposal, which evinces that Processor is compliant with the obligations from this article.
4.7.Data controller has the right to (let) monitor compliance with the measures mentioned in the preceding under article 4.1 through 4.4. If Data controller so requests, Processor enables the former at least once a year to (let) control matters at a time to be further established by Parties through mutual agreement, and additionally in the event Data controller sees grounds for doing so in connection with (suspicion of) information or privacy-incidents. Processor will provide all reasonable assistance for such an investigation. Processor will follow any possible instructions issued reasonably by Data controller in connection with such an investigation, regarding the modification of the security policy, within a reasonable term.
4.8.Parties acknowledge that security requirements change constantly and that an effective security requires frequent evaluation and regular improvement of obsolete security measures. Processor will therefore evaluate the measures as they have been implemented pursuant to this article 4 periodically and, where necessary, improve the measures to remain compliant with the obligations pursuant to this article 4. The preceding leaves unaffected the instruction authorisation of Data controller to (let) take additional measures wherever necessary.
5.1.Processor will monitor actively for breaches of the security measures and report on the results of the monitoring in accordance with this article 5 to Data controller.
5.2.As soon as an Incident occurs, has occurred or may occur, Processor is obligated to immediately inform Data controller accordingly and thereby to provide all relevant information about:
5.3.Processor is obligated, without prejudice to the other obligations from this article, to take measures which can reasonably be expected of him to resolve the Incident as soon as possible or otherwise to limit further consequences as much as possible. Without any delay, Processor enters into consultation with Data controller so as to make further arrangements concerning.
5.4.Processor will give Data controller assistance at all times and will follow the instructions of Data controller and enables Data controller to conduct an adequate investigation of the Incident, formulate a correct response and take appropriate follow-up steps with regard to the Incident, also including informing the monitoring authority ‘Autoriteit Persoonsgegevens’ (AP) and/or the Data subject, as stipulated in article 5.8.
5.5.Processor will have available at all times written procedures which enable him to provide Data controller with an immediate response regarding an Incident, and to effectively cooperate with Data controller to settle the Incident. Processor will provide Data controller with a copy of such procedures if Data controller so requests.
5.6.Reports made pursuant to article 5.2 are immediately directed at Data controller or, if relevant, to Collaborators of Data controller indicated by the latter curing the effective time of this Processor agreement in writing. If Data controller has appointed a Data Protection Officer (DPO), the reports are directed at this DPO.
5.7.It is not permitted to Processor to provide information about Incidents to data subjects or other third parties, barring to the extent that Processor is legally obliged to do so or if Parties have established otherwise.
5.8.If and to the extent Parties have established that Processor maintains direct contact with the authorities or other third parties with regard to an Incident, then Processor will constantly keep the Data controller informed.
6.1.AVG/GDPR and other (privacy) legislation attributes certain rights to the Data Subject. Processor will offer his full and timely assistance to Data controller for compliance with the obligations which Data controller is subject to pursuant to these rights.
6.2.A complaint received by Processor or a request of Data subject with regard to the processing of Personal data is forwarded by Processor without delay to Data controller.
6.3.Upon the first request to that effect of Data controller, Processor will provide Data controller with all relevant information regarding the aspects of the aspects of the processing of Personal data conducted by him, so that Data controller, also by way of that information, can prove that they are compliant with the applicable (privacy) legislation.
6.4.Processor will furthermore, upon first request of Data controller provide all necessary assistance for compliance with the legal obligations to which Data controller is subject pursuant to the applicable privacy legislation (such as the conducting of a privacy impact assessment).
7.1.Processor will not outsource his activities which consist of the processing of Personal data or the requiring of the processing of Personal data to a Sub-processor without the prior written consent of Data controller. The preceding is not applicable to the Sub-processors indicated in Appendix 1.
7.2.To the extent Data controller agrees with the deployment of a Sub-processor, Processor will impose on this Sub-processor the same or stricter obligations than those resulting for him from this Processor agreement and legislation. Processor will record these arrangements in writing and will monitor compliance with it by the Sub-processor. Upon request, Processor will provide Data controller with a copy of the agreement(s) concluded with the Sub-processor.
7.3.Despite the permission of Data controller for the deployment of a Sub-processor who (partially) processes data by order of the Processor, Processor remains fully liable towards Data controller for the consequences of the outsourcing of activities to a Sub-processor. The consent of Data controller for the outsourcing of activities to a Sub-processor does not affect the fact that for the deployment of Sub-processors in a country outside the European Economic Area permission is required in accordance with article 3.7 of this Processor agreement.
8.1.Parties are both responsible and liable for their own actions.
8.2.Any limitation of liability in the Agreement, mutatis mutandis, is also applicable to this Processor agreement, under the proviso that:
8.3.Processor safeguards Data controller against and indemnifies the Data controller for all claims, actions, third-party claims, as well as fines from AP, which flow directly from an attributable shortcoming by Processor and/or his sub-contractors/Sub-processors in complying with his obligations under this Processor agreement and/or any violation by Processor and/or his sub-contractors/Sub-processors of the applicable legislation in the field of the processing of Personal data.
8.4.To the extent Parties are severally and jointly liable towards third parties, also including the data subject, or if a fine is imposed on them jointly by AP they are obligated towards each other, each for the part of the debt which concerns them in their mutual relationship, in accordance with what is stipulated in Volume 6, Title 1, Department 2 of the Netherlands Civil Code, ‘Burgerlijk Wetboek’, to contribute to the debt and the costs, unless AVG/GDPR stipulates otherwise, in which case AVG/GDPR prevails.
8.5.To the extent no limitation of liability for Data controller is stipulated in the Agreement, the limitation included in section 2 for Processor also applies to the Data controller.
8.6.Any limitation of liability furthermore comes to lapse for the relevant Party in case of intent or gross negligence on the part of the relevant Party
8.7.Parties take care of sufficient coverage for the liability.
9.1.The costs for the processing of data which are inherent to the normal implementation of the Agreement are supposed to be comprised in the remunerations already owed pursuant to the Agreement.
9.2.Any support or any other additional services which Processor must provide on grounds of this Processor agreement, or which is requested by Data controller, including all requests for additional information, will be charged to Data controller in accordance with the rates specified in Appendix 3.
9.3.The preceding provision is not applicable if the activities are related to a shortcoming of Processor under this Processor agreement. The activities will in that case be conducted free of charges (without prejudice to the right of Data controller to claim the damage effectively incurred from Processor).
10.1.This Processor agreement enters into effect on the date of signing and the duration of this Processor agreement is equal to the duration of the Agreement(s) mentioned in Appendix 1, including any possible extensions thereof.
10.2.After its signing by both Parties, the Processor agreement is an integral and inextricable part of the Agreement(s). Termination of the Agreement(s), on whatever grounds (cancellation/rescission), results in the Processor agreement being terminated on the same grounds (and vice versa), unless Parties in such case as may occur establish otherwise.
10.3.Obligations which by their nature are intended to continue after termination of this processor agreement as well, remain effective after termination of the Processor agreement. Included in these provisions are, for instance, those which result from the clauses regarding non-disclosure, liability, disputes settlement, and applicable law.
10.4.Each of the Parties has the right, without prejudice to what is stipulated regarding in the Agreement, to suspend the implementation of this Processor agreement and the associated Agreement, or to rescind it without judicial intervention with immediate effect, if:
10.5.Considering the great dependence of Data controller on Processor, as well as the risk of continuity in the event of incidents and calamities (such as bankruptcy), Processor presently declares himself willing for such case, upon first request of Data controller, to make additional arrangements with Data controller to reduce aforementioned risks. These additional arrangements may, for example, consist of:
10.6.Processor has an exit-plan for compliance with all obligations from this Processor agreement, in case the Agreement or the Processor agreement is terminated (prematurely). Upon first request of Data controller, Processor hands over a copy of this plan.
10.7.Data controller has the right to rescind this Processor agreement and the Agreement with immediate effect if Processor indicates he cannot (any longer) comply with the reliability requirements which are established for the processing of Personal data pursuant to developments in legislation and/or jurisprudence.
10.8.Processor must inform Data controller beforehand and on time about an intended take-over or transfer of property.
10.9.It is not permitted to Processor without the emphatic and written permission of Data controller to transfer this Processor agreement and the rights and obligations which are associated with this Processor agreement to a third party.
11.1.Processor does not retain the Personal data for any longer than is strictly necessary, including the statutory retention periods or any arrangement regarding retention terms as may have been concluded between Parties, as established in Appendix 1. Under no circumstance does Processor keep the Personal data for any longer than until the end of this Processor agreement. Data controller decides whether and if so for how long data must be kept.
11.2.Upon termination of the Processor agreement, or if applicable at the end of the established retention periods, or upon written request of Data controller, Processor will, against reasonable costs, at the discretion of Data controller, (let) destroy or return to Data controller the Personal data definitively. Upon request of Data controller, Processor provides evidence for the fact that the data have been definitively destroyed or removed. The returning of data as may occur will be in a generally customary, structured and documented data-format, through electronical channels. If the returning, definitive destruction or removal is not possible, Processor will immediately inform Data controller accordingly. In that case, Processor guarantees that he will handle the Personal data with confidentiality and will no longer process them.
12.1. To the extent the (collection of) Personal data is protected by any intellectual property right, Data controller grants permission to Processor to use the Personal data in the context of the implementation of this Processor agreement.
13.1.The considerations are a part of this Processor agreement.
13.2.In case of the nullity and/or annullability of one or more provisions from this Processor agreement, the other provisions remain fully effective.
13.3.In all cases for which this Processor agreement does not provide, Parties decide through mutual agreement.
13.4.To this Processor agreement, Netherlands legislation is applicable.
13.5.Parties will exert themselves to resolve conflicts through mutual agreement. Included here is the possibility to terminate the dispute through mediation or arbitration established through mutual agreement.
13.6.Disputes about or in connection with this Processor agreement are exclusively submitted to the court or arbiter(s) indicated for this purpose in the Agreement.
This Processor agreement is an appendix to the subsequent Agreements and regards the following types of processing of Personal data.
More specifically, Processor also applies the following security measures:
Not applicable. See Agreement.
Partijen komen uitdrukkelijk de navolgende afwijkingen op de standaardtekst van de verwerkersovereenkomst overeen:
Reason Processor will in principle not process medical or health-related data with their general communication platform.
Reason New editors provide sufficient assurances and prevents that parties in case of changes to, for example, communication and hosting services, must first arrange for a written contract.
Reason The service of Processor enables Data controller to download their own data. This renders superfluous an exit-plan.
Reason Proof of destruction (demonstrating that something is not present) is impossible to provide. In addition, the service of Processor enables Data controller to download the data themselves in a current format.
Reason Solely additional clarity regarding the competent court of law.