Appendix 1: Overview with processing of personal data and processing goalsAppendix 2: Overview with security measuresAppendix 3: Process when reporting data leaks and the information to be provided
This processing agreement applies to all forms of processing of personal data which Highbiza, brand and organization linked to UWKM/Highbeat BV, registered with the Dutch Chamber of Commerce under number 08167443, hereinafter referred to as 'data processor', for the benefit of a counterparty to whom it provides services, hereinafter referred to as 'data controller', and, like the general terms and conditions, forms an integral part of every agreement between Highbiza and its counterparty. Data processor and data controller are hereinafter collectively referred to as 'parties'.
Parties have concluded an agreement regarding the provision of digital services. Personal details will be processed for the purposes of this agreement. Data controller attaches great importance to the protection of personal data, which is why a number of agreements on this matter have been laid down in this processor meeting.
The terms used below and for this are taken from the General Data Protection Regulation and have the following meaning:
1.1. Personal data: all information about an identified or identifiable natural person ('the person concerned'). An identifiable person shall be regarded as identifiable, directly or indirectly, in particular by means of an identifier such as a name, identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
1.2. Processing: an operation or a set of operations relating to personal data or a set of personal data, whether or not performed via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, protecting, deleting or destroying data.
1.3. Responsible for processing: a natural or legal person, a government agency, a service or any other body that, individually or jointly with others, determines the purpose and means for the processing of personal data. When the objectives of and the means for this processing are established in European Union law or member state law, it is possible to determine who is the controller or according to which criteria it is designated ('responsible').
1.4. Processor: a natural or legal person, a government body, a service or another body that processes personal data on behalf of the controller ('processor').
1.5. Person concerned: identified or identifiable natural person to whom the processed personal data relate.
1.6. Processor agreement: this agreement including the annexes ('processor agreement').
1.7. Agreement: the main agreement that results from this processor agreement.
1.8. Infringement in connection with personal data: a breach of security that inadvertently or unlawfully leads to the destruction, loss, modification or unauthorized disclosure of or unauthorized access to transmitted, stored or otherwise processed data ('data breach') .
1.9. Data protection impact assessment: carrying out an assessment, prior to carrying out the processing, of the effect of the intended processing activities on the protection of the personal data.
1.10. Supervisory authority: an independent government body responsible for supervising compliance with the law in connection with the processing of personal data, in this case the Dutch Data Protection Authority.
2.1. This processor agreement forms part of the agreement between Highbiza and its customer and will apply for as long as the agreement lasts.
2.2. If the agreement ends, this processor agreement ends automatically. The processor agreement can not be terminated separately.
2.3. After termination of this processor agreement, current obligations for data processor, such as the reporting of data breaches involving the personal data of the data controller, and the duty of confidentiality, will continue.
3.1. Data processor will only process personal data on behalf of data controller and has no control over the personal data. Data processor follows the data controller's instructions on this and may not process the personal data in any other way, unless data controller gives permission or instructions in advance.
3.2. Appendix 1 lists the personal data that the data processor will process and for which processing purposes.
3.3. Data processor complies with the law and processes the data in a proper, careful and transparent manner.
3.4. Data processer will not use any other persons or organizations without prior written permission when processing the personal data of data controller, unless this is necessary for the assignment, such as for hosting, management, maintenance and monitoring.
3.5. When data processor with permission authorizes other organizations, they must meet the requirements set out in this processor agreement.
3.6. When data controller receives a request from a data subject who wishes to exercise his or her privacy rights, the data processor cooperates with it. These rights consist of a request for inspection, correction, supplementation, removal or blocking, objecting to the processing of the personal data and a request for the portability of their own personal data.
3.7. When data controller requests information, data processor will provide the information necessary for performing a data protection impact assessment. This may be necessary to estimate the risk of processing that data processor performs on behalf of data controller.
4.1. Data processor ensures that the personal data are sufficiently secure. In order to prevent loss and unlawful processing, the data processor takes appropriate technical and organizational measures.
4.2. These measures are tailored to the risk of processing. An overview of these measures and the policy on them can be found in Appendix 2.
4.3. Data controller can request a report containing the security measures taken and any possible attention and/or improvement points. The costs of this will be charged to data controller.
4.4. Data controller may have an inspection or audit carried out in the data processor organization to determine whether the processing of personal data complies with the law and the agreements made in this processor agreement. Data processor will cooperate in this, including granting access to buildings and databases and making all relevant information available, insofar as this is reasonable and fair and does not harm the rights of others.
4.5. If one of the parties considers that a change in the security measures to be taken is necessary, the parties will consult on the amendment thereof.
5.1. Data processer shall not have personal data processed by other persons or organizations outside the European economic area without obtaining prior written consent from data controller, unless this is necessary for the activities.
6.1. Data processor will keep the personal data provided to him confidential, unless this is not possible on the basis of a legal obligation.
6.2. The data processor will ensure that his staff and assigned assistants also comply with this confidentiality by including a confidentiality obligation in the (employment) contracts.
7.1. In the event of a discovery of a possible data breach, the data processor will inform the data controller about this within 24 hours and provide the information specified in Appendix 3, so that the data controller can, if necessary, notify the supervisor.
7.2. After reporting a data breach, parties will keep each other informed of new developments surrounding the data breach and the measures taken to limit and terminate their scope and to try to prevent a similar incident in the future.
7.3. The data processor does not itself report a data breach to the supervisor and/or the data subjects, which is a data controller's responsibility.
7.4. Any costs incurred to resolve a data breach and to prevent it in the future will be charged to data controller.
8.1. If one of the parties does not comply with the provisions of this processor agreement, the other party can hold this party liable.
8.2 Consequential damages or fines are not recoverable from data processor.
8.3. Parties are not liable for claims of data subjects or other persons and organizations when there is force majeure.
9.1. After the processing agreement has been terminated, the data processor will return the personal data, whereby any remaining personal data will be destroyed in a careful and safe manner.
9.2. The personal data processed in accordance with this processor agreement will be destroyed after the expiry of the legal storage period and/or at the request of data controller. A legal retention period exists, for example, when the data processor must keep the personal data for tax reasons.
10.1. This processor agreement is part of the agreement entered into. All rights and obligations under the agreement therefore also apply to the processor agreement.
10.2. In the event of any inconsistencies between the provisions in the processor agreement and the agreement, the provisions of this processor agreement apply.
10.3. Deviations from this processor agreement are only valid when the parties agree this in writing.
10.4. Dutch law applies to this processing agreement and the activities.
The Netherlands, Deventer, November 16, 2018.
Description processing activities by processor
Processed personal data
Technical security measures
Organizational security measures
A data breach is a security incident in which personal data may have been lost or inadvertently accessed by third parties. This concerns data that can be linked to these persons, such as, but not limited to, names, addresses, telephone numbers, e-mail addresses, login details, cookies, IP addresses or identifying information of computers or telephones.
Where will a security breach be reported?
If Highbiza discovers a security incident, direct contact is made with the relevant officer of the client.
All the available information will be reported, also for the benefit of the national Data Protection Authority:
With also the name(s) of the system(s) involved.
Such as, but not limited to, name, address, e-mail address, IP number, citizen service number, passport photo
and everything else which can be traced back to a person.
An estimate of the minimum and maximum number of persons.
Possible delimitation of the group involved, with special attention to data from vulnerable (groups of) people.
The ability to inform those involved about the data breach.
Inschatting van de oorzaak van het beveiligingsincident.