Data processing agreement
This agreement regulates the processing of Personal Data by Processor for Controller in accordance with article 28 paragraph 3 of the General Data Protection Regulation (GDPR). Now that the GDPR has stricter rules than the current Personal Data Protection Act (Wbp), the parties have decided to apply the new rules.
……………………………………………………….. , with its registered office on…………………………………………….. in……………………………………………. is registered in the commercial register under number ………………………., hereby legally represented by its director ………………………………………………………….., hereinafter referred to as ‘Controller’;
Van Hoesel/de Blaey Belastingadviseurs B.V., with its registered office on Brouwerstraat 6, 3364 BE in Sliedrecht and registered in the commercial register under number 24398996, hereby legally represented by its director Mr P.J. van Noortwijk hereinafter referred to as "Processor";
Consider the following:
The Processor will provide services to the Controller, which lead to the Processor processing Personal Data on behalf of the Controller.
This agreement regulates the processing of Personal Data by Processor for Controller in accordance with article 28 paragraph 3 of the General Data Protection Regulation (GDPR).
In view of the regulations in the privacy regulations, the parties wish to specify the conditions of the processing of Personal Data in this data processing agreement.
And therefore agree the following:
The controller is the "controller" and the processor is the "processor" as referred to in Article 4 under 7 GDPR and Article 4 under 8 GDPR respectively:
- The capitalised terms in this agreement have the same meaning as the GDPR definitions:
- Personal data: ‘personal data’ from Article 4 under 1 GDPR, which concerns all information about an identified or identifiable natural person;
- Processing: ‘processing’ from Article 4 under 2 GDPR, which concerns an operation or a set of operations related to the Personal Data;
- Data subject: ‘the data subject’ from Article 4 paragraph 1 GDPR, or identified or identifiable natural person to whom the Personal Data relates;
- Authority: ‘supervisory authority’ from Article 4 paragraph 21 GDPR, or the Dutch Data Protection Authority;
- Privacy Impact Assessment (PIA) or Data Protection Impact Assessment under article 35 GDPR;
- Infringement: 'infringement in connection with personal data' from Article 4 paragraph 12 GDPR, which is a breach of security that leads to the destruction, loss, alteration or unauthorised provision of or unauthorised access to forwarded, stored or otherwise processed data.
- The explanation of the other terminology included in this agreement should be in line with the definitions from Article 4 GDPR.
- The considerations and appendices to these agreements form an integral part thereof.
- The subject, nature and purpose of the Processing operations are: Fulfilling the obligations arising from the underlying service contract regarding the payroll administration and/or financial administration, the preparation of tax returns, and the related activities. Processing takes place according to written instructions, unless the processor is obliged by law or regulation to act otherwise (for example, when weighing up whether a notification of an “unusual transaction” must be made under the Dutch money laundering and terrorist financing prevention Act (Wwft)).
- If, in our opinion, an instruction violates the GDPR, we will inform you immediately.
- The duration of the Processing operation is: as long as is necessary for the assignment of the services
- After the termination of the service agreement, the Processor's processing services will continue for a maximum of one (1) calendar month to give the Controller the opportunity to receive the Personal Data, in which case the duration of the Processing will be extended by this period. After carrying out the processing services or at the request of the Controller, the Processor will delete the Personal Data without keeping a copy thereof, unless Dutch or European law obliges the Processor to store the Personal Data.
- The Personal Data to be processed is of the following type and includes the following Personal Data categories, as listed in appendix 1 to this agreement.
3. Processor’s General obligations
- Processor processes Personal Data strictly on the basis of written instructions from Controller.
- The Processor will keep the Personal Data of the Controller strictly confidential and observe at least the same duty of care and guarantees as they apply to their own confidential information. Processor will also handle data not considered to be Personal Data in a careful and appropriate manner. Processor guarantees that this confidentiality also extends to the persons who are authorised to process the Personal Data.
- The Processor will not store or process the Personal Data made available to it longer than is necessary for the execution of the underlying assignment. The Processor will make all Personal Data available to the Controller as per Controller's first request, but no later than within a period to be agreed after the end of this agreement or the end of the service agreement.
- The Processor will, in as far as possible, assist the Controller in fulfilling its obligation to process requests from Data Subjects based on Articles 14 to 22 GDPR that - in short - serve to obtain transparency and insight, to rectify and erase Personal Data or ensure restriction of processing and to transfer the Personal Data. In this context, the Processor will also assist the Controller with the notification obligation of the latter in response to such requests and the handling of any objections by Data Subjects and taking appropriate measures in any automated decision-making and/or profiling of Data Subjects. The Processor will in any case provide the Controller with information within one (1) month with regard to the follow-up to requests from Data Subjects.
- The Processor will assist the Controller, in as far as possible, in fulfilling the latter's obligation to conduct a Privacy Impact Assessment (PIA) and ensure prior consultation with the Authority, in cases where the processing is likely to present a high risk to the privacy of Data Subjects, in particular cases for which new technologies are used.
4. Engaging other processors and transfer by Processor
- Processor is entitled to engage other processors (“sub-processors”) for the Processing operation. Processor will inform Controller of intended changes regarding the addition or replacement of other processors. The controller can object to such changes based on reasonable grounds.
- When another processor is engaged by the Processor, the same obligations will be imposed on this other processor by agreement as those that also ensue from this agreement, so that there are sufficient guarantees in place with regard to the application of appropriate technical and organisational measures. Processor remains responsible to the Data Controller for fulfilling the obligations of that other processor, if the latter does not fulfil its obligations.
- Processor will never pass on Personal Data to countries outside the European Union or to an international organisation without written instruction from the Controller, unless European or Dutch law obliges Processor to do so. In that case, the Processor will notify the Controller prior to the transfer, unless the relevant laws or regulations prohibit this notification.
- Processor will, taking into account the state of technology, the implementation costs, as well as the nature, scope, context, purpose of the Processing operation and the probability and seriousness of the various risks to the rights and freedoms of Data Subjects, take appropriate technical and organisational measures to ensure processing in accordance with the GDPR and to guarantee an appropriate level of security.
- Processor ensures that every natural person (such as an employee) who acts under its authority and has access to the Personal Data, only processes it on the instructions of the Controller, unless the Processor is obliged to do so under Union or Member State law, and that these persons are adequately instructed.
- Processor will in any case take the measures as described in appendix 2.
- Processor will, taking into account the nature, scope, context and the purpose of the processing operation and the probability and seriousness of the various risks to the rights and freedoms of Data Subjects, take appropriate technical and organisational measures to ensure processing is in accordance with the GDPR and to guarantee an appropriate level of security.
- Processor and, where applicable, the Processor's representative, keep a written or electronic register of all categories of processing operations that it carries out on behalf of the Controller. This register contains the following data: the name and contact details of any other processors and of the Controller, and, where applicable, of the representative of the Controller or of the other processor and of any data protection officer; the processing categories on behalf of the Controller; where applicable, transfers of Personal Data to another country or an international organisation, specifying that country or international organisation and any documents related to the appropriate safeguards as referred to in Article 49 paragraph 1 second subparagraph GDPR; a general description of the technical and organisational security measures referred to in Article 5.3 and appendix 2 of this agreement.
- The Processor will provide the Controller with all information necessary to demonstrate the obligations under this agreement and to enable audits, including inspections. The Processor will immediately inform the Controller if, in the opinion of the Processor, an instruction from the Controller is not in accordance with the GDPR or other Dutch or European data protection laws and regulations.
- Controller has the right to verify compliance with this agreement once a year, through an audit or inspection, if performed by a certified auditor. An audit may not unnecessarily disrupt the Processor's business operations.
- Controller will bear the costs of checks, with the exception of the costs of the employees of the Processor who supervises the check. The latter costs are borne by the Processor. If the audit shows that the Processor has failed to comply with this agreement or the GDPR, the Processor will bear the costs of the audit or inspection and the Processor will immediately repair the shortcomings that have been identified.
7. Reporting data breaches
- If an Infringement has taken place, the Processor will report this to the Controller without unreasonable delay as soon as they have taken note of it, but no later than 48 hours after the notification, unless it is unlikely that the Infringement will pose a risk to the rights and freedoms of natural persons. If it is not possible to provide all information in one go, the Processor can supply the information in steps, provided this is done without unreasonable delay.
- The notification, in any case, must include: the nature of the Breach, where possible, specifying the of Data Subject categories and personal data registers concerned and, approximately, the number of Data Subjects and personal data registers concerned; the name and contact details of the data protection officer or other contact point where more information can be obtained by Controller; the likely consequences of the Infringement; the measures that the Processor proposes or has already taken to address Infringement, including any measures to limit any adverse consequences thereof.
- Processor will assist Controller in documenting all Infringements.
- Processor will assist Controller in notifying Data Subjects when the Infringement is likely to pose a high risk to Data Subjects' rights and freedoms.
8. Final provisions
- Dutch law applies to this agreement. The choice of forum for any disputes arising from or related to this agreement is determined in the underlying service agreement. If no choice of forum has been determined, the relevant district court with regard to the Processor has exclusive jurisdiction to handle disputes between parties.
- Both parties are each responsible and liable for their own actions. If the Processor culpably fails to comply with this agreement or acts culpably in violation of the provisions of the GDPR, it will indemnify the Controller against any claims from third parties, including Data Subjects, arising from this, and all related costs and damages. Fines given by the Authority to the Controller are expressly excluded from the Processor's liability and indemnification.
- With regard to the processing of Personal Data, the provisions stated in this agreement prevail in the event of conflict with other contractual terms between the parties, unless the parties explicitly deviate from the provisions of this agreement in a further written agreement.
- If one or more provisions of this agreement prove not to be legally valid, then the agreement will remain in effect while the parties discuss making a replacement arrangement that is both legally valid and as much as possible in line with the arrangement that is to be replaced.
Drawn up and signed in duplicate:
||Van Hoesel /de Blaey Belastingadviseurs B.V.;
APPENDIX 1 THE TYPE OF PERSONAL DATA AND DATA SUBJECT CATEGORIES
- Personal data type
Any information about an identified or identifiable natural person (“the Data Subject”); regarded as identifiable as a natural person who can be directly or indirectly identified, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
The following personal data in any case includes the following:
- email address
- first name
- last name
- postal code
- telephone number
- marital status
- place of birth
- date of birth
- CVs / CV data
- copy of passport / passport information
- copy drivers license / drivers license information
- copy payslip / payslip information
- social security number / BSN
- bank account number / IBAN
- insurance policy numbers
- client number
- customer number
- login name
- telecom information
- company information / company name
2. Data subject categories
- customers / clients
- business contacts
APPENDIX 2 TECHNICAL AND ORGANISATIONAL MEASURES
Processor applies the following measures when processing for Controller:
1. Physical access control system
Appropriate measures to prevent unauthorised persons from accessing data processing systems in which personal data is processed:
- alarm system
- protection of buildings
- automatic access control system
- separation of work - and visiting areas
- security locks
- check key allocation
2. Digital access control system
Measures to prevent a data processing system from being used by unauthorised persons:
- Assigning user rights
- password policy (length, layout, rotation)
- Username/password authentication
- multi-factor authentication (2FA)
- protocol for working at home
- use of VPN technology
- use of anti-virus software
- use of a firewall
3. Access control system personal data
Measures to ensure that authorised users can only access the personal data for which they are authorised and to prevent further unauthorised processing:
- operating an authorisation system
- rights management by a system administrator
- secure storage of data carriers
- use of shredders or shredding services
4. Transfer control system
Measures to ensure that personal data in electronic transmission or during transport or storage on data carriers cannot be read, processed or deleted by unauthorised persons and that it can be checked and demonstrated to whom a transfer of personal data has been made:
- use of VPN tunnels
- use of SSL / TLS connections
- use of proxy servers
- use of email encryption
- use of safe transport packaging and holders
5. Entry check
Measures to ensure that it can be demonstrated subsequently whether, when and by whom personal data has been entered, changed or deleted in data processing systems:
- protocols for handling requests to modify, limit or delete data
- traceability of entry, modification or deletion of data by individual usernames
- use user rights for processing data based on authorisation
6. Job control
Measures that ensure that personal data processed on assignment can only be processed according to the instructions of the clients:
- use of processing agreements
- written instructions to the contractors
- careful selection of contractors
- prior investigation into the documentation of the safety measures with the contractor
- obligation to keep the data confidential for employees
- obligation to keep the data confidential for clients
- destruction of the data after termination of the service
7. Availability check
Measures that guarantee availability and continuity:
- emergency power supply for servers
- check temperature and humidity in the server room
- fire and smoke alarm system
- fire extinguishing systems / fire extinguishers in the server room
- backup and recovery plan
- storage of backup data on a secure, remote server
- backup tests and data recovery
- climate control in server rooms
- protection of power strips in server rooms
- emergency plan
- archive system
- spam filter