Data processing agreement
Between:
[●], (the “Controller”); and
Leat Netherlands B.V., a limited liability company incorporated under the laws of the Netherlands, with its registered office in Utrecht, having its principal place of business at Bisonspoor 3002 B 901, 3605 LT in Maarssen, and registered in the business register under number 58334904 (the “Processor”).
The parties to this DPA are hereinafter also referred to collectively as the Parties and each as a Party.
Considering that:
Controller processes personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), including but not limited to personal data regarding its [●], for which it determines the purposes and means of processing and thereby qualifies as controller within the meaning of Article 4(7) GDPR;
Parties have entered into the agreement [●] with effective date [●] (the "Agreement"). The Agreement relates to the online customer engagement platform as offered by Processor;
In the context of the performance of the Agreement, Controller will directly and/or indirectly provide Personal Data to Processor and/or Processor will obtain access to Personal Data of Controller;
In the context of the performance of the Agreement, Processor will process Personal Data under the instructions of Controller, without being subject to Controller's direct authority, and thereby qualifies as a processor within the meaning of Article 4(8) GDPR; and
Parties wish, in addition to the Agreement, to establish their rights and obligations in this DPA in accordance with the GDPR, the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming), and any other applicable European and national privacy laws and regulations ("Applicable Data Protection Legislation").
Parties agree as follows:
1. Definitions
The Parties use the following (capitalized) definitions in this DPA:
Authority: The supervisory authority as referred to in Article 51 GDPR;
Data Subject: The identified or identifiable natural person to whom the Personal Data relates;
Security Protocols: The security measures to be applied by Processor as described in Appendix 1;
Data Breach: A breach of security of Personal Data as referred to in Article 4(12) GDPR;
Personal Data: Any information relating to an identified or identifiable natural person as referred to in Article 4(1) GDPR, which Processor has obtained directly and/or indirectly from Controller and/or to which Processor has been given access by Controller.
2. Purpose of processing
2.1 - Processor shall process Personal Data solely for the benefit of Controller, in accordance with Controller's instructions and under Controller's responsibility, as described in Appendix 2 to this DPA. Processor does not determine the purposes and means of processing Personal Data.
2.2 - In view of the provisions of the preceding paragraph, the processing of Personal Data by Processor shall only take place in the context of:
the performance of the Agreement and this DPA; and
a legal obligation that requires Processor to process Personal Data; in that case, if permitted by law, Processor shall notify Controller of that legal requirement prior to processing.
2.3 - The Personal Data shall remain the property of Controller and/or the relevant Data Subject. Controller warrants that the Personal Data does not contain special categories of personal data within the meaning of Articles 9 and 10 GDPR, national identification numbers within the meaning of Article 87 GDPR, or sensitive personal data as described by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
3. Obligations of the processor
3.1 - Processor is obligated to provide, at the Controller's first request, such cooperation as is necessary to access, transfer, delete and/or destroy Personal Data.
3.2 - Processor is obligated to impose its obligations under the DPA in writing on those acting under the authority of Processor, including but not limited to employees of Processor and (sub)processors engaged by Processor. Processor is fully liable to Controller for (damages resulting from) the processing of Personal Data by (sub)processors it has engaged in accordance with Section 12 of this DPA.
3.3 - Processor is obligated to provide the Controller with the reasonable cooperation necessary for complying with the Data Subject's rights as referred to in Article 12 through Article 22 of the GDPR, carrying out Data Protection Impact Assessments as referred to in Article 35 of the GDPR, and complying with the legal obligations of the Controller in this respect.
3.4 - Processor is obligated to keep records showing in detail how it complies with its obligations under this DPA and the Applicable Data Protection Legislation. Processor is obliged to allow Controller to inspect these records upon first request and to inform Controller in writing of the measures it has taken with respect to its obligations under this DPA and the Applicable Data Protection Legislation.
4. Security measures
4.1 - Processor shall take appropriate technical and organizational measures to secure the Personal Data against loss and/or any form of unlawful processing. To this end, Processor shall at least, but not exclusively, adhere to the level of security set forth in the Security Protocols.
4.2 - Processor is aware of the importance of security measures and shall, upon request, disclose annually in a manner to be designated by Processor what appropriate technical and organizational measures Processor has taken to secure the Personal Data.
4.3 - If Processor changes the measures laid down in the Security Protocols and if these changes adversely affect the security level of Personal Data, Processor will inform Controller prior to the changes, giving Controller the opportunity to object to those changes. Processor shall comply with objections of the Controller if the changes make it impossible for Processor and/or Controller to comply with the requirements of Article 32 GDPR.
5. Data breach notification
5.1 - In the event of a Data Breach, Processor shall, without undue delay, but in any event within 48 hours of discovery of the Data Breach, notify Controller in writing at the following email address: [●].
5.2 - Within 48 hours of discovery of the Data Breach, to the extent available at that time, Processor shall provide Controller with the information required to make the notification(s) referred to in Articles 33 and 34 of the GDPR, covering at least:
the categories and an indication of the number of Personal Data records affected;
the categories and an indication of the number of Data Subjects affected;
the nature of the Data Breach;
the period during which the Data Breach occurred;
the measures taken to mitigate the negative consequences of the Data Breach;
a description of the observed and suspected consequences of the Data Breach;
the measures taken or proposed to be taken by Processor and/or the (sub)processor(s) engaged by it to remedy these consequences.
5.3 - Controller shall itself make the notifications referred to in Article 33 GDPR to the Authority and if necessary to the Data Subject in accordance with Article 34 GDPR. Without the prior written consent of Controller, Processor is not entitled to report Data Breaches to the Authority and/or Data Subject.
5.4 - Parties may agree in writing that and under which conditions Processor shall make notifications within the meaning of Articles 33 and 34 GDPR.
6. International data transfers
6.1 - Processor is permitted to process and/or transfer Personal Data to third countries or international organizations outside the European Economic Area, provided that one or more of the safeguards referred to in Articles 44 through 49 of the GDPR applies. Processor is obligated to inform Controller in writing of any intended transfer of Personal Data to third countries or international organizations outside the European Economic Area and of the safeguards relied on in this respect.
7. Control and audit
7.1 - Processor shall provide Controller with reasonably required information and cooperate with audits by Controller, or by a third party designated by Controller, that are reasonably requested and required to demonstrate that Processor is in compliance with its obligations under this DPA.
7.2 - The timing of any audit shall be mutually agreed upon.
7.3 - Controller shall provide Processor with timely written notice of an audit that Controller requests to conduct in accordance with Section 7.1, including an explanation of the grounds for the inspection. Controller shall limit the quantity of audits and ensure that Controller or the third party designated by Controller is bound by confidentiality obligations, complies with the reasonable instructions and directions of Processor, complies with safety and other regulations applicable at the site of inspection, and does not cause damage or otherwise disrupt business operations. Processor will not be required to provide access to its premises for the purposes of an inspection:
to persons who cannot identify themselves and produce proof of authority; or
outside normal business hours and/or on weekends.
7.4 - The costs associated with an audit will be borne entirely by the Controller. The labour hours that will be required from Processor for the purposes mentioned in this Section will be charged to Controller at an hourly rate of EUR 175 on an after-the-fact basis.
7.5 - Controller shall provide Processor with a copy of the audit report as soon as possible after the completion of an audit and give Processor reasonable opportunity to respond in writing to the audit report.
8. Data subjects rights
8.1 - Processor is obligated to inform Controller within one calendar week if a Data Subject has made a request to exercise their rights referred to in Article 12 through 22 of the GDPR.
8.2 - Processor is obligated to provide Controller with the appropriate cooperation that may be reasonably required for the exercise of the Data Subject's rights under the GDPR.
9. Confidentiality
9.1 - Processor is obligated to maintain the confidentiality of Personal Data. Processor shall impose this obligation of confidentiality on its employees and on third parties engaged by Processor.
9.2 - Without prior written consent of Controller, Processor is not permitted to disclose information that can reasonably be attributed to this DPA and/or a Data Subject and/or a Data Breach to third parties, including but not limited to Data Subject, Authorities and the media.
10. Term and termination
10.1 - This DPA shall enter into force upon valid signature by the Parties and shall be entered into for the duration of the Agreement. Subject to the provisions of Section 11 of this DPA, this DPA shall terminate automatically upon termination (beëindiging) or dissolution (ontbinding) of the Agreement.
10.2 - Article 9 (Confidentiality) and Article 15 (Governing law and jurisdiction) shall survive between Parties indefinitely, even after the termination (beëindiging) or dissolution (ontbinding) of this DPA.
11. Consequences of termination
11.1 - To the extent that Processor still has Personal Data in its possession after the termination or dissolution of this DPA, it shall destroy it as soon as possible or – at the discretion of Controller – return it to Controller, unless Processor is required to retain the Personal Data under applicable laws or regulations. In the latter case, Processor shall fulfil all its obligations under this DPA for the entire period during which it is required to retain the Personal Data under applicable laws or regulations. Processor shall inform Controller about the existence of such obligations without unreasonable delay, unless this is not permitted under applicable laws or regulations.
11.2 - Upon termination or dissolution of this DPA, Processor shall inform Controller in writing of the date of deletion of the Personal Data. Controller may elect up to 48 hours prior to the deletion date to have the Personal Data returned rather than deleted, through written notice to Processor. If the Controller opts for return, Processor shall return Personal Data to Controller and delete existing copies on the deletion date. Requests from Controller to delete or return Personal Data may be directed to the following email address: contracts@leat.com.
12. Engaging (sub)processors
12.1 - Controller grants general consent to Processor to engage (sub)processors. Prior to engaging a (sub)processor, Processor shall inform Controller about the intended changes regarding the addition or replacement of other (sub)processors, giving Controller the opportunity to object to these changes.
12.2 - Upon the first request of the Controller, Processor shall provide Controller with an overview of (sub)processors engaged by it. An overview of (sub)processors already engaged at the time of signing of this DPA is included in Appendix 3 to this DPA.
13. Costs
13.1 - Costs arising from Data Subject rights as referred to in Articles 14 through 22 of the GDPR, from Data Protection Impact Assessments as referred to in Article 35 of the GDPR, and/or from investigations or audits by the Authority regarding the Personal Data will be borne by Controller. The labour hours required from Processor will be charged to Controller at an hourly rate of EUR 175 on an after-the-fact basis. Costs incurred by Processor at the request of Controller or the Authority shall be borne by Controller.
14. Changes in legislation
14.1 - Upon the amendment of existing laws and/or regulations and upon the introduction of new laws and/or regulations, Processor shall at the first request of Controller provide all cooperation that can reasonably be expected from it, such as but not limited to amending this DPA.
15. Governing law and jurisdiction
15.1 - The legal relationship between Parties that is regulated by this DPA shall be governed by Dutch law.
15.2 - All disputes between Parties related to or arising from this DPA shall be settled by the competent court in the court district of Midden-Nederland.
Appendix 1: Security Protocols
The measures to be taken by the Processor as referred to in Section 4 of the DPA will consist of at least, but not exclusively:
A. - Adhering to the obligations set out in Section 5 (Data breach notification) and Section 9 (Confidentiality) of the DPA;
B. - Installing and keeping up to date a system through which access to Personal Data is protected by an authentication method, such as a password, or by measures that are at least equally reliable. Processor will ensure that its employees follow best practices regarding the aforementioned authentication methods, including at least by ensuring that passwords are treated as confidential information and are not shared or reused;
C. - Securing the system by which the Processor processes Personal Data by way of preventive, detective and corrective measures (including but not limited to timely implementation of security patches and virus scanning) and protecting information systems and technology against malware (including but not limited to viruses, spyware, and ransomware);
D. - Storing the passwords by which Controller may access the Personal Data only in salted, hashed form, never in plaintext or in reversibly encrypted form;
E. - Adequate physical protection of the spaces in which and devices on which Personal Data is stored against unlawful access;
F. - Conducting periodic penetration testing to identify gaps in the security measures and remediating the findings of such testing.
Appendix 2: Description of processing
Processor will only process the Personal Data in accordance with the instructions of Controller as set out below.
Subject, nature, estimated duration and purposes of processing:
Subject of processing: the personal data (see below) provided by customers and/or employees of Controller to Controller and/or Processor for the purposes of a loyalty programme;
Nature of processing: among other things, partitioning and segmenting customer data, tracking customer relations and performing direct marketing;
Estimated duration: processing will last until termination of the Agreement or until Controller requests that certain data be deleted;
Purpose: Processor supports Controller with customer relations management and direct marketing through the use of loyalty programmes on the Leat platform.
Categories of Personal Data
Categories of personal data may include, among other things:
first name;
last name;
email address;
phone number;
date of birth;
residential address; and/or
postal code.
Controller may specify through further instructions in the Leat platform which personal data may be processed by Processor.
Categories of Data Subjects
Data subjects are customers and/or employees of Controller.
Appendix 3: (Sub)processors
Processor shall, in accordance with Section 12.1 of the DPA, engage (sub)processors to support the provision of services. Processor uses at least the (sub)processors set out below.