with its registered office and principal place of business at:
hereinafter referred to as “Responsible Person”
the private company Vercauteren Administraties
with its registered office in The Hague at Loire 184, 2491 AL The Hague,
hereinafter referred to as "Processor".
1 - General: In this processor agreement, the following definitions apply:
1.1 - General Terms and Conditions: the General Terms and Conditions of the Processor, which apply in full to every agreement between the Processor and the Controller and of which General Terms and Conditions this Processor Agreement is an integral part.
1.2 - Processor: the private company Vercauteren Administraties, with its registered office in The Hague at Loire 184, 2491 AL The Hague.
1.3 - Data: the personal data as described in Annex 1.
1.4 - Client: the natural or legal person who has instructed Processor to perform Work, also Responsible.
1.5 - Agreement: any agreement between the Client and the Processor for the performance of Work by the Processor for the Client, in accordance with the provisions of the order confirmation.
1.6 - Responsible Party: the Client who, as a natural person or legal entity, has instructed the Processor to perform Work.
1.7 - Activities: all activities that have been commissioned or that are performed by the Processor for other reasons. The foregoing applies in the broadest sense of the word and in any case includes the work as stated in the order confirmation.
2 - Applicability of the processing agreement
2.1 - This processor agreement applies to all data collected by the Processor for the Client in the context of the performance of the work for the Client, as well as to all Work arising for the Processor and the data to be collected in that context.
2.2 - Controller is responsible for the processing of the Data concerning certain categories of data subjects, as described in Annex 1.
2.3 - During the execution, the Processor processes certain personal data for the Controller.
2.4 - This is a processing agreement within the meaning of Article 28 paragraph 3 of the General Data Protection Regulation (GDPR), in which the rights and obligations with regard to the processing of personal data are arranged in writing, including with regard to security. This processor agreement is binding on the Processor with regard to the Controller.
2.5 - This processor agreement, just like the General Terms and Conditions of the Processor, forms part of the Agreement and all future agreements between the parties.
3 - Scope of the processing agreement
3.1 - By giving the order to perform Work, the Controller has instructed the Processor to process the Data on behalf of the Responsible Party in the manner described in Annex 1 in accordance with the provisions of this processor agreement.
3.2 - Processor processes the Data exclusively in accordance with this processing agreement, in particular with what is included in Annex 1. Processor confirms that it will not process the Data for other purposes.
3.3 - Control over the Data never rests with the Processor.
3.4 - The Controller can give additional, written instructions to the Processor due to adjustments or changes in the applicable regulations in the field of personal data protection.
3.5 Processor only processes the Data in the European Economic Area.
4 - Secrecy
4.1 - Processor and the persons who are employed by the Processor or who perform work for him, insofar as these persons have access to personal data, only process the Data on behalf of the Controller, subject to deviating legal obligations.
4.2 - Processor and the persons who are employed by Processor or who perform work for him, insofar as these persons have access to personal data, are obliged to maintain the confidentiality of the personal data of which they become aware, except insofar as any statutory regulation obliges them to disclose or the need to communicate arises from a task.
5 - No further disclosure
5.1 - The Processor will not share the data with or provide it to third parties, unless the Processor has obtained prior written permission or instruction from the Controller or is obliged to do so on the basis of mandatory legislation. If Processor on the basis is obliged by mandatory law to share the Data with or provide it to third parties, the Processor will inform the Controller about this in writing, unless this is not permitted.
6 - Security Measures
6.1 - Taking into account the state of the art, the implementation costs, as well as the nature, scope, context and processing purposes and the risks to the rights and freedoms of individuals, varying in probability and seriousness, the Processor takes appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The security measures that have now been taken are specified in Annex 2.
6.2 - Processor will take measures that are partly aimed at preventing unnecessary collection and further processing of personal data.
6.3 - The Data is only stored and processed within the European Economic Area.
7 - Compliance Monitoring
7.1 - The Processor will provide the Controller at its request and at its expense with information about the Processing of the Data by the Processor or Sub-processors. Processor will provide the requested information as soon as possible, but at the latest within five working days.
7.2 - The Controller has the right once a year and at its own expense to have an independent third party jointly designated by the Controller and the Processor perform an inspection to verify whether the Processor complies with the obligations under the GDPR and this processor agreement. Processor will provide all reasonably necessary cooperation. Processor has the right to charge its costs associated with the inspection to Controller.
7.3 - In the context of its obligation under paragraph 1 of this article, the Processor will in any case:
7.3.1 - provide all relevant information and documents;
7.3.2 - grant access to all relevant buildings, information systems and Data.
7.4 The Controller and the Processor will consult each other as soon as possible after the report has been prepared to address any risks and shortcomings. The Processor will take measures at the expense of the Responsible Party to bring the identified risks and shortcomings to an acceptable level for the Responsible Party, unless the parties have agreed otherwise in writing.
8 - Data breach
8.1 - As soon as possible after the Processor becomes aware of an incident or data breach that (also) relates or may relate to the Data, the Processor will inform the Controller of this via the contact details of the Controller known to the Processor and the Processor will provide information about: the nature of the incident or data breach, the Data affected, the established and expected consequences of the incident or data breach on the Data and the measures that the Processor has taken and will take.
8.2 - Processor will support Controller with reports to data subjects and/or authorities.
9 - Sub-processors
9.1 - If the Processor has prior (general) permission to outsource its obligations to third parties, the Processor will inform the Controller of the intention to engage the sub-processor. Processor gives the Controller a term of 7 working days to object to the engagement of the sub-processor. Processor will only engage the sub-processor if the period of 7 days has expired without Controller having objected, or if Controller has indicated that it does not object to engaging the sub-processor.
9.2 - If Processor does not have prior permission to outsource its obligations to third parties, Processor will request prior permission for engaging the sub-processor.
9.3 - Processor ensures that the sub-processor is subject to this processor agreement or to a sub-processor agreement that contains the same obligations as this processor agreement.
10 - Duties and rights of data subjects
10.1 - Processor will cooperate with the Controller on request in the event of a complaint, question or request from a data subject, or investigations or inspections by the Dutch Data Protection Authority.
10.2 - Processor will assist the Controller at its request and at its expense in carrying out a data protection impact assessment.
10.3 - If the Processor receives a request directly from a data subject to inspect, correct or delete his or her Data, the Processor will inform the Controller within two working days of the receipt of the request. The Processor will carry out all instructions that the Controller gives to the Processor in writing as a result of such a request from the data subject as soon as possible. V The worker takes the necessary appropriate technical and organizational measures that are necessary to comply with such instructions from the Controller.
10.4 - If instructions from the Controller to the Processor conflict with any legal provisions regarding data protection, the Processor will report this to the Controller.
11 - Duration and Termination
11.1 - This processing agreement is valid as long as the Processor has been instructed by the Controller to process Data on the basis of the Agreement between the Controller and the Processor. As long as the Processor performs Work for the Responsible Party, this processing agreement applies to this relationship.
11.2 - If, after termination of the Agreement, the Processor has to keep certain data and/or documents, computer disks or other data carriers on or in which the Data is located for a statutory period on the basis of a statutory retention obligation, the Processor will ensure the destruction of this data or documents, computer disks or other data carriers within 4 weeks after termination of the statutory retention obligation.
11.3 - Upon termination of the Agreement between the Responsible Party and the Processor, the Responsible Party may request the Processor within two months after termination of the Agreement to return all documents, computer disks and other data carriers on which or in which data is located, to the Responsible Party, at the expense of the Responsible Party. In the event of a return, the Processor will provide the data in the form available to the Processor. Insofar as the Data is located in a computer system or in another form through which the Data cannot reasonably be provided to the Controller, the Processor will provide the Controller with an accessible, legible copy of the Data. After this period has expired, the Processor will proceed to definitively destroy the Data, unless the Processor is obliged to store Data on the basis of a legal obligation.
11.4 - Without prejudice to the other provisions of this article 12, the Processor will not keep or use any Data after termination of the Agreement.
11.5 - The manner of destruction is determined in consultation with the Responsible. After destruction, the Processor will provide the Controller with written confirmation of this.
11.6 - Without prejudice to the other provisions of this article 12, the Processor will not keep or use any Data after termination of the Agreement.
12 - Nullity
12.1 - If one or more provisions of this processing agreement are void or destroyed, the other conditions remain fully applicable. If any provision of this processor agreement is not legally valid, the parties will negotiate the content of a new provision, which provision will approach the content of the original provision as closely as possible.
13 - Applicable law and choice of forum
13.1 - This processor agreement is governed by Dutch law.
13.2 - All disputes in connection with the processor agreement or its implementation will be submitted to the competent court at the court of The Hague.
ANNEX 1: DATA, PURPOSES AND CATEGORIES OF Stakeholders
The Controller has the Processor process the following Data by the Processor in the context of the assignment, which may include, but is not limited to, personnel administration, payroll administration, financial reporting:
(1) Name (initials, last name)
(2) Phone number
(3) Email Address
(4) Date of Birth
(5) Place of residence
(6) Data ID proof (in connection with the Wwft)
(7) Financial data, both business and private
(8) Name and address details and BSN of employees of the Controller
The activities for which the above-mentioned Data may be processed, only if necessary, are in any case:
(1) The work, to be regarded as the primary service, in the context of which the Controller has issued an order to the Processor;
(2) the maintenance, including updates and releases, of the system made available to the Controller by the Processor or sub-processor;
(3) data and technical management, including by a sub-processor;
(4) the hosting, including by a sub-processor.
CATEGORIES OF Stakeholders
The Data that are processed concerning the following categories of data subjects:
(2) Client employees
ANNEX 2: SECURITY MEASURES
The Processor has in any case taken the following security measures:
- Backup and restore procedures
- Security of the network connections
- Powers are assigned to a limited number of persons who are charged with the execution of the processing (including a periodic check on this)
- Confidentiality declarations in employment contracts
- Encryption v of personal data during electronic transfer to external parties
- Intruder alarm
- Logical access control by means of passwords and/or personal access codes
- Sub-processor agreements with third parties
- Safe way to store data files
I have taken note of the content and agree to the Processor Agreement:
Agree Data Processing Agreement
Date for approval:
A copy will be sent to the above email address.