Version 2.0
Article 1: Definitions
The terms listed below, written with an initial capital letter, whether in the singular or plural, have the following meanings:
General Terms and Conditions: the Processor’s General Terms and Conditions, which apply in full to every agreement between the Processor and the Data Controller and of which these Processor Terms and Conditions form an integral part;
Annex: an appendix to these Processing Terms, which forms an integral part of these Processing Terms;
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Data Subject: the identified or identifiable natural persons to whom Personal Data relates, as referred to in Article 4(1) of the GDPR;
Third Party: a natural or legal person, public authority, agency or other body, other than the Data Subject, the Controller, the Processor, or the persons authorised under the direct authority of the Controller or the Processor to process Personal Data, as referred to in Article 4(10) of the GDPR;
Data breach: a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed, as defined in Article 4(12) of the GDPR;
Underlying Agreement: the agreement between the Processor and the Controller relating to the provision of services by the Processor to the Controller;
Personal Data: any information relating to an identified or identifiable natural person, as referred to in Article 4(1) of the GDPR and as further defined in Annex 1;
Sub-processor: another Processor engaged by the Processor for the purpose of processing Personal Data on behalf of the Controller;
Supervisory authority: one or more independent public authorities responsible for supervising the application of the GDPR, as referred to in Article 4(21) and Article 51 of the GDPR. In the Netherlands, this is the Dutch Data Protection Authority (AP);
Processor: Dr. Van Haeringen Laboratorium B.V., Chamber of Commerce number 09112692, which processes Personal Data on behalf of the Controller;
Processing or its conjugations: any operation or set of operations performed on Personal Data or a set of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data, as referred to in Article 4(2) of the GDPR;
Controller: a natural or legal person, a public authority, a body, or any other entity, being the party that has entered into an Agreement with the Processor, which, alone or jointly with others, determines the purposes and means of the processing of personal data, as referred to in Article 4(7) of the GDPR.
Article 2: Applicability of the Data Processor’s Terms and Conditions
2.1 The Processor undertakes, subject to the terms of these Processing Terms, to Process Personal Data on behalf of the Controller. Processing shall take place exclusively in the context of the performance of the supply of goods and services under the Underlying Agreement and for purposes reasonably related thereto or as determined by further agreement.
2.2 These are processing terms within the meaning of Article 28(3) of the GDPR, in which the rights and obligations regarding the processing of personal data are set out in writing, including those relating to security.
2.3 These Data Processor Terms, like the Data Processor’s General Terms and Conditions, form part of the Underlying Agreement and all future agreements between the parties.
Article 3: Obligations regarding Processing
3.1 The Processor shall not Process the Personal Data for any purpose other than that determined by the Controller and specified in Annex 1. The Controller shall inform the Processor in writing of the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects, and the rights and obligations of the Data Controller vis-à-vis Data Subjects, as referred to in Article 28(3) of the GDPR, insofar as this information is not already set out in these processing terms or the Underlying Agreement.
3.2 The Processor shall process the Personal Data exclusively on the basis of written instructions from the Controller, unless laws or regulations applicable to the Processor require it to process the data. In that case, the Processor shall inform the Controller, prior to processing, of that legal requirement, unless legislation and/or regulations prohibit this.
3.3 If, in the opinion of the Processor, an instruction as referred to in the second paragraph conflicts with a legal requirement under the GDPR or other legislation concerning the protection of Personal Data, it shall immediately notify the Controller thereof.
3.4 With regard to the Processing operations referred to in Article 2, the Processor shall ensure compliance with the applicable laws and regulations, including, in any event, those relating to the protection of Personal Data.
3.5 The permitted Processing operations shall only be carried out by authorised employees of the Processor within an automated environment.
3.6 The obligations of the Processor arising from these processing terms and conditions shall also apply to those who Process Personal Data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
3.7 Control and responsibility for the Personal Data shall never rest with the Processor.
3.8 The Controller may provide the Processor with additional written instructions due to amendments or changes in the applicable regulations regarding the protection of personal data.
3.9 The Processor shall process the Personal Data solely within the European Economic Area.
Article 4: Sub-processing
4.1 The Processor is permitted to engage Sub-processors. The Controller hereby grants the Processor general authorisation, on condition that the Processor notifies the Controller in writing of any change (addition or replacement) to the already known Sub-processors as listed in Annex 3, no later than thirty (30) days prior to any intended change. The Controller may raise a reasoned objection up to ten (10) days prior to the effective date of the proposed change. Annex 3 lists the Sub-processors known at the time of the entry into force of these processing terms and conditions.
4.2 If the Processor engages a Sub-processor with the consent of the Controller, the Processor shall ensure that the Sub-processor is bound by the obligations under these processing terms and conditions through a contract and complies with them.
4.3 The Processor remains responsible to the Controller for the performance of the Sub-processor’s obligations in accordance with its agreement with the Processor. The Processor shall notify the Controller of any failure by the Sub-processor to fulfil its contractual obligations.
Article 5: Confidentiality
5.1 All Personal Data that the Processor receives from the Controller and/or collects itself within the scope of these processing terms is subject to a duty of confidentiality vis-à-vis Third Parties. The Processor shall not use this information for any purpose other than that for which it was obtained.
5.2 This duty of confidentiality shall not apply insofar as the Controller has given express consent to provide the information to Third Parties, if the provision of the information to Third Parties is logically necessary given the nature of the assignment and the performance of these processing terms, or if there is a legal obligation to provide the information to a Third Party.
5.3 The Processor shall ensure that its staff and any auxiliary persons engaged who are responsible for the Processing of Personal Data undertake to observe confidentiality and have access to Personal Data only to the extent strictly necessary for the performance of these processing terms or the Underlying Agreement.
Article 6: Security Measures
6.1 The Processor shall – taking into account the applicable regulations regarding the protection of Personal Data, the state of the art and the costs of implementation – implement technical and organisational security measures to protect the Personal Data against loss or any form of unlawful Processing. The security measures currently in place are set out in Annex 2.
Article 7: Monitoring of compliance
7.1 The Processor shall provide the Controller with the cooperation necessary to fulfil the accountability requirements referred to in Article 28(3) of the GDPR. A reasonable fee shall be charged for these activities, unless otherwise agreed in the Underlying Agreement.
7.2 The Controller shall be entitled to have an audit carried out once a year by a (legal) person authorised by the Controller, in respect of the Processor’s organisation, in order to demonstrate that the Processor complies with the provisions of the Underlying Agreement, these processing terms, the GDPR and other applicable laws and regulations concerning the Processing of Personal Data. The costs shall be borne by the Controller.
7.3 The Processor is obliged, in the context of the audit referred to in paragraph 2, to provide an overview of the Personal Data being processed.
Article 8: Data Breach
8.1 In the event of a personal data breach within the meaning of Article 33 of the GDPR, the Processor shall inform the Controller thereof without undue delay.
8.2 If and insofar as all this information cannot be provided at the same time, the initial notification shall contain the information available at that time, and further information shall then be provided without delay as soon as it becomes available.
8.3 The Processor shall, where possible, assist the Controller in fulfilling its responsibilities towards the Supervisory Authority and/or Data Subjects as referred to in Articles 33 and 34 of the GDPR.
8.4 Reporting a Personal Data Breach to the Supervisory Authority and/or Data Subjects, as well as maintaining a record of Personal Data Breaches as referred to in Articles 33 and 34 of the GDPR, is the responsibility of the Controller.
Article 9: Support for the Controller
9.1 The Processor shall, upon request, assist the Controller in fulfilling the Controller’s obligations under Articles 33 to 36 of the GDPR.
9.2 In the event that a Data Subject invokes one or more rights as referred to in Articles 15 to 22 of the GDPR and addresses the corresponding request to the Processor, the Processor shall notify the Controller of the request. The Processor shall not handle the request itself, unless otherwise agreed.
9.3 In the event that a Data Subject invokes one or more rights as referred to in Articles 15 to 22 of the GDPR and addresses the corresponding request to the Controller, the Processor hereby provides the necessary assistance to the Controller.
Article 10: Liability
10.1 The Processor shall only be liable, in accordance with the provisions of Article 82 of the GDPR, for damage or loss insofar as this arises from its activities. The General Terms and Conditions and the limitation of liability contained therein shall apply in full.
10.2 The Controller guarantees that the content, use and instructions regarding the processing of Personal Data as referred to in these processing terms and conditions are not unlawful and do not infringe the rights of Data Subjects and/or Third Parties. The Data Controller indemnifies the Data Processor against any claims by Data Subjects or Third Parties arising from or in connection with the Processing.
Article 11: Term and termination
11.1 The Data Processing Agreement shall remain in force for the duration of the Underlying Agreement and shall terminate upon the termination of the Underlying Agreement.
11.2 If, pursuant to a statutory retention obligation, the Processor is required to retain certain data and/or documents, computer disks or other data carriers on which or in which Personal Data is contained for a statutory period, the Processor shall ensure the destruction of such data or documents, computer disks or other data carriers within 4 weeks of the statutory retention obligation ceasing.
11.3 Upon termination of the Underlying Agreement between the Controller and the Processor, the Controller may request the Processor to return all documents containing Personal Data to the Controller, at the Controller’s expense. In the event of such return, the Processor shall provide the Personal Data in the form in which it is held by the Processor.
11.4 Without prejudice to the other provisions of this Article 11, the Processor shall, following termination of the Agreement, neither retain nor use any Personal Data.
11.5 Following the termination of the Underlying Agreement and these processing terms, provisions of these processing terms which, by their nature, are intended to remain in force shall continue to apply, in particular Article 5.
Article 12: Final provisions
12.1 If one or more provisions of these processing terms are void or are set aside, the remaining provisions shall remain in full force and effect. If any provision of these processing terms is not legally valid, the parties shall negotiate the content of a new provision, which provision shall approximate the content of the original provision as closely as possible.
12.2 The parties may only agree to amendments to these processing terms in writing.
12.3 The Data Controller may not transfer these processing terms and the rights and obligations associated therewith to a Third Party, unless explicitly agreed otherwise in writing. The Processor is permitted to do so.
12.4 In the event of any conflict with provisions of the applicable Underlying Agreement and/or General Terms and Conditions, the provisions of these processing terms shall take precedence.
12.5 In these processing terms, ‘in writing’ also includes electronic means within the meaning of Section 6:277a of the Dutch Civil Code.
12.6 These processing terms and conditions are governed by Dutch law.
12.7 All disputes relating to the processing terms and conditions or their performance shall be submitted to the competent court in the district of Gelderland; the court in Zutphen shall have exclusive jurisdiction to hear any such dispute.
ANNEX 1: PERSONAL DATA AND PURPOSES
The Data Controller instructs the Data Processor to process the following Personal Data within the scope of the assignment, which may include, but is not limited to:
(1) Name (initials, surname);
(2) Telephone number;
(3) Email address;
(4) Place of residence;
(5) Bank account number.
The Personal Data may only be processed in the context of the following activities:
(1) the activities, to be regarded as the primary service provision, in the context of which the Data Controller has issued an assignment to the Processor;
(2) maintenance, including updates and releases of the system made available to the Data Controller by the Processor or a Sub-processor;
(3) data and technical management, including by a Sub-processor;
(4) hosting, including by a Sub-processor.
ANNEX 2: SECURITY MEASURES
The Processor has, in any event, implemented the following security measures:
- Backup and recovery procedures
- Security of network connections and networks
- Data encryption
- Encryption of personal data during electronic transfer to external parties
- Confidentiality clauses in employment contracts
- Intruder alarm
- Logical access control by means of passwords and/or personal access codes
- Sub-processor agreements with third parties
- Secure methods for storing data files
ANNEX 3: LIST OF SUB-PROCESSORS
The Processor engages the following sub-processors for the Services:
Server hosting and management: Microsoft (Azure), Beyonder and CJ2
Payment provider: CM Payments
Support and development: Beyonder and VHLGenetics