DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the services agreement under the TM-Pro Terms and Conditions (the “Principal Agreement”) between TM-Pro B.V., a company registered under the laws of The Netherlands with its offices at Sarphatistraat 370, 1018GW, Amsterdam, The Netherlands (“The Controller”)

And

Company name. having its place of business at .. address .. registered under the laws of the Netherlands (..or other..), Chamber of Commerce number: 123).. (the “Processor”).

Considering:

a) The Controller wishes to subcontract certain Services, which implies the processing of personal data, to the Data Processor.

b) The Parties seek to implement a DPA that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

It is agreed as follows:


Article 1. Definitions

  • “Principal agreement” means the contract for services between Controller and Processor.
  • “Personal Data” means any Personal Data Processed by a Processor on behalf of Controller pursuant to or in connection with the Principal Agreement;
  • “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  • “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • “GDPR” means EU General Data Protection Regulation 2016/679;
  • “Services” means the __________________ services the Processor provides.
  • “Sub-processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Agreement.

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Article 2. Purpose of the Data Processing Agreement

2.1 The DPA supplements the Principal Agreement and supersedes any agreements previously made between the Parties regarding the Processing of Personal Data. In case of conflict between the provisions of the DPA and the Principal Agreement, the provisions of the DPA shall prevail.

2.2 The DPA shall apply to all Processing carried out in relation to the Principal Agreement. Processor shall notify Controller without delay if Processor has reason to believe that Processor can no longer comply with the Data Processing Agreement.

2.3 Controller mandates and instructs Processor to process the personal data on behalf of Controller. The scope of the Processing operations is defined in the Principal Agreement. Processor shall not process any personal data other than on the relevant Controller’s documented instructions.

2.4 Processor and Controller shall comply with the GDPR and other applicable laws and regulations regarding the Processing of Personal Data. Processor shall immediately notify the Controller if, in the opinion of Processor, an instruction of the Controller violates the GDPR and/or other applicable laws and regulations regarding the Processing of Personal Data.

2.5 If Processor operates in violation of the DPA and/or GDPR and/or other applicable laws and regulations regarding the Processing of Personal Data, Processor shall be held accountable.

Article 3. Access to personal data

3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-Processor who may have access to the Controller’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

3.2 Processor shall not provide Sub-processors with access to Personal Data without the prior written consent from Controller.

3.3 Processor shall, in the event of intended changes regarding the addition, replacement or modification of Sub-processor(s), inform Controller no later than three (3) months prior to said intended changes in writing, giving the Controller the opportunity to object to such changes within one (1) month after Controller has been informed by Processor of the intended change. Both parties can negotiate about the intended changes. If no satisfactory outcome comes from negotiation, the DPA can be, with mutual consent, terminated, which in turn will lead to termination of the Principal Agreement.

3.4 Processor remains fully responsible and fully liable for the performance and obligations of any sub processor(s). These obligations include the appropriate measures as described in section 4.1.

Article 4. Security

4.1 Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 Processor shall record its security policy in writing. At the request of Controller, Processor shall provide evidence of a written security policy.

4.3 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing personal data.

Article 5 Data subject rights

5.1 Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

5.2 Processor shall ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before the Processor responds to the request.

5.3 The Controller and the Processor shall cooperate, on request, with a supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by a supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by a supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.

Article 6 Personal data breach

6.1 Processor shall inform Controller without undue delay, but no later than 24 hours, after becoming aware of a Personal Data Breach.

6.2 Processor shall provide Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

6.3 Processor shall co-operate with the Controller and take reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

6.4 Processor has established adequate policies and procedures to detect data breaches related to Personal Data at the earliest possible stage and respond appropriately and promptly to a Personal Data Breach.

 

Article 7 Audit

7.1 Subject to this section, Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Company Personal Data by the Contracted Processors.

7.2 The cost of a periodic audit initiated by Processor shall be borne by Processor. The costs of the audit at the request of Controller shall be borne by Controller, unless the findings of the audit show that Processor has failed to comply with the provisions of the DPA and/or the GDPR and/or other applicable laws and

7.3 If results from an audit demonstrate that Processor fails to comply with the provisions of the DPA and/or the GDPR and/or other applicable laws and regulations concerning the Processing of Personal Data, Processor shall without delay take all reasonably necessary measures to ensure that Processor complies at the soonest. The related costs shall be borne by Processor when regulations regarding the Processing of Personal Data have not been complied with.

Article 8 Data transfer

8.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Controller. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

8.2 Processor shall, upon request of Controller, demonstrate that requirements as described in Article 8.1 have been met.

Article 9 Changes

9.1 Processor is obliged to immediately inform Controller about intended changes in the Services, the Principal Agreement and/or the DPA that relate to the Processing of Personal Data and that (potentially) require an amendment of the DPA and/or the Annexes.

Article 10 Duration and termination

10.1 The duration of the DPA is equal to the duration of the Agreement. The DPA is not terminable separately from the Principal Agreement. Upon termination of the Principal Agreement, the DPA shall terminate by operation of law and vice versa.

10.2 Controller is entitled to terminate the DPA if Processor fails or can no longer comply with the DPA and/or GDPR and/or other applicable laws and regulations regarding the Processing of Personal Data and Processor is in default, without Processor claiming any compensation. At termination, Controller shall observe a reasonable notice period, unless the circumstances warrant immediate termination.

10.3 Within ten (10) working days after the DPA ends, Processor shall destroy and/or return all Personal Data and/or transfer this data to Controller and/or another party to be designated by Controller, at Controller’s option. All existing (other) copies of Personal Data, including but not limited to Employees and/or Sub-processors, will be demonstrably permanently deleted.

10.4 Processor confirms in writing at the request of Controller that Processor has complied with all obligations under Article 10.3.

10.5 Processor shall bear the costs of destruction, return and/or transfer of the Personal Data. Controller may impose further requirements on the manner of destruction, return and/or transfer of the Personal Data, including requirements on the file format. The transfer of Personal Data shall be based on an open file format. The parties will agree on a reasonable division of any additional costs for the further requirements.

10.6 Obligations under the DPA that by their nature are intended to continue after termination of the DPA shall continue after termination of the Data Processor Agreement.

Article 11 Confidentiality

11.1 Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party.

11.2 All Personal Data qualifies as confidential data and should be treated as such.

Article 12 Liability

12.1 Processor shall be liable for any damages arising out of or in connection with the breach of the DPA and/or the GDPR and/or other Applicable Laws and Regulations concerning the Processing of Personal Data.

12.2 A Party may not invoke a limitation of liability provided in the Principal Agreement, DPA or other agreement or arrangement existing between the Parties, in respect of any action brought by the other Party under Article 82 GDPR; or under the DPA, filing to the extent that the action consists of a fine paid to the Supervisory Authority that is wholly or partially attributable to the other Party.

12.3 Each Party is obliged to inform the other Party without undue delay of a (possible) liability or the (possible) imposition of a fine by a Supervisory Authority, both in connection with the DPA. Each Party is in reasonable obligation to provide the other Party with information and/or support for the purpose of conducting defence against a (possible) liability or fine, as referred to in the previous sentence. The Party providing information and/or support is entitled to charge any reasonable costs in this respect to the other Party. Parties will inform each other of these costs in advance to the extent possible.

Article 13 Governing Law and jurisdiction

13.1 This DPA is governed by the laws of The Netherlands.

13.2 Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the competent court in the place where Controller is located.