Processor Agreement

According to the General Data Protection Regulation

Article 1. Introductory provisions

Article 1.1.

The terms in this Processor Agreement that are defined in the AVG shall have the meanings set forth therein.

Article 1.2.

Wherever this Processor Agreement refers to a provision of the Wbp, the corresponding provision of the General Data Protection Regulation (the "AVG") is meant as of relevant date.
Note: Processor is U-center Holding B.V.; responsible party is the customer.

Article 2. Purposes of processing

Article 2.1.

Processor undertakes to process personal data on behalf of Responsible Party under the terms of this Processor Agreement. Processing will only take place in the context of performing the Agreement and for purposes determined by further agreement.

Article 2.2.

Respondent itself determines which (types of) personal data it allows Processor to process and to which (categories of) data subjects these personal data relate. Processor has no influence on this.

Article 2.3.

Processor shall not process the personal data for any purpose other than as determined by Respondent. Respondent will inform Processor of the processing purposes insofar as they are not already mentioned in the Processor Agreement.

Article 2.4.

Personal data to be processed on behalf of Respondent shall remain the property of Respondent or the relevant data subject(s).

Article 2.5.

The Responsible Party guarantees that the content, use and assignment of processing of personal data as referred to in the Processing Agreement is not unlawful and does not infringe any rights of third parties. In addition, the Responsible Party guarantees: that the processing of personal data falls under one of the exemptions under the AVG, or if this is not the case a notification has been made to the Personal Data Authority; and that it will keep a register of the processing operations regulated under this Processor Agreement as of May 25, 2018.

Article 2.6.

Respondent shall indemnify Processor against all claims and demands related to the failure to comply or to comply properly with the obligations in Article 2.5.

Article 3. Obligations of Processor

Article 3.1.

In respect of the processing mentioned in Article 2, Processor shall ensure compliance with the conditions that, under the AVG, are imposed on the processing of personal data by Processor.

Article 3.2.

Processor shall inform the Respondent, at the latter's first request, of the measures it has taken regarding its obligations under this Processor Agreement and the Wbp and AVG.

Article 3.3.

The obligations of Processor arising from this Processor Agreement also apply to those who process personal data under the authority of Processor.

Article 4. Transfer of personal data

Article 4.1.

Processor may process personal data in countries within the European Union.Forwarding to countries outside the European Union is permitted only in compliance with the relevant regulations of the AVG.

Article 4.2.

Processor will notify Respondent upon request of the country or countries involved.

Article 5. Division of responsibility

Article 5.1.

The permitted processing operations will be performed by Processor within a (semi)automated environment under the control of Processor.

Article 5.2.

Processor is only responsible for the processing of personal data under this Processor Agreement, in accordance with the instructions of Respondent and under the express (ultimate) responsibility of Respondent.

Article 5.3.

For all other processing of personal data, including, in any case, the collection of personal data by Respondent, processing for purposes not notified to Processor by Respondent, processing by third parties or for other purposes, Processor is not responsible.

Article 6. Engaging third parties or subcontractors

Article 6.1.

Respondent authorizes Processor to use third parties when processing personal data under this Processor Agreement, subject to applicable privacy laws and regulations.

Article 6.2.

Processor shall, if requested by Respondent, inform Respondent as soon as possible about the third parties engaged by it. Respondent has the right to object to any third parties engaged by Processor.

Article 6.3.

Processor shall not raise an objection on unreasonable grounds and shall provide sufficient justification for the objection. Where the Respondent objects to third parties engaged by the Processor, the Parties shall consult with each other to reach a solution.

Article 6.4.

Processor shall ensure that third parties it engages assume obligations in writing that are at least as stringent as the obligations imposed on Processor under the Processor Agreement.

Article 6.5.

Processor shall ensure proper compliance by these third parties with the duties referred to in Article 6.4 and shall be liable to the Responsible Party in the event of errors as if it had committed the error(s) itself.

Article 6.6.

The maximum liability of Processor for damages referred to in Article 6.5 shall be limited to the amount agreed in the Contract (including Processor's general terms and conditions).

Article 7. Security

Article 7.1.

Processor shall take appropriate technical and organizational measures with respect to the processing of personal data to be performed, against loss or against any form of unlawful processing (such as unauthorized access, deterioration, alteration or disclosure of the personal data).

Article 7.2.

Despite the fact that Processor is required to implement appropriate security measures in accordance with the first paragraph of this article, Processor cannot fully guarantee that the security is effective under all circumstances. However, in the event of a threat to - or actual breach of - these security measures, Processor shall make every effort to minimize the loss of Personal Data.

Article 7.3.

In the absence of an expressly defined security in the Processor Agreement, Processor shall ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.

Article 7.4.

Respondent shall make personal data available to Processor for processing only if Respondent has satisfied itself that the required security measures are in place.

Article 8. Duty to report

Article 8.1.

In the case of a data leak (...) within 48 hours after the data leak becomes known to Processor.

Article 8.2.

The obligation to report applies only if the leak has actually occurred and includes, in any case, reporting the fact that a data leak has occurred, as well as, to the extent this information is available at Processor: (...) and to mitigate the consequences of the leak.

Article 8.3.

Respondent itself assesses whether it will inform the relevant authorities and/or data subject(s) and is itself responsible for compliance with (statutory) reporting obligations. If required by privacy laws and regulations, Processor will cooperate in informing the relevant authorities or data subjects.

Article 9. Handling requests from data subjects.

Article 9.1.

If a data subject wishes to exercise one of his/her legal rights and directs the request to Processor to do so, Processor will forward this request to Controller. Controller will then take care of processing the request. Processor may notify the data subject accordingly.

Article 9.2.

In the event that a data subject makes a request to the Respondent to exercise one of his legal rights, Processor shall, if the Respondent so requires, cooperate as far as possible and as far as reasonable. Processor may charge Responsible Party reasonable costs for this purpose.

Article 10. Duty of confidentiality

Article 10.1.

All personal data that Processor receives from Respondent or that Processor itself collects in the context of this Processor Agreement is subject to a duty of confidentiality to third parties.

Article 10.2.

This confidentiality obligation does not apply to the extent that Respondent has given express consent to provide the information to third parties, if providing the information to third parties is logically necessary for the performance of the Processor Agreement, or if there is a legal obligation to provide the information to a third party.

Article 10.3.

If Processor is required by law to provide information to a third party, Processor will inform the Responsible Party as soon as possible to the extent permitted by law.

Article 11. Audit

Article 11.1.

Respondent has the right to have audits performed by an independent expert third party bound by confidentiality to verify the security requirements as agreed in Article 7 of the Processor Agreement.

Article 11.2.

The audit referred to in Article 11.1 will only take place in the event of a concrete suspicion of abuse which has been demonstrated by the Responsible Party. The audit initiated by Respondent will take place two weeks after prior notice by Respondent.

Article 11.3.

Processor shall cooperate with the audit and provide all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable time frame, with a maximum of two weeks being reasonable.

Article 11.4.

The findings resulting from the audit conducted will be reviewed by the Parties in mutual consultation and, as a result, may or may not be implemented by either or both Parties jointly.

Article 11.5.

The cost of the audit shall be borne by Respondent.

Article 12. Liability

Article 12.1.

The Parties' liability for damages resulting from an attributable failure to perform the Processor's Agreement, or in tort or otherwise, shall be governed by the rules on liability agreed upon in the Agreement (including the general terms and conditions of Processor).

Article 13. Duration and termination

Article 13.1.

This Processor Agreement is entered into for the duration as stipulated in the Agreement and, failing that, in any case for the duration of the cooperation between the Parties. This Processor Agreement cannot be terminated in the interim.

Article 13.2.

The parties may amend this Processor Agreement only by mutual agreement, but will cooperate fully to adapt the Processor Agreement to any new or amended privacy laws and regulations.

Article 13.3.

Upon termination of the Processor Agreement, Processor shall destroy all personal data in its possession, unless the Parties agree otherwise.