Processor Agreement: Customer (Controller) – DailyPack (Processor) AVG
Considerations:
A. We have entered into a partnership with You for the provision of the following services by Us: Processing Your Orders and Managing Your Inventory (the “Underlying Order”).
We thereby Process the Personal Data listed in the Appendix accompanying this Agreement.
B. Because of the performance of this Underlying Assignment and with regard to the Personal Data that We will Process hereby, we can be regarded as “Processor” and You as “Controller”. We set out our mutual rights and obligations in this Agreement.
The parties agree as follows:
1. Definitions
A number of terms are used in this Agreement. The meaning of these terms is explained below. The terms listed are capitalized in this Agreement. In the list below, use is often made of the definition of the term from the legislation and regulations in the field of privacy.
Data Subject: The person to whom Personal Data relates.
Processor: A natural or legal person, a public authority, a service or other body that processes personal data on behalf of the Controller, without being subject to its direct authority.
Sub-processor: Another processor that is deployed by the Processor to perform specific processing activities on behalf of the Controller.
Controller / Controller: A natural or legal person, a public authority, a service or any other body that, alone or together with others, determines the purposes and means of the processing of personal data.
Special Personal Data: These are data showing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a person, data about health, or data related to a person’s sexual behavior or sexual orientation. As well as personal data regarding criminal convictions and offenses or related security measures.
Data breach / Breach in connection with personal data: A breach of security that accidentally or unlawfully leads to – or where it cannot reasonably be ruled out that it could lead to – the destruction, loss, modification or unauthorized disclosure of or unauthorized access to transmitted, stored or otherwise processed personal data.
Third Parties: Others than You and We and Our Employees.
Data Leaks Reporting Obligation: The obligation to report Data Leaks to the Dutch Data Protection Authority and (in some cases) to the Data Subject (s).
Employees Persons who work for you or with Us, either employed or hired on a temporary basis.
Underlying assignment: The assignment as referred to above in the considerations under A.
Agreement: This processor agreement.
Personal data: All information about an identified or identifiable natural person (“the Data Subject”) that is processed in the context of the “Underlying Assignment”; an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Personal data of a sensitive nature Personal data where loss or unlawful Processing can lead to (among other things) stigmatization or exclusion of the Data Subject, damage to health, financial damage or to (identity) fraud.
These categories of personal data should in any case include:
• Special personal data
• Information about the financial or economic situation of the Data Subject
• (Other) data that can lead to stigmatization or exclusion of the Data Subject
• Usernames, passwords and other login details
• Data that can be misused for (identity) fraud
Processing / Processing: An operation or a whole of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of transmission, dissemination or otherwise make available, align or combine, block, delete or destroy data.
GDPR General Data Protection Regulation, including the implementing law of this regulation. The AVG replaces the Personal Data Protection Act as of 25 May 2018.
2. Applicability and term
2.1 This Agreement applies to any Processing performed by Us as Processor on the basis of the Underlying Assignment, given by You as the Controller.
2.2 This Agreement enters into effect on the date the Underlying Assignment takes effect and ends when we no longer have any Personal Data in our possession that we process for you in the context of the Underlying Assignment. It is not possible to terminate this Agreement prematurely.
2.3 Articles 6 and 7 of this Agreement will continue to apply, even after the Agreement (or the Underlying Assignment) has been terminated.
3. Processing
3.1 We Process the Personal Data only in the manner that We have agreed with You in the Underlying Assignment. We will not do this Processing for longer or more extensively than necessary for the execution of this Underlying Assignment.
3.2 The Processing takes place under Your responsibility. We have no control over the purpose and means of the Processing and do not make decisions about matters such as the use of Personal Data, the retention period of the Personal Data processed for you and the provision of Personal Data to Third Parties. You must ensure that You have clearly identified the purpose and means of the Processing of the Personal Data. Control over the Personal Data never rests with Us.
3.3 You are legally obliged to comply with applicable privacy laws and regulations. In particular, you must determine whether there is a lawful basis for Processing the Personal Data. We ensure that We comply with the regulations applicable to us as Processor in the field of the Processing of Personal Data and the agreements We have made in this Agreement.
3.4 We ensure that only Our Employees have access to the Personal Data. The exception to this is included in Article 3.5. We limit access to Employees for whom access is necessary for their work, with access limited to Personal Data that these Employees need for their work. We also ensure that the Employees who have access to the Personal Data have received correct and complete instruction on how to handle Personal Data and that they are familiar with the responsibilities and legal obligations.
3.5 We may engage other processors (Sub-processors) to perform certain activities arising from the Underlying Assignment, for example if these Sub-processors have specialist knowledge or resources that We do not have. By signing this Agreement, you consent to the engagement of the Sub-Processors listed in the Annex accompanying this Agreement. We will inform you in advance about engaging other Sub-Processors and give you the opportunity to object to this.
3.6 To the extent possible, We will assist You in fulfilling Your obligations to deal with requests to exercise the rights of Data Subjects. If We receive (direct) requests from the Data Subject (s) to exercise their rights (for example, access, change or deletion of Personal Data), We will forward these requests to You. You process these requests yourself, whereby We can of course help You if We have access to these Personal Data in the context of the Underlying Assignment. We can charge costs for this.
3.7 We will only Process the Personal Data within the European Economic Area, unless We have made other arrangements with You about this. We jointly record these agreements in writing or by e-mail. By signing this Agreement, you consent to the Processing outside of the EEA listed in the Annex to this Agreement.
3.8 If We receive a request to provide Personal Data, We will make it available. We try to do this in such a short time that it is possible for You to institute any legal remedies against the provision of the Personal Data. If We are allowed to inform You, We will also inform You o shift about the way in which and which data We will make available.
4. Security measures
4.1 We have taken the security measures listed in the Schedule that accompanies this Agreement. When taking the security measures, the risks to be mitigated, the state of the art and the costs of the security measures have been taken into account.
4.2 You have informed yourself well about the security measures We have taken and are of the opinion that these measures have a security level that is appropriate to the nature of the Personal Data and the scope, context, purposes and risks of the Processing.
4.3 We will inform you if one of the security measures changes substantially.
4.4 We offer suitable guarantees for the application of the technical and organizational security measures with regard to the Processing to be carried out. If You wish to have the manner in which We comply with the security measures inspected, You can submit a request to Us to this effect. We will make agreements about this jointly with you. The costs of an inspection are at your expense. You provide Us with a copy of the inspection report.
5. Data breaches
5.1 If there is a Data Breach, We will notify you. We aim to do this within 48 hours after we have discovered this Data Breach, or as soon as possible after we have been informed by Our Sub-processors. Further agreements on the manner in which are included in Article 11 of this Agreement. We will provide you with the information that you reasonably need to – if necessary – make a correct and complete report to the Dutch Data Protection Authority and possibly the Data Subject (s) in the context of the Data Breach Reporting Obligation or we will send the report from our Sub-processor to you. We will also keep you informed of the measures taken by Us, or our Sub-processor, in response to the Data Breach.
5.2 Reporting Data Leaks to the Dutch Data Protection Authority and (possibly) the Data Subject (s) is always Your own responsibility.
5.3 Keeping a register of Data Breaches is always your own responsibility.
6. Duty of confidentiality:
6.1 We keep the Personal Data obtained from you secret and oblige Our Employee to do so.
7. Liability
7.1 You guarantee that the Processing of Personal Data on the basis of this Agreement is not unlawful and does not infringe the rights of the Data Subject (s).
7.2 We are not liable for damage resulting from your failure to comply with the GDPR or other laws or regulations. You also indemnify us against claims from Third Parties based on such damage. The indemnification applies not only to the damage suffered by Third Parties (material but also immaterial), but also to the costs that We have to incur in connection therewith, for example in any legal proceedings, and the costs of any fines imposed on Us. as a result of your actions.
7.3 The limitation of Our liability agreed in the Underlying Assignment and the accompanying general terms and conditions applies to the obligations as included in this Agreement, on the understanding that one or more claims for damages under this Agreement and / or the Underlying Assignment will never be exceeded. of the restriction.
8. Transferability Agreement
8.1 Unless We jointly agree otherwise in writing, You and Us are not permitted to transfer this Agreement and the rights and obligations associated with this Agreement to anyone else.
9. Termination and Return / Destruction of Personal Data
9.1 If the Underlying Assignment is terminated, We will transfer the Personal Data You have provided to Us back to You or – if You request Us to do so – destroy it. We will only keep a copy of the Personal Data if We are obliged to do so by law or (professional) regulations.
9.2 The costs of collecting and transferring Personal Data upon termination of the Underlying Assignment are at Your expense. The same applies to the costs of the destruction of the Personal Data. If you request it, We will give you an estimate in advance.
10. Additions and amendments to the Agreement
10.1 Additions and changes to this Agreement are only valid if they are in writing. “In writing” also includes changes communicated by e-mail, followed by an agreement by e-mail from the other party.
10.2 A change in the processed Personal Data or in the reliability requirements, the privacy regulations or your requirements may give rise to supplementing or changing this Agreement. If this leads to significant adjustments to the underlying engagement, or if We cannot provide an appropriate level protection, this may be a reason for Us to terminate the Underlying Assignment.
11. Final provisions
11.1 At Your request, We will make available to You all information necessary to demonstrate compliance with the obligations set out in this Agreement. We facilitate and contribute to audits, including inspections, by you or an auditor authorized by you. The costs of such requests, audits or inspections will be at Your expense. Any audits at Our Sub-processors are also at your expense.
11.2 On request, the parties will cooperate with the supervisory authority in the performance of its duties.
11.3 This Agreement is governed by Dutch law and the Dutch court has jurisdiction to hear all disputes arising from or related to this Agreement.
11.4 This Agreement ranks higher than other agreements We have entered into with You. If You use terms and conditions, they do not apply to this Agreement. The provisions of this Agreement supersede the provisions of Our general terms and conditions, unless explicit reference is made to a provision in the general terms and conditions.
11.5 If one or more provisions in this Agreement prove to be invalid, this will not affect the validity of the other provisions in this Agreement. We will then consult with you to jointly draw up a new provision. This provision will be in the spirit of the invalid provision as much as possible, but of course designed in such a way that the provision is valid.
Appendix
Personal data
We process the order and personal data made available by you in our system in collaboration with our sub-processors with the aim of preparing your products for shipment.
The following Personal Data will be processed in the context of the Underlying Assignment:
We process the PII information. data, e-mail, telephone number and the products ordered.
Processing
We Process Personal Data for You in the following ways:
We process data entered by you in our system or taken over from one or more sales channels of you.
You determine which Personal Data are processed and how, You are the Controller for this processing.
Technical and organizational measures
We take the following technical and organizational measures to protect the Personal Data against loss or unlawful Processing:
We keep our software up-to-date and monitor our security.
Third parties
We engage these third parties (Sub-processors) to carry out the Underlying Assignment:
(Sub) processor Processing
PostNL PII information + email + telephone number
GLS PII information + email + telephone number
DPD PII information + email + telephone number
DHL PII information + email + phone number
SendCloud PII information + email + phone number
KeenDelivery PII information + email + phone number
MyParcel PII information + email + telephone number
Processing outside the European Economic Area
The following Processing operations are carried out outside the EEA when performing the Underlying Assignment:
(Sub) processor Processing