Processing conditions

Version 1.00

‘Controller’; a company that is responsible for the personal data
and provides the party that will process these personal data, hereinafter: ‘’Controller’’;

‘Processor’; ZooEasy, a private limited company with registered office in Drachten and its principal place of business in Drachten at Hanebalken 227, 9205CL, duly represented by Erik Reudink, hereinafter: ‘’Processor’’;

whereas:

  • The Processor performs genealogical animal registers and administration software.
  • In that context the Processor will save and store personal data for the Controller during a term of 2 years.
  • In cases that arise, at the (written) request of the Controller, the Processor must also put personal data in order and/or connect and adjust them.
  • This concerns processing of personal data as referred to in the Personal Data Protection Act, General Data Protection Resolution (hereinafter ‘GDPR’).
  • The Controller has indicated the purpose and means of processing which, together with the agreements between the Parties on the protection of the personal data, have been set out in this Agreement (hereinafter: the ‘Processing Agreement’).

HAVE AGREED THE FOLLOWING:

1. Purposes of the processing

1.1. The Processor performs genealogical animal registers and administration software. This concerns (special) personal data of the Controller, such as:

– Name and address details;
– email addresses;
– telephone numbers.

1.2. Processing shall be done only within the framework of the Contract for Services and for the purposes set out in this Processing Agreement.
1.3. Processing by the Processor will take place in an automated environment.
1.4. The Processor is not and shall not become the owner of the personal data to be processed.

2. Obligations of the Processor and Controller

2.1. The Processor must:

  • comply with the applicable laws and regulations, including the Wbp/GDPR;
  • not provide any personal data to third parties and not allow data subjects to inspect them without having obtained prior written permission for this from the Controller;
  • inform the Controller of all measures taken by the Processor (in relation to the obligations under the Processing Agreement), if and as soon as the Controller requests this;
  • provide the Controller with all possible support in complying with the obligations with a view to requests concerning the rights of data subjects;
  • not store data longer than necessary.

2.2. The Controller guarantees that the processing of personal data is lawful.

3. Location of the data processing

3.1. The Processor will process personal data obtained from the Controller in the Netherlands or another country/other countries in the European Union. The Processor may only take data to/process data in countries that are not Member States of the European Union if prior written permission to do so has been obtained from the Controller.

3.2. If the Processor takes data to/processes data in countries that are not Member States of the European Union, it must inform the Controller of which countries are concerned.

4. Security measures and inspection

4.1. The Processor must take appropriate technical and organisational measures to protect Personal Data against loss or any other form of unlawful processing. These measures must guarantee an appropriate level of protection, taking account of the:

  • state of the art;
  • costs of implementing the measures;
  • risks involved in the processing;
  • nature of the personal data to be protected.

4.2. The technical and organisational measures taken by the Processor as referred to in the preceding paragraph are described in the appended.

4.3. The Processor must inform the Controller if one of the security measures changes.

4.4. Under the conditions referred to in paragraph 4.5, the Processor must allow the Controller (or the investigating authority indicated by the Controller) to inspect compliance with the security measures taken by the Processor. Said inspection is connected only with the processing activities coming under the Processing Agreement.

4.5. If the Controller wants to conduct an inspection as referred to in the preceding paragraph, it will be bound by the following conditions:

  • such inspection will be conducted only if, after the Controller has made a request to that effect, the Processor does not reply or does not give a definite answer about compliance by the Processor with the security measures;
  • the inspection will take place no more than once a year;
  • The Controller will inform the Processor of its intention to conduct an inspection (or have one conducted) in writing at least two weeks prior to the inspection;
  • the inspection will be conducted by an independent ICT expert that is bound by a duty of confidentiality;
  • the inspection will be conducted on working days/during office hours;
  • The Processor and Controller will make (more detailed) agreements in good consultation with each other on the date, time and/or duration of the inspection. The Processor will provide all cooperation in the conduct of an inspection that is reasonably necessary.
  • 4.6. If costs are involved in the inspection referred to in this article for the Processor and/or Controller, these costs will be payable by the Controller.

5. Confidentiality

5.1. The Processor must maintain the confidentiality of all personal data it receives from the Controller, except if it has written permission from the Controller to provide the personal data or if it is legally required to provide them.

5.2. The Processor must have staff members and third parties it engages in the processing of personal data sign a written confidentiality statement.

6. Engagement of third parties and subcontractors

While maintaining full liability for compliance with the obligations under this Agreement, the Processor may engage one or more third parties/subcontractors in the context of performing this Processing Agreement, provided the Processor:

a. guarantees by way of a written agreement with the third party that such third party will also follow the instructions of the Controller; and
b. guarantees by way of a written agreement with the third party that it will be subject to all obligations under this Agreement to which the Processor is subject;
c. has obtained permission from the Controller.

7. Incident response

7.1. The moment the Processor gains knowledge of breach of Section 34a of the Wbp/Art. 33 GDPR and/or any other incident in relation to security of the personal data it processes under the Agreement, it must:

  • inform the Controller of this immediately;
  • provide the Controller as quickly as possible with all information about:
    • the nature of the breach;
    • the personal data (possibly) affected;
    • and the established/expected consequences of the breach for the processing of the personal data and/or the data subject(s);
  • take all reasonable measures to prevent/limit further violation of the Wbp.

7.2. To the best of its ability, the Processor must keep a log of the incidents as referred to in the preceding paragraphs and the measures taken following on such incidents, which it will allow the client to inspect as soon as possible on request.

7.3. The Processor is aware that the Controller is legally required under certain circumstances to report a breach of the security of personal data that the Processor processes to the data subject(s) or to the competent authority. The Controller can also be subject to the obligation to cooperate in an investigation by the competent authority and have the obligation in that context to provide information. The Processor shall not consider compliance with the aforementioned obligations as a failure to comply with the Processing Agreement or the Contract for Services by the Controller or as unlawful action.

7.4 The Controller will decide whether there has been a security incident that must be reported to the data subject(s) or to the competent authority. If the Controller decides that a report must be made, the Controller will provide tor this. The parties can occasionally make different agreements to this effect. These agreements must be set out in writing.

7.5 The Processor must take all measures that are needed to limit harm (if any) and support the Controller in making the reports referred to in this article to the data subject(s) and/or the competent authority or in an investigation by this authority.

8 Liability

8.1 The Controller shall be liable for the harm arising from a breach of the security of the personal data or any other incident in relation to the security of the personal data, unless it is established at law that the Processor has failed imputably.

8.2 The Processor and Controller undertake to each other to insure themselves adequately and keep themselves insured during the term of the Processing Agreement for liability in accordance with this article.

9 Duration and termination of the Processing Agreement

9.1 The Processing Agreement will be concluded once the Parties have signed it. The stipulations set out in the Contract for Services in relation to termination are also applicable to the Processing Agreement. The Processing Agreement will end in any case at the time the Contract for Services ends.

9.2 The Processor must see to it that all personal data made available to it are returned/made available to the Controller as soon as possible after termination of the Processing Agreement. The Processor must delete any digital copies of personal data immediately after termination of the Processing Agreement. If the Controller gives different written instructions to the Processor prior to the end of the Processing Agreement, the Processor must follow these instructions. The Processor will notify the Controller in writing of the return/making available/deletion of the personal data.

If the Processor is of the opinion that it has an independent statutory obligation that wholly or partially prohibits the return/making available/deletion of the personal data, it must contact the Controller about this as soon as possible in writing. The Processor must also provide the Controller with all information that is reasonably necessary to assess whether deletion is possible and under what conditions. The Controller will notify the Processor of its response in writing. If in the Controller’s reasonable opinion the Processor may delete the personal data wholly or partially, the Processor must proceed to do so as soon as possible. If the Controller is of the opinion that the personal data may not be deleted, the Processor must guarantee that it will not process the personal data further, except to comply with a statutory obligation or after written instructions from the Controller.

10 Other stipulations

10.1 If and in so far as the Processing Agreement and the Contract for Services and/or the General Terms and Conditions applicable to the Contract of Services differ from and/or are in conflict with each other, the stipulations in the Processing Agreement will take precedence.

10.2 If one or more stipulations of the Processing Agreement prove not to be legally valid, the Processing Agreement will remain in force for the rest. The Parties will consult about the stipulations that are not legally valid for the purpose of replacing them with stipulations that are legally valid. They will seek to bring these stipulations as far as possible in line with the purport of the stipulations to be replaced.

10.3 Changes to the services to be performed by the Processor and/or the purpose of the processing must be agreed by the Parties in writing in advance.

10.4 Unless the Parties have agreed otherwise in writing, the stipulations of the Contract for Services will apply to the Processing Agreement.

10.5 If security measures need to be taken pursuant to a mandatory legislative amendment, and the Processor states in writing that it does not agree to this, the Controller will then be entitled to terminate this Processing Agreement and the related agreement on the date on which the legislative amendment enters into effect.

11 Applicable law and dispute resolution

The Processing Agreement is governed by Dutch law. Any disputes will be brought before the court which has jurisdiction.