v1.02
V1.02: Updated, see this link for an overview of all changes.
All ZooEasy legal documents are only available in Dutch and English.
The hereafter stated terms indicated with an initial capital letter, whether written in singular or plural, shall have the following meanings:
General Terms and Conditions: the Processor’s General Terms and Conditions, that apply in full to any agreement between the Processor and Data Controller and of which General Terms and Conditions these Data Processing Terms form an inseparable part;
Annex: an annex to these Data Processing Terms, which forms an inseparable part of these Data Processing Terms;
GDPR: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Person Concerned: the identified or identifiable natural persons to whom Personal Data relates, as referred to in section 4 under 1 GDPR;
Third Party: a natural or legal person, a public authority, a service or other body, not being the Person Concerned, nor the Data Controller, nor the Processor, nor the persons authorized under the direct authority of the Data Controller or the Processor to Process Personal Data, as referred to in section 4 under 10 GDPR;
Personal Data Breach: a breach of security that accidentally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure of or unauthorized access to Personal Data transmitted, stored or otherwise Processed, as referred to in section 4 under 12 GDPR;
Underlying Agreement: the agreement between Processor and Data Controller regarding the provision of services by Processor to Data Controller;
Personal Data: any information about an identified or identifiable natural person, as referred to in section 4 under 1 GDPR and as further defined in Annex 1;
Sub-processor: another Processor engaged by the Processor for the purpose of Processing Personal Data for Data Controller;
Supervisory authority: one or more independent public authorities responsible for monitoring the application of the GDPR, as referred to in section 4 under 21 and section 51 GDPR. In the Netherlands, this is the Personal Data Authority (AP);
Processor: Reudink Software B.V., a private limited liability company, having its registered office in Zuidlaren at Julianalaan 57, 9471 EB, legally represented by Erik Reudink who Processes Personal Data on behalf of Data Controller;
Processing/Process or conjugations thereof: any operation or set of operations involving Personal Data or a set of Personal Data, whether or not carried out by automated means, such as the collection, recording, organization, structuring, saving, adaption or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data, as referred to in section 4 under 2 GDPR;
Data Controller: a natural or legal person, a public authority, a service or another body, being the person who has entered into an Agreement with Processor, who alone or together with others determines the purpose and means of Processing Personal Data, as referred to in section 4 under 7 GDPR.
2.1 Processor undertakes to Process Personal Data on behalf of Data Controller under the terms of these Data Processing Terms. Processing will only take place in the context of the performance of the provision of goods and services under the Underlying Agreement and the purposes reasonably related thereto or as determined by further agreement.
2.2 These are Data Processing Terms within the meaning of section 28 paragraph 3 GDPR, which regulate in writing the rights and obligations with respect to the Processing of Personal Data, including with respect to security.
2.3 These Data Processing Terms are, together with the General Terms and Conditions, part of the Underlying Agreement and all future agreements between the parties.
3.1 Processor shall not Process Personal Data for any purpose other than as determined by Data Controller and specified in Annex I. Data Controller shall inform Processor in writing of the subject and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Person Concerns and the rights and obligations of the Data Controller towards Person Concerns, as referred to in section 28 paragraph 3 GDPR, to the extent that this information is not already mentioned in these Data Processing Terms or Underlying Agreement.
3.2 Processor shall Process the Personal Data only on the basis of written instructions from the Data Controller, unless a provision of Union or Member State law applicable to the Processor requires her to Process. In that case, the Processor shall notify the Data Controller, prior to the Processing, of that legal requirement, unless the legislation prohibits this for important reasons of public interest.
3.3 If, in the opinion of the Processor, an instruction referred to in the second paragraph violates a legal requirement under the GDPR or other legislation on the protection of Personal Data, he immediately notifies the Data Controller.
3.4 With respect to the Processing mentioned in section 2, Processor shall ensure compliance with the applicable laws and regulations, including in any case the laws and regulations regarding the protection of Personal Data.
3.5 The permitted Processing operations will be performed only by authorized employees of Processor within an automated environment.
3.6 The obligations of the Processor arising from these Data Processing Terms also apply to those who Process Personal Data under the authority of Processor, including but not limited to employees, in the broadest sense.
3.7 The control and responsibility over the Personal Data never rests with Processor.
3.8 The Data Controller may issue additional, written instructions to Processor due to updates or changes in applicable personal data protection regulations.
3.9 Processor processes Personal Data only in the European Economic Area.
4.1 Processor is permitted to engage Sub-processors. Data Controller hereby gives general consent to Processor, subject to the condition that in the event of a change (addition or replacement) of the already known Sub-processors as listed in Annex 3, Processor shall notify Data Controller in writing no later than thirty (30) days prior to a proposed change. Processor may object with reasons up to ten (10) days before the effective date of the proposed change. Annex 3 lists the Sub-processors known at the time of the effective date of these Data Processing Terms.
4.2 If Processor engages a Sub-processor after permission from Data Controller, Processor shall ensure that the Sub-processor imposes the obligations of these Data Processing Terms through a contract and complies with them.
4.3 The Processor shall remain responsible to the Data Controller for the performance of the Sub-processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Data Controller of any failure of the Sub-processor to fulfill its contractual obligations.
5.1 All Personal Data that Processor receives from Data Controller and/or collects herself in the context of these Data Processing Terms shall be subject to a duty of confidentiality towards Third Parties. Processor shall not use this information for any other purpose than that for which she obtained it.
5.2 This obligation of confidentiality does not apply to the extent that Data Controller has given express consent to provide the information to Third Parties, if the provision of the information to Third Parties is logically necessary given the nature of the assignment provided and the performance of these Data Processing Terms, or if there is a legal obligation to provide the information to a Third Party.
5.3 Processor shall ensure that its staff and engaged auxiliary persons charged with the Processing of Personal Data undertake to observe confidentiality and only have access to Personal Data to the extent strictly necessary for the performance of these Data Processing Terms or the Underlying Agreement.
6.1 Processor shall – taking into account the applicable regulations on the protection of Personal Data, the state of technology and the costs of implementation – take technical and organizational security measures to secure the Personal Data against loss or against any form of unlawful Processing. The security measures currently in place are defined in Annex 2.
7.1 Processor shall provide the Data Controller with the cooperation necessary to fulfill the accountability obligation referred to in section 28 paragraph 3 GDPR. A reasonable fee will be charged for this work, unless otherwise agreed in the Underlying Agreement.
7.2 Data Controller has the right to have an audit performed once a year by a (legal) person authorized by the Data Controller, with respect to the organization of the Processor, in order to demonstrate that the Processor complies with the provisions of the Underlying Agreement, these Data Processing Terms, the GDPR and other applicable laws and regulations regarding the Processing of Personal Data. The costs shall be borne by the Data Controller.
7.3 Processor is obliged to provide an overview of the Personal Data being processed as part of the audit mentioned in paragraph 2.
7.4 Once a year, at the request of Data Controller, Processor shall provide a report to Data Controller in which Processor informs about the state of the security measures as described in section 6.
7.5 Data Controller and Processor may jointly agree on further security measures as a result of the report mentioned under paragraph 3.
8.1 In the event of a Personal Data Breach within the meaning of section 33 GDPR, Processor shall inform the Data Controller without unreasonable delay.
8.2 If and to the extent that all this information cannot be provided at the same time, the initial notification shall contain the information then available and further information shall thereafter be provided promptly as it becomes available.
8.3 Processor shall, where possible, assist the Data Controller in fulfilling its responsibilities towards the Supervisory Authority and/or Person Concerns as referred to in section 33 and 34 GDPR.
8.4 Reporting a Personal Data Breach to the Supervisory Authority and/or Person Concerns as well as maintaining a register of Personal Data Breaches as referred to in section 33 and 34 GDPR is the responsibility of Data Controller.
9.1 Upon request, Processor shall support Data Controller in fulfilling Data Controller’s obligations under sections 33 to 36 GDPR.
9.2 In the event that a Person Concerned invokes one or more rights referred to in sections 15 to 22 GDPR and directs the corresponding request to Processor, Processor shall inform the Data Controller of the request. Processor will not handle the request itself, unless otherwise agreed.
9.3 In the event that a Person Concerned invokes one or more rights referred to in sections 15 to 22 GDPR and directs the corresponding request to Data Controller, Processor provides the necessary assistance to Data Controller with this.
10.1 In accordance with the provisions of section 82 GDPR, Processor shall only be liable for damage or harm to the extent that it is caused by his activity.
10.2 Data Controller guarantees that the content, use and commissioning of the Processing of Personal Data as referred to in these Data Processing Terms are not unlawful and do not infringe the rights of Person Concerns and/or Third Parties. Data Controller shall indemnify Processor against any claims of Person Concerns or Third Parties arising out of or because of the Processing.
11.1 The Data Processing Terms are entered into for the term of the Underlying Agreement and terminate when the Underlying Agreement ends.
11.2 If a legal retention obligation requires Processor to retain certain data and/or documents, computer disks or other data carriers containing Personal Data for a legal period, then Processor shall ensure the destruction of such data or documents, computer disks or other data carriers within 4 weeks after the termination of the legal retention obligation.
11.3 Upon termination of the Underlying Agreement between Data Controller and Processor, Data Controller may request Processor to return to Data Controller, at Data Controller’s expense, all documents containing Personal Data. In case of return, Processor shall provide the Personal Data in the form as present with Processor.
11.4 Notwithstanding anything else in this section 11, Processor shall neither keep nor use any Personal Data after the termination of the Agreement.
11.5 Upon termination of the Underlying Agreement and these Data Processing Terms, provisions of these Data Processing Terms that by their nature are intended to continue to exist shall remain in effect, in particular section 5.
12.1 If one or more provisions of these Data Processing Terms are null and void or destroyed, the remaining conditions remain fully applicable. If any provision of these Data Processing Terms is not legally valid, the parties will negotiate the content of a new provision, which provision will approach the content of the original provision as closely as possible.
12.2 Parties may amend these Data Processing Terms only by mutual agreement.
12.3 Parties may not assign these Data Processing Terms and the rights and obligations related thereto to a Third Party, unless explicitly agreed otherwise in writing.
12.4 The provisions of these Data Processing Terms shall prevail in case of conflict with provisions of applicable Underlying Agreement and/or General Conditions.
12.5 In these Data Processing Terms, written also means by electronic means within the meaning of section 6:277a of the Dutch Civil Code.
12.6 These Data Processing Terms are governed by Dutch law.
12.7 All disputes related to the Data Processing Terms or their implementation shall be submitted to the competent court of the district court in which Data Controller is domiciled.
Notwithstanding the provisions of paragraph 7, Data Controller and Processor may choose another method of dispute resolution.
The Data Controller shall allow the Processor to Process the following Personal Data in the context of the assignment, which may include, but not be limited to:
(1) Name (initials, last name);
(2) Phone number;
(3) Email address;
(4) Residence;
(5) Bank account number
Personal Data may only be processed in the context of the following activities:
(1) The work, to be considered as the primary service, under which Data Controller has issued an order to Processor;
(2) The maintenance, including updates and releases of the system provided by Processor or Sub-Processor to Data Controller;
(3) Data and technical management, including by a Sub-processor;
(4) Hosting, including by a Sub-processor.
Processor has taken at least the following security measures::
To conduct the work, the Processor uses the following Sub-Processors:
Hosting and managing servers: CJ2
Payment provider: CM Payments