v1.01: Completely new document that is based on processing conditions that must be accepted instead of a processing agreement that must be signed.
In these Data Processing Terms, the following definitions have the following meaning:
1.1 Terms and Conditions: the Processor’s Terms and Conditions, that are applicable to any agreement between the Processor and Controller. The Data Processing Terms form an integral part of these Terms and Conditions.
1.2 Processor: ZooEasy, a private limited liability company, having its registered office in Zuidlaren at Domineeskamp 8, 9471 BG, legally represented by Erik Reudink.
1.3 Data: the personal data as described in Annex 1.
1.4 Principal: the natural or legal person who has instructed the Contractor to perform work activities, also Controller.
1.5 Contractor: ZooEasy, a private limited liability company, having its registered office in Zuidlaren at Domineeskamp 8, 9471 BG, legally represented by Erik Reudink.
1.6 Agreement: any agreement between the Principal and Contractor that concerns the performance of work activities by the Contractor for the benefit of the Principal, as determined in the Contract of Services.
1.7 Controller: the natural or legal person that determines the purposes and means of the processing of personal data, also Principal.
1.8 Work activities: all activities that have been ordered by the Principal or that are conducted by the Contractor to carry out the Contract of Services. The above applies in the broadest sense and includes the activities as stated in the Contract of Services.
2.1 These Data Processing Terms apply to all data collected by the Contractor for the Principal regarding the implementation of the Agreement and to the data that is being processed in the context of work activities arising from the Agreement.
2.2 Controller is responsible for the processing of the personal data as described in Annex 1.
2.3 Processor processes certain personal data in the context of the implementation of the Agreement.
2.4 These are Data Processing Terms within the meaning of Article 28 paragraph 3 General Data Protection Regulation, which contain the rights and obligations with regard to the processing of personal data, including the security measures that should be taken.
2.5 These Data Processing Terms are, together with the Terms and Conditions, part of the Agreement and all future agreements between the parties.
3.1 By giving the order to carry out work activities, the Controller has instructed the Processor to process the data on behalf of the Controller, as described in Annex 1 and in accordance with the provisions of these Data Processing Terms.
3.2 Processor will only process the data in accordance with these Data Processing Terms, in particular in accordance with Annex 1. Processor will not process the data for other purposes.
3.3 Processor will never have control over the data.
3.4 Controller may give additional, written instructions to Processor due to modifications or changes in the applicable regulations regarding the protection of personal data.
3.5 Processor will only process the personal data in the European Economic Area (EEA).
4.1 Controller shall take all the measures necessary to make sure the personal data are accurate – given the purpose for which they are collected or processed – and provided to Processor as such.
5.1 Processor and its employees or persons that carry out its orders, insofar as these persons have access to personal data, process the personal data only on the instructions of Controller, except by way of a legal derogation.
5.2 Processor and its employees or persons that carry out its orders, insofar as these persons have access to personal data, are obligated to keep the personal data they observe confidential. They are exempt from this confidentiality obligation to the extent that any statutory regulation obliges them to communicate the personal data or if the need to communicate arises from a task.
6.1 Processor will not share the personal data with third parties, unless Processor is instructed to do so by Controller or if Controller is required to do so on the grounds of mandatory regulations. In case of this latter matter, Processor will inform Controller in writing, unless this is not permitted under the aforementioned regulations.
6.2 Processor may use third parties (sub-processors) to carry out the work activities. By concluding and agreeing to these Data Processing Terms, the Processor received permission to use sub-processors as included in Annex 3, if necessary. This is done under the conditions as described in Article 10.1.
7.1 Processor will take technical and organizational security measures to protect against loss or any form of unlawful processing of the personal data, taking into account the applicable data protection regulations, the level of technical protection and the costs of implementation of these measures. The security measures already taken are defined in Annex 2.
7.2 Processor will make sure the measures also serve to prevent unnecessary collection and further processing of personal data.
8.1 Processor will enable Controller to check upon compliance with these Data Processing Terms and in particular the security measures taken as stated in Article 7 once a year, taking into account a reasonable period of notice.
8.2 In the context of the inspection referred to in Paragraph 1, Processor is obliged to provide an overview of the personal data that is being processed.
8.3 At the request of Controller, Processor will provide a report once a year, which contains information about the state of the security measures as described in Article 7.
8.4 Controller and Processor can agree further security measures in response to the report referred to in Paragraph 8.3.
9.1 When Processor takes notice of an incident or data breach that (among others) has or may have a connection with the personal data, Processor will inform Controller as soon as possible via the contact details that are known to Processor. Processor will provide information concerning the nature of the incident or data breach, the affected data, the determined and expected consequences on the data and the measures Processor has taken and will take.
9.2 Processor will support Controller in reporting to the parties and/or authorities involved.
10.1 If Processor is allowed under the agreement to subcontract its obligations to third parties, Processor will either impose these Data Processing Terms on this third party or conclude a (sub)processing agreement concerning the responsibilities and obligations of the sub-processor.
11.1 On request, Processor will support Controller in fulfilling their commitments under Articles 32 to 36 of the General Data Protection Regulation.
12.1 In accordance with the provisions of Article 82 of the General Data Protection Regulation, Processor shall only be liable for damage or loss to the extent that it is caused by Processor’s activity. Processor is only liable for the damage that can be attributed to him in the context of his activities regarding these Data Processing Terms and/or a breach of obligations of Processor under these Data Processing Terms.
13.1 These Data Processing Terms are valid for as long as Controller gives Processor the instruction to process personal data on the basis of the Agreement between Controller and Processor. As long as Processor is conducting work activities on behalf of Controller, these Data Processing Terms apply to this relation.
13.2 If Processor on the grounds of a legal obligation has to retain certain documents, computer disks and/or other data carriers that contain data, Processor will ensure destruction of these data carriers within 4 weeks after the end of the legal obligation to retain.
13.3 Upon termination of the Agreement between Processor and Controller, Controller may request to return all documents, computer disks and other data carriers that contain data to Controller, borne by Controller. Processor will provide the data in the form as present at Processor.
13.4 Without prejudice to the provisions of Article 12, Processor will not keep nor use any data after termination of the Agreement.
14.1 If one or more provisions of these Data Processing Terms are void or nullified, the other provisions remain fully applicable. If any provision of these Data Processing Terms is not legally valid, the parties will negotiate the content of a new provision, which provision will approach the contents of the original provision as closely as possible.
15.1 Dutch law is applicable to these Data Processing Terms.
15.2 All disputes relating to these Data Processing Terms or the implementation thereof shall be submitted to the competent court in the district in which Contractor is domiciled.
15.3 By way of derogation from paragraph 2, Principal and Contractor may opt for a different method of dispute resolution.
Controller will have Processor process the following personal data within the framework of the assignment, possibly including, but not limited to:
(1) Name (initials, surname);
(2) Telephone number;
(3) E-mail address;
(4) Place of residence;
(5) Bank account number;
The activities for which the above-mentioned data may be processed – exclusively if necessary – are in any case:
(1) The activities that are regarded as primary services, in the context of which Controller has issued an order to Processor.
(2) The maintenance, including updates and releases of the system made available by (sub-)Processor to Controller.
(3) Data and technical management, including management by a sub-processor.
(4) Hosting, including hosting by a sub-processor.
Processor has at least taken the following security measures:
To conduct the work, Processor uses the following sub-processors:
Hosting servers: CJ2
Payment provider: CM Payments
Hosting and maintenance servers: Sights