‘Controller’: a company that is responsible for the personal data
and provides the party that will process these personal data, hereinafter: “Controller”;
‘Processor’: ZooEasy, a private limited company with registered office in Drachten and its principal place of business in Drachten at Hanebalken 227, 9205CL, duly represented by Erik Reudink, hereinafter: “Processor”;
1. Purposes of the processing
1.1. The Processor performs genealogical animal registers and administration software. This concerns (special) personal data of the Controller, such as:
– Name and address details;
– email addresses;
– telephone numbers.
1.2. Processing shall be done only within the framework of the Contract for Services and for the purposes set out in this Processing Agreement.
1.3. Processing by the Processor will take place in an automated environment.
1.4. The Processor is not and shall not become the owner of the personal data to be processed.
2.1. The Processor must:
2.2. The Controller guarantees that the processing of personal data is lawful.
3.1. The Processor will process personal data obtained from the Controller in the Netherlands or another country/other countries in the European Union. The Processor may only take data to/process data in countries that are not Member States of the European Union if prior written permission to do so has been obtained from the Controller.
3.2. If the Processor takes data to/processes data in countries that are not Member States of the European Union, it must inform the Controller of which countries are concerned.
4.1. The Processor must take appropriate technical and organisational measures to protect Personal Data against loss or any other form of unlawful processing. These measures must guarantee an appropriate level of protection, taking account of the:
4.2. The technical and organisational measures taken by the Processor as referred to in the preceding paragraph are described in the appended.
4.3. The Processor must inform the Controller if one of the security measures changes.
4.4. Under the conditions referred to in paragraph 4.5, the Processor must allow the Controller (or the investigating authority indicated by the Controller) to inspect compliance with the security measures taken by the Processor. Said inspection is connected only with the processing activities coming under the Processing Agreement.
4.5. If the Controller wants to conduct an inspection as referred to in the preceding paragraph, it will be bound by the following conditions:
5.1. The Processor must maintain the confidentiality of all personal data it receives from the Controller, except if it has written permission from the Controller to provide the personal data or if it is legally required to provide them.
5.2. The Processor must have staff members and third parties it engages in the processing of personal data sign a written confidentiality statement.
While maintaining full liability for compliance with the obligations under this Agreement, the Processor may engage one or more third parties/subcontractors in the context of performing this Processing Agreement, provided the Processor:
a. guarantees by way of a written agreement with the third party that such third party will also follow the instructions of the Controller; and
b. guarantees by way of a written agreement with the third party that it will be subject to all obligations under this Agreement to which the Processor is subject;
c. has obtained permission from the Controller.
7. Incident response
7.1. The moment the Processor gains knowledge of breach of Section 34a of the Wbp/Art. 33 GDPR and/or any other incident in relation to security of the personal data it processes under the Agreement, it must:
7.2. To the best of its ability, the Processor must keep a log of the incidents as referred to in the preceding paragraphs and the measures taken following on such incidents, which it will allow the client to inspect as soon as possible on request.
7.3. The Processor is aware that the Controller is legally required under certain circumstances to report a breach of the security of personal data that the Processor processes to the data subject(s) or to the competent authority. The Controller can also be subject to the obligation to cooperate in an investigation by the competent authority and have the obligation in that context to provide information. The Processor shall not consider compliance with the aforementioned obligations as a failure to comply with the Processing Agreement or the Contract for Services by the Controller or as unlawful action.
7.4 The Controller will decide whether there has been a security incident that must be reported to the data subject(s) or to the competent authority. If the Controller decides that a report must be made, the Controller will provide tor this. The parties can occasionally make different agreements to this effect. These agreements must be set out in writing.
7.5 The Processor must take all measures that are needed to limit harm (if any) and support the Controller in making the reports referred to in this article to the data subject(s) and/or the competent authority or in an investigation by this authority.
8.1 The Controller shall be liable for the harm arising from a breach of the security of the personal data or any other incident in relation to the security of the personal data, unless it is established at law that the Processor has failed imputably.
8.2 The Processor and Controller undertake to each other to insure themselves adequately and keep themselves insured during the term of the Processing Agreement for liability in accordance with this article.
9.1 The Processing Agreement will be concluded once the Parties have signed it. The stipulations set out in the Contract for Services in relation to termination are also applicable to the Processing Agreement. The Processing Agreement will end in any case at the time the Contract for Services ends.
9.2 The Processor must see to it that all personal data made available to it are returned/made available to the Controller as soon as possible after termination of the Processing Agreement. The Processor must delete any digital copies of personal data immediately after termination of the Processing Agreement. If the Controller gives different written instructions to the Processor prior to the end of the Processing Agreement, the Processor must follow these instructions. The Processor will notify the Controller in writing of the return/making available/deletion of the personal data.
If the Processor is of the opinion that it has an independent statutory obligation that wholly or partially prohibits the return/making available/deletion of the personal data, it must contact the Controller about this as soon as possible in writing. The Processor must also provide the Controller with all information that is reasonably necessary to assess whether deletion is possible and under what conditions. The Controller will notify the Processor of its response in writing. If in the Controller’s reasonable opinion the Processor may delete the personal data wholly or partially, the Processor must proceed to do so as soon as possible. If the Controller is of the opinion that the personal data may not be deleted, the Processor must guarantee that it will not process the personal data further, except to comply with a statutory obligation or after written instructions from the Controller.
10.1 If and in so far as the Processing Agreement and the Contract for Services and/or the General Terms and Conditions applicable to the Contract of Services differ from and/or are in conflict with each other, the stipulations in the Processing Agreement will take precedence.
10.2 If one or more stipulations of the Processing Agreement prove not to be legally valid, the Processing Agreement will remain in force for the rest. The Parties will consult about the stipulations that are not legally valid for the purpose of replacing them with stipulations that are legally valid. They will seek to bring these stipulations as far as possible in line with the purport of the stipulations to be replaced.
10.3 Changes to the services to be performed by the Processor and/or the purpose of the processing must be agreed by the Parties in writing in advance.
10.4 Unless the Parties have agreed otherwise in writing, the stipulations of the Contract for Services will apply to the Processing Agreement.
10.5 If security measures need to be taken pursuant to a mandatory legislative amendment, and the Processor states in writing that it does not agree to this, the Controller will then be entitled to terminate this Processing Agreement and the related agreement on the date on which the legislative amendment enters into effect.
The Processing Agreement is governed by Dutch law. Any disputes will be brought before the court which has jurisdiction.