Processor Agreement

Processor Agreement

This Processor Agreement applies to all forms of processing of personal data carried out by WP Provider BV, hereinafter referred to as “WP Provider”, based in Bussum, registered with the Chamber of Commerce under number 73142689, (hereinafter referred to as Processor) on behalf of another party to whom it provides services (hereinafter referred to as Processor).

Hereinafter collectively referred to as “Parties.

Considering:

1. The Parties have entered into an Agreement relating to hosting services and domain name registrations, hereinafter referred to as the “Agreement”.
   In performance of the Agreement, Processor processes Personal Data for the benefit of Processor-Responsible;
   Parties wish to handle with care and in accordance with the AVG and other Applicable Laws and Regulations relating to the Processing of Personal Data the Personal Data that (will) be processed in performance of the Agreement;
   C. The Parties wish, in accordance with the AVG and other Applicable laws and regulations regarding the Processing of Personal Data, to set out their rights and obligations in respect of the Processing of Personal Data of Data Subjects in Writing in this Processor Agreement.
   D. Exclusively Processor shall determine the purposes and means of processing personal data and Processor shall have no influence thereon;

Have agreed as follows:

1. Terms

1.1 Data Subject: the person to whom a Personal Data relates.
1.2 Data Breach: a breach of the security of Personal Data that has serious adverse consequences for the protection of Personal Data.
1.3 Personnel: the persons to be engaged by the Parties for the performance of this Processor Agreement, who will work under their responsibility.
1.4 Personal Data: any data relating to an identified or identifiable natural person.
This term also includes (traceable) pseudonymized personal data.
1.5 Sub-processor: third party engaged by Processor to process Personal Data on behalf of Processor, without being subject to the direct authority of Processor.
1.6 Controller: the person responsible for the Processing within the meaning of the Personal Data Protection Act (WBP) and/or European regulations and directives regarding the protection of personal data (AVG).
1.7 Processor: the person who processes Personal Data on behalf of the Controller without being subject to its direct authority.
1.8 Processing: any operation or set of operations concerning Personal Data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, provision by means of transmission, dissemination or any other form of making available, bringing together, linking, as well as the blocking, erasure or destruction of data.

2. Subject

2.1 If Processor only has access to the Personal Data, without an obligation to process it, Processor shall comply with both national and international laws and regulations relating to personal data and the provisions of this Processor Agreement; if and to the extent that Processor has timely notified Processor in advance of the presence of Personal Data and the place (path) where such Personal Data is located.
2.2 If Processor has undertaken in the Contract to process Personal Data, Processor shall do so with great care and in accordance with the purposes of the processing, observing both the national and international laws and regulations relating to personal data and the provisions of this Processor’s Agreement; if and to the extent that Processor has timely notified Processor in advance of the presence of Personal Data and the location of such Personal Data.

3. Obligations of the Controller

3.1 Processor shall notify Processor of changes relating to the Processing (if applicable) and any consequences thereof in a timely manner, in principle within 10 working days.
3.2 Processor guarantees that the instruction to Process the Personal Data (if applicable) is not unlawful and does not infringe on the rights of third parties.

4. Obligations of the Processor

4.1 Processor shall only access and/or process the Personal Data if and to the extent necessary for the performance of the Agreement and shall follow all reasonable instructions from Processor.
4.2 Processor shall not store the Personal Data in a location outside the European Economic Area.
Domain registrations may require the transfer of Personal Data to countries outside the European Economic Area.
This will then be limited to what is required by the relevant registry.
4.3 Processor guarantees that its Personnel will comply with the provisions of this Processor Agreement, if and insofar as they are involved in any way in the Processing of Personal Data.
The employees of Processor are bound by a duty of confidentiality.
4.4 Processor has appointed a Data Protection Officer.
4.5 Processor shall, upon the first request of Processor, immediately make available to Processor all copies of Personal Data originating from Processor and/or processed on the instructions of Processor, or destroy them upon request.
4.6 Processor shall implement appropriate technical and organizational security measures to secure the Personal Data against loss and against unlawful processing.
These measures, taking into account the state of the art and the costs of their implementation, guarantee an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected.
4.7 Processor shall keep a record of all categories of processing activities it has performed for the Controller.
4.8 Processor shall provide Processor with its full and timely cooperation to allow Data Subjects to inspect their personal data, to have their personal data deleted or corrected, and/or to demonstrate that such personal data has been deleted or corrected or, if Processor disputes the position of Data Subject, to record that Data Subject considers their personal data to be incorrect.
4.9 Processor takes adequate internal management measures to comply with the obligations under this Agreement and records them in a manner that makes monitoring compliance easy.
When Processing Personal Data, activities and incidents relating to the Personal Data are recorded in log files.
4.10 At the Controller’s request, Processor shall cooperate with encryption (encoding) and pseudonymization of Personal Data.
If this leads to higher costs for Processor, Processor shall reimburse these costs.
4.11 Processor may once a year have the Processing of Personal Data audited for correct compliance with the Processor Agreement by means of an examination by an independent registered EDP Auditor.
The Auditor will be required to maintain confidentiality.
Processor shall provide all information requested by the Auditor.
The Auditor will report to Processor in general terms, but will not disclose details of the security measures taken.
The costs of the investigation shall be borne by Processor.
4.12 The content and scope of the assignment to Processor and the fee to be paid for it shall be in accordance with what is arranged in the Agreement in this regard.
Processor shall comply with instructions from the Processing Responsible Party regarding the processing and/or storage of Personal Data.

5. Subprocessor

5.1 Processor may outsource all or part of the performance of the Processor Agreement to a Subprocessor.
The Processor remains at all times the point of contact for the Processing Responsible Party and responsible for compliance with the provisions of this Processor Agreement.
5.2 The Processor shall impose the same obligations on the Subprocessor – and lay this down in writing in a contract – as arise for itself from this Processor Agreement and supervise compliance thereof by the Subprocessor.
Processor is fully liable to Processor for the consequences of outsourcing work to a Subprocessor.
5.3 An exception to Articles 5.1 and 5.2 is the outsourcing of domain name registrations.
Depending on the Top Level Domain, your personal data may be made public and/or Processor cannot guarantee the security of your personal data.

6. Provision of Personal Data.

6.1 Processor shall not be permitted to provide Personal Data to anyone other than Processor except pursuant to a legal obligation or for the purposes of the contract with Processor.
6.2 If Processor is required to provide Personal Data pursuant to a legal obligation, Processor shall:

• verify the basis of the request and the identity of the requester and, prior to disclosure, inform Processor accordingly;
• limit the provision to what is required by law;
• Enable Processor to exercise the rights of Processor and Data Subjects and defend the interests of Processor and Data Subjects;
• when issued to a Data Subject, provide the data in a structured, common and machine-readable form.

7. Security

7.1 Controller and Processor shall take appropriate technical and organizational measures to ensure a risk-appropriate level of security to ensure that the Processing complies with the requirements of the AVG and other Applicable Laws and Regulations relating to the Processing of Personal Data and that the protection of the rights of Data Subjects is guaranteed.
The security measures taken by Processor are listed in Appendix A.
7.2 Processor and Processor shall make every effort to secure and keep secure the Personal Data against intrusion and against external calamities as well as against negligent processing, unlawful disclosure or unauthorized disclosure and against loss, destruction or damage.
Both parties shall ensure that their IT facilities and equipment are physically protected against unauthorized access and against damage and malfunctions and shall take measures to prevent unauthorized access to information systems.
7.3 Processor and Processor shall continuously monitor whether the processing systems used (continue to) meet adequate requirements of confidentiality, integrity, availability and resilience (rapid recovery after temporary unavailability).
7.4 If Requested in writing by Processor, Processor shall take special measures for security and/or confidentiality with respect to the (categories of) Personal Data designated therein.
If this results in higher costs for Processor, Processor shall reimburse Processor for these costs.

8. Data breach

8.1 When a Data Breach occurs at Processor, Processor shall immediately, but in any case within 24 hours, notify Processor, stating the nature of the Data Breach, its (suspected) consequences and the measures taken to remedy or mitigate the consequences.

9. Secrecy

9.1 All data of Processor and its customers are confidential and shall be treated as such by Processor.
Processor is obliged to maintain the confidentiality of all Personal Data and information that it processes, or of which it becomes aware in the context of the Agreement or this Processor Agreement.
9.2 Confidentiality does not apply to information:

• Which is publicly known without such disclosure being a consequence of an unauthorized act;
• Of which release is required by any provision of law or Court order, all subject to prior written notice from the disclosing party, to the party whose information is affected;
• Who developed a Party independently;
• Which a Party already holds without obligation of confidentiality.
• Upon termination of this Processor Agreement, this Article and the obligation of confidentiality set forth herein shall remain in effect.

10. Intellectual property

10.1 All Intellectual Property Rights including copyrights, database rights and all other rights of intellectual property as well as similar rights to protect information on the collection of data and Personal Data, copies or edits thereof, are vested in Processor (or a customer of Processor).
10.2 All Intellectual Property Rights – including copyrights, database rights and all other rights of intellectual property as well as similar rights to protect information – on Processor’s products and services are vested in Processor.

11. Liability and insurance

11.1 Processor is liable for damages suffered by Processor and fines forfeited by Processor as a result of Processor’s failure to comply with, or act in violation of, regulations under or pursuant to the Personal Data Protection Act and/or European regulations and directives on the protection of personal data and/or other relevant laws and regulations and/or this Processor Agreement.
11.2 Processor’s liability for damages suffered by Processor and/or fines forfeited as referred to in Article 11.1 is limited to €50 per event.
This limitation of liability shall lapse if and insofar as the damage is the result of intent or gross negligence (conscious recklessness) on the part of Processor.
11.3 Processor shall indemnify Processor against claims of third parties (in particular Data Subjects) and any damages resulting therefrom, based on non-compliance with requirements under or pursuant to the Personal Data Protection Act and/or European regulations and directives regarding the protection of personal data and/or other laws and regulations in this regard and/or this Processor Agreement.
11.4 Processor undertakes to cover the risks referred to in Articles 11.1 to 11.2 by means of liability insurance.

12. Duration and termination

12.1 The Processor Agreement shall enter into force on the day it is signed by the Parties.
12.2 The provisions on duration and termination of the Agreement shall apply as provisions on duration and termination of the Processor Agreement.
When the Agreement terminates for any reason, the Processor Agreement shall also terminate.
12.3 In the event of termination of the Processor Agreement, Processor shall transfer all Personal Data to Processor, or, upon the express written request of Processor, destroy the Personal Data in Processor’s possession.
12.4 Obligations that by their nature are intended to continue even after termination of the Processor Agreement shall continue to apply after termination.
These obligations include, inter alia, the provisions on confidentiality, transfer and destruction, liability and applicable law.

13. Dissolution

13.1 Either Party may rescind the Agreement in whole or in part if the other Party imputably fails to comply with the Processor Agreement and the failure has not been remedied even after notice of default, without prejudice to the right to damages.
13.2 Either Party may terminate the Agreement in whole or in part with immediate effect without notice of default if the other Party is granted a moratorium on payments, if bankruptcy is applied for in respect of the other Party, if the other Party’s business is wound up or terminated other than for the purpose of reconstruction or amalgamation of businesses.

14. Other

14.1 Changes or additions to this Agreement shall be agreed upon in writing between Processor and Controller.
Amendments or supplements shall be recorded in an addendum to this Agreement and shall be binding if this addendum is signed by both Parties.
14.2 Any disputes arising from this Agreement shall, after an attempt to resolve the dispute by mutual agreement has proved fruitless, be settled by arbitration in accordance with the rules and procedures of the Netherlands Arbitration Institute, whereby the arbitrator(s) shall apply Dutch law.

Appendix A – Security measures

The measures that Processor complies with at a minimum:

1. The Processor maintains a policy document that explicitly addresses the measures taken by the Processor to secure data processing as well as to ensure privacy.
2. The Processor’s employees involved in the processing of personal data are bound by a duty of confidentiality/integrity code and, if applicable, a pre-employment screening has taken place.
3. All employees of the organization and, as applicable, hired personnel and external users shall receive appropriate training and regular in-service training on the organization’s information security policies and procedures, as relevant to their positions.
   Within the training and continuing education, explicit attention shall be paid to the handling of personal data.
4. IT facilities and equipment are physically protected from unauthorized access, damage and failure.
5. Procedures are in place to allow authorized users access to the information systems and services they need to perform their duties and to prevent unauthorized access to information systems.
6. When transporting confidential information explicitly designated as such by the Controller over networks, adequate encryption should always be applied.
7. For the management of certificates and associated keys, a current key plan is applicable in which authorizations and segregation of duties are secured.
8. Procedures are in place for the acquisition, development, maintenance and destruction of data and information systems.
9. Activities that users perform (with personal data) are recorded in log files.
   The same applies to other relevant events, such as attempts to gain unauthorized access to personal data and disruptions that may result in the mutilation or loss of personal data.
   Logging of specific data is possible on a customized basis via a quote.
10. Security measures are built into all application systems including adequate access management.
11. The network and information systems are actively monitored and managed.
    A procedure is also available to handle any data breaches.
    Part of this includes informing the Controller.
12. The Processor shall install solutions released by suppliers for security vulnerabilities in a timely manner.
    All this only if and to the extent that the software in question is/is supplied, or used, or maintained by the Processor for the benefit of the Controller.
13. Procedures are in place for the timely and effective handling of information security incidents and security weaknesses once reported.
14. The Controller reports data breaches that are subject to a statutory reporting obligation to the relevant regulator (usually the Personal Data Authority).