Processor agreement
Created on 31 December, 2024 • Information • 11 minutes read
Processors Agreement
Version 23 May 2024
This processor agreement constitutes a vital component of the agreements between you (the other party) and ShopQRcode | Prompt Media. ShopQRcode assumes the role of the processor (hereinafter referred to as the 'Processor') of the personal data, and the other party assumes the role of the processor (hereinafter referred to as the 'Processor') of the personal data, hereinafter referred to individually as a 'Party' and collectively as 'Parties'.
Whereas:
- Processor holds personal data of various customers or customers' customers (hereinafter referred to as 'Data Subjects');
- Controller uses the online programme for creating QR codes and barcodes offered by Processor;
- Processor may process Personal Data on behalf of the Data Controller, as outlined in the Main Contract, by using the online programme for creating QR codes and barcodes offered by Processor;
- The processor is prepared to comply with the obligations concerning security and other aspects of the Personal Data Protection Act (Wbp), insofar as this is within its power;
- The parties, also in view of the requirement under Article 14(5) of the Wbp, wish to set out their rights and obligations in writing by means of this Processor Agreement (hereinafter: Processor Agreement);
- The processor may be regarded as a processor within the meaning of Article 1(e) of the Wbp in the performance of the main contract;
- The processor will be regarded as the responsible party as defined in Article 1(d) of the Wbp;
- In this processor agreement, 'personal data' is defined as set out in Article 1(a) of the WBP;
- In instances where this Processor Agreement refers to terms from the WBP or General Data Protection Regulation (AVG), the corresponding terms from the WBP or AVG are intended to be referenced;
- In the event of there being any reference to the WBP in this Processor Agreement, please note that as of 25 May 2018, this refers to the corresponding provisions of the AVG;
- The processor may be regarded as a processor within the meaning of Article 1(e) of the Wbp in the performance of the main contract.
Agree:
Article 1: Purposes of processing
1.1 The Processor undertakes to process personal data on behalf of the Controller under the terms of this Processor Agreement. This processing will be carried out in accordance with the terms of this Processor Agreement and the purposes laid down in the Main Agreement. Please refer to Annex 1A of this Processor Agreement for details of the categories of data subjects and personal data concerned. The Controller shall provide the Processor with written notification of the intended processing purposes, in instances where such purposes have not been explicitly specified in this Processor Agreement.
1.2 The Processor has no control over the purposes and means of processing personal data. The Processor does not make independent decisions regarding the receipt and use of personal data, disclosure to third parties, or the duration of storage of personal data.
1.3 From 25 May 2018, when the AVG comes into force, the Processor shall maintain a register of the processing operations governed by this Processing Agreement. The Processing Responsible Party will indemnify the Processor against all claims and demands related to the failure to properly comply with this register obligation.
Article 2: Division of responsibility
2.1 The parties will ensure compliance with applicable privacy laws and regulations.
2.2 The permitted processing operations will be carried out by the Processor within a (semi-)automated environment.
2.3 The Processor is solely responsible for the processing of personal data under this Processor Agreement, in accordance with the instructions of the Processor and under the express (ultimate) responsibility of the Processor. For all other processing of personal data, including but not limited to the collection of personal data by the Controller, processing for purposes not notified by the Controller to the Processor, processing by third parties and/or other purposes, the Processor is not responsible. The responsibility for these processing operations rests exclusively with the Processor.
2.4 The Processor guarantees that the content, use and instruction to process personal data, as referred to in this Processor Agreement, is lawful and does not infringe any rights of third parties.
Article 3: Obligations of Processor
3.1 With regard to the processing outlined in Article 1, the Processor is required to ensure compliance with the stipulated conditions for the processing of personal data under the Wbp and AVG.
3.2 The Processor is obligated to inform the Controller, upon the Controller's initial request and within a reasonable timeframe, of the measures implemented in accordance with its obligations under this Processor Agreement.
3.3 The Processor shall notify the Controller if, in its opinion, an instruction of the Controller violates relevant privacy laws and regulations.
3.4 Processor shall provide the necessary cooperation to Processor Responsible Party if a data protection impact assessment, or prior consultation of the regulator, should be necessary in the context of the processing.
3.5 The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense.
Article 4: Transfer of personal data
4.1 The processor processes personal data in countries within the European Union (EU). Additionally, if applicable, the processor gives the processor permission to process personal data in countries outside the European Union, subject to the relevant laws and regulations.
4.2 Upon the processor's first request, the processor will inform the processor of the country or countries concerned.
Article 5: Engagement of third parties or sub-processors
5.1 The Controller hereby grants the Processor permission to engage third parties (sub-processors) in the processing, subject to the applicable privacy laws.
5.2 The Processor shall inform the Controller as soon as possible about the sub-processors it engages, and the Controller reserves the right to object to the engagement of the sub-processor. This objection must be made in writing within two weeks and supported by arguments. If the Processing Responsible Party objects to a sub-processor to be engaged by the Processor, the Parties will enter into mutual consultation to reach a solution.
5.3 In any case, the Processor shall ensure that sub-processors assume in writing at least the same duties as have been agreed between the Processing Data Controller and the Processor. The Processor guarantees correct compliance with the duties by these sub-processors and, in the event of errors by these sub-processors, is itself liable to the Processor for any damage as if it had committed the error(s) itself.
Article 6: Security
6.1 The Processor shall endeavour to take appropriate technical and organisational measures to protect the personal data against loss or against any form of unlawful processing (such as unauthorised access, impairment, modification or disclosure of personal data). To this end, the Processor has taken the security measures listed in Appendix 1B.
6.2 The Processor shall take all reasonable measures to ensure that the security measures meet a level that is commensurate with the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.
6.3 The Controller shall only make personal data available to the Processor for processing if it has ensured that the required security measures have been taken. The Processor is responsible for compliance with the measures agreed by the Parties.
Article 7: Duty to report data breaches
7.1 In the event of a security breach and/or data leak (which is understood to mean: a breach of the security of personal data that leads to a significant chance of serious consequences, or has serious adverse consequences, for the protection of personal data, as referred to in Article 34a of the Personal Data Protection Act (Wbp)), the Processor shall endeavour to inform the Processing Authority without delay or at the latest within 48 hours. The Processing Authority shall decide whether or not to inform the supervisory authorities and/or data subjects. The Processor shall ensure that the information provided is complete, correct and accurate. Please note that the obligation to notify only applies if the leak has actually occurred.
7.2 The Processor shall ensure compliance with any (statutory) reporting obligations and, if the laws and/or regulations so require, shall cooperate in informing the relevant authorities and any parties involved.
7.3 The duty to report includes the following:
- Notifying the occurrence of a data leak;
- Identifying the suspected cause of the data leak;
- Outlining the potential consequences of the data leak;
- Proposing a solution to address the data leak;
- Providing contact information for follow-up inquiries;
- Specifying who has been informed, such as the data subject, the Controller, or the supervisor.
Article 8: Handling requests from data subjects
8.1 If a data subject makes a request regarding their personal data to the Processor, the Processor shall forward the request to itself. The Processor may then notify the data subject accordingly. The Processor shall provide the necessary cooperation in handling the request. If it turns out that the Processing Responsible Party requires assistance from the Processor in fulfilling a data subject's request, the Processor may charge costs for this.
Article 9: Secrecy and confidentiality
9.1 All Personal Data that the Processor receives from the Responsible Party and/or collects itself in the context of this Data Processing Agreement shall be subject to a duty of confidentiality towards third parties. Processor shall not use such information for any purpose other than that for which it was obtained, unless it is in such form that it cannot be traced back to the data subjects.
9.2 This confidentiality obligation shall not apply:
- if the Processor has expressly consented to the disclosure of the information to third parties;
- or if the disclosure of the information to third parties is logically necessary for the performance of the Main Agreement or this Processor Agreement;
- and if there is a legal obligation to disclose the information to a third party.
Article 10: Audit
10.1 The Processor shall have the right to carry out or have carried out an audit by a competent, independent third party bound by confidentiality in order to check compliance with all points of this Processor Agreement and everything directly related thereto.
10.2 Such audit shall only take place after the Processor has requested, verified and provided reasonable arguments to justify an audit not already initiated by the Processor. Such an audit shall be justified if the similar audit reports available to Processor are inconclusive or insufficient as to Processor's compliance with this Processor Agreement. The audit initiated by Processor shall take place two weeks after prior notification by Processor and not more than once per calendar year.
10.3 Processor shall cooperate with the audit and make available all information reasonably relevant to the audit, including supporting data such as system logs, and employees as soon as possible and within a reasonable time, a period of up to two weeks being reasonable, unless an urgent interest prevents this.
10.4 The results of the audit shall be evaluated by the Parties in mutual consultation. As a result, changes to the security may or may not be made by one of the parties or by both parties jointly.
10.5 All costs of the audit shall be borne by the Processor, including the (internal) costs incurred by the Processor, on the understanding that the costs of the third party to be engaged shall always be borne by the Processor.
Article 11: Liability
11.1 The liability of the parties for damages resulting from an attributable failure to perform this Processing Agreement, in tort or otherwise, shall be limited to the amount of the last invoice paid by the Processor.
11.2 Any right to compensation shall always be subject to the condition that the Processing Party notifies the Processor of the damage in writing by registered letter as soon as possible after becoming aware of it. Any claim for compensation by the Processor shall lapse three months after the Processor has become aware of the damage.
11.3 The Processor shall expressly not be liable for any damage suffered by the Responsible Party as a result of a fine imposed by a national supervisory authority, including the Personal Data Authority, inter alia in connection with statutory reporting obligations.
Article 12: Duration and termination
12.1 This Processor Agreement shall come into force by acceptance of this Agreement when an Order is placed.
12.2 This Processor Agreement is entered into for the duration specified in the main agreement between the parties, and in the absence of such an agreement, for the duration of the cooperation.
12.3 Upon termination of the Processor Agreement, for whatever reason and in whatever manner, the Processor shall give the Processor the opportunity to download or export to the Processor all Personal Data in its possession in original form or in the form of a copy in an Excel, CSV or PDF file and thereafter to delete and/or destroy it and all copies thereof.
12.4 The parties may only amend this Processor Agreement by mutual written consent.
Article 13: Other provisions
13.1 The Processor Agreement and its performance shall be governed by Dutch law.
13.2 All disputes that may arise between the parties in connection with the Processor Agreement shall be submitted to the competent court in the district where the Processor is established.
13.3 The records and measurements made by the Processor shall be conclusive evidence, unless the Processor provides evidence to the contrary.
13.4 In the event of a conflict between different documents or their annexes, the following order of precedence shall apply:
- the Main Contract;
- the General Terms and Conditions;
- this Processor Agreement;
- any Additional Conditions.
Appendix 1A: Specification of Personal Data and Data Subjects
Processor will process the following (special) personal data on behalf of Processor under the Main Agreement. Processor will process the following types of personal data on behalf of Processor:
- Name and address details;
- Contact details;
- Gender;
- IP address;
- Payment details;
- Login details.
The categories of data subjects concerned are:
- (potential) customers;
- suppliers;
- employees.
The Processor warrants that the personal data and categories of data subjects described in this Schedule 1 of the Processor Agreement are complete and accurate and indemnifies the Processor against all deficiencies and claims arising from any inaccurate representation by the Processor.
Appendix 1B: Security Measures
Processor has implemented the following security measures:
- Logical access control using strong passwords;
- IP restrictions to protect access to the database and files at Processor;
- Encryption of personal data stored in the database;
- Organisational measures for access security;
- Security of network connections using Transport Layer Security (TLS) technology;
- Confidentiality obligations of employees and third parties.