Processor Agreement

Created on 2 June, 2024Information • 12 minutes read

Processor Agreement

Version 1 June 2024.

This Processor Agreement forms an integral part of the agreements between you (other party) and ShopQRcode | Prompt Media. For the purposes of this agreement, ShopQRcode | Prompt Media is the processor (hereinafter referred to as "Processor") of the Personal Data, and the other party is the processor (hereinafter referred to as "Processor") of the Personal Data. The parties to this agreement are collectively referred to as "Parties," and individually as "Party."

whereas:

  • The Processor holds personal data relating to various Customers or Customers' customers (hereinafter referred to as Data Subjects);
  • The Processor utilizes the online program for the creation of QR codes and barcodes offered by Processor;
  • The Processor, through the use of the online program for creating QR codes and barcodes, processes personal data in accordance with the terms of the agreement between the Parties (hereinafter referred to as the Main Agreement);
  • The processor is prepared to comply with the obligations regarding security and other aspects of the Personal Data Protection Act (Wbp), insofar as this is within its power;
  • In accordance with the requirements set forth in Article 14, paragraph 5 of the WBP, the parties wish to set forth their respective rights and obligations in writing through this Processor Agreement (hereinafter referred to as the "Processor Agreement");
  • The parties, also in view of the requirement in article 14 paragraph 5 of the Wbp, wish to lay down their rights and obligations in writing by means of this Processor Agreement (hereinafter: Processor Agreement);
  • In accordance with Article 1(e) of the Wbp, the processor in the performance of the Master Contract may be regarded as a processor;
  • The designated Responsible Party is the Processing Responsible Party as defined in Article 1, sub d of the Wbp;
  • In accordance with the terms of the Processor Agreement, the term "personal data" shall be interpreted in accordance with the definition set forth in Article 1, Section A of the WBP;
  • Please note that in this Processor Agreement, terms from the Wbp or General Data Protection Regulation (AVG) are mentioned. This means that the corresponding terms from the Wbp or AVG apply;
  • Please be advised that, as of May 25, 2018, reference is made to the AVG in place of the PDPA in the Processor Agreement.

correspond:

Article 1: Purposes of Processing

1.1 The Processor agrees to process personal data on behalf of the Controller in accordance with the terms of this Processor Agreement. Processing will only take place within the framework of this Processor Agreement and for the purposes set out in the Master Agreement. Appendix 1A of this Processor Agreement defines the categories of data subjects and personal data involved. The Controller shall inform the Processor in writing of the processing purposes insofar as they are not already mentioned in this Processor Agreement.

1.2 The Processor is not responsible for the purpose and means of processing personal data. The Processor does not make independent decisions about the receipt and use of personal data, the disclosure to third parties, or the duration of storage of personal data.

1.3 The processor is not responsible for determining the purpose and means of processing personal data. The processor does not make independent decisions about the receipt and use of personal data, the disclosure to third parties, or the duration of storage of personal data.

1.4 Processor guarantees that, as of May 25, 2018, when the AVG becomes applicable, it will maintain a register of all processing operations regulated under this Processing Agreement. The Processing Responsible Party shall indemnify Processor against all claims and demands related to failure to properly comply with this register obligation.

Article 2: Division of Responsibility

2.1 The parties will ensure compliance with all applicable privacy laws and regulations..

2.2 The permitted processing operations will be carried out by the Processor within a semi-automated environment.

2.3 The Processor is solely responsible for the processing of Personal Data under this Processor Agreement, in accordance with the Controller's instructions and under the express (ultimate) responsibility of the Controller. For all other processing of Personal Data, including in any case but not limited to the collection of Personal Data by the Controller, processing for purposes not notified by the Controller to the Processor, processing by third parties and/or other purposes, the Processor is not responsible. The responsibility for these processing operations rests solely with the Processor.

2.4 The Processor warrants that the content, use, and processing of personal data, as referred to in this Processor Agreement, is not unlawful and does not infringe any rights of third parties.

Article 3: Obligations of the Processor

3.1 In regard to the processing mentioned in Article 1, Processor shall ensure compliance with the conditions imposed under the Wbp and AVG on the processing of personal data by Processor in its role.

3.2 The Processor shall notify the Processor, upon its first request and within a reasonable time, of the measures taken by it regarding its obligations under this Processor Agreement.

3.3 The Processor shall notify the Processor if, in its opinion, an instruction of the Processor violates relevant privacy laws and regulations.

3.4 The Processor shall provide the Processor with the necessary cooperation when a data protection impact assessment or prior consultation with the supervisor may be necessary in the context of the processing.

3.5 The obligations of the Processor set forth in this Processor Agreement also apply to those who process personal data under the authority of the Processor, including, but not limited to, employees in the broadest sense.

Article 4: Transfer of Personal Data

4.1 The Processor processes personal data in countries within the European Union (EU). The Processor is additionally authorised to process personal data in countries outside the European Union, subject to relevant laws and regulations.

4.2 Processor shall notify Processor, upon its first request, of the country or countries concerned.

Article 5. Engagement of Third Parties or Sub-Processors

5.1 Controller hereby authorizes Processor to engage third parties (sub-processors) in the processing of data, subject to applicable privacy laws.

5.2 The Processor shall inform the Processor as soon as possible about the sub-processors engaged by it. The Processor shall have the right to object to the engagement of the sub-processor. This objection must be made in writing within two weeks and supported by arguments. If the Processed Party objects to a sub-processor being engaged by the Processor, the Parties shall enter into mutual consultation to reach a solution.

5.3 The Processor shall ensure that any sub-processors engaged by them assume in writing at least the same duties as agreed between the Processor and the Processor. The Processor shall ensure proper compliance with the duties by such sub-processors and, in the event of errors by such sub-processors, shall itself be liable to the Processor for all damages as if it had itself committed the error(s).

Article 6. Security

6.1 The Processor shall take all appropriate technical and organizational measures to protect the personal data against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or disclosure of personal data). The Processor has taken the security measures listed in Appendix 1B for this purpose.

6.2 The Processor shall make every effort to ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.

6.3 The Processor shall only make personal data available to the Processor for processing if it has satisfied itself that the required security measures are in place. The Processor is responsible for compliance with the measures agreed upon by the Parties.

Article 7: Duty to Report Data Breaches

7.1 In the event of a security breach and/or data leak (as defined in Article 34a of the Personal Data Protection Act (Wbp)), Processor will take immediate action to inform the relevant authorities and/or data subjects. In accordance with the Personal Data Protection Act (Wbp), the Processor will, to the best of its ability, inform the Processor without delay or at the latest within 48 hours of becoming aware of the breach. The Processor will then assess whether or not to inform the supervisory authorities and/or data subjects. The Processor shall make every effort to ensure that the information provided is complete, correct, and accurate. The obligation to notify only applies if the leak has actually occurred.

7.2 The Processor shall ensure compliance with any statutory reporting obligations. In the event that law and/or regulations require it, the Processor shall cooperate in informing the relevant authorities and any data subjects.

7.3 The duty to report shall include, at a minimum, reporting the fact that a leak has occurred, as well as the following information:

  • What is the (alleged) cause of the data breach;
  • What the (as yet known and/or expected) consequence is;
  • What the (proposed) solution is;
  • Contact information for following up on the report?
  • Who has been informed (such as data subject himself, Controller, supervisor)?

Article 8: Handling Requests from Data Subjects

8.1 In the event that a data subject makes a request about their personal data to the Processor, the Processor shall forward the request to the Controller. The Processor may notify the data subject accordingly. The Processor shall provide the necessary cooperation in handling the request. If it appears that the Processor needs assistance from the Processor in fulfilling a data subject's request, the Processor may charge a fee for this assistance.

Article 9: Secrecy and Confidentiality

9.1 All personal data received by the Processor from the Processor and/or collected by the Processor in the context of this Processor Agreement shall be subject to a duty of confidentiality towards third parties. The Processor shall not use this information for any other purpose than that for which it has obtained it, unless it has been put in such a form that it cannot be traced back to data subjects.

9.2 This duty of confidentiality does not apply in the following instances:

  • If the Processor has given express consent to provide the information to third parties; or
  • If providing the information to third parties is logically necessary for the performance of the Master Agreement or this Processor Agreement; and
  • If there is a legal obligation to provide the information to a third party.

Article 10. Audit

10.1 The Processor shall have the right to conduct or cause to be conducted an audit by a competent, independent third party bound by confidentiality to verify compliance with all items in this Processor Agreement, as well as any related matters.

10.2 The audit shall only take place after the Processor has requested, reviewed, and provided reasonable arguments that justify an audit initiated by the Processor. Such an audit shall be justified when the similar audit reports present at the Processor are inconclusive or insufficiently conclusive of the Processor's compliance with this Processor Agreement. The audit initiated by the Processor shall take place two weeks after the previous announcement by the Processor, at most once per calendar year.

10.3 The Processor shall cooperate in the audit and make available all information reasonably relevant to the audit, including supporting data such as system logs, in a timely manner and within a reasonable time frame. A period of up to two weeks is reasonable unless an urgent interest dictates otherwise.

10.4 The findings of the audit shall be assessed by the Parties in mutual consultation. Based on this assessment, changes to security may be made by one Party or by both Parties jointly.

10.5 All costs associated with the audit shall be borne by the Processor, including any internal costs incurred by the Processor. It is understood that the costs for a third-party to be hired shall always be borne by the Processor.

Article 11. Liability

11.1 In the event of a breach of this Processor Agreement, the liability of the Parties for damages shall be limited to the amount of the last invoice paid by the Processor.

11.2 Any right to compensation is contingent upon the Processing Responsible Party reporting the damage to the Processor in writing and by registered mail as soon as possible after becoming aware of it. Any claim for compensation by the Processor shall lapse by the mere expiration of three months after the Processor became aware of the fact that it has suffered damage.

11.3 The Processor shall not be liable for any damages incurred by the Processor as a result of a fine imposed by any of the national regulators, including the Personal Data Authority, including in the context of statutory reporting obligations.

Article 12. Term and Termination

12.1 This Processor Agreement is established by the customer's acceptance of this agreement upon placing an order.

12.2 This Processor Agreement is entered into for the duration as stipulated in the Main Agreement between the Parties, or in the absence thereof, for the duration of the cooperation.

12.3 In the event of the termination of the Processor Agreement for any reason and in any manner, the Processor shall provide the Processor with the opportunity to download or export all personal data held by it in original or copy form in an Excel, CSV, or PDF file. The Processor shall thereafter delete and/or destroy the data and any copies thereof.

12.4 Any amendments to this Processor Agreement must be made in writing and agreed to by both parties.

Article 13: Other Provisions

13.1 The Processor Agreement and its performance shall be governed by Dutch law.

13.2 In the event of a dispute between the parties regarding the Processor Agreement, the matter shall be submitted to the appropriate court in the district where the Processor is located.

13.3. All logs and measurements made by the Processor shall constitute compelling evidence, subject to evidence to the contrary being provided by the Processor.

13.4 In the event of a conflict between different documents or their annexes, the following order of precedence shall apply:

  • the Master Agreement;
  • the General Conditions;
  • this Processor Agreement;
  • any additional conditions.

Appendix 1A: Specification of Personal Data and Data Subjects.

In accordance with the terms of the Master Agreement, the Processor will process the following categories of personal data on behalf of the Processor:

  • NAW data;
  • Contact details;
  • Gender;
  • IP address;
  • Payment details;
  • Login information.

The following categories of stakeholders are to be considered:

  • (Potential) customers;
  • Suppliers;
  • Staff.

The Processor represents and warrants that the personal data and categories of data subjects described in this Schedule 1 of the Processor Agreement are complete and accurate. Furthermore, the Processor indemnifies itself for any defects and claims resulting from an incorrect representation by the Processor.

Appendix 1B: Security measures

The processor has implemented the following security measures:

  • Logical access control, using strong passwords;
  • IP restrictions for access protection of database and files at the processor;
  • Encryption (encoding) of personal data stored in the database;
  • Organizational measures for access security;
  • Securing network connections via Transport Layer Security (TLS) technology;
  • Confidentiality obligations of employees and third parties engaged.