
Data Processing Agreement of VASCO-fulfilment B.V.

labor contract
Client Name (hereinafter: Data Controller),
and
VASCO-fulfilment B.V., registered with the Chamber of Commerce under number 62864165 (hereinafter: VASCO-fulfilment),
whereas
- The data controller holds personal data on various data subjects,
- The data controller wishes to have certain types of processing carried out by VASCO-fulfilment, with the data controller specifying the purpose and the means,
- VASCO-fulfilment is also prepared to take the legally required measures regarding security and other aspects of the General Data Protection Regulation (hereinafter: GDPR), to the extent that this is within its power,
- The parties, taking into account the requirement set forth in Article 28(3) of the GDPR, wish to set forth their rights and obligations in writing,
have agreed as follows:
Article 1. Purposes of Processing
- VASCO-fulfilment undertakes, under the terms of this Data Processing Agreement, to process personal data on behalf of the Data Controller. Processing will take place exclusively in connection with the fulfillment of orders for the Controller’s products or services, the storage of the Controller’s data in the “cloud,” and related online services, the management of the Controller’s customer records, as well as for purposes reasonably related thereto or as determined by further consent.
- This refers to the categories of personal data and the categories of data subjects as set forth in Appendix 1.
- VASCO-fulfilment will not process personal data for any purpose other than those specified by the Data Controller. The Data Controller will inform VASCO-fulfilment of the purposes of processing to the extent that they are not already specified in this Data Processing Agreement.
- The personal data processed on behalf of the Data Controller remains the property of the Data Controller and/or the data subjects concerned.
Article 2. Obligations of VASCO-fulfilment
- With regard to the processing operations referred to in Article 1, VASCO-fulfilment will ensure compliance with applicable laws and regulations, including, in any event, laws and regulations governing the protection of personal data, such as the General Data Protection Regulation.
- VASCO-fulfilment shall, upon the Controller’s first request, inform the Controller of the measures it has taken regarding its obligations under this Data Processing Agreement.
- The obligations of VASCO-fulfilment arising from this Data Processing Agreement also apply to those who process personal data under the authority of VASCO-fulfilment, including but not limited to employees, in the broadest sense of the term.
- VASCO-fulfilment shall immediately notify the Data Controller if, in its opinion, an instruction from the Data Controller violates the legislation referred to in paragraph 1.
- VASCO-fulfilment will, to the best of its ability, assist the Data Controller in conducting data protection impact assessments (DPIAs).
- In accordance with Article 30 of the GDPR, VASCO-fulfilment will maintain a record of all categories of processing activities it performs on behalf of the Data Controller under this Data Processing Agreement. Upon request, VASCO-fulfilment will provide the Data Controller with access to this record.
Article 3. Disclosure of Personal Data
- VASCO-fulfilment may process personal data in countries within the European Economic Area (EEA). In addition, VASCO-fulfilment may also transfer personal data to a country outside the EEA, provided that such country ensures an adequate level of protection and complies with the other obligations imposed on it under this Data Processing Agreement and the Personal Data Protection Act.
- VASCO-fulfilment will notify the Data Controller of the country or countries involved. VASCO-fulfilment guarantees that, given the circumstances affecting the transfer of personal data or a category of data transfers, countries outside the EEA provide an adequate level of protection.
- In particular, when determining an appropriate level of protection, VASCO-fulfilment will take into account the duration of the intended processing, the country of origin and the country of final destination, the general and sector-specific legal rules applicable in the relevant country, as well as the professional standards and security measures observed in those countries.
Article 4. Division of Responsibilities
- VASCO-fulfilment provides IT resources for the purposes of data processing, which the Data Controller may use for the purposes mentioned above. VASCO-fulfilment itself only performs data processing on the basis of separate agreements.
- VASCO-fulfilment is solely responsible for the processing of personal data under this Data Processing Agreement, in accordance with the instructions of the Data Controller and under the Data Controller’s express (ultimate) responsibility. VASCO-fulfilment is expressly not responsible for any other processing of personal data, including, but not limited to, the collection of personal data by the Data Controller, processing for purposes not notified by the Data Controller to VASCO-fulfilment, processing by third parties, and/or processing for other purposes.
- The Data Controller warrants that the content, use, and instructions regarding the processing of personal data as set forth in this Data Processing Agreement are not unlawful and do not infringe upon any rights of third parties.
Article 5. Engagement of Subprocessors
- Under this data processing agreement, VASCO-fulfilment may engage third parties (subprocessors) provided that such third parties are notified to the Data Controller in advance. The Data Controller may object if the use of a specific notified subprocessor is unacceptable to it.
- In any case, VASCO-fulfilment ensures that these sub-processors undertake in writing to comply with at least the same obligations as those agreed between the Data Controller and VASCO-fulfilment. The Data Controller has the right to review any agreements involved in this regard.
- VASCO-fulfilment guarantees that these sub-processors will properly comply with the obligations set forth in this Data Processing Agreement and, in the event of errors on the part of these sub-processors, is liable for all damages as if it had committed the error(s) itself.
- The data controller authorizes VASCO-fulfilment to use subprocessors as listed on https://picqer.com/nl/privacy/verwerkers.
Article 6. Security
- VASCO-fulfilment will make every effort to implement adequate technical and organizational measures regarding the processing of personal data to prevent loss or any form of unlawful processing (such as unauthorized access, damage, alteration, or disclosure of personal data).
- VASCO-fulfilment has taken at least the following measures:
  - Encryption of digital files containing personal data
  - Securing network connections using Secure Sockets Layer (SSL) technology
  - Pseudonymization of personal data where possible
- VASCO-fulfilment does not guarantee that the security measures will be effective under all circumstances. If no explicitly defined security measures are included in the Data Processing Agreement, VASCO-fulfilment will endeavor to ensure that the security measures meet a level that, given the state of the art, the sensitivity of the personal data, and the costs associated with implementing the security measures, is not unreasonable.
- The Data Controller shall only make personal data available to VASCO-fulfilment for processing if it has verified that the necessary security measures have been implemented. The Data Controller is responsible for ensuring compliance with the measures agreed upon by the Parties.
Article 7. Reporting Requirement
- The Data Controller is at all times responsible for reporting a security breach and/or data breach (defined as: a breach of the security of personal data that results in a risk of adverse consequences, or has adverse consequences, for the protection of personal data) to the supervisory authority and/or the data subjects. To enable the Data Controller to comply with this legal obligation, VASCO-fulfilment shall immediately notify the Data Controller of the security breach and/or data breach.
- A report must always be filed.
- The reporting requirement includes, at a minimum, reporting the fact that a data breach has occurred. In addition, the reporting requirement includes:
  - the nature of the personal data breach, including, where possible, the categories of data subjects and personal data involved, and an estimate of the number of data subjects and personal data records affected;
  - the name and contact information of the data protection officer or another point of contact where further information can be obtained;
  - the likely consequences of the breach in relation to personal data;
  - the measures that VASCO-fulfilment has proposed or taken to address the personal data breach, including, where applicable, measures to mitigate any adverse effects thereof.
- In accordance with Article 33(5) of the GDPR, VASCO-fulfilment will document all data breaches, including the facts surrounding the personal data breach, its consequences, and the corrective measures taken. Upon request, VASCO-fulfilment will provide the Data Controller with access to this information.
Article 8. Handling Requests from Data Subjects
- If a data subject submits a request to VASCO-fulfilment to exercise his or her legal rights (Articles 15–22 of the GDPR), VASCO-fulfilment will forward the request to the Data Controller, and the Data Controller will handle the request. VASCO-fulfilment may inform the data subject of this.
Article 9. Confidentiality
- All personal data that VASCO-fulfilment receives from the Data Controller and/or collects itself under this Data Processing Agreement is subject to a duty of confidentiality with respect to third parties. VASCO-fulfilment will not use this information for any purpose other than that for which it was obtained, even if it has been processed in such a way that it cannot be traced back to the data subjects.
- This confidentiality obligation does not apply to the extent that the Controller has given express consent to disclose the information to third parties, if such disclosure is reasonably necessary given the nature of the assignment and the performance of this Data Processing Agreement, or if there is a legal obligation to disclose the information to a third party.
Article 10. Audit
- The Data Controller has the right to have audits conducted by an independent third party bound by confidentiality to verify compliance with all provisions of the Data Processing Agreement and all matters directly related thereto.
- This audit may be conducted once a year, as well as whenever there is a specific suspicion of misuse of personal data.
- VASCO-fulfilment will cooperate with the audit and make all information reasonably relevant to the audit—including supporting data such as system logs—and employees available as soon as possible.
- The findings of the audit will be reviewed by VASCO-fulfilment and may be implemented by VASCO-fulfilment at its sole discretion and in the manner it deems appropriate.
- The costs of the audit will be borne by the Data Controller.
Article 11. Liability
- VASCO-fulfilment’s liability for damages resulting from an attributable breach of the Data Processing Agreement, or arising from a tort or otherwise, is excluded. To the extent that the aforementioned liability cannot be excluded, it is limited per event (a series of consecutive events counts as a single event) to compensation for direct damages, up to a maximum of the amount of the fees received by VASCO-fulfilment for the work performed under this Data Processing Agreement during the month preceding the event causing the damage. VASCO-fulfilment’s liability for direct damages shall in no event exceed a total of €30,000.00.
- "Direct damage" refers exclusively to all damage consisting of:
  - direct damage to property (“property damage”);
  - reasonable and verifiable costs incurred in compelling VASCO-fulfilment to (once again) properly comply with the Data Processing Agreement;
  - reasonable costs incurred in determining the cause and extent of the damage, to the extent that such costs relate to the direct damage referred to herein; and
  - reasonable and demonstrable costs incurred by the Data Controller to prevent or mitigate the direct damage referred to in this section.
- VASCO-fulfilment’s liability for indirect damages is excluded. Indirect damages are defined as any damages that are not direct damages, including, but not limited to, consequential damages, lost profits, lost savings, diminished goodwill, damages due to business interruption, damages due to failure to achieve marketing objectives, damages related to the use of data or data files prescribed by the Data Controller, or loss, corruption, or destruction of data or data files.
- The exclusions and limitations referred to in this article shall not apply if and to the extent that the damage results from willful misconduct or gross negligence on the part of VASCO-fulfilment or its management.
- Unless performance by VASCO-fulfilment remains permanently impossible, VASCO-fulfilment’s liability for attributable failure to perform the Agreement shall arise only if the Data Controller immediately gives VASCO-fulfilment written notice of default, setting a reasonable period for remedying the failure, and VASCO-fulfilment continues to fail to perform its obligations in a manner attributable to it even after that period. The notice of default must contain as complete and detailed a description of the failure as possible, so that VASCO-fulfilment is given the opportunity to respond adequately.
- Any claim for damages brought by the Data Controller against VASCO-fulfilment that has not been specified and explicitly reported shall lapse upon the mere passage of twelve (12) months following the date on which the claim arose.
Article 12. Term and Termination
- This Data Processing Agreement shall enter into force upon signature by the Parties and on the date of the last signature.
- This Data Processing Agreement is entered into for the term specified in the Main Agreement between the Parties and, in the absence thereof, in any event for the duration of the collaboration.
- As soon as the Data Processing Agreement is terminated, for whatever reason and in whatever manner, VASCO-fulfilment shall—at the Data Controller’s discretion—return all personal data in its possession, whether in original or copied form, to the Data Controller, and/or delete and/or destroy such original personal data and any copies thereof.
- The parties may amend this agreement only by mutual consent.
Article 13. Governing Law and Dispute Resolution
- The Data Processing Agreement and its performance are governed by Dutch law.
- Any disputes that may arise between the Parties in connection with the Data Processing Agreement shall be submitted to the competent court in Rotterdam.
Agreed and signed by us:
On behalf of the Data Controller
Name: Customer Name
Position: position
Date: date
—
Signature
On behalf of VASCO-fulfilment
Name: Ruben de Jager
Position: Director
Date: September 18, 2019
—
Signature
Appendix 1: Specification of personal data and data subjects
Pursuant to Article 1.1 of the Data Processing Agreement, VASCO-fulfilment will process the following (special) personal data on behalf of the Data Controller:
- Personal information
- Phone number
- Email address
- IP address
- Purchase, Return, and Delivery History
- Other personal data provided in the comments field of an order
- Other personal data stored by the Data Controller in VASCO-fulfilment
From the categories of data subjects:
- Suppliers
- Customers
The Data Controller warrants that the personal data and categories of data subjects described in this Appendix 1 are complete and accurate, and indemnifies VASCO-fulfilment against any defects or claims resulting from an incorrect representation by the Data Controller.