Algemene verordering gegevensbescherming (AVG)
- Company Name ……………………………………………………………
having its registered office and principal place of business at …………………………………….
Street name + house number …………………………………………..
Postal code …………………………………………
Represented by ………………………………..
(hereinafter referred to as “Principal”), and,
- the private company Invorderingsbedrijf and/or C.M. Zakelijk B.V., having its registered office and principal place of business at Koninginnegracht 14 C, (2514 AA) ‘s-Gravenhage, registered in the Commercial Register under number 56170394, and herewith legally represented by (name) (hereinafter to be referred to as “Contractor”)
Together hereinafter also referred to as “Parties”,
- Contractor offers the Service to Customer and in that capacity stores personal data of customers of Customer;
● in the context of its service provision the Contractor collects (special) personal data from the Client’s customers and processes these by means of the application;
● insofar as the Contractor processes personal data on behalf of the Customer in the context of the Agreement, the Customer qualifies under article 4, section 7 and section 8 of the Regulation as the Processor for the Processing of personal data and the Contractor as the Processor;
● in this Processing Agreement, as referred to in article 28, paragraph 3 of the Regulation, the parties wish to lay down their agreements about the Processing of Personal Data by the Counterparty, which apply to their relationship in connection with the (processing of personal data in the context of) said activities on the instructions of and for the benefit of the Contracting Authority.
Declare to have agreed as follows:
Article 1 Definitions
1.1 In this Processing Agreement the following terms, always written with a capital letter, shall have the following meanings whether they are used in plural or
- General Terms and Conditions: the general terms and conditions of the Contractor, which form an inseparable part of the Agreement;
b. Agreement: the agreement concluded between the Client and the Contractor concerning the use by the Client of the Contractor’s Service;
c. Processing Agreement: the present agreement including appendices, which forms part of the Agreement;
d. Appendix: appendix to the Processing Agreement, which forms an integral part of the Processing Agreement;
e. Personal Data: all data that can be traced directly or indirectly to a natural person as referred to in article 4 to the
natural person as referred to in article 4, opening words and 1 of the AVG;
f. Processing: an operation or set of operations in the context of the Agreement relating to Personal Data, or a set of Personal Data, whether or not carried out by automated means, such as collecting, recording, organizing, structuring, storing, updating or amending, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, blocking, erasing or destroying. The processing of Personal Data as referred to in Article 4 opening words and under 2 of the AVG.
g. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.2 To the extent that terms written with a capital letter are not defined above, the relevant definition in
1.2 Where terms written with a capital letter are not defined above, the relevant definition is contained in the Agreement and/or General Terms and Conditions.
1.3 The provisions of the Agreement apply in full to the Processing
Processing Agreement. Insofar as the General Terms and Conditions contain provisions regarding the
1.3 The provisions of the Agreement apply in full to the Processing Agreement.
Article 2 Subject of this Processing Agreement
2.1 This Processing Agreement governs the Processing of Personal Data by the Contractor in the context of the Agreement.
2.2 Contractor undertakes, in the context of this Processing Agreement, to Process Personal Data on the instructions of
2.2 Contractor undertakes, within the scope of this Processing Agreement, to Process Personal Data on behalf of the Principal. The Principal and the Contractor have entered into this Processing Agreement with regard to the performance of the
Agreement. An overview of the type of Personal Data, the categories of
data subjects and purposes for which the Processing of Personal Data takes place,
is included in Annex 1.
2.3 Principal guarantees that the order to Process that Personal Data is in accordance with all applicable laws and regulations. Principal shall indemnify Contractor against all claims of third parties arising in any way from non-compliance with this guarantee.
2.4 Principal is responsible for the processing of the personal data in the context of the Agreement, as well as Personal Data created by further processing of data.
2.5 The Contractor undertakes to process Personal Data only for the purposes specified in
this Processing Agreement and/or the Agreement. Contractor
may use the personal data in anonymized form for statistical
purposes. Provider guarantees that it will not, without express and written permission
of the Principal, will not use the personal data processed under this Processing Agreement and/or Agreement in any way, unless a legal provision applicable to the Provider obliges it to process. In that case, the Contractor will notify the Principal of that legal provision prior to the Processing, unless that legislation prohibits such notification for important reasons of public interest
Article 3 Technical and organizational measures
3.1. Provider shall implement or have implemented appropriate technical and organizational measures
3.1. Contractor shall implement or have implemented appropriate technical and organizational measures to protect Personal Data against loss or against any form of
unlawful Processing and thus guarantee a security level appropriate to the risk.
guarantee. These measures will, taking into account the state of the art and the
costs of implementation, ensure an appropriate level of security, having regard to the
risks involved in the processing and the nature of the data to be protected
entail. The Contractor will in any case take measures to
protected against destruction, whether accidental or unlawful, against accidental and
intentional loss, falsification, unauthorized disclosure or access, or against any
other form of unlawful processing.
3.2. The technical and organizational measures taken by the Contractor are described in
The technical and organizational measures taken by the Contracted Party are described in Annex 2. The Principal acknowledges having read the relevant measures and by signing this Processing Agreement the Principal agrees to the measures taken by the Contractor.
3.3 If and to the extent that the Principal expressly requests this in writing, the Contractor will take additional measures with a view to securing the Personal Data.
3.4 The Contractor will not process Personal Data outside the European Union, unless it has obtained the express written consent of the Customer to do so and subject to deviating legal obligations and with due observance of the applicable legal obligations, in which case the Contractor will inform the Customer in advance whether the relevant transfer will take place or after obtaining the prior written consent of the Customer, which consent will not be refused on unreasonable grounds.
3.5 Contractor will, as far as reasonably possible, assist Client in
3.5 The Contractor shall, as far as reasonably possible, assist the Client in complying with its obligation under the AVG to take appropriate technical and
organizational measures in order to guarantee a security level commensurate with the risk.
level of security appropriate to the risk.
Article 4 Confidentiality – Secrecy of Contractor’s Staff
4.1 Contractor shall give all its employees, who are involved in the execution of the
Agreement, sign a declaration of confidentiality – which may or may not be included in the
contract with those employees – which in any case states that these employees must observe secrecy.
that these employees must observe secrecy with regard to the Personal
Personal Data. Provider takes such measures, such as security of data carriers, to guarantee that this secrecy obligation is fulfilled.
Article 5 Engagement of third parties (sub-processor)
5.1. The Contractor is permitted, in the context of this Processing Agreement and the
Agreement to make use of third parties and/or subcontractors (“Sub processors”),
as listed in the Schedule. If the Contractor wishes to use other Sub processors, the Contractor will inform the Client of the intended changes and give the Client the opportunity to object to these changes.
5.2. The Contractor shall contractually oblige each Sub processor to impose at least the same data protection obligations as stipulated in this Processing Agreement, including in particular the confidentiality obligations, notification obligations and security measures.
Article 6 Liability
6.1 Article 14 of the General Terms and Conditions regarding the limitation of liability, shall apply
applicable mutatis mutandis.
6.2 Without prejudice to article 6.1 of this Processing Agreement, the Contractor is only
liable for the damage caused by Processing if, during such Processing, the obligations of the AVG specifically addressed to the Contractor have not been fulfilled, if outside or contrary to the lawful instructions of the Principal, or if the Contractor has failed imputably in its performance of the Processing Agreement.
Artikel 7 Inbreuk in verband met persoonsgegevens
7.1 Indien opdrachtnemer kennis krijgt van een inbreuk in verband met persoonsgegevens zoals
gedefinieerd in de AVG en/of enig ander incident ten aanzien van de beveiliging van Persoonsgegevens, zal zij i) Opdrachtgever daarvan binnen 1 week op de hoogte stellen, tenzij het niet waarschijnlijk is dat de inbreuk een risico inhoudt voor de rechten en vrijheden van natuurlijke personen en ii) alle redelijke maatregelen nemen om (verdere) schending van de AVG te voorkomen of te beperken. Opdrachtgever erkent dat Opdrachtnemer in dat kader derden kan inschakelen zonder Opdrachtgever daarover voorafgaand in te lichten.
7.2 Opdrachtnemer zal, voor zover redelijk, haar medewerking verlenen aan Opdrachtgever en Opdrachtgever ondersteunen in het uitvoeren van haar wettelijke verplichtingen ten aanzien van het geconstateerde incident. Opdrachtnemer zal voor zover redelijk Opdrachtgever ondersteunen bij de op Opdrachtgever rustende meldplicht ten aanzien van de inbreuk in verband met persoonsgegevens bij de Autoriteit Persoonsgegevens en/of de betrokkene, zoals bedoeld in artikelen 33, lid 3, en 34, lid 1, AVG. Opdrachtnemer is nimmer gehouden tot het melden van een inbreuk in verband met persoonsgegevens bij de Autoriteit Persoonsgegevens en/of de betrokkene.
7.3 Opdrachtnemer is nimmer aansprakelijk voor de (correcte en/of tijdige uitvoering van de) op
opdrachtgever rustende meldplicht zoals bedoeld in artikelen 33 en 34 AVG.
7.4 De Opdrachtnemer documenteert alle inbreuken in verband met Persoonsgegevens als bedoeld in artikel 7.1 van deze Verwerkersovereenkomst, met inbegrip van de feiten omtrent de inbreuk in verband met Persoonsgegevens, de gevolgen daarvan en de genomen corrigerende maatregelen. Deze documentatie verstrekt de Opdrachtnemer uitsluitend aan de Opdrachtgever in geval van een verzoek van de toezichthoudende autoriteit aan de Opdrachtgever, als bedoeld in artikel 33 lid 5 AVG.
Article 7 Personal data breach
7.1 If the Contractor becomes aware of a Personal Data breach as
defined in the AVG and/or any other incident regarding the security of Personal Data, it will i) notify the Client within 1 week, unless it is not likely that the breach involves a risk for the rights and freedoms of natural persons and ii) take all reasonable measures to prevent or limit (further) violation of the AVG. Customer acknowledges that Contractor may engage third parties in this context without informing Customer in advance.
7.2 Contractor will, to the extent reasonable, cooperate with Customer and support Customer in the performance of its legal obligations with respect to the identified incident. Contractor shall, to the extent reasonable, support Client in the fulfilment of its obligation to report the personal data breach to the Authority for the Protection of Individuals with regard to the Processing of Personal Data and/or the data subject, as referred to in articles 33 (3) and 34 (1) of the AVG. The Contractor is never obliged to report a personal data breach to the Personal Data Authority and/or the data subject.
7.3 The contractor shall never be liable for the (correct and/or timely) performance of the obligation to report as referred to in
7.3 The Contractor shall never be liable for the (correct and/or timely) performance of the reporting obligation incumbent on the Client as referred to in Articles 33 and 34 of the AVG.
7.4 The Contractor shall document all breaches in connection with Personal Data as referred to in article 7.1 of this Processing Agreement, including the facts regarding the breach in connection with Personal Data, the consequences thereof and the corrective measures taken. The Provider shall provide this documentation to the Principal only in the event of a request from the supervisory authority to the Principal, as referred to in Article 33 (5) AVG.
Article 8 Assistance to the Client
8.1. Provider shall, to the extent reasonably possible, assist Client
assist the Client in fulfilling its duty under the AVG to respond to requests for the exercise of
the rights of a data subject, in particular the right to inspection (Art.
15 AVG), rectification (art. 16 AVG), erasure of data (art. 17 AVG), restriction (art. 18 AVG),
transferability (art. 20 AVG) and the right to object (art. 21 and 22 AVG). Contractor
will forward a complaint or a request from a data subject with regard to the Processing of
Personal Data within 1 month to the Principal, who is responsible for handling the request. The Contractor is entitled to charge the Client for any costs involved in the cooperation.
8.2. The Contractor shall, to the extent reasonably possible, assist the Client in enforcing its obligation under the AVG to conduct a data protection impact assessment (Sections 35 and 36 AVG). The Contractor is entitled to charge the Client for any costs involved in this.
8.3. The Contractor shall provide the Client with all information that is
necessary to demonstrate that the Contractor complies with its obligations under the AVG.
Furthermore, the Contractor shall, at the request of the Client, facilitate and contribute to audits, including inspections, by the Client or an auditor authorized by the Client. The Contractor is entitled to charge any costs involved to the Principal, unless such an audit reveals demonstrably serious culpable negligence on the part of the Contractor with regard to the implementation of the security measures agreed upon in Annex 2 of the Processing Agreement.
Article 9 Termination
9.1 The Processing Agreement ends when the Agreement ends, unless
after termination of the Agreement, for whatever reason, the Contractor still processes or has in its possession
Process Personal Data or has it in its possession, in which case the Processing Agreement will apply for as long as the Contractor Processes Personal Data. Notwithstanding the specific provisions of the Agreement, upon the first request of the Principal, the Provider shall erase or return to the Principal all Personal Data and delete existing copies, unless the Provider is required by law to store the Personal Data. Provider shall send a written confirmation to the Principal once the Personal Data has been destroyed at the request of the Principal.
Article 10 Changes and retention periods
10.1 The Contractor is at all times entitled to amend and/or supplement this Processing Agreement if this is necessary to
10.1 The Contractor is always entitled to amend and/or supplement this Processing Agreement if this is necessary in order to comply with (future) laws and regulations.
Amendments of minor importance, such as apparent clerical errors, obvious omissions
and other changes of a similar nature may be made at all times without the
without the Customer being asked for its approval and without the Customer being entitled to terminate the Agreement / Processing Agreement. The most up-to-date Processor Agreement will be available on the Contractor’s website, both on the website and after the login screen.
10.2 The Principal shall adequately inform the Contractor about (statutory) retention periods applicable to the Processing of Personal Data for the Contractor. Contractor will not Process Personal Data for longer than in accordance with these retention periods.
10.4 The obligations from this Processing Agreement which by their nature are intended to
survive termination, shall remain in effect even after termination of this Processing Agreement.
Signature by signatory,
Contractor makes available to Client online services consisting of Contractor’s online portal. The services provided by Contractor are described in the Agreement and the General Terms and Conditions.
The Processing Agreement takes place for the following purposes:
To provide the online total solution, consisting of:
– Relationship management
– Sales management
– Other commercial purposes
– Financial administration
– Project administration
– Calendar of events
– Time registration
– Dossier management
– Legal proceedings
– Collection activities
Processing also takes place to implement and maintain the software systems.
The processing relates to the following categories of data subjects:
– Contact details per user (name, email address, password, role, address details, telephone number):
– Data provided by the Client to the Contractor for the processing purposes (“Client Data”);
Contractor will process the following type of Personal Data:
– Data relating to the Client
– Data provided by the Client for the purpose of collection activities.
Appendix 2 Specification of security
In order to maintain high level security standards the Contractor shall use the following. The Contractor will inform the Client if the security measures described below are changed:
Physical security measures
– All personal data is stored on servers of the Contractor’s suppliers, which are certified.
– Only selected employees of the Contractor have access codes.
– Non-disclosure statements signed by employees.
Technical security measures
– Access to the databases is limited to a specific IP range and can only be accessed
– be accessed by employees of the Contractor.
– The Contractor’s server containing the personal data cannot be accessed from the outside. Except for the aforementioned employees.
– All information managed by the Contractor is secured with a secure modem
– All web services of the Contractor are secured with SSL certificates.
– The Back Office web services are secured with the EV SSL certificate (this provides the highest level of security for authentication).
Appendix Suppliers and Subcontractors
– Software Suppliers