DATA PROCESSING AGREEMENT EasySIGN

This Data Processing Agreement forms an integral part of the Agreement. User is in the Agreement responsible (“the Controller”) for the personal data. EasySIGN BV is in the Agreement processor (“the Processor”) of the personal data. After this, both parties will be cited as Controller or Processor.

WHEREAS

The parties have agreed that the Controller uses the Processor as a software supplier for the EasySIGN graphic production software. The Processor processes personal data of the Controller in the context of the execution of the agreement.

In order to enable the Parties to carry out their relationship in a manner consistent with the law, the Parties have entered into this Data Processing Agreement (“DPA”), as follows:
 
1. Definitions
For the purposes of this DPA:  
‘Applicable  Data Protection Law” : the legislation that protects the fundamental rights and freedoms of individuals and in particular their right to privacy with regard to the Processing of Personal Data, which legislation applies to the Controller and Processor; the term Applicable Data Protection Law also includes the GDPR;    
“Controller” : The above named customer of EasySIGN who, as a natural or legal person, alone or together with others, determines the purposes and means of the Processing of Personal Data;    
“GDPR” : regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which entered into force on 25 May 2018;    
“International Organization” : an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;    
“Member State” : a country belonging to the European Union;    
“Personal data” : any information relating to an identified or identifiable natural person (Data subject);    
“Data subject” : an identifiable person who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Personal Data Breach” : a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;    
“Process/Processing” : any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
“Processor” : EasySIGN BV, which processes Personal Data on behalf of the Controller;
“Agreement between the customer and EasySIGN when entering into Subscription” : the main agreement concluded between the Controller and the Processor that sets out the conditions for the provision of the Services;    
“Services” : the services provided by the Processor to the Controller and described under ‘Subject of processing’ in Appendix 1 to this DPA;    
“Special Categories of Personal Data” : personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the Processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation;    
“Subprocessor” : a data processor engaged by the Processor that declares its willingness to receive Personal Data from the Processor intended solely for Processing Activities that must be performed for the Controller in accordance with its instructions, the conditions of this DPA, and the conditions of a written sub-processing agreement;    
“Supervisory Authority” : an independent public authority established by a Member State pursuant to Article 51 of the GDPR;    
“Technical and Organizational   Security Measures” : the measures aimed at protecting Personal Data against accidental destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing;    
Third Country” : a country in respect of which the European Commission has not decided that that country, or an area or one or more specified sectors within that country, guarantees an adequate level of data protection.
2. Details of the Processing
The details of the Processing Activities that the Processor performs for the Controller as a data processor that has received instructions to that effect (such as the subject matter, the nature, and the purpose of the processing, the type of personal data, and the categories of data subjects) are set out in Appendix 1 to this DPA.

3. Rights and obligations of the Controller
The Controller has instructed the Processor, and shall continue to instruct the Processor for the duration of the data processing for which the instruction has been given, to process the Personal Data solely for the Controller and in accordance with the Applicable Data Protection Law, the Agreement between the customer and EasySIGN on taking out a Subscription, this DPA, and the Controller’s instructions. The Controller is entitled and obliged to give the Processor instructions for the Processing of the Personal Data, both in general and in individual cases. Instructions can also relate to the rectification, deletion, and blocking of Personal Data. Instructions are generally given in writing, unless urgency or other specific circumstances require a different form (e.g. oral or electronic). The Controller shall immediately confirm unwritten instructions in writing. Insofar as carrying out an instruction leads to costs for the Processor, the Processor shall first notify the Controller of those costs. The Processor shall carry out an instruction only once the Controller has confirmed that it is responsible for the costs of carrying out that instruction.

4. Obligations of the Processor
Processor will:
  1. process the Personal Data exclusively in accordance with the instructions of the Controller and on behalf of the Controller; such instructions are given in the agreement between customer and EasySIGN when entering into a subscription, this DPA and otherwise in documented form as mentioned in article 3 above. This obligation to follow the instructions of the Controller also applies to the transfer of the Personal data to a Third Country or an International Organisation;
  2. inform the Controller immediately if the Processor is unable to comply with an instruction from the Controller for any reason;
  3. ensure that persons who are authorised by the Processor to Process the Personal Data on behalf of the Controller undertake to observe confidentiality or that those persons are subject to an appropriate duty of confidentiality and that the persons who have access to the Personal Data will Process those Personal Data in accordance with the instructions of the Controller;
  4. implement the Technical and Organizational Security Measures that meet the requirements of the Applicable Data Protection Law as further specified in Appendix 2, before Processing the Personal Data and ensuring that it provides the Controller with sufficient guarantees with regard to those Technical and Organisational Security Measures;
  5. assist the Controller by means of appropriate Technical and Organizational Measures, to the extent feasible, for the fulfilment of the controller’s obligation to respond to requests for the exercise of the rights of the Data Subjects regarding information, access, rectification and deletion, restriction of processing, notification, data portability , making objections, and automated decision-making; insofar as those feasible Technical and Organizational Measures require changes or alterations in the Technical and Organizational Measures as mentioned in Appendix 2, the Processor will inform the Controller of the costs of implementing those additional or altered Technical and Organizational Measures. As soon as the Controller has confirmed that these costs are for his account, the Processor will implement those additional or altered Technical and Organizational Measures to assist the Controller in ensuring compliance with data subjects’ requests;
  6. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR, and allow for and contribute to audits, including inspections conducted by the controller or another auditor mandated by the Controller. The Controller is aware that audits in person and on location can significantly disrupt the Processor’s business operations, cost a lot of money, and be time-consuming. Accordingly, the Controller may conduct an audit in person and on location only if it reimburses the costs incurred by the Processor due to the disruption of its business operations;
  7. notify the Controller without unnecessary delay:
    i.
    of any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless this notice is otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    ii.
    of complaints and requests received directly from Data Subjects (for example, complaints and requests relating to access, rectification, deletion, restriction of processing, notification, data portability, objections against data processing, and automated decision-making) without dealing with that request further unless it is otherwise authorized to do so;
    iii.
    if the Processor is obliged on the basis of EU legislation or the legislation of a Member State that applies to it to process the Personal Data beyond the scope of the Controller’s instructions, before carrying out that processing beyond that scope, unless the EU legislation or legislation of that Member State prohibits that information for compelling reasons of public interest; the notice must specify the statutory requirement under that EU legislation or the legislation of the Member State;
    iv.
    if, in the Processor’s opinion, an instruction is contrary to the Applicable Data Protection Law; if it gives that notice, the Processor is not obliged to follow the instruction, unless and until the Controller has confirmed or altered it; and
    v.
    as soon as the Processor becomes aware of a Personal Data Breach, within no more than 24 hours. If such a Personal Data Breach occurs, the Processor shall assist the Controller, at the Controller’s written request, with its obligation under the Applicable Data Protection Law to report the breach to the Data Subjects or the Supervisory Authority, and to document the Personal Data Breach. Contact details relating to the report are recorded in the client service system. The contact persons are listed in the appendix to this agreement;
  8. assist the Controller in a Data Protection Impact Assessment as required under Article 35 GDPR relating to the Services provided by the Processor to the Controller and the Personal Data that the Processor processes for the Controller;
  9. deal with all questions of the Controller relating to its Processing of the Personal Data (for example, to enable the Controller to respond promptly to complaints or requests of Data Subjects) and to comply with the advice of the Supervisory Authority on the Processing of the transmitted data;
  10. insofar as it is obliged and requested to rectify, delete, and/or block Personal Data that is processed under this DPA, do this immediately. If and insofar as Personal Data cannot be deleted because of statutory data retention requirements, the Processor, instead of deleting the relevant Personal Data, shall restrict the further Processing and/or use of the Personal Data, or remove the corresponding identity from the Personal Data (‘blocking’). If such a blocking obligation applies to the Processor, the Processor shall delete the relevant Personal Data by no later than the last day of the calendar year in which the retention period ends.
 
5. Subprocessing
 
  1. The Controller gives permission for the use of Sub-processor(s) engaged by the Processor for the provision of the Services. The Controller grants its approval for the Sub-processor(s) with regard to:
    WebWhales Woocommerce Webshop
    Hubspot CRM
    Copernica CRM
    Teamleader CRM
    U-digital Marketing service provider
    Hotjar Online behavior recording tool
    Mollie Payment service provider
    Exact Online Cloud based bookkeeping
    Libra Service Automatisering Computer service provider
    Microsoft Office 365 Cloud based email and spreadsheets
    Wibu Cloud based license manager
    Google Google Analytics
    The processing agreements made available by them have been concluded with these parties.
  2. In the event that the Processor intends to engage new or more Sub-Processors, the Processor will ensure that the EasySIGN ‘Privacy Policy’ (https://www.easysign.com/about-us/privacy-policy/) is updated. Controller ensures periodic consultation of the EasySIGN ‘Privacy Policy’. If the Controller has reasonable grounds to object to the use of new or more Sub-Processors, the Controller must immediately notify the Processor in writing within 14 days of receipt of the Notification Sub-Processor. In the event that Controller objects to a new or different Sub-processor, and that retention is not unreasonable, will Processor use reasonable efforts to make changes to the Services available to the Controller or recommend a commercially reasonable change in the configuration of Controller or the use by the Controller of the Services to prevent Processing of Personal Data by the new or different Sub-processor to which objections have been made, without imposing an unreasonable burden on the Controller. If the Processor is unable to make that change available within a reasonable period of time, which period will not exceed sixty (60) days, the Controller may terminate the relevant portion the affected part of the ‘Terms and conditions’ (https://www.easysign.com/about-us/general-terms-and-conditions/), however, only with respect to those Services that cannot be provided by the Processor without the use of the new or different Sub-Processor to which objection has been made by means of written notice to the Processor.
  3. The Processor shall contractually impose the same data protection obligation as included in this DPA on all Sub-Processors. The agreement between the Processor and the Sub-Processor must namely give adequate guarantees for the implementation of the Technical and Organizational Security Measures as specified in Appendix 2, insofar as those Technical and Organizational Security Measures are important for the services provided by the Sub-Processor.
  4. Processor chooses the Sub-processor with the utmost care.
  5. If such a Sub-Processor is located in a Third Country, the Processor, at the Controller’s written request, shall enter into an EU model contract (Controller > Processor) on behalf of the Controller (in the Controller’s name), pursuant to Commission Decision 2010/87/EU. In this case, the Controller instructs and authorizes the Processor to give Sub-Processors instructions in the Controller’s name and to enforce all the Controller’s rights in respect of the Sub-Processors under the EU model contract.
  6. The Processor remains liable toward the Controller for the fulfillment of the Sub-Processor’s obligations, if that Sub-Processor fails to fulfill its obligations. However, the Processor is not liable for any damage/loss and claims arising from the Controller’s instructions to the Sub-Processors.
 
6. Limitation of Liability
All liability arising out of or in connection with this DPA follows, and is governed solely by, the liability provisions set forth in, or otherwise applicable to, the ‘Terms and conditions’. Therefore, and for the purpose of calculating liability limits and/or determining the application of other limitations of liability, any liability arising under this DPA shall be deemed to arise under the relevant ‘Terms and conditions’.

7. Duration and termination
  1. The duration of this DPA is equal to that of the relevant ‘Terms and conditions’. Unless otherwise provided in this Agreement, rights and obligations in the area of termination are the same as those set forth in the relevant ‘Terms and conditions’.
  2. The Processor will, at the first request of the Controller, delete or return to the Controller all Personal Data after the end of the provision of the Services, and delete all existing copies unless the Processor is obliged to retain such Personal Data under EU or Member State law.
 
8. Miscellaneous
  1. In the event of a conflict between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA shall prevail with respect to the data protection obligations of the Parties. In case of doubt as to whether clauses in those other agreements relate to the data protection obligations of the Parties, this DPA shall prevail.
  2. Invalidity or unenforceability of any provision of this DPA shall not affect the validity or enforceability of the remaining provisions of this DPA. The invalid or unenforceable provision is (i) amended in such a way as to guarantee its validity or enforceability while at the same time preserving the intentions of the Parties as much as possible or – if this is not possible – (ii) as if the invalid or unenforceable part had never been included therein. The above also applies if this DPA contains an omission
  3. This DPA is governed by the same law as the agreement between Customer and EasySIGN when entering into a Subscription except to the extent that mandatory Applicable Data Protection Law applies.
  4. This processing agreement is subject to Dutch law. Any disputes regarding the implementation thereof will be submitted to the competent court in Eindhoven
   
On behalf of the Processor:
Full name: Paul Schoofs
Position: Managing Director
Address: Melkweg 5, 5527 CZ Hapert
Date: 21 March 2022
Signature:
 

Annex 1 – Categories of Data Subjects
The Personal Data transferred concerns the following categories of Data Subjects:
  • Companies
  • Customers of customer
  • Employees
  • Suppliers
 
Subject of the processing
Use of software for the design and manufacture of signs and other graphic production.

Nature and purpose of the processing
The Processor collects, stores, processes and uses the Personal Data of the Data Subjects on behalf of the Controller in order to execute the agreement, including:
  • Management of tasks, meetings and calls;
  • Adding Personal Data to the CRM tools for the purpose of following up emails, managing contacts and companies;
  • Follow-up of a sales process;
  • Invoicing;
  • Time registration;
  • Creation and management of support tickets (incl. statistics thereof)
  • Goal creation and management
  • Voice-over-ip
 
Type of personal data
The Personal Data collected, processed and used by the Processor on behalf of the Controller concern the following categories of personal data: usage data and contact details, more specifically: Abonnementsgegevens:
  • the desired subscription;
  • username;
  • password;
  Your details:
  • first and last name;
  • telephone number;
  • e-mail address;
  • voorkeurtaal;
  Your company details:
  • company name;
  • invoice address;
  • postal code and city;
  • country;
  • e-mail address;
  • VAT number;
  Payment details:
  • IBAN and ascription.
Contact person in case of security breach
This will be the person who has been appointed as the contact person for the agreement. This can be found by logging in to www.EasySIGN.com under ‘My details’.

Contact with Processor
Compliance & privacy manager: EasySIGN BV, Paul Schoofs support@easysign.com

Annex 2 – Security Measures Sheet
Description of the Technical and Organizational Security Measures implemented by the Processor in accordance with Applicable Data Protection Act:   This Appendix describes the Technical and Organizational Security Measures and procedures that the Processor must maintain at least to protect the security of personal data created, collected, received, or otherwise obtained.

General
Technical and organizational measures can be regarded as the state of the art at the time of conclusion of the Service Agreement. The Processor will evaluate technical and organizational measures over time, taking into account costs for implementation, nature, scope, context and objectives of processing, and the risk of differences in the degree of probability and severity for the rights and freedoms of natural persons.

Detailed technical measures
  Logical access control to EasySIGN’s systems, using passwords:
  • All EasySIGN employees are informed about and wary of “Social Engineering”;
  EasySIGN monitors its systems 24/7:
  • Availability is measured every five minutes.
  • Monitoring of EasySIGN’s (virtual) servers is carried out by a qualified team of Operation Engineers and Developers, whereby it can be measured per machine and per service whether they are available and whether they deliver the performance necessary to meet the agreed Service Levels. Alerts take place via Whatsapp and via e-mail.
Depending on Customers’ configuration, EasySIGN usually works partly in the cloud. This means that the login licenses require the availability of the data centers of Wibu Systems (sub-contractor Claranet GmbH) and Webwhales Woocommerce.  Operation and availability of the customer-license-access systems does not depend on local servers in our office in Hapert.   EasySIGN uses SSL security protocols.   An adequate and up-to-date mechanism is in place to detect and handle malicious software, including computer viruses.   Only authorized personnel can access the Personal Data. Employees have a strict confidentiality obligation, which is included in the employment contract.   The building has an alarm system and is monitored 24/7 outside office hours. During office hours the door is closed and access is only possible by appointment and under the guidance of an EasySIGN employee.

Log files
  All user actions are logged and stored indefinitely. The logs consist of the following components:
  • Incoming mail: all mails sent to EasySIGN
  • EasySIGN website & software: all actions that the user performs with EasySIGN and all errors that result from it;
  The following personal data are present in the logs:
  • Username
  • Computer name
  • User ID
  • IP address
  • E-mail address / full e-mail
With this data it is possible to find out who this user is and what this person has done.   EasySIGN stores the “Document Workflow Status” in log files for an indefinite period of time and therefore also stores it indefinitely. In this log you can always check which actions have been taken on documents, actions such as granting a license, changing name, opening, deleting, splitting, grouping, exporting, plotting, error messages etc. This log data is stored on the production servers in log databases. This is a different database than the WooCommerce webshop database.  

Questions?

You may always contact us if you have questions regarding your privacy or the data we’ve collected about you. Get in touch with our support team.

Are you ready to make things EASY?

GET NOW