DATA PROCESSING AGREEMENT EasySIGN

This Data Processing Agreement forms an integral part of the Agreement. Under the Agreement, the User is the controller (“the Controller”) of the personal data, and EasySIGN BV is the processor (“the Processor”) of the personal data. Hereinafter, both parties are referred to as Controller or Processor.

WHEREAS

The parties have agreed that the Controller uses the Processor as a software supplier for the EasySIGN graphic production software. The Processor processes personal data of the Controller in the context of the execution of the agreement.
In order to enable the Parties to carry out their relationship in a manner consistent with the law, the Parties have entered into this Data Processing Agreement (“DPA”), as follows:
1. Definitions

For the purposes of this DPA:

| Term | Definition |
|---|---|
| “Applicable Data Protection Law” | the legislation that protects the fundamental rights and freedoms of individuals and in particular their right to privacy with regard to the Processing of Personal Data, which legislation applies to the Controller and Processor; the term Applicable Data Protection Law also includes the GDPR; |
| “Controller” | the above named customer of EasySIGN who, as a natural or legal person, alone or together with others, determines the purposes and means of the Processing of Personal Data; |
| “GDPR” | Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which entered into force on 25 May 2018; |
| “International Organization” | an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries; |
| “Member State” | a country belonging to the European Union; |
| “Personal Data” | any information relating to an identified or identifiable natural person (Data Subject); |
| “Data Subject” | an identifiable person who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier, or one or more elements characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| “Personal Data Breach” | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed; |
| “Process/Processing” | any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction; |
| “Processor” | EasySIGN BV, which processes Personal Data on behalf of the Controller; |
| “Agreement between the customer and EasySIGN when entering into Subscription” | the main agreement concluded between the Controller and the Processor that sets out the conditions for the provision of the Services; |
| “Services” | the services provided by the Processor to the Controller and described under ‘Subject of processing’ in Appendix 1 to this DPA; |
| “Special Categories of Personal Data” | personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the Processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation; |
| “Subprocessor” | a data processor engaged by the Processor that declares its willingness to receive Personal Data from the Processor intended solely for Processing Activities that must be performed for the Controller in accordance with its instructions, the conditions of this DPA, and the conditions of a written sub-processing agreement; |
| “Supervisory Authority” | an independent public authority established by a Member State pursuant to Article 51 of the GDPR; |
| “Technical and Organizational Security Measures” | the measures aimed at protecting Personal Data against accidental destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing; |
| “Third Country” | a country in respect of which the European Commission has not decided that that country, or an area or one or more specified sectors within that country, guarantees an adequate level of data protection. |
2. Details of the Processing

The details of the Processing Activities that the Processor performs for the Controller as a data processor that has received instructions to that effect (such as the subject matter, the nature, and the purpose of the processing, the type of personal data, and the categories of data subjects) are set out in Appendix 1 to this DPA.

3. Rights and obligations of the Controller

The Controller has instructed the Processor, and shall continue to instruct the Processor for the duration of the data processing for which the instruction has been given, to process the Personal Data solely for the Controller and in accordance with the Applicable Data Protection Law, the Agreement between the customer and EasySIGN on taking out a Subscription, this DPA, and the Controller’s instructions. The Controller is entitled and obliged to give the Processor instructions for the Processing of the Personal Data, both in general and in individual cases. Instructions can also relate to the rectification, deletion, and blocking of Personal Data. Instructions are generally given in writing, unless urgency or other specific circumstances require a different form (e.g. oral or electronic). The Controller shall immediately confirm unwritten instructions in writing. Insofar as carrying out an instruction leads to costs for the Processor, the Processor shall first notify the Controller of those costs. The Processor shall carry out an instruction only once the Controller has confirmed that it is responsible for the costs of carrying out that instruction.

4. Obligations of the Processor

The Processor will:
- process the Personal Data exclusively in accordance with the instructions of the Controller and on behalf of the Controller; such instructions are given in the agreement between customer and EasySIGN when entering into a subscription, this DPA and otherwise in documented form as mentioned in article 3 above. This obligation to follow the instructions of the Controller also applies to the transfer of the Personal data to a Third Country or an International Organisation;
- inform the Controller immediately if the Processor is unable to comply with an instruction from the Controller for any reason;
- ensure that persons who are authorised by the Processor to Process the Personal Data on behalf of the Controller undertake to observe confidentiality or that those persons are subject to an appropriate duty of confidentiality and that the persons who have access to the Personal Data will Process those Personal Data in accordance with the instructions of the Controller;
- implement the Technical and Organizational Security Measures that meet the requirements of the Applicable Data Protection Law as further specified in Appendix 2, before Processing the Personal Data, and ensure that it provides the Controller with sufficient guarantees with regard to those Technical and Organisational Security Measures;
- assist the Controller by means of appropriate Technical and Organizational Measures, to the extent feasible, for the fulfilment of the Controller’s obligation to respond to requests for the exercise of the rights of the Data Subjects regarding information, access, rectification and deletion, restriction of processing, notification, data portability, making objections, and automated decision-making; insofar as those feasible Technical and Organizational Measures require changes or alterations in the Technical and Organizational Measures as mentioned in Appendix 2, the Processor will inform the Controller of the costs of implementing those additional or altered Technical and Organizational Measures. As soon as the Controller has confirmed that these costs are for its account, the Processor will implement those additional or altered Technical and Organizational Measures to assist the Controller in ensuring compliance with Data Subjects’ requests;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR, and allow for and contribute to audits, including inspections conducted by the controller or another auditor mandated by the Controller. The Controller is aware that audits in person and on location can significantly disrupt the Processor’s business operations, cost a lot of money, and be time-consuming. Accordingly, the Controller may conduct an audit in person and on location only if it reimburses the costs incurred by the Processor due to the disruption of its business operations;
- notify the Controller without unnecessary delay:
  i. of any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless this notice is otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
  ii. of complaints and requests received directly from Data Subjects (for example, complaints and requests relating to access, rectification, deletion, restriction of processing, notification, data portability, objections against data processing, and automated decision-making) without dealing with that request further unless it is otherwise authorized to do so;
  iii. if the Processor is obliged on the basis of EU legislation or the legislation of a Member State that applies to it to process the Personal Data beyond the scope of the Controller’s instructions, before carrying out that processing beyond that scope, unless the EU legislation or legislation of that Member State prohibits that information for compelling reasons of public interest; the notice must specify the statutory requirement under that EU legislation or the legislation of the Member State;
  iv. if, in the Processor’s opinion, an instruction is contrary to the Applicable Data Protection Law; if it gives that notice, the Processor is not obliged to follow the instruction, unless and until the Controller has confirmed or altered it; and
  v. as soon as the Processor becomes aware of a Personal Data Breach, within no more than 24 hours. If such a Personal Data Breach occurs, the Processor shall assist the Controller, at the Controller’s written request, with its obligation under the Applicable Data Protection Law to report the breach to the Data Subjects or the Supervisory Authority, and to document the Personal Data Breach. Contact details relating to the report are recorded in the client service system. The contact persons are listed in the appendix to this agreement;
- assist the Controller in a Data Protection Impact Assessment as required under Article 35 GDPR relating to the Services provided by the Processor to the Controller and the Personal Data that the Processor processes for the Controller;
- deal with all questions of the Controller relating to its Processing of the Personal Data (for example, to enable the Controller to respond promptly to complaints or requests of Data Subjects) and to comply with the advice of the Supervisory Authority on the Processing of the transmitted data;
- insofar as it is obliged and requested to rectify, delete, and/or block Personal Data that is processed under this DPA, do this immediately. If and insofar as Personal Data cannot be deleted because of statutory data retention requirements, the Processor, instead of deleting the relevant Personal Data, shall restrict the further Processing and/or use of the Personal Data, or remove the corresponding identity from the Personal Data (‘blocking’). If such a blocking obligation applies to the Processor, the Processor shall delete the relevant Personal Data by no later than the last day of the calendar year in which the retention period ends.
The Controller gives permission for the use of Sub-processor(s) engaged by the Processor for the provision of the Services. The Controller grants its approval for the Sub-processor(s) with regard to:
| Sub-processor | Service |
|---|---|
| WebWhales | Woocommerce Webshop |
| Hubspot | CRM |
| Copernica | CRM |
| Teamleader | CRM |
| U-digital | Marketing service provider |
| Hotjar | Online behavior recording tool |
| Mollie | Payment service provider |
| Exact Online | Cloud based bookkeeping |
| Libra Service Automatisering | Computer service provider |
| Microsoft Office 365 | Cloud based email and spreadsheets |
| Wibu | Cloud based license manager |
| Google Analytics | |
- The Processor shall contractually impose the same data protection obligation as included in this DPA on all Sub-Processors. The agreement between the Processor and the Sub-Processor must namely give adequate guarantees for the implementation of the Technical and Organizational Security Measures as specified in Appendix 2, insofar as those Technical and Organizational Security Measures are important for the services provided by the Sub-Processor.
- The Processor chooses the Sub-processor with the utmost care.
- If such a Sub-Processor is located in a Third Country, the Processor, at the Controller’s written request, shall enter into an EU model contract (Controller > Processor) on behalf of the Controller (in the Controller’s name), pursuant to Commission Decision 2010/87/EU. In this case, the Controller instructs and authorizes the Processor to give Sub-Processors instructions in the Controller’s name and to enforce all the Controller’s rights in respect of the Sub-Processors under the EU model contract.
- The Processor remains liable toward the Controller for the fulfillment of the Sub-Processor’s obligations, if that Sub-Processor fails to fulfill its obligations. However, the Processor is not liable for any damage/loss and claims arising from the Controller’s instructions to the Sub-Processors.
6. Limitation of Liability

All liability arising out of or in connection with this DPA follows, and is governed solely by, the liability provisions set forth in, or otherwise applicable to, the ‘Terms and conditions’. Therefore, and for the purpose of calculating liability limits and/or determining the application of other limitations of liability, any liability arising under this DPA shall be deemed to arise under the relevant ‘Terms and conditions’.
7. Duration and termination
- The duration of this DPA is equal to that of the relevant ‘Terms and conditions’. Unless otherwise provided in this Agreement, rights and obligations in the area of termination are the same as those set forth in the relevant ‘Terms and conditions’.
- The Processor will, at the first request of the Controller, delete or return to the Controller all Personal Data after the end of the provision of the Services, and delete all existing copies unless the Processor is obliged to retain such Personal Data under EU or Member State law.
- In the event of a conflict between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA shall prevail with respect to the data protection obligations of the Parties. In case of doubt as to whether clauses in those other agreements relate to the data protection obligations of the Parties, this DPA shall prevail.
- Invalidity or unenforceability of any provision of this DPA shall not affect the validity or enforceability of the remaining provisions of this DPA. The invalid or unenforceable provision is (i) amended in such a way as to guarantee its validity or enforceability while at the same time preserving the intentions of the Parties as much as possible or, if this is not possible, (ii) treated as if the invalid or unenforceable part had never been included therein. The above also applies if this DPA contains an omission.
- This DPA is governed by the same law as the agreement between Customer and EasySIGN when entering into a Subscription except to the extent that mandatory Applicable Data Protection Law applies.
- This processing agreement is subject to Dutch law. Any disputes regarding the implementation thereof will be submitted to the competent court in Eindhoven.
On behalf of the Processor:
Full name: Paul Schoofs
Address: Melkweg 5, 5527 CZ Hapert
Date: 21 March 2022
Annex 1 – Categories of Data Subjects

The Personal Data transferred concerns the following categories of Data Subjects:
- Customers of customer
Subject of the processing

Use of software for the design and manufacture of signs and other graphic production.

Nature and purpose of the processing

The Processor collects, stores, processes and uses the Personal Data of the Data Subjects on behalf of the Controller in order to execute the agreement, including:
- Management of tasks, meetings and calls;
- Adding Personal Data to the CRM tools for the purpose of following up emails, managing contacts and companies;
- Follow-up of a sales process;
- Time registration;
- Creation and management of support tickets (incl. statistics thereof);
- Goal creation and management.

Type of personal data

The Personal Data collected, processed and used by the Processor on behalf of the Controller concern the following categories of personal data: usage data and contact details, more specifically subscription details:
- the desired subscription;
- first and last name;
- telephone number;
- e-mail address;
- company name;
- invoice address;
- postal code and city;
- e-mail address;
- VAT number;
- IBAN and ascription.