Data processing agreement

This Data processing agreement applies to all forms of processing of personal data that Time4less BV, hereinafter referred to as “Saver”, established in Steenwijk, registered with the Chamber of Commerce under number 68864485, (hereinafter: Processor) carries out for the benefit of a counterparty to whom it provides services (hereinafter: Controller).

Hereinafter jointly referred to as “Parties”;

In consideration of:

A. Parties have entered into an agreement with regard to time registration via an App and a Portal, hereinafter referred to as: “Agreement”. For the implementation of the Agreement, Processor processes Personal Data for the benefit of the Controller;
B. Parties wish to handle the Personal Data that is (will be) processed for the execution of the Agreement carefully and in accordance with the GDPR and other applicable laws and regulations regarding the Processing of Personal Data;
C. In accordance with the GDPR and other Applicable laws and regulations regarding the Processing of Personal Data, the parties wish to establish their rights and obligations with regard to the Processing of Personal Data of Data Subjects in Writing in this Data processing agreement.
D. The Controller alone determines the purpose and means of the processing of personal data and the Processor has no influence on this;

Have agreed as follows:

Concepts

1.1 Data subject: the person to whom Personal Data relates.
1.2 Data breach: a breach of the security of Personal Data that has serious adverse consequences for the protection of Personal Data.
1.3 Personnel: the persons to be engaged by the Parties for the implementation of this Data processing agreement, who will work under their responsibility.
1.4 Personal data: any data relating to an identified or identifiable natural person. (Traceable) pseudonymised personal data also fall under this concept.
1.5 Sub-processor: third party engaged by Processor to process Personal Data on behalf of Processor, without being subject to the direct authority of Processor.
1.6 Controller: the controller for the Processing within the meaning of the Personal Data Protection Act (WBP) and / or European regulations and guidelines with regard to the protection of personal data (GDPR).
1.7 Processor: the person who processes Personal Data on behalf of the Controller without being subject to his direct authority.
1.8 Processing: any action or set of actions related to Personal Data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, provision by means of transmission, distribution or any other form of making available, bringing together, relating to each other, as well as protecting, erasing or destroying data.

Topic

2.1 If the Processor only has access to the Personal Data, without an obligation to process it, the Processor will observe both the national and international laws and regulations regarding personal data and the provisions of this Data processing agreement; if and insofar as the Processor has previously notified the Processor in advance of the presence of Personal Data and the location (path) where these Personal Data are located.
2.2 If the Processor has undertaken to process Personal Data in the Agreement, the Processor will do this with great care and in accordance with the purposes of the processing, and will observe both national and international laws and regulations with regard to personal data and the provisions of this Data processing agreement; if and insofar as the Controller has notified the Processor in advance of the presence of Personal Data and the location of this Personal Data.

Obligations of the Controller

3.1 The Controller will notify the Processor of any changes relating to the Processing (if applicable) and any consequences thereof, in principle within 10 working days.
3.2 Controller guarantees that the order to Process the Personal Data (if applicable) is not unlawful and does not infringe the rights of third parties.

Obligations of the Processor

4.1 The Processor will only view and / or process the Personal Data if and insofar as this is necessary for the execution of the Agreement and will follow all reasonable instructions from the Controller.
4.2 Processor will not store the Personal Data in a location outside the European Economic Area. Domain registrations may require the transfer of personal data to countries outside the European Economic Area. This is then limited to what is required by the relevant registry.
4.3 The Processor guarantees that its Personnel will comply with the provisions of this Data processing agreement, if and insofar as they are involved in any way with the Processing of Personal Data. The Processor’s employees are bound by a duty of confidentiality.
4.4 Processor has appointed a data protection officer.
4.5 At the Controller’s first request, the Processor will immediately provide all copies of the Personal Data originating from and / or processed on behalf of the Controller or, if requested, destroy them.
4.6 Processor will take appropriate technical and organizational security measures to protect the Personal Data against loss and against unlawful processing. These measures ensure, taking into account the state of the art and the costs of its implementation, an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected.
4.7 Processor keeps a register of all categories of processing activities that it has performed on behalf of the Controller.
4.8 The Processor provides the Controller with full and timely cooperation to allow the Data Subjects to have access to their personal data, to have their personal data deleted or corrected, and / or to demonstrate that these personal data have been removed or corrected, or, if the Data Controller disputes the Data Subject’s point of view, to record that the Data Subject considers his personal data to be incorrect.
4.9 Processor will take adequate internal controls to fulfill the obligations under this Agreement and record them in a manner that allows for easy monitoring of compliance. When Processing Personal Data, activities and incidents related to the Personal Data are recorded in log files.
4.10 On the instructions of the Controller, the Processor cooperates with encrypting and anonymizing the Personal Data. If this leads to higher costs for the Processor, the Controller will reimburse these costs.
4.11 The Controller can have the Processing of Personal Data checked once a year for correct compliance with the Data processing agreement by means of an investigation by an independent register EDP Auditor. The Auditor will be required to observe secrecy. Processor will provide all information requested by the Auditor. The Auditor will report to Controller in general terms, but will not disclose details of security measures taken. The costs of the investigation are for the account of the Controller.
4.12 The content and scope of the Processing Order and the compensation to be paid for this is in accordance with that which is regulated in the Agreement. Processor will follow instructions from Controller with regard to the processing and / or storage of Personal Data.

Subprocessor

5.1 Processor may outsource the performance of the Data processing agreement in whole or in part to a Subprocessor. The Processor remains the contact point for the Controller at all times and is responsible for compliance with the provisions of this Data processing agreement.
5.2 The Processor will impose on the Sub-processor the same obligations that arise for itself from this Data processing agreement, record this in writing in a contract, and supervise compliance by the Sub-processor. Processor is fully liable to Controller for the consequences of outsourcing work to a Subprocessor.

Provision of Personal Data

6.1 The Processor is not permitted to provide Personal Data to anyone other than the Controller, except on the basis of a legal obligation or for the benefit of the agreement with the Controller.
6.2 If the Processor is obliged to provide Personal Data on the basis of a legal obligation, the Processor will:

Security

7.1 Controller and Processor shall take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, so that the Processing complies with the requirements of the GDPR and other Applicable Laws and Regulations regarding the Processing of Personal Data and the protection of Data Subjects’ rights is guaranteed. The security measures taken by the Processor are included in Appendix A.
7.2 Controller and Processor will make every effort to protect and keep the Personal Data secure against intruders and against external calamities as well as against careless processing, unlawful provision or unauthorized provision and against loss, destruction or damage. Both parties ensure that their IT facilities and equipment are physically protected against unauthorized access and against damage and malfunction and take measures to prevent unauthorized access to information systems.
7.3 Controller and Processor will continuously monitor whether the processing systems used (continue to) meet adequate requirements of confidentiality, integrity, availability and resilience (rapid recovery after temporary unavailability).
7.4 If the Controller requests this in writing, the Processor will take special measures with regard to the designated (categories of) Personal Data for the security and / or confidentiality thereof. If this leads to higher costs for the Processor, the Controller will reimburse these costs.

Data breach

8.1 When a Data Leak occurs at the Processor, the Processor will report this immediately, but in any case within 24 hours, to the Controller, stating the nature of the Data Leak, the (suspected) consequences thereof and the measures taken to remedy or limit the consequences.

Confidentiality

9.1 All data of the Controller and its customers are confidential and will be treated as such by the Processor. Processor is obliged to observe secrecy with regard to all Personal Data and information that it processes, or that it becomes aware of in the context of the Agreement or this Data processing agreement.
9.2 Confidentiality does not apply to information:

Intellectual property

10.1 All Intellectual Property Rights, including copyrights, database rights and all other intellectual property rights as well as similar rights to protect information on the collection of data and Personal Data, copies or edits thereof, rest with the Controller (or a customer of the Controller).
10.2 All intellectual property rights – including copyrights, database rights and all other intellectual property rights as well as similar rights to protect information – on the Processor’s products and services are vested in the Processor.

Liability and insurance

11.1 The Processor is liable for damage suffered by the Controller and fines that the Controller forfeits as a result of the breach or violation by the Processor of regulations under or pursuant to the Personal Data Protection Act and / or European regulations and guidelines with regard to the protection of personal data and / or other laws and regulations in this regard and / or this Data processing agreement.
11.2 The liability of the Processor for damage and / or forfeited fines suffered by the Controller, as referred to in Article 11.1, is limited to € 10,000 per event. This limitation of liability lapses if and insofar as the damage is the result of intent or gross negligence (deliberate recklessness) on the part of the Processor.
11.3 Controller will indemnify Processor against claims from third parties (especially Data Subjects) and any damage resulting from this, based on non-compliance with regulations under or pursuant to the Personal Data Protection Act and / or European regulations and guidelines with regard to the protection of personal data and / or other relevant laws and regulations and / or this Data processing agreement.
11.4 The Processor undertakes to cover the risks as referred to in Articles 11.1 to 11.2 by means of a liability insurance.

Duration and termination

12.1 The Data processing agreement will take effect when the general terms and conditions have been accepted.
12.2 The provisions regarding the duration and termination of the Agreement count as provisions regarding the duration and termination of the Data processing agreement. If the Agreement ends for any reason, the Data processing agreement also ends.
12.3 In the event of termination of the Data processing agreement the Processor will transfer all Personal Data to the Controller, or, at the explicit written request of the Controller, destroy the Personal Data that the Processor has in its possession.
12.4 Obligations that, by their nature, are intended to continue even after termination of the Data processing agreement, will continue to apply after termination. These obligations include, inter alia, the provisions regarding confidentiality, transfer and destruction, liability and applicable law.

Dissolution

13.1 Each Party can dissolve the Agreement in whole or in part if the other party culpably fails to fulfill the Data processing agreement and the shortcoming has not been remedied even after notice of default, without prejudice to the right to compensation.
13.2 Either Party can dissolve the Agreement in whole or in part with immediate effect without notice of default if the other party is granted a moratorium, if bankruptcy is filed against the other party, or if the other party’s company is liquidated or terminated other than for reconstruction or merger of companies.

Others

14.1 Amendments to this Agreement or additions thereto will be agreed in writing between the Processor and the Controller. Any changes or additions will be set out in an addendum to this agreement and will be binding if this addendum is signed by both Parties.
14.2 Any disputes arising from this agreement, after an attempt to resolve the dispute in mutual consultation has proved to be unsuccessful, will be settled by arbitration in accordance with the rules and procedures of the Netherlands Arbitration Institute, whereby the arbitrator(s) will apply Dutch law.

Appendix A – Security measures

The measures with which the Processor complies as a minimum:
1. The Processor will take measures to secure the processing of the data and to guarantee privacy.
2. The Processor’s employees involved in the processing of personal data are bound by a duty of confidentiality or integrity code.
3. All employees of the organization and, where applicable, hired personnel and external users receive appropriate training and regular further training in the organization’s information security policies and procedures, as relevant to their role. Within the training and further training, explicit attention is paid to the handling of personal data.
4. IT facilities and equipment are physically protected against unauthorized access and against damage and malfunction.
5. There are procedures to provide authorized users with access to the information systems and services they need to perform their duties and to prevent unauthorized access to information systems.
6. When transporting confidential information over networks explicitly designated as such by the Controller, adequate encryption must always be used.
7. For the management of certificates and the associated keys, a current key plan applies in which powers and segregation of duties are guaranteed.
8. There are procedures for the acquisition, development, maintenance and destruction of data and information systems.
9. Activities that users perform (with personal data) are recorded in log files. The same applies to other relevant events, such as attempts to gain unauthorized access to personal data and disruptions that can lead to mutilation or loss of personal data. Logging of specific data is possible based on customization via a quote.
10. Security measures are built into all application systems, including adequate access control.
11. The network and information systems are actively monitored and managed. There is also a procedure available to deal with any data breaches. Part of this is informing the Controller.
12. The Processor installs, in a timely manner, the solutions that the suppliers release for security breaches. All this only if and insofar as the relevant software has been / is supplied, or used, or maintained by the Processor on behalf of the Controller.
13. There are procedures for dealing with information security incidents and security vulnerabilities in a timely and effective manner, as soon as they are reported.
14. The Controller reports data breaches that are subject to a statutory reporting obligation to the relevant supervisory authority (usually the Dutch Data Protection Authority).