Data Processor Agreement – Example
This data processor agreement is an example and not legally binding and therefore cannot be treated as such.
Article 1. Purposes of processing
1.1 Processor undertakes to process personal data on behalf of the Controller under the terms and conditions of this Data Processor Agreement. Processing shall only be carried out within the scope of the Purposes.
1.2 The Processor shall take no independent decisions on the processing of the personal data for other purposes, including on the provision thereof to third parties and the duration of storage of data. The control over personal data granted to Processor under this Data Processor Agreement or other agreements between the Parties, as well as over data processed by the Processor in said context, is vested in the Controller.
1.3 The personal data to be processed on the instructions of the Controller shall remain the property of the Controller and/or the relevant data subjects.
Article 2. Obligations of the Processor
2.1 With respect to the processing operations set out in Article 1, the Processor shall ensure compliance with applicable laws and regulations, including in any event the laws and regulations governing the protection of personal data, such as the Personal Data Protection Act.
2.2 The Processor will inform the Controller, upon first request, regarding the measures it has implemented in respect of its obligations under this Data Processor Agreement.
2.3 The obligations of the Processor under this Data Processor Agreement shall also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
Article 3. Transfer of personal data
3.1 The Processor may process the personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited without prior written consent of Controller.
3.2 Processor will inform Controller which country or countries are involved.
Article 4. Allocation of responsibilities
4.1 Processor shall provide ICT resources for the purpose of the processing operations, which may be used by Controller for the purposes listed above. Processor himself/herself shall only perform processing operations on the basis of separate agreements.
4.2 Processor shall solely be responsible for the processing of personal data under this Data Processor Agreement, in accordance with the instructions of Controller and under the explicit responsibility or final responsibility of Controller. Processor shall expressly not be responsible for other processing operations of personal data, including in any event but not limited to the collection of personal data by the Controller, processing operations for purposes that have not been reported to Processor by Controller, processing operations by third parties and/or for other purposes.
4.3 Processor guarantees that the content, use and assignment for the processing operations of personal data within the meaning of this Agreement, are not unlawful and do not infringe on any rights of a third party.
Article 5. Security
5.1 Processor will endeavour to implement adequate technical and organisational measures with regard to the processing operations of personal data to be carried out, against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or transmission of personal information).
5.2 In any event, Processor shall have implemented the following measures:
- Logical access control through the use of passwords
- Physical measures for access security
5.3 Processor does not guarantee that the security is effective under all conditions. If a specifically described form of security is absent from the Data Processor Agreement, Processor will endeavour to ensure that the security will be of such a level that is not unreasonable, given the state of the art, the sensitivity of the personal data and the costs associated with implementing the security.
5.4 Controller shall only provide Processor with personal data for the purpose of processing, if it has been assured that the required security measures have been implemented. Controller is responsible for compliance with the measures agreed by the Parties.
Article 6. Duty to report
6.1 In the event of a security breach and/or a data breach, Processor shall immediately notify the Controller, or within 24 hours after the occurrence of the breach, following which the Controller shall assess whether or not to inform the data subject(s) and/or the relevant supervisor(s). Processor guarantees that the information provided is complete, correct and accurate. The duty to report shall apply irrespective of the impact of the breach.
6.2 If required by laws and regulations, Processor will cooperate in informing the relevant authorities and/or data subjects.
6.3 The duty to report shall at least include reporting the fact that there has been a breach, as well as:
- the (alleged) cause of the breach
- the (as yet known and/or expected) result
- the (proposed) solution
Article 7. Handling requests of the data subjects
7.1 In the event a data subject sends a request for inspection, in accordance with Article 35 of the Personal Data Protection Act, or for correction, addition, modification or protection as provided for in Article 36 of the Personal Data Protection Act, Processor shall forward such a request to Controller and Controller will further handle the request. Processor may inform the data subject accordingly.
Article 8. Secrecy and confidentiality
8.1 All personal data Processor receives from Controller and/or collects itself under this Data Processor Agreement is subject to a duty of confidentiality towards third parties. Processor will not use this information for any purpose other than those for which it has been acquired, even if it has been converted into such a form that it cannot be traced to the data subjects.
8.2 This duty of confidentiality shall not apply where Controller has given express consent to disclose the information to third parties, if disclosure of the information to third parties is logically necessary given the nature of the assignment and the performance of this Data Processor Agreement, or if there is a legal obligation to disclose the information to a third party.
Article 9. Audit
9.1 Controller shall have the right to conduct audits to verify compliance with all points of the Data Processor Agreement and everything directly related to this.
9.2 This audit may be carried out once a year and in the event of specific grounds for suspicion of abuse of personal data.
9.3 Processor will cooperate in the audit and provide all information reasonably relevant to the audit in a timely manner, including supporting data such as system logs, and staff.
9.4 The findings of the audit carried out will be assessed by the Parties by mutual agreement, and the Parties shall decide by mutual agreement whether or not the findings are to be implemented by either Party or jointly by both Parties.
9.5 The costs of the audit shall be borne by Controller.
Article 10. Liability
10.1 The liability of Processor for damages resulting from an attributable failure in the performance of the Data Processor Agreement or from a wrongful act or otherwise, is excluded. Where the said liability cannot be excluded, this shall per event (a sequence of events is considered as one event) be limited to the direct damage, with a maximum amount equal to the fees received by the Processor for the work under this Data Processor Agreement for the month preceding the injurious event. The liability of Processor for direct damage shall never exceed the amount of fees received for the work under the Data Processor Agreement for the three months preceding the injurious event.
10.2 Direct damage is exclusively understood to mean all damage consisting of:
- damage directly caused to tangible objects (“property damage”);
- reasonable and demonstrable costs incurred to remind the Processor to properly perform the Data Processor Agreement (again);
- reasonable costs incurred to determine the cause and the extent of the damage, insofar as related to direct damage as here intended; and
- reasonable and demonstrable costs incurred by Controller to prevent or limit the direct damage within the meaning of this article.
10.3 The liability of the Processor for indirect damage is excluded. Indirect damage shall include all damage that is not direct damage and therefore in any case, but not limited to, consequential damage, lost profits, lost savings, loss of goodwill, loss due to business interruption, loss due to not determining marketing purposes, damage relating to use of information or data files prescribed by Controller, or loss, alteration or destruction of data or data files.
10.4 The exclusions and limitations set out in this Article shall not apply if and insofar as the damage is the result of intent or deliberate recklessness of Processor or its management.
10.5 Unless performance by Processor is permanently impossible, the liability of Processor due to attributable failure in the performance of the Agreement shall arise only if Controller gives Processor immediate written notice of default, specifying a reasonable period to rectify the failure and Processor continues to imputably fail in the performance of its obligations even after such period. The notice of default must contain the most complete and detailed description possible of the failure, allowing Processor to respond adequately.
10.6 Any claim to damages by Controller against Processor that is not specified and has not been explicitly reported shall be extinguished by the mere lapse of twelve (12) months after the claim arises.
Article 11. Duration and termination
11.1 This Data Processor Agreement is concluded at the moment Controller has notified Processor of acceptance.
11.2 This Data Processor Agreement has been entered into for an unspecified period of time. A notice period of one month shall be observed.
11.3 Once the Data Processor Agreement for any reason and in any manner whatsoever, is terminated, Processor shall delete and/or destroy all personal data in its possession, including any copies thereof.
11.4 Parties may only amend this Agreement by mutual consent.
Article 12. Governing law and dispute resolution
12.1 The Data Processor Agreement and its implementation shall be governed by Dutch law.
12.2 All disputes relating to the Data Processor Agreement that may arise between the Parties will be submitted to the competent court for the district in which the Processor has its registered office.