Data Processing Agreement
Contract number: […].
- [full name and legal form of the contracting party],
which has its registered office in [place],
legally represented in this matter by
…………… (and …………..) [signatory’s name],
hereafter referred to as ‘the Controller’,
- PNO Consultants B.V., which has its seat in Rijswijk,
legally represented in this matter by
[signatory’s name and position],
hereafter referred to as ‘the Contractor’,
jointly referred to as ‘the Parties’;
• Insofar as the Contractor processes Personal Data for the Controller in the context of the Contract, the Controller, under article 4 (7) and (8) of the Regulation, qualifies as a controller for the Processing of Personal Data and the Contractor as a processor;
• The Parties to this Data Processing Agreement, as referred to in article 28, paragraph 3 of the Regulation, wish to record their agreements on the Processing of Personal Data by the Contractor.
AGREE AS FOLLOWS:
Article 1 Definitions
The following terms are defined below for the purposes of this Data Processing Agreement:
1.1 Data Subject: the natural person to whom the Personal Data relates.
1.2 Personal Data Breach: a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, Personal Data that has been transmitted, stored or otherwise processed.
1.3 Contract: the Contract between the Controller and the Contractor [name] dated [date], reference number [number].
1.4 Personal Data: any data concerning an identified or identifiable natural person that is processed by the Contractor for the Controller in the context of the Contract.
1.5 Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.6 Data Processing Agreement: this agreement including its recitals and the accompanying schedules.
1.7 Processing: any operation or any set of operations concerning Personal Data or any set of Personal Data, carried out in the context of the Contract via automated or manual procedures, including in any case the collection, recording, organisation, structuring, storage, updating or modification, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
Article 2 Object of this Data Processing Agreement
2.1 This Data Processing Agreement governs the Processing of Personal Data by the Contractor in the context of the Contract.
2.2 The nature and purpose of the Processing, the type of Personal Data and the categories of Personal Data, Data Subjects and recipients are set out in Schedule 1.
2.3 The Contractor ensures that the appropriate technical and organisational measures will be taken, in order to ensure that Processing complies with the requirements of the Regulation and that the rights of the Data Subject(s) are protected.
2.4 The Contractor ensures compliance with the requirements of the applicable legislation relating to the Processing of Personal Data.
Article 3 Entry into force and duration
3.1 This Data Processing Agreement enters into force as soon as it has been signed by both Parties.
3.2 This Data Processing Agreement terminates once, and insofar as, the Contractor has deleted or returned all Personal Data in accordance with article 10.
3.3 Neither of the Parties may terminate this Data Processing Agreement before the Contract terminates.
Article 4 Scope of Contractor’s Processing competence
4.1 The Contractor will Process the Personal Data exclusively for, and on the basis of, written instructions from the Controller, barring statutory rules to the contrary that apply to the Contractor.
4.2 If any instruction as referred to in paragraph 1 is deemed by the Contractor to contravene a statutory rule on data protection, the Contractor will notify the Controller of this prior to Processing, unless a statutory rule prohibits such notification.
4.3 If the Contractor is obliged to disclose Personal Data on the basis of a statutory rule, it will inform the Controller immediately, if possible prior to the disclosure.
4.4 The Contractor will have no control over the purpose or means of the Personal Data Processing.
Article 5 Security measures
5.1 In accordance with article 32 of the Regulation, the Contractor will implement all appropriate technical and organisational security measures to protect the Personal Data against a Personal Data Breach.
5.2 The Parties recognise that guaranteeing an appropriate level of security may require additional security measures to be implemented on an ongoing basis. The Contractor guarantees an appropriate level of security having regard to the risks entailed.
5.3 At the express written request of the Controller, the Contractor will adopt additional measures to ensure the security of the Personal Data.
5.4 The Contractor will not process any Personal Data outside a European Union member state, unless it has obtained express written approval to do so from the Controller and barring statutory obligations to the contrary.
5.5 If the Contractor discovers any illegal or unauthorised Processing, or any infringement of the security measures referred to in paragraphs 1 and 2, it will inform the Controller without undue delay.
5.6 The Contractor will assist the Controller in ensuring compliance with the obligations under articles 32 to 36 inclusive of the Regulation.
Article 6 Duty of confidentiality – Contractor’s staff
6.1 The Contractor will not divulge in any way any information that comes to its knowledge in performing the Contract and which it knows or may reasonably be assumed to know is confidential, except in so far as it is compelled to divulge such information under a statutory regulation or court ruling.
6.2 The Contractor will impose the same duty of confidentiality on its staff and will ensure that they fulfil it.
Article 7 Subprocessor
7.1 In performing the Contract, the Contractor may make use of third-party services only after it has obtained the Controller’s consent. The Controller will not withhold its consent without good reason. It may attach conditions to its consent.
7.2 The fact that the Controller has given its consent does not affect the Contractor’s own responsibility and liability for discharging the obligations imposed on it under the Contract.
7.3 If the Contractor engages another processor to carry out Processing activities for the Controller, the other processor must be bound by an agreement imposing the same data protection obligations as those imposed by this Data Processing Agreement.
Article 8 Assistance concerning rights of Data Subjects
The Contractor will assist the Controller in fulfilling its obligation to respond to requests from Data Subjects to exercise the rights set out in chapter III of the Regulation.
Article 9 Personal Data Breach
9.1 The Contractor will inform the Controller without undue delay after becoming aware of any Personal Data Breach, in accordance with article 33 of the Regulation.
9.2 After reporting a Personal Data Breach as described in paragraph 1, the Contractor will also keep the Controller informed of developments relating to that Personal Data Breach.
9.3 Each of the Parties will bear any costs they incur in connection with reporting incidents to the competent supervisory authority and the Data Subject.
Article 10 Return or erasure of Personal Data
Once the Contract expires, the Contractor will erase the Personal Data or return it to the Controller, whichever the Controller prefers. The Contractor will delete any copies, barring statutory rules to the contrary.
Article 11 Obligation to supply information and audit obligation
11.1 The Contractor will provide all necessary information to show that the obligations set out in this Data Processing Agreement have been and will be fulfilled.
11.2 The Contractor will provide all necessary cooperation with respect to audits.
Done on the later of the two dates stated below and signed in duplicate.
[Place], [date] Rijswijk, [date]
For [Controller] For PNO Consultants B.V.
[signatory’s name] [signatory’s name]
[signatory’s position] [signatory’s position]
Schedule 1 Processing Personal Data
This Schedule must in any case specify:
1 The nature and purpose of the Processing activities
2 The type of Personal Data
3 The categories of Personal Data
4 The categories of Data Subjects
5 The categories of Personal Data recipients
The information in the Controller’s records, obligatory under article 30 of the Regulation, can be used to complete this schedule.