Parties:
Companies that have placed an order, the details of which are known and which has been executed, hereinafter referred to as the Data Controller
and
PaceX B.V., Marktweg 71, 8451CD Oudeschoot, hereinafter referred to as the Processor
considering that
The data controller wants certain forms of processing to be carried out by the processor, whereby the data controller specifies the purpose and means,
The processor is willing to do so and is also willing to comply with obligations regarding security and other aspects of the General Data Protection Regulation (hereinafter: 'GDPR'), as far as it is within its power,
Parties, also considering the requirement from Article 28, paragraph 3 of the GDPR, wish to document their rights and obligations in writing,
have agreed on the following
Agreement:
- Scope of application
1.1 This agreement applies insofar as one or more processing activities listed in Appendix 1 occur during the provision of services under the Main Agreement.
1.2 The processing activities in Appendix 1 that take place during the provision of the services will hereinafter be referred to as "the Processing." The personal data processed in this context will be referred to as "the Personal Data."
1.3 With regard to the Processing, the Data Controller is the data controller and the Processor is the processor. The natural persons who actually use the services of the Processor under the Main Agreement and, if applicable, their representatives, are hereinafter also referred to as "the End Users."
1.4 All terms in this agreement have the meaning assigned to them in the GDPR.
- Purposes of processing
2.1 The Processor agrees, under the terms of this Processor Agreement, to process personal data on behalf of the Data Controller. Processing will only take place for the purpose of executing the purchased ICT services in the context of Cloud, Security, Web & Software. These services may include: using PaceX software on one's own computer system or on a system hosted by PaceX B.V., together with the purposes that are reasonably related to them or that are determined with further consent. The Processor will only process the (special) personal data that have been provided by the Data Controller to the Processor for the purposes established in this Processor Agreement, at the request of the Data Controller. The Processor will not process the personal data for any other purpose than as established by the Data Controller. The Data Controller will inform the Processor of the processing purposes to the extent that these have not already been mentioned in this Processor Agreement. The categories of personal data and processing purposes are further described in Appendix 1.
2.2 The personal data to be processed on behalf of the Data Controller remain the property of the Data Controller and/or the relevant data subjects.
2.3 The data controller ensures that it will maintain a register of the processing activities governed by this Processor Agreement. The data controller indemnifies the processor against all claims and demands related to the failure to comply with the registration obligation or the incorrect compliance with it.
- Processor Obligations
3.1 With regard to the processing mentioned in Article 1, the Processor shall ensure compliance with the applicable laws and regulations, including, in any case, the laws and regulations concerning the protection of personal data, such as the GDPR.
3.2 The Processor shall inform the Controller, at its first request, about the measures it has taken regarding its obligations under this Processor Agreement.
3.3 The obligations of the Processor arising from this Processor Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
3.4 The Processor shall provide the Controller with the necessary cooperation when a data protection impact assessment (DPIA) or prior consultation with the supervisory authority is required in the context of processing.
- Transfer of personal data
4.1 The processor may process personal data in countries within the European Union. Transfer to countries outside the European Union is prohibited.
4.2 The Processor only shares stored data from the Data Controller in the PaceX software with Marketers on behalf of the Data Controller. This is done through an automated process.
- Distribution of responsibility
5.1 The permitted processing will be carried out by the Processor within a (semi-) automated environment.
5.2 The Processor is solely responsible for the processing of personal data under this Processor Agreement, in accordance with the instructions of the Data Controller and under the express (final) responsibility of the Data Controller. For other processing of personal data, including but not limited to the collection of personal data by the Data Controller, processing for purposes not communicated by the Data Controller to the Processor, processing by third parties, and/or for other purposes, the Processor is expressly not responsible.
5.3 The data controller guarantees that the content, use, and assignment of the processing of personal data as referred to in this Agreement is not unlawful and does not infringe on any rights of third parties.
- Engaging sub-processors
6.1 The Data Controller hereby grants the Processor permission to use a Sub-Processor in the processing of personal data, based on this Data Processing Agreement, in compliance with applicable privacy legislation.
6.2 An overview of the Sub-processors engaged by the Processor is included in Appendix 2. The Data Controller has the right to object to any Sub-processors engaged by the Processor. When the Data Controller objects to the Sub-processors engaged by the Processor, the Parties will consult with each other to reach a solution.
6.3 The Processor ensures that these Sub-processors take on the same obligations in writing as those agreed upon between the Data Controller and the Processor regarding the processing of personal data.
- Security
7.1 The processor shall take appropriate technical and organizational measures regarding the processing of personal data to protect against loss or any form of unlawful processing (such as unauthorized access, alteration, modification, or disclosure of personal data).
7.2 In the data center from which the services are provided, at least the following measures have been taken:
- Logical access control, optionally using: passwords, personal access cards, biometric verification;
- Physical measures for access security;
- Encryption of digital backup files containing personal data;
- Organizational measures for access security;
- Sample-based compliance checks;
- Security of network connections via Secure Sockets Layer (SSL) technology;
- A secure internal network;
- Purpose-specific access restrictions;
- Control over granted authorities.
7.3 The Processor does not guarantee that the security is effective under all circumstances. If a specifically described security measure is absent from the Processor Agreement, the Processor will make efforts to ensure that the security meets a level that, considering the state of technology, the sensitivity of the personal data, and the costs associated with implementing the security, is not unreasonable.
7.4 The Data Controller only provides personal data to the Processor for processing if it has ensured that the required security measures have been implemented. The Data Controller is responsible for compliance with the measures agreed upon by the Parties.
- Reporting obligation
8.1 In the event of a data breach (defined as a security incident that accidentally or unlawfully leads to the destruction, loss, alteration, or unauthorized disclosure of or access to transmitted, stored, or otherwise processed data) concerning the personal data of the Data Controller, the Processor shall inform the Data Controller without delay, and at the latest within 24 hours after the breach becomes known to the Processor, after which the Data Controller will assess whether to inform the affected individuals and/or the relevant supervisory authorities. The Processor makes every effort to ensure that the information provided is complete, correct, and accurate. The reporting obligation applies regardless of the impact of the breach.
8.2 If required by law and/or regulations, the Processor will cooperate in informing the relevant authorities and/or parties involved.
8.3 The reporting obligation includes at least reporting the fact that there has been a leak. In addition, the reporting obligation includes:
- the date on which the leak occurred (if no exact date is known: the period during which the leak occurred);
- what the (alleged) cause of the leak is;
- the date and time when the leak became known to the Processor or to a third party or subcontractor engaged by it;
- a description of the group of individuals whose data has been leaked, including the type or types of personal data that have been leaked;
- whether the data has been encrypted, hashed, or otherwise made incomprehensible or inaccessible to unauthorized persons;
- what the intended and/or already undertaken measures are to seal the leak and to mitigate the consequences of the leak;
- contact details for the follow-up of the report.
- Handling requests from data subjects
9.1 In the event that a data subject submits a request to exercise his/her legal rights to the Processor, the Processor will forward the request to the Controller and inform the data subject of this. The Controller will then handle the request independently.
9.2 In the event that a data subject submits a request to exercise one of their legal rights to the Data Controller, the Processor shall, if the Data Controller requests this, provide assistance to the extent that it is possible and reasonable. The Processor may charge reasonable costs to the Data Controller for this.
- Confidentiality and secrecy
10.1 All personal data that the Processor receives from the Controller and/or collects itself in the context of this Processor Agreement is subject to a confidentiality obligation towards third parties. The Processor will not use this information for any purpose other than that for which it was obtained, even if it has been rendered in such a form that it cannot be traced back to the data subjects.
10.2 This confidentiality obligation does not apply insofar as the Data Controller has given explicit consent to disclose the information to third parties, if the provision of the information to third parties is logically necessary given the nature of the assignment provided and the execution of this Processor Agreement, or if there is a legal obligation to provide the information to a third party.
- Audit
11.1 The data controller has the right to have audits conducted by an independent ICT expert who is bound by confidentiality to verify compliance with all points of the Data Processing Agreement.
11.2 This audit will only take place after the Data Controller has requested and reviewed the similar audit reports available from the Processor and has provided reasonable arguments justifying an audit of its own. Such an audit is justified when the similar audit reports available from the Processor do not provide sufficient clarity regarding the Processor's compliance with this Processor Agreement. The audit initiated by the Data Controller will take place two weeks after prior notice from the Data Controller, and no more than once a year.
11.3 In the event of an audit, all reasonably relevant information, including supporting data such as system logs, and employees will be made available as promptly as possible and within a reasonable timeframe, with a maximum period of two weeks being considered reasonable. The data controller will ensure that the audit has as little disruptive effect on the other operations of the processor as possible.
11.4 The findings resulting from the conducted audit will be assessed by the Parties in mutual consultation and, based on that, may or may not be implemented by one of the Parties or by both Parties jointly.
11.5 The costs of the audit will be borne by the Data Controller.
- Liability and penalty provisions
12.1 The Processor is only liable for direct damage that results from an attributable shortcoming in the fulfillment of this Processor Agreement and that has arisen from the activities of the Processor. The Processor is not liable for indirect damage, unless the Data Controller proves that it was caused by intent or equivalent gross negligence of the management of the Processor.
12.2 The liability of the Processor is limited per event (a series of consecutive events is considered one event) to the compensation for direct damage, up to a maximum amount of the fees received by the Processor for the work under this Processor Agreement over the three months preceding the damaging event. The liability of the Processor for direct damage shall never exceed EUR 15,000 in total.
12.3 Direct damage is understood to mean exclusively all damage consisting of:
- damage directly caused to tangible property (“property damage”);
- reasonable and demonstrable costs to urge the Processor to comply (again) properly with the Processor Agreement;
- reasonable costs for determining the cause and extent of the damage insofar as it relates to the direct damage as intended here; and
- reasonable and demonstrable costs incurred by the Data Controller to prevent or limit the direct damage as referred to in this article.
12.4 Indirect damage is understood to mean all damage that is not direct damage and includes, but is not limited to, consequential damage, lost profits, missed savings, reduced goodwill, damage due to business stagnation, damage due to the failure to determine marketing objectives, damage related to the use of data or databases prescribed by the Data Controller, or loss, alteration, or destruction of data or databases.
12.5 The exclusions and limitations referred to in this article shall cease to apply if and to the extent that the damage is the result of intent by the Processor or its management.
12.6 Unless compliance by the Processor is permanently impossible, the liability of the Processor for attributable failure to comply with the Agreement arises only if the Data Controller promptly notifies the Processor in writing of the default, setting a reasonable period for remedying the default, and the Processor continues to fail to comply with its obligations after that period. The notice of default must contain as complete and detailed a description of the default as possible, so that the Processor is given the opportunity to respond adequately.
12.7 Any claim for damages by the Data Controller against the Processor that has not been specified and explicitly reported shall expire solely by the passage of twelve (12) months after the occurrence of the claim.
- Duration and termination
13.1 This Processor Agreement comes into effect upon signature by the Parties, on the date of the last signature.
13.2 This Processor Agreement is entered into for the duration as specified in the main agreement between the Parties and, in the absence thereof, for the duration of the collaboration.
13.3 As soon as the Processor Agreement is terminated, for whatever reason and in whatever manner, the Processor will return all personal data in its possession, in original or copy form, to the Data Controller, and thereafter delete and/or destroy this data and any copies thereof.
13.4 The parties may only amend this agreement with mutual consent.
- Applicable law and dispute resolution
14.1 The Processor Agreement and its execution are governed by Dutch law.
14.2 All disputes that may arise between the Parties in connection with the Processor Agreement shall be submitted to the competent court for the district in which the Processor is located.
14.3 The general terms and conditions of PaceX apply to all services provided. A copy will be sent upon request.