Data Processing Agreement
Pursuant to Article 28 GDPR between:
- the Customer, hereafter: “Controller”
and
- Taalhammer BV, Nachtwachtlaan 298, 1058EK Amsterdam, Netherlands, hereafter: “Processor”
- Data Processing Agreement
- § 1 Subject and Duration of Processing
- § 2 Scope, type and purpose of processing
- § 3 Type of personal data
- § 4 Data subjects
- § 5 Rights and obligations of the Controller; Monitoring rights
- § 6 Obligations of the Processor
- § 7 Place of Performance
- § 8 Sub-processing
- § 9 Technical and organisational measures
- § 10 Liability
- § 11 Erasure and return of personal data
- § 12 Final provisions
- APPENDIX – Technical and organizational measures
The Controller (data controller) and the Processor agree to the following contract for data processing in accordance with Art. 28 of the European General Data Protection Regulation (“GDPR”). Based on the existing contractual relationship between the two parties (“Main Contract”), the Processor processes personal data on behalf of the Controller. The rights and duties related to data protection arising from this contract are specified in this data processing agreement (“DPA”). The appendices to this contract are part of the DPA. The provisions agreed upon apply to all services provided by the Processor for the Controller and all activities connected to said services that involve or may involve processing of personal data.
§ 1 Subject and Duration of Processing
a) The subject of this contract is the processing of personal data (hereafter: data) by the Processor for the Controller, on their behalf and according to their instructions. The Processor will undertake processing of personal data in order to allow the employees and staff of the Controller to use the Processor’s language learning app. The subject and duration of this DPA conform, in addition, to those of the Main Contract.
b) The Controller can terminate this contract and the Main Contract at any time without notice in the event that the Processor has seriously violated the conditions of this DPA. Such a violation has occurred, in particular, if the Processor uses the Controller’s data for purposes other than those listed in this DPA or violates a principal obligation arising from this DPA.
c) Even if the serious violations listed above have not occurred, the Controller has the right to terminate this DPA and the Main Contract without notice in the event that the Processor has violated this DPA repeatedly. In order to do so, the Controller must provide prior written notification or a notification in text form that the DPA is being violated.
§ 2 Scope, type and purpose of processing
The scope, type and purpose of the personal data to be processed is derived from the Main Contract signed by the two parties. In particular, the Processor will carry out the following processing on behalf of the Controller:
- provision of, set-up and maintenance of the Processor’s language learning app to and for the Controller’s employees.
§ 3 Type of personal data
The Processor will receive access to the following personal data (either because the Controller provides the data to them or allows them to access the data), and/or the Controller allows the Processor to collect the following personal data:
- Controller employee email addresses
- Usage data
- Data regarding employee activities on taalhammer.com (for example the language being learned, the native language, time spent learning the language and completed lessons)
§ 4 Data subjects
The data listed above will be collected on the following data subjects:
- The Controller’s staff, employees and other personnel
§ 5 Rights and obligations of the Controller; Monitoring rights
a) The Controller shall be solely responsible for determining whether data processing is permissible and for protecting the rights of data subjects and is therefore the data controller as defined in Art. 4 Paragraph 7 GDPR.
b) The Controller will instruct the Processor as to the type and scope of processing of personal data.
c) Before the contract and associated data processing begins, and then regularly afterwards, the Controller has the right, after providing the Processor with adequate advance notice and during regular business hours, to ensure that the Processor is in compliance with data security measures, specifically technical and organisational measures. The Controller may also have a third party carry out this check.
d) The Processor agrees that the Controller can, after providing a prior notice, check that data protection regulations and the stipulations of this DPA are being complied with to the scope required at any time (usually at most once per calendar year). The Controller may conduct this inspection themselves or have a third party conduct the inspection for them, in particular by requesting information and viewing the saved data and systems, as well as inspect the situation on Site.
e) The Processor must comply with any inspection measures carried out by the data protection supervisory authority in accordance with Art. 58 GDPR. They shall inform the Controller immediately after receiving notification or becoming aware of implementation of inspection measures, as well as in the event of any other queries, investigations or inquiries from the data protection supervisory authority, including in particular in the event that said measures take place as part of a prior consultation in accordance with Art. 36 GDPR, provided that the measures or queries might affect data processing services carried out by the Processor for the Controller.
f) On the Controller’s request, the Processor shall prove that they are in compliance with the required technical and organisational measures. This proof may be provided in the form of a current attestation or report (e.g., from an auditor, external Data Protection Officer, internal auditor or external data protection auditor) and where appropriate a suitable certification (e.g., in accordance with BSI-Grundschutz, ISO27001 or an approved certification process in accordance with Art. 42 GDPR) or compliance with approved codes of conduct in accordance with Art. 40 GDPR. The Controller’s right to inspect the Processor remains unaffected.
§ 6 Obligations of the Processor
a) The Processor shall be obliged to process personal data solely in the manner instructed and in accordance with the stipulations in this DPA.
b) When granting the rights of data subjects in accordance with Art. 15 et seq. GDPR (rectification, restriction of processing, erasure, notification and provision of information), the Processor will support the Controller at the first request to do so and to the extent feasible. The Processor will arrange suitable technical and organisational measures for doing so. Upon request, the Processor must rectify, erase or limit processing of personal data processed on behalf of the Controller.
c) In the event that data collected on behalf of the Controller is subject to a request for data portability in accordance with Art. 20 GDPR, the Processor will immediately provide the Controller with the relevant set of data on request. The data will be provided in a structured, common and machine-readable format.
d) In the event that a data subject contacts the Processor directly to exercise their data subject rights, the Processor must notify the Controller immediately as to this request.
e) The Processor will notify the Controller immediately in the event that they are of the opinion that an instruction given by the Controller violates legal regulations. The Processor can then delay implementing the relevant instruction until it is confirmed or amended by the Controller.
f) Once the Main Contract is terminated, the Processor is required to return all personal data in their possession acquired in connection with this contractual relationship to the Controller, and to delete said data in a manner compliant with data protection, data security and the Controller’s instructions. This includes any backups made by the Processor. Erasure in compliance with data protection and data security must be documented and the date noted, and written confirmation sent to the Controller.
g) The Processor shall ensure that employees involved in processing data from the Controller and other persons working for the Processor are forbidden from processing the data in a manner not covered by the instructions. In addition, the Processor guarantees that persons authorised to process the personal data are required to maintain confidentiality or are subject to an appropriate legal obligation to maintain secrecy. This obligation to keep the information confidential remains in effect even once the DPA has been terminated.
h) The Processor shall ensure that, in the event of a personal data breach of the Controller ́s data, it shall inform the Controller without undue delay and provide appropriate support to the Controller in its obligations pursuant to Art. 33 – 36 GDPR.
§ 7 Place of Performance
a) Processing and use of the data take place solely within the Netherlands, in a European Union Member-State or in another State party to the agreement regarding the European Economic Area. Any transfer to a third-party state requires prior permission from the Controller and may only take place when the special requirements listed in Art. 44 et seq. GDPR is fulfilled.
b) In the event that personal data is processed outside of the EU, the Processor guarantees that applicable conditions under the relevant data protection regulations for the existence of special legal requirements for processing personal data outside of the EU have been met (“legal data protection justification”). This is the case insofar as and provided that the European Commission has certified that such conditions have been met and that there is an appropriate level of protection. It is also the case in the event that processing is carried out based on suitable safeguards in accordance with Art 46 Paragraph 1(c) (Standard European data protection clauses) with additional security measures taken by the supplier. Finally, it is the case if personal data processing outside of the EU takes place solely as part of a programme that the European Commission has certified as having an appropriate level of protection (for example any agreement replacing the EU-US Privacy Shield), and that further processors fulfil the required formal and substantive conditions, have qualified as part of the programme and remain continuously qualified for the programme for the entire term of the contract.
§ 8 Sub-processing
a) The Controller agrees that the Processor may use sub-processors. The Processor will inform the Controller in each case before engaging or replacing a sub-processor.
b) The Controller may object to the change of sub-processor, provided they do so within an appropriate amount of time and for cause, by noting their objection to the body specified by the Controller. If refusal of consent is not forthcoming within the appropriate amount of time, it is assumed that the Controller has consented to the changes. If the change has been made for cause, that is for reasons of data protection, and in the event that the parties cannot agree to a solution, the Controller is granted extraordinary termination rights.
c) Should a sub-processor be engaged, doing so must continue to guarantee a level of protection equivalent to that laid out in this DPA. Nevertheless, the Processor shall remain liable at all times for every action or inaction carried out by the sub-processor engaged by the Processor, in the same manner in which they are responsible for their own actions and inactions.
d) The Processor must regularly check that the sub-processor is in compliance with their obligations. In particular, the Processor must check, in advance of signing the contract and on a regular basis during the contractual term, that the sub-processor has met the guaranteed and required technical and organisational measures needed for protection of the personal data.
e) Currently, the Processor works together with the following sub-processors in order to fulfil this DPA, and the Controller gives their permission for them to do so:
Name and Address of the Subprocessor | Description of Services |
Close CRM,New York City, NY 10011, US | Provision of marketing and CRM services |
TransIP B.V.Vondellaan 472332 AA Leiden | Data hosting (app, website, database), takes place within the EEA (Netherlands) |
§ 9 Technical and organisational measures
a) The Processor is required to comply with the basics of proper data processing in accordance with Art. 32 in conjunction with Art. 5 Paragraph 1 GDPR. They will take all required measures to secure the data and to guarantee secure data processing, in particular taking into consideration the state of the art and the reduction of any possible disadvantageous consequences to data subjects. The measures to be taken include, in particular, those measures with which an appropriate anonymisation and encryption can be guaranteed, as well as measures for protecting confidentiality, integrity, availability and capacity of the systems in use as well as measures that guarantee continuity of processing after any incidents.
b) The technical and organizational measures met by the Processor are listed in detail in the appendix to this DPA and are part of the DPA.
§ 10 Liability
a) The Processor shall be liable to the Controller in accordance with legal regulations for all damages incurred due to culpable violation of this DPA as well as due to violation of the applicable legal data protection regulations by the Processor, their employees or anyone delegated by them with implementation of the contractual stipulations during the performance of contractual services.
b) In accordance with Art. 82 GDPR, the Controller and/or the Processor are responsible for compensation of any damages that a data subject is entitled to claim based on unlawful or incorrect data processing carried out as part of the framework of this contract and in violation of the GDPR or the BDSG-neu or other data protection regulations. The Processor indemnifies the Controller inter se from all damage claims made against the Controller arising from culpable violation of the Processor’s obligations laid out in this contract.
§ 11 Erasure and return of personal data
a) The Processor may not make copies or duplicates of the data without first informing and receiving permission from the Controller, except for the purpose of data backup or the creation of technical copies for the following purposes:
- to implement processing activities as part of this DPA
- to provide proof of proper data processing
- to fulfill legal retention requirements
b) Once contractual order processing has come to an end, or earlier at the request of the Controller, but at the latest once this DPA has been terminated, the Processor will return all documents, processing results, usage results and data sets related to this DPA to the controller or – if permission has been granted – delete or destroy said items in a manner compliant with data protection regulations. The same applies to all associated test, scrap, redundant and discarded materials. A log of the deletion and/or destruction must be provided upon request.
c) Every piece of documentation that serves as proof of proper data processing in accordance with this data processing agreement may be saved by the Processor beyond the duration of this DPA in accordance with the relevant and applicable retention periods. Once the contract term has come to an end, the Processor may deliver such documentation to the Controller to ensure that they are released from this contractual obligation.
§ 12 Final provisions
a) In the event of contradictions between the terms laid out in this DPA and the regulations set out in the Main Contract, the terms of this DPA shall prevail.
b) Amendments and additions to this DPA must be made in writing and require an express statement that they change and/or add to the existing conditions. This also applies to any waiver of this formal requirement.
c) Should any provision of this DPA be or become invalid or unenforceable, the remaining provisions in this DPA shall remain unaffected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the intention of the condition to be replaced.
d) This DPA is subject to Dutch law.
e) In the event that access to the data is jeopardized by measures taken by third parties (e.g., measures taken by insolvency administrators, seizure by financial authorities, etc.), the Processor must inform the Controller as to said measures immediately.
APPENDIX – Technical and organizational measures
The Processor takes appropriate technical and organizational measures to ensure an adequate level of protection within the framework of data protection and data security of the present contractual relationship. In particular, the Processor ensures the confidentiality, integrity, availability and resilience of the systems or applications used and, among other things, implements the following measures and monitoring.
A. Confidentiality (art. 32 par. 1 Point b GDPR)
1. Physical Access Control
Measures that physically prevent unauthorized persons from accessing IT systems and data processing systems that handle personal data, as well as physically blocking sensitive files and media:
- Registration of visitors
- Reception
- Clear desk policy
- No user data files in public areas
2. Electronic Access Control / System access control
Measures to prevent unauthorized persons from processing or using data protected under data protection law:
- 2-factor authentication
- Authentication with username / password
- Secure locks
- Use of anti-virus software
- Minimum password length of 8 characters including upper case, lower case, numbers and special characters
- Tracking of document versions
- Data encryption of laptops / notebooks
- Use of a software firewall
- Administration of rights by system administrator
- Logging of deletion
3. Internal Access Control (permissions for users to access and modify data)
Measures to ensure that it is possible to subsequently verify and determine whether and by whom personal data has been entered, modified or removed from computer systems:
- Authorization concepts (differentiation between user and admin accounts)
- Regular monitoring and updating of authorizations ́ validity
- Determination of access rights on a “need-to-know” basis
- Record keeping of accesses
4. Separation Control
- E-mail addresses of users are processed separately from usage data (minutes, units, language)
- Encrypted storage of personal data whenever possible
- Software-based customer separation
- Separation of test and productive systems
5. Pseudonymisation (art. 32 par. 1 Point a GDPR; art. 25 par. 1 GDPR)
● Usage data is pseudonymized by UUIDs and hash methods
B. Integrity (art. 32 par. 1 Point b GDPR)
1. Data Transfer Control
Measures to ensure that personal data cannot be illegally read, copied, altered or removed during electronic transmission or during its transport or storage on data carriers, as well as measures that can be used to verify and establish to which places a transfer of personal data is intended:
- No unauthorized reading; encryption and authorization concepts
- copying, changes or deletions of data with electronic transfer or transport
- Virtual Private Networks (VPN)
- Documentation of data recipients and time periods of planned licensing or agreed deletion periods
- Logging procedures
2. Data Entry Control
Measures to ensure that it is possible to subsequently verify and determine whether and by whom personal data has been entered, modified or removed from computer systems:
- Tracking document versions
- Record of data entry / logging of system activities
- Document management
C. Availability and Resilience (art. 32 par. 1 Point b GDPR)
1. Availability Control
Measures to ensure that personal data is protected against accidental destruction or loss:
- Constant and redundant data backup
- Uninterruptible power supply
- Fire safety measures
- Anti-virus protection
- Firewalls
- Emergency reporting procedures, emergency response plans.
- Resilience tests to DDoS attacks
- Early warning mechanisms
- Capacity and resilience forecasting
2. Rapid Recovery (art. 32 par. 1 Point c GDPR) (art. 32 par. 1 Point c GDPR);
Measures ensuring the ability to rapidly recover the availability of and access to personal data in the event of a physical or technical incident:
- Regular backups of data
- Secure storage of database
- Incident Response Processes