This data processing agreement is applicable to all processing of
personal data to be undertaken by ProductIP B.V. (hereinafter:
Processor) for the benefit of <customer name> (hereinafter:
Controller) to whom it provides services on the basis of the agreement
concluded between these parties (hereinafter: the Agreement).
Purposes of processing
Processor hereby agrees under the terms of this Data Processing
Agreement to process personal data on behalf of the Controller.
Processing shall be done solely for the purposes set out in Appendix 1
and all purposes compatible therewith or as determined jointly.
The personal data to be processed by Processor and the categories of
data subjects involved are set out in Appendix 1 to this Data
Controller shall inform Processor of any processing purposes to the
extent not already mentioned in this Data Processing Agreement.
Processor however is permitted to use personal data for quality
assurance purposes, including surveys to data subjects and statistical
research purposes regarding the quality of Processor’s services.
All personal data processed on behalf of Controller shall remain the
property of Controller and/or the data subjects in question.
Regarding the processing operations referred to in the previous
article, Processor shall comply with all applicable legislation.
Upon first request Processor shall inform Controller about any
measures taken to comply with its obligations under this Data
All obligations for Processor under this Data Processing Agreement
shall apply equally to any persons processing personal data under
the supervision of Processor, including but not limited to employees
in the broadest sense of the term.
Processor shall inform Controller without delay if in its opinion
an instruction of Controller would violate the legislation referred
to in the first clause of this article.
Processor shall provide reasonable assistance to Controller in the
context of any privacy impact assessments to be made by Controller.
Processor shall, in accordance with Article 30 GDPR, keep a
register of all categories of processing activities which it carries
out on behalf of the Controller under this data processing
agreement. At Controller’s request, Processor shall provide
Controller access to this register.
Transfer of personal data
Processor may process the personal data in any country within the
In addition, Processor may transfer the personal data to a country
outside the European Union, provided that country ensures an adequate
level of protection of personal data and complies with other
obligations imposed on it under this Data Processing Agreement and the
GDPR, including the availability of appropriate safeguards and
enforceable data subject rights and effective legal remedies for data
Processor shall, on request, report to Controller of the countries
involved. Processor warrants that, considering the circumstances that
apply to the transfer of personal data or any category of transfers,
the country or countries outside the European Union have an adequate
level of protection.
In particular Processor shall take into account the duration of the
processing, the country of origin and the country of destination, the
general and sector-based rules of law in the country of destination
and the professional rules and security measures which are complied
with in that country.
Allocation of responsibilities
The authorised processing operations shall be performed by employees
of Processor within an automated environment.
Processor is solely responsible for the processing of personal data
under this Data Processing Agreement in accordance with the
instructions of Controller and under the explicit supervision of
Controller. For any other processing of personal data, including but
not limited to any collection of personal data by Controller,
processing for purposes not reported to Processor, processing by third
parties and/or for other purposes, the Processor does not accept any
Controller represents and warrants that the content, usage and
instructions to process the personal data as meant in this Data
Processing Agreement are lawful and do not violate any right of any
Involvement of sub-processors
Processor shall involve third parties in the processing under this
Data Processing Agreement. A list of sub-processors will, on request,
be provided to Controller.
In any event, Processor shall ensure that any third parties are
bound to at least the same obligations as agreed between Controller
and Processor. Controller has the right to inspect the agreements
containing such obligations.
Processor represents and warrants that these third parties shall
comply with the obligations under this Data Processing Agreement.
Processor shall use reasonable efforts to implement appropriate
technical and organisational measures to ensure a level of security
appropriate to the risk for the processing operations involved,
against loss or unlawful processing (in particular from accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to personal data transmitted, stored or otherwise processed).
Processor does not warrant that the security is effective under all
circumstances. Processor shall however use best efforts to ensure a
level of security appropriate to the risk taking into account the
state of the art, the costs of implementation and the nature, scope,
context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural
Notification and communication of data breaches
Controller is responsible at all times for notification of any
security breaches and/or personal data breaches
(which are understood as: a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or
otherwise processed) to the competent supervisory authority, and for
communication of the same to data subjects. In order to enable
Controller to comply with this legal requirement, Processor shall
notify Controller within a reasonable period after becoming aware of
an actual or threatened security or personal data breach.
A notification under the previous clause shall be made at all times,
but only for actual breaches. The notification shall include at least
the fact that a breach has occurred. In addition, the notification
the name of the person notifying about the breach
details of the person notifying about the breach
a description of the
nature of the personal data breach including, where possible, the
categories and approximate number of data subjects concerned, and the
categories and approximate number of personal data records concerned;
a description of the likely consequences of the personal data breach;
a description of the measures taken or proposed to be taken by the
controller to address the personal data breach, including, where
appropriate, measures to mitigate its possible adverse effects.
Processor shall document all data breaches in accordance with
Article 33(5) GDPR, including the facts relating to the personal data
breaches, the consequences thereof and the measures taken to correct
the respective breach. At Controller’s request, Processor shall
provide access hereto.
Processing requests from data subjects
In the event a data subject makes a request to exercise his or her
legal rights under Articles 15-22 GDPR to Processor, Processor shall
pass on such request to Controller, and Controller shall process the
request. Processor may inform the data subject of this passing on.
All personal data that Processor receives from Controller and/or
collects itself is subject to strict obligations of confidentiality
towards third parties. Processor shall not use this information for
any goals other than for which it was obtained, not even if the
information has been converted into a form that is no longer related
to an identified or identifiable natural person.
The confidentiality obligation shall not apply to the extent
Controller has granted explicit permission to provide the information
to third parties, the provision to third parties is reasonably
necessary considering the nature of the assignment to Controller or
the provision is legally required.
Controller has the right to have audits performed on Processor by an
independent third party bound by confidentiality obligations to verify
compliance with the security requirements, compliance with data
processing regulations, unauthorised use of personal data by Processor
personnel, compliance with the Data Processing
Agreement, and all issues reasonably connected thereto.
This audit may be performed once every year.
Processor shall give its full cooperation to the audit and shall
make available employees and all reasonably relevant information,
including supporting data such as system logs.
The audit findings shall be assessed by the parties in joint
consultation and may or may not be implemented by either party or
The costs of the audit shall be borne by Controller.
Parties explicitly agree that any liability arising in connection
with personal data processing shall be as provided in the Agreement.
Term and termination
This Data Processing Agreement enters into force upon signature by
the parties and on the date of the last signature.
This Data Processing Agreement is entered into for the duration of
the cooperation between parties.
Upon termination of the Data Processing Agreement, regardless of
reason or manner, Processor shall - at the choice of Controller -
return in original format or destroy all personal data available to
Processor is entitled to amend Appendix 1 from time to time.
Processor shall notify the Controller of amendments at least three
months prior to their taking effect. Controller may terminate if the
amendments are unacceptable to it.
Applicable law and competent venue
This Data Processing Agreement and its execution are subject to
Any disputes that may arise between the parties in connection with
this Data Processing Agreement shall be brought to the competent court
of Gelderland, the Netherlands.
Appendix 1: Stipulation of purposes, personal data and data subjects
Processor shall process the personal data only for the following
purposes, as specified in article 1 of the Data Processing Agreement:
• Storing data in the ‘cloud’ for the benefit, and associated online
Processor shall process the below personal data under the supervision
of Controller, as specified in article 1 of the Data Processing
Names and addresses
Of the following categories of data subjects:
Controller represents and warrants that the description of personal data
and categories of data subjects in this Appendix 1 is complete and
accurate, and shall indemnify and hold harmless Processor for all faults
and claims that may arise from a violation of this representation and
For the Processor
Maarten J. van der Dussen
2 May 2018