DATA PROCESSING AGREEMENT


This Processor Agreement is concluded with the organization that consents to it and relates to the processing of personal data during the performance of an assessment and the provision of associated services by ValueMatch B.V.

  1. The Company, hereafter referred to as: “Controller”;

and 

  2. VALUEMATCH B.V., with registered office at Schalkwijkstraat 43 in (3512 KR) Utrecht, the Netherlands, registered in the trade register of the Chamber of Commerce under number 73201383 and legally represented by Mr. P.A. van Nimwegen;

hereafter referred to as: “Processor”;

collectively referred to as “Parties”;

CONSIDER THAT: 

  • an agreement has been concluded between Controller and Processor with regard to carrying out an assessment and/or providing training, by completing the application form and agreeing to the general terms and conditions (hereafter: the “Agreement”);
  • in the context of the implementation of the Agreement, the Processor shall obtain personal data and will process this data for the Controller or for customers of the Controller;
  • where applicable, customers of the Controller themselves qualify as the controller as defined in the GDPR;
  • for the legal framework regarding privacy, the Parties assume the applicability of EU Regulation 2016/679 of 27 April 2016 (hereafter: the “GDPR”);
  • Terms from the GDPR used in this Processor Agreement, such as processing, personal data, controller and processor, have the meaning as assigned to them in the GDPR;
  • In accordance with Article 28 of the GDPR, Parties shall describe in this agreement (the “Processor Agreement”) the subject matter and duration of processing, the nature and purpose of the processing, the type of personal data, categories of data subjects and the rights and obligations of the Parties;

AGREE TO THE FOLLOWING:

Article 1 General

  1. Processor processes personal data on behalf of and for the benefit of the Controller during the term of the Agreement.
  2. Processor processes personal data for the Controller in accordance with the written instructions and under the explicit responsibility of the Controller.
  3. The Controller has control over the processing of the personal data and determines the purpose and means of processing the personal data. The control of the personal data will never rest with the Processor.
  4. In the event that a European Union or Member State law applicable to the Processor obliges him/her to process in a way that deviates from that which has been agreed in this Processor Agreement, then the Processor will notify the Controller of this legal requirement prior to the processing, unless that provision prohibits such notification.
  5. The Controller shall ensure that the content, use and/or processing of the personal data by the Processor are not unlawful and do not infringe on any rights of a third party.
  6. Controller will inform the Processor of any changes to regulations, which form the basis for changing the rights and obligations of the Parties in this Processor Agreement.

Article 2 Security

  1. Parties shall take technical and organizational security measures to protect the personal data against loss or against any form of unlawful processing. On request the Processor will inform the Controller of the security measures taken.
  2. The security measures taken by the Processor, taking into account the state of the art, the implementation costs and the risks that the processing and the nature of the personal data entail, shall offer an appropriate level of security.
  3. The Processor cannot guarantee that the security measures are effective under all circumstances.
  4. In the event the Controller is of the opinion that a change to the security measures to be taken by the Processor is necessary in order to provide an appropriate level of security, the Parties shall enter into consultation about the change to the security measures requested by the Controller.

Article 3 Audits

  1. The Controller is entitled to have an annual assessment performed by an independent expert with regard to the implementation of the Processor Agreement.
  2. The Controller will notify the Processor in good time of such a planned assessment.
  3. The Processor declares that it is willing to cooperate with such an assessment and to consult with the Controller about the recommendations for improvement made by the expert. The obligation to cooperate referred to here does not automatically entail an obligation to follow all recommendations.

Article 4 Security incidents and data leaks

  1. Communication of a breach to the supervisory authority and the data subject remains at all times the responsibility of the Controller.
  2. The Processor will inform the Controller of any breach as soon as possible after the Processor has discovered the aforementioned breach.
  3. Taking into account the nature of the processing and the information available to the Processor, the Processor will assist the Controller in fulfilling the obligations under Articles 33 and 34 GDPR regarding the notification of a personal data breach to the supervisory authority and to the data subject.

Article 5 Co-operation obligation Processor

  1. The Processor shall assist the Controller, to the extent possible and reasonable given the nature of its activities, with:
    • fulfilling the legal obligations of the Controller with regard to the rights of the data subject by means of appropriate technical and organizational measures. These obligations of the Controller are set out in Articles 12 to 23 of the GDPR and include requests for (notification of) the erasure or rectification of personal data and the right to data portability;
    • fulfilling the obligations of the Controller set out in Articles 32 to 36 of the GDPR, taking into account the information available to the Processor. These obligations concern the security of the processing, the privacy impact assessment (PIA) and prior consultation with a supervisory authority.

Article 6 Use of other processors

  1. If the Processor instructs another processor to perform specific processing activities on behalf of the Controller, then the Processor shall ensure that the other processor is subject to the same data protection obligations as in the present Processor Agreement. The obligations shall be agreed in writing. If the other processor does not fulfill his/her data protection obligations, then the Processor shall remain responsible to the Controller for fulfilling the obligations of the other processor.
  2. The Controller authorizes the Processor to engage other processors to fulfill the obligations arising from the Agreement under the condition that the Processor informs the Controller of the intended changes regarding the addition or replacement of other processors. The Controller may object to an intended change within 5 working days after notification. If the Processor does not accept the objection of the Controller, the Controller may terminate the Agreement without notice.

Article 7 Confidentiality

  1. The Parties guarantee that the persons authorized to process the personal data have committed themselves to confidentiality or are bound by an appropriate statutory obligation of confidentiality.
  2. The provisions of the first paragraph of this article do not apply if and insofar as the provision of the personal data is required pursuant to a court decision, a statutory provision or a competent order issued by a governmental authority.

Article 8 Liability

  1. An administrative fine imposed by the supervisory authority or claims of data subjects against the Controller cannot be recovered from the Processor, unless there is intent or deliberate recklessness on the part of the management of the Processor.
  2. The Controller shall indemnify Processor against claims from the supervisory authority and/or data subjects whose personal data are processed by the Processor in the context of the execution of the Agreement, unless the Controller proves that the facts underlying the claim are attributable to the Processor.

Article 9 Duration and termination

  1. This Processor Agreement comes into force on the date of the last signature of this Processor Agreement by the Parties and is concluded for an indefinite period of time.
  2. This Processor Agreement ends by operation of law when the Controller terminates the Agreement in writing. The provisions of this Processor Agreement that are intended to retain their validity after termination will remain in full force after the termination of the Processor Agreement.
  3. If the Controller so requests, the Processor will return the personal data to the Controller or destroy it after the termination of the Agreement. If this is not requested, the data will be stored for the period stipulated in Annex 1.
  4. The provisions of paragraph 3 of this article do not apply if a statutory regulation prevents the complete or partial return or destruction of personal data by the Processor. In such a case, the Processor will only continue to process the personal data to the extent necessary under its legal obligations.

Article 10 Costs

  1. The reasonable costs incurred by the Processor in complying with the provisions regarding “Audits”, “Co-operation obligation Processor”, “Returning of personal data by termination of agreement” and “Security incidents and data leaks” (insofar as it concerns a notification to the supervisory authority and the data subjects), including the actual costs incurred and hours spent by the Processor, are borne by the Controller, unless the costs are incurred as a result of a substantial attributable shortcoming by the Processor in the implementation of this Processor Agreement.

Article 11 Other

  1. This Processor Agreement forms an integral part of the Agreement. All rights and obligations under the Agreement, including liability conditions, therefore also apply to this Processor Agreement. In the event of contradictions between the provisions of this Processor Agreement and the Agreement, the provisions of the Processor Agreement prevail.

ANNEX 1:

  • SUBJECT OF PROCESSING AND TYPE OF PERSONAL DATA:

In order to execute the Agreement, personal data will be processed in the context of the implementation of online assessments, the resulting reports and associated services provided by the Processor in the field of coaching, teambuilding, organizational culture and HR-related activities. It mainly concerns:

  • Name and address details;
  • Contact details: e-mail address and telephone number;
  • IP-address;
  • Assessment input data and world view.

The Controller shall not permit the processing of any special categories of personal data or of data of children (under 16 years). The Processor does not consider personal data processed in the context of the performance of an assessment to be special categories of personal data as set out in Article 9 of the GDPR.

  • DURATION:

The Controller has full control over the duration of the processing and the storage of personal data. The Controller shall not store personal data for longer than is required for the provision of the service requested by the data subject or to meet the purposes for which the data was provided.

The Parties agree that the Processor will retain personal data for at least 2 years for the benefit of the Controller. The Processor will delete personal data no later than 2 years and 6 months after the assessment data has been made available to the Controller.

The Parties agree that the Processor may continue to make unlimited use of assessment data insofar as this data has been anonymized.

  • NATURE AND PURPOSE:

Processor shall process personal data as part of the processing of assessments and provision of accompanying services. This includes collecting, recording, storing, retrieving, consulting, using, making available, compiling, correlating and deleting personal data.

  • SUB-PROCESSORS / LOCATION

The sub-processors used by ValueMatch are:

  • Vservs B.V. in the Netherlands – data storage in the Netherlands
  • Strato – data storage in the Netherlands and Germany
  • Dropbox – data storage in Europe and the US
  • Microsoft – data storage in Europe and the US

These parties comply with the GDPR and have concluded a processing agreement with ValueMatch.

  • TECHNICAL AND ORGANIZATIONAL MEASURES:

The Processor will, among other things, take the following technical and organizational security measures to protect personal data against breaches:

  • Only use sub-processors that comply with the GDPR and ensure that there is a processor agreement between ValueMatch and these parties.
  • Implement sound network security techniques and monitoring that offer multiple levels of security. The processor shall use standard security techniques, including firewalls, encryption, access control, monitoring of network security and intrusion detection systems to ensure that only those who are authorized have access to the data.
  • Periodic checks and half-yearly audits to delete data and to comply with the retention period stated above.

The Controller shall take the following technical and organizational security measures to protect personal data against breaches:

  • Enter into a processor agreement with Dropbox (by taking a Business account) or remove all documents offered from the Dropbox folder provided by ValueMatch within 7 working days.
  • If no Dropbox Business account is used, the Dropbox folder provided by ValueMatch may not be shared with others inside or outside the organization.
  • Implement sound network security techniques and monitoring that offer multiple levels of security. The Controller shall use standard security techniques, including firewalls, encryption, access control, monitoring of network security and intrusion detection systems to ensure that only those who are authorized have access to the data.

  • NOTIFICATION OF BREACH:

The Processor will report a breach by e-mail and by telephone to the person who has entered into the Agreement on behalf of the Controller.

The Processor will provide the following information when reporting a breach:

  • Contact details of the notifier (name, function, e-mail address, telephone number)
  • Details of the breach:
    • Summary of the incident
    • Personal data involved in the breach
    • When the breach took place
    • The nature of the breach
    • Estimate of the consequences of the breach
    • Measures the Processor has taken to limit the breach and prevent recurrence